WIP: implement the authority field for TLS onload, to set the SNI.

This is the SNI sent in the client TLS connection to a backend. We use VMOD dynamic for backends represented by an ExternalName Service (likely the common use case for TLS onload). VMOD dynamic does not have the authority field that klarlack makes available for standard backends. But if the host_header field is set for a VMOD dynamic director, the VMOD uses that value for the SNI. So if the BackendConfig authority field is set, we also assign its value to the host_header field. Since BackendConfig also has a separate field for host_header, both of them could be conceivably set to different values. If we find that the two fields are set to non-empty, conflicting values, the controller emits a SyncFatalError, and the BackendConfig is not synced.

WIP: implement the authority field for TLS onload, to set the SNI.
This is the SNI sent in the client TLS connection to a backend. We use VMOD dynamic for backends represented by an ExternalName Service (likely the common use case for TLS onload). VMOD dynamic does not have the authority field that klarlack makes available for standard backends. But if the host_header field is set for a VMOD dynamic director, the VMOD uses that value for the SNI. So if the BackendConfig authority field is set, we also assign its value to the host_header field. Since BackendConfig also has a separate field for host_header, both of them could be conceivably set to different values. If we find that the two fields are set to non-empty, conflicting values, the controller emits a SyncFatalError, and the BackendConfig is not synced.
ffd5ec79 · Geoff Simmons · b3c72dff · ffd5ec79 · ffd5ec79 · ffd5ec79
Commit ffd5ec79 authored Sep 17, 2021 by Geoff Simmons
5 changed files
--- a/examples/tls/onload/backend-cfg.yaml
+++ b/examples/tls/onload/backend-cfg.yaml
@@ -10,3 +10,4 @@ spec:

  tls:
    verify: false
+    authority: caffeine.org
--- a/examples/tls/onload/cafe.vtc
+++ b/examples/tls/onload/cafe.vtc
@@ -9,5 +9,6 @@ client c1 -connect "${localhost} ${localport}" {
 	expect resp.status == 200
 	expect resp.http.X-Host ~ "^coffee-[a-z0-9]+-[a-z0-9]+$"
 	expect resp.http.X-URI == "/coffee/foo/bar"
+	expect resp.http.X-SNI == "caffeine.org"
 	expect resp.body == "GET /coffee/foo/bar HTTP/1.1"
 } -run
--- a/examples/tls/onload/values.yaml
+++ b/examples/tls/onload/values.yaml
@@ -7,6 +7,7 @@ apps:
    config:
      tls:
        verify: false
+        authority: caffeine.org

  coffee:
    image: uplex/https-echo

--- a/pkg/controller/ingress.go
+++ b/pkg/controller/ingress.go
@@ -457,6 +457,23 @@ BCfgs:

 		if bcfg.Spec.TLS.Authority != nil {
 			authority := *bcfg.Spec.TLS.Authority
+			if authority != "" {
+				if vclSvc.HostHeader != "" &&
+					vclSvc.HostHeader != authority {
+					return vclSvc, nil, nil,
+						update.MakeFatal(
+							"Service %s/%s, "+
+								"BackendConfig %s/%s: "+
+								"host-header (%s) and "+
+								"authority (%s) conflict",
+							svcNamespace, svcName,
+							bcfg.Namespace,
+							bcfg.Name,
+							vclSvc.HostHeader,
+							authority)
+				}
+				vclSvc.HostHeader = authority
+			}
 			vclSvc.Authority = &authority
 			onload.Authority = true
 		} else {

--- a/pkg/haproxy/dataplane.go
+++ b/pkg/haproxy/dataplane.go
@@ -263,12 +263,12 @@ func getOnldSite(spec *OnloadSpec) ([]byte, error) {
 			Alpn:    "http/1.1",
 			Stick:   "enabled",
 		}
+		if spec.Authority {
+			server.Sni = "fc_pp_authority"
+		}
 		if spec.Verify {
 			server.Verify = "required"
 			server.SslCafile = caBundlePath
-			if spec.Authority {
-				server.Sni = "fc_pp_authority"
-			}
 		} else {
 			server.Verify = "none"
 		}