From a3ad4be429ab004600f99ad53afee28e3843e1a8 Mon Sep 17 00:00:00 2001 From: Blake Covarrubias Date: Wed, 26 Jan 2022 08:12:12 -0800 Subject: [PATCH] docs: Add ingress TLS cipher and version documentation (#12163) Document the new TLS cipher and version parameters that were added to ingress gateways in #11576. Co-authored-by: Mike Morris --- .../config-entries/ingress-gateway.mdx | 63 ++++++++++++++++++- 1 file changed, 61 insertions(+), 2 deletions(-) diff --git a/website/content/docs/connect/config-entries/ingress-gateway.mdx b/website/content/docs/connect/config-entries/ingress-gateway.mdx index e539001d1f..cc3f1014e5 100644 --- a/website/content/docs/connect/config-entries/ingress-gateway.mdx +++ b/website/content/docs/connect/config-entries/ingress-gateway.mdx @@ -979,6 +979,36 @@ You can specify the following parameters to configure ingress gateway configurat "Set this configuration to `true` to enable built-in TLS for every listener on the gateway.

If TLS is enabled, then each host defined in each service's `hosts` fields will be added as a DNSSAN to the gateway's x509 certificate.", }, }, + { + name: 'TLSMinVersion', + type: 'string: ""', + description: "Set the default minimum TLS version supported for the gateway's listeners. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer [will default to TLS 1.2 as a min version](https://github.com/envoyproxy/envoy/pull/19330), while older releases of Envoy default to TLS 1.0.", + }, + { + name: 'TLSMaxVersion', + type: 'string: ""', + description: { + hcl: + "Set the default maximum TLS version supported for the gateway's listeners. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`." , + yaml: + "Set the default maximum TLS version supported for the gateway's listeners. Must be greater than or equal to `tls_min_version`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`." , + }, + }, + { + name: 'CipherSuites', + type: 'array: ', + description: `Set the default list of TLS cipher suites for the gateway's + listeners to support when negotiating connections using + TLS 1.2 or earlier. If unspecified, Envoy will use a + [default server cipher list](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlsparameters-cipher-suites). + The list of supported cipher suites can seen in + [\`consul/types/tls.go\`](https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169) + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but + insecure cipher suites, and future releases of Consul + may add new supported cipher suites if any are added to + Envoy.` + }, { name: 'SDS', yaml: false, 
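Review bot: The gateway-level `CipherSuites` description has a typo, "The list of supported cipher suites can seen in", which should read "can be seen in". Two further points on the same hunk: the `TLSMaxVersion` text says it "Must be greater than or equal to `TLSMinVersion`" but also lists `TLS_AUTO` as a valid value, so it is unclear how `TLS_AUTO` is ordered against an explicit version (for example whether `TLSMaxVersion: TLS_AUTO` with `TLSMinVersion: TLSv1_3` is accepted); one sentence stating how `TLS_AUTO` is treated in that comparison would remove the ambiguity. And since the `TLSMinVersion` text itself notes that Envoy releases older than v1.22.0 default to TLS 1.0, consider adding a short recommendation that operators set `TLSMinVersion` to `TLSv1_2` explicitly rather than relying on the Envoy default, so the documented behaviour does not silently depend on the Envoy version in use.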
@@ -1133,11 +1163,40 @@ You can specify the following parameters to configure ingress gateway configurat type: 'bool: false', description: { hcl: - "Set this configuration to `true` to enable built-in TLS for this listener.

If TLS is enabled, then each host defined in each service's `Hosts` field will be added as a DNSSAN to the gateway's x509 certificate. Note that even hosts from other listeners with TLS disabled will be added.", + "Set this configuration to `true` to enable built-in TLS for this listener.

If TLS is enabled, then each host defined in each service's `Hosts` field will be added as a DNSSAN to the gateway's x509 certificate. Note that even hosts from other listeners with TLS disabled will be added. TLS can not be disabled for individual listeners if it is enabled on the gateway.", yaml: - "Set this configuration to `true` to enable built-in TLS for this listener.

If TLS is enabled, then each host defined in the `hosts` field will be added as a DNSSAN to the gateway's x509 certificate. Note that even hosts from other listeners with TLS disabled will be added.", + "Set this configuration to `true` to enable built-in TLS for this listener.

If TLS is enabled, then each host defined in the `hosts` field will be added as a DNSSAN to the gateway's x509 certificate. Note that even hosts from other listeners with TLS disabled will be added. TLS can not be disabled for individual listeners if it is enabled on the gateway.", }, }, + { + name: 'TLSMinVersion', + type: 'string: ""', + description: "Set the minimum TLS version supported for this listener. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer [will default to TLS 1.2 as a min version](https://github.com/envoyproxy/envoy/pull/19330), while older releases of Envoy default to TLS 1.0.", + }, + { + name: 'TLSMaxVersion', + type: 'string: ""', + description: { + hcl: + "Set the maximum TLS version supported for this listener. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`." , + yaml: + "Set the maximum TLS version supported for this listener. Must be greater than or equal to `tls_min_version`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`." , + }, + }, + { + name: 'CipherSuites', + type: 'array: ', + description: `Set the list of TLS cipher suites to support when negotiating + connections using TLS 1.2 or earlier. If unspecified, + Envoy will use a + [default server cipher list](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlsparameters-cipher-suites). + The list of supported cipher suites can seen in + [\`consul/types/tls.go\`](https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169) + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but + insecure cipher suites, and future releases of Consul + may add new supported cipher suites if any are added to Envoy.` + }, { name: 'SDS', type: 'SDSConfig: ',
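Review bot: The listener-level `TLSMinVersion`, `TLSMaxVersion` and `CipherSuites` entries do not say how they interact with the gateway-level defaults added earlier in this patch, so a reader cannot tell whether a listener value replaces the gateway default or is merged with it; please add a sentence to each (or to the section intro) stating the precedence, for example "If set, this overrides the gateway-level `TLSMinVersion` for this listener". The `CipherSuites` description also repeats the typo "The list of supported cipher suites can seen in" and should read "can be seen in". Minor style point: the `hcl:` and `yaml:` strings in `TLSMaxVersion` end with `" ,` (a space before the comma), which is inconsistent with the surrounding entries.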