config: add option for tls renogotiation

config/envoyconfig/clusters.go

@@ -308,6 +308,7 @@ func (b *Builder) buildPolicyTransportSocket(
 			},
 		},
 		Sni:                sni,
+		AllowRenegotiation: policy.TLSUpstreamAllowRenegotiation,
 	}
 	if policy.ClientCertificate != nil {
 		tlsContext.CommonTlsContext.TlsCertificates = append(tlsContext.CommonTlsContext.TlsCertificates,

config/envoyconfig/clusters_test.go

@@ -429,6 +429,61 @@ func Test_buildPolicyTransportSocket(t *testing.T) {
 			}
 		`, ts)
 	})
+	t.Run("allow renegotiation", func(t *testing.T) {
+		ts, err := b.buildPolicyTransportSocket(ctx, o1, &config.Policy{
+			To:                            mustParseWeightedURLs(t, "https://example.com"),
+			TLSUpstreamAllowRenegotiation: true,
+		}, *mustParseURL(t, "https://example.com"))
+		require.NoError(t, err)
+		testutil.AssertProtoJSONEqual(t, `
+			{
+				"name": "tls",
+				"typedConfig": {
+					"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+					"allowRenegotiation": true,
+					"commonTlsContext": {
+						"alpnProtocols": ["h2", "http/1.1"],
+						"tlsParams": {
+							"cipherSuites": [
+								"ECDHE-ECDSA-AES256-GCM-SHA384",
+								"ECDHE-RSA-AES256-GCM-SHA384",
+								"ECDHE-ECDSA-AES128-GCM-SHA256",
+								"ECDHE-RSA-AES128-GCM-SHA256",
+								"ECDHE-ECDSA-CHACHA20-POLY1305",
+								"ECDHE-RSA-CHACHA20-POLY1305",
+								"ECDHE-ECDSA-AES128-SHA",
+								"ECDHE-RSA-AES128-SHA",
+								"AES128-GCM-SHA256",
+								"AES128-SHA",
+								"ECDHE-ECDSA-AES256-SHA",
+								"ECDHE-RSA-AES256-SHA",
+								"AES256-GCM-SHA384",
+								"AES256-SHA"
+							],
+							"ecdhCurves": [
+								"X25519",
+								"P-256",
+								"P-384",
+								"P-521"
+							]
+						},
+						"validationContext": {
+							"matchTypedSubjectAltNames": [{
+								"sanType": "DNS",
+								"matcher": {
+									"exact": "example.com"
+								}
+							}],
+							"trustedCa": {
+								"filename": "`+rootCA+`"
+							}
+						}
+					},
+					"sni": "example.com"
+				}
+			}
+		`, ts)
+	})
 }
 
 func Test_buildCluster(t *testing.T) {

config/policy.go

@@ -119,6 +119,9 @@ type Policy struct {
 	TLSDownstreamClientCA     string `mapstructure:"tls_downstream_client_ca" yaml:"tls_downstream_client_ca,omitempty"`
 	TLSDownstreamClientCAFile string `mapstructure:"tls_downstream_client_ca_file" yaml:"tls_downstream_client_ca_file,omitempty"`
 
+	// TLSUpstreamAllowRenegotiation allows server-initiated TLS renegotiation.
+	TLSUpstreamAllowRenegotiation bool `mapstructure:"tls_upstream_allow_renegotiation" yaml:"allow_renegotiation,omitempty"`
+
 	// SetAuthorizationHeader sets the authorization request header based on the user's identity. Supported modes are
 	// `pass_through`, `access_token` and `id_token`.
 	SetAuthorizationHeader string `mapstructure:"set_authorization_header" yaml:"set_authorization_header,omitempty"`

pkg/grpc/config/config.proto

@@ -90,6 +90,8 @@ message Route {
   string tls_downstream_client_ca = 38;
   string tls_downstream_client_ca_file = 39;
 
+  bool tls_upstream_allow_renegotiation = 60;
+
   map<string, string> set_request_headers = 22;
   repeated string remove_request_headers = 23;
   map<string, string> set_response_headers = 41;