envoy: configure upstream IP SAN match as needed (#4380)

When building an upstream validation context for a particular URL, check
whether the hostname is an IP address. If so, configure the SAN match to
use type IP_ADDRESS rather than DNS.

config/envoyconfig/tls.go

@@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"encoding/asn1"
 	"fmt"
+	"net/netip"
 	"net/url"
 	"regexp"
 	"strings"
@@ -24,6 +25,21 @@ func (b *Builder) buildSubjectAltNameMatcher(
 		sni = overrideName
 	}
 
+	if ip, err := netip.ParseAddr(sni); err == nil {
+		// Strip off any IPv6 zone.
+		if ip.Zone() != "" {
+			ip = ip.WithZone("")
+		}
+		return &envoy_extensions_transport_sockets_tls_v3.SubjectAltNameMatcher{
+			SanType: envoy_extensions_transport_sockets_tls_v3.SubjectAltNameMatcher_IP_ADDRESS,
+			Matcher: &envoy_type_matcher_v3.StringMatcher{
+				MatchPattern: &envoy_type_matcher_v3.StringMatcher_Exact{
+					Exact: ip.String(),
+				},
+			},
+		}
+	}
+
 	if strings.Contains(sni, "*") {
 		pattern := regexp.QuoteMeta(sni)
 		pattern = strings.Replace(pattern, "\\*", ".*", -1)

config/envoyconfig/tls_test.go

@@ -21,6 +21,24 @@ func TestBuildSubjectAltNameMatcher(t *testing.T) {
 			"exact": "example.com"
 		}
 	}`, b.buildSubjectAltNameMatcher(&url.URL{Host: "example.com:1234"}, ""))
+	testutil.AssertProtoJSONEqual(t, `{
+		"sanType": "IP_ADDRESS",
+		"matcher": {
+			"exact": "10.0.0.1"
+		}
+	}`, b.buildSubjectAltNameMatcher(&url.URL{Host: "10.0.0.1:1234"}, ""))
+	testutil.AssertProtoJSONEqual(t, `{
+		"sanType": "IP_ADDRESS",
+		"matcher": {
+			"exact": "fd12:3456:789a:1::1"
+		}
+	}`, b.buildSubjectAltNameMatcher(&url.URL{Host: "[fd12:3456:789a:1::1]:1234"}, ""))
+	testutil.AssertProtoJSONEqual(t, `{
+		"sanType": "IP_ADDRESS",
+		"matcher": {
+			"exact": "fe80::1ff:fe23:4567:890a"
+		}
+	}`, b.buildSubjectAltNameMatcher(&url.URL{Host: "[fe80::1ff:fe23:4567:890a%eth2]:1234"}, ""))
 	testutil.AssertProtoJSONEqual(t, `{
 		"sanType": "DNS",
 		"matcher": {