fix(kuma-cp): add option to disable sslsni in universal (backport #…

…5318) (#5322)

Signed-off-by: Mike Beaumont <mjboamail@gmail.com>
Co-authored-by: Mike Beaumont <mjboamail@gmail.com>

UPGRADE.md

@@ -11,7 +11,11 @@ does not have any particular instructions.
 ### Universal
 
 A `lib/pq` change enables SNI by default when connecting to Postgres over TLS.
-Make sure your certificates contain a valid CN or SANs.
+Either make sure your certificates contain a valid CN or SANs for the hostname
+you're using
+or update to `2.0.1` and disable `sslsni` by setting the
+`KUMA_STORE_POSTGRES_TLS_DISABLE_SSLSNI` environment variable or
+`store.postgres.tls.disableSSLSNI` in the config to `true`.
 
 ### `kuma-prometheus-sd`
 

pkg/config/loader_test.go

@@ -115,6 +115,7 @@ var _ = Describe("Config loader", func() {
 			Expect(cfg.Store.Postgres.TLS.CertPath).To(Equal("/path/to/cert"))
 			Expect(cfg.Store.Postgres.TLS.KeyPath).To(Equal("/path/to/key"))
 			Expect(cfg.Store.Postgres.TLS.CAPath).To(Equal("/path/to/rootCert"))
+			Expect(cfg.Store.Postgres.TLS.DisableSSLSNI).To(BeTrue())
 
 			Expect(cfg.ApiServer.ReadOnly).To(Equal(true))
 			Expect(cfg.ApiServer.HTTP.Enabled).To(Equal(false))
@@ -310,6 +311,7 @@ store:
       certPath: /path/to/cert
       keyPath: /path/to/key
       caPath: /path/to/rootCert
+      disableSSLSNI: true
   kubernetes:
     systemNamespace: test-namespace
   cache:
@@ -567,6 +569,7 @@ proxy:
 				"KUMA_STORE_POSTGRES_TLS_CERT_PATH":                                                        "/path/to/cert",
 				"KUMA_STORE_POSTGRES_TLS_KEY_PATH":                                                         "/path/to/key",
 				"KUMA_STORE_POSTGRES_TLS_CA_PATH":                                                          "/path/to/rootCert",
+				"KUMA_STORE_POSTGRES_TLS_DISABLE_SSLSNI":                                                   "true",
 				"KUMA_STORE_POSTGRES_MIN_RECONNECT_INTERVAL":                                               "44s",
 				"KUMA_STORE_POSTGRES_MAX_RECONNECT_INTERVAL":                                               "55s",
 				"KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE":                                                   "test-namespace",

pkg/config/plugins/resources/postgres/config.go

@@ -51,9 +51,16 @@ func (cfg PostgresStoreConfig) ConnectionString() (string, error) {
 		return "", err
 	}
 	escape := func(value string) string { return strings.ReplaceAll(strings.ReplaceAll(value, `\`, `\\`), `'`, `\'`) }
+	boolOption := func(value bool) string {
+		if value {
+			return "1"
+		} else {
+			return "0"
+		}
+	}
 	return fmt.Sprintf(
-		`host='%s' port=%d user='%s' password='%s' dbname='%s' connect_timeout=%d sslmode=%s sslcert='%s' sslkey='%s' sslrootcert='%s'`,
-		escape(cfg.Host), cfg.Port, escape(cfg.User), escape(cfg.Password), escape(cfg.DbName), cfg.ConnectionTimeout, mode, escape(cfg.TLS.CertPath), escape(cfg.TLS.KeyPath), escape(cfg.TLS.CAPath),
+		`host='%s' port=%d user='%s' password='%s' dbname='%s' connect_timeout=%d sslmode=%s sslcert='%s' sslkey='%s' sslrootcert='%s' sslsni=%s`,
+		escape(cfg.Host), cfg.Port, escape(cfg.User), escape(cfg.Password), escape(cfg.DbName), cfg.ConnectionTimeout, mode, escape(cfg.TLS.CertPath), escape(cfg.TLS.KeyPath), escape(cfg.TLS.CAPath), boolOption(!cfg.TLS.DisableSSLSNI),
 	), nil
 }
 
@@ -94,6 +101,8 @@ type TLSPostgresStoreConfig struct {
 	KeyPath string `yaml:"keyPath" envconfig:"kuma_store_postgres_tls_key_path"`
 	// Path to the root certificate. Used in verifyCa and verifyFull modes.
 	CAPath string `yaml:"caPath" envconfig:"kuma_store_postgres_tls_ca_path"`
+	// Whether to disable SNI the postgres `sslsni` option.
+	DisableSSLSNI bool `yaml:"disableSSLSNI" envconfig:"kuma_store_postgres_tls_disable_sslsni"`
 }
 
 func (s TLSPostgresStoreConfig) Sanitize() {

pkg/config/plugins/resources/postgres/config_test.go

@@ -81,6 +81,13 @@ var _ = Describe("TLSPostgresStoreConfig", func() {
 			KeyPath:  "/path",
 			CertPath: "/path",
 		}),
+		Entry("mode VerifyFull without sslsni", postgres.TLSPostgresStoreConfig{
+			Mode:          postgres.VerifyFull,
+			CAPath:        "/path",
+			KeyPath:       "/path",
+			CertPath:      "/path",
+			DisableSSLSNI: true,
+		}),
 	)
 })
 
@@ -113,24 +120,25 @@ var _ = Describe("PostgresStoreConfig", func() {
 				MinReconnectInterval: 10 * time.Second,
 				MaxReconnectInterval: 10 * time.Second,
 			},
-			expected: `host='localhost' port=0 user='postgres' password='postgres' dbname='kuma' connect_timeout=0 sslmode=verify-full sslcert='/path' sslkey='/path' sslrootcert='/path'`,
+			expected: `host='localhost' port=0 user='postgres' password='postgres' dbname='kuma' connect_timeout=0 sslmode=verify-full sslcert='/path' sslkey='/path' sslrootcert='/path' sslsni=1`,
 		}),
-		Entry("password needing escape", stringTestCase{
+		Entry("password needing escape without sslsni", stringTestCase{
 			given: postgres.PostgresStoreConfig{
 				Host:     "localhost",
 				User:     "postgres",
 				Password: `'\`,
 				DbName:   "kuma",
 				TLS: postgres.TLSPostgresStoreConfig{
-					Mode:     postgres.VerifyFull,
-					CAPath:   "/path",
-					KeyPath:  "/path",
-					CertPath: "/path",
+					Mode:          postgres.VerifyFull,
+					CAPath:        "/path",
+					KeyPath:       "/path",
+					CertPath:      "/path",
+					DisableSSLSNI: true,
 				},
 				MinReconnectInterval: 10 * time.Second,
 				MaxReconnectInterval: 10 * time.Second,
 			},
-			expected: `host='localhost' port=0 user='postgres' password='\'\\' dbname='kuma' connect_timeout=0 sslmode=verify-full sslcert='/path' sslkey='/path' sslrootcert='/path'`,
+			expected: `host='localhost' port=0 user='postgres' password='\'\\' dbname='kuma' connect_timeout=0 sslmode=verify-full sslcert='/path' sslkey='/path' sslrootcert='/path' sslsni=0`,
 		}),
 	)
 	type validateTestCase struct {