postgres: support for upstream SSL (#23990)

The Postgres filter can negotiate an upstream SSL connection with the Postgres server and enable upstream encryption.
Upon receiving the initial Postgres request, the filter buffers the received packet (without sending it) and sends the upstream server a request to establish an SSL connection. When the server agrees, the Postgres filter enables the upstream STARTTLS transport socket and sends the previously buffered initial packet. From then on, the connection to the upstream is encrypted and the filter can read the Postgres payloads in clear-text.

If the server does not agree to SSL, or converting the STARTTLS transport socket to secure mode fails, then depending on the configuration the filter may continue in clear-text or may tear down the connection.

Risk Level: Low
Testing: unit, integration and manual tests.
Docs Changes: yes.
Release Notes: yes
Platform Specific Features: No
Fixes #19527

Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
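The negotiation described in the commit message, as an added example that is not Envoy's code: a small Python model of the PostgreSQL v3 SSLRequest exchange (8-byte request with code 80877103, single-byte `S`/`N` answer) with a filter that holds the client's StartupMessage, asks the server for SSL, and only forwards the buffered packet once the socket is encrypted. The `FakeServer`, `UpstreamFilter` and the `handshake()` stub are constructed here for illustration; only the `DISABLE` and `REQUIRE` modes present in the proto are modelled, so a refusal or a failed handshake under `REQUIRE` closes the session rather than falling back to clear-text.

```python
"""Model of the upstream SSL negotiation in the Postgres proxy filter.

Added example, not code from Envoy.  Frame layouts follow the PostgreSQL
v3 wire protocol; FakeServer and UpstreamFilter are constructed stand-ins
for the upstream database and the filter respectively.
"""
import struct
from enum import Enum

SSL_REQUEST_CODE = 80877103   # (1234 << 16) | 5679, the SSLRequest "version"
PROTOCOL_3_0 = 196608         # (3 << 16) | 0, protocol version in StartupMessage


class SSLMode(Enum):
    DISABLE = 0
    REQUIRE = 1


def build_startup_message(params: dict) -> bytes:
    """StartupMessage: Int32 length (incl. itself), Int32 version,
    NUL-terminated key/value pairs, trailing NUL."""
    body = struct.pack("!I", PROTOCOL_3_0)
    for key, value in params.items():
        body += key.encode() + b"\x00" + value.encode() + b"\x00"
    body += b"\x00"
    return struct.pack("!I", len(body) + 4) + body


def build_ssl_request() -> bytes:
    """SSLRequest: Int32(8) followed by Int32(80877103)."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def is_ssl_request(frame: bytes) -> bool:
    return len(frame) == 8 and struct.unpack("!II", frame) == (8, SSL_REQUEST_CODE)


class FakeServer:
    """Constructed upstream: answers SSLRequest with 'S' or 'N' and records
    every other frame it receives.  handshake_ok lets the test model the
    'server agreed but converting the socket to secure mode failed' path."""

    def __init__(self, accepts_ssl: bool, handshake_ok: bool = True):
        self.accepts_ssl = accepts_ssl
        self.handshake_ok = handshake_ok
        self.received = []

    def recv(self, data: bytes) -> bytes:
        if is_ssl_request(data):
            return b"S" if self.accepts_ssl else b"N"
        self.received.append(data)
        return b""

    def handshake(self) -> bool:
        return self.handshake_ok


class UpstreamFilter:
    """Stand-in for the filter's upstream side."""

    def __init__(self, mode: SSLMode, server: FakeServer):
        self.mode = mode
        self.server = server
        self.encrypted = False
        self.closed = False

    def on_client_startup(self, startup: bytes) -> str:
        """Returns 'clear', 'encrypted' or 'closed'."""
        if self.mode is SSLMode.DISABLE:
            self.server.recv(startup)          # no negotiation, plain TCP
            return "clear"
        # REQUIRE: keep the StartupMessage buffered and ask for SSL first.
        reply = self.server.recv(build_ssl_request())
        if reply != b"S" or not self.server.handshake():
            self.closed = True                 # refusal or failed handshake
            return "closed"
        self.encrypted = True
        self.server.recv(startup)              # forwarded only over TLS
        return "encrypted"
```

Under `REQUIRE` the buffered StartupMessage never reaches the server in clear-text: the only frame sent before encryption is the 8-byte SSLRequest, which carries no credentials or database name.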

Mirrored from https://github.com/envoyproxy/envoy @ 0ce6cf5fc3b54185b068ac0b6ec2dd5e461fc3cb
pull/626/head
data-plane-api(Azure Pipelines) 2 years ago
parent 194681eadd
commit d5767d6b5c
  1. 18
      contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha/postgres_proxy.proto

@ -20,6 +20,16 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#extension: envoy.filters.network.postgres_proxy]
message PostgresProxy {
// Upstream SSL operational modes.
enum SSLMode {
// Do not encrypt upstream connection to the server.
DISABLE = 0;
// Establish upstream SSL connection to the server. If the server does not
// accept the request for SSL connection, the session is terminated.
REQUIRE = 1;
}
// The human readable prefix to use when emitting :ref:`statistics
// <config_network_filters_postgres_proxy_stats>`.
string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
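Review bot: the `REQUIRE` comment (`// accept the request for SSL connection, the session is terminated.`) documents only the server refusing SSL; the commit message also tears the connection down when the server agrees but converting the STARTTLS transport socket to secure mode fails, so the comment should say the session is terminated in both cases. Note as well that with only `DISABLE` and `REQUIRE` there is no mode that continues in clear-text after a failed negotiation, which does not match the commit message's "depending on the configuration, the filter may continue in clear-text"; either that sentence or the enum should be brought into line.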
@ -39,4 +49,12 @@ message PostgresProxy {
// Refer to official documentation for details
// `SSL Session Encryption Message Flow <https://www.postgresql.org/docs/current/protocol-flow.html#id-1.10.5.7.11>`_.
bool terminate_ssl = 3;
// Controls whether to establish upstream SSL connection to the server.
// Envoy will try to establish upstream SSL connection to the server only when
// Postgres filter is able to read Postgres payload in clear-text. It happens when
// a client established a clear-text connection to Envoy or when a client established
// SSL connection to Envoy and Postgres filter is configured to terminate SSL.
// Defaults to SSL_DISABLE.
SSLMode upstream_ssl = 4;
}
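Review bot: `// Defaults to SSL_DISABLE.` refers to a value that does not exist in `SSLMode`; the zero value is `DISABLE`, so this should read `// Defaults to DISABLE.`. It would also help users to state in this comment that the upstream cluster must be configured with the STARTTLS transport socket the commit message mentions, since the filter relies on converting that socket to secure mode once the server accepts the SSL request.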
