From 34246f3ef305cc8da32cc829e8a5f579eff8c031 Mon Sep 17 00:00:00 2001
From: Jakub Dyszkiewicz
Date: Thu, 24 Jun 2021 16:40:46 +0200
Subject: [PATCH] feat(kuma-cp) add SNI to TLSed ExternalServices
Signed-off-by: Jakub Dyszkiewicz
---
pkg/xds/envoy/clusters/v3/client_side_tls_configurer.go | 6 +++++-
.../envoy/clusters/v3/client_side_tls_configurer_test.go | 2 ++
pkg/xds/envoy/tls/v3/tls.go | 3 ++-
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/pkg/xds/envoy/clusters/v3/client_side_tls_configurer.go b/pkg/xds/envoy/clusters/v3/client_side_tls_configurer.go
index 9a80fd703813..579711a8007b 100644
--- a/pkg/xds/envoy/clusters/v3/client_side_tls_configurer.go
+++ b/pkg/xds/envoy/clusters/v3/client_side_tls_configurer.go
@@ -1,6 +1,8 @@
 package clusters
 
 import (
+ "fmt"
+
 envoy_cluster "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
 envoy_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 pstruct "github.com/golang/protobuf/ptypes/struct"
@@ -26,7 +28,9 @@ func (c *ClientSideTLSConfigurer) Configure(cluster *envoy_cluster.Cluster) erro
 ep.ExternalService.ClientCert,
 ep.ExternalService.ClientKey,
 ep.ExternalService.AllowRenegotiation,
- ep.Target)
+ ep.Target,
+ fmt.Sprintf("%s:%d", ep.Target, ep.Port),
+ )
 if err != nil {
 return err
 }
diff --git a/pkg/xds/envoy/clusters/v3/client_side_tls_configurer_test.go b/pkg/xds/envoy/clusters/v3/client_side_tls_configurer_test.go
index a7d57c034269..fc31e53501d3 100644
--- a/pkg/xds/envoy/clusters/v3/client_side_tls_configurer_test.go
+++ b/pkg/xds/envoy/clusters/v3/client_side_tls_configurer_test.go
@@ -71,6 +71,7 @@ var _ = Describe("ClientSideTLSConfigurer", func() {
 typedConfig:
 '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
 commonTlsContext: {}
+ sni: httpbin.org:3000
 type: EDS
 `}),
 Entry("cluster with mTLS and certs", testCase{
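Review bot: The SNI value built with `fmt.Sprintf("%s:%d", ep.Target, ep.Port)` in the Configure hunk includes the port, but the TLS server_name extension (RFC 6066) carries a bare host name, so an upstream that selects its certificate or routes by SNI will see `httpbin.org:3000`, present a default certificate or reject the handshake, and the connection then fails SAN validation or never completes; the expected values `sni: httpbin.org:3000` in both test-file hunks pin the same mistake. Passing `ep.Target` alone is sufficient, which also makes the new `fmt` import unnecessary. RFC 6066 additionally disallows literal IP addresses in SNI, so if Target can be an address (not visible from this hunk) the caller should pass an empty string in that case, e.g. guard on `net.ParseIP(ep.Target) != nil`. Configure begins and ends outside the hunk.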
@@ -117,6 +118,7 @@ var _ = Describe("ClientSideTLSConfigurer", func() {
 - exact: httpbin.org
 trustedCa:
 inlineBytes: Y2FjZXJ0
+ sni: httpbin.org:3000
 type: EDS
 `}),
 )
diff --git a/pkg/xds/envoy/tls/v3/tls.go b/pkg/xds/envoy/tls/v3/tls.go
index 140bc8635cc7..86e36342dcb5 100644
--- a/pkg/xds/envoy/tls/v3/tls.go
+++ b/pkg/xds/envoy/tls/v3/tls.go
@@ -201,7 +201,7 @@ func googleGrpcSdsSpecifier(context xds_context.Context, name string, metadata *
 }, nil
 }
 
-func UpstreamTlsContextOutsideMesh(ca, cert, key []byte, allowRenegotiation bool, hostname string) (*envoy_tls.UpstreamTlsContext, error) {
+func UpstreamTlsContextOutsideMesh(ca, cert, key []byte, allowRenegotiation bool, hostname string, sni string) (*envoy_tls.UpstreamTlsContext, error) {
 var tlsCertificates []*envoy_tls.TlsCertificate
 if cert != nil && key != nil {
 tlsCertificates = []*envoy_tls.TlsCertificate{
@@ -230,6 +230,7 @@ func UpstreamTlsContextOutsideMesh(ca, cert, key []byte, allowRenegotiation bool
 
 return &envoy_tls.UpstreamTlsContext{
 AllowRenegotiation: allowRenegotiation,
+ Sni: sni,
 CommonTlsContext: &envoy_tls.CommonTlsContext{
 TlsCertificates: tlsCertificates,
 ValidationContextType: validationContextType,
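Review bot: The exported UpstreamTlsContextOutsideMesh gains a `sni string` parameter in the @@ -201 hunk but still has no doc comment, and nothing states what shape the caller must pass, which matters because the value is copied straight into `Sni: sni` in the @@ -230 hunk and sent on the wire. I would add `// UpstreamTlsContextOutsideMesh builds the UpstreamTlsContext for an external service. sni is the bare host name sent in the TLS ClientHello server_name extension (no port, not an IP literal); an empty value sends no SNI.` above the signature. Since the function now takes both hostname and sni and the only caller in this patch derives both from the same ep.Target, it is worth stating in the comment what hostname is used for (presumably certificate validation, not confirmed here) so the two are not conflated. The function body continues outside both hunks.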