cmd/contour: Update to TLS 1.3 for xDS between Contour and Envoy (#4065)

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

changelogs/unreleased/4065-tsaarni-major.md

@@ -0,0 +1,9 @@
+## xDS management connection between Contour and Envoy set to TLSv1.3
+
+The minimum accepted TLS version for Contour xDS server is changed from TLSv1.2 to TLSv1.3.
+Previously in Contour 1.19, the maximum accepted TLS version for Envoy xDS client was increased to TLSv1.3 which allows it to connect to Contour xDS server using TLSv1.3.
+
+If upgrading from a version **prior to Contour 1.19**, the old Envoys will be unable to connect to new Contour until also Envoys are upgraded.
+Until that, old Envoys are unable to receive new configuration data.
+
+For further information, see [Contour architecture](https://projectcontour.io/docs/main/architecture/) and [xDS API](https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol) in Envoy documentation.

cmd/contour/servecontext.go

@@ -192,7 +192,7 @@ func tlsconfig(log logrus.FieldLogger, contourXDSTLS *contour_api_v1alpha1.TLS)
 			Certificates: []tls.Certificate{cert},
 			ClientAuth:   tls.RequireAndVerifyClientCert,
 			ClientCAs:    certPool,
-			MinVersion:   tls.VersionTLS12,
+			MinVersion:   tls.VersionTLS13,
 		}, nil
 	}
 
@@ -202,7 +202,7 @@ func tlsconfig(log logrus.FieldLogger, contourXDSTLS *contour_api_v1alpha1.TLS)
 	}
 
 	return &tls.Config{
-		MinVersion: tls.VersionTLS12,
+		MinVersion: tls.VersionTLS13,
 		ClientAuth: tls.RequireAndVerifyClientCert,
 		Rand:       rand.Reader,
 		GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {

cmd/contour/servecontext_test.go

@@ -236,7 +236,7 @@ func TestTlsVersionDeprecation(t *testing.T) {
 	tlsConfig, err := preliminaryTLSConfig.GetConfigForClient(nil)
 	checkFatalErr(t, err)
 
-	assert.Equal(t, tlsConfig.MinVersion, uint16(tls.VersionTLS12))
+	assert.Equal(t, tlsConfig.MinVersion, uint16(tls.VersionTLS13))
 }
 
 func checkFatalErr(t *testing.T, err error) {