only add istio automtls when label has value (#10574)

Author: stevenctl

changelog/v1.19.0-beta4/istio-automtls-disabled.yaml

@@ -0,0 +1,7 @@
+changelog:
+  - type: FIX
+    issueLink: https://github.com/solo-io/gloo/issues/10575
+    resolvesIssue: true
+    description: |
+      When a workload has the label `security.istio.io/tlsMode: disabled`
+      we will no longer attempt to send mTLS to that workload.

projects/gateway2/krtcollections/endpoints.go

@@ -13,10 +13,10 @@ import (
 	"google.golang.org/protobuf/types/known/wrapperspb"
 
 	ggv2utils "github.com/solo-io/gloo/projects/gateway2/utils"
-	"github.com/solo-io/gloo/projects/gloo/constants"
 	v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1"
 	glookubev1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/kube/apis/gloo.solo.io/v1"
 	kubeplugin "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/options/kubernetes"
+	"github.com/solo-io/gloo/projects/gloo/pkg/plugins/istio_automtls"
 	"github.com/solo-io/gloo/projects/gloo/pkg/translator"
 	"github.com/solo-io/go-utils/contextutils"
 	"istio.io/istio/pkg/kube"
@@ -336,7 +336,7 @@ func CreateLBEndpoint(address string, port uint32, podLabels map[string]string,
 	metadata := &envoy_config_core_v3.Metadata{
 		FilterMetadata: map[string]*structpb.Struct{},
 	}
-	metadata = addIstioAutomtlsMetadata(metadata, podLabels, enableAutoMtls)
+	metadata = istio_automtls.AddIstioAutomtlsMetadata(metadata, podLabels, enableAutoMtls)
 	// Don't add the annotations to the metadata - it's not documented so it's not coming
 	// metadata = addAnnotations(metadata, addr.GetMetadata().GetAnnotations())
 
@@ -365,24 +365,6 @@ func CreateLBEndpoint(address string, port uint32, podLabels map[string]string,
 	}
 }
 
-func addIstioAutomtlsMetadata(metadata *envoy_config_core_v3.Metadata, labels map[string]string, enableAutoMtls bool) *envoy_config_core_v3.Metadata {
-	const EnvoyTransportSocketMatch = "envoy.transport_socket_match"
-	if enableAutoMtls {
-		if _, ok := labels[constants.IstioTlsModeLabel]; ok {
-			metadata.GetFilterMetadata()[EnvoyTransportSocketMatch] = &structpb.Struct{
-				Fields: map[string]*structpb.Value{
-					constants.TLSModeLabelShortname: {
-						Kind: &structpb.Value_StringValue{
-							StringValue: constants.IstioMutualTLSModeLabel,
-						},
-					},
-				},
-			}
-		}
-	}
-	return metadata
-}
-
 func findPortForService(kctx krt.HandlerContext, services krt.Collection[*corev1.Service], spec *kubeplugin.UpstreamSpec) (*corev1.ServicePort, bool) {
 	maybeSvc := krt.FetchOne(kctx, services, krt.FilterObjectName(types.NamespacedName{
 		Namespace: spec.GetServiceNamespace(),

projects/gloo/pkg/plugins/istio_automtls/helper.go

@@ -0,0 +1,36 @@
+package istio_automtls
+
+import (
+	"github.com/solo-io/gloo/projects/gloo/constants"
+	"google.golang.org/protobuf/types/known/structpb"
+
+	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+)
+
+const EnvoyTransportSocketMatch = "envoy.transport_socket_match"
+
+// AddIstioAutomtlsMetadata adds metadata used by the transport_socket_match
+// to select the mTLS transport socket. The Envoy metadata label is added
+// based on the presence of the Istio workload label "security.istio.io/tlsMode=istio".
+func AddIstioAutomtlsMetadata(
+	metadata *envoy_config_core_v3.Metadata,
+	workloadLabels map[string]string,
+	enableAutoMtls bool,
+) *envoy_config_core_v3.Metadata {
+	if enableAutoMtls {
+		// Valid label values are 'istio', 'disabled'
+		// https://github.com/istio/api/blob/5b3f065ee1c2802fb4bc6010ac847c181caa6cc3/label/labels.gen.go#L285
+		if value, ok := workloadLabels[constants.IstioTlsModeLabel]; ok && value == constants.IstioMutualTLSModeLabel {
+			metadata.GetFilterMetadata()[EnvoyTransportSocketMatch] = &structpb.Struct{
+				Fields: map[string]*structpb.Value{
+					constants.TLSModeLabelShortname: {
+						Kind: &structpb.Value_StringValue{
+							StringValue: constants.IstioMutualTLSModeLabel,
+						},
+					},
+				},
+			}
+		}
+	}
+	return metadata
+}