Fixes #20930 - expose path for HTTPS endpoints #21134

Open
wants to merge 8 commits into
base: main

Contributor

@vijayraghav-io vijayraghav-io commented May 19, 2024

Description

fixes #20930

Added 3 parameters, CAFile, CertFile and KeyFile, to ServiceDefinition -> Proxy -> Expose -> Path.
In the case of an HTTPS path, these 3 parameters are used to configure Envoy and allow HTTPS -> HTTPS traffic for the external service path to be exposed.

Testing & Reproduction steps

Refer to #20930 for the reproduction scenario.

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@vijayraghav-io
Contributor Author

Hi @david-yu / @huikang / @jkirschner-hashicorp,

Kindly take this PR for review.

@vijayraghav-io vijayraghav-io requested a review from a team as a code owner May 19, 2024 14:21
Cottand commented May 19, 2024

@vijayraghav-io thanks for the PR.

Do we need these fields to be set in config for HTTPS -> HTTPS? I would expect it should be possible to simply not terminate TLS at all.

And if it does terminate TLS, why do we need the keyFile? Can we not have Envoy trust the provided CA and expose HTTP? As in HTTP -> HTTPS

Contributor Author

vijayraghav-io commented May 20, 2024

@Cottand Thanks for your comments.

Yes, as an option, HTTPS passthrough, i.e. without terminating TLS and using the normal TCP_Proxy, can be provided. Updated to accommodate this. For this, the protocol must be provided as "tcp" (Service -> Proxy -> Expose -> Path -> Protocol = "tcp"); there is no need to provide the certfile or keyfile path in this case.

For terminating TLS, yes, it's a good suggestion to have Envoy trust the provided CA; let me get collective feedback from other reviewers as well, if any, before updating.

Successfully merging this pull request may close these issues.

in Connect, I cannot expose path for HTTPS endpoints inside the container