set upstream tls for extension and dnsname clusters

Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>

cmd/contour/serve.go

@@ -1200,6 +1200,7 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder {
 			FieldLogger:       s.log.WithField("context", "ExtensionServiceProcessor"),
 			ClientCertificate: dbc.clientCert,
 			ConnectTimeout:    dbc.connectTimeout,
+			UpstreamTLS:       dbc.upstreamTLS,
 		},
 		&dag.HTTPProxyProcessor{
 			EnableExternalNameService:     dbc.enableExternalNameService,

internal/dag/extension_processor.go

@@ -39,6 +39,10 @@ type ExtensionServiceProcessor struct {
 
 	// ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service.
 	ConnectTimeout time.Duration
+
+	// UpstreamTLS defines the TLS settings like min/max version
+	// and cipher suites for upstream connections.
+	UpstreamTLS *contour_api_v1alpha1.EnvoyTLS
 }
 
 var _ Processor = &ExtensionServiceProcessor{}
@@ -114,6 +118,7 @@ func (p *ExtensionServiceProcessor) buildExtensionService(
 		ClusterTimeoutPolicy: ctp,
 		SNI:                  "",
 		ClientCertificate:    clientCertSecret,
+		UpstreamTLS:          (*UpstreamTLS)(p.UpstreamTLS),
 	}
 
 	lbPolicy := loadBalancerPolicy(ext.Spec.LoadBalancerPolicy)

internal/dag/httpproxy_processor.go

@@ -493,6 +493,7 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_api_v1.HTTPProxy) {
 							Port:               port,
 							DNSLookupFamily:    dnsLookupFamily,
 							UpstreamValidation: uv,
+							UpstreamTLS:        (*UpstreamTLS)(p.UpstreamTLS),
 						},
 						CacheDuration: cacheDuration,
 					},