PR comments

This commit is contained in:
freddygv 2021-03-17 16:18:56 -06:00
parent 4c58711594
commit 3c7e5c3308
2 changed files with 34 additions and 42 deletions

View File

@ -311,7 +311,9 @@ func (s *state) initWatchesConnectProxy(snap *ConfigSnapshot) error {
}
// Watch for updates to service endpoints for all upstreams
for _, u := range s.proxyCfg.Upstreams {
for i := range s.proxyCfg.Upstreams {
u := s.proxyCfg.Upstreams[i]
// This can be true if the upstream is a synthetic entry populated from centralized upstream config.
// Watches should not be created for them.
if u.CentrallyConfigured {

View File

@ -33,6 +33,7 @@ import (
)
const (
// TODO (freddy) Make this configurable
TProxyOutboundPort = 15001
)
@ -88,9 +89,6 @@ func (s *Server) listenersFromSnapshotConnectProxy(cInfo connectionInfo, cfgSnap
for id, chain := range cfgSnap.ConnectProxy.DiscoveryChain {
upstreamCfg := cfgSnap.ConnectProxy.UpstreamConfig[id]
if upstreamCfg != nil && upstreamCfg.DestinationType == structs.UpstreamDestTypePreparedQuery {
continue
}
cfg := getAndModifyUpstreamConfigForListener(s.Logger, id, upstreamCfg, chain)
// If escape hatch is present, create a listener from it and move on to the next
@ -718,6 +716,30 @@ func (s *Server) makeInboundListener(cInfo connectionInfo, cfgSnap *proxycfg.Con
return nil, err
}
// For HTTP-like services attach an RBAC http filter and do a best-effort insert
if useHTTPFilter {
httpAuthzFilter, err := makeRBACHTTPFilter(
cfgSnap.ConnectProxy.Intentions,
cfgSnap.IntentionDefaultAllow,
)
if err != nil {
return nil, err
}
// Try our best to inject the HTTP RBAC filter.
if err := injectHTTPFilterOnFilterChains(l, httpAuthzFilter); err != nil {
s.Logger.Warn(
"could not inject the HTTP RBAC filter to enforce intentions on user-provided "+
"'envoy_public_listener_json' config; falling back on the RBAC network filter instead",
"proxy", cfgSnap.ProxyID,
"error", err,
)
// If we get an error inject the RBAC network filter instead.
useHTTPFilter = false
}
}
err := s.finalizePublicListenerFromConfig(l, cInfo, cfgSnap, useHTTPFilter)
if err != nil {
return nil, fmt.Errorf("failed to attach Consul filters and TLS context to custom public listener: %v", err)
@ -725,7 +747,7 @@ func (s *Server) makeInboundListener(cInfo connectionInfo, cfgSnap *proxycfg.Con
return l, nil
}
// No user config, use default listener address
// No JSON user config, use default listener address
// Default to listening on all addresses, but override with bind address if one is set.
addr := cfgSnap.Address
if addr == "" {
@ -738,9 +760,6 @@ func (s *Server) makeInboundListener(cInfo connectionInfo, cfgSnap *proxycfg.Con
// Override with bind port if one is set, otherwise default to
// proxy service's address
port := cfgSnap.Port
// if cfgSnap.Proxy.TransparentProxy {
// port = TProxyInboundPort
// }
if cfg.BindPort != 0 {
port = cfg.BindPort
}
@ -775,47 +794,18 @@ func (s *Server) makeInboundListener(cInfo connectionInfo, cfgSnap *proxycfg.Con
},
}
if !useHTTPFilter {
// Authz filters for non-HTTP services need to be inserted at the head of the list of filters
// on the filter chain.
if err := s.injectConnectFilters(cInfo, cfgSnap, l); err != nil {
return nil, err
}
}
if err := s.injectConnectTLSOnFilterChains(cInfo, cfgSnap, l); err != nil {
return nil, err
err = s.finalizePublicListenerFromConfig(l, cInfo, cfgSnap, useHTTPFilter)
if err != nil {
return nil, fmt.Errorf("failed to attach Consul filters and TLS context to custom public listener: %v", err)
}
return l, err
}
// finalizePublicListenerFromConfig is used for best-effort injection of Consul filter-chains onto custom public listeners.
// finalizePublicListenerFromConfig is used for best-effort injection of Consul filter-chains onto listeners.
// This include L4 authorization filters and TLS context.
func (s *Server) finalizePublicListenerFromConfig(l *envoy_listener_v3.Listener,
cInfo connectionInfo, cfgSnap *proxycfg.ConfigSnapshot, useHTTPFilter bool) error {
// For HTTP-like services attach an RBAC http filter and do a best-effort insert
if useHTTPFilter {
httpAuthzFilter, err := makeRBACHTTPFilter(
cfgSnap.ConnectProxy.Intentions,
cfgSnap.IntentionDefaultAllow,
)
if err != nil {
return err
}
// We're using the listener escape hatch, so try our best to inject the HTTP RBAC filter.
if err := injectHTTPFilterOnFilterChains(l, httpAuthzFilter); err != nil {
s.Logger.Warn(
"could not inject the HTTP RBAC filter to enforce intentions on user-provided "+
"'envoy_public_listener_json' config; falling back on the RBAC network filter instead",
"proxy", cfgSnap.ProxyID,
"error", err,
)
// If we get an error inject the RBAC network filter instead.
useHTTPFilter = false
}
}
if !useHTTPFilter {
// Best-effort injection of L4 intentions
if err := s.injectConnectFilters(cInfo, cfgSnap, l); err != nil {