PR comments
This commit is contained in:
freddygv
parent
4c58711594
commit
3c7e5c3308
|
|
@ -311,7 +311,9 @@ func (s *state) initWatchesConnectProxy(snap *ConfigSnapshot) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Watch for updates to service endpoints for all upstreams
|
// Watch for updates to service endpoints for all upstreams
|
||||||
for _, u := range s.proxyCfg.Upstreams {
|
for i := range s.proxyCfg.Upstreams {
|
||||||
|
u := s.proxyCfg.Upstreams[i]
|
||||||
|
|
||||||
// This can be true if the upstream is a synthetic entry populated from centralized upstream config.
|
// This can be true if the upstream is a synthetic entry populated from centralized upstream config.
|
||||||
// Watches should not be created for them.
|
// Watches should not be created for them.
|
||||||
if u.CentrallyConfigured {
|
if u.CentrallyConfigured {
|
||||||
|
|
|
||||||
|
|
@ -33,6 +33,7 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
// TODO (freddy) Make this configurable
|
||||||
TProxyOutboundPort = 15001
|
TProxyOutboundPort = 15001
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
@ -88,9 +89,6 @@ func (s *Server) listenersFromSnapshotConnectProxy(cInfo connectionInfo, cfgSnap
|
||||||
|
|
||||||
for id, chain := range cfgSnap.ConnectProxy.DiscoveryChain {
|
for id, chain := range cfgSnap.ConnectProxy.DiscoveryChain {
|
||||||
upstreamCfg := cfgSnap.ConnectProxy.UpstreamConfig[id]
|
upstreamCfg := cfgSnap.ConnectProxy.UpstreamConfig[id]
|
||||||
if upstreamCfg != nil && upstreamCfg.DestinationType == structs.UpstreamDestTypePreparedQuery {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
cfg := getAndModifyUpstreamConfigForListener(s.Logger, id, upstreamCfg, chain)
|
cfg := getAndModifyUpstreamConfigForListener(s.Logger, id, upstreamCfg, chain)
|
||||||
|
|
||||||
// If escape hatch is present, create a listener from it and move on to the next
|
// If escape hatch is present, create a listener from it and move on to the next
|
||||||
|
|
@ -718,6 +716,30 @@ func (s *Server) makeInboundListener(cInfo connectionInfo, cfgSnap *proxycfg.Con
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// For HTTP-like services attach an RBAC http filter and do a best-effort insert
|
||||||
|
if useHTTPFilter {
|
||||||
|
httpAuthzFilter, err := makeRBACHTTPFilter(
|
||||||
|
cfgSnap.ConnectProxy.Intentions,
|
||||||
|
cfgSnap.IntentionDefaultAllow,
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try our best to inject the HTTP RBAC filter.
|
||||||
|
if err := injectHTTPFilterOnFilterChains(l, httpAuthzFilter); err != nil {
|
||||||
|
s.Logger.Warn(
|
||||||
|
"could not inject the HTTP RBAC filter to enforce intentions on user-provided "+
|
||||||
|
"'envoy_public_listener_json' config; falling back on the RBAC network filter instead",
|
||||||
|
"proxy", cfgSnap.ProxyID,
|
||||||
|
"error", err,
|
||||||
|
)
|
||||||
|
|
||||||
|
// If we get an error inject the RBAC network filter instead.
|
||||||
|
useHTTPFilter = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
err := s.finalizePublicListenerFromConfig(l, cInfo, cfgSnap, useHTTPFilter)
|
err := s.finalizePublicListenerFromConfig(l, cInfo, cfgSnap, useHTTPFilter)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to attach Consul filters and TLS context to custom public listener: %v", err)
|
return nil, fmt.Errorf("failed to attach Consul filters and TLS context to custom public listener: %v", err)
|
||||||
|
|
@ -725,7 +747,7 @@ func (s *Server) makeInboundListener(cInfo connectionInfo, cfgSnap *proxycfg.Con
|
||||||
return l, nil
|
return l, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// No user config, use default listener address
|
// No JSON user config, use default listener address
|
||||||
// Default to listening on all addresses, but override with bind address if one is set.
|
// Default to listening on all addresses, but override with bind address if one is set.
|
||||||
addr := cfgSnap.Address
|
addr := cfgSnap.Address
|
||||||
if addr == "" {
|
if addr == "" {
|
||||||
|
|
@ -738,9 +760,6 @@ func (s *Server) makeInboundListener(cInfo connectionInfo, cfgSnap *proxycfg.Con
|
||||||
// Override with bind port if one is set, otherwise default to
|
// Override with bind port if one is set, otherwise default to
|
||||||
// proxy service's address
|
// proxy service's address
|
||||||
port := cfgSnap.Port
|
port := cfgSnap.Port
|
||||||
// if cfgSnap.Proxy.TransparentProxy {
|
|
||||||
// port = TProxyInboundPort
|
|
||||||
// }
|
|
||||||
if cfg.BindPort != 0 {
|
if cfg.BindPort != 0 {
|
||||||
port = cfg.BindPort
|
port = cfg.BindPort
|
||||||
}
|
}
|
||||||
|
|
@ -775,47 +794,18 @@ func (s *Server) makeInboundListener(cInfo connectionInfo, cfgSnap *proxycfg.Con
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
if !useHTTPFilter {
|
err = s.finalizePublicListenerFromConfig(l, cInfo, cfgSnap, useHTTPFilter)
|
||||||
// Authz filters for non-HTTP services need to be inserted at the head of the list of filters
|
if err != nil {
|
||||||
// on the filter chain.
|
return nil, fmt.Errorf("failed to attach Consul filters and TLS context to custom public listener: %v", err)
|
||||||
if err := s.injectConnectFilters(cInfo, cfgSnap, l); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if err := s.injectConnectTLSOnFilterChains(cInfo, cfgSnap, l); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return l, err
|
return l, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// finalizePublicListenerFromConfig is used for best-effort injection of Consul filter-chains onto custom public listeners.
|
// finalizePublicListenerFromConfig is used for best-effort injection of Consul filter-chains onto listeners.
|
||||||
|
// This include L4 authorization filters and TLS context.
|
||||||
func (s *Server) finalizePublicListenerFromConfig(l *envoy_listener_v3.Listener,
|
func (s *Server) finalizePublicListenerFromConfig(l *envoy_listener_v3.Listener,
|
||||||
cInfo connectionInfo, cfgSnap *proxycfg.ConfigSnapshot, useHTTPFilter bool) error {
|
cInfo connectionInfo, cfgSnap *proxycfg.ConfigSnapshot, useHTTPFilter bool) error {
|
||||||
|
|
||||||
// For HTTP-like services attach an RBAC http filter and do a best-effort insert
|
|
||||||
if useHTTPFilter {
|
|
||||||
httpAuthzFilter, err := makeRBACHTTPFilter(
|
|
||||||
cfgSnap.ConnectProxy.Intentions,
|
|
||||||
cfgSnap.IntentionDefaultAllow,
|
|
||||||
)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// We're using the listener escape hatch, so try our best to inject the HTTP RBAC filter.
|
|
||||||
if err := injectHTTPFilterOnFilterChains(l, httpAuthzFilter); err != nil {
|
|
||||||
s.Logger.Warn(
|
|
||||||
"could not inject the HTTP RBAC filter to enforce intentions on user-provided "+
|
|
||||||
"'envoy_public_listener_json' config; falling back on the RBAC network filter instead",
|
|
||||||
"proxy", cfgSnap.ProxyID,
|
|
||||||
"error", err,
|
|
||||||
)
|
|
||||||
|
|
||||||
// If we get an error inject the RBAC network filter instead.
|
|
||||||
useHTTPFilter = false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if !useHTTPFilter {
|
if !useHTTPFilter {
|
||||||
// Best-effort injection of L4 intentions
|
// Best-effort injection of L4 intentions
|
||||||
if err := s.injectConnectFilters(cInfo, cfgSnap, l); err != nil {
|
if err := s.injectConnectFilters(cInfo, cfgSnap, l); err != nil {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue