Return SPIFFE ID for connect proxies in PeerMeta

Proxies dialing exporting services need to know the SPIFFE ID of services dialed so that the upstream's SANs can be validated. This commit attaches the SPIFFE ID to all connect proxies exported over the peering stream so that they are available to importing clusters. The data in the SPIFFE ID cannot be re-constructed in peer clusters because the partition of exported services is overwritten on imports.
2022-05-26 18:56:51 -06:00 · 2022-05-26 18:56:51 -06:00 · 5cd5108075
parent a75af9d94a
commit 5cd5108075
2 changed files with 33 additions and 17 deletions
--- a/agent/rpc/peering/stream_test.go
+++ b/agent/rpc/peering/stream_test.go
@ -633,6 +633,15 @@ func testStreamResources_Server_ServiceUpdates(t *testing.T, disableMeshGateways
 	lastIdx++
 	require.NoError(t, store.EnsureService(lastIdx, "foo", mysql.Service))

+	lastIdx++
+	require.NoError(t, store.EnsureService(lastIdx, "foo", &structs.NodeService{
+		ID:      "mysql-sidecar-proxy",
+		Service: "mysql-sidecar-proxy",
+		Kind:    structs.ServiceKindConnectProxy,
+		Port:    5000,
+		Proxy:   structs.ConnectProxyConfig{DestinationServiceName: "mysql"},
+	}))
+
 	var (
 		mongoSN      = structs.NewServiceName("mongo", nil).String()
 		mongoProxySN = structs.NewServiceName("mongo-sidecar-proxy", nil).String()
@ -691,8 +700,14 @@ func testStreamResources_Server_ServiceUpdates(t *testing.T, disableMeshGateways
 			func(t *testing.T, msg *pbpeering.ReplicationMessage) {
 				require.Equal(t, pbpeering.TypeURLService, msg.GetResponse().ResourceURL)
 				require.Equal(t, mysqlProxySN, msg.GetResponse().ResourceID)
-				require.Equal(t, pbpeering.ReplicationMessage_Response_DELETE, msg.GetResponse().Operation)
-				require.Nil(t, msg.GetResponse().Resource)
+				require.Equal(t, pbpeering.ReplicationMessage_Response_UPSERT, msg.GetResponse().Operation)
+
+				var nodes pbservice.IndexedCheckServiceNodes
+				require.NoError(t, ptypes.UnmarshalAny(msg.GetResponse().Resource, &nodes))
+				require.Len(t, nodes.Nodes, 1)
+
+				svid := "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql"
+				require.Equal(t, []string{svid}, nodes.Nodes[0].Service.Connect.PeerMeta.SpiffeID)
 			},
 		)
 	})
--- a/agent/rpc/peering/subscription_manager.go
+++ b/agent/rpc/peering/subscription_manager.go
@ -200,22 +200,23 @@ func (m *subscriptionManager) handleEvent(ctx context.Context, state *subscripti
 			return nil // ignore event
 		}

-		// Clear this raft index before exporting.
-		csn.Index = 0
+		sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, subExportedProxyService))
+		spiffeID := connect.SpiffeIDService{
+			Host:       m.trustDomain,
+			Partition:  sn.PartitionOrDefault(),
+			Namespace:  sn.NamespaceOrDefault(),
+			Datacenter: m.config.Datacenter,
+			Service:    sn.Name,
+		}
+		peerMeta := &pbservice.PeeringServiceMeta{
+			SpiffeID: []string{spiffeID.URI().String()},
+		}

-		// // Flatten health checks
-		// for _, instance := range csn.Nodes {
-		// 	instance.Checks = flattenChecks(
-		// 		instance.Node.Node,
-		// 		instance.Service.ID,
-		// 		instance.Service.Service,
-		// 		instance.Service.EnterpriseMeta,
-		// 		instance.Checks,
-		// 	)
-		// }
-
-		// Scrub raft indexes
+		// skip checks since we just generated one from scratch
+		// Set peerMeta on all instances and scrub the raft indexes.
 		for _, instance := range csn.Nodes {
+			instance.Service.Connect.PeerMeta = peerMeta
+
 			instance.Node.RaftIndex = nil
 			instance.Service.RaftIndex = nil
 			if m.config.DisableMeshGatewayMode {
@ -223,8 +224,8 @@ func (m *subscriptionManager) handleEvent(ctx context.Context, state *subscripti
 					chk.RaftIndex = nil
 				}
 			}
-			// skip checks since we just generated one from scratch
 		}
+		csn.Index = 0

 		id := proxyServicePayloadIDPrefix + strings.TrimPrefix(u.CorrelationID, subExportedProxyService)