diff --git a/.changelog/10329.txt b/.changelog/10329.txt new file mode 100644 index 000000000..1e7cc6723 --- /dev/null +++ b/.changelog/10329.txt @@ -0,0 +1,3 @@ +```release-note:improvement +connect: Support dialing individual service IP addresses through transparent proxies. +``` \ No newline at end of file diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go index 50350e761..5835ca4cf 100644 --- a/agent/agent_endpoint_test.go +++ b/agent/agent_endpoint_test.go @@ -399,7 +399,7 @@ func TestAgent_Service(t *testing.T) { Service: "web-sidecar-proxy", Port: 8000, Proxy: expectProxy.ToAPI(), - ContentHash: "9dcdedfd5047d46e", + ContentHash: "518ece989813bc13", Weights: api.AgentWeights{ Passing: 1, Warning: 1, @@ -413,7 +413,7 @@ func TestAgent_Service(t *testing.T) { // Copy and modify updatedResponse := *expectedResponse updatedResponse.Port = 9999 - updatedResponse.ContentHash = "a08487ca7854c7cc" + updatedResponse.ContentHash = "6cc7a4afb000afb1" // Simple response for non-proxy service registered in TestAgent config expectWebResponse := &api.AgentService{ diff --git a/agent/config/builder.go b/agent/config/builder.go index b17df1197..ed34f19a0 100644 --- a/agent/config/builder.go +++ b/agent/config/builder.go @@ -1766,6 +1766,7 @@ func (b *builder) transparentProxyConfVal(tproxyConf *TransparentProxyConfig) st } out.OutboundListenerPort = intVal(tproxyConf.OutboundListenerPort) + out.DialedDirectly = boolVal(tproxyConf.DialedDirectly) return out } diff --git a/agent/config/config.go b/agent/config/config.go index 51e8f9445..3e5372391 100644 --- a/agent/config/config.go +++ b/agent/config/config.go @@ -545,8 +545,13 @@ type MeshGatewayConfig struct { } type TransparentProxyConfig struct { - // Mesh Gateway Mode + // The port of the listener where outbound application traffic is being redirected to. OutboundListenerPort *int `mapstructure:"outbound_listener_port"` + + // DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + // The discovery chain is not considered when dialing a service instance directly. + // This setting is useful when addressing stateful services, such as a database cluster with a leader node. + DialedDirectly *bool `mapstructure:"dialed_directly"` } // ExposeConfig describes HTTP paths to expose through Envoy outside of Connect. diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 397e49e93..1a2f318a2 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -2584,7 +2584,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { }, "mode": "transparent", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true }, "upstreams": [ { @@ -2630,6 +2631,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { mode = "transparent" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } upstreams = [ { @@ -2678,6 +2680,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, Upstreams: structs.Upstreams{ structs.Upstream{ @@ -2741,7 +2744,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { }, "mode": "transparent", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true }, "upstreams": [ { @@ -2782,6 +2786,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { mode = "transparent" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } upstreams = [ { @@ -2825,6 +2830,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, Upstreams: structs.Upstreams{ structs.Upstream{ @@ -3471,7 +3477,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { }, "mode": "transparent", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true } } ] @@ -3494,6 +3501,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { mode = "transparent" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } } }`}, @@ -3516,6 +3524,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, } @@ -3541,7 +3550,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { }, "Mode": "transparent", "TransparentProxy": { - "OutboundListenerPort": 10101 + "OutboundListenerPort": 10101, + "DialedDirectly": true } } ] @@ -3564,6 +3574,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode = "transparent" TransparentProxy = { OutboundListenerPort = 10101 + DialedDirectly = true } } }`}, @@ -3586,6 +3597,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, } @@ -3611,7 +3623,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { }, "mode": "transparent", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true } } ] @@ -3634,6 +3647,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { mode = "transparent" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } } }`}, @@ -3656,6 +3670,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, } @@ -3681,7 +3696,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { }, "Mode": "transparent", "TransparentProxy": { - "OutboundListenerPort": 10101 + "OutboundListenerPort": 10101, + "DialedDirectly": true } } ] @@ -3704,6 +3720,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode = "transparent" TransparentProxy = { OutboundListenerPort = 10101 + DialedDirectly = true } } }`}, @@ -3726,6 +3743,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, } @@ -5670,6 +5688,7 @@ func TestLoad_FullConfig(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, Weights: &structs.Weights{ diff --git a/agent/config/testdata/full-config.hcl b/agent/config/testdata/full-config.hcl index cf7a3d3d8..28f8248ce 100644 --- a/agent/config/testdata/full-config.hcl +++ b/agent/config/testdata/full-config.hcl @@ -602,6 +602,7 @@ services = [ mode = "transparent" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } } }, diff --git a/agent/config/testdata/full-config.json b/agent/config/testdata/full-config.json index 8a575ceb6..66fad69f3 100644 --- a/agent/config/testdata/full-config.json +++ b/agent/config/testdata/full-config.json @@ -575,7 +575,8 @@ }, "mode": "transparent", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true }, "upstreams": [ { diff --git a/agent/consul/config_endpoint.go b/agent/consul/config_endpoint.go index 0ab771e5c..6c8e0ff9a 100644 --- a/agent/consul/config_endpoint.go +++ b/agent/consul/config_endpoint.go @@ -396,6 +396,9 @@ func (c *ConfigEntry) ResolveServiceConfig(args *structs.ServiceConfigRequest, r if serviceConf.TransparentProxy.OutboundListenerPort != 0 { thisReply.TransparentProxy.OutboundListenerPort = serviceConf.TransparentProxy.OutboundListenerPort } + if serviceConf.TransparentProxy.DialedDirectly { + thisReply.TransparentProxy.DialedDirectly = serviceConf.TransparentProxy.DialedDirectly + } if serviceConf.Mode != structs.ProxyModeDefault { thisReply.Mode = serviceConf.Mode } diff --git a/agent/consul/config_endpoint_test.go b/agent/consul/config_endpoint_test.go index 527018ee0..f94660598 100644 --- a/agent/consul/config_endpoint_test.go +++ b/agent/consul/config_endpoint_test.go @@ -911,10 +911,13 @@ func TestConfigEntry_ResolveServiceConfig_TransparentProxy(t *testing.T) { name: "from proxy-defaults", entries: []structs.ConfigEntry{ &structs.ProxyConfigEntry{ - Kind: structs.ProxyDefaults, - Name: structs.ProxyConfigGlobal, - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Kind: structs.ProxyDefaults, + Name: structs.ProxyConfigGlobal, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: true, + }, }, }, request: structs.ServiceConfigRequest{ @@ -922,8 +925,11 @@ func TestConfigEntry_ResolveServiceConfig_TransparentProxy(t *testing.T) { Datacenter: "dc1", }, expect: structs.ServiceConfigResponse{ - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: true, + }, }, }, { @@ -949,16 +955,22 @@ func TestConfigEntry_ResolveServiceConfig_TransparentProxy(t *testing.T) { name: "service-defaults overrides proxy-defaults", entries: []structs.ConfigEntry{ &structs.ProxyConfigEntry{ - Kind: structs.ProxyDefaults, - Name: structs.ProxyConfigGlobal, - Mode: structs.ProxyModeDirect, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Kind: structs.ProxyDefaults, + Name: structs.ProxyConfigGlobal, + Mode: structs.ProxyModeDirect, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: false, + }, }, &structs.ServiceConfigEntry{ - Kind: structs.ServiceDefaults, - Name: "foo", - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 808}, + Kind: structs.ServiceDefaults, + Name: "foo", + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 808, + DialedDirectly: true, + }, }, }, request: structs.ServiceConfigRequest{ @@ -966,8 +978,11 @@ func TestConfigEntry_ResolveServiceConfig_TransparentProxy(t *testing.T) { Datacenter: "dc1", }, expect: structs.ServiceConfigResponse{ - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 808}, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 808, + DialedDirectly: true, + }, }, }, } @@ -1303,8 +1318,11 @@ func TestConfigEntry_ResolveServiceConfig_Upstreams(t *testing.T) { }, // TransparentProxy on the config entry but not the config request - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: true, + }, }, }, request: structs.ServiceConfigRequest{ @@ -1314,8 +1332,11 @@ func TestConfigEntry_ResolveServiceConfig_Upstreams(t *testing.T) { // Empty Upstreams/UpstreamIDs }, expect: structs.ServiceConfigResponse{ - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: true, + }, UpstreamIDConfigs: structs.OpaqueUpstreamConfigs{ { Upstream: wildcard, diff --git a/agent/proxycfg/manager_test.go b/agent/proxycfg/manager_test.go index 88f15a06d..268bf3ee7 100644 --- a/agent/proxycfg/manager_test.go +++ b/agent/proxycfg/manager_test.go @@ -237,6 +237,7 @@ func TestManager_BasicLifecycle(t *testing.T) { upstreams[1].Identifier(): &upstreams[1], upstreams[2].Identifier(): &upstreams[2], }, + PassthroughUpstreams: map[string]ServicePassthroughAddrs{}, }, PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{}, WatchedServiceChecks: map[structs.ServiceID][]structs.CheckType{}, @@ -293,6 +294,7 @@ func TestManager_BasicLifecycle(t *testing.T) { upstreams[1].Identifier(): &upstreams[1], upstreams[2].Identifier(): &upstreams[2], }, + PassthroughUpstreams: map[string]ServicePassthroughAddrs{}, }, PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{}, WatchedServiceChecks: map[structs.ServiceID][]structs.CheckType{}, diff --git a/agent/proxycfg/snapshot.go b/agent/proxycfg/snapshot.go index c7674186a..991ef38fd 100644 --- a/agent/proxycfg/snapshot.go +++ b/agent/proxycfg/snapshot.go @@ -47,6 +47,18 @@ type ConfigSnapshotUpstreams struct { // UpstreamConfig is a map to an upstream's configuration. UpstreamConfig map[string]*structs.Upstream + + // PassthroughEndpoints is a map of: ServiceName -> ServicePassthroughAddrs. + PassthroughUpstreams map[string]ServicePassthroughAddrs +} + +// ServicePassthroughAddrs contains the LAN addrs +type ServicePassthroughAddrs struct { + // SNI is the Service SNI of the upstream. + SNI string + + // Addrs is a set of the best LAN addresses for the instances of the upstream. + Addrs map[string]struct{} } type configSnapshotConnectProxy struct { @@ -80,6 +92,7 @@ func (c *configSnapshotConnectProxy) IsEmpty() bool { len(c.WatchedServiceChecks) == 0 && len(c.PreparedQueryEndpoints) == 0 && len(c.UpstreamConfig) == 0 && + len(c.PassthroughUpstreams) == 0 && !c.MeshConfigSet } diff --git a/agent/proxycfg/state.go b/agent/proxycfg/state.go index f53f46086..63269378f 100644 --- a/agent/proxycfg/state.go +++ b/agent/proxycfg/state.go @@ -15,6 +15,7 @@ import ( "github.com/hashicorp/consul/agent/cache" cachetype "github.com/hashicorp/consul/agent/cache-types" + "github.com/hashicorp/consul/agent/connect" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/logging" ) @@ -582,6 +583,7 @@ func (s *state) initialConfigSnapshot() ConfigSnapshot { snap.ConnectProxy.WatchedServiceChecks = make(map[structs.ServiceID][]structs.CheckType) snap.ConnectProxy.PreparedQueryEndpoints = make(map[string]structs.CheckServiceNodes) snap.ConnectProxy.UpstreamConfig = make(map[string]*structs.Upstream) + snap.ConnectProxy.PassthroughUpstreams = make(map[string]ServicePassthroughAddrs) case structs.ServiceKindTerminatingGateway: snap.TerminatingGateway.WatchedServices = make(map[structs.ServiceName]context.CancelFunc) snap.TerminatingGateway.WatchedIntentions = make(map[structs.ServiceName]context.CancelFunc) @@ -885,23 +887,28 @@ func (s *state) handleUpdateConnectProxy(u cache.UpdateEvent, snap *ConfigSnapsh snap.ConnectProxy.MeshConfigSet = true default: - return s.handleUpdateUpstreams(u, &snap.ConnectProxy.ConfigSnapshotUpstreams) + return s.handleUpdateUpstreams(u, snap) } return nil } -func (s *state) handleUpdateUpstreams(u cache.UpdateEvent, snap *ConfigSnapshotUpstreams) error { +func (s *state) handleUpdateUpstreams(u cache.UpdateEvent, snap *ConfigSnapshot) error { if u.Err != nil { return fmt.Errorf("error filling agent cache: %v", u.Err) } + upstreamsSnapshot := &snap.ConnectProxy.ConfigSnapshotUpstreams + if snap.Kind == structs.ServiceKindIngressGateway { + upstreamsSnapshot = &snap.IngressGateway.ConfigSnapshotUpstreams + } + switch { case u.CorrelationID == leafWatchID: leaf, ok := u.Result.(*structs.IssuedCert) if !ok { return fmt.Errorf("invalid type for response: %T", u.Result) } - snap.Leaf = leaf + upstreamsSnapshot.Leaf = leaf case strings.HasPrefix(u.CorrelationID, "discovery-chain:"): resp, ok := u.Result.(*structs.DiscoveryChainResponse) @@ -909,9 +916,9 @@ func (s *state) handleUpdateUpstreams(u cache.UpdateEvent, snap *ConfigSnapshotU return fmt.Errorf("invalid type for response: %T", u.Result) } svc := strings.TrimPrefix(u.CorrelationID, "discovery-chain:") - snap.DiscoveryChain[svc] = resp.Chain + upstreamsSnapshot.DiscoveryChain[svc] = resp.Chain - if err := s.resetWatchesFromChain(svc, resp.Chain, snap); err != nil { + if err := s.resetWatchesFromChain(svc, resp.Chain, upstreamsSnapshot); err != nil { return err } @@ -926,10 +933,53 @@ func (s *state) handleUpdateUpstreams(u cache.UpdateEvent, snap *ConfigSnapshotU return fmt.Errorf("invalid correlation id %q", u.CorrelationID) } - if _, ok := snap.WatchedUpstreamEndpoints[svc]; !ok { - snap.WatchedUpstreamEndpoints[svc] = make(map[string]structs.CheckServiceNodes) + if _, ok := upstreamsSnapshot.WatchedUpstreamEndpoints[svc]; !ok { + upstreamsSnapshot.WatchedUpstreamEndpoints[svc] = make(map[string]structs.CheckServiceNodes) + } + upstreamsSnapshot.WatchedUpstreamEndpoints[svc][targetID] = resp.Nodes + + var passthroughAddrs map[string]ServicePassthroughAddrs + + for _, node := range resp.Nodes { + if snap.Proxy.Mode == structs.ProxyModeTransparent && node.Service.Proxy.TransparentProxy.DialedDirectly { + if passthroughAddrs == nil { + passthroughAddrs = make(map[string]ServicePassthroughAddrs) + } + + svc := node.Service.CompoundServiceName() + + // Overwrite the name if it's a connect proxy (as opposed to Connect native). + // We don't reference the proxy name directly for things like SNI, but rather the name + // of the destination. The enterprise meta of a proxy will always be the same as that of + // the destination service, so that remains intact. + if node.Service.Kind == structs.ServiceKindConnectProxy { + dst := node.Service.Proxy.DestinationServiceName + if dst == "" { + dst = node.Service.Proxy.DestinationServiceID + } + svc.Name = dst + } + + sni := connect.ServiceSNI( + svc.Name, + "", + svc.NamespaceOrDefault(), + snap.Datacenter, + snap.Roots.TrustDomain) + + if _, ok := upstreamsSnapshot.PassthroughUpstreams[svc.String()]; !ok { + upstreamsSnapshot.PassthroughUpstreams[svc.String()] = ServicePassthroughAddrs{ + SNI: sni, + + // Stored in a set because it's possible for these to be duplicated + // when the upstream-target is targeted by multiple discovery chains. + Addrs: make(map[string]struct{}), + } + } + addr, _ := node.BestAddress(false) + upstreamsSnapshot.PassthroughUpstreams[svc.String()].Addrs[addr] = struct{}{} + } } - snap.WatchedUpstreamEndpoints[svc][targetID] = resp.Nodes case strings.HasPrefix(u.CorrelationID, "mesh-gateway:"): resp, ok := u.Result.(*structs.IndexedNodesWithGateways) @@ -941,10 +991,10 @@ func (s *state) handleUpdateUpstreams(u cache.UpdateEvent, snap *ConfigSnapshotU if !ok { return fmt.Errorf("invalid correlation id %q", u.CorrelationID) } - if _, ok = snap.WatchedGatewayEndpoints[svc]; !ok { - snap.WatchedGatewayEndpoints[svc] = make(map[string]structs.CheckServiceNodes) + if _, ok = upstreamsSnapshot.WatchedGatewayEndpoints[svc]; !ok { + upstreamsSnapshot.WatchedGatewayEndpoints[svc] = make(map[string]structs.CheckServiceNodes) } - snap.WatchedGatewayEndpoints[svc][dc] = resp.Nodes + upstreamsSnapshot.WatchedGatewayEndpoints[svc][dc] = resp.Nodes default: return fmt.Errorf("unknown correlation ID: %s", u.CorrelationID) } @@ -1703,7 +1753,7 @@ func (s *state) handleUpdateIngressGateway(u cache.UpdateEvent, snap *ConfigSnap } default: - return s.handleUpdateUpstreams(u, &snap.IngressGateway.ConfigSnapshotUpstreams) + return s.handleUpdateUpstreams(u, snap) } return nil diff --git a/agent/proxycfg/state_test.go b/agent/proxycfg/state_test.go index d2549d1a2..22e99477e 100644 --- a/agent/proxycfg/state_test.go +++ b/agent/proxycfg/state_test.go @@ -3,6 +3,7 @@ package proxycfg import ( "context" "fmt" + "github.com/hashicorp/consul/agent/connect" "sync" "testing" "time" @@ -1767,11 +1768,40 @@ func TestState_WatchesAndUpdates(t *testing.T) { { Node: &structs.Node{ Node: "node1", - Address: "127.0.0.1", + Address: "10.0.0.1", }, Service: &structs.NodeService{ - ID: "db1", - Service: "db", + Kind: structs.ServiceKindConnectProxy, + ID: "db-sidecar-proxy", + Service: "db-sidecar-proxy", + Address: "10.10.10.10", + TaggedAddresses: map[string]structs.ServiceAddress{ + structs.TaggedAddressWAN: {Address: "17.5.7.8"}, + structs.TaggedAddressWANIPv6: {Address: "2607:f0d0:1002:51::4"}, + }, + Proxy: structs.ConnectProxyConfig{ + DestinationServiceName: "db", + TransparentProxy: structs.TransparentProxyConfig{ + DialedDirectly: true, + }, + }, + }, + }, + { + Node: &structs.Node{ + Node: "node2", + Address: "10.0.0.2", + }, + Service: &structs.NodeService{ + Kind: structs.ServiceKindConnectProxy, + ID: "db-sidecar-proxy2", + Service: "db-sidecar-proxy", + Proxy: structs.ConnectProxyConfig{ + DestinationServiceName: "db", + TransparentProxy: structs.TransparentProxyConfig{ + DialedDirectly: true, + }, + }, }, }, }, @@ -1789,15 +1819,56 @@ func TestState_WatchesAndUpdates(t *testing.T) { { Node: &structs.Node{ Node: "node1", - Address: "127.0.0.1", + Address: "10.0.0.1", }, Service: &structs.NodeService{ - ID: "db1", - Service: "db", + Kind: structs.ServiceKindConnectProxy, + ID: "db-sidecar-proxy", + Service: "db-sidecar-proxy", + Address: "10.10.10.10", + TaggedAddresses: map[string]structs.ServiceAddress{ + structs.TaggedAddressWAN: {Address: "17.5.7.8"}, + structs.TaggedAddressWANIPv6: {Address: "2607:f0d0:1002:51::4"}, + }, + Proxy: structs.ConnectProxyConfig{ + DestinationServiceName: "db", + TransparentProxy: structs.TransparentProxyConfig{ + DialedDirectly: true, + }, + }, + }, + }, + { + Node: &structs.Node{ + Node: "node2", + Address: "10.0.0.2", + }, + Service: &structs.NodeService{ + Kind: structs.ServiceKindConnectProxy, + ID: "db-sidecar-proxy2", + Service: "db-sidecar-proxy", + Proxy: structs.ConnectProxyConfig{ + DestinationServiceName: "db", + TransparentProxy: structs.TransparentProxyConfig{ + DialedDirectly: true, + }, + }, }, }, }, ) + // The LAN service address is used below because transparent proxying + // does not support querying service nodes in other DCs, and the WAN address + // should not be used in DC-local calls. + require.Equal(t, snap.ConnectProxy.PassthroughUpstreams, map[string]ServicePassthroughAddrs{ + db.String(): { + SNI: connect.ServiceSNI("db", "", structs.IntentionDefaultNamespace, snap.Datacenter, snap.Roots.TrustDomain), + Addrs: map[string]struct{}{ + "10.10.10.10": {}, + "10.0.0.2": {}, + }, + }, + }) }, }, // Discovery chain updates should be stored diff --git a/agent/service_manager.go b/agent/service_manager.go index e67f30ce0..d112fc2d0 100644 --- a/agent/service_manager.go +++ b/agent/service_manager.go @@ -383,6 +383,9 @@ func mergeServiceConfig(defaults *structs.ServiceConfigResponse, service *struct if ns.Proxy.TransparentProxy.OutboundListenerPort == 0 { ns.Proxy.TransparentProxy.OutboundListenerPort = defaults.TransparentProxy.OutboundListenerPort } + if !ns.Proxy.TransparentProxy.DialedDirectly { + ns.Proxy.TransparentProxy.DialedDirectly = defaults.TransparentProxy.DialedDirectly + } // remoteUpstreams contains synthetic Upstreams generated from central config (service-defaults.UpstreamConfigs). remoteUpstreams := make(map[structs.ServiceID]structs.Upstream) diff --git a/agent/service_manager_test.go b/agent/service_manager_test.go index 464b7087e..41aabd228 100644 --- a/agent/service_manager_test.go +++ b/agent/service_manager_test.go @@ -953,6 +953,7 @@ func Test_mergeServiceConfig_UpstreamOverrides(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, Upstreams: structs.Upstreams{ structs.Upstream{ @@ -976,6 +977,7 @@ func Test_mergeServiceConfig_UpstreamOverrides(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, Upstreams: structs.Upstreams{ structs.Upstream{ @@ -1197,8 +1199,11 @@ func Test_mergeServiceConfig_TransparentProxy(t *testing.T) { name: "inherit transparent proxy settings", args: args{ defaults: &structs.ServiceConfigResponse{ - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: true, + }, }, service: &structs.NodeService{ ID: "foo-proxy", @@ -1218,7 +1223,10 @@ func Test_mergeServiceConfig_TransparentProxy(t *testing.T) { DestinationServiceName: "foo", DestinationServiceID: "foo", Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: true, + }, }, }, }, @@ -1226,8 +1234,11 @@ func Test_mergeServiceConfig_TransparentProxy(t *testing.T) { name: "override transparent proxy settings", args: args{ defaults: &structs.ServiceConfigResponse{ - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: false, + }, }, service: &structs.NodeService{ ID: "foo-proxy", @@ -1236,7 +1247,10 @@ func Test_mergeServiceConfig_TransparentProxy(t *testing.T) { DestinationServiceName: "foo", DestinationServiceID: "foo", Mode: structs.ProxyModeDirect, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 808}, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 808, + DialedDirectly: true, + }, }, }, }, @@ -1247,7 +1261,10 @@ func Test_mergeServiceConfig_TransparentProxy(t *testing.T) { DestinationServiceName: "foo", DestinationServiceID: "foo", Mode: structs.ProxyModeDirect, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 808}, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 808, + DialedDirectly: true, + }, }, }, }, diff --git a/agent/structs/connect_proxy_config.go b/agent/structs/connect_proxy_config.go index d55dacec1..20037a71d 100644 --- a/agent/structs/connect_proxy_config.go +++ b/agent/structs/connect_proxy_config.go @@ -125,10 +125,18 @@ func ValidateProxyMode(mode string) (ProxyMode, error) { type TransparentProxyConfig struct { // The port of the listener where outbound application traffic is being redirected to. OutboundListenerPort int `json:",omitempty" alias:"outbound_listener_port"` + + // DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + // The discovery chain is not considered when dialing a service instance directly. + // This setting is useful when addressing stateful services, such as a database cluster with a leader node. + DialedDirectly bool `json:",omitempty" alias:"dialed_directly"` } func (c TransparentProxyConfig) ToAPI() *api.TransparentProxyConfig { - return &api.TransparentProxyConfig{OutboundListenerPort: c.OutboundListenerPort} + return &api.TransparentProxyConfig{ + OutboundListenerPort: c.OutboundListenerPort, + DialedDirectly: c.DialedDirectly, + } } // ConnectProxyConfig describes the configuration needed for any proxy managed @@ -225,6 +233,9 @@ func (t *ConnectProxyConfig) UnmarshalJSON(data []byte) (err error) { if t.TransparentProxy.OutboundListenerPort == 0 { t.TransparentProxy.OutboundListenerPort = aux.TransparentProxySnake.OutboundListenerPort } + if !t.TransparentProxy.DialedDirectly { + t.TransparentProxy.DialedDirectly = aux.TransparentProxySnake.DialedDirectly + } return nil diff --git a/agent/structs/discovery_chain.go b/agent/structs/discovery_chain.go index 42b8ebb60..ded0e1726 100644 --- a/agent/structs/discovery_chain.go +++ b/agent/structs/discovery_chain.go @@ -94,6 +94,11 @@ func (c *CompiledDiscoveryChain) ID() string { return chainID("", c.ServiceName, c.Namespace, c.Datacenter) } +func (c *CompiledDiscoveryChain) CompoundServiceName() ServiceName { + entMeta := NewEnterpriseMeta(c.Namespace) + return NewServiceName(c.ServiceName, &entMeta) +} + const ( DiscoveryGraphNodeTypeRouter = "router" DiscoveryGraphNodeTypeSplitter = "splitter" diff --git a/agent/structs/structs_filtering_test.go b/agent/structs/structs_filtering_test.go index 6ac29cdba..94ab53c61 100644 --- a/agent/structs/structs_filtering_test.go +++ b/agent/structs/structs_filtering_test.go @@ -102,6 +102,11 @@ var expectedFieldConfigTransparentProxyConfig bexpr.FieldConfigurations = bexpr. CoerceFn: bexpr.CoerceInt, SupportedOperations: []bexpr.MatchOperator{bexpr.MatchEqual, bexpr.MatchNotEqual}, }, + "DialedDirectly": &bexpr.FieldConfiguration{ + StructFieldName: "DialedDirectly", + CoerceFn: bexpr.CoerceBool, + SupportedOperations: []bexpr.MatchOperator{bexpr.MatchEqual, bexpr.MatchNotEqual}, + }, } var expectedFieldConfigExposeConfig bexpr.FieldConfigurations = bexpr.FieldConfigurations{ diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go index d32fc57a4..c473f33cd 100644 --- a/agent/xds/clusters.go +++ b/agent/xds/clusters.go @@ -96,20 +96,12 @@ func (s *ResourceGenerator) clustersFromSnapshotConnectProxy(cfgSnap *proxycfg.C } clusters = append(clusters, appCluster) - // In transparent proxy mode there needs to be a passthrough cluster for traffic going to destinations - // that aren't in Consul's catalog. - if cfgSnap.Proxy.Mode == structs.ProxyModeTransparent && - (cfgSnap.ConnectProxy.MeshConfig == nil || - !cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.CatalogDestinationsOnly) { - - clusters = append(clusters, &envoy_cluster_v3.Cluster{ - Name: OriginalDestinationClusterName, - ClusterDiscoveryType: &envoy_cluster_v3.Cluster_Type{ - Type: envoy_cluster_v3.Cluster_ORIGINAL_DST, - }, - LbPolicy: envoy_cluster_v3.Cluster_CLUSTER_PROVIDED, - ConnectTimeout: ptypes.DurationProto(5 * time.Second), - }) + if cfgSnap.Proxy.Mode == structs.ProxyModeTransparent { + passthroughs, err := makePassthroughClusters(cfgSnap) + if err != nil { + return nil, fmt.Errorf("failed to make passthrough clusters for transparent proxy: %v", err) + } + clusters = append(clusters, passthroughs...) } for id, chain := range cfgSnap.ConnectProxy.DiscoveryChain { @@ -176,6 +168,58 @@ func makeExposeClusterName(destinationPort int) string { return fmt.Sprintf("exposed_cluster_%d", destinationPort) } +// In transparent proxy mode there are potentially multiple passthrough clusters added. +// The first is for destinations outside of Consul's catalog. This is for a plain TCP proxy. +// All of these use Envoy's ORIGINAL_DST listener filter, which forwards to the original +// destination address (before the iptables redirection). +// The rest are for destinations inside the mesh, which require certificates for mTLS. +func makePassthroughClusters(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error) { + // This size is an upper bound. + clusters := make([]proto.Message, 0, len(cfgSnap.ConnectProxy.PassthroughUpstreams)+1) + + if cfgSnap.ConnectProxy.MeshConfig == nil || + !cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.CatalogDestinationsOnly { + + clusters = append(clusters, &envoy_cluster_v3.Cluster{ + Name: OriginalDestinationClusterName, + ClusterDiscoveryType: &envoy_cluster_v3.Cluster_Type{ + Type: envoy_cluster_v3.Cluster_ORIGINAL_DST, + }, + LbPolicy: envoy_cluster_v3.Cluster_CLUSTER_PROVIDED, + ConnectTimeout: ptypes.DurationProto(5 * time.Second), + }) + } + + for _, passthrough := range cfgSnap.ConnectProxy.PassthroughUpstreams { + // Prefixed with passthrough to distinguish from non-passthrough clusters for the same upstream. + name := "passthrough~" + passthrough.SNI + + c := envoy_cluster_v3.Cluster{ + Name: name, + ClusterDiscoveryType: &envoy_cluster_v3.Cluster_Type{ + Type: envoy_cluster_v3.Cluster_ORIGINAL_DST, + }, + LbPolicy: envoy_cluster_v3.Cluster_CLUSTER_PROVIDED, + + // TODO(tproxy) This should use the connection timeout configured on the upstream's config entry + ConnectTimeout: ptypes.DurationProto(5 * time.Second), + } + + tlsContext := envoy_tls_v3.UpstreamTlsContext{ + CommonTlsContext: makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.Leaf()), + Sni: passthrough.SNI, + } + transportSocket, err := makeUpstreamTLSTransportSocket(&tlsContext) + if err != nil { + return nil, err + } + c.TransportSocket = transportSocket + clusters = append(clusters, &c) + } + + return clusters, nil +} + // clustersFromSnapshotMeshGateway returns the xDS API representation of the "clusters" // for a mesh gateway. This will include 1 cluster per remote datacenter as well as // 1 cluster for each service subset. diff --git a/agent/xds/clusters_test.go b/agent/xds/clusters_test.go index 0d96b2af4..5fa6c7ccf 100644 --- a/agent/xds/clusters_test.go +++ b/agent/xds/clusters_test.go @@ -14,6 +14,8 @@ import ( testinf "github.com/mitchellh/go-testing-interface" "github.com/stretchr/testify/require" + "github.com/hashicorp/consul/agent/connect" + "github.com/hashicorp/consul/agent/consul/discoverychain" "github.com/hashicorp/consul/agent/proxycfg" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/agent/xds/proxysupport" @@ -646,7 +648,7 @@ func TestClustersFromSnapshot(t *testing.T) { }, }, { - name: "transparent-proxy catalog destinations only", + name: "transparent-proxy-catalog-destinations-only", create: proxycfg.TestConfigSnapshot, setup: func(snap *proxycfg.ConfigSnapshot) { snap.Proxy.Mode = structs.ProxyModeTransparent @@ -659,6 +661,52 @@ func TestClustersFromSnapshot(t *testing.T) { } }, }, + { + name: "transparent-proxy-dial-instances-directly", + create: proxycfg.TestConfigSnapshot, + setup: func(snap *proxycfg.ConfigSnapshot) { + snap.Proxy.Mode = structs.ProxyModeTransparent + + // We add a passthrough cluster for each upstream service name + snap.ConnectProxy.PassthroughUpstreams = map[string]proxycfg.ServicePassthroughAddrs{ + "default/kafka": { + SNI: "kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + Addrs: map[string]struct{}{ + "9.9.9.9": {}, + }, + }, + "default/mongo": { + SNI: "mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + Addrs: map[string]struct{}{ + "10.10.10.10": {}, + "10.10.10.12": {}, + }, + }, + } + + // There should still be a cluster for non-passthrough requests + snap.ConnectProxy.DiscoveryChain["mongo"] = discoverychain.TestCompileConfigEntries( + t, "mongo", "default", "dc1", + connect.TestClusterID+".consul", "dc1", nil) + snap.ConnectProxy.WatchedUpstreamEndpoints["mongo"] = map[string]structs.CheckServiceNodes{ + "mongo.default.dc1": { + structs.CheckServiceNode{ + Node: &structs.Node{ + Datacenter: "dc1", + }, + Service: &structs.NodeService{ + Service: "mongo", + Address: "7.7.7.7", + Port: 27017, + TaggedAddresses: map[string]structs.ServiceAddress{ + "virtual": {Address: "6.6.6.6"}, + }, + }, + }, + }, + } + }, + }, } latestEnvoyVersion := proxysupport.EnvoyVersions[0] diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go index cc08ed0d5..b7fe4452c 100644 --- a/agent/xds/listeners.go +++ b/agent/xds/listeners.go @@ -91,8 +91,6 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. } } - var hasFilterChains bool - for id, chain := range cfgSnap.ConnectProxy.DiscoveryChain { upstreamCfg := cfgSnap.ConnectProxy.UpstreamConfig[id] cfg := s.getAndModifyUpstreamConfigForListener(id, upstreamCfg, chain) @@ -167,45 +165,51 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. // For every potential address we collected, create the appropriate address prefix to match on. // In this case we are matching on exact addresses, so the prefix is the address itself, // and the prefix length is based on whether it's IPv4 or IPv6. - ranges := make([]*envoy_core_v3.CidrRange, 0) - - for addr := range uniqueAddrs { - ip := net.ParseIP(addr) - if ip == nil { - continue - } - - pfxLen := uint32(32) - if ip.To4() == nil { - pfxLen = 128 - } - ranges = append(ranges, &envoy_core_v3.CidrRange{ - AddressPrefix: addr, - PrefixLen: &wrappers.UInt32Value{Value: pfxLen}, - }) - } - - // The match rules are stable sorted to avoid draining if the list is provided out of order - sort.SliceStable(ranges, func(i, j int) bool { - return ranges[i].AddressPrefix < ranges[j].AddressPrefix - }) - - filterChain.FilterChainMatch = &envoy_listener_v3.FilterChainMatch{ - PrefixRanges: ranges, - } + filterChain.FilterChainMatch = makeFilterChainMatchFromAddrs(uniqueAddrs) // Only attach the filter chain if there are addresses to match on - if len(ranges) > 0 { + if filterChain.FilterChainMatch != nil && len(filterChain.FilterChainMatch.PrefixRanges) > 0 { outboundListener.FilterChains = append(outboundListener.FilterChains, filterChain) } - hasFilterChains = true } - // Only create the outbound listener when there are upstreams and filter chains are present - if outboundListener != nil && hasFilterChains { + if outboundListener != nil { + // Add a passthrough for every mesh endpoint that can be dialed directly, + // as opposed to via a virtual IP. + var passthroughChains []*envoy_listener_v3.FilterChain + + for svc, passthrough := range cfgSnap.ConnectProxy.PassthroughUpstreams { + sn := structs.ServiceNameFromString(svc) + u := structs.Upstream{ + DestinationName: sn.Name, + DestinationNamespace: sn.NamespaceOrDefault(), + } + + filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( + "", + "passthrough~"+passthrough.SNI, + + // TODO(tproxy) This should use the protocol configured on the upstream's config entry + "tcp", + &u, + nil, + cfgSnap, + nil, + ) + if err != nil { + return nil, err + } + filterChain.FilterChainMatch = makeFilterChainMatchFromAddrs(passthrough.Addrs) + + passthroughChains = append(passthroughChains, filterChain) + } + + outboundListener.FilterChains = append(outboundListener.FilterChains, passthroughChains...) + // Filter chains are stable sorted to avoid draining if the list is provided out of order sort.SliceStable(outboundListener.FilterChains, func(i, j int) bool { - return outboundListener.FilterChains[i].Name < outboundListener.FilterChains[j].Name + return outboundListener.FilterChains[i].FilterChainMatch.PrefixRanges[0].AddressPrefix < + outboundListener.FilterChains[j].FilterChainMatch.PrefixRanges[0].AddressPrefix }) // Add a catch-all filter chain that acts as a TCP proxy to non-catalog destinations @@ -213,7 +217,7 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. !cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.CatalogDestinationsOnly { filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( - "passthrough", + "", OriginalDestinationClusterName, "tcp", nil, @@ -227,7 +231,10 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. outboundListener.FilterChains = append(outboundListener.FilterChains, filterChain) } - resources = append(resources, outboundListener) + // Only add the outbound listener if configured. + if len(outboundListener.FilterChains) > 0 { + resources = append(resources, outboundListener) + } } // Looping over explicit upstreams is only needed for prepared queries because they do not have discovery chains @@ -295,6 +302,35 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. return resources, nil } +func makeFilterChainMatchFromAddrs(addrs map[string]struct{}) *envoy_listener_v3.FilterChainMatch { + ranges := make([]*envoy_core_v3.CidrRange, 0) + + for addr := range addrs { + ip := net.ParseIP(addr) + if ip == nil { + continue + } + + pfxLen := uint32(32) + if ip.To4() == nil { + pfxLen = 128 + } + ranges = append(ranges, &envoy_core_v3.CidrRange{ + AddressPrefix: addr, + PrefixLen: &wrappers.UInt32Value{Value: pfxLen}, + }) + } + + // The match rules are stable sorted to avoid draining if the list is provided out of order + sort.SliceStable(ranges, func(i, j int) bool { + return ranges[i].AddressPrefix < ranges[j].AddressPrefix + }) + + return &envoy_listener_v3.FilterChainMatch{ + PrefixRanges: ranges, + } +} + func parseCheckPath(check structs.CheckType) (structs.ExposePath, error) { var path structs.ExposePath @@ -1258,7 +1294,10 @@ func (s *ResourceGenerator) makeUpstreamFilterChainForDiscoveryChain( if overrideCluster != "" { useRDS = false clusterName = overrideCluster - filterName = overrideCluster + + if destination == "" { + filterName = overrideCluster + } } opts := listenerFilterOpts{ diff --git a/agent/xds/listeners_test.go b/agent/xds/listeners_test.go index fa3e36979..b104877f6 100644 --- a/agent/xds/listeners_test.go +++ b/agent/xds/listeners_test.go @@ -584,6 +584,61 @@ func TestListenersFromSnapshot(t *testing.T) { connect.TestClusterID+".consul", "dc1", nil) }, }, + { + name: "transparent-proxy-dial-instances-directly", + create: proxycfg.TestConfigSnapshot, + setup: func(snap *proxycfg.ConfigSnapshot) { + snap.Proxy.Mode = structs.ProxyModeTransparent + + snap.ConnectProxy.DiscoveryChain["mongo"] = discoverychain.TestCompileConfigEntries( + t, "mongo", "default", "dc1", + connect.TestClusterID+".consul", "dc1", nil) + + snap.ConnectProxy.DiscoveryChain["kafka"] = discoverychain.TestCompileConfigEntries( + t, "kafka", "default", "dc1", + connect.TestClusterID+".consul", "dc1", nil) + + kafka := structs.NewServiceName("kafka", structs.DefaultEnterpriseMeta()) + mongo := structs.NewServiceName("mongo", structs.DefaultEnterpriseMeta()) + + // We add a filter chains for each passthrough service name. + // The filter chain will route to a cluster with the same SNI name. + snap.ConnectProxy.PassthroughUpstreams = map[string]proxycfg.ServicePassthroughAddrs{ + kafka.String(): { + SNI: "kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + Addrs: map[string]struct{}{ + "9.9.9.9": {}, + }, + }, + mongo.String(): { + SNI: "mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + Addrs: map[string]struct{}{ + "10.10.10.10": {}, + "10.10.10.12": {}, + }, + }, + } + + // There should still be a filter chain for mongo's virtual address + snap.ConnectProxy.WatchedUpstreamEndpoints["mongo"] = map[string]structs.CheckServiceNodes{ + "mongo.default.dc1": { + structs.CheckServiceNode{ + Node: &structs.Node{ + Datacenter: "dc1", + }, + Service: &structs.NodeService{ + Service: "mongo", + Address: "7.7.7.7", + Port: 27017, + TaggedAddresses: map[string]structs.ServiceAddress{ + "virtual": {Address: "6.6.6.6"}, + }, + }, + }, + }, + } + }, + }, } latestEnvoyVersion := proxysupport.EnvoyVersions[0] diff --git a/agent/xds/server.go b/agent/xds/server.go index 259b01437..8e6037116 100644 --- a/agent/xds/server.go +++ b/agent/xds/server.go @@ -96,8 +96,9 @@ const ( // OriginalDestinationClusterName is the name we give to the passthrough // cluster which redirects transparently-proxied requests to their original - // destination. This cluster prevents Consul from blocking connections to - // destinations outside of the catalog when in transparent proxy mode. + // destination outside the mesh. This cluster prevents Consul from blocking + // connections to destinations outside of the catalog when in transparent + // proxy mode. OriginalDestinationClusterName = "original-destination" // DefaultAuthCheckFrequency is the default value for diff --git a/agent/xds/testdata/clusters/transparent-proxy catalog destinations only.envoy-1-18-x.golden b/agent/xds/testdata/clusters/transparent-proxy-catalog-destinations-only.envoy-1-18-x.golden similarity index 100% rename from agent/xds/testdata/clusters/transparent-proxy catalog destinations only.envoy-1-18-x.golden rename to agent/xds/testdata/clusters/transparent-proxy-catalog-destinations-only.envoy-1-18-x.golden diff --git a/agent/xds/testdata/clusters/transparent-proxy catalog destinations only.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/clusters/transparent-proxy-catalog-destinations-only.v2compat.envoy-1-16-x.golden similarity index 100% rename from agent/xds/testdata/clusters/transparent-proxy catalog destinations only.v2compat.envoy-1-16-x.golden rename to agent/xds/testdata/clusters/transparent-proxy-catalog-destinations-only.v2compat.envoy-1-16-x.golden diff --git a/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden b/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden new file mode 100644 index 000000000..2dfba6613 --- /dev/null +++ b/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden @@ -0,0 +1,260 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "altStatName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": { + + }, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "circuitBreakers": { + + }, + "outlierDetection": { + + }, + "commonLbConfig": { + "healthyPanicThreshold": { + + } + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": { + + }, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "circuitBreakers": { + + }, + "outlierDetection": { + + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "local_app", + "type": "STATIC", + "connectTimeout": "5s", + "loadAssignment": { + "clusterName": "local_app", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 8080 + } + } + } + } + ] + } + ] + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "altStatName": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": { + + }, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "circuitBreakers": { + + }, + "outlierDetection": { + + }, + "commonLbConfig": { + "healthyPanicThreshold": { + + } + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "original-destination", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED" + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "passthrough~kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED", + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "passthrough~mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED", + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000..26c586fc9 --- /dev/null +++ b/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden @@ -0,0 +1,260 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "altStatName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": { + + }, + "resourceApiVersion": "V2" + } + }, + "connectTimeout": "5s", + "circuitBreakers": { + + }, + "outlierDetection": { + + }, + "commonLbConfig": { + "healthyPanicThreshold": { + + } + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": { + + }, + "resourceApiVersion": "V2" + } + }, + "connectTimeout": "5s", + "circuitBreakers": { + + }, + "outlierDetection": { + + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "local_app", + "type": "STATIC", + "connectTimeout": "5s", + "loadAssignment": { + "clusterName": "local_app", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 8080 + } + } + } + } + ] + } + ] + } + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "altStatName": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": { + + }, + "resourceApiVersion": "V2" + } + }, + "connectTimeout": "5s", + "circuitBreakers": { + + }, + "outlierDetection": { + + }, + "commonLbConfig": { + "healthyPanicThreshold": { + + } + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "original-destination", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED" + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "passthrough~kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED", + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "passthrough~mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED", + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden b/agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden new file mode 100644 index 000000000..3de39f7cb --- /dev/null +++ b/agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden @@ -0,0 +1,213 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.db.default.dc1", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "outbound_listener:127.0.0.1:15001", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 15001 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "prefixRanges": [ + { + "addressPrefix": "10.10.10.10", + "prefixLen": 32 + }, + { + "addressPrefix": "10.10.10.12", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.mongo.default.dc1", + "cluster": "passthrough~mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + ] + }, + { + "filterChainMatch": { + "prefixRanges": [ + { + "addressPrefix": "6.6.6.6", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.mongo.default.dc1", + "cluster": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + }, + { + "filterChainMatch": { + "prefixRanges": [ + { + "addressPrefix": "9.9.9.9", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.kafka.default.dc1", + "cluster": "passthrough~kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + ] + }, + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.original-destination", + "cluster": "original-destination" + } + } + ] + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.original_dst" + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.prepared_query_geo-cache", + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "public_listener:0.0.0.0:9999", + "address": { + "socketAddress": { + "address": "0.0.0.0", + "portValue": 9999 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": { + + }, + "statPrefix": "connect_authz" + } + }, + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "public_listener", + "cluster": "local_app" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + } + } + } + ], + "trafficDirection": "INBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000..ab37095ab --- /dev/null +++ b/agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden @@ -0,0 +1,213 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.db.default.dc1", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "outbound_listener:127.0.0.1:15001", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 15001 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "prefixRanges": [ + { + "addressPrefix": "10.10.10.10", + "prefixLen": 32 + }, + { + "addressPrefix": "10.10.10.12", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.mongo.default.dc1", + "cluster": "passthrough~mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + ] + }, + { + "filterChainMatch": { + "prefixRanges": [ + { + "addressPrefix": "6.6.6.6", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.mongo.default.dc1", + "cluster": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + }, + { + "filterChainMatch": { + "prefixRanges": [ + { + "addressPrefix": "9.9.9.9", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.kafka.default.dc1", + "cluster": "passthrough~kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + ] + }, + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.original-destination", + "cluster": "original-destination" + } + } + ] + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.original_dst" + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.prepared_query_geo-cache", + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "public_listener:0.0.0.0:9999", + "address": { + "socketAddress": { + "address": "0.0.0.0", + "portValue": 9999 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC", + "rules": { + + }, + "statPrefix": "connect_authz" + } + }, + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "public_listener", + "cluster": "local_app" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + } + } + } + ], + "trafficDirection": "INBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/api/config_entry.go b/api/config_entry.go index 5047d07a5..f339149a7 100644 --- a/api/config_entry.go +++ b/api/config_entry.go @@ -84,6 +84,11 @@ const ( type TransparentProxyConfig struct { // The port of the listener where outbound application traffic is being redirected to. OutboundListenerPort int `json:",omitempty" alias:"outbound_listener_port"` + + // DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + // The discovery chain is not considered when dialing a service instance directly. + // This setting is useful when addressing stateful services, such as a database cluster with a leader node. + DialedDirectly bool `json:",omitempty" alias:"dialed_directly"` } // ExposeConfig describes HTTP paths to expose through Envoy outside of Connect. diff --git a/api/config_entry_test.go b/api/config_entry_test.go index 1abfcc181..2c5f8c20f 100644 --- a/api/config_entry_test.go +++ b/api/config_entry_test.go @@ -358,7 +358,8 @@ func TestDecodeConfigEntry(t *testing.T) { }, "Mode": "transparent", "TransparentProxy": { - "OutboundListenerPort": 808 + "OutboundListenerPort": 808, + "DialedDirectly": true } } `, @@ -379,8 +380,11 @@ func TestDecodeConfigEntry(t *testing.T) { MeshGateway: MeshGatewayConfig{ Mode: MeshGatewayModeRemote, }, - Mode: ProxyModeTransparent, - TransparentProxy: &TransparentProxyConfig{OutboundListenerPort: 808}, + Mode: ProxyModeTransparent, + TransparentProxy: &TransparentProxyConfig{ + OutboundListenerPort: 808, + DialedDirectly: true, + }, }, }, { @@ -400,7 +404,8 @@ func TestDecodeConfigEntry(t *testing.T) { }, "Mode": "transparent", "TransparentProxy": { - "OutboundListenerPort": 808 + "OutboundListenerPort": 808, + "DialedDirectly": true }, "UpstreamConfig": { "Overrides": [ @@ -448,8 +453,11 @@ func TestDecodeConfigEntry(t *testing.T) { MeshGateway: MeshGatewayConfig{ Mode: MeshGatewayModeRemote, }, - Mode: ProxyModeTransparent, - TransparentProxy: &TransparentProxyConfig{OutboundListenerPort: 808}, + Mode: ProxyModeTransparent, + TransparentProxy: &TransparentProxyConfig{ + OutboundListenerPort: 808, + DialedDirectly: true, + }, UpstreamConfig: &UpstreamConfiguration{ Overrides: []*UpstreamConfig{ { diff --git a/command/config/write/config_write_test.go b/command/config/write/config_write_test.go index 20f20af43..64d5687bc 100644 --- a/command/config/write/config_write_test.go +++ b/command/config/write/config_write_test.go @@ -216,6 +216,7 @@ func TestParseConfigEntry(t *testing.T) { mode = "direct" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } `, camel: ` @@ -238,6 +239,7 @@ func TestParseConfigEntry(t *testing.T) { Mode = "direct" TransparentProxy = { outbound_listener_port = 10101 + dialed_directly = true } `, snakeJSON: ` @@ -260,7 +262,8 @@ func TestParseConfigEntry(t *testing.T) { }, "mode": "direct", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true } } `, @@ -284,7 +287,8 @@ func TestParseConfigEntry(t *testing.T) { }, "Mode": "direct", "TransparentProxy": { - "OutboundListenerPort": 10101 + "OutboundListenerPort": 10101, + "DialedDirectly": true } } `, @@ -308,6 +312,7 @@ func TestParseConfigEntry(t *testing.T) { Mode: api.ProxyModeDirect, TransparentProxy: &api.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, expectJSON: &api.ProxyConfigEntry{ @@ -330,6 +335,7 @@ func TestParseConfigEntry(t *testing.T) { Mode: api.ProxyModeDirect, TransparentProxy: &api.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, }, @@ -495,6 +501,7 @@ func TestParseConfigEntry(t *testing.T) { mode = "direct" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } upstream_config { overrides = [ @@ -553,6 +560,7 @@ func TestParseConfigEntry(t *testing.T) { Mode = "direct" TransparentProxy = { outbound_listener_port = 10101 + dialed_directly = true } UpstreamConfig { Overrides = [ @@ -611,7 +619,8 @@ func TestParseConfigEntry(t *testing.T) { }, "mode": "direct", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true }, "upstream_config": { "overrides": [ @@ -671,7 +680,8 @@ func TestParseConfigEntry(t *testing.T) { }, "Mode": "direct", "TransparentProxy": { - "OutboundListenerPort": 10101 + "OutboundListenerPort": 10101, + "DialedDirectly": true }, "UpstreamConfig": { "Overrides": [ @@ -731,6 +741,7 @@ func TestParseConfigEntry(t *testing.T) { Mode: api.ProxyModeDirect, TransparentProxy: &api.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, UpstreamConfig: &api.UpstreamConfiguration{ Overrides: []*api.UpstreamConfig{ diff --git a/command/connect/envoy/bootstrap_config.go b/command/connect/envoy/bootstrap_config.go index 28cd7ac9b..12a623b22 100644 --- a/command/connect/envoy/bootstrap_config.go +++ b/command/connect/envoy/bootstrap_config.go @@ -352,40 +352,41 @@ func resourceTagSpecifiers(omitDeprecatedTags bool) ([]string, error) { // - cluster.f8f8f8f8~pong.default.dc2.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul.bind_errors: 0 // - cluster.v2.pong.default.dc2.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul.bind_errors: 0 // - cluster.f8f8f8f8~v2.pong.default.dc2.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul.bind_errors: 0 + // - cluster.passthrough~pong.default.dc2.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul.bind_errors: 0 {"consul.destination.custom_hash", - fmt.Sprintf(`^cluster\.((?:(%s)~)?(?:%s\.)?%s\.%s\.%s\.%s\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:(%s)~)?(?:%s\.)?%s\.%s\.%s\.%s\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.service_subset", - fmt.Sprintf(`^cluster\.((?:%s~)?(?:(%s)\.)?%s\.%s\.%s\.%s\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:%s~)?(?:(%s)\.)?%s\.%s\.%s\.%s\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.service", - fmt.Sprintf(`^cluster\.((?:%s~)?(?:%s\.)?(%s)\.%s\.%s\.%s\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:%s~)?(?:%s\.)?(%s)\.%s\.%s\.%s\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.namespace", - fmt.Sprintf(`^cluster\.((?:%s~)?(?:%s\.)?%s\.(%s)\.%s\.%s\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:%s~)?(?:%s\.)?%s\.(%s)\.%s\.%s\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.datacenter", - fmt.Sprintf(`^cluster\.((?:%s~)?(?:%s\.)?%s\.%s\.(%s)\.%s\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:%s~)?(?:%s\.)?%s\.%s\.(%s)\.%s\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.routing_type", - fmt.Sprintf(`^cluster\.((?:%s~)?(?:%s\.)?%s\.%s\.%s\.(%s)\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:%s~)?(?:%s\.)?%s\.%s\.%s\.(%s)\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.trust_domain", - fmt.Sprintf(`^cluster\.((?:%s~)?(?:%s\.)?%s\.%s\.%s\.%s\.(%s)\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:%s~)?(?:%s\.)?%s\.%s\.%s\.%s\.(%s)\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.target", - fmt.Sprintf(`^cluster\.(((?:%s~)?(?:%s\.)?%s\.%s\.%s)\.%s\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?(((?:%s~)?(?:%s\.)?%s\.%s\.%s)\.%s\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.full_target", - fmt.Sprintf(`^cluster\.(((?:%s~)?(?:%s\.)?%s\.%s\.%s\.%s\.%s)\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?(((?:%s~)?(?:%s\.)?%s\.%s\.%s\.%s\.%s)\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, // Upstream listener metrics are prefixed by consul.upstream diff --git a/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden b/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden index cd52a65cc..861b59ab9 100644 --- a/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden +++ b/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden @@ -62,39 +62,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/access-log-path.golden b/command/connect/envoy/testdata/access-log-path.golden index e65515893..393a924db 100644 --- a/command/connect/envoy/testdata/access-log-path.golden +++ b/command/connect/envoy/testdata/access-log-path.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/defaults.golden b/command/connect/envoy/testdata/defaults.golden index 6b989665f..c094ddc15 100644 --- a/command/connect/envoy/testdata/defaults.golden +++ b/command/connect/envoy/testdata/defaults.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/existing-ca-file.golden b/command/connect/envoy/testdata/existing-ca-file.golden index 494752b35..c74249dcf 100644 --- a/command/connect/envoy/testdata/existing-ca-file.golden +++ b/command/connect/envoy/testdata/existing-ca-file.golden @@ -62,39 +62,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/existing-ca-path.golden b/command/connect/envoy/testdata/existing-ca-path.golden index 88618fc5b..d83c138d9 100644 --- a/command/connect/envoy/testdata/existing-ca-path.golden +++ b/command/connect/envoy/testdata/existing-ca-path.golden @@ -62,39 +62,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/extra_-multiple.golden b/command/connect/envoy/testdata/extra_-multiple.golden index 06cd5215d..b16e5e248 100644 --- a/command/connect/envoy/testdata/extra_-multiple.golden +++ b/command/connect/envoy/testdata/extra_-multiple.golden @@ -71,39 +71,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/extra_-single.golden b/command/connect/envoy/testdata/extra_-single.golden index 503226e17..b2617052f 100644 --- a/command/connect/envoy/testdata/extra_-single.golden +++ b/command/connect/envoy/testdata/extra_-single.golden @@ -62,39 +62,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/grpc-addr-config.golden b/command/connect/envoy/testdata/grpc-addr-config.golden index 9082d485d..34ed73682 100644 --- a/command/connect/envoy/testdata/grpc-addr-config.golden +++ b/command/connect/envoy/testdata/grpc-addr-config.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/grpc-addr-env.golden b/command/connect/envoy/testdata/grpc-addr-env.golden index 9082d485d..34ed73682 100644 --- a/command/connect/envoy/testdata/grpc-addr-env.golden +++ b/command/connect/envoy/testdata/grpc-addr-env.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/grpc-addr-flag.golden b/command/connect/envoy/testdata/grpc-addr-flag.golden index 9082d485d..34ed73682 100644 --- a/command/connect/envoy/testdata/grpc-addr-flag.golden +++ b/command/connect/envoy/testdata/grpc-addr-flag.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/grpc-addr-unix.golden b/command/connect/envoy/testdata/grpc-addr-unix.golden index 053d1c008..798cbb38b 100644 --- a/command/connect/envoy/testdata/grpc-addr-unix.golden +++ b/command/connect/envoy/testdata/grpc-addr-unix.golden @@ -48,39 +48,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/ingress-gateway-address-specified.golden b/command/connect/envoy/testdata/ingress-gateway-address-specified.golden index 99da5e21b..2b11eeb35 100644 --- a/command/connect/envoy/testdata/ingress-gateway-address-specified.golden +++ b/command/connect/envoy/testdata/ingress-gateway-address-specified.golden @@ -135,39 +135,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden b/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden index d2c4b37e4..f3fe7a54b 100644 --- a/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden +++ b/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden @@ -135,39 +135,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden b/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden index 4caf58dd4..da6a17501 100644 --- a/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden +++ b/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden @@ -135,39 +135,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden b/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden index e7bbde807..ef9138e40 100644 --- a/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden +++ b/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden @@ -135,39 +135,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/ingress-gateway.golden b/command/connect/envoy/testdata/ingress-gateway.golden index da76ef79b..6f5b6c7a1 100644 --- a/command/connect/envoy/testdata/ingress-gateway.golden +++ b/command/connect/envoy/testdata/ingress-gateway.golden @@ -135,39 +135,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/prometheus-metrics.golden b/command/connect/envoy/testdata/prometheus-metrics.golden index e4157e9c8..6c6799e4e 100644 --- a/command/connect/envoy/testdata/prometheus-metrics.golden +++ b/command/connect/envoy/testdata/prometheus-metrics.golden @@ -135,39 +135,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/token-arg.golden b/command/connect/envoy/testdata/token-arg.golden index 248790500..3e33edadb 100644 --- a/command/connect/envoy/testdata/token-arg.golden +++ b/command/connect/envoy/testdata/token-arg.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/token-env.golden b/command/connect/envoy/testdata/token-env.golden index 248790500..3e33edadb 100644 --- a/command/connect/envoy/testdata/token-env.golden +++ b/command/connect/envoy/testdata/token-env.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/token-file-arg.golden b/command/connect/envoy/testdata/token-file-arg.golden index 248790500..3e33edadb 100644 --- a/command/connect/envoy/testdata/token-file-arg.golden +++ b/command/connect/envoy/testdata/token-file-arg.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/token-file-env.golden b/command/connect/envoy/testdata/token-file-env.golden index 248790500..3e33edadb 100644 --- a/command/connect/envoy/testdata/token-file-env.golden +++ b/command/connect/envoy/testdata/token-file-env.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/zipkin-tracing-config.golden b/command/connect/envoy/testdata/zipkin-tracing-config.golden index 15b796e26..5a6cc29d0 100644 --- a/command/connect/envoy/testdata/zipkin-tracing-config.golden +++ b/command/connect/envoy/testdata/zipkin-tracing-config.golden @@ -73,39 +73,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/proto/pbservice/service.gen.go b/proto/pbservice/service.gen.go index f6cc1e578..1a8c3e9c1 100644 --- a/proto/pbservice/service.gen.go +++ b/proto/pbservice/service.gen.go @@ -131,11 +131,13 @@ func NewServiceDefinitionFromStructs(t structs.ServiceDefinition) ServiceDefinit func TransparentProxyConfigToStructs(s TransparentProxyConfig) structs.TransparentProxyConfig { var t structs.TransparentProxyConfig t.OutboundListenerPort = int(s.OutboundListenerPort) + t.DialedDirectly = s.DialedDirectly return t } func NewTransparentProxyConfigFromStructs(t structs.TransparentProxyConfig) TransparentProxyConfig { var s TransparentProxyConfig s.OutboundListenerPort = int32(t.OutboundListenerPort) + s.DialedDirectly = t.DialedDirectly return s } func UpstreamToStructs(s Upstream) structs.Upstream { diff --git a/proto/pbservice/service.pb.go b/proto/pbservice/service.pb.go index 7a0cb6ba0..a7736dfb3 100644 --- a/proto/pbservice/service.pb.go +++ b/proto/pbservice/service.pb.go @@ -402,6 +402,10 @@ var xxx_messageInfo_MeshGatewayConfig proto.InternalMessageInfo type TransparentProxyConfig struct { // mog: func-to=int func-from=int32 OutboundListenerPort int32 `protobuf:"varint,1,opt,name=OutboundListenerPort,proto3" json:"OutboundListenerPort,omitempty"` + // DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + // The discovery chain is not considered when dialing a service instance directly. + // This setting is useful when addressing stateful services, such as a database cluster with a leader node. + DialedDirectly bool `protobuf:"varint,2,opt,name=DialedDirectly,proto3" json:"DialedDirectly,omitempty"` } func (m *TransparentProxyConfig) Reset() { *m = TransparentProxyConfig{} } @@ -615,81 +619,82 @@ func init() { func init() { proto.RegisterFile("proto/pbservice/service.proto", fileDescriptor_cbb99233b75fb80b) } var fileDescriptor_cbb99233b75fb80b = []byte{ - // 1179 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x56, 0x4f, 0x6f, 0x1b, 0x45, - 0x14, 0xf7, 0xfa, 0x4f, 0x6c, 0xbf, 0x94, 0x34, 0x99, 0x98, 0xb0, 0x84, 0xd6, 0x49, 0x2d, 0x84, - 0x22, 0x88, 0xec, 0x36, 0x51, 0x09, 0xad, 0x54, 0x24, 0x12, 0x07, 0x54, 0x35, 0x69, 0xcd, 0xc6, - 0xa8, 0x02, 0x89, 0xc3, 0x78, 0x3d, 0x59, 0xaf, 0x62, 0xef, 0x58, 0x3b, 0xe3, 0xd0, 0x7c, 0x0b, - 0x6e, 0x70, 0xe5, 0xc0, 0x9d, 0x8f, 0x91, 0x63, 0x8f, 0x9c, 0x22, 0x48, 0xbe, 0x45, 0x4e, 0x68, - 0xde, 0xcc, 0x6e, 0xd6, 0xeb, 0x25, 0x2a, 0x9c, 0x3c, 0xf3, 0x7e, 0xef, 0xf7, 0x66, 0xfc, 0xde, - 0xef, 0xbd, 0x59, 0xb8, 0x3f, 0x0e, 0xb9, 0xe4, 0xad, 0x71, 0x4f, 0xb0, 0xf0, 0xd4, 0x77, 0x59, - 0xcb, 0xfc, 0x36, 0xd1, 0x4e, 0xaa, 0x31, 0xb0, 0x7a, 0xcf, 0xe3, 0xdc, 0x1b, 0xb2, 0x16, 0x02, - 0xbd, 0xc9, 0x71, 0x4b, 0xc8, 0x70, 0xe2, 0x4a, 0xed, 0xb8, 0xfa, 0x51, 0x14, 0xc7, 0xe5, 0xa3, - 0x11, 0x0f, 0x5a, 0xfa, 0xc7, 0x80, 0x0f, 0xd2, 0x87, 0x0c, 0x18, 0x1d, 0xca, 0x81, 0x3b, 0x60, - 0xee, 0x89, 0x71, 0xa9, 0x79, 0xdc, 0xe3, 0xda, 0x4d, 0xad, 0xb4, 0xb5, 0xf1, 0x7b, 0x09, 0xc8, - 0x1e, 0x0f, 0x02, 0xe6, 0xca, 0x4e, 0xc8, 0xdf, 0x9c, 0xed, 0xf1, 0xe0, 0xd8, 0xf7, 0xc8, 0xe7, - 0xb0, 0xd2, 0x66, 0x42, 0xfa, 0x01, 0x95, 0x3e, 0x0f, 0x8e, 0x74, 0xd0, 0x97, 0x74, 0xc4, 0x6c, - 0x6b, 0xdd, 0xda, 0xa8, 0x3a, 0xff, 0x82, 0x92, 0x2d, 0xa8, 0xcd, 0x22, 0xcf, 0xdb, 0x76, 0x1e, - 0x59, 0x99, 0x18, 0x79, 0x08, 0xcb, 0x07, 0xdc, 0xa5, 0x43, 0x63, 0xf9, 0xaa, 0xdf, 0x0f, 0x99, - 0x10, 0x76, 0x01, 0x29, 0x59, 0x10, 0xf9, 0x14, 0x16, 0x93, 0xe6, 0x0e, 0x0f, 0xa5, 0x5d, 0x5c, - 0xb7, 0x36, 0x4a, 0xce, 0x8c, 0x9d, 0x3c, 0x86, 0x39, 0xfd, 0x9f, 0xec, 0xd2, 0xba, 0xb5, 0x31, - 0xbf, 0xf5, 0x41, 0x53, 0x67, 0xb9, 0x19, 0x65, 0xb9, 0x79, 0x84, 0x59, 0xde, 0x2d, 0x9e, 0x5f, - 0xac, 0x59, 0x8e, 0x71, 0x26, 0x3b, 0x50, 0xfd, 0x6e, 0x2c, 0x64, 0xc8, 0xe8, 0x48, 0xd8, 0x73, - 0xeb, 0x85, 0x8d, 0xf9, 0xad, 0xe5, 0x66, 0x9c, 0xde, 0x66, 0x84, 0x21, 0x2b, 0xe7, 0xdc, 0xf8, - 0x92, 0x36, 0xcc, 0x1f, 0x32, 0x31, 0xf8, 0x86, 0x4a, 0xf6, 0x13, 0x3d, 0xb3, 0xcb, 0x78, 0xe8, - 0xbd, 0x04, 0x35, 0x81, 0xea, 0xb3, 0x4c, 0x8c, 0x24, 0x4d, 0xdd, 0x7a, 0xff, 0xcd, 0x98, 0x0b, - 0x66, 0x57, 0xcc, 0xad, 0x6f, 0x02, 0x68, 0x60, 0x8a, 0x6b, 0x9c, 0xc9, 0x0b, 0x28, 0x1e, 0xf2, - 0x3e, 0xb3, 0xab, 0x2a, 0x77, 0xbb, 0x3b, 0xd7, 0x17, 0x6b, 0xdb, 0x9e, 0x2f, 0x07, 0x93, 0x5e, - 0xd3, 0xe5, 0xa3, 0xd6, 0x80, 0x8a, 0x81, 0xef, 0xf2, 0x70, 0xdc, 0x72, 0x79, 0x20, 0x26, 0xc3, - 0x16, 0xf5, 0x58, 0x20, 0x8d, 0xca, 0x44, 0x13, 0xeb, 0xaf, 0xe8, 0x0e, 0x06, 0x21, 0x47, 0xb0, - 0xd8, 0x0d, 0x69, 0x20, 0xc6, 0x34, 0x64, 0x81, 0x56, 0x87, 0x0d, 0x78, 0x9b, 0x07, 0x89, 0xdb, - 0xa4, 0x5d, 0xa6, 0xee, 0x35, 0x13, 0x40, 0x09, 0x2b, 0x59, 0xa2, 0x23, 0xee, 0x9e, 0x30, 0xd9, - 0xa1, 0x72, 0x60, 0xcf, 0x6b, 0x61, 0x65, 0xa3, 0x8d, 0x5f, 0x8a, 0x50, 0x89, 0x92, 0x4c, 0x36, - 0xe0, 0x6e, 0x42, 0x49, 0xdd, 0xb3, 0x71, 0x24, 0xcb, 0xb4, 0x39, 0xa5, 0x47, 0x25, 0x51, 0x31, - 0xa6, 0x2e, 0xcb, 0xd0, 0x63, 0x8c, 0xa5, 0xa2, 0xa3, 0xe8, 0x0b, 0x33, 0xd1, 0x51, 0xed, 0x75, - 0x80, 0x36, 0x95, 0xd4, 0x65, 0x81, 0x64, 0x21, 0x2a, 0xb0, 0xea, 0x24, 0x2c, 0xb1, 0x4e, 0x77, - 0xfd, 0xa0, 0x1f, 0xc9, 0xba, 0x84, 0x5e, 0x33, 0x76, 0xf2, 0x31, 0xbc, 0x17, 0xdb, 0x50, 0xd0, - 0x73, 0x28, 0xe8, 0x69, 0x63, 0x42, 0xcd, 0xe5, 0xff, 0xa2, 0xe6, 0x94, 0x28, 0x2b, 0xff, 0x4f, - 0x94, 0x0f, 0x61, 0x79, 0x8f, 0x05, 0x32, 0xa4, 0xc3, 0xa1, 0xf1, 0x9a, 0x84, 0xac, 0x8f, 0x62, - 0xab, 0x38, 0x59, 0x50, 0xdc, 0xda, 0xea, 0xfe, 0x89, 0x52, 0x43, 0xa2, 0xb5, 0xa7, 0xa1, 0x0c, - 0x06, 0x0a, 0x7a, 0x3e, 0x93, 0xa1, 0xa0, 0x46, 0x00, 0x0b, 0x46, 0x2e, 0x66, 0x8e, 0x91, 0x15, - 0x98, 0x7b, 0x49, 0xa5, 0x7f, 0xaa, 0x55, 0x51, 0x71, 0xcc, 0x8e, 0xb4, 0x61, 0xe1, 0xc8, 0xef, - 0x33, 0x97, 0x86, 0x86, 0x80, 0x75, 0x9d, 0x4e, 0x84, 0x41, 0xda, 0xec, 0xd8, 0x0f, 0x7c, 0x55, - 0x68, 0x27, 0xc5, 0x69, 0x7c, 0x0f, 0x77, 0x92, 0x1d, 0xa8, 0x4e, 0xdb, 0x53, 0x63, 0x56, 0x44, - 0xa7, 0xe9, 0x1d, 0x79, 0x04, 0x25, 0xf5, 0x8f, 0x84, 0x9d, 0xc7, 0xe9, 0xf1, 0xfe, 0x4c, 0x07, - 0x2b, 0xd4, 0xa4, 0x59, 0x7b, 0x36, 0xfe, 0xb0, 0x00, 0x6e, 0x30, 0xd2, 0x80, 0x3b, 0x07, 0xbe, - 0x90, 0x2c, 0x60, 0x21, 0x2a, 0xc2, 0x42, 0x45, 0x4c, 0xd9, 0x08, 0x81, 0x22, 0xa6, 0x54, 0x0b, - 0x1a, 0xd7, 0xb1, 0x94, 0xd4, 0x06, 0x89, 0x85, 0x84, 0x94, 0x22, 0x23, 0x59, 0x85, 0x4a, 0x47, - 0x89, 0xc6, 0xe5, 0x43, 0x23, 0xdd, 0x78, 0xaf, 0x5a, 0xa0, 0x43, 0x43, 0xc1, 0xfa, 0x5f, 0x87, - 0x7c, 0x84, 0xff, 0x07, 0x75, 0x5b, 0x71, 0xd2, 0xe6, 0xc6, 0x31, 0x2c, 0xcd, 0x68, 0x87, 0x7c, - 0x6b, 0xc6, 0x10, 0x36, 0xe5, 0xee, 0xb3, 0xeb, 0x8b, 0xb5, 0x27, 0xef, 0x3e, 0x86, 0x12, 0xe1, - 0x6e, 0x86, 0x51, 0xe3, 0x00, 0x56, 0xb2, 0x27, 0x8d, 0x6a, 0xf1, 0x57, 0x13, 0xd9, 0xe3, 0x93, - 0xa0, 0x9f, 0x91, 0xad, 0x4c, 0xac, 0xf1, 0x5b, 0x19, 0x96, 0x66, 0x2a, 0x4d, 0x0e, 0xa1, 0xf8, - 0xc2, 0x0f, 0xfa, 0xe6, 0xda, 0x4f, 0xae, 0x2f, 0xd6, 0x1e, 0xbf, 0xfb, 0xb5, 0x4d, 0x38, 0x15, - 0xc0, 0xc1, 0x30, 0x64, 0x01, 0xf2, 0xf1, 0xcb, 0x97, 0x7f, 0xde, 0x56, 0xa5, 0x4a, 0x0c, 0x13, - 0x5c, 0x2b, 0x5b, 0x97, 0x7a, 0xc2, 0x2e, 0xae, 0x17, 0x94, 0x4d, 0xad, 0x89, 0x0d, 0xe5, 0xe9, - 0x61, 0x11, 0x6d, 0x09, 0x85, 0xbb, 0x5d, 0xea, 0x79, 0x2c, 0x1a, 0x1a, 0x4c, 0xd8, 0x8b, 0x28, - 0xae, 0x47, 0xb7, 0x29, 0xb8, 0x99, 0xe2, 0xec, 0x07, 0x32, 0x3c, 0x33, 0xc2, 0x4b, 0xc7, 0x23, - 0x4f, 0xa1, 0x78, 0xc8, 0x24, 0x35, 0x4f, 0xde, 0x27, 0xb7, 0xc6, 0x55, 0x8e, 0x18, 0xcc, 0x41, - 0x0e, 0x6a, 0x51, 0x65, 0xbe, 0x8c, 0x99, 0xc7, 0xb5, 0x1a, 0x91, 0x89, 0xc6, 0x27, 0x7a, 0x44, - 0x4e, 0xf5, 0x7b, 0x49, 0xeb, 0x4b, 0xcf, 0xa4, 0x5a, 0xe2, 0x40, 0xb4, 0xab, 0x29, 0x1e, 0x35, - 0x09, 0x1a, 0xc8, 0x66, 0xdc, 0x6f, 0x55, 0xbc, 0x63, 0x26, 0x25, 0xee, 0xc2, 0x4d, 0x28, 0xbf, - 0x66, 0xbe, 0x37, 0x90, 0xc2, 0xbc, 0x5d, 0x24, 0xe1, 0x6e, 0x10, 0x27, 0x72, 0x21, 0x35, 0x28, - 0x75, 0xf9, 0x09, 0x0b, 0xcc, 0xbc, 0xd1, 0x1b, 0xb2, 0x09, 0x4b, 0xfb, 0x01, 0xed, 0x0d, 0x59, - 0x97, 0x7a, 0xaf, 0x4e, 0x59, 0x18, 0xfa, 0x7d, 0x66, 0xdf, 0xc1, 0x7e, 0x98, 0x05, 0xc8, 0x36, - 0x94, 0xf4, 0x5b, 0xb9, 0x80, 0xe7, 0xdd, 0x4f, 0x5e, 0x6f, 0xe6, 0x43, 0xcb, 0xd1, 0xbe, 0x6a, - 0x34, 0xed, 0xab, 0x27, 0x63, 0x1c, 0xfa, 0x82, 0x61, 0x01, 0x96, 0x90, 0xbd, 0xd2, 0x34, 0x9f, - 0x79, 0xd3, 0xa8, 0xc9, 0x48, 0x8a, 0x43, 0xb6, 0xa1, 0x6c, 0x8e, 0xb0, 0xef, 0x22, 0xfd, 0xc3, - 0xd9, 0xfa, 0x19, 0x07, 0x27, 0xf2, 0x5c, 0xfd, 0x11, 0x6a, 0x59, 0x02, 0x21, 0x8b, 0x50, 0x38, - 0x61, 0x67, 0xe6, 0x61, 0x55, 0x4b, 0xd2, 0x82, 0xd2, 0x29, 0x1d, 0x4e, 0xf4, 0xeb, 0x99, 0x19, - 0xdc, 0x84, 0x70, 0xb4, 0xdf, 0xd3, 0xfc, 0x17, 0xd6, 0xea, 0x0e, 0x54, 0x63, 0x9d, 0x64, 0xc4, - 0xac, 0x25, 0x63, 0x56, 0x13, 0xc4, 0xc6, 0x97, 0xf1, 0x5c, 0x8f, 0xe4, 0x9f, 0x68, 0x0c, 0x6b, - 0xba, 0x31, 0x22, 0xe5, 0xe5, 0x6f, 0x94, 0xd7, 0x78, 0x16, 0x57, 0x5e, 0x11, 0x3b, 0x54, 0x08, - 0x3f, 0xf0, 0xcc, 0x54, 0x88, 0xb6, 0x0a, 0x79, 0x4d, 0xc3, 0x40, 0x21, 0x9a, 0x1b, 0x6d, 0x77, - 0x0f, 0xcf, 0xff, 0xae, 0xe7, 0xce, 0x2f, 0xeb, 0xd6, 0xdb, 0xcb, 0xba, 0xf5, 0xd7, 0x65, 0xdd, - 0xfa, 0xf9, 0xaa, 0x9e, 0xfb, 0xf5, 0xaa, 0x9e, 0x7b, 0x7b, 0x55, 0xcf, 0xfd, 0x79, 0x55, 0xcf, - 0xfd, 0xf0, 0xd9, 0x6d, 0xc3, 0x21, 0xf5, 0x3d, 0xde, 0x9b, 0x43, 0xc3, 0xf6, 0x3f, 0x01, 0x00, - 0x00, 0xff, 0xff, 0x44, 0x39, 0xad, 0x45, 0x0e, 0x0c, 0x00, 0x00, + // 1200 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x96, 0xcf, 0x6e, 0x1b, 0xb7, + 0x13, 0xc7, 0xb5, 0xfa, 0x63, 0x49, 0xe3, 0xfc, 0x1c, 0x9b, 0xd1, 0xcf, 0xdd, 0xba, 0x89, 0xec, + 0x08, 0x45, 0x60, 0xb4, 0x86, 0x94, 0xd8, 0x48, 0xdd, 0x04, 0x48, 0x81, 0xda, 0x72, 0x8b, 0x20, + 0x71, 0xa2, 0xae, 0x55, 0x04, 0x2d, 0xd0, 0x03, 0xb5, 0xa2, 0x57, 0x0b, 0x4b, 0x4b, 0x61, 0x49, + 0xb9, 0xd1, 0x5b, 0xf4, 0xd6, 0x5e, 0x7b, 0xe8, 0xbd, 0x8f, 0xe1, 0x63, 0x8e, 0x3d, 0x19, 0xad, + 0xfd, 0x16, 0x3e, 0x15, 0x1c, 0x72, 0xd7, 0xab, 0xd5, 0xd6, 0x48, 0x7b, 0x12, 0x39, 0xdf, 0x99, + 0x21, 0x97, 0xfc, 0xcc, 0x50, 0x70, 0x6f, 0x1c, 0x72, 0xc9, 0x5b, 0xe3, 0x9e, 0x60, 0xe1, 0xa9, + 0xef, 0xb2, 0x96, 0xf9, 0x6d, 0xa2, 0x9d, 0x54, 0x63, 0x61, 0xed, 0xae, 0xc7, 0xb9, 0x37, 0x64, + 0x2d, 0x14, 0x7a, 0x93, 0xe3, 0x96, 0x90, 0xe1, 0xc4, 0x95, 0xda, 0x71, 0xed, 0xa3, 0x28, 0x8f, + 0xcb, 0x47, 0x23, 0x1e, 0xb4, 0xf4, 0x8f, 0x11, 0xef, 0xa7, 0x17, 0x19, 0x30, 0x3a, 0x94, 0x03, + 0x77, 0xc0, 0xdc, 0x13, 0xe3, 0x52, 0xf3, 0xb8, 0xc7, 0xb5, 0x9b, 0x1a, 0x69, 0x6b, 0xe3, 0xb7, + 0x12, 0x90, 0x7d, 0x1e, 0x04, 0xcc, 0x95, 0x9d, 0x90, 0xbf, 0x9d, 0xee, 0xf3, 0xe0, 0xd8, 0xf7, + 0xc8, 0x67, 0xb0, 0xda, 0x66, 0x42, 0xfa, 0x01, 0x95, 0x3e, 0x0f, 0x8e, 0x74, 0xd2, 0x57, 0x74, + 0xc4, 0x6c, 0x6b, 0xc3, 0xda, 0xac, 0x3a, 0xff, 0xa0, 0x92, 0x6d, 0xa8, 0xcd, 0x2b, 0xcf, 0xdb, + 0x76, 0x1e, 0xa3, 0x32, 0x35, 0xf2, 0x10, 0xee, 0xbc, 0xe4, 0x2e, 0x1d, 0x1a, 0xcb, 0x97, 0xfd, + 0x7e, 0xc8, 0x84, 0xb0, 0x0b, 0x18, 0x92, 0x25, 0x91, 0x4f, 0x60, 0x39, 0x69, 0xee, 0xf0, 0x50, + 0xda, 0xc5, 0x0d, 0x6b, 0xb3, 0xe4, 0xcc, 0xd9, 0xc9, 0x63, 0x58, 0xd0, 0xdf, 0x64, 0x97, 0x36, + 0xac, 0xcd, 0xc5, 0xed, 0x0f, 0x9a, 0xfa, 0x94, 0x9b, 0xd1, 0x29, 0x37, 0x8f, 0xf0, 0x94, 0xf7, + 0x8a, 0x67, 0xe7, 0xeb, 0x96, 0x63, 0x9c, 0xc9, 0x2e, 0x54, 0xbf, 0x1d, 0x0b, 0x19, 0x32, 0x3a, + 0x12, 0xf6, 0xc2, 0x46, 0x61, 0x73, 0x71, 0xfb, 0x4e, 0x33, 0x3e, 0xde, 0x66, 0xa4, 0x61, 0x54, + 0xce, 0xb9, 0xf6, 0x25, 0x6d, 0x58, 0x3c, 0x64, 0x62, 0xf0, 0x35, 0x95, 0xec, 0x47, 0x3a, 0xb5, + 0xcb, 0xb8, 0xe8, 0xdd, 0x44, 0x68, 0x42, 0xd5, 0x6b, 0x99, 0x1c, 0xc9, 0x30, 0xb5, 0xeb, 0x83, + 0xb7, 0x63, 0x2e, 0x98, 0x5d, 0x31, 0xbb, 0xbe, 0x4e, 0xa0, 0x85, 0x99, 0x58, 0xe3, 0x4c, 0x5e, + 0x40, 0xf1, 0x90, 0xf7, 0x99, 0x5d, 0x55, 0x67, 0xb7, 0xb7, 0x7b, 0x75, 0xbe, 0xbe, 0xe3, 0xf9, + 0x72, 0x30, 0xe9, 0x35, 0x5d, 0x3e, 0x6a, 0x0d, 0xa8, 0x18, 0xf8, 0x2e, 0x0f, 0xc7, 0x2d, 0x97, + 0x07, 0x62, 0x32, 0x6c, 0x51, 0x8f, 0x05, 0xd2, 0x50, 0x26, 0x9a, 0x78, 0xff, 0x2a, 0xdc, 0xc1, + 0x24, 0xe4, 0x08, 0x96, 0xbb, 0x21, 0x0d, 0xc4, 0x98, 0x86, 0x2c, 0xd0, 0x74, 0xd8, 0x80, 0xbb, + 0xb9, 0x9f, 0xd8, 0x4d, 0xda, 0x65, 0x66, 0x5f, 0x73, 0x09, 0x14, 0x58, 0xc9, 0x2b, 0x3a, 0xe2, + 0xee, 0x09, 0x93, 0x1d, 0x2a, 0x07, 0xf6, 0xa2, 0x06, 0x2b, 0x5b, 0x6d, 0xfc, 0x5c, 0x84, 0x4a, + 0x74, 0xc8, 0x64, 0x13, 0x6e, 0x27, 0x48, 0xea, 0x4e, 0xc7, 0x11, 0x96, 0x69, 0x73, 0x8a, 0x47, + 0x85, 0xa8, 0x18, 0x53, 0x97, 0x65, 0xf0, 0x18, 0x6b, 0xa9, 0xec, 0x08, 0x7d, 0x61, 0x2e, 0x3b, + 0xd2, 0x5e, 0x07, 0x68, 0x53, 0x49, 0x5d, 0x16, 0x48, 0x16, 0x22, 0x81, 0x55, 0x27, 0x61, 0x89, + 0x39, 0xdd, 0xf3, 0x83, 0x7e, 0x84, 0x75, 0x09, 0xbd, 0xe6, 0xec, 0xe4, 0x63, 0xf8, 0x5f, 0x6c, + 0x43, 0xa0, 0x17, 0x10, 0xe8, 0x59, 0x63, 0x82, 0xe6, 0xf2, 0xbf, 0xa1, 0x39, 0x05, 0x65, 0xe5, + 0xbf, 0x41, 0xf9, 0x10, 0xee, 0xec, 0xb3, 0x40, 0x86, 0x74, 0x38, 0x34, 0x5e, 0x93, 0x90, 0xf5, + 0x11, 0xb6, 0x8a, 0x93, 0x25, 0xc5, 0xa5, 0xad, 0xf6, 0x9f, 0xb8, 0x6a, 0x48, 0x94, 0xf6, 0xac, + 0x94, 0x11, 0x81, 0x40, 0x2f, 0x66, 0x46, 0x28, 0xa9, 0x11, 0xc0, 0x92, 0xc1, 0xc5, 0xf4, 0x31, + 0xb2, 0x0a, 0x0b, 0xaf, 0xa8, 0xf4, 0x4f, 0x35, 0x15, 0x15, 0xc7, 0xcc, 0x48, 0x1b, 0x96, 0x8e, + 0xfc, 0x3e, 0x73, 0x69, 0x68, 0x02, 0xf0, 0x5e, 0x67, 0x0f, 0xc2, 0x28, 0x6d, 0x76, 0xec, 0x07, + 0xbe, 0xba, 0x68, 0x27, 0x15, 0xd3, 0xf8, 0x0e, 0x6e, 0x25, 0x2b, 0x50, 0xad, 0xb6, 0xaf, 0xda, + 0xac, 0x88, 0x56, 0xd3, 0x33, 0xf2, 0x08, 0x4a, 0xea, 0x8b, 0x84, 0x9d, 0xc7, 0xee, 0xf1, 0xff, + 0xb9, 0x0a, 0x56, 0xaa, 0x39, 0x66, 0xed, 0xd9, 0xf8, 0xdd, 0x02, 0xb8, 0xd6, 0x48, 0x03, 0x6e, + 0xbd, 0xf4, 0x85, 0x64, 0x01, 0x0b, 0x91, 0x08, 0x0b, 0x89, 0x98, 0xb1, 0x11, 0x02, 0x45, 0x3c, + 0x52, 0x0d, 0x34, 0x8e, 0x63, 0x94, 0xd4, 0x04, 0x03, 0x0b, 0x09, 0x94, 0x22, 0x23, 0x59, 0x83, + 0x4a, 0x47, 0x41, 0xe3, 0xf2, 0xa1, 0x41, 0x37, 0x9e, 0xab, 0x12, 0xe8, 0xd0, 0x50, 0xb0, 0xfe, + 0x57, 0x21, 0x1f, 0xe1, 0xf7, 0x20, 0xb7, 0x15, 0x27, 0x6d, 0x6e, 0x1c, 0xc3, 0xca, 0x1c, 0x3b, + 0xe4, 0x1b, 0xd3, 0x86, 0xb0, 0x28, 0xf7, 0x9e, 0x5d, 0x9d, 0xaf, 0x3f, 0x79, 0xff, 0x36, 0x94, + 0x48, 0x77, 0xdd, 0x8c, 0x1a, 0x12, 0x56, 0xb3, 0x3b, 0x8d, 0x2a, 0xf1, 0xd7, 0x13, 0xd9, 0xe3, + 0x93, 0xa0, 0x9f, 0x71, 0x5a, 0x99, 0x1a, 0x79, 0x00, 0x4b, 0x6d, 0x9f, 0x0e, 0x59, 0xbf, 0xed, + 0x87, 0xcc, 0x95, 0xc3, 0x29, 0x9e, 0x5f, 0xc5, 0x49, 0x59, 0x1b, 0xbf, 0x96, 0x61, 0x65, 0x8e, + 0x08, 0x72, 0x08, 0xc5, 0x17, 0x7e, 0xd0, 0x37, 0x9f, 0xf7, 0xe4, 0xea, 0x7c, 0xfd, 0xf1, 0xfb, + 0x7f, 0x9e, 0x49, 0xa7, 0x12, 0x38, 0x98, 0x86, 0x2c, 0x41, 0x3e, 0x7e, 0x21, 0xf3, 0xcf, 0xdb, + 0xea, 0x4a, 0x13, 0x4d, 0x07, 0xc7, 0xca, 0xd6, 0xa5, 0x9e, 0xb0, 0x8b, 0x1b, 0x05, 0x65, 0x53, + 0x63, 0x62, 0x43, 0x79, 0xb6, 0xa9, 0x44, 0x53, 0x42, 0xe1, 0x76, 0x97, 0x7a, 0x1e, 0x8b, 0x9a, + 0x0b, 0x13, 0xf6, 0x32, 0x42, 0xf8, 0xe8, 0x26, 0xd2, 0x9b, 0xa9, 0x98, 0x83, 0x40, 0x86, 0x53, + 0x03, 0x68, 0x3a, 0x1f, 0x79, 0x0a, 0xc5, 0x43, 0x26, 0xa9, 0x79, 0x1a, 0x1f, 0xdc, 0x98, 0x57, + 0x39, 0x62, 0x32, 0x07, 0x63, 0x90, 0x59, 0x75, 0x43, 0x65, 0xbc, 0x21, 0x1c, 0xab, 0x56, 0x9a, + 0x68, 0x10, 0x44, 0xb7, 0xd2, 0x99, 0xbe, 0x50, 0xd2, 0x1c, 0xea, 0xde, 0x55, 0x4b, 0x2c, 0x88, + 0x76, 0xd5, 0xed, 0xa3, 0x62, 0x42, 0x03, 0xd9, 0x8a, 0xeb, 0xb2, 0x8a, 0x7b, 0xcc, 0x0c, 0x89, + 0xab, 0x75, 0x0b, 0xca, 0x6f, 0x98, 0xef, 0x0d, 0xa4, 0x30, 0x6f, 0x1c, 0x49, 0xb8, 0x1b, 0xc5, + 0x89, 0x5c, 0x48, 0x0d, 0x4a, 0x5d, 0x7e, 0xc2, 0x02, 0xd3, 0x97, 0xf4, 0x84, 0x6c, 0xc1, 0xca, + 0x41, 0x40, 0x7b, 0x43, 0xd6, 0xa5, 0xde, 0xeb, 0x53, 0x16, 0x86, 0x7e, 0x9f, 0xd9, 0xb7, 0x10, + 0xac, 0x79, 0x81, 0xec, 0x40, 0x49, 0xbf, 0xa9, 0x4b, 0xb8, 0xde, 0xbd, 0xe4, 0xf6, 0xe6, 0xfe, + 0x90, 0x39, 0xda, 0x57, 0xb5, 0xb0, 0x03, 0xf5, 0xb4, 0x8c, 0x43, 0x5f, 0x30, 0xbc, 0x80, 0x15, + 0x8c, 0x5e, 0x6d, 0x9a, 0xbf, 0x83, 0xb3, 0xaa, 0x39, 0x91, 0x54, 0x0c, 0xd9, 0x81, 0xb2, 0x59, + 0xc2, 0xbe, 0x8d, 0xe1, 0x1f, 0xce, 0xdf, 0x9f, 0x71, 0x70, 0x22, 0xcf, 0xb5, 0x1f, 0xa0, 0x96, + 0x05, 0x08, 0x59, 0x86, 0xc2, 0x09, 0x9b, 0x9a, 0x07, 0x58, 0x0d, 0x49, 0x0b, 0x4a, 0xa7, 0x74, + 0x38, 0xd1, 0xaf, 0x6c, 0x66, 0x72, 0x93, 0xc2, 0xd1, 0x7e, 0x4f, 0xf3, 0x9f, 0x5b, 0x6b, 0xbb, + 0x50, 0x8d, 0x39, 0xc9, 0xc8, 0x59, 0x4b, 0xe6, 0xac, 0x26, 0x02, 0x1b, 0x5f, 0xc4, 0xfd, 0x3f, + 0xc2, 0x3f, 0x51, 0x18, 0xd6, 0x6c, 0x61, 0x44, 0xe4, 0xe5, 0xaf, 0xc9, 0x6b, 0x3c, 0x8b, 0x6f, + 0x5e, 0x05, 0x76, 0xa8, 0x10, 0x7e, 0xe0, 0x99, 0xee, 0x11, 0x4d, 0x95, 0xf2, 0x86, 0x86, 0x81, + 0x52, 0x74, 0x6c, 0x34, 0xdd, 0x3b, 0x3c, 0xfb, 0xab, 0x9e, 0x3b, 0xbb, 0xa8, 0x5b, 0xef, 0x2e, + 0xea, 0xd6, 0x9f, 0x17, 0x75, 0xeb, 0xa7, 0xcb, 0x7a, 0xee, 0x97, 0xcb, 0x7a, 0xee, 0xdd, 0x65, + 0x3d, 0xf7, 0xc7, 0x65, 0x3d, 0xf7, 0xfd, 0xa7, 0x37, 0x35, 0x87, 0xd4, 0xff, 0xf6, 0xde, 0x02, + 0x1a, 0x76, 0xfe, 0x0e, 0x00, 0x00, 0xff, 0xff, 0x70, 0xa5, 0x21, 0xd2, 0x36, 0x0c, 0x00, 0x00, } func (m *ConnectProxyConfig) Marshal() (dAtA []byte, err error) { @@ -1119,6 +1124,16 @@ func (m *TransparentProxyConfig) MarshalToSizedBuffer(dAtA []byte) (int, error) _ = i var l int _ = l + if m.DialedDirectly { + i-- + if m.DialedDirectly { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x10 + } if m.OutboundListenerPort != 0 { i = encodeVarintService(dAtA, i, uint64(m.OutboundListenerPort)) i-- @@ -1593,6 +1608,9 @@ func (m *TransparentProxyConfig) Size() (n int) { if m.OutboundListenerPort != 0 { n += 1 + sovService(uint64(m.OutboundListenerPort)) } + if m.DialedDirectly { + n += 2 + } return n } @@ -3027,6 +3045,26 @@ func (m *TransparentProxyConfig) Unmarshal(dAtA []byte) error { break } } + case 2: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field DialedDirectly", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowService + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.DialedDirectly = bool(v != 0) default: iNdEx = preIndex skippy, err := skipService(dAtA[iNdEx:]) diff --git a/proto/pbservice/service.proto b/proto/pbservice/service.proto index 3f95a79aa..e8e050115 100644 --- a/proto/pbservice/service.proto +++ b/proto/pbservice/service.proto @@ -218,6 +218,11 @@ message MeshGatewayConfig { message TransparentProxyConfig { // mog: func-to=int func-from=int32 int32 OutboundListenerPort = 1; + + // DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + // The discovery chain is not considered when dialing a service instance directly. + // This setting is useful when addressing stateful services, such as a database cluster with a leader node. + bool DialedDirectly = 2; } // ServiceDefinition is used to JSON decode the Service definitions. For diff --git a/website/content/docs/connect/config-entries/mesh.mdx b/website/content/docs/connect/config-entries/mesh.mdx index 932f78ada..b47443682 100644 --- a/website/content/docs/connect/config-entries/mesh.mdx +++ b/website/content/docs/connect/config-entries/mesh.mdx @@ -63,7 +63,8 @@ TransparentProxy { - `CatalogDestinationsOnly` `(bool: false)` - Determines whether sidecar proxies operating in transparent mode can proxy traffic to IP addresses not registered in Consul's catalog. If enabled, traffic will only be proxied - to upstreams with service registrations in the catalog. + to upstreams with service registrations in the catalog. If disabled, requests will be proxied as-is to the + original destination IP address. Consul will not encrypt the connection. ## ACLs diff --git a/website/content/docs/connect/config-entries/proxy-defaults.mdx b/website/content/docs/connect/config-entries/proxy-defaults.mdx index 4009d925d..24b27c0a0 100644 --- a/website/content/docs/connect/config-entries/proxy-defaults.mdx +++ b/website/content/docs/connect/config-entries/proxy-defaults.mdx @@ -233,6 +233,14 @@ spec: description: `The port the proxy should listen on for outbound traffic. This must be the port where outbound application traffic is captured and redirected to.`, }, + { + name: 'DialedDirectly', + type: 'bool: false', + description: `Determines whether this proxy instance's IP address can be dialed directly by transparent proxies. + Typically transparent proxies dial upstreams using the "virtual" tagged address, which load balances + across instances. Dialing individual instances can be helpful in cases like stateful services such + as a database cluster with a leader. `, + }, ], yaml: false, }, diff --git a/website/content/docs/connect/config-entries/service-defaults.mdx b/website/content/docs/connect/config-entries/service-defaults.mdx index 96a5ef0f2..9a326bac9 100644 --- a/website/content/docs/connect/config-entries/service-defaults.mdx +++ b/website/content/docs/connect/config-entries/service-defaults.mdx @@ -453,6 +453,14 @@ UpstreamConfig = { description: `The port the proxy should listen on for outbound traffic. This must be the port where outbound application traffic is redirected to.`, }, + { + name: 'DialedDirectly', + type: 'bool: false', + description: `Determines whether this proxy instance's IP address can be dialed directly by transparent proxies. + Typically transparent proxies dial upstreams using the "virtual" tagged address, which load balances + across instances. Dialing individual instances can be helpful in cases like stateful services such + as a database cluster with a leader. `, + }, ], yaml: false, }, diff --git a/website/content/docs/connect/registration/service-registration.mdx b/website/content/docs/connect/registration/service-registration.mdx index cf88ceb94..7ea5b470d 100644 --- a/website/content/docs/connect/registration/service-registration.mdx +++ b/website/content/docs/connect/registration/service-registration.mdx @@ -238,12 +238,20 @@ registrations](/docs/agent/services#service-definition-parameter-case). ```json { - "outbound_listener_port": 22500 + "outbound_listener_port": 22500, + "dialed_directly": true } ``` - `outbound_listener_port` `(int: 15001)` - The port the proxy should listen on for outbound traffic. This must be the port where outbound application traffic is captured and redirected to. +- `dialed_directly` `(bool: false)` - Determines whether this proxy instance's IP address can be dialed + directly by transparent proxies. Typically transparent proxies dial upstreams using the "virtual" + tagged address, which load balances across instances. Dialing individual instances can be helpful + in cases like stateful services such as a database cluster with a leader. + + ~> **Note:** Dynamic routing rules such as failovers and redirects do not apply to services dialed directly. + Additionally, the connection is proxied using a TCP proxy with a connection timeout of 5 seconds. ### Mesh Gateway Configuration Reference diff --git a/website/content/docs/connect/transparent-proxy.mdx b/website/content/docs/connect/transparent-proxy.mdx index 69b800eab..0099dbe15 100644 --- a/website/content/docs/connect/transparent-proxy.mdx +++ b/website/content/docs/connect/transparent-proxy.mdx @@ -20,9 +20,9 @@ implicitly from Service Intentions. Explicit upstreams are still supported in th registration](/docs/connect/registration/service-registration) on VMs and via the [annotation](/docs/k8s/connect#consul-hashicorp-com-connect-service-upstreams) in Kubernetes. -To support transparent proxying, Consul now supports a command +To support transparent proxying, Consul's CLI now has a command [`consul connect redirect-traffic`](/commands/connect/redirect-traffic) to redirect traffic through an inbound and -outbound listener on the sidecar. It also watches Service Intentions and configures the Envoy proxy with the appropriate +outbound listener on the sidecar. Consul also watches Service Intentions and configures the Envoy proxy with the appropriate upstream IPs. If the default ACL policy is "allow", then Service Intentions are not required. In Consul on Kubernetes, the traffic redirection command is automatically set up via an init container. @@ -103,7 +103,11 @@ spec: ## Known Beta Limitations * There is no first class support for transparent proxying on VMs. -* Traffic can only be transparently proxied within a Consul datacenter. +* Traffic can only be transparently proxied when the address dialed corresponds to the address of a service in the +transparent proxy's datacenter. Cross-datacenter transparent proxying is only possible using service-resolver +configuration entries that resolve to remote datacenters. +* When dialing headless services the request will be proxied using a plain TCP proxy with a 5s connection timeout. +Currently the upstream's protocol and connection timeout are not considered. ## Using Transparent Proxy @@ -149,3 +153,16 @@ it can dial `sample-app.default.svc.cluster.local`, using If ACLs with default "deny" policy are enabled, it also needs a [ServiceIntention](/docs/connect/config-entries/service-intentions) allowing it to talk to `sample-app`. + +### Headless Services +For services that are not addressed using a virtual cluster IP, the upstream service must be +configured using the [DialedDirectly](/docs/connect/config-entries/service-defaults#dialeddirectly) +option. + +Individual instance addresses can then be discovered using DNS, and dialed through the transparent proxy. +When this mode is enabled on the upstream, connect certificates will be presented for mTLS and +intentions will be enforced at the destination. + +Note that when dialing individual instances HTTP routing rules configured with config entries +will **not** be considered. The transparent proxy acts as a TCP proxy to the original +destination IP address.