Update xDS Listeners with SDS support

This commit is contained in:
Paul Banks 2021-08-24 14:10:16 +01:00
parent 8548e15f1b
commit 8a4254a894
23 changed files with 2819 additions and 14 deletions

View File

@ -26,6 +26,7 @@ import (
"github.com/golang/protobuf/proto"
"github.com/golang/protobuf/ptypes"
"github.com/golang/protobuf/ptypes/any"
"github.com/golang/protobuf/ptypes/duration"
"github.com/golang/protobuf/ptypes/wrappers"
"github.com/hashicorp/consul/agent/connect"
@ -511,12 +512,68 @@ func (s *ResourceGenerator) listenersFromSnapshotGateway(cfgSnap *proxycfg.Confi
return resources, err
}
func resolveListenerSDSConfig(cfgSnap *proxycfg.ConfigSnapshot, listenerKey proxycfg.IngressListenerKey) (*structs.GatewayTLSSDSConfig, error) {
gwSDS := cfgSnap.IngressGateway.TLSConfig.SDS
listenerCfg, ok := cfgSnap.IngressGateway.Listeners[listenerKey]
if !ok {
return nil, fmt.Errorf("no listener config found for listener on port %d", listenerKey.Port)
}
var mergedCfg structs.GatewayTLSSDSConfig
if gwSDS != nil {
mergedCfg.ClusterName = gwSDS.ClusterName
mergedCfg.CertResource = gwSDS.CertResource
}
if listenerCfg.TLS != nil && listenerCfg.TLS.SDS != nil {
if listenerCfg.TLS.SDS.ClusterName != "" {
mergedCfg.ClusterName = listenerCfg.TLS.SDS.ClusterName
}
if listenerCfg.TLS.SDS.CertResource != "" {
mergedCfg.CertResource = listenerCfg.TLS.SDS.CertResource
}
}
// Validate. Either merged should have both fields empty or both set. Other
// cases shouldn't be possible as we validate them at input but be robust to
// bugs later.
switch {
case mergedCfg.ClusterName == "" && mergedCfg.CertResource == "":
return nil, nil
case mergedCfg.ClusterName != "" && mergedCfg.CertResource != "":
return &mergedCfg, nil
case mergedCfg.ClusterName == "" && mergedCfg.CertResource != "":
return nil, fmt.Errorf("missing SDS cluster name for listener on port %d", listenerKey.Port)
case mergedCfg.ClusterName != "" && mergedCfg.CertResource == "":
return nil, fmt.Errorf("missing SDS cert resource for listener on port %d", listenerKey.Port)
}
return &mergedCfg, nil
}
func (s *ResourceGenerator) makeIngressGatewayListeners(address string, cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error) {
var resources []proto.Message
for listenerKey, upstreams := range cfgSnap.IngressGateway.Upstreams {
var tlsContext *envoy_tls_v3.DownstreamTlsContext
if cfgSnap.IngressGateway.TLSEnabled {
sdsCfg, err := resolveListenerSDSConfig(cfgSnap, listenerKey)
if err != nil {
return nil, err
}
if sdsCfg != nil {
// Set up listener TLS from SDS
tlsContext = &envoy_tls_v3.DownstreamTlsContext{
CommonTlsContext: makeCommonTLSContextFromSDS(cfgSnap, *sdsCfg),
RequireClientCertificate: &wrappers.BoolValue{Value: false},
}
} else if cfgSnap.IngressGateway.TLSConfig.Enabled {
tlsContext = &envoy_tls_v3.DownstreamTlsContext{
CommonTlsContext: makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.Leaf()),
RequireClientCertificate: &wrappers.BoolValue{Value: false},
@ -557,29 +614,136 @@ func (s *ResourceGenerator) makeIngressGatewayListeners(address string, cfgSnap
routePath: "",
httpAuthzFilter: nil,
}
filter, err := makeListenerFilter(opts)
// Generate any filter chains needed for services with custom TLS certs
// via SDS.
sniFilterChains, err := makeSDSOverrideFilterChains(cfgSnap, listenerKey, opts)
if err != nil {
return nil, err
}
// If there are any sni filter chains, we need a TLS inspector filter!
if len(sniFilterChains) > 0 {
tlsInspector, err := makeTLSInspectorListenerFilter()
if err != nil {
return nil, err
}
listener.ListenerFilters = []*envoy_listener_v3.ListenerFilter{tlsInspector}
}
listener.FilterChains = sniFilterChains
// See if there are other services that didn't have specific SNI-matching
// filter chains. If so add a default filterchain to serve them.
if len(sniFilterChains) < len(upstreams) {
defaultFilter, err := makeListenerFilter(opts)
if err != nil {
return nil, err
}
transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext)
if err != nil {
return nil, err
}
listener.FilterChains = append(listener.FilterChains,
&envoy_listener_v3.FilterChain{
Filters: []*envoy_listener_v3.Filter{
defaultFilter,
},
TransportSocket: transportSocket,
})
}
resources = append(resources, listener)
}
}
return resources, nil
}
func routeNameForUpstream(l structs.IngressListener, s structs.IngressService) (string, error) {
key := proxycfg.IngressListenerKeyFromListener(l)
// If the upsteam service doesn't have any TLS overrides then it can just use
// the combined filterchain with all the merged routes.
if !ingressServiceHasSDSOverrides(s) {
return key.RouteName(), nil
}
// Return a specific route for this service as it needs a custom FilterChain
// to serve it's custom cert so we should attach it's routes to a separate
// Route too.
return fmt.Sprintf("%s_%s", key.RouteName(), s.ToServiceName().ToServiceID().String()), nil
}
func ingressServiceHasSDSOverrides(s structs.IngressService) bool {
return s.TLS != nil &&
s.TLS.SDS != nil &&
s.TLS.SDS.CertResource != ""
}
// ingress services that specify custom TLS certs via SDS overrides need to get
// their own filter chain and routes. This will generate all the extra filter
// chains an ingress listener needs. It maybe be empty and expects the default
// catch-all chain and route to contain all the other services that share the
// default TLS config.
func makeSDSOverrideFilterChains(cfgSnap *proxycfg.ConfigSnapshot,
listenerKey proxycfg.IngressListenerKey,
filterOpts listenerFilterOpts) ([]*envoy_listener_v3.FilterChain, error) {
listenerCfg, ok := cfgSnap.IngressGateway.Listeners[listenerKey]
if !ok {
return nil, fmt.Errorf("no listener config found for listener on port %d", listenerKey.Port)
}
var chains []*envoy_listener_v3.FilterChain
for _, svc := range listenerCfg.Services {
if ingressServiceHasSDSOverrides(svc) {
if len(svc.Hosts) < 1 {
// Shouldn't be possible with validation but be careful
return nil, fmt.Errorf("no hosts specified with SDS certificate (service %q on listener on port %d)",
svc.ToServiceName().ToServiceID().String(), listenerKey.Port)
}
// Service has a certificate resource override. Return a new filter chain
// with the right TLS cert and a filter that will load only the routes for
// this service.
routeName, err := routeNameForUpstream(listenerCfg, svc)
if err != nil {
return nil, err
}
filterOpts.filterName = routeName
filterOpts.routeName = routeName
filter, err := makeListenerFilter(filterOpts)
if err != nil {
return nil, err
}
tlsContext := &envoy_tls_v3.DownstreamTlsContext{
CommonTlsContext: makeCommonTLSContextFromSDS(cfgSnap, *svc.TLS.SDS),
RequireClientCertificate: &wrappers.BoolValue{Value: false},
}
transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext)
if err != nil {
return nil, err
}
listener.FilterChains = []*envoy_listener_v3.FilterChain{
{
Filters: []*envoy_listener_v3.Filter{
filter,
},
TransportSocket: transportSocket,
chain := &envoy_listener_v3.FilterChain{
// Only match traffic for this service's hosts.
FilterChainMatch: makeSNIFilterChainMatch(svc.Hosts...),
Filters: []*envoy_listener_v3.Filter{
filter,
},
TransportSocket: transportSocket,
}
resources = append(resources, listener)
chains = append(chains, chain)
}
}
return resources, nil
return chains, nil
}
// makeListener returns a listener with name and bind details set. Filters must
@ -1584,9 +1748,9 @@ func makeTLSInspectorListenerFilter() (*envoy_listener_v3.ListenerFilter, error)
return &envoy_listener_v3.ListenerFilter{Name: "envoy.filters.listener.tls_inspector"}, nil
}
func makeSNIFilterChainMatch(sniMatch string) *envoy_listener_v3.FilterChainMatch {
func makeSNIFilterChainMatch(sniMatches ...string) *envoy_listener_v3.FilterChainMatch {
return &envoy_listener_v3.FilterChainMatch{
ServerNames: []string{sniMatch},
ServerNames: sniMatches,
}
}
@ -1763,7 +1927,6 @@ func makeCommonTLSContextFromLeaf(cfgSnap *proxycfg.ConfigSnapshot, leaf *struct
return nil
}
// TODO(banks): verify this actually works with Envoy (docs are not clear).
rootPEMS := ""
for _, root := range cfgSnap.Roots.Roots {
rootPEMS += ca.EnsureTrailingNewline(root.RootCert)
@ -1798,6 +1961,38 @@ func makeCommonTLSContextFromLeaf(cfgSnap *proxycfg.ConfigSnapshot, leaf *struct
}
}
func makeCommonTLSContextFromSDS(cfgSnap *proxycfg.ConfigSnapshot, sdsCfg structs.GatewayTLSSDSConfig) *envoy_tls_v3.CommonTlsContext {
return &envoy_tls_v3.CommonTlsContext{
TlsParams: &envoy_tls_v3.TlsParameters{},
TlsCertificateSdsSecretConfigs: []*envoy_tls_v3.SdsSecretConfig{
{
Name: sdsCfg.CertResource,
SdsConfig: &envoy_core_v3.ConfigSource{
ConfigSourceSpecifier: &envoy_core_v3.ConfigSource_ApiConfigSource{
ApiConfigSource: &envoy_core_v3.ApiConfigSource{
ApiType: envoy_core_v3.ApiConfigSource_GRPC,
TransportApiVersion: envoy_core_v3.ApiVersion_V3,
// Note ClusterNames can't be set here - that's only for REST type
// we need a full GRPC config instead.
GrpcServices: []*envoy_core_v3.GrpcService{
{
TargetSpecifier: &envoy_core_v3.GrpcService_EnvoyGrpc_{
EnvoyGrpc: &envoy_core_v3.GrpcService_EnvoyGrpc{
ClusterName: sdsCfg.ClusterName,
},
},
Timeout: &duration.Duration{Seconds: 5},
},
},
},
},
ResourceApiVersion: envoy_core_v3.ApiVersion_V3,
},
},
},
}
}
func makeDownstreamTLSTransportSocket(tlsContext *envoy_tls_v3.DownstreamTlsContext) (*envoy_core_v3.TransportSocket, error) {
if tlsContext == nil {
return nil, nil

View File

@ -485,6 +485,10 @@ func TestListenersFromSnapshot(t *testing.T) {
},
},
}
snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{
{Protocol: "http", Port: 8080}: {},
{Protocol: "http", Port: 443}: {},
}
},
},
{
@ -499,6 +503,251 @@ func TestListenersFromSnapshot(t *testing.T) {
create: proxycfg.TestConfigSnapshotIngressWithTLSListener,
setup: nil,
},
{
name: "ingress-with-sds-listener-gw-level",
create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS,
setup: nil,
},
{
name: "ingress-with-sds-listener-listener-level",
create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS,
setup: func(snap *proxycfg.ConfigSnapshot) {
snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{
{Protocol: "tcp", Port: 8080}: {
{
DestinationName: "foo",
LocalBindPort: 8080,
},
},
}
snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{
{Protocol: "tcp", Port: 8080}: {
Port: 8080,
TLS: &structs.GatewayTLSConfig{
SDS: &structs.GatewayTLSSDSConfig{
// Override the cert, fall back to the cluster at gw level. We
// don't test every possible valid combination here since we
// already did that in TestResolveListenerSDSConfig. This is
// just an extra check to make sure that data is plumbed through
// correctly.
CertResource: "listener-cert",
},
},
},
}
},
},
{
name: "ingress-with-sds-listener-gw-level-http",
create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS,
setup: func(snap *proxycfg.ConfigSnapshot) {
snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{
{Protocol: "http", Port: 8080}: {
{
DestinationName: "foo",
LocalBindPort: 8080,
},
},
}
snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{
{Protocol: "http", Port: 8080}: {
Port: 8080,
TLS: &structs.GatewayTLSConfig{
SDS: &structs.GatewayTLSSDSConfig{
// Override the cert, fall back to the cluster at gw level. We
// don't test every possible valid combination here since we
// already did that in TestResolveListenerSDSConfig. This is
// just an extra check to make sure that data is plumbed through
// correctly.
CertResource: "listener-cert",
},
},
},
}
},
},
{
name: "ingress-with-sds-listener-gw-level-mixed-tls",
create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS,
setup: func(snap *proxycfg.ConfigSnapshot) {
// Disable GW-level defaults so we can mix TLS and non-TLS listeners
snap.IngressGateway.TLSConfig.SDS = nil
// Setup two TCP listeners, one with and one without SDS config
snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{
{Protocol: "tcp", Port: 8080}: {
{
DestinationName: "secure",
LocalBindPort: 8080,
},
},
{Protocol: "tcp", Port: 9090}: {
{
DestinationName: "insecure",
LocalBindPort: 9090,
},
},
}
snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{
{Protocol: "tcp", Port: 8080}: {
Port: 8080,
TLS: &structs.GatewayTLSConfig{
SDS: &structs.GatewayTLSSDSConfig{
ClusterName: "listener-sds-cluster",
CertResource: "listener-cert",
},
},
},
{Protocol: "tcp", Port: 9090}: {
Port: 9090,
TLS: nil,
},
}
},
},
{
name: "ingress-with-sds-service-level",
create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS,
setup: func(snap *proxycfg.ConfigSnapshot) {
// Disable GW-level defaults so we can test only service-level
snap.IngressGateway.TLSConfig.SDS = nil
// Setup http listeners, one multiple services with SDS
snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{
{Protocol: "http", Port: 8080}: {
{
DestinationName: "s1",
LocalBindPort: 8080,
},
{
DestinationName: "s2",
LocalBindPort: 8080,
},
},
}
snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{
{Protocol: "http", Port: 8080}: {
Port: 8080,
Services: []structs.IngressService{
{
Name: "s1",
Hosts: []string{"s1.example.com"},
TLS: &structs.GatewayServiceTLSConfig{
SDS: &structs.GatewayTLSSDSConfig{
ClusterName: "sds-cluster-1",
CertResource: "s1.example.com-cert",
},
},
},
{
Name: "s2",
Hosts: []string{"s2.example.com"},
TLS: &structs.GatewayServiceTLSConfig{
SDS: &structs.GatewayTLSSDSConfig{
ClusterName: "sds-cluster-2",
CertResource: "s2.example.com-cert",
},
},
},
},
TLS: nil, // no listener-level SDS config
},
}
},
},
{
name: "ingress-with-sds-listener+service-level",
create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS,
setup: func(snap *proxycfg.ConfigSnapshot) {
// Disable GW-level defaults so we can test only service-level
snap.IngressGateway.TLSConfig.SDS = nil
// Setup http listeners, one multiple services with SDS
snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{
{Protocol: "http", Port: 8080}: {
{
DestinationName: "s1",
LocalBindPort: 8080,
},
{
DestinationName: "s2",
LocalBindPort: 8080,
},
},
}
snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{
{Protocol: "http", Port: 8080}: {
Port: 8080,
Services: []structs.IngressService{
{
Name: "s1",
Hosts: []string{"s1.example.com"},
TLS: &structs.GatewayServiceTLSConfig{
SDS: &structs.GatewayTLSSDSConfig{
ClusterName: "sds-cluster-1",
CertResource: "s1.example.com-cert",
},
},
},
{
Name: "s2",
// s2 uses the default listener cert
},
},
TLS: &structs.GatewayTLSConfig{
SDS: &structs.GatewayTLSSDSConfig{
ClusterName: "sds-cluster-2",
CertResource: "*.example.com-cert",
},
},
},
}
},
},
{
name: "ingress-with-sds-service-level-mixed-no-tls",
create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS,
setup: func(snap *proxycfg.ConfigSnapshot) {
// Disable GW-level defaults so we can test only service-level
snap.IngressGateway.TLSConfig.SDS = nil
// Setup http listeners, one multiple services with SDS
snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{
{Protocol: "http", Port: 8080}: {
{
DestinationName: "s1",
LocalBindPort: 8080,
},
{
DestinationName: "s2",
LocalBindPort: 8080,
},
},
}
snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{
{Protocol: "http", Port: 8080}: {
Port: 8080,
Services: []structs.IngressService{
{
Name: "s1",
Hosts: []string{"s1.example.com"},
TLS: &structs.GatewayServiceTLSConfig{
SDS: &structs.GatewayTLSSDSConfig{
ClusterName: "sds-cluster-1",
CertResource: "s1.example.com-cert",
},
},
},
{
Name: "s2",
// s2 has no SDS config so should be non-TLS
},
},
TLS: nil, // No listener level TLS setup either
},
}
},
},
{
name: "transparent-proxy",
create: proxycfg.TestConfigSnapshot,
@ -706,6 +955,17 @@ func TestListenersFromSnapshot(t *testing.T) {
gName += ".v2compat"
// It's easy to miss a new type that encodes a version from just
// looking at the golden files so lets make it an error here. If
// there are ever false positives we can maybe include an allow list
// here as it seems safer to assume something was missed than to
// assume we'll notice the golden file being wrong. Note the first
// one matches both resourceApiVersion and transportApiVersion. I
// left it as a suffix in case there are other field names that
// follow that convention now or in the future.
require.NotContains(t, gotJSON, `ApiVersion": "V3"`)
require.NotContains(t, gotJSON, `type.googleapis.com/envoy.api.v3`)
require.JSONEq(t, goldenEnvoy(t, filepath.Join("listeners", gName), envoyVersion, latestEnvoyVersion_v2, gotJSON), gotJSON)
})
})
@ -844,3 +1104,158 @@ var _ ConfigFetcher = (configFetcherFunc)(nil)
func (f configFetcherFunc) AdvertiseAddrLAN() string {
return f()
}
func TestResolveListenerSDSConfig(t *testing.T) {
type testCase struct {
name string
gwSDS *structs.GatewayTLSSDSConfig
lisSDS *structs.GatewayTLSSDSConfig
want *structs.GatewayTLSSDSConfig
wantErr string
}
run := func(tc testCase) {
// fake a snapshot with just the data we care about
snap := proxycfg.TestConfigSnapshotIngressWithGatewaySDS(t)
// Override TLS configs
snap.IngressGateway.TLSConfig.SDS = tc.gwSDS
var key proxycfg.IngressListenerKey
for k, lisCfg := range snap.IngressGateway.Listeners {
if tc.lisSDS == nil {
lisCfg.TLS = nil
} else {
lisCfg.TLS = &structs.GatewayTLSConfig{
SDS: tc.lisSDS,
}
}
// Override listener cfg in map
snap.IngressGateway.Listeners[k] = lisCfg
// Save the last key doesn't matter which as we set same listener config
// for all.
key = k
}
got, err := resolveListenerSDSConfig(snap, key)
if tc.wantErr != "" {
require.Error(t, err)
require.Contains(t, err.Error(), tc.wantErr)
} else {
require.NoError(t, err)
require.Equal(t, tc.want, got)
}
}
cases := []testCase{
{
name: "no SDS config",
gwSDS: nil,
lisSDS: nil,
want: nil,
},
{
name: "all cluster-level SDS config",
gwSDS: &structs.GatewayTLSSDSConfig{
ClusterName: "cluster",
CertResource: "cert",
},
lisSDS: nil,
want: &structs.GatewayTLSSDSConfig{
ClusterName: "cluster",
CertResource: "cert",
},
},
{
name: "all listener-level SDS config",
gwSDS: nil,
lisSDS: &structs.GatewayTLSSDSConfig{
ClusterName: "cluster",
CertResource: "cert",
},
want: &structs.GatewayTLSSDSConfig{
ClusterName: "cluster",
CertResource: "cert",
},
},
{
name: "mixed level SDS config",
gwSDS: &structs.GatewayTLSSDSConfig{
ClusterName: "cluster",
},
lisSDS: &structs.GatewayTLSSDSConfig{
CertResource: "cert",
},
want: &structs.GatewayTLSSDSConfig{
ClusterName: "cluster",
CertResource: "cert",
},
},
{
name: "override cert",
gwSDS: &structs.GatewayTLSSDSConfig{
ClusterName: "cluster",
CertResource: "gw-cert",
},
lisSDS: &structs.GatewayTLSSDSConfig{
CertResource: "lis-cert",
},
want: &structs.GatewayTLSSDSConfig{
ClusterName: "cluster",
CertResource: "lis-cert",
},
},
{
name: "override both",
gwSDS: &structs.GatewayTLSSDSConfig{
ClusterName: "gw-cluster",
CertResource: "gw-cert",
},
lisSDS: &structs.GatewayTLSSDSConfig{
ClusterName: "lis-cluster",
CertResource: "lis-cert",
},
want: &structs.GatewayTLSSDSConfig{
ClusterName: "lis-cluster",
CertResource: "lis-cert",
},
},
{
name: "missing cluster listener",
gwSDS: nil,
lisSDS: &structs.GatewayTLSSDSConfig{
CertResource: "lis-cert",
},
wantErr: "missing SDS cluster name",
},
{
name: "missing cert listener",
gwSDS: nil,
lisSDS: &structs.GatewayTLSSDSConfig{
ClusterName: "cluster",
},
wantErr: "missing SDS cert resource",
},
{
name: "missing cluster gw",
gwSDS: &structs.GatewayTLSSDSConfig{
CertResource: "lis-cert",
},
lisSDS: nil,
wantErr: "missing SDS cluster name",
},
{
name: "missing cert gw",
gwSDS: &structs.GatewayTLSSDSConfig{
ClusterName: "cluster",
},
lisSDS: nil,
wantErr: "missing SDS cert resource",
},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
run(tc)
})
}
}

View File

@ -0,0 +1,154 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
"name": "http:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filterChainMatch": {
"serverNames": [
"s1.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s1",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V3"
},
"routeConfigName": "8080_s1"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s1.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster-1"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V3"
}
}
]
},
"requireClientCertificate": false
}
}
},
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V3"
},
"routeConfigName": "8080"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "*.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster-2"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V3"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"listenerFilters": [
{
"name": "envoy.filters.listener.tls_inspector"
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,154 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.api.v2.Listener",
"name": "http:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filterChainMatch": {
"serverNames": [
"s1.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s1",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V2"
},
"routeConfigName": "8080_s1"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s1.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V2",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster-1"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V2"
}
}
]
},
"requireClientCertificate": false
}
}
},
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V2"
},
"routeConfigName": "8080"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "*.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V2",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster-2"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V2"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"listenerFilters": [
{
"name": "envoy.filters.listener.tls_inspector"
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,82 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
"name": "http:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V3"
},
"routeConfigName": "8080"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "listener-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V3"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,82 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.api.v2.Listener",
"name": "http:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V2"
},
"routeConfigName": "8080"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "listener-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V2",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V2"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,89 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
"name": "insecure:1.2.3.4:9090",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 9090
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
"statPrefix": "upstream.insecure.default.dc1",
"cluster": "insecure.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
}
}
]
}
],
"trafficDirection": "OUTBOUND"
},
{
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
"name": "secure:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
"statPrefix": "upstream.secure.default.dc1",
"cluster": "secure.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "listener-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "listener-sds-cluster"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V3"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,89 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.api.v2.Listener",
"name": "insecure:1.2.3.4:9090",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 9090
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy",
"statPrefix": "upstream.insecure.default.dc1",
"cluster": "insecure.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
}
}
]
}
],
"trafficDirection": "OUTBOUND"
},
{
"@type": "type.googleapis.com/envoy.api.v2.Listener",
"name": "secure:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy",
"statPrefix": "upstream.secure.default.dc1",
"cluster": "secure.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "listener-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V2",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "listener-sds-cluster"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V2"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,64 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
"name": "db:1.2.3.4:9191",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 9191
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
"statPrefix": "upstream.db.default.dc1",
"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "cert-resource",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V3"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,64 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.api.v2.Listener",
"name": "db:1.2.3.4:9191",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 9191
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy",
"statPrefix": "upstream.db.default.dc1",
"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "cert-resource",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V2",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V2"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,142 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
"name": "http:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filterChainMatch": {
"serverNames": [
"s1.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s1",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V3"
},
"routeConfigName": "8080_s1"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s1.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"clusterNames": [
"sds-cluster-1"
]
}
}
}
]
},
"requireClientCertificate": false
}
}
},
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V3"
},
"routeConfigName": "8080"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "*.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"clusterNames": [
"sds-cluster-2"
]
}
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"listenerFilters": [
{
"name": "envoy.filters.listener.tls_inspector"
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,144 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.api.v2.Listener",
"name": "http:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filterChainMatch": {
"serverNames": [
"s1.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s1",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V2"
},
"routeConfigName": "8080_s1"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s1.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V2",
"clusterNames": [
"sds-cluster-1"
]
},
"resourceApiVersion": "V2"
}
}
]
},
"requireClientCertificate": false
}
}
},
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V2"
},
"routeConfigName": "8080"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "*.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V2",
"clusterNames": [
"sds-cluster-2"
]
},
"resourceApiVersion": "V2"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"listenerFilters": [
{
"name": "envoy.filters.listener.tls_inspector"
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,64 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
"name": "foo:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
"statPrefix": "upstream.foo.default.dc1",
"cluster": "foo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "listener-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V3"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,64 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.api.v2.Listener",
"name": "foo:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy",
"statPrefix": "upstream.foo.default.dc1",
"cluster": "foo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "listener-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V2",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V2"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,147 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
"name": "http:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filterChainMatch": {
"serverNames": [
"s1.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s1",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V3"
},
"routeConfigName": "8080_s1"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s1.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"clusterNames": [
"sds-cluster-1"
]
}
}
}
]
},
"requireClientCertificate": false
}
}
},
{
"filterChainMatch": {
"serverNames": [
"s2.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s2",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V3"
},
"routeConfigName": "8080_s2"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s2.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"clusterNames": [
"sds-cluster-2"
]
}
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"listenerFilters": [
{
"name": "envoy.filters.listener.tls_inspector"
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,149 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.api.v2.Listener",
"name": "http:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filterChainMatch": {
"serverNames": [
"s1.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s1",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V2"
},
"routeConfigName": "8080_s1"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s1.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V2",
"clusterNames": [
"sds-cluster-1"
]
},
"resourceApiVersion": "V2"
}
}
]
},
"requireClientCertificate": false
}
}
},
{
"filterChainMatch": {
"serverNames": [
"s2.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s2",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V2"
},
"routeConfigName": "8080_s2"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s2.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V2",
"clusterNames": [
"sds-cluster-2"
]
},
"resourceApiVersion": "V2"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"listenerFilters": [
{
"name": "envoy.filters.listener.tls_inspector"
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,58 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
"name": "db:1.2.3.4:9191",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 9191
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
"statPrefix": "upstream.db.default.dc1",
"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "cert-resource",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"clusterNames": [
"sds-cluster"
]
}
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,58 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.api.v2.Listener",
"name": "db:1.2.3.4:9191",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 9191
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy",
"statPrefix": "upstream.db.default.dc1",
"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "cert-resource",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"clusterNames": [
"sds-cluster"
]
}
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,122 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
"name": "http:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filterChainMatch": {
"serverNames": [
"s1.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s1",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V3"
},
"routeConfigName": "8080_s1"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s1.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster-1"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V3"
}
}
]
},
"requireClientCertificate": false
}
}
},
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V3"
},
"routeConfigName": "8080"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
]
}
],
"listenerFilters": [
{
"name": "envoy.filters.listener.tls_inspector"
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,122 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.api.v2.Listener",
"name": "http:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filterChainMatch": {
"serverNames": [
"s1.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s1",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V2"
},
"routeConfigName": "8080_s1"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s1.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V2",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster-1"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V2"
}
}
]
},
"requireClientCertificate": false
}
}
},
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V2"
},
"routeConfigName": "8080"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
]
}
],
"listenerFilters": [
{
"name": "envoy.filters.listener.tls_inspector"
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,159 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
"name": "http:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filterChainMatch": {
"serverNames": [
"s1.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s1",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V3"
},
"routeConfigName": "8080_s1"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s1.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster-1"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V3"
}
}
]
},
"requireClientCertificate": false
}
}
},
{
"filterChainMatch": {
"serverNames": [
"s2.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s2",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V3"
},
"routeConfigName": "8080_s2"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s2.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster-2"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V3"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"listenerFilters": [
{
"name": "envoy.filters.listener.tls_inspector"
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
"nonce": "00000001"
}

View File

@ -0,0 +1,159 @@
{
"versionInfo": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.api.v2.Listener",
"name": "http:1.2.3.4:8080",
"address": {
"socketAddress": {
"address": "1.2.3.4",
"portValue": 8080
}
},
"filterChains": [
{
"filterChainMatch": {
"serverNames": [
"s1.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s1",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V2"
},
"routeConfigName": "8080_s1"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s1.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V2",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster-1"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V2"
}
}
]
},
"requireClientCertificate": false
}
}
},
{
"filterChainMatch": {
"serverNames": [
"s2.example.com"
]
},
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typedConfig": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"statPrefix": "ingress_upstream_8080_s2",
"rds": {
"configSource": {
"ads": {
},
"resourceApiVersion": "V2"
},
"routeConfigName": "8080_s2"
},
"httpFilters": [
{
"name": "envoy.filters.http.router"
}
],
"tracing": {
"randomSampling": {
}
}
}
}
],
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
"commonTlsContext": {
"tlsParams": {
},
"tlsCertificateSdsSecretConfigs": [
{
"name": "s2.example.com-cert",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V2",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-cluster-2"
},
"timeout": "5s"
}
]
},
"resourceApiVersion": "V2"
}
}
]
},
"requireClientCertificate": false
}
}
}
],
"listenerFilters": [
{
"name": "envoy.filters.listener.tls_inspector"
}
],
"trafficDirection": "OUTBOUND"
}
],
"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
"nonce": "00000001"
}

View File

@ -440,7 +440,14 @@ func convertTypedConfigsToV2(pb proto.Message) error {
return nil
case *envoy_core_v2.ConfigSource:
if x.ConfigSourceSpecifier != nil {
if _, ok := x.ConfigSourceSpecifier.(*envoy_core_v2.ConfigSource_Ads); !ok {
switch spec := x.ConfigSourceSpecifier.(type) {
case *envoy_core_v2.ConfigSource_Ads:
// Nothing else to do
break
case *envoy_core_v2.ConfigSource_ApiConfigSource:
spec.ApiConfigSource.TransportApiVersion = envoy_core_v2.ApiVersion_V2
break
default:
return fmt.Errorf("%T: ConfigSourceSpecifier type %T not handled", x, x.ConfigSourceSpecifier)
}
}
@ -491,8 +498,30 @@ func convertTypedConfigsToV2(pb proto.Message) error {
case *envoy_http_rbac_v2.RBAC:
return nil
case *envoy_tls_v2.UpstreamTlsContext:
if x.CommonTlsContext != nil {
if err := convertTypedConfigsToV2(x.CommonTlsContext); err != nil {
return fmt.Errorf("%T: %w", x, err)
}
}
return nil
case *envoy_tls_v2.DownstreamTlsContext:
if x.CommonTlsContext != nil {
if err := convertTypedConfigsToV2(x.CommonTlsContext); err != nil {
return fmt.Errorf("%T: %w", x, err)
}
}
return nil
case *envoy_tls_v2.CommonTlsContext:
for _, sds := range x.TlsCertificateSdsSecretConfigs {
if err := convertTypedConfigsToV2(sds); err != nil {
return fmt.Errorf("%T: %w", x, err)
}
}
return nil
case *envoy_tls_v2.SdsSecretConfig:
if err := convertTypedConfigsToV2(x.SdsConfig); err != nil {
return fmt.Errorf("%T: %w", x, err)
}
return nil
case *envoy_grpc_stats_v2.FilterConfig:
return nil