diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go index 43510b204..0d64cf08d 100644 --- a/agent/xds/listeners.go +++ b/agent/xds/listeners.go @@ -26,6 +26,7 @@ import ( "github.com/golang/protobuf/proto" "github.com/golang/protobuf/ptypes" "github.com/golang/protobuf/ptypes/any" + "github.com/golang/protobuf/ptypes/duration" "github.com/golang/protobuf/ptypes/wrappers" "github.com/hashicorp/consul/agent/connect" @@ -511,12 +512,68 @@ func (s *ResourceGenerator) listenersFromSnapshotGateway(cfgSnap *proxycfg.Confi return resources, err } +func resolveListenerSDSConfig(cfgSnap *proxycfg.ConfigSnapshot, listenerKey proxycfg.IngressListenerKey) (*structs.GatewayTLSSDSConfig, error) { + gwSDS := cfgSnap.IngressGateway.TLSConfig.SDS + + listenerCfg, ok := cfgSnap.IngressGateway.Listeners[listenerKey] + if !ok { + return nil, fmt.Errorf("no listener config found for listener on port %d", listenerKey.Port) + } + + var mergedCfg structs.GatewayTLSSDSConfig + + if gwSDS != nil { + mergedCfg.ClusterName = gwSDS.ClusterName + mergedCfg.CertResource = gwSDS.CertResource + } + + if listenerCfg.TLS != nil && listenerCfg.TLS.SDS != nil { + if listenerCfg.TLS.SDS.ClusterName != "" { + mergedCfg.ClusterName = listenerCfg.TLS.SDS.ClusterName + } + if listenerCfg.TLS.SDS.CertResource != "" { + mergedCfg.CertResource = listenerCfg.TLS.SDS.CertResource + } + } + + // Validate. Either merged should have both fields empty or both set. Other + // cases shouldn't be possible as we validate them at input but be robust to + // bugs later. + switch { + case mergedCfg.ClusterName == "" && mergedCfg.CertResource == "": + return nil, nil + + case mergedCfg.ClusterName != "" && mergedCfg.CertResource != "": + return &mergedCfg, nil + + case mergedCfg.ClusterName == "" && mergedCfg.CertResource != "": + return nil, fmt.Errorf("missing SDS cluster name for listener on port %d", listenerKey.Port) + + case mergedCfg.ClusterName != "" && mergedCfg.CertResource == "": + return nil, fmt.Errorf("missing SDS cert resource for listener on port %d", listenerKey.Port) + } + + return &mergedCfg, nil +} + func (s *ResourceGenerator) makeIngressGatewayListeners(address string, cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error) { var resources []proto.Message for listenerKey, upstreams := range cfgSnap.IngressGateway.Upstreams { var tlsContext *envoy_tls_v3.DownstreamTlsContext - if cfgSnap.IngressGateway.TLSEnabled { + + sdsCfg, err := resolveListenerSDSConfig(cfgSnap, listenerKey) + if err != nil { + return nil, err + } + + if sdsCfg != nil { + // Set up listener TLS from SDS + tlsContext = &envoy_tls_v3.DownstreamTlsContext{ + CommonTlsContext: makeCommonTLSContextFromSDS(cfgSnap, *sdsCfg), + RequireClientCertificate: &wrappers.BoolValue{Value: false}, + } + } else if cfgSnap.IngressGateway.TLSConfig.Enabled { tlsContext = &envoy_tls_v3.DownstreamTlsContext{ CommonTlsContext: makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.Leaf()), RequireClientCertificate: &wrappers.BoolValue{Value: false}, @@ -557,29 +614,136 @@ func (s *ResourceGenerator) makeIngressGatewayListeners(address string, cfgSnap routePath: "", httpAuthzFilter: nil, } - filter, err := makeListenerFilter(opts) + + // Generate any filter chains needed for services with custom TLS certs + // via SDS. + sniFilterChains, err := makeSDSOverrideFilterChains(cfgSnap, listenerKey, opts) if err != nil { return nil, err } + // If there are any sni filter chains, we need a TLS inspector filter! + if len(sniFilterChains) > 0 { + tlsInspector, err := makeTLSInspectorListenerFilter() + if err != nil { + return nil, err + } + listener.ListenerFilters = []*envoy_listener_v3.ListenerFilter{tlsInspector} + } + + listener.FilterChains = sniFilterChains + + // See if there are other services that didn't have specific SNI-matching + // filter chains. If so add a default filterchain to serve them. + if len(sniFilterChains) < len(upstreams) { + defaultFilter, err := makeListenerFilter(opts) + if err != nil { + return nil, err + } + + transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext) + if err != nil { + return nil, err + } + listener.FilterChains = append(listener.FilterChains, + &envoy_listener_v3.FilterChain{ + Filters: []*envoy_listener_v3.Filter{ + defaultFilter, + }, + TransportSocket: transportSocket, + }) + } + + resources = append(resources, listener) + } + } + + return resources, nil +} + +func routeNameForUpstream(l structs.IngressListener, s structs.IngressService) (string, error) { + key := proxycfg.IngressListenerKeyFromListener(l) + + // If the upsteam service doesn't have any TLS overrides then it can just use + // the combined filterchain with all the merged routes. + if !ingressServiceHasSDSOverrides(s) { + return key.RouteName(), nil + } + + // Return a specific route for this service as it needs a custom FilterChain + // to serve it's custom cert so we should attach it's routes to a separate + // Route too. + return fmt.Sprintf("%s_%s", key.RouteName(), s.ToServiceName().ToServiceID().String()), nil +} + +func ingressServiceHasSDSOverrides(s structs.IngressService) bool { + return s.TLS != nil && + s.TLS.SDS != nil && + s.TLS.SDS.CertResource != "" +} + +// ingress services that specify custom TLS certs via SDS overrides need to get +// their own filter chain and routes. This will generate all the extra filter +// chains an ingress listener needs. It maybe be empty and expects the default +// catch-all chain and route to contain all the other services that share the +// default TLS config. +func makeSDSOverrideFilterChains(cfgSnap *proxycfg.ConfigSnapshot, + listenerKey proxycfg.IngressListenerKey, + filterOpts listenerFilterOpts) ([]*envoy_listener_v3.FilterChain, error) { + + listenerCfg, ok := cfgSnap.IngressGateway.Listeners[listenerKey] + if !ok { + return nil, fmt.Errorf("no listener config found for listener on port %d", listenerKey.Port) + } + + var chains []*envoy_listener_v3.FilterChain + + for _, svc := range listenerCfg.Services { + if ingressServiceHasSDSOverrides(svc) { + if len(svc.Hosts) < 1 { + // Shouldn't be possible with validation but be careful + return nil, fmt.Errorf("no hosts specified with SDS certificate (service %q on listener on port %d)", + svc.ToServiceName().ToServiceID().String(), listenerKey.Port) + } + + // Service has a certificate resource override. Return a new filter chain + // with the right TLS cert and a filter that will load only the routes for + // this service. + routeName, err := routeNameForUpstream(listenerCfg, svc) + if err != nil { + return nil, err + } + filterOpts.filterName = routeName + filterOpts.routeName = routeName + filter, err := makeListenerFilter(filterOpts) + if err != nil { + return nil, err + } + + tlsContext := &envoy_tls_v3.DownstreamTlsContext{ + CommonTlsContext: makeCommonTLSContextFromSDS(cfgSnap, *svc.TLS.SDS), + RequireClientCertificate: &wrappers.BoolValue{Value: false}, + } + transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext) if err != nil { return nil, err } - listener.FilterChains = []*envoy_listener_v3.FilterChain{ - { - Filters: []*envoy_listener_v3.Filter{ - filter, - }, - TransportSocket: transportSocket, + chain := &envoy_listener_v3.FilterChain{ + // Only match traffic for this service's hosts. + FilterChainMatch: makeSNIFilterChainMatch(svc.Hosts...), + Filters: []*envoy_listener_v3.Filter{ + filter, }, + TransportSocket: transportSocket, } - resources = append(resources, listener) + + chains = append(chains, chain) } } - return resources, nil + return chains, nil } // makeListener returns a listener with name and bind details set. Filters must @@ -1584,9 +1748,9 @@ func makeTLSInspectorListenerFilter() (*envoy_listener_v3.ListenerFilter, error) return &envoy_listener_v3.ListenerFilter{Name: "envoy.filters.listener.tls_inspector"}, nil } -func makeSNIFilterChainMatch(sniMatch string) *envoy_listener_v3.FilterChainMatch { +func makeSNIFilterChainMatch(sniMatches ...string) *envoy_listener_v3.FilterChainMatch { return &envoy_listener_v3.FilterChainMatch{ - ServerNames: []string{sniMatch}, + ServerNames: sniMatches, } } @@ -1763,7 +1927,6 @@ func makeCommonTLSContextFromLeaf(cfgSnap *proxycfg.ConfigSnapshot, leaf *struct return nil } - // TODO(banks): verify this actually works with Envoy (docs are not clear). rootPEMS := "" for _, root := range cfgSnap.Roots.Roots { rootPEMS += ca.EnsureTrailingNewline(root.RootCert) @@ -1798,6 +1961,38 @@ func makeCommonTLSContextFromLeaf(cfgSnap *proxycfg.ConfigSnapshot, leaf *struct } } +func makeCommonTLSContextFromSDS(cfgSnap *proxycfg.ConfigSnapshot, sdsCfg structs.GatewayTLSSDSConfig) *envoy_tls_v3.CommonTlsContext { + return &envoy_tls_v3.CommonTlsContext{ + TlsParams: &envoy_tls_v3.TlsParameters{}, + TlsCertificateSdsSecretConfigs: []*envoy_tls_v3.SdsSecretConfig{ + { + Name: sdsCfg.CertResource, + SdsConfig: &envoy_core_v3.ConfigSource{ + ConfigSourceSpecifier: &envoy_core_v3.ConfigSource_ApiConfigSource{ + ApiConfigSource: &envoy_core_v3.ApiConfigSource{ + ApiType: envoy_core_v3.ApiConfigSource_GRPC, + TransportApiVersion: envoy_core_v3.ApiVersion_V3, + // Note ClusterNames can't be set here - that's only for REST type + // we need a full GRPC config instead. + GrpcServices: []*envoy_core_v3.GrpcService{ + { + TargetSpecifier: &envoy_core_v3.GrpcService_EnvoyGrpc_{ + EnvoyGrpc: &envoy_core_v3.GrpcService_EnvoyGrpc{ + ClusterName: sdsCfg.ClusterName, + }, + }, + Timeout: &duration.Duration{Seconds: 5}, + }, + }, + }, + }, + ResourceApiVersion: envoy_core_v3.ApiVersion_V3, + }, + }, + }, + } +} + func makeDownstreamTLSTransportSocket(tlsContext *envoy_tls_v3.DownstreamTlsContext) (*envoy_core_v3.TransportSocket, error) { if tlsContext == nil { return nil, nil diff --git a/agent/xds/listeners_test.go b/agent/xds/listeners_test.go index 977343578..a3664db84 100644 --- a/agent/xds/listeners_test.go +++ b/agent/xds/listeners_test.go @@ -485,6 +485,10 @@ func TestListenersFromSnapshot(t *testing.T) { }, }, } + snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{ + {Protocol: "http", Port: 8080}: {}, + {Protocol: "http", Port: 443}: {}, + } }, }, { @@ -499,6 +503,251 @@ func TestListenersFromSnapshot(t *testing.T) { create: proxycfg.TestConfigSnapshotIngressWithTLSListener, setup: nil, }, + { + name: "ingress-with-sds-listener-gw-level", + create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS, + setup: nil, + }, + { + name: "ingress-with-sds-listener-listener-level", + create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS, + setup: func(snap *proxycfg.ConfigSnapshot) { + snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{ + {Protocol: "tcp", Port: 8080}: { + { + DestinationName: "foo", + LocalBindPort: 8080, + }, + }, + } + snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{ + {Protocol: "tcp", Port: 8080}: { + Port: 8080, + TLS: &structs.GatewayTLSConfig{ + SDS: &structs.GatewayTLSSDSConfig{ + // Override the cert, fall back to the cluster at gw level. We + // don't test every possible valid combination here since we + // already did that in TestResolveListenerSDSConfig. This is + // just an extra check to make sure that data is plumbed through + // correctly. + CertResource: "listener-cert", + }, + }, + }, + } + }, + }, + { + name: "ingress-with-sds-listener-gw-level-http", + create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS, + setup: func(snap *proxycfg.ConfigSnapshot) { + snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{ + {Protocol: "http", Port: 8080}: { + { + DestinationName: "foo", + LocalBindPort: 8080, + }, + }, + } + snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{ + {Protocol: "http", Port: 8080}: { + Port: 8080, + TLS: &structs.GatewayTLSConfig{ + SDS: &structs.GatewayTLSSDSConfig{ + // Override the cert, fall back to the cluster at gw level. We + // don't test every possible valid combination here since we + // already did that in TestResolveListenerSDSConfig. This is + // just an extra check to make sure that data is plumbed through + // correctly. + CertResource: "listener-cert", + }, + }, + }, + } + }, + }, + { + name: "ingress-with-sds-listener-gw-level-mixed-tls", + create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS, + setup: func(snap *proxycfg.ConfigSnapshot) { + // Disable GW-level defaults so we can mix TLS and non-TLS listeners + snap.IngressGateway.TLSConfig.SDS = nil + + // Setup two TCP listeners, one with and one without SDS config + snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{ + {Protocol: "tcp", Port: 8080}: { + { + DestinationName: "secure", + LocalBindPort: 8080, + }, + }, + {Protocol: "tcp", Port: 9090}: { + { + DestinationName: "insecure", + LocalBindPort: 9090, + }, + }, + } + snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{ + {Protocol: "tcp", Port: 8080}: { + Port: 8080, + TLS: &structs.GatewayTLSConfig{ + SDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "listener-sds-cluster", + CertResource: "listener-cert", + }, + }, + }, + {Protocol: "tcp", Port: 9090}: { + Port: 9090, + TLS: nil, + }, + } + }, + }, + { + name: "ingress-with-sds-service-level", + create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS, + setup: func(snap *proxycfg.ConfigSnapshot) { + // Disable GW-level defaults so we can test only service-level + snap.IngressGateway.TLSConfig.SDS = nil + + // Setup http listeners, one multiple services with SDS + snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{ + {Protocol: "http", Port: 8080}: { + { + DestinationName: "s1", + LocalBindPort: 8080, + }, + { + DestinationName: "s2", + LocalBindPort: 8080, + }, + }, + } + snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{ + {Protocol: "http", Port: 8080}: { + Port: 8080, + Services: []structs.IngressService{ + { + Name: "s1", + Hosts: []string{"s1.example.com"}, + TLS: &structs.GatewayServiceTLSConfig{ + SDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "sds-cluster-1", + CertResource: "s1.example.com-cert", + }, + }, + }, + { + Name: "s2", + Hosts: []string{"s2.example.com"}, + TLS: &structs.GatewayServiceTLSConfig{ + SDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "sds-cluster-2", + CertResource: "s2.example.com-cert", + }, + }, + }, + }, + TLS: nil, // no listener-level SDS config + }, + } + }, + }, + { + name: "ingress-with-sds-listener+service-level", + create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS, + setup: func(snap *proxycfg.ConfigSnapshot) { + // Disable GW-level defaults so we can test only service-level + snap.IngressGateway.TLSConfig.SDS = nil + + // Setup http listeners, one multiple services with SDS + snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{ + {Protocol: "http", Port: 8080}: { + { + DestinationName: "s1", + LocalBindPort: 8080, + }, + { + DestinationName: "s2", + LocalBindPort: 8080, + }, + }, + } + snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{ + {Protocol: "http", Port: 8080}: { + Port: 8080, + Services: []structs.IngressService{ + { + Name: "s1", + Hosts: []string{"s1.example.com"}, + TLS: &structs.GatewayServiceTLSConfig{ + SDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "sds-cluster-1", + CertResource: "s1.example.com-cert", + }, + }, + }, + { + Name: "s2", + // s2 uses the default listener cert + }, + }, + TLS: &structs.GatewayTLSConfig{ + SDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "sds-cluster-2", + CertResource: "*.example.com-cert", + }, + }, + }, + } + }, + }, + { + name: "ingress-with-sds-service-level-mixed-no-tls", + create: proxycfg.TestConfigSnapshotIngressWithGatewaySDS, + setup: func(snap *proxycfg.ConfigSnapshot) { + // Disable GW-level defaults so we can test only service-level + snap.IngressGateway.TLSConfig.SDS = nil + + // Setup http listeners, one multiple services with SDS + snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{ + {Protocol: "http", Port: 8080}: { + { + DestinationName: "s1", + LocalBindPort: 8080, + }, + { + DestinationName: "s2", + LocalBindPort: 8080, + }, + }, + } + snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{ + {Protocol: "http", Port: 8080}: { + Port: 8080, + Services: []structs.IngressService{ + { + Name: "s1", + Hosts: []string{"s1.example.com"}, + TLS: &structs.GatewayServiceTLSConfig{ + SDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "sds-cluster-1", + CertResource: "s1.example.com-cert", + }, + }, + }, + { + Name: "s2", + // s2 has no SDS config so should be non-TLS + }, + }, + TLS: nil, // No listener level TLS setup either + }, + } + }, + }, { name: "transparent-proxy", create: proxycfg.TestConfigSnapshot, @@ -706,6 +955,17 @@ func TestListenersFromSnapshot(t *testing.T) { gName += ".v2compat" + // It's easy to miss a new type that encodes a version from just + // looking at the golden files so lets make it an error here. If + // there are ever false positives we can maybe include an allow list + // here as it seems safer to assume something was missed than to + // assume we'll notice the golden file being wrong. Note the first + // one matches both resourceApiVersion and transportApiVersion. I + // left it as a suffix in case there are other field names that + // follow that convention now or in the future. + require.NotContains(t, gotJSON, `ApiVersion": "V3"`) + require.NotContains(t, gotJSON, `type.googleapis.com/envoy.api.v3`) + require.JSONEq(t, goldenEnvoy(t, filepath.Join("listeners", gName), envoyVersion, latestEnvoyVersion_v2, gotJSON), gotJSON) }) }) @@ -844,3 +1104,158 @@ var _ ConfigFetcher = (configFetcherFunc)(nil) func (f configFetcherFunc) AdvertiseAddrLAN() string { return f() } + +func TestResolveListenerSDSConfig(t *testing.T) { + type testCase struct { + name string + gwSDS *structs.GatewayTLSSDSConfig + lisSDS *structs.GatewayTLSSDSConfig + want *structs.GatewayTLSSDSConfig + wantErr string + } + + run := func(tc testCase) { + // fake a snapshot with just the data we care about + snap := proxycfg.TestConfigSnapshotIngressWithGatewaySDS(t) + // Override TLS configs + snap.IngressGateway.TLSConfig.SDS = tc.gwSDS + var key proxycfg.IngressListenerKey + for k, lisCfg := range snap.IngressGateway.Listeners { + if tc.lisSDS == nil { + lisCfg.TLS = nil + } else { + lisCfg.TLS = &structs.GatewayTLSConfig{ + SDS: tc.lisSDS, + } + } + // Override listener cfg in map + snap.IngressGateway.Listeners[k] = lisCfg + // Save the last key doesn't matter which as we set same listener config + // for all. + key = k + } + + got, err := resolveListenerSDSConfig(snap, key) + if tc.wantErr != "" { + require.Error(t, err) + require.Contains(t, err.Error(), tc.wantErr) + } else { + require.NoError(t, err) + require.Equal(t, tc.want, got) + } + } + + cases := []testCase{ + { + name: "no SDS config", + gwSDS: nil, + lisSDS: nil, + want: nil, + }, + { + name: "all cluster-level SDS config", + gwSDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "cluster", + CertResource: "cert", + }, + lisSDS: nil, + want: &structs.GatewayTLSSDSConfig{ + ClusterName: "cluster", + CertResource: "cert", + }, + }, + { + name: "all listener-level SDS config", + gwSDS: nil, + lisSDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "cluster", + CertResource: "cert", + }, + want: &structs.GatewayTLSSDSConfig{ + ClusterName: "cluster", + CertResource: "cert", + }, + }, + { + name: "mixed level SDS config", + gwSDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "cluster", + }, + lisSDS: &structs.GatewayTLSSDSConfig{ + CertResource: "cert", + }, + want: &structs.GatewayTLSSDSConfig{ + ClusterName: "cluster", + CertResource: "cert", + }, + }, + { + name: "override cert", + gwSDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "cluster", + CertResource: "gw-cert", + }, + lisSDS: &structs.GatewayTLSSDSConfig{ + CertResource: "lis-cert", + }, + want: &structs.GatewayTLSSDSConfig{ + ClusterName: "cluster", + CertResource: "lis-cert", + }, + }, + { + name: "override both", + gwSDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "gw-cluster", + CertResource: "gw-cert", + }, + lisSDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "lis-cluster", + CertResource: "lis-cert", + }, + want: &structs.GatewayTLSSDSConfig{ + ClusterName: "lis-cluster", + CertResource: "lis-cert", + }, + }, + { + name: "missing cluster listener", + gwSDS: nil, + lisSDS: &structs.GatewayTLSSDSConfig{ + CertResource: "lis-cert", + }, + wantErr: "missing SDS cluster name", + }, + { + name: "missing cert listener", + gwSDS: nil, + lisSDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "cluster", + }, + wantErr: "missing SDS cert resource", + }, + { + name: "missing cluster gw", + gwSDS: &structs.GatewayTLSSDSConfig{ + CertResource: "lis-cert", + }, + lisSDS: nil, + wantErr: "missing SDS cluster name", + }, + { + name: "missing cert gw", + gwSDS: &structs.GatewayTLSSDSConfig{ + ClusterName: "cluster", + }, + lisSDS: nil, + wantErr: "missing SDS cert resource", + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + run(tc) + }) + } + +} diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener+service-level.envoy-1-18-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener+service-level.envoy-1-18-x.golden new file mode 100644 index 000000000..b5531913d --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener+service-level.envoy-1-18-x.golden @@ -0,0 +1,154 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "http:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "serverNames": [ + "s1.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s1", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V3" + }, + "routeConfigName": "8080_s1" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s1.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster-1" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V3" + } + } + ] + }, + "requireClientCertificate": false + } + } + }, + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V3" + }, + "routeConfigName": "8080" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "*.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster-2" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V3" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.tls_inspector" + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener+service-level.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener+service-level.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000..b3d8cf47f --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener+service-level.v2compat.envoy-1-16-x.golden @@ -0,0 +1,154 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "http:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "serverNames": [ + "s1.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s1", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V2" + }, + "routeConfigName": "8080_s1" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s1.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V2", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster-1" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V2" + } + } + ] + }, + "requireClientCertificate": false + } + } + }, + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V2" + }, + "routeConfigName": "8080" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "*.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V2", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster-2" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V2" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.tls_inspector" + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level-http.envoy-1-18-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level-http.envoy-1-18-x.golden new file mode 100644 index 000000000..e858c2afb --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level-http.envoy-1-18-x.golden @@ -0,0 +1,82 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "http:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V3" + }, + "routeConfigName": "8080" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "listener-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V3" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level-http.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level-http.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000..2593dd6f7 --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level-http.v2compat.envoy-1-16-x.golden @@ -0,0 +1,82 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "http:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V2" + }, + "routeConfigName": "8080" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "listener-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V2", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V2" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level-mixed-tls.envoy-1-18-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level-mixed-tls.envoy-1-18-x.golden new file mode 100644 index 000000000..bc3fd55f0 --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level-mixed-tls.envoy-1-18-x.golden @@ -0,0 +1,89 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "insecure:1.2.3.4:9090", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 9090 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.insecure.default.dc1", + "cluster": "insecure.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "secure:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.secure.default.dc1", + "cluster": "secure.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "listener-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "listener-sds-cluster" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V3" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level-mixed-tls.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level-mixed-tls.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000..0f5a97afe --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level-mixed-tls.v2compat.envoy-1-16-x.golden @@ -0,0 +1,89 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "insecure:1.2.3.4:9090", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 9090 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.insecure.default.dc1", + "cluster": "insecure.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "secure:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.secure.default.dc1", + "cluster": "secure.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "listener-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V2", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "listener-sds-cluster" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V2" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level.envoy-1-18-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level.envoy-1-18-x.golden new file mode 100644 index 000000000..9a7b96e23 --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level.envoy-1-18-x.golden @@ -0,0 +1,64 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "db:1.2.3.4:9191", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.db.default.dc1", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "cert-resource", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V3" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000..773fdf9c8 --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-gw-level.v2compat.envoy-1-16-x.golden @@ -0,0 +1,64 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:1.2.3.4:9191", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.db.default.dc1", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "cert-resource", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V2", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V2" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-listener+service-level.envoy-1-18-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-listener+service-level.envoy-1-18-x.golden new file mode 100644 index 000000000..70b620018 --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-listener+service-level.envoy-1-18-x.golden @@ -0,0 +1,142 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "http:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "serverNames": [ + "s1.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s1", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V3" + }, + "routeConfigName": "8080_s1" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s1.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "clusterNames": [ + "sds-cluster-1" + ] + } + } + } + ] + }, + "requireClientCertificate": false + } + } + }, + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V3" + }, + "routeConfigName": "8080" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "*.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "clusterNames": [ + "sds-cluster-2" + ] + } + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.tls_inspector" + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-listener+service-level.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-listener+service-level.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000..3eb45c4f3 --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-listener+service-level.v2compat.envoy-1-16-x.golden @@ -0,0 +1,144 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "http:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "serverNames": [ + "s1.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s1", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V2" + }, + "routeConfigName": "8080_s1" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s1.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V2", + "clusterNames": [ + "sds-cluster-1" + ] + }, + "resourceApiVersion": "V2" + } + } + ] + }, + "requireClientCertificate": false + } + } + }, + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V2" + }, + "routeConfigName": "8080" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "*.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V2", + "clusterNames": [ + "sds-cluster-2" + ] + }, + "resourceApiVersion": "V2" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.tls_inspector" + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.envoy-1-18-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.envoy-1-18-x.golden new file mode 100644 index 000000000..2d11ca1a0 --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.envoy-1-18-x.golden @@ -0,0 +1,64 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "foo:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.foo.default.dc1", + "cluster": "foo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "listener-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V3" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000..f39803525 --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.v2compat.envoy-1-16-x.golden @@ -0,0 +1,64 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "foo:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.foo.default.dc1", + "cluster": "foo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "listener-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V2", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V2" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-service-level.envoy-1-18-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-service-level.envoy-1-18-x.golden new file mode 100644 index 000000000..c88741451 --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-service-level.envoy-1-18-x.golden @@ -0,0 +1,147 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "http:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "serverNames": [ + "s1.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s1", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V3" + }, + "routeConfigName": "8080_s1" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s1.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "clusterNames": [ + "sds-cluster-1" + ] + } + } + } + ] + }, + "requireClientCertificate": false + } + } + }, + { + "filterChainMatch": { + "serverNames": [ + "s2.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s2", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V3" + }, + "routeConfigName": "8080_s2" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s2.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "clusterNames": [ + "sds-cluster-2" + ] + } + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.tls_inspector" + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-service-level.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-service-level.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000..4c53a0af2 --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-service-level.v2compat.envoy-1-16-x.golden @@ -0,0 +1,149 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "http:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "serverNames": [ + "s1.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s1", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V2" + }, + "routeConfigName": "8080_s1" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s1.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V2", + "clusterNames": [ + "sds-cluster-1" + ] + }, + "resourceApiVersion": "V2" + } + } + ] + }, + "requireClientCertificate": false + } + } + }, + { + "filterChainMatch": { + "serverNames": [ + "s2.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s2", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V2" + }, + "routeConfigName": "8080_s2" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s2.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V2", + "clusterNames": [ + "sds-cluster-2" + ] + }, + "resourceApiVersion": "V2" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.tls_inspector" + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener.envoy-1-18-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener.envoy-1-18-x.golden new file mode 100644 index 000000000..aff11429c --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener.envoy-1-18-x.golden @@ -0,0 +1,58 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "db:1.2.3.4:9191", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.db.default.dc1", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "cert-resource", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "clusterNames": [ + "sds-cluster" + ] + } + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000..0013a1a29 --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener.v2compat.envoy-1-16-x.golden @@ -0,0 +1,58 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:1.2.3.4:9191", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.db.default.dc1", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "cert-resource", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "clusterNames": [ + "sds-cluster" + ] + } + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-service-level-mixed-no-tls.envoy-1-18-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-service-level-mixed-no-tls.envoy-1-18-x.golden new file mode 100644 index 000000000..dbfb9f40e --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-service-level-mixed-no-tls.envoy-1-18-x.golden @@ -0,0 +1,122 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "http:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "serverNames": [ + "s1.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s1", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V3" + }, + "routeConfigName": "8080_s1" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s1.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster-1" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V3" + } + } + ] + }, + "requireClientCertificate": false + } + } + }, + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V3" + }, + "routeConfigName": "8080" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ] + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.tls_inspector" + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-service-level-mixed-no-tls.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-service-level-mixed-no-tls.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000..e6717b87b --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-service-level-mixed-no-tls.v2compat.envoy-1-16-x.golden @@ -0,0 +1,122 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "http:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "serverNames": [ + "s1.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s1", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V2" + }, + "routeConfigName": "8080_s1" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s1.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V2", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster-1" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V2" + } + } + ] + }, + "requireClientCertificate": false + } + } + }, + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V2" + }, + "routeConfigName": "8080" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ] + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.tls_inspector" + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-service-level.envoy-1-18-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-service-level.envoy-1-18-x.golden new file mode 100644 index 000000000..cc7c0c30c --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-service-level.envoy-1-18-x.golden @@ -0,0 +1,159 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "http:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "serverNames": [ + "s1.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s1", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V3" + }, + "routeConfigName": "8080_s1" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s1.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster-1" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V3" + } + } + ] + }, + "requireClientCertificate": false + } + } + }, + { + "filterChainMatch": { + "serverNames": [ + "s2.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s2", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V3" + }, + "routeConfigName": "8080_s2" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s2.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V3", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster-2" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V3" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.tls_inspector" + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-service-level.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-service-level.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000..148147647 --- /dev/null +++ b/agent/xds/testdata/listeners/ingress-with-sds-service-level.v2compat.envoy-1-16-x.golden @@ -0,0 +1,159 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "http:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "serverNames": [ + "s1.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s1", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V2" + }, + "routeConfigName": "8080_s1" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s1.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V2", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster-1" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V2" + } + } + ] + }, + "requireClientCertificate": false + } + } + }, + { + "filterChainMatch": { + "serverNames": [ + "s2.example.com" + ] + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "statPrefix": "ingress_upstream_8080_s2", + "rds": { + "configSource": { + "ads": { + + }, + "resourceApiVersion": "V2" + }, + "routeConfigName": "8080_s2" + }, + "httpFilters": [ + { + "name": "envoy.filters.http.router" + } + ], + "tracing": { + "randomSampling": { + + } + } + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificateSdsSecretConfigs": [ + { + "name": "s2.example.com-cert", + "sdsConfig": { + "apiConfigSource": { + "apiType": "GRPC", + "transportApiVersion": "V2", + "grpcServices": [ + { + "envoyGrpc": { + "clusterName": "sds-cluster-2" + }, + "timeout": "5s" + } + ] + }, + "resourceApiVersion": "V2" + } + } + ] + }, + "requireClientCertificate": false + } + } + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.tls_inspector" + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/version_compat.go b/agent/xds/version_compat.go index aa4ad55eb..c75eda075 100644 --- a/agent/xds/version_compat.go +++ b/agent/xds/version_compat.go @@ -440,7 +440,14 @@ func convertTypedConfigsToV2(pb proto.Message) error { return nil case *envoy_core_v2.ConfigSource: if x.ConfigSourceSpecifier != nil { - if _, ok := x.ConfigSourceSpecifier.(*envoy_core_v2.ConfigSource_Ads); !ok { + switch spec := x.ConfigSourceSpecifier.(type) { + case *envoy_core_v2.ConfigSource_Ads: + // Nothing else to do + break + case *envoy_core_v2.ConfigSource_ApiConfigSource: + spec.ApiConfigSource.TransportApiVersion = envoy_core_v2.ApiVersion_V2 + break + default: return fmt.Errorf("%T: ConfigSourceSpecifier type %T not handled", x, x.ConfigSourceSpecifier) } } @@ -491,8 +498,30 @@ func convertTypedConfigsToV2(pb proto.Message) error { case *envoy_http_rbac_v2.RBAC: return nil case *envoy_tls_v2.UpstreamTlsContext: + if x.CommonTlsContext != nil { + if err := convertTypedConfigsToV2(x.CommonTlsContext); err != nil { + return fmt.Errorf("%T: %w", x, err) + } + } return nil case *envoy_tls_v2.DownstreamTlsContext: + if x.CommonTlsContext != nil { + if err := convertTypedConfigsToV2(x.CommonTlsContext); err != nil { + return fmt.Errorf("%T: %w", x, err) + } + } + return nil + case *envoy_tls_v2.CommonTlsContext: + for _, sds := range x.TlsCertificateSdsSecretConfigs { + if err := convertTypedConfigsToV2(sds); err != nil { + return fmt.Errorf("%T: %w", x, err) + } + } + return nil + case *envoy_tls_v2.SdsSecretConfig: + if err := convertTypedConfigsToV2(x.SdsConfig); err != nil { + return fmt.Errorf("%T: %w", x, err) + } return nil case *envoy_grpc_stats_v2.FilterConfig: return nil