From a500262a77fec48b078f9c86a76e3ffb97a7d585 Mon Sep 17 00:00:00 2001
From: Chris Piraino
Date: Thu, 7 May 2020 17:04:06 -0500
Subject: [PATCH] Compute all valid DNSSANs for ingress gateways

For DNSSANs we take into account the following and compute the appropriate wildcard values:
- source datacenter
- namespaces
- alt domains
---
 agent/proxycfg/state.go      | 46 ++++++++++++++++++++++++++++--------
 agent/proxycfg/state_test.go |  2 ++
 2 files changed, 38 insertions(+), 10 deletions(-)

diff --git a/agent/proxycfg/state.go b/agent/proxycfg/state.go
index 5119c01d1..bf2617322 100644
--- a/agent/proxycfg/state.go
+++ b/agent/proxycfg/state.go
@@ -1429,20 +1429,46 @@ func (s *state) watchIngressDiscoveryChain(snap *ConfigSnapshot, u structs.Upstr
 	return nil
 }
 
-func (s *state) watchIngressLeafCert(snap *ConfigSnapshot) error {
-	if !snap.IngressGateway.TLSSet || !snap.IngressGateway.HostsSet {
+func (s *state) generateIngressDNSSANs(snap *ConfigSnapshot) []string {
+	// Update our leaf cert watch with wildcard entries for our DNS domains as well as any
+	// configured custom hostnames from the service.
+	if !snap.IngressGateway.TLSEnabled {
 		return nil
 	}
 
-	// Update our leaf cert watch with wildcard entries for our DNS domains as well as any
-	// configured custom hostnames from the service.
 	var dnsNames []string
-	if snap.IngressGateway.TLSEnabled {
-		dnsNames = append(dnsNames, fmt.Sprintf("*.ingress.%s", s.dnsConfig.Domain))
-		if s.dnsConfig.AltDomain != "" {
-			dnsNames = append(dnsNames, fmt.Sprintf("*.ingress.%s", s.dnsConfig.AltDomain))
+	namespaces := make(map[string]struct{})
+	for _, upstreams := range snap.IngressGateway.Upstreams {
+		for _, u := range upstreams {
+			namespaces[u.DestinationNamespace] = struct{}{}
 		}
-		dnsNames = append(dnsNames, snap.IngressGateway.Hosts...)
+	}
+
+	for ns := range namespaces {
+		// The default namespace is special cased in DNS resolution, so special
+		// case it here.
+		if ns == structs.IntentionDefaultNamespace {
+			ns = ""
+		} else {
+			ns = ns + "."
+		}
+
+		dnsNames = append(dnsNames, fmt.Sprintf("*.ingress.%s%s", ns, s.dnsConfig.Domain))
+		dnsNames = append(dnsNames, fmt.Sprintf("*.ingress.%s%s.%s", ns, s.source.Datacenter, s.dnsConfig.Domain))
+		if s.dnsConfig.AltDomain != "" {
+			dnsNames = append(dnsNames, fmt.Sprintf("*.ingress.%s%s", ns, s.dnsConfig.AltDomain))
+			dnsNames = append(dnsNames, fmt.Sprintf("*.ingress.%s%s.%s", ns, s.source.Datacenter, s.dnsConfig.AltDomain))
+		}
+	}
+
+	dnsNames = append(dnsNames, snap.IngressGateway.Hosts...)
+
+	return dnsNames
+}
+
+func (s *state) watchIngressLeafCert(snap *ConfigSnapshot) error {
+	if !snap.IngressGateway.TLSSet || !snap.IngressGateway.HostsSet {
+		return nil
 	}
 
 	// Watch the leaf cert
@@ -1454,7 +1480,7 @@ func (s *state) watchIngressLeafCert(snap *ConfigSnapshot) error {
 		Datacenter: s.source.Datacenter,
 		Token: s.token,
 		Service: s.service,
-		DNSSAN: dnsNames,
+		DNSSAN: s.generateIngressDNSSANs(snap),
 		EnterpriseMeta: s.proxyID.EnterpriseMeta,
 	}, leafWatchID, s.ch)
 	if err != nil {
diff --git a/agent/proxycfg/state_test.go b/agent/proxycfg/state_test.go
index 0fd19c129..05e471e10 100644
--- a/agent/proxycfg/state_test.go
+++ b/agent/proxycfg/state_test.go
@@ -929,7 +929,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 				leafWatchID: genVerifyLeafWatchWithDNSSANs("ingress-gateway", "dc1", []string{
 					"test.example.com",
 					"*.ingress.consul.",
+					"*.ingress.dc1.consul.",
 					"*.ingress.alt.consul.",
+					"*.ingress.dc1.alt.consul.",
 				}),
 			},
 			events: []cache.UpdateEvent{
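Review bot: In generateIngressDNSSANs the `else` branch turns an empty `u.DestinationNamespace` into `*.ingress..<domain>` (an empty DNS label), because only `structs.IntentionDefaultNamespace` is mapped to the empty prefix and nothing in the hunk shows upstream namespaces being normalized before they reach the snapshot; the guard should cover both, `if ns == "" || ns == structs.IntentionDefaultNamespace {`. A malformed SAN in the CSR is at best rejected by the CA and at worst issued as-is, and neither outcome is easy to diagnose from the proxy side. Separately, `namespaces` is a map, so the order of the returned SAN list varies between calls whenever more than one namespace is present; if the leaf-cert cache key or a test helper compares the slice positionally this causes spurious re-issuance or flaky tests, so collect the keys into a slice and `sort.Strings` them before the loop (needs the `sort` import). The `*.ingress.<ns>.<dc>.<domain>` wildcards are emitted for every namespace that has an upstream, which widens the set of names one leaf certificate is valid for, and that deserves a sentence in the function comment stating it is intentional. The body of watchIngressLeafCert continues past the end of this hunk.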
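Review bot: The expected SAN list only covers the default namespace in datacenter `dc1`, so the new `*.ingress.<ns>.<dc>.<domain>` shape for a non-default namespace is not pinned by this test; add a case whose upstream has a non-default DestinationNamespace and expect e.g. `"*.ingress.foo.dc1.consul."` alongside the existing entries. Because the producing code ranges over a map, the order of this expected slice is only stable because exactly one namespace is present; if `genVerifyLeafWatchWithDNSSANs` (defined outside this hunk) compares positionally, a multi-namespace case will need either an order-insensitive comparison or a sorted producer. The enclosing TestState_WatchesAndUpdates table entry starts and ends outside this hunk.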