Compute all valid DNSSANs for ingress gateways

When computing the DNSSANs we take the following into account and derive the
appropriate wildcard values:
- source datacenter
- namespaces
- alt domains
This commit is contained in:
Chris Piraino 2020-05-07 17:04:06 -05:00 committed by Kyle Havlovitz
parent 964e55e45e
commit a500262a77
2 changed files with 38 additions and 10 deletions


@ -1429,20 +1429,46 @@ func (s *state) watchIngressDiscoveryChain(snap *ConfigSnapshot, u structs.Upstr
return nil return nil
} }
func (s *state) watchIngressLeafCert(snap *ConfigSnapshot) error { func (s *state) generateIngressDNSSANs(snap *ConfigSnapshot) []string {
if !snap.IngressGateway.TLSSet || !snap.IngressGateway.HostsSet { // Update our leaf cert watch with wildcard entries for our DNS domains as well as any
// configured custom hostnames from the service.
if !snap.IngressGateway.TLSEnabled {
return nil return nil
} }
// Update our leaf cert watch with wildcard entries for our DNS domains as well as any
// configured custom hostnames from the service.
var dnsNames []string var dnsNames []string
if snap.IngressGateway.TLSEnabled { namespaces := make(map[string]struct{})
dnsNames = append(dnsNames, fmt.Sprintf("*.ingress.%s", s.dnsConfig.Domain)) for _, upstreams := range snap.IngressGateway.Upstreams {
if s.dnsConfig.AltDomain != "" { for _, u := range upstreams {
dnsNames = append(dnsNames, fmt.Sprintf("*.ingress.%s", s.dnsConfig.AltDomain)) namespaces[u.DestinationNamespace] = struct{}{}
} }
}
for ns := range namespaces {
// The default namespace is special cased in DNS resolution, so special
// case it here.
if ns == structs.IntentionDefaultNamespace {
ns = ""
} else {
ns = ns + "."
}
dnsNames = append(dnsNames, fmt.Sprintf("*.ingress.%s%s", ns, s.dnsConfig.Domain))
dnsNames = append(dnsNames, fmt.Sprintf("*.ingress.%s%s.%s", ns, s.source.Datacenter, s.dnsConfig.Domain))
if s.dnsConfig.AltDomain != "" {
dnsNames = append(dnsNames, fmt.Sprintf("*.ingress.%s%s", ns, s.dnsConfig.AltDomain))
dnsNames = append(dnsNames, fmt.Sprintf("*.ingress.%s%s.%s", ns, s.source.Datacenter, s.dnsConfig.AltDomain))
}
}
dnsNames = append(dnsNames, snap.IngressGateway.Hosts...) dnsNames = append(dnsNames, snap.IngressGateway.Hosts...)
return dnsNames
}
func (s *state) watchIngressLeafCert(snap *ConfigSnapshot) error {
if !snap.IngressGateway.TLSSet || !snap.IngressGateway.HostsSet {
return nil
} }
// Watch the leaf cert // Watch the leaf cert
@ -1454,7 +1480,7 @@ func (s *state) watchIngressLeafCert(snap *ConfigSnapshot) error {
Datacenter: s.source.Datacenter, Datacenter: s.source.Datacenter,
Token: s.token, Token: s.token,
Service: s.service, Service: s.service,
DNSSAN: dnsNames, DNSSAN: s.generateIngressDNSSANs(snap),
EnterpriseMeta: s.proxyID.EnterpriseMeta, EnterpriseMeta: s.proxyID.EnterpriseMeta,
}, leafWatchID, s.ch) }, leafWatchID, s.ch)
if err != nil { if err != nil {
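Review bot: The early `if !snap.IngressGateway.TLSEnabled { return nil }` at the top of generateIngressDNSSANs drops `snap.IngressGateway.Hosts` from the SAN list, whereas the removed code appended the custom hostnames regardless of TLSEnabled; if that is intentional add a comment saying so, otherwise append Hosts before the early return. The names are then built by ranging over the `namespaces` map, so the order of the returned slice varies between calls; if the leaf watch request is keyed on the DNSSAN slice that order could be unstable, so collect the keys into a slice and `sort.Strings` them before the loop (this needs `sort` imported if it is not already). Note also that with no upstreams configured the function emits no `*.ingress.<domain>` wildcard at all, unlike the previous code which always did — confirm that is acceptable. watchIngressLeafCert continues past the end of this hunk.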


@ -929,7 +929,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
leafWatchID: genVerifyLeafWatchWithDNSSANs("ingress-gateway", "dc1", []string{ leafWatchID: genVerifyLeafWatchWithDNSSANs("ingress-gateway", "dc1", []string{
"test.example.com", "test.example.com",
"*.ingress.consul.", "*.ingress.consul.",
"*.ingress.dc1.consul.",
"*.ingress.alt.consul.", "*.ingress.alt.consul.",
"*.ingress.dc1.alt.consul.",
}), }),
}, },
events: []cache.UpdateEvent{ events: []cache.UpdateEvent{
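Review bot: The updated expectation only covers the default namespace (the `ns = ""` branch), so the `ns + "."` path that produces `*.ingress.<ns>.<domain>` and `*.ingress.<ns>.<dc>.<domain>` is never exercised; consider an upstream with a non-default DestinationNamespace in a follow-up case if the test harness supports it. If genVerifyLeafWatchWithDNSSANs compares the list positionally, a multi-namespace case would also surface the map-iteration ordering in generateIngressDNSSANs, which is worth knowing before such a case is added.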