diff --git a/.changelog/12878.txt b/.changelog/12878.txt
index e740998b9..8d06d3440 100644
--- a/.changelog/12878.txt
+++ b/.changelog/12878.txt
@@ -1,3 +1,3 @@
 ```release-note:improvement
-agent: Envoy now inserts x-forwarded-client-cert for incoming proxy connections
-```
\ No newline at end of file
+xds: Envoy now inserts x-forwarded-client-cert for incoming proxy connections
+```
diff --git a/agent/structs/config_entry_mesh.go b/agent/structs/config_entry_mesh.go
index 980b81ca5..868c07a9f 100644
--- a/agent/structs/config_entry_mesh.go
+++ b/agent/structs/config_entry_mesh.go
@@ -44,6 +44,10 @@ type MeshDirectionalTLSConfig struct {
 	CipherSuites []types.TLSCipherSuite `json:",omitempty" alias:"cipher_suites"`
 }
 
+type MeshHTTPConfig struct {
+	SanitizeXForwardedClientCert bool `alias:"sanitize_x_forwarded_client_cert"`
+}
+
 func (e *MeshConfigEntry) GetKind() string {
 	return MeshConfig
 }
diff --git a/website/content/docs/connect/config-entries/mesh.mdx b/website/content/docs/connect/config-entries/mesh.mdx
index 2cbfe3f58..a9da7a1ad 100644
--- a/website/content/docs/connect/config-entries/mesh.mdx
+++ b/website/content/docs/connect/config-entries/mesh.mdx
@@ -368,8 +368,9 @@ Note that the Kubernetes example does not include a `partition` field. Configura
             name: 'SanitizeXForwardedClientCert',
             yaml: false,
             type: 'bool: ',
-            description: `Set the envoy forwardClientCertDetails to SANITIZE everywhere. Ordinarily Consul will configure Envoy to
-            insert x-forwarded-client-cert headers where appropriate. This returns Consul to the pre 1.12.1 behavior`,
+            description: `Set the envoy \`forward_client_cert_details\` option to \`SANITIZE\` for all proxies. This
+            configures Envoy to not send the \`x-forwarded-client-cert\` header to the next hop. If
+            unspecified or \`false\`, the XFCC header is propagated to upstream applications.`,
             },
         ],
     },
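Review bot: The new exported type `MeshHTTPConfig` and its field `SanitizeXForwardedClientCert` in the config_entry_mesh.go hunk have no doc comment, although this is a security-relevant toggle that decides whether the caller's certificate identity (the x-forwarded-client-cert header) reaches the application; the accompanying mesh.mdx hunk spells out the contract, so the Go side should carry it too: `// MeshHTTPConfig holds mesh-wide HTTP settings applied to every proxy.` on the type, and `// SanitizeXForwardedClientCert, when true, sets Envoy's forward_client_cert_details to SANITIZE so the x-forwarded-client-cert header is stripped rather than forwarded to the next hop.` on the field. The sibling field `CipherSuites` in the same hunk carries `json:",omitempty"`; the new field has only an `alias` tag, so confirm that omitting the JSON tag is deliberate (for a bool, `omitempty` would drop a `false` value, which may be why it was left off) and not an oversight. Nothing in this hunk attaches `MeshHTTPConfig` to `MeshConfigEntry`, so if that wiring lives in another file it is outside this view; worth confirming it exists, since the docs describe the field as part of the mesh config entry. One caveat worth stating in the docs or a comment: because applications may use XFCC for authorization, whatever non-SANITIZE mode the xds layer emits when this is false should replace a client-supplied header (Envoy's SANITIZE_SET) rather than append to or forward it, otherwise a peer could inject spoofed entries; that code is not in this diff, so this is an assumption to verify rather than a defect observed here.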