From eb2b40b22d90b531372ecd4f9cc22e7435630bac Mon Sep 17 00:00:00 2001 From: Freddy Date: Tue, 9 Nov 2021 14:43:51 -0700 Subject: [PATCH] Update filter chain creation for sidecar/ingress listeners (#11245) The duo of `makeUpstreamFilterChainForDiscoveryChain` and `makeListenerForDiscoveryChain` were really hard to reason about, and led to concealing a bug in their branching logic. There were several issues here: - They tried to accomplish too much: determining filter name, cluster name, and whether RDS should be used. - They embedded logic to handle significantly different kinds of upstream listeners (passthrough, prepared query, typical services, and catch-all) - They needed to coalesce different data sources (Upstream and CompiledDiscoveryChain) Rather than handling all of those tasks inside of these functions, this PR pulls out the RDS/clusterName/filterName logic. This refactor also fixed a bug with the handling of [UpstreamDefaults](https://www.consul.io/docs/connect/config-entries/service-defaults#defaults). These defaults get stored as UpstreamConfig in the proxy snapshot with a DestinationName of "*", since they apply to all upstreams. However, this wildcard destination name must not be used when creating the name of the associated upstream cluster. The coalescing logic in the original functions here was in some situations creating clusters with a `*.` prefix, which is not a valid destination. --- .changelog/11245.txt | 3 + agent/proxycfg/state.go | 3 +- agent/proxycfg/state_test.go | 1 + agent/xds/listeners.go | 333 +++++------------- agent/xds/listeners_ingress.go | 47 ++- agent/xds/listeners_test.go | 43 ++- ...roxy-upstream-defaults.envoy-1-20-x.golden | 119 +++++++ ...istener-listener-level.envoy-1-20-x.golden | 6 +- 8 files changed, 289 insertions(+), 266 deletions(-) create mode 100644 .changelog/11245.txt create mode 100644 agent/xds/testdata/listeners/connect-proxy-upstream-defaults.envoy-1-20-x.golden diff --git a/.changelog/11245.txt b/.changelog/11245.txt new file mode 100644 index 000000000..aacdb1def --- /dev/null +++ b/.changelog/11245.txt @@ -0,0 +1,3 @@ +```release-note:bug +connect: fix issue with attempting to generate an invalid upstream cluster from UpstreamConfig.Defaults. +``` \ No newline at end of file diff --git a/agent/proxycfg/state.go b/agent/proxycfg/state.go index cd3000353..237279b99 100644 --- a/agent/proxycfg/state.go +++ b/agent/proxycfg/state.go @@ -114,11 +114,12 @@ func copyProxyConfig(ns *structs.NodeService) (structs.ConnectProxyConfig, error for idx := range proxyCfg.Upstreams { us := &proxyCfg.Upstreams[idx] if us.DestinationType != structs.UpstreamDestTypePreparedQuery && us.DestinationNamespace == "" { - // default the upstreams target namespace to the namespace of the proxy + // default the upstreams target namespace and partition to those of the proxy // doing this here prevents needing much more complex logic a bunch of other // places and makes tracking these upstreams simpler as we can dedup them // with the maps tracking upstream ids being watched. proxyCfg.Upstreams[idx].DestinationNamespace = ns.EnterpriseMeta.NamespaceOrDefault() + proxyCfg.Upstreams[idx].DestinationPartition = ns.EnterpriseMeta.PartitionOrDefault() } } diff --git a/agent/proxycfg/state_test.go b/agent/proxycfg/state_test.go index b4d1fc202..b172fdee8 100644 --- a/agent/proxycfg/state_test.go +++ b/agent/proxycfg/state_test.go @@ -1686,6 +1686,7 @@ func TestState_WatchesAndUpdates(t *testing.T) { db.String(): { DestinationName: "db", DestinationNamespace: structs.IntentionDefaultNamespace, + DestinationPartition: structs.IntentionDefaultNamespace, }, } require.Equal(t, expectUpstreams, snap.ConnectProxy.UpstreamConfig) diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go index 276ea58f7..1b1292d64 100644 --- a/agent/xds/listeners.go +++ b/agent/xds/listeners.go @@ -107,17 +107,31 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. continue } + // RDS, Envoy's Route Discovery Service, is only used for HTTP services with a customized discovery chain. + useRDS := chain.Protocol != "tcp" && !chain.IsDefault() + + var clusterName string + if !useRDS { + // When not using RDS we must generate a cluster name to attach to the filter chain. + // With RDS, cluster names get attached to the dynamic routes instead. + target, err := simpleChainTarget(chain) + if err != nil { + return nil, err + } + clusterName = CustomizeClusterName(target.Name, chain) + } + + filterName := fmt.Sprintf("%s.%s.%s.%s", chain.ServiceName, chain.Namespace, chain.Partition, chain.Datacenter) + // Generate the upstream listeners for when they are explicitly set with a local bind port or socket path - if outboundListener == nil || (upstreamCfg != nil && upstreamCfg.HasLocalPortOrSocket()) { - filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( - id, - "", - cfg.Protocol, - upstreamCfg, - chain, - cfgSnap, - nil, - ) + if upstreamCfg != nil && upstreamCfg.HasLocalPortOrSocket() { + filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{ + routeName: id, + clusterName: clusterName, + filterName: filterName, + protocol: cfg.Protocol, + useRDS: useRDS, + }) if err != nil { return nil, err } @@ -135,15 +149,14 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. // The rest of this loop is used exclusively for transparent proxies. // Below we create a filter chain per upstream, rather than a listener per upstream // as we do for explicit upstreams above. - filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( - id, - "", - cfg.Protocol, - upstreamCfg, - chain, - cfgSnap, - nil, - ) + + filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{ + routeName: id, + clusterName: clusterName, + filterName: filterName, + protocol: cfg.Protocol, + useRDS: useRDS, + }) if err != nil { return nil, err } @@ -188,17 +201,13 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. DestinationPartition: sn.PartitionOrDefault(), } - filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( - "", - "passthrough~"+passthrough.SNI, + filterName := fmt.Sprintf("%s.%s.%s.%s", u.DestinationName, u.DestinationNamespace, u.DestinationPartition, cfgSnap.Datacenter) - // TODO(tproxy) This should use the protocol configured on the upstream's config entry - "tcp", - &u, - nil, - cfgSnap, - nil, - ) + filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{ + clusterName: "passthrough~" + passthrough.SNI, + filterName: filterName, + protocol: "tcp", + }) if err != nil { return nil, err } @@ -219,15 +228,11 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. if cfgSnap.ConnectProxy.MeshConfig == nil || !cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.MeshDestinationsOnly { - filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( - "", - OriginalDestinationClusterName, - "tcp", - nil, - nil, - cfgSnap, - nil, - ) + filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{ + clusterName: OriginalDestinationClusterName, + filterName: OriginalDestinationClusterName, + protocol: "tcp", + }) if err != nil { return nil, err } @@ -268,15 +273,13 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. upstreamListener := makeListener(id, u, envoy_core_v3.TrafficDirection_OUTBOUND) - filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( - id, - "", - cfg.Protocol, - u, - nil, - cfgSnap, - nil, - ) + filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{ + // TODO (SNI partition) add partition for upstream SNI + clusterName: connect.UpstreamSNI(u, "", cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain), + filterName: id, + routeName: id, + protocol: cfg.Protocol, + }) if err != nil { return nil, err } @@ -1212,112 +1215,32 @@ func (s *ResourceGenerator) makeMeshGatewayListener(name, addr string, port int, return l, nil } -func (s *ResourceGenerator) makeUpstreamFilterChainForDiscoveryChain( - id string, - overrideCluster string, - protocol string, - u *structs.Upstream, - chain *structs.CompiledDiscoveryChain, - cfgSnap *proxycfg.ConfigSnapshot, - tlsContext *envoy_tls_v3.DownstreamTlsContext, -) (*envoy_listener_v3.FilterChain, error) { - // TODO (freddy) Make this actually legible - useRDS := true +type filterChainOpts struct { + routeName string + clusterName string + filterName string + protocol string + useRDS bool + tlsContext *envoy_tls_v3.DownstreamTlsContext +} - var ( - clusterName string - destination, datacenter, partition, namespace string - ) - - // TODO (SNI partition) add partition for SNI - if chain != nil { - destination, datacenter, partition, namespace = chain.ServiceName, chain.Datacenter, chain.Partition, chain.Namespace - } - if (chain == nil || chain.IsDefault()) && u != nil { - useRDS = false - - if datacenter == "" { - datacenter = u.Datacenter - } - if datacenter == "" { - datacenter = cfgSnap.Datacenter - } - if destination == "" { - destination = u.DestinationName - } - if partition == "" { - partition = u.DestinationPartition - } - if namespace == "" { - namespace = u.DestinationNamespace - } - - sni := connect.UpstreamSNI(u, "", datacenter, cfgSnap.Roots.TrustDomain) - clusterName = CustomizeClusterName(sni, chain) - - } else { - if protocol == "tcp" && chain != nil { - useRDS = false - - startNode := chain.Nodes[chain.StartNode] - if startNode == nil { - return nil, fmt.Errorf("missing first node in compiled discovery chain for: %s", chain.ServiceName) - } - if startNode.Type != structs.DiscoveryGraphNodeTypeResolver { - return nil, fmt.Errorf("unexpected first node in discovery chain using protocol=%q: %s", protocol, startNode.Type) - } - targetID := startNode.Resolver.Target - target := chain.Targets[targetID] - - clusterName = CustomizeClusterName(target.Name, chain) - } - } - - // Default the namespace to match how SNIs are generated - if namespace == "" { - namespace = structs.IntentionDefaultNamespace - } - - // Default the partition to match how SNIs are generated - if partition == "" { - partition = structs.IntentionDefaultNamespace - } - - filterName := fmt.Sprintf("%s.%s.%s.%s", destination, namespace, partition, datacenter) - if u != nil && u.DestinationType == structs.UpstreamDestTypePreparedQuery { - // Avoid encoding dc and namespace for prepared queries. - // Those are defined in the query itself and are not available here. - filterName = id - } - if overrideCluster != "" { - useRDS = false - clusterName = overrideCluster - - if destination == "" { - filterName = overrideCluster - } - } - - opts := listenerFilterOpts{ - useRDS: useRDS, - protocol: protocol, - filterName: filterName, - routeName: id, - cluster: clusterName, - statPrefix: "upstream.", - routePath: "", - ingressGateway: false, - httpAuthzFilter: nil, - } - filter, err := makeListenerFilter(opts) - if err != nil { - return nil, err - } - transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext) +func (s *ResourceGenerator) makeUpstreamFilterChain(opts filterChainOpts) (*envoy_listener_v3.FilterChain, error) { + filter, err := makeListenerFilter(listenerFilterOpts{ + useRDS: opts.useRDS, + protocol: opts.protocol, + filterName: opts.filterName, + routeName: opts.routeName, + cluster: opts.clusterName, + statPrefix: "upstream.", + }) if err != nil { return nil, err } + transportSocket, err := makeDownstreamTLSTransportSocket(opts.tlsContext) + if err != nil { + return nil, err + } return &envoy_listener_v3.FilterChain{ Filters: []*envoy_listener_v3.Filter{ filter, @@ -1326,111 +1249,19 @@ func (s *ResourceGenerator) makeUpstreamFilterChainForDiscoveryChain( }, nil } -// TODO(freddy) Replace in favor of new function above. Currently in use for ingress gateways. -func (s *ResourceGenerator) makeUpstreamListenerForDiscoveryChain( - u *structs.Upstream, - address string, - chain *structs.CompiledDiscoveryChain, - cfgSnap *proxycfg.ConfigSnapshot, - tlsContext *envoy_tls_v3.DownstreamTlsContext, -) (proto.Message, error) { - - // Best understanding is this only makes sense for port listeners.... - if u.LocalBindSocketPath != "" { - return nil, fmt.Errorf("makeUpstreamListenerForDiscoveryChain not supported for unix domain sockets %s %+v", - address, u) +// simpleChainTarget returns the discovery target for a chain with a single node. +// A chain can have a single target if it is for a TCP service or an HTTP service without +// multiple splits/routes/failovers. +func simpleChainTarget(chain *structs.CompiledDiscoveryChain) (*structs.DiscoveryTarget, error) { + startNode := chain.Nodes[chain.StartNode] + if startNode == nil { + return nil, fmt.Errorf("missing first node in compiled discovery chain for: %s", chain.ServiceName) } - - upstreamID := u.Identifier() - l := makePortListenerWithDefault(upstreamID, address, u.LocalBindPort, envoy_core_v3.TrafficDirection_OUTBOUND) - cfg := s.getAndModifyUpstreamConfigForListener(upstreamID, u, chain) - if cfg.EnvoyListenerJSON != "" { - return makeListenerFromUserConfig(cfg.EnvoyListenerJSON) + if startNode.Type != structs.DiscoveryGraphNodeTypeResolver { + return nil, fmt.Errorf("expected discovery chain with single node, found unexpected start node: %s", startNode.Type) } - - useRDS := true - var ( - clusterName string - destination, datacenter, partition, namespace string - ) - if chain == nil || chain.IsDefault() { - useRDS = false - - dc := u.Datacenter - if dc == "" { - dc = cfgSnap.Datacenter - } - destination, datacenter, partition, namespace = u.DestinationName, dc, u.DestinationPartition, u.DestinationNamespace - - sni := connect.UpstreamSNI(u, "", dc, cfgSnap.Roots.TrustDomain) - clusterName = CustomizeClusterName(sni, chain) - - } else { - destination, datacenter, partition, namespace = chain.ServiceName, chain.Datacenter, chain.Partition, chain.Namespace - - if cfg.Protocol == "tcp" { - useRDS = false - - startNode := chain.Nodes[chain.StartNode] - if startNode == nil { - return nil, fmt.Errorf("missing first node in compiled discovery chain for: %s", chain.ServiceName) - } - if startNode.Type != structs.DiscoveryGraphNodeTypeResolver { - return nil, fmt.Errorf("unexpected first node in discovery chain using protocol=%q: %s", cfg.Protocol, startNode.Type) - } - targetID := startNode.Resolver.Target - target := chain.Targets[targetID] - - clusterName = CustomizeClusterName(target.Name, chain) - } - } - - // Default the namespace to match how SNIs are generated - if namespace == "" { - namespace = structs.IntentionDefaultNamespace - } - - // Default the partition to match how SNIs are generated - if partition == "" { - partition = structs.IntentionDefaultNamespace - } - filterName := fmt.Sprintf("%s.%s.%s.%s", destination, namespace, partition, datacenter) - - if u.DestinationType == structs.UpstreamDestTypePreparedQuery { - // Avoid encoding dc and namespace for prepared queries. - // Those are defined in the query itself and are not available here. - filterName = upstreamID - } - - opts := listenerFilterOpts{ - useRDS: useRDS, - protocol: cfg.Protocol, - filterName: filterName, - routeName: upstreamID, - cluster: clusterName, - statPrefix: "upstream.", - routePath: "", - httpAuthzFilter: nil, - } - filter, err := makeListenerFilter(opts) - if err != nil { - return nil, err - } - - transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext) - if err != nil { - return nil, err - } - - l.FilterChains = []*envoy_listener_v3.FilterChain{ - { - Filters: []*envoy_listener_v3.Filter{ - filter, - }, - TransportSocket: transportSocket, - }, - } - return l, nil + targetID := startNode.Resolver.Target + return chain.Targets[targetID], nil } func (s *ResourceGenerator) getAndModifyUpstreamConfigForListener(id string, u *structs.Upstream, chain *structs.CompiledDiscoveryChain) structs.UpstreamConfig { diff --git a/agent/xds/listeners_ingress.go b/agent/xds/listeners_ingress.go index 5a494fe99..7668bd02e 100644 --- a/agent/xds/listeners_ingress.go +++ b/agent/xds/listeners_ingress.go @@ -2,7 +2,6 @@ package xds import ( "fmt" - envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" envoy_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" @@ -54,19 +53,47 @@ func (s *ResourceGenerator) makeIngressGatewayListeners(address string, cfgSnap id := u.Identifier() chain := cfgSnap.IngressGateway.DiscoveryChain[id] + if chain == nil { + // Wait until a chain is present in the snapshot. + continue + } - var upstreamListener proto.Message - upstreamListener, err := s.makeUpstreamListenerForDiscoveryChain( - &u, - address, - chain, - cfgSnap, - tlsContext, - ) + cfg := s.getAndModifyUpstreamConfigForListener(id, &u, chain) + + // RDS, Envoy's Route Discovery Service, is only used for HTTP services with a customized discovery chain. + // TODO(freddy): Why can the protocol of the listener be overridden here? + useRDS := cfg.Protocol != "tcp" && !chain.IsDefault() + + var clusterName string + if !useRDS { + // When not using RDS we must generate a cluster name to attach to the filter chain. + // With RDS, cluster names get attached to the dynamic routes instead. + target, err := simpleChainTarget(chain) + if err != nil { + return nil, err + } + clusterName = CustomizeClusterName(target.Name, chain) + } + + filterName := fmt.Sprintf("%s.%s.%s.%s", chain.ServiceName, chain.Namespace, chain.Partition, chain.Datacenter) + + l := makePortListenerWithDefault(id, address, u.LocalBindPort, envoy_core_v3.TrafficDirection_OUTBOUND) + filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{ + routeName: id, + useRDS: useRDS, + clusterName: clusterName, + filterName: filterName, + protocol: cfg.Protocol, + tlsContext: tlsContext, + }) if err != nil { return nil, err } - resources = append(resources, upstreamListener) + l.FilterChains = []*envoy_listener_v3.FilterChain{ + filterChain, + } + resources = append(resources, l) + } else { // If multiple upstreams share this port, make a special listener for the protocol. listener := makePortListener(listenerKey.Protocol, address, listenerKey.Port, envoy_core_v3.TrafficDirection_OUTBOUND) diff --git a/agent/xds/listeners_test.go b/agent/xds/listeners_test.go index aa7bf512a..c082d41ea 100644 --- a/agent/xds/listeners_test.go +++ b/agent/xds/listeners_test.go @@ -259,6 +259,23 @@ func TestListenersFromSnapshot(t *testing.T) { create: proxycfg.TestConfigSnapshotDiscoveryChainWithFailoverThroughLocalGateway, setup: nil, }, + { + name: "connect-proxy-upstream-defaults", + create: proxycfg.TestConfigSnapshot, + setup: func(snap *proxycfg.ConfigSnapshot) { + for _, v := range snap.ConnectProxy.UpstreamConfig { + // Prepared queries do not get centrally configured upstream defaults merged into them. + if v.DestinationType == structs.UpstreamDestTypePreparedQuery { + continue + } + // Represent upstream config as if it came from centrally configured upstream defaults. + // The name/namespace must not make it onto the cluster name attached to the outbound listener. + v.CentrallyConfigured = true + v.DestinationNamespace = structs.WildcardSpecifier + v.DestinationName = structs.WildcardSpecifier + } + }, + }, { name: "expose-paths-local-app-paths", create: proxycfg.TestConfigSnapshotExposeConfig, @@ -567,7 +584,7 @@ func TestListenersFromSnapshot(t *testing.T) { snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{ {Protocol: "tcp", Port: 8080}: { { - DestinationName: "foo", + DestinationName: "db", LocalBindPort: 8080, }, }, @@ -640,6 +657,30 @@ func TestListenersFromSnapshot(t *testing.T) { }, }, } + + // Every ingress upstream has an associated discovery chain in the snapshot + secureChain := discoverychain.TestCompileConfigEntries( + t, + "secure", + "default", + "default", + "dc1", + connect.TestClusterID+".consul", + nil, + ) + snap.IngressGateway.DiscoveryChain["secure"] = secureChain + + insecureChain := discoverychain.TestCompileConfigEntries( + t, + "insecure", + "default", + "default", + "dc1", + connect.TestClusterID+".consul", + nil, + ) + snap.IngressGateway.DiscoveryChain["insecure"] = insecureChain + snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{ {Protocol: "tcp", Port: 8080}: { Port: 8080, diff --git a/agent/xds/testdata/listeners/connect-proxy-upstream-defaults.envoy-1-20-x.golden b/agent/xds/testdata/listeners/connect-proxy-upstream-defaults.envoy-1-20-x.golden new file mode 100644 index 000000000..57d50f71c --- /dev/null +++ b/agent/xds/testdata/listeners/connect-proxy-upstream-defaults.envoy-1-20-x.golden @@ -0,0 +1,119 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.db.default.default.dc1", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.prepared_query_geo-cache", + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "public_listener:0.0.0.0:9999", + "address": { + "socketAddress": { + "address": "0.0.0.0", + "portValue": 9999 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": { + + }, + "statPrefix": "connect_authz" + } + }, + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "public_listener", + "cluster": "local_app" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + } + } + } + ], + "trafficDirection": "INBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.envoy-1-20-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.envoy-1-20-x.golden index 8e223cf3e..aabf3d6f9 100644 --- a/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.envoy-1-20-x.golden +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.envoy-1-20-x.golden @@ -3,7 +3,7 @@ "resources": [ { "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", - "name": "foo:1.2.3.4:8080", + "name": "db:1.2.3.4:8080", "address": { "socketAddress": { "address": "1.2.3.4", @@ -17,8 +17,8 @@ "name": "envoy.filters.network.tcp_proxy", "typedConfig": { "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", - "statPrefix": "upstream.foo.default.default.dc1", - "cluster": "foo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + "statPrefix": "upstream.db.default.default.dc1", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" } } ],