xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
This commit is contained in:
parent
a7a8b8d6d9
commit
f2b8bf109c
|
@ -0,0 +1,3 @@
```release-note:feature
xds: use envoy's rbac filter to handle intentions entirely within envoy
```
@ -548,6 +548,16 @@ func (a *Agent) Start(ctx context.Context) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var intentionDefaultAllow bool
|
||||||
|
switch a.config.ACLDefaultPolicy {
|
||||||
|
case "allow":
|
||||||
|
intentionDefaultAllow = true
|
||||||
|
case "deny":
|
||||||
|
intentionDefaultAllow = false
|
||||||
|
default:
|
||||||
|
return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLDefaultPolicy)
|
||||||
|
}
|
||||||
|
|
||||||
// Start the proxy config manager.
|
// Start the proxy config manager.
|
||||||
a.proxyConfig, err = proxycfg.NewManager(proxycfg.ManagerConfig{
|
a.proxyConfig, err = proxycfg.NewManager(proxycfg.ManagerConfig{
|
||||||
Cache: a.cache,
|
Cache: a.cache,
|
||||||
|
@ -563,6 +573,7 @@ func (a *Agent) Start(ctx context.Context) error {
|
||||||
AltDomain: a.config.DNSAltDomain,
|
AltDomain: a.config.DNSAltDomain,
|
||||||
},
|
},
|
||||||
TLSConfigurator: a.tlsConfigurator,
|
TLSConfigurator: a.tlsConfigurator,
|
||||||
|
IntentionDefaultAllow: intentionDefaultAllow,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -655,7 +666,6 @@ func (a *Agent) listenAndServeGRPC() error {
|
||||||
xdsServer := &xds.Server{
|
xdsServer := &xds.Server{
|
||||||
Logger: a.logger,
|
Logger: a.logger,
|
||||||
CfgMgr: a.proxyConfig,
|
CfgMgr: a.proxyConfig,
|
||||||
Authz: a,
|
|
||||||
ResolveToken: a.resolveToken,
|
ResolveToken: a.resolveToken,
|
||||||
CheckFetcher: a,
|
CheckFetcher: a,
|
||||||
CfgFetcher: a,
|
CfgFetcher: a,
|
||||||
|
|
|
@ -1009,10 +1009,5 @@ func defaultIfEmpty(val, defaultVal string) string {
|
||||||
}
|
}
|
||||||
|
|
||||||
func enableAdvancedRoutingForProtocol(protocol string) bool {
|
func enableAdvancedRoutingForProtocol(protocol string) bool {
|
||||||
switch protocol {
|
return structs.IsProtocolHTTPLike(protocol)
|
||||||
case "http", "http2", "grpc":
|
|
||||||
return true
|
|
||||||
default:
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
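Review bot: The new switch on a.config.ACLDefaultPolicy in Start has no comment saying why the intention default is tied to the ACL default policy, and that link is now load-bearing because the commit moves intention enforcement into Envoy, where the proxy can no longer ask the agent. Suggest a comment above `var intentionDefaultAllow bool`: `// Proxies now enforce intentions themselves, so they need the fallback that applies when no intention matches; it mirrors the ACL default policy.` Returning an error from the default case instead of picking a value is the right call, since an unrecognized policy string would otherwise silently become allow-all or deny-all. The removal of `Authz: a,` from the xds.Server literal in the listenAndServeGRPC hunk follows from the same move, and enableAdvancedRoutingForProtocol is now a one-line wrapper around structs.IsProtocolHTTPLike that could either be inlined at its callers or get a doc comment naming the helper it delegates to.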
@ -70,6 +70,11 @@ type ManagerConfig struct {
|
||||||
// logger is the agent's logger to be used for logging logs.
|
// logger is the agent's logger to be used for logging logs.
|
||||||
Logger hclog.Logger
|
Logger hclog.Logger
|
||||||
TLSConfigurator *tlsutil.Configurator
|
TLSConfigurator *tlsutil.Configurator
|
||||||
|
|
||||||
|
// IntentionDefaultAllow is set by the agent so that we can pass this
|
||||||
|
// information to proxies that need to make intention decisions on their
|
||||||
|
// own.
|
||||||
|
IntentionDefaultAllow bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewManager constructs a manager from the provided agent cache.
|
// NewManager constructs a manager from the provided agent cache.
|
||||||
|
@ -192,6 +197,7 @@ func (m *Manager) ensureProxyServiceLocked(ns *structs.NodeService, token string
|
||||||
state.cache = m.Cache
|
state.cache = m.Cache
|
||||||
state.source = m.Source
|
state.source = m.Source
|
||||||
state.dnsConfig = m.DNSConfig
|
state.dnsConfig = m.DNSConfig
|
||||||
|
state.intentionDefaultAllow = m.IntentionDefaultAllow
|
||||||
if m.TLSConfigurator != nil {
|
if m.TLSConfigurator != nil {
|
||||||
state.serverSNIFn = m.TLSConfigurator.ServerSNI
|
state.serverSNIFn = m.TLSConfigurator.ServerSNI
|
||||||
}
|
}
|
||||||
|
|
|
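Review bot: The doc comment on the new IntentionDefaultAllow field in ManagerConfig says the agent sets it but not what an unset value means; since the zero value is false, any caller that omits it (the positional literal in manager_test, for instance) gets deny-by-default proxies, which is the safe direction but should be stated explicitly. Suggest appending `// The zero value (false) means requests not matched by any intention are denied.` to the field comment. ensureProxyServiceLocked copies the value straight into state alongside the other config fields, which is fine for a plain bool.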
@ -221,6 +221,8 @@ func TestManager_BasicLifecycle(t *testing.T) {
|
||||||
},
|
},
|
||||||
PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{},
|
PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{},
|
||||||
WatchedServiceChecks: map[structs.ServiceID][]structs.CheckType{},
|
WatchedServiceChecks: map[structs.ServiceID][]structs.CheckType{},
|
||||||
|
Intentions: TestIntentions().Matches[0],
|
||||||
|
IntentionsSet: true,
|
||||||
},
|
},
|
||||||
Datacenter: "dc1",
|
Datacenter: "dc1",
|
||||||
},
|
},
|
||||||
|
@ -269,6 +271,8 @@ func TestManager_BasicLifecycle(t *testing.T) {
|
||||||
},
|
},
|
||||||
PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{},
|
PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{},
|
||||||
WatchedServiceChecks: map[structs.ServiceID][]structs.CheckType{},
|
WatchedServiceChecks: map[structs.ServiceID][]structs.CheckType{},
|
||||||
|
Intentions: TestIntentions().Matches[0],
|
||||||
|
IntentionsSet: true,
|
||||||
},
|
},
|
||||||
Datacenter: "dc1",
|
Datacenter: "dc1",
|
||||||
},
|
},
|
||||||
|
@ -286,7 +290,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
|
||||||
// Setup initial values
|
// Setup initial values
|
||||||
types.roots.Set(rootsCacheKey, roots)
|
types.roots.Set(rootsCacheKey, roots)
|
||||||
types.leaf.Set(leafCacheKey, leaf)
|
types.leaf.Set(leafCacheKey, leaf)
|
||||||
types.intentions.Set(intentionCacheKey, TestIntentions(t))
|
types.intentions.Set(intentionCacheKey, TestIntentions())
|
||||||
tt.setup(t, types)
|
tt.setup(t, types)
|
||||||
|
|
||||||
expectSnapCopy, err := copystructure.Copy(tt.expectSnap)
|
expectSnapCopy, err := copystructure.Copy(tt.expectSnap)
|
||||||
|
@ -334,7 +338,7 @@ func testManager_BasicLifecycle(
|
||||||
state.TriggerSyncChanges = func() {}
|
state.TriggerSyncChanges = func() {}
|
||||||
|
|
||||||
// Create manager
|
// Create manager
|
||||||
m, err := NewManager(ManagerConfig{c, state, source, DNSConfig{}, logger, nil})
|
m, err := NewManager(ManagerConfig{c, state, source, DNSConfig{}, logger, nil, false})
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
|
|
||||||
// And run it
|
// And run it
|
||||||
|
|
|
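Review bot: The updated NewManager call in testManager_BasicLifecycle still uses a positional ManagerConfig literal, now with a trailing `false`, so the next field added to ManagerConfig either breaks this line or silently shifts a value into the wrong field; keyed fields would make the intent readable, e.g. `..., Logger: logger, IntentionDefaultAllow: false}`. The test also only exercises the false (deny-by-default) value; an allow-by-default variant would pin the other branch that Start now selects from ACLDefaultPolicy. The TestIntentions signature change (dropping the t argument) is applied consistently across the hunks shown.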
@ -42,6 +42,12 @@ type configSnapshotConnectProxy struct {
|
||||||
|
|
||||||
WatchedServiceChecks map[structs.ServiceID][]structs.CheckType // TODO: missing garbage collection
|
WatchedServiceChecks map[structs.ServiceID][]structs.CheckType // TODO: missing garbage collection
|
||||||
PreparedQueryEndpoints map[string]structs.CheckServiceNodes // DEPRECATED:see:WatchedUpstreamEndpoints
|
PreparedQueryEndpoints map[string]structs.CheckServiceNodes // DEPRECATED:see:WatchedUpstreamEndpoints
|
||||||
|
|
||||||
|
// NOTE: Intentions stores a list of lists as returned by the Intentions
|
||||||
|
// Match RPC. So far we only use the first list as the list of matching
|
||||||
|
// intentions.
|
||||||
|
Intentions structs.Intentions
|
||||||
|
IntentionsSet bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *configSnapshotConnectProxy) IsEmpty() bool {
|
func (c *configSnapshotConnectProxy) IsEmpty() bool {
|
||||||
|
@ -49,6 +55,7 @@ func (c *configSnapshotConnectProxy) IsEmpty() bool {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
return c.Leaf == nil &&
|
return c.Leaf == nil &&
|
||||||
|
!c.IntentionsSet &&
|
||||||
len(c.DiscoveryChain) == 0 &&
|
len(c.DiscoveryChain) == 0 &&
|
||||||
len(c.WatchedUpstreams) == 0 &&
|
len(c.WatchedUpstreams) == 0 &&
|
||||||
len(c.WatchedUpstreamEndpoints) == 0 &&
|
len(c.WatchedUpstreamEndpoints) == 0 &&
|
||||||
|
@ -71,6 +78,14 @@ type configSnapshotTerminatingGateway struct {
|
||||||
// are no longer linked to the gateway.
|
// are no longer linked to the gateway.
|
||||||
WatchedIntentions map[structs.ServiceName]context.CancelFunc
|
WatchedIntentions map[structs.ServiceName]context.CancelFunc
|
||||||
|
|
||||||
|
// NOTE: Intentions stores a map of list of lists as returned by the Intentions
|
||||||
|
// Match RPC. So far we only use the first list as the list of matching
|
||||||
|
// intentions.
|
||||||
|
//
|
||||||
|
// A key being present implies that we have gotten at least one watch reply for the
|
||||||
|
// service. This is logically the same as ConnectProxy.IntentionsSet==true
|
||||||
|
Intentions map[structs.ServiceName]structs.Intentions
|
||||||
|
|
||||||
// WatchedLeaves is a map of ServiceName to a cancel function.
|
// WatchedLeaves is a map of ServiceName to a cancel function.
|
||||||
// This cancel function is tied to the watch of leaf certs for linked services.
|
// This cancel function is tied to the watch of leaf certs for linked services.
|
||||||
// As with WatchedServices, leaf watches will be cancelled when services
|
// As with WatchedServices, leaf watches will be cancelled when services
|
||||||
|
@ -82,6 +97,16 @@ type configSnapshotTerminatingGateway struct {
|
||||||
// on the service that the caller is trying to reach.
|
// on the service that the caller is trying to reach.
|
||||||
ServiceLeaves map[structs.ServiceName]*structs.IssuedCert
|
ServiceLeaves map[structs.ServiceName]*structs.IssuedCert
|
||||||
|
|
||||||
|
// WatchedConfigs is a map of ServiceName to a cancel function. This cancel
|
||||||
|
// function is tied to the watch of service configs for linked services. As
|
||||||
|
// with WatchedServices, service config watches will be cancelled when
|
||||||
|
// services are no longer linked to the gateway.
|
||||||
|
WatchedConfigs map[structs.ServiceName]context.CancelFunc
|
||||||
|
|
||||||
|
// ServiceConfigs is a map of service name to the resolved service config
|
||||||
|
// for that service.
|
||||||
|
ServiceConfigs map[structs.ServiceName]*structs.ServiceConfigResponse
|
||||||
|
|
||||||
// WatchedResolvers is a map of ServiceName to a cancel function.
|
// WatchedResolvers is a map of ServiceName to a cancel function.
|
||||||
// This cancel function is tied to the watch of resolvers for linked services.
|
// This cancel function is tied to the watch of resolvers for linked services.
|
||||||
// As with WatchedServices, resolver watches will be cancelled when services
|
// As with WatchedServices, resolver watches will be cancelled when services
|
||||||
|
@ -91,6 +116,7 @@ type configSnapshotTerminatingGateway struct {
|
||||||
// ServiceResolvers is a map of service name to an associated
|
// ServiceResolvers is a map of service name to an associated
|
||||||
// service-resolver config entry for that service.
|
// service-resolver config entry for that service.
|
||||||
ServiceResolvers map[structs.ServiceName]*structs.ServiceResolverConfigEntry
|
ServiceResolvers map[structs.ServiceName]*structs.ServiceResolverConfigEntry
|
||||||
|
ServiceResolversSet map[structs.ServiceName]bool
|
||||||
|
|
||||||
// ServiceGroups is a map of service name to the service instances of that
|
// ServiceGroups is a map of service name to the service instances of that
|
||||||
// service in the local datacenter.
|
// service in the local datacenter.
|
||||||
|
@ -106,6 +132,38 @@ type configSnapshotTerminatingGateway struct {
|
||||||
HostnameServices map[structs.ServiceName]structs.CheckServiceNodes
|
HostnameServices map[structs.ServiceName]structs.CheckServiceNodes
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ValidServices returns the list of service keys that have enough data to be emitted.
|
||||||
|
func (c *configSnapshotTerminatingGateway) ValidServices() []structs.ServiceName {
|
||||||
|
out := make([]structs.ServiceName, 0, len(c.ServiceGroups))
|
||||||
|
for svc := range c.ServiceGroups {
|
||||||
|
// It only counts if ALL of our watches have come back (with data or not).
|
||||||
|
|
||||||
|
// Skip the service if we don't know if there is a resolver or not.
|
||||||
|
if _, ok := c.ServiceResolversSet[svc]; !ok {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// Skip the service if we don't have a cert to present for mTLS.
|
||||||
|
if cert, ok := c.ServiceLeaves[svc]; !ok || cert == nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// Skip the service if we haven't gotten our intentions yet.
|
||||||
|
if _, intentionsSet := c.Intentions[svc]; !intentionsSet {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// Skip the service if we haven't gotten our service config yet to know
|
||||||
|
// the protocol.
|
||||||
|
if _, ok := c.ServiceConfigs[svc]; !ok {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
out = append(out, svc)
|
||||||
|
}
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
func (c *configSnapshotTerminatingGateway) IsEmpty() bool {
|
func (c *configSnapshotTerminatingGateway) IsEmpty() bool {
|
||||||
if c == nil {
|
if c == nil {
|
||||||
return true
|
return true
|
||||||
|
@ -113,10 +171,14 @@ func (c *configSnapshotTerminatingGateway) IsEmpty() bool {
|
||||||
return len(c.ServiceLeaves) == 0 &&
|
return len(c.ServiceLeaves) == 0 &&
|
||||||
len(c.WatchedLeaves) == 0 &&
|
len(c.WatchedLeaves) == 0 &&
|
||||||
len(c.WatchedIntentions) == 0 &&
|
len(c.WatchedIntentions) == 0 &&
|
||||||
|
len(c.Intentions) == 0 &&
|
||||||
len(c.ServiceGroups) == 0 &&
|
len(c.ServiceGroups) == 0 &&
|
||||||
len(c.WatchedServices) == 0 &&
|
len(c.WatchedServices) == 0 &&
|
||||||
len(c.ServiceResolvers) == 0 &&
|
len(c.ServiceResolvers) == 0 &&
|
||||||
|
len(c.ServiceResolversSet) == 0 &&
|
||||||
len(c.WatchedResolvers) == 0 &&
|
len(c.WatchedResolvers) == 0 &&
|
||||||
|
len(c.ServiceConfigs) == 0 &&
|
||||||
|
len(c.WatchedConfigs) == 0 &&
|
||||||
len(c.GatewayServices) == 0 &&
|
len(c.GatewayServices) == 0 &&
|
||||||
len(c.HostnameServices) == 0
|
len(c.HostnameServices) == 0
|
||||||
}
|
}
|
||||||
|
@ -261,6 +323,7 @@ type ConfigSnapshot struct {
|
||||||
TaggedAddresses map[string]structs.ServiceAddress
|
TaggedAddresses map[string]structs.ServiceAddress
|
||||||
Proxy structs.ConnectProxyConfig
|
Proxy structs.ConnectProxyConfig
|
||||||
Datacenter string
|
Datacenter string
|
||||||
|
IntentionDefaultAllow bool
|
||||||
|
|
||||||
ServerSNIFn ServerSNIFunc
|
ServerSNIFn ServerSNIFunc
|
||||||
Roots *structs.IndexedCARoots
|
Roots *structs.IndexedCARoots
|
||||||
|
@ -276,24 +339,28 @@ type ConfigSnapshot struct {
|
||||||
|
|
||||||
// ingress-gateway specific
|
// ingress-gateway specific
|
||||||
IngressGateway configSnapshotIngressGateway
|
IngressGateway configSnapshotIngressGateway
|
||||||
|
|
||||||
// Skip intentions for now as we don't push those down yet, just pre-warm them.
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Valid returns whether or not the snapshot has all required fields filled yet.
|
// Valid returns whether or not the snapshot has all required fields filled yet.
|
||||||
func (s *ConfigSnapshot) Valid() bool {
|
func (s *ConfigSnapshot) Valid() bool {
|
||||||
switch s.Kind {
|
switch s.Kind {
|
||||||
case structs.ServiceKindConnectProxy:
|
case structs.ServiceKindConnectProxy:
|
||||||
return s.Roots != nil && s.ConnectProxy.Leaf != nil
|
return s.Roots != nil &&
|
||||||
|
s.ConnectProxy.Leaf != nil &&
|
||||||
|
s.ConnectProxy.IntentionsSet
|
||||||
|
|
||||||
case structs.ServiceKindTerminatingGateway:
|
case structs.ServiceKindTerminatingGateway:
|
||||||
return s.Roots != nil
|
return s.Roots != nil
|
||||||
|
|
||||||
case structs.ServiceKindMeshGateway:
|
case structs.ServiceKindMeshGateway:
|
||||||
if s.ServiceMeta[structs.MetaWANFederationKey] == "1" {
|
if s.ServiceMeta[structs.MetaWANFederationKey] == "1" {
|
||||||
if len(s.MeshGateway.ConsulServers) == 0 {
|
if len(s.MeshGateway.ConsulServers) == 0 {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return s.Roots != nil && (s.MeshGateway.WatchedServicesSet || len(s.MeshGateway.ServiceGroups) > 0)
|
return s.Roots != nil &&
|
||||||
|
(s.MeshGateway.WatchedServicesSet || len(s.MeshGateway.ServiceGroups) > 0)
|
||||||
|
|
||||||
case structs.ServiceKindIngressGateway:
|
case structs.ServiceKindIngressGateway:
|
||||||
return s.Roots != nil &&
|
return s.Roots != nil &&
|
||||||
s.IngressGateway.Leaf != nil &&
|
s.IngressGateway.Leaf != nil &&
|
||||||
|
@ -323,6 +390,8 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) {
|
||||||
snap.TerminatingGateway.WatchedServices = nil
|
snap.TerminatingGateway.WatchedServices = nil
|
||||||
snap.TerminatingGateway.WatchedIntentions = nil
|
snap.TerminatingGateway.WatchedIntentions = nil
|
||||||
snap.TerminatingGateway.WatchedLeaves = nil
|
snap.TerminatingGateway.WatchedLeaves = nil
|
||||||
|
snap.TerminatingGateway.WatchedConfigs = nil
|
||||||
|
snap.TerminatingGateway.WatchedResolvers = nil
|
||||||
case structs.ServiceKindMeshGateway:
|
case structs.ServiceKindMeshGateway:
|
||||||
snap.MeshGateway.WatchedDatacenters = nil
|
snap.MeshGateway.WatchedDatacenters = nil
|
||||||
snap.MeshGateway.WatchedServices = nil
|
snap.MeshGateway.WatchedServices = nil
|
||||||
|
|
|
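Review bot: ValidServices tests ServiceResolversSet by key presence (`if _, ok := c.ServiceResolversSet[svc]; !ok`) while the field is declared `map[structs.ServiceName]bool`, so a stored false would still count as "set"; declaring it `map[structs.ServiceName]struct{}` or testing the value would make the type match its use. The new ServiceResolversSet field also lacks a doc comment although the neighbouring ServiceResolvers field has one; suggest `// ServiceResolversSet records the services whose service-resolver watch has replied at least once, even when no resolver entry exists.` The presence-only check on Intentions two lines below is fine because that map's value is the match list itself, and skipping a service until every watch has replied keeps the gateway from being emitted without its intentions.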
@ -37,6 +37,7 @@ const (
|
||||||
gatewayConfigWatchID = "gateway-config"
|
gatewayConfigWatchID = "gateway-config"
|
||||||
externalServiceIDPrefix = "external-service:"
|
externalServiceIDPrefix = "external-service:"
|
||||||
serviceLeafIDPrefix = "service-leaf:"
|
serviceLeafIDPrefix = "service-leaf:"
|
||||||
|
serviceConfigIDPrefix = "service-config:"
|
||||||
serviceResolverIDPrefix = "service-resolver:"
|
serviceResolverIDPrefix = "service-resolver:"
|
||||||
serviceIntentionsIDPrefix = "service-intentions:"
|
serviceIntentionsIDPrefix = "service-intentions:"
|
||||||
svcChecksWatchIDPrefix = cachetype.ServiceHTTPChecksName + ":"
|
svcChecksWatchIDPrefix = cachetype.ServiceHTTPChecksName + ":"
|
||||||
|
@ -55,6 +56,7 @@ type state struct {
|
||||||
cache CacheNotifier
|
cache CacheNotifier
|
||||||
dnsConfig DNSConfig
|
dnsConfig DNSConfig
|
||||||
serverSNIFn ServerSNIFunc
|
serverSNIFn ServerSNIFunc
|
||||||
|
intentionDefaultAllow bool
|
||||||
|
|
||||||
// ctx and cancel store the context created during initWatches call
|
// ctx and cancel store the context created during initWatches call
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
|
@ -533,6 +535,7 @@ func (s *state) initialConfigSnapshot() ConfigSnapshot {
|
||||||
Proxy: s.proxyCfg,
|
Proxy: s.proxyCfg,
|
||||||
Datacenter: s.source.Datacenter,
|
Datacenter: s.source.Datacenter,
|
||||||
ServerSNIFn: s.serverSNIFn,
|
ServerSNIFn: s.serverSNIFn,
|
||||||
|
IntentionDefaultAllow: s.intentionDefaultAllow,
|
||||||
}
|
}
|
||||||
|
|
||||||
switch s.kind {
|
switch s.kind {
|
||||||
|
@ -546,12 +549,16 @@ func (s *state) initialConfigSnapshot() ConfigSnapshot {
|
||||||
snap.ConnectProxy.PreparedQueryEndpoints = make(map[string]structs.CheckServiceNodes)
|
snap.ConnectProxy.PreparedQueryEndpoints = make(map[string]structs.CheckServiceNodes)
|
||||||
case structs.ServiceKindTerminatingGateway:
|
case structs.ServiceKindTerminatingGateway:
|
||||||
snap.TerminatingGateway.WatchedServices = make(map[structs.ServiceName]context.CancelFunc)
|
snap.TerminatingGateway.WatchedServices = make(map[structs.ServiceName]context.CancelFunc)
|
||||||
snap.TerminatingGateway.WatchedLeaves = make(map[structs.ServiceName]context.CancelFunc)
|
|
||||||
snap.TerminatingGateway.WatchedIntentions = make(map[structs.ServiceName]context.CancelFunc)
|
snap.TerminatingGateway.WatchedIntentions = make(map[structs.ServiceName]context.CancelFunc)
|
||||||
snap.TerminatingGateway.WatchedResolvers = make(map[structs.ServiceName]context.CancelFunc)
|
snap.TerminatingGateway.Intentions = make(map[structs.ServiceName]structs.Intentions)
|
||||||
|
snap.TerminatingGateway.WatchedLeaves = make(map[structs.ServiceName]context.CancelFunc)
|
||||||
snap.TerminatingGateway.ServiceLeaves = make(map[structs.ServiceName]*structs.IssuedCert)
|
snap.TerminatingGateway.ServiceLeaves = make(map[structs.ServiceName]*structs.IssuedCert)
|
||||||
snap.TerminatingGateway.ServiceGroups = make(map[structs.ServiceName]structs.CheckServiceNodes)
|
snap.TerminatingGateway.WatchedConfigs = make(map[structs.ServiceName]context.CancelFunc)
|
||||||
|
snap.TerminatingGateway.ServiceConfigs = make(map[structs.ServiceName]*structs.ServiceConfigResponse)
|
||||||
|
snap.TerminatingGateway.WatchedResolvers = make(map[structs.ServiceName]context.CancelFunc)
|
||||||
snap.TerminatingGateway.ServiceResolvers = make(map[structs.ServiceName]*structs.ServiceResolverConfigEntry)
|
snap.TerminatingGateway.ServiceResolvers = make(map[structs.ServiceName]*structs.ServiceResolverConfigEntry)
|
||||||
|
snap.TerminatingGateway.ServiceResolversSet = make(map[structs.ServiceName]bool)
|
||||||
|
snap.TerminatingGateway.ServiceGroups = make(map[structs.ServiceName]structs.CheckServiceNodes)
|
||||||
snap.TerminatingGateway.GatewayServices = make(map[structs.ServiceName]structs.GatewayService)
|
snap.TerminatingGateway.GatewayServices = make(map[structs.ServiceName]structs.GatewayService)
|
||||||
snap.TerminatingGateway.HostnameServices = make(map[structs.ServiceName]structs.CheckServiceNodes)
|
snap.TerminatingGateway.HostnameServices = make(map[structs.ServiceName]structs.CheckServiceNodes)
|
||||||
case structs.ServiceKindMeshGateway:
|
case structs.ServiceKindMeshGateway:
|
||||||
|
@ -691,7 +698,17 @@ func (s *state) handleUpdateConnectProxy(u cache.UpdateEvent, snap *ConfigSnapsh
|
||||||
}
|
}
|
||||||
snap.Roots = roots
|
snap.Roots = roots
|
||||||
case u.CorrelationID == intentionsWatchID:
|
case u.CorrelationID == intentionsWatchID:
|
||||||
// no-op: Intentions don't get stored in the snapshot, calls to ConnectAuthorize will fetch them from the cache
|
resp, ok := u.Result.(*structs.IndexedIntentionMatches)
|
||||||
|
if !ok {
|
||||||
|
return fmt.Errorf("invalid type for response: %T", u.Result)
|
||||||
|
}
|
||||||
|
if len(resp.Matches) > 0 {
|
||||||
|
// RPC supports matching multiple services at once but we only ever
|
||||||
|
// query with the one service we represent currently so just pick
|
||||||
|
// the one result set up.
|
||||||
|
snap.ConnectProxy.Intentions = resp.Matches[0]
|
||||||
|
}
|
||||||
|
snap.ConnectProxy.IntentionsSet = true
|
||||||
|
|
||||||
case strings.HasPrefix(u.CorrelationID, "upstream:"+preparedQueryIDPrefix):
|
case strings.HasPrefix(u.CorrelationID, "upstream:"+preparedQueryIDPrefix):
|
||||||
resp, ok := u.Result.(*structs.PreparedQueryExecuteResponse)
|
resp, ok := u.Result.(*structs.PreparedQueryExecuteResponse)
|
||||||
|
@ -1000,6 +1017,28 @@ func (s *state) handleUpdateTerminatingGateway(u cache.UpdateEvent, snap *Config
|
||||||
snap.TerminatingGateway.WatchedLeaves[svc.Service] = cancel
|
snap.TerminatingGateway.WatchedLeaves[svc.Service] = cancel
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Watch service configs for the service.
|
||||||
|
// These are used to determine the protocol for the target service.
|
||||||
|
if _, ok := snap.TerminatingGateway.WatchedConfigs[svc.Service]; !ok {
|
||||||
|
ctx, cancel := context.WithCancel(s.ctx)
|
||||||
|
err := s.cache.Notify(ctx, cachetype.ResolvedServiceConfigName, &structs.ServiceConfigRequest{
|
||||||
|
Datacenter: s.source.Datacenter,
|
||||||
|
QueryOptions: structs.QueryOptions{Token: s.token},
|
||||||
|
Name: svc.Service.Name,
|
||||||
|
EnterpriseMeta: svc.Service.EnterpriseMeta,
|
||||||
|
}, serviceConfigIDPrefix+svc.Service.String(), s.ch)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
logger.Error("failed to register watch for a resolved service config",
|
||||||
|
"service", svc.Service.String(),
|
||||||
|
"error", err,
|
||||||
|
)
|
||||||
|
cancel()
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
snap.TerminatingGateway.WatchedConfigs[svc.Service] = cancel
|
||||||
|
}
|
||||||
|
|
||||||
// Watch service resolvers for the service
|
// Watch service resolvers for the service
|
||||||
// These are used to create clusters and endpoints for the service subsets
|
// These are used to create clusters and endpoints for the service subsets
|
||||||
if _, ok := snap.TerminatingGateway.WatchedResolvers[svc.Service]; !ok {
|
if _, ok := snap.TerminatingGateway.WatchedResolvers[svc.Service]; !ok {
|
||||||
|
@ -1058,12 +1097,23 @@ func (s *state) handleUpdateTerminatingGateway(u cache.UpdateEvent, snap *Config
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Cancel service config watches for services that were not in the update
|
||||||
|
for sn, cancelFn := range snap.TerminatingGateway.WatchedConfigs {
|
||||||
|
if _, ok := svcMap[sn]; !ok {
|
||||||
|
logger.Debug("canceling watch for resolved service config", "service", sn.String())
|
||||||
|
delete(snap.TerminatingGateway.WatchedConfigs, sn)
|
||||||
|
delete(snap.TerminatingGateway.ServiceConfigs, sn)
|
||||||
|
cancelFn()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Cancel service-resolver watches for services that were not in the update
|
// Cancel service-resolver watches for services that were not in the update
|
||||||
for sn, cancelFn := range snap.TerminatingGateway.WatchedResolvers {
|
for sn, cancelFn := range snap.TerminatingGateway.WatchedResolvers {
|
||||||
if _, ok := svcMap[sn]; !ok {
|
if _, ok := svcMap[sn]; !ok {
|
||||||
logger.Debug("canceling watch for service-resolver", "service", sn.String())
|
logger.Debug("canceling watch for service-resolver", "service", sn.String())
|
||||||
delete(snap.TerminatingGateway.WatchedResolvers, sn)
|
delete(snap.TerminatingGateway.WatchedResolvers, sn)
|
||||||
delete(snap.TerminatingGateway.ServiceResolvers, sn)
|
delete(snap.TerminatingGateway.ServiceResolvers, sn)
|
||||||
|
delete(snap.TerminatingGateway.ServiceResolversSet, sn)
|
||||||
cancelFn()
|
cancelFn()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1073,9 +1123,7 @@ func (s *state) handleUpdateTerminatingGateway(u cache.UpdateEvent, snap *Config
|
||||||
if _, ok := svcMap[sn]; !ok {
|
if _, ok := svcMap[sn]; !ok {
|
||||||
logger.Debug("canceling watch for intention", "service", sn.String())
|
logger.Debug("canceling watch for intention", "service", sn.String())
|
||||||
delete(snap.TerminatingGateway.WatchedIntentions, sn)
|
delete(snap.TerminatingGateway.WatchedIntentions, sn)
|
||||||
|
delete(snap.TerminatingGateway.Intentions, sn)
|
||||||
// No additional deletions needed, since intentions aren't stored in snapshot
|
|
||||||
|
|
||||||
cancelFn()
|
cancelFn()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1105,21 +1153,43 @@ func (s *state) handleUpdateTerminatingGateway(u cache.UpdateEvent, snap *Config
|
||||||
sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, serviceLeafIDPrefix))
|
sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, serviceLeafIDPrefix))
|
||||||
snap.TerminatingGateway.ServiceLeaves[sn] = leaf
|
snap.TerminatingGateway.ServiceLeaves[sn] = leaf
|
||||||
|
|
||||||
case strings.HasPrefix(u.CorrelationID, "service-resolver:"):
|
case strings.HasPrefix(u.CorrelationID, serviceConfigIDPrefix):
|
||||||
|
serviceConfig, ok := u.Result.(*structs.ServiceConfigResponse)
|
||||||
|
if !ok {
|
||||||
|
return fmt.Errorf("invalid type for response: %T", u.Result)
|
||||||
|
}
|
||||||
|
|
||||||
|
sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, serviceConfigIDPrefix))
|
||||||
|
snap.TerminatingGateway.ServiceConfigs[sn] = serviceConfig
|
||||||
|
|
||||||
|
case strings.HasPrefix(u.CorrelationID, serviceResolverIDPrefix):
|
||||||
configEntries, ok := u.Result.(*structs.IndexedConfigEntries)
|
configEntries, ok := u.Result.(*structs.IndexedConfigEntries)
|
||||||
if !ok {
|
if !ok {
|
||||||
return fmt.Errorf("invalid type for response: %T", u.Result)
|
return fmt.Errorf("invalid type for response: %T", u.Result)
|
||||||
}
|
}
|
||||||
|
sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, serviceResolverIDPrefix))
|
||||||
// There should only ever be one entry for a service resolver within a namespace
|
// There should only ever be one entry for a service resolver within a namespace
|
||||||
if len(configEntries.Entries) == 1 {
|
if len(configEntries.Entries) == 1 {
|
||||||
if resolver, ok := configEntries.Entries[0].(*structs.ServiceResolverConfigEntry); ok {
|
if resolver, ok := configEntries.Entries[0].(*structs.ServiceResolverConfigEntry); ok {
|
||||||
snap.TerminatingGateway.ServiceResolvers[structs.NewServiceName(resolver.Name, &resolver.EnterpriseMeta)] = resolver
|
snap.TerminatingGateway.ServiceResolvers[sn] = resolver
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
snap.TerminatingGateway.ServiceResolversSet[sn] = true
|
||||||
|
|
||||||
|
case strings.HasPrefix(u.CorrelationID, serviceIntentionsIDPrefix):
|
||||||
|
resp, ok := u.Result.(*structs.IndexedIntentionMatches)
|
||||||
|
if !ok {
|
||||||
|
return fmt.Errorf("invalid type for response: %T", u.Result)
|
||||||
|
}
|
||||||
|
|
||||||
// nolint: staticcheck // github.com/dominikh/go-tools/issues/580
|
sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, serviceIntentionsIDPrefix))
|
||||||
case strings.HasPrefix(u.CorrelationID, serviceIntentionsIDPrefix):
|
|
||||||
// no-op: Intentions don't get stored in the snapshot, calls to ConnectAuthorize will fetch them from the cache
|
if len(resp.Matches) > 0 {
|
||||||
|
// RPC supports matching multiple services at once but we only ever
|
||||||
|
// query with the one service we represent currently so just pick
|
||||||
|
// the one result set up.
|
||||||
|
snap.TerminatingGateway.Intentions[sn] = resp.Matches[0]
|
||||||
|
}
|
||||||
|
|
||||||
default:
|
default:
|
||||||
// do nothing
|
// do nothing
|
||||||
|
|
|
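Review bot: In the serviceIntentionsIDPrefix case of handleUpdateTerminatingGateway, an update whose Matches is empty leaves snap.TerminatingGateway.Intentions[sn] untouched, so the service either keeps the list an earlier reply stored or never gets a key and is never emitted by ValidServices. The connect-proxy case in handleUpdateConnectProxy has the same shape but sets IntentionsSet unconditionally while also keeping the previous Intentions value on an empty reply, so the two paths disagree on what "intentions set" means. I cannot tell from this page whether the Match RPC can return zero lists for a single-service query; if it can, assigning the (possibly nil) list unconditionally keeps key presence meaning "the watch replied" and never retains a stale list. handleUpdateTerminatingGateway begins and ends outside the hunk.

```go
case strings.HasPrefix(u.CorrelationID, serviceIntentionsIDPrefix):
	// … unchanged: type assertion and sn derivation …
	// Store the reply even when it carries no match list, so key presence
	// still means "watch replied" and an earlier list is never kept.
	var ixns structs.Intentions
	if len(resp.Matches) > 0 {
		ixns = resp.Matches[0]
	}
	snap.TerminatingGateway.Intentions[sn] = ixns
```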
@ -223,6 +223,17 @@ func genVerifyResolverWatch(expectedService, expectedDatacenter, expectedKind st
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func genVerifyResolvedConfigWatch(expectedService string, expectedDatacenter string) verifyWatchRequest {
|
||||||
|
return func(t testing.TB, cacheType string, request cache.Request) {
|
||||||
|
require.Equal(t, cachetype.ResolvedServiceConfigName, cacheType)
|
||||||
|
|
||||||
|
reqReal, ok := request.(*structs.ServiceConfigRequest)
|
||||||
|
require.True(t, ok)
|
||||||
|
require.Equal(t, expectedDatacenter, reqReal.Datacenter)
|
||||||
|
require.Equal(t, expectedService, reqReal.Name)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func genVerifyIntentionWatch(expectedService string, expectedDatacenter string) verifyWatchRequest {
|
func genVerifyIntentionWatch(expectedService string, expectedDatacenter string) verifyWatchRequest {
|
||||||
return func(t testing.TB, cacheType string, request cache.Request) {
|
return func(t testing.TB, cacheType string, request cache.Request) {
|
||||||
require.Equal(t, cachetype.IntentionMatchName, cacheType)
|
require.Equal(t, cachetype.IntentionMatchName, cacheType)
|
||||||
|
@ -422,6 +433,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
ns.Proxy.MeshGateway.Mode = meshGatewayProxyConfigValue
|
ns.Proxy.MeshGateway.Mode = meshGatewayProxyConfigValue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ixnMatch := TestIntentions()
|
||||||
|
|
||||||
stage0 := verificationStage{
|
stage0 := verificationStage{
|
||||||
requiredWatches: map[string]verifyWatchRequest{
|
requiredWatches: map[string]verifyWatchRequest{
|
||||||
rootsWatchID: genVerifyRootsWatch("dc1"),
|
rootsWatchID: genVerifyRootsWatch("dc1"),
|
||||||
|
@ -481,6 +494,11 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
Result: issuedCert,
|
Result: issuedCert,
|
||||||
Err: nil,
|
Err: nil,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
CorrelationID: intentionsWatchID,
|
||||||
|
Result: ixnMatch,
|
||||||
|
Err: nil,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
CorrelationID: "discovery-chain:api",
|
CorrelationID: "discovery-chain:api",
|
||||||
Result: &structs.DiscoveryChainResponse{
|
Result: &structs.DiscoveryChainResponse{
|
||||||
|
@ -555,6 +573,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
|
|
||||||
require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks)
|
require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks)
|
||||||
require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints)
|
require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints)
|
||||||
|
|
||||||
|
require.True(t, snap.ConnectProxy.IntentionsSet)
|
||||||
|
require.Equal(t, ixnMatch.Matches[0], snap.ConnectProxy.Intentions)
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -581,6 +602,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
|
|
||||||
require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks)
|
require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks)
|
||||||
require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints)
|
require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints)
|
||||||
|
|
||||||
|
require.True(t, snap.ConnectProxy.IntentionsSet)
|
||||||
|
require.Equal(t, ixnMatch.Matches[0], snap.ConnectProxy.Intentions)
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -599,9 +623,46 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
db := structs.NewServiceName("db", nil)
|
db := structs.NewServiceName("db", nil)
|
||||||
dbStr := db.String()
|
dbStr := db.String()
|
||||||
|
|
||||||
|
billing := structs.NewServiceName("billing", nil)
|
||||||
|
|
||||||
api := structs.NewServiceName("api", nil)
|
api := structs.NewServiceName("api", nil)
|
||||||
apiStr := api.String()
|
apiStr := api.String()
|
||||||
|
|
||||||
|
dbIxnMatch := &structs.IndexedIntentionMatches{
|
||||||
|
Matches: []structs.Intentions{
|
||||||
|
[]*structs.Intention{
|
||||||
|
{
|
||||||
|
ID: "abc-123",
|
||||||
|
SourceNS: "default",
|
||||||
|
SourceName: "api",
|
||||||
|
DestinationNS: "default",
|
||||||
|
DestinationName: "db",
|
||||||
|
Action: structs.IntentionActionAllow,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
dbConfig := &structs.ServiceConfigResponse{
|
||||||
|
ProxyConfig: map[string]interface{}{
|
||||||
|
"protocol": "grpc",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
dbResolver := &structs.IndexedConfigEntries{
|
||||||
|
Kind: structs.ServiceResolver,
|
||||||
|
Entries: []structs.ConfigEntry{
|
||||||
|
&structs.ServiceResolverConfigEntry{
|
||||||
|
Name: "db",
|
||||||
|
Kind: structs.ServiceResolver,
|
||||||
|
Redirect: &structs.ServiceResolverRedirect{
|
||||||
|
Service: "db",
|
||||||
|
Datacenter: "dc2",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
cases := map[string]testCase{
|
cases := map[string]testCase{
|
||||||
"initial-gateway": {
|
"initial-gateway": {
|
||||||
ns: structs.NodeService{
|
ns: structs.NodeService{
|
||||||
|
@ -1105,7 +1166,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
Result: &structs.IndexedGatewayServices{
|
Result: &structs.IndexedGatewayServices{
|
||||||
Services: structs.GatewayServices{
|
Services: structs.GatewayServices{
|
||||||
{
|
{
|
||||||
Service: structs.NewServiceName("db", nil),
|
Service: db,
|
||||||
Gateway: structs.NewServiceName("terminating-gateway", nil),
|
Gateway: structs.NewServiceName("terminating-gateway", nil),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1115,7 +1176,10 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
},
|
},
|
||||||
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
||||||
require.True(t, snap.Valid(), "gateway with service list is valid")
|
require.True(t, snap.Valid(), "gateway with service list is valid")
|
||||||
|
require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
|
||||||
|
|
||||||
require.Len(t, snap.TerminatingGateway.WatchedServices, 1)
|
require.Len(t, snap.TerminatingGateway.WatchedServices, 1)
|
||||||
|
require.Contains(t, snap.TerminatingGateway.WatchedServices, db)
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -1125,15 +1189,15 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
Result: &structs.IndexedGatewayServices{
|
Result: &structs.IndexedGatewayServices{
|
||||||
Services: structs.GatewayServices{
|
Services: structs.GatewayServices{
|
||||||
{
|
{
|
||||||
Service: structs.NewServiceName("db", nil),
|
Service: db,
|
||||||
Gateway: structs.NewServiceName("terminating-gateway", nil),
|
Gateway: structs.NewServiceName("terminating-gateway", nil),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Service: structs.NewServiceName("billing", nil),
|
Service: billing,
|
||||||
Gateway: structs.NewServiceName("terminating-gateway", nil),
|
Gateway: structs.NewServiceName("terminating-gateway", nil),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Service: structs.NewServiceName("api", nil),
|
Service: api,
|
||||||
Gateway: structs.NewServiceName("terminating-gateway", nil),
|
Gateway: structs.NewServiceName("terminating-gateway", nil),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1142,11 +1206,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
||||||
db := structs.NewServiceName("db", nil)
|
|
||||||
billing := structs.NewServiceName("billing", nil)
|
|
||||||
api := structs.NewServiceName("api", nil)
|
|
||||||
|
|
||||||
require.True(t, snap.Valid(), "gateway with service list is valid")
|
require.True(t, snap.Valid(), "gateway with service list is valid")
|
||||||
|
require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
|
||||||
|
|
||||||
require.Len(t, snap.TerminatingGateway.WatchedServices, 3)
|
require.Len(t, snap.TerminatingGateway.WatchedServices, 3)
|
||||||
require.Contains(t, snap.TerminatingGateway.WatchedServices, db)
|
require.Contains(t, snap.TerminatingGateway.WatchedServices, db)
|
||||||
require.Contains(t, snap.TerminatingGateway.WatchedServices, billing)
|
require.Contains(t, snap.TerminatingGateway.WatchedServices, billing)
|
||||||
|
@ -1162,6 +1224,11 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
require.Contains(t, snap.TerminatingGateway.WatchedLeaves, billing)
|
require.Contains(t, snap.TerminatingGateway.WatchedLeaves, billing)
|
||||||
require.Contains(t, snap.TerminatingGateway.WatchedLeaves, api)
|
require.Contains(t, snap.TerminatingGateway.WatchedLeaves, api)
|
||||||
|
|
||||||
|
require.Len(t, snap.TerminatingGateway.WatchedConfigs, 3)
|
||||||
|
require.Contains(t, snap.TerminatingGateway.WatchedConfigs, db)
|
||||||
|
require.Contains(t, snap.TerminatingGateway.WatchedConfigs, billing)
|
||||||
|
require.Contains(t, snap.TerminatingGateway.WatchedConfigs, api)
|
||||||
|
|
||||||
require.Len(t, snap.TerminatingGateway.WatchedResolvers, 3)
|
require.Len(t, snap.TerminatingGateway.WatchedResolvers, 3)
|
||||||
require.Contains(t, snap.TerminatingGateway.WatchedResolvers, db)
|
require.Contains(t, snap.TerminatingGateway.WatchedResolvers, db)
|
||||||
require.Contains(t, snap.TerminatingGateway.WatchedResolvers, billing)
|
require.Contains(t, snap.TerminatingGateway.WatchedResolvers, billing)
|
||||||
|
@ -1198,8 +1265,11 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
||||||
|
require.True(t, snap.Valid(), "gateway with service list is valid")
|
||||||
|
require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
|
||||||
|
|
||||||
require.Len(t, snap.TerminatingGateway.ServiceGroups, 1)
|
require.Len(t, snap.TerminatingGateway.ServiceGroups, 1)
|
||||||
require.Equal(t, snap.TerminatingGateway.ServiceGroups[structs.NewServiceName("db", nil)],
|
require.Equal(t, snap.TerminatingGateway.ServiceGroups[db],
|
||||||
structs.CheckServiceNodes{
|
structs.CheckServiceNodes{
|
||||||
{
|
{
|
||||||
Node: &structs.Node{
|
Node: &structs.Node{
|
||||||
|
@ -1263,6 +1333,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
||||||
|
require.True(t, snap.Valid(), "gateway with service list is valid")
|
||||||
|
require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
|
||||||
|
|
||||||
require.Len(t, snap.TerminatingGateway.ServiceGroups, 2)
|
require.Len(t, snap.TerminatingGateway.ServiceGroups, 2)
|
||||||
expect := structs.CheckServiceNodes{
|
expect := structs.CheckServiceNodes{
|
||||||
{
|
{
|
||||||
|
@ -1299,11 +1372,10 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
sn := structs.NewServiceName("api", nil)
|
require.Equal(t, snap.TerminatingGateway.ServiceGroups[api], expect)
|
||||||
require.Equal(t, snap.TerminatingGateway.ServiceGroups[sn], expect)
|
|
||||||
|
|
||||||
// The instance in node3 should not be present in HostnameDatacenters because it has a valid IP
|
// The instance in node3 should not be present in HostnameDatacenters because it has a valid IP
|
||||||
require.ElementsMatch(t, snap.TerminatingGateway.HostnameServices[sn], expect[:2])
|
require.ElementsMatch(t, snap.TerminatingGateway.HostnameServices[api], expect[:2])
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -1318,7 +1390,50 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
||||||
require.Equal(t, snap.TerminatingGateway.ServiceLeaves[structs.NewServiceName("db", nil)], issuedCert)
|
require.True(t, snap.Valid(), "gateway with service list is valid")
|
||||||
|
require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
|
||||||
|
|
||||||
|
require.Equal(t, snap.TerminatingGateway.ServiceLeaves[db], issuedCert)
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
requiredWatches: map[string]verifyWatchRequest{
|
||||||
|
serviceIntentionsIDPrefix + dbStr: genVerifyIntentionWatch("db", "dc1"),
|
||||||
|
},
|
||||||
|
events: []cache.UpdateEvent{
|
||||||
|
{
|
||||||
|
CorrelationID: serviceIntentionsIDPrefix + dbStr,
|
||||||
|
Result: dbIxnMatch,
|
||||||
|
Err: nil,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
||||||
|
require.True(t, snap.Valid(), "gateway with service list is valid")
|
||||||
|
require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
|
||||||
|
|
||||||
|
require.Len(t, snap.TerminatingGateway.Intentions, 1)
|
||||||
|
dbIxn, ok := snap.TerminatingGateway.Intentions[db]
|
||||||
|
require.True(t, ok)
|
||||||
|
require.Equal(t, dbIxnMatch.Matches[0], dbIxn)
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
requiredWatches: map[string]verifyWatchRequest{
|
||||||
|
serviceConfigIDPrefix + dbStr: genVerifyResolvedConfigWatch("db", "dc1"),
|
||||||
|
},
|
||||||
|
events: []cache.UpdateEvent{
|
||||||
|
{
|
||||||
|
CorrelationID: serviceConfigIDPrefix + dbStr,
|
||||||
|
Result: dbConfig,
|
||||||
|
Err: nil,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
||||||
|
require.True(t, snap.Valid(), "gateway with service list is valid")
|
||||||
|
require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
|
||||||
|
|
||||||
|
require.Len(t, snap.TerminatingGateway.ServiceConfigs, 1)
|
||||||
|
require.Equal(t, snap.TerminatingGateway.ServiceConfigs[db], dbConfig)
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -1328,32 +1443,20 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
events: []cache.UpdateEvent{
|
events: []cache.UpdateEvent{
|
||||||
{
|
{
|
||||||
CorrelationID: "service-resolver:" + dbStr,
|
CorrelationID: "service-resolver:" + dbStr,
|
||||||
Result: &structs.IndexedConfigEntries{
|
Result: dbResolver,
|
||||||
Kind: structs.ServiceResolver,
|
|
||||||
Entries: []structs.ConfigEntry{
|
|
||||||
&structs.ServiceResolverConfigEntry{
|
|
||||||
Name: "db",
|
|
||||||
Kind: structs.ServiceResolver,
|
|
||||||
Redirect: &structs.ServiceResolverRedirect{
|
|
||||||
Service: "db",
|
|
||||||
Datacenter: "dc2",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
Err: nil,
|
Err: nil,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
||||||
want := &structs.ServiceResolverConfigEntry{
|
require.True(t, snap.Valid(), "gateway with service list is valid")
|
||||||
Kind: structs.ServiceResolver,
|
// Finally we have everything we need
|
||||||
Name: "db",
|
require.Equal(t, []structs.ServiceName{db}, snap.TerminatingGateway.ValidServices())
|
||||||
Redirect: &structs.ServiceResolverRedirect{
|
|
||||||
Service: "db",
|
require.Len(t, snap.TerminatingGateway.ServiceResolversSet, 1)
|
||||||
Datacenter: "dc2",
|
require.True(t, snap.TerminatingGateway.ServiceResolversSet[db])
|
||||||
},
|
|
||||||
}
|
require.Len(t, snap.TerminatingGateway.ServiceResolvers, 1)
|
||||||
require.Equal(t, want, snap.TerminatingGateway.ServiceResolvers[structs.NewServiceName("db", nil)])
|
require.Equal(t, dbResolver.Entries[0], snap.TerminatingGateway.ServiceResolvers[db])
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -1363,7 +1466,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
Result: &structs.IndexedGatewayServices{
|
Result: &structs.IndexedGatewayServices{
|
||||||
Services: structs.GatewayServices{
|
Services: structs.GatewayServices{
|
||||||
{
|
{
|
||||||
Service: structs.NewServiceName("billing", nil),
|
Service: billing,
|
||||||
Gateway: structs.NewServiceName("terminating-gateway", nil),
|
Gateway: structs.NewServiceName("terminating-gateway", nil),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1372,9 +1475,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
|
||||||
billing := structs.NewServiceName("billing", nil)
|
|
||||||
|
|
||||||
require.True(t, snap.Valid(), "gateway with service list is valid")
|
require.True(t, snap.Valid(), "gateway with service list is valid")
|
||||||
|
require.Len(t, snap.TerminatingGateway.ValidServices(), 0)
|
||||||
|
|
||||||
// All the watches should have been cancelled for db
|
// All the watches should have been cancelled for db
|
||||||
require.Len(t, snap.TerminatingGateway.WatchedServices, 1)
|
require.Len(t, snap.TerminatingGateway.WatchedServices, 1)
|
||||||
|
|
|
@ -99,7 +99,7 @@ func TestLeafForCA(t testing.T, ca *structs.CARoot) *structs.IssuedCert {
|
||||||
|
|
||||||
// TestIntentions returns a sample intentions match result useful to
|
// TestIntentions returns a sample intentions match result useful to
|
||||||
// mocking service discovery cache results.
|
// mocking service discovery cache results.
|
||||||
func TestIntentions(t testing.T) *structs.IndexedIntentionMatches {
|
func TestIntentions() *structs.IndexedIntentionMatches {
|
||||||
return &structs.IndexedIntentionMatches{
|
return &structs.IndexedIntentionMatches{
|
||||||
Matches: []structs.Intentions{
|
Matches: []structs.Intentions{
|
||||||
[]*structs.Intention{
|
[]*structs.Intention{
|
||||||
|
@ -685,6 +685,8 @@ func TestConfigSnapshot(t testing.T) *ConfigSnapshot {
|
||||||
PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{
|
PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{
|
||||||
"prepared_query:geo-cache": TestUpstreamNodes(t),
|
"prepared_query:geo-cache": TestUpstreamNodes(t),
|
||||||
},
|
},
|
||||||
|
Intentions: nil, // no intentions defined
|
||||||
|
IntentionsSet: true,
|
||||||
},
|
},
|
||||||
Datacenter: "dc1",
|
Datacenter: "dc1",
|
||||||
}
|
}
|
||||||
|
@ -1793,6 +1795,12 @@ func testConfigSnapshotTerminatingGateway(t testing.T, populateServices bool) *C
|
||||||
db: dbNodes,
|
db: dbNodes,
|
||||||
cache: cacheNodes,
|
cache: cacheNodes,
|
||||||
},
|
},
|
||||||
|
ServiceResolversSet: map[structs.ServiceName]bool{
|
||||||
|
web: true,
|
||||||
|
api: true,
|
||||||
|
db: true,
|
||||||
|
cache: true,
|
||||||
|
},
|
||||||
GatewayServices: map[structs.ServiceName]structs.GatewayService{
|
GatewayServices: map[structs.ServiceName]structs.GatewayService{
|
||||||
web: {
|
web: {
|
||||||
Service: web,
|
Service: web,
|
||||||
|
@ -1817,20 +1825,43 @@ func testConfigSnapshotTerminatingGateway(t testing.T, populateServices bool) *C
|
||||||
cache: {cacheNodes[0], cacheNodes[1]},
|
cache: {cacheNodes[0], cacheNodes[1]},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
snap.TerminatingGateway.ServiceConfigs = map[structs.ServiceName]*structs.ServiceConfigResponse{
|
||||||
|
web: {
|
||||||
|
ProxyConfig: map[string]interface{}{"protocol": "tcp"},
|
||||||
|
},
|
||||||
|
api: {
|
||||||
|
ProxyConfig: map[string]interface{}{"protocol": "tcp"},
|
||||||
|
},
|
||||||
|
db: {
|
||||||
|
ProxyConfig: map[string]interface{}{"protocol": "tcp"},
|
||||||
|
},
|
||||||
|
cache: {
|
||||||
|
ProxyConfig: map[string]interface{}{"protocol": "tcp"},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
snap.TerminatingGateway.Intentions = map[structs.ServiceName]structs.Intentions{
|
||||||
|
// no intentions defined for thse services
|
||||||
|
web: nil,
|
||||||
|
api: nil,
|
||||||
|
db: nil,
|
||||||
|
cache: nil,
|
||||||
|
}
|
||||||
|
|
||||||
snap.TerminatingGateway.ServiceLeaves = map[structs.ServiceName]*structs.IssuedCert{
|
snap.TerminatingGateway.ServiceLeaves = map[structs.ServiceName]*structs.IssuedCert{
|
||||||
structs.NewServiceName("web", nil): {
|
web: {
|
||||||
CertPEM: golden(t, "test-leaf-cert"),
|
CertPEM: golden(t, "test-leaf-cert"),
|
||||||
PrivateKeyPEM: golden(t, "test-leaf-key"),
|
PrivateKeyPEM: golden(t, "test-leaf-key"),
|
||||||
},
|
},
|
||||||
structs.NewServiceName("api", nil): {
|
api: {
|
||||||
CertPEM: golden(t, "alt-test-leaf-cert"),
|
CertPEM: golden(t, "alt-test-leaf-cert"),
|
||||||
PrivateKeyPEM: golden(t, "alt-test-leaf-key"),
|
PrivateKeyPEM: golden(t, "alt-test-leaf-key"),
|
||||||
},
|
},
|
||||||
structs.NewServiceName("db", nil): {
|
db: {
|
||||||
CertPEM: golden(t, "db-test-leaf-cert"),
|
CertPEM: golden(t, "db-test-leaf-cert"),
|
||||||
PrivateKeyPEM: golden(t, "db-test-leaf-key"),
|
PrivateKeyPEM: golden(t, "db-test-leaf-key"),
|
||||||
},
|
},
|
||||||
structs.NewServiceName("cache", nil): {
|
cache: {
|
||||||
CertPEM: golden(t, "cache-test-leaf-cert"),
|
CertPEM: golden(t, "cache-test-leaf-cert"),
|
||||||
PrivateKeyPEM: golden(t, "cache-test-leaf-key"),
|
PrivateKeyPEM: golden(t, "cache-test-leaf-key"),
|
||||||
},
|
},
|
||||||
|
|
|
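Review bot: The comment on the new TerminatingGateway.Intentions fixture has a typo, `// no intentions defined for thse services` should read `// no intentions defined for these services`. Both this fixture and the TestConfigSnapshot change set every service's intentions to nil (with IntentionsSet true), so these snapshots only exercise the "no matching intention" path of the generated RBAC config; if no other fixture carries explicit allow/deny entries, a populated variant would be worth adding so that both the default-allow and default-deny rule sets are covered by golden tests. The enclosing testConfigSnapshotTerminatingGateway function starts and ends outside the hunk.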
@ -1212,3 +1212,12 @@ func defaultIfEmpty(val, defaultVal string) string {
|
||||||
}
|
}
|
||||||
return defaultVal
|
return defaultVal
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func IsProtocolHTTPLike(protocol string) bool {
|
||||||
|
switch protocol {
|
||||||
|
case "http", "http2", "grpc":
|
||||||
|
return true
|
||||||
|
default:
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
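Review bot: `IsProtocolHTTPLike` is exported but has no doc comment, and its result now selects between L4 and L7 intention enforcement (see `useHTTPFilter := structs.IsProtocolHTTPLike(cfg.Protocol)` in makePublicListener), so the contract deserves stating. Suggested: `// IsProtocolHTTPLike reports whether protocol is one of the L7 protocols ("http", "http2", "grpc") served through Envoy's HTTP connection manager; anything else, including an empty string, is treated as plain TCP and gets L4 enforcement only.` The match is exact and case-sensitive and the list is maintained by hand, so the comment should also point at the place where makeListenerFilter picks the HTTP filter, if it keys on the same strings, so the two lists stay in sync.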
@ -8,6 +8,7 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/hashicorp/consul/acl"
|
"github.com/hashicorp/consul/acl"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -1162,3 +1163,12 @@ func TestValidateServiceSubset(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestIsProtocolHTTPLike(t *testing.T) {
|
||||||
|
assert.False(t, IsProtocolHTTPLike(""))
|
||||||
|
assert.False(t, IsProtocolHTTPLike("tcp"))
|
||||||
|
|
||||||
|
assert.True(t, IsProtocolHTTPLike("http"))
|
||||||
|
assert.True(t, IsProtocolHTTPLike("http2"))
|
||||||
|
assert.True(t, IsProtocolHTTPLike("grpc"))
|
||||||
|
}
|
||||||
|
|
|
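Review bot: The new TestIsProtocolHTTPLike introduces the `assert` package into a file whose existing tests use `require` (the import hunk above adds it solely for this test); `require.False`/`require.True` keeps one assertion style per file and avoids the extra import. Cases such as `"HTTP"` or `"tcp "` would also document that the match is exact and case-sensitive, which matters now that the result gates L7 versus L4 intention enforcement.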
@ -359,6 +359,14 @@ func (x *Intention) EstimateSize() int {
|
||||||
return size
|
return size
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (x *Intention) SourceServiceName() ServiceName {
|
||||||
|
return NewServiceName(x.SourceName, x.SourceEnterpriseMeta())
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *Intention) DestinationServiceName() ServiceName {
|
||||||
|
return NewServiceName(x.DestinationName, x.DestinationEnterpriseMeta())
|
||||||
|
}
|
||||||
|
|
||||||
// IntentionAction is the action that the intention represents. This
|
// IntentionAction is the action that the intention represents. This
|
||||||
// can be "allow" or "deny".
|
// can be "allow" or "deny".
|
||||||
type IntentionAction string
|
type IntentionAction string
|
||||||
|
|
|
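Review bot: SourceServiceName and DestinationServiceName are exported methods without doc comments; suggested `// SourceServiceName returns the intention's source as a ServiceName, using the source's enterprise meta.` and `// DestinationServiceName returns the intention's destination as a ServiceName, using the destination's enterprise meta.` The receiver is named `x` here while the sibling methods added in intention_oss.go use `ixn` for the same type; Go convention is one receiver name per type, so pick one across both files.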
@ -6,6 +6,14 @@ import (
|
||||||
"github.com/hashicorp/consul/acl"
|
"github.com/hashicorp/consul/acl"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func (ixn *Intention) SourceEnterpriseMeta() *EnterpriseMeta {
|
||||||
|
return DefaultEnterpriseMeta()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ixn *Intention) DestinationEnterpriseMeta() *EnterpriseMeta {
|
||||||
|
return DefaultEnterpriseMeta()
|
||||||
|
}
|
||||||
|
|
||||||
// FillAuthzContext can fill in an acl.AuthorizerContext object to setup
|
// FillAuthzContext can fill in an acl.AuthorizerContext object to setup
|
||||||
// extra parameters for ACL enforcement. In OSS there is currently nothing
|
// extra parameters for ACL enforcement. In OSS there is currently nothing
|
||||||
// extra to be done.
|
// extra to be done.
|
||||||
|
|
|
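Review bot: SourceEnterpriseMeta and DestinationEnterpriseMeta return DefaultEnterpriseMeta() without consulting the intention's SourceNS/DestinationNS fields, and carry no doc comment saying so. Since they feed the new SourceServiceName/DestinationServiceName helpers, a comment such as `// SourceEnterpriseMeta returns the source's enterprise meta; in OSS every intention lives in the default namespace, so this is always DefaultEnterpriseMeta().` makes the OSS-only assumption explicit for anyone comparing against the enterprise build. The unused receiver could be `_`, or be renamed to match the `x` receiver used in intention.go.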
@ -9,6 +9,7 @@ import (
|
||||||
|
|
||||||
envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
|
envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
|
||||||
"github.com/golang/protobuf/jsonpb"
|
"github.com/golang/protobuf/jsonpb"
|
||||||
|
"github.com/golang/protobuf/proto"
|
||||||
"github.com/hashicorp/go-version"
|
"github.com/hashicorp/go-version"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
)
|
)
|
||||||
|
@ -55,11 +56,15 @@ func golden(t *testing.T, name, subname, got string) string {
|
||||||
}
|
}
|
||||||
|
|
||||||
func responseToJSON(t *testing.T, r *envoy.DiscoveryResponse) string {
|
func responseToJSON(t *testing.T, r *envoy.DiscoveryResponse) string {
|
||||||
|
return protoToJSON(t, r)
|
||||||
|
}
|
||||||
|
|
||||||
|
func protoToJSON(t *testing.T, pb proto.Message) string {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
m := jsonpb.Marshaler{
|
m := jsonpb.Marshaler{
|
||||||
Indent: " ",
|
Indent: " ",
|
||||||
}
|
}
|
||||||
gotJSON, err := m.MarshalToString(r)
|
gotJSON, err := m.MarshalToString(pb)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
return gotJSON
|
return gotJSON
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,7 +15,6 @@ import (
|
||||||
envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
|
envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
|
||||||
envoylistener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener"
|
envoylistener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener"
|
||||||
envoyroute "github.com/envoyproxy/go-control-plane/envoy/api/v2/route"
|
envoyroute "github.com/envoyproxy/go-control-plane/envoy/api/v2/route"
|
||||||
extauthz "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/ext_authz/v2"
|
|
||||||
envoyhttp "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2"
|
envoyhttp "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2"
|
||||||
envoytcp "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/tcp_proxy/v2"
|
envoytcp "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/tcp_proxy/v2"
|
||||||
envoytype "github.com/envoyproxy/go-control-plane/envoy/type"
|
envoytype "github.com/envoyproxy/go-control-plane/envoy/type"
|
||||||
|
@ -23,6 +22,7 @@ import (
|
||||||
"github.com/envoyproxy/go-control-plane/pkg/wellknown"
|
"github.com/envoyproxy/go-control-plane/pkg/wellknown"
|
||||||
"github.com/golang/protobuf/jsonpb"
|
"github.com/golang/protobuf/jsonpb"
|
||||||
"github.com/golang/protobuf/proto"
|
"github.com/golang/protobuf/proto"
|
||||||
|
pbtypes "github.com/golang/protobuf/ptypes"
|
||||||
"github.com/golang/protobuf/ptypes/any"
|
"github.com/golang/protobuf/ptypes/any"
|
||||||
pbstruct "github.com/golang/protobuf/ptypes/struct"
|
pbstruct "github.com/golang/protobuf/ptypes/struct"
|
||||||
"github.com/golang/protobuf/ptypes/wrappers"
|
"github.com/golang/protobuf/ptypes/wrappers"
|
||||||
|
@ -313,8 +313,17 @@ func (s *Server) makeIngressGatewayListeners(address string, cfgSnap *proxycfg.C
|
||||||
} else {
|
} else {
|
||||||
// If multiple upstreams share this port, make a special listener for the protocol.
|
// If multiple upstreams share this port, make a special listener for the protocol.
|
||||||
listener := makeListener(listenerKey.Protocol, address, listenerKey.Port)
|
listener := makeListener(listenerKey.Protocol, address, listenerKey.Port)
|
||||||
filter, err := makeListenerFilter(
|
opts := listenerFilterOpts{
|
||||||
true, listenerKey.Protocol, listenerKey.RouteName(), "", "ingress_upstream_", "", false)
|
useRDS: true,
|
||||||
|
protocol: listenerKey.Protocol,
|
||||||
|
filterName: listenerKey.RouteName(),
|
||||||
|
cluster: "",
|
||||||
|
statPrefix: "ingress_upstream_",
|
||||||
|
routePath: "",
|
||||||
|
ingress: false,
|
||||||
|
httpAuthzFilter: nil,
|
||||||
|
}
|
||||||
|
filter, err := makeListenerFilter(opts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -395,23 +404,104 @@ func makeListenerFromUserConfig(configJSON string) (*envoy.Listener, error) {
|
||||||
return &l, err
|
return &l, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Ensure that the first filter in each filter chain of a public listener is the
|
// Ensure that the first filter in each filter chain of a public listener is
|
||||||
// authz filter to prevent unauthorized access and that every filter chain uses
|
// the authz filter to prevent unauthorized access.
|
||||||
// our TLS certs. We might allow users to work around this later if there is a
|
func (s *Server) injectConnectFilters(_ connectionInfo, cfgSnap *proxycfg.ConfigSnapshot, listener *envoy.Listener) error {
|
||||||
// good use case but this is actually a feature for now as it allows them to
|
authzFilter, err := makeRBACNetworkFilter(
|
||||||
// specify custom listener params in config but still get our certs delivered
|
cfgSnap.ConnectProxy.Intentions,
|
||||||
// dynamically and intentions enforced without coming up with some complicated
|
cfgSnap.IntentionDefaultAllow,
|
||||||
// templating/merging solution.
|
)
|
||||||
func injectConnectFilters(cInfo connectionInfo, cfgSnap *proxycfg.ConfigSnapshot, listener *envoy.Listener) error {
|
|
||||||
authFilter, err := makeExtAuthFilter(cInfo.Token)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
for idx := range listener.FilterChains {
|
for idx := range listener.FilterChains {
|
||||||
// Insert our authz filter before any others
|
// Insert our authz filter before any others
|
||||||
listener.FilterChains[idx].Filters =
|
listener.FilterChains[idx].Filters =
|
||||||
append([]*envoylistener.Filter{authFilter}, listener.FilterChains[idx].Filters...)
|
append([]*envoylistener.Filter{
|
||||||
|
authzFilter,
|
||||||
|
}, listener.FilterChains[idx].Filters...)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
const httpConnectionManagerNewName = "envoy.filters.network.http_connection_manager"
|
||||||
|
|
||||||
|
// Locate the existing http connect manager L4 filter and inject our RBAC filter at the top.
|
||||||
|
func (s *Server) injectHTTPFilterOnFilterChains(
|
||||||
|
listener *envoy.Listener,
|
||||||
|
authzFilter *envoyhttp.HttpFilter,
|
||||||
|
) error {
|
||||||
|
for chainIdx, chain := range listener.FilterChains {
|
||||||
|
var (
|
||||||
|
hcmFilter *envoylistener.Filter
|
||||||
|
hcmFilterIdx int
|
||||||
|
)
|
||||||
|
|
||||||
|
for filterIdx, filter := range chain.Filters {
|
||||||
|
if filter.Name == wellknown.HTTPConnectionManager ||
|
||||||
|
filter.Name == httpConnectionManagerNewName {
|
||||||
|
hcmFilter = filter
|
||||||
|
hcmFilterIdx = filterIdx
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if hcmFilter == nil {
|
||||||
|
return fmt.Errorf(
|
||||||
|
"filter chain %d lacks either a %q or %q filter",
|
||||||
|
chainIdx,
|
||||||
|
wellknown.HTTPConnectionManager,
|
||||||
|
httpConnectionManagerNewName,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
hcm envoyhttp.HttpConnectionManager
|
||||||
|
isTyped bool
|
||||||
|
)
|
||||||
|
switch x := hcmFilter.ConfigType.(type) {
|
||||||
|
case *envoylistener.Filter_Config:
|
||||||
|
if err := conversion.StructToMessage(x.Config, &hcm); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
isTyped = false
|
||||||
|
case *envoylistener.Filter_TypedConfig:
|
||||||
|
if err := pbtypes.UnmarshalAny(x.TypedConfig, &hcm); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
isTyped = true
|
||||||
|
default:
|
||||||
|
return fmt.Errorf(
|
||||||
|
"filter chain %d has a %q filter with an unsupported config type: %T",
|
||||||
|
chainIdx,
|
||||||
|
hcmFilter.Name,
|
||||||
|
x,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Insert our authz filter before any others
|
||||||
|
hcm.HttpFilters = append([]*envoyhttp.HttpFilter{
|
||||||
|
authzFilter,
|
||||||
|
}, hcm.HttpFilters...)
|
||||||
|
|
||||||
|
// And persist the modified filter.
|
||||||
|
newFilter, err := makeFilter(hcmFilter.Name, &hcm, isTyped)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
chain.Filters[hcmFilterIdx] = newFilter
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Ensure every filter chain uses our TLS certs. We might allow users to work
|
||||||
|
// around this later if there is a good use case but this is actually a feature
|
||||||
|
// for now as it allows them to specify custom listener params in config but
|
||||||
|
// still get our certs delivered dynamically and intentions enforced without
|
||||||
|
// coming up with some complicated templating/merging solution.
|
||||||
|
func (s *Server) injectConnectTLSOnFilterChains(_ connectionInfo, cfgSnap *proxycfg.ConfigSnapshot, listener *envoy.Listener) error {
|
||||||
|
for idx := range listener.FilterChains {
|
||||||
listener.FilterChains[idx].TlsContext = &envoyauth.DownstreamTlsContext{
|
listener.FilterChains[idx].TlsContext = &envoyauth.DownstreamTlsContext{
|
||||||
CommonTlsContext: makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.Leaf()),
|
CommonTlsContext: makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.Leaf()),
|
||||||
RequireClientCertificate: &wrappers.BoolValue{Value: true},
|
RequireClientCertificate: &wrappers.BoolValue{Value: true},
|
||||||
|
@ -436,9 +526,12 @@ func (s *Server) makePublicListener(cInfo connectionInfo, cfgSnap *proxycfg.Conf
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return l, err
|
return l, err
|
||||||
}
|
}
|
||||||
// In the happy path don't return yet as we need to inject TLS config still.
|
// In the happy path don't return yet as we need to inject TLS and authz config still.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// This controls if we do L4 or L7 intention checks.
|
||||||
|
useHTTPFilter := structs.IsProtocolHTTPLike(cfg.Protocol)
|
||||||
|
|
||||||
if l == nil {
|
if l == nil {
|
||||||
// No user config, use default listener
|
// No user config, use default listener
|
||||||
addr := cfgSnap.Address
|
addr := cfgSnap.Address
|
||||||
|
@ -460,8 +553,27 @@ func (s *Server) makePublicListener(cInfo connectionInfo, cfgSnap *proxycfg.Conf
|
||||||
|
|
||||||
l = makeListener(PublicListenerName, addr, port)
|
l = makeListener(PublicListenerName, addr, port)
|
||||||
|
|
||||||
filter, err := makeListenerFilter(
|
opts := listenerFilterOpts{
|
||||||
false, cfg.Protocol, "public_listener", LocalAppClusterName, "", "", true)
|
useRDS: false,
|
||||||
|
protocol: cfg.Protocol,
|
||||||
|
filterName: "public_listener",
|
||||||
|
cluster: LocalAppClusterName,
|
||||||
|
statPrefix: "",
|
||||||
|
routePath: "",
|
||||||
|
ingress: true,
|
||||||
|
}
|
||||||
|
|
||||||
|
if useHTTPFilter {
|
||||||
|
opts.httpAuthzFilter, err = makeRBACHTTPFilter(
|
||||||
|
cfgSnap.ConnectProxy.Intentions,
|
||||||
|
cfgSnap.IntentionDefaultAllow,
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
filter, err := makeListenerFilter(opts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -472,9 +584,39 @@ func (s *Server) makePublicListener(cInfo connectionInfo, cfgSnap *proxycfg.Conf
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
} else if useHTTPFilter {
|
||||||
|
httpAuthzFilter, err := makeRBACHTTPFilter(
|
||||||
|
cfgSnap.ConnectProxy.Intentions,
|
||||||
|
cfgSnap.IntentionDefaultAllow,
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// We're using the listener escape hatch, so try our best to inject the
|
||||||
|
// HTTP RBAC filter, but if we can't then just inject the RBAC Network
|
||||||
|
// filter instead.
|
||||||
|
if err := s.injectHTTPFilterOnFilterChains(l, httpAuthzFilter); err != nil {
|
||||||
|
s.Logger.Warn(
|
||||||
|
"could not inject the HTTP RBAC filter to enforce intentions on user-provided 'envoy_public_listener_json' config; falling back on the RBAC network filter instead",
|
||||||
|
"proxy", cfgSnap.ProxyID,
|
||||||
|
"error", err,
|
||||||
|
)
|
||||||
|
useHTTPFilter = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if !useHTTPFilter {
|
||||||
|
if err := s.injectConnectFilters(cInfo, cfgSnap, l); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := s.injectConnectTLSOnFilterChains(cInfo, cfgSnap, l); err != nil {
|
||||||
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
err = injectConnectFilters(cInfo, cfgSnap, l)
|
|
||||||
return l, err
|
return l, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -505,7 +647,17 @@ func (s *Server) makeExposedCheckListener(cfgSnap *proxycfg.ConfigSnapshot, clus
|
||||||
|
|
||||||
filterName := fmt.Sprintf("exposed_path_filter_%s_%d", strippedPath, path.ListenerPort)
|
filterName := fmt.Sprintf("exposed_path_filter_%s_%d", strippedPath, path.ListenerPort)
|
||||||
|
|
||||||
f, err := makeListenerFilter(false, path.Protocol, filterName, cluster, "", path.Path, true)
|
opts := listenerFilterOpts{
|
||||||
|
useRDS: false,
|
||||||
|
protocol: path.Protocol,
|
||||||
|
filterName: filterName,
|
||||||
|
cluster: cluster,
|
||||||
|
statPrefix: "",
|
||||||
|
routePath: path.Path,
|
||||||
|
ingress: true,
|
||||||
|
httpAuthzFilter: nil,
|
||||||
|
}
|
||||||
|
f, err := makeListenerFilter(opts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -557,20 +709,35 @@ func (s *Server) makeTerminatingGatewayListener(
|
||||||
|
|
||||||
// Make a FilterChain for each linked service
|
// Make a FilterChain for each linked service
|
||||||
// Match on the cluster name,
|
// Match on the cluster name,
|
||||||
for svc := range cfgSnap.TerminatingGateway.ServiceGroups {
|
for _, svc := range cfgSnap.TerminatingGateway.ValidServices() {
|
||||||
clusterName := connect.ServiceSNI(svc.Name, "", svc.NamespaceOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain)
|
clusterName := connect.ServiceSNI(svc.Name, "", svc.NamespaceOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain)
|
||||||
|
|
||||||
|
// Resolvers are optional.
|
||||||
resolver, hasResolver := cfgSnap.TerminatingGateway.ServiceResolvers[svc]
|
resolver, hasResolver := cfgSnap.TerminatingGateway.ServiceResolvers[svc]
|
||||||
|
|
||||||
// Skip the service if we don't have a cert to present for mTLS
|
intentions := cfgSnap.TerminatingGateway.Intentions[svc]
|
||||||
if cert, ok := cfgSnap.TerminatingGateway.ServiceLeaves[svc]; !ok || cert == nil {
|
svcConfig := cfgSnap.TerminatingGateway.ServiceConfigs[svc]
|
||||||
// TODO (gateways) (freddy) Should the error suggest that the issue may be ACLs? (need service:write on service)
|
|
||||||
s.Logger.Named(logging.TerminatingGateway).
|
cfg, err := ParseProxyConfig(svcConfig.ProxyConfig)
|
||||||
Error("no client certificate available for linked service, skipping filter chain creation",
|
if err != nil {
|
||||||
"service", svc.String(), "error", err)
|
// Don't hard fail on a config typo, just warn. The parse func returns
|
||||||
continue
|
// default config if there is an error so it's safe to continue.
|
||||||
|
s.Logger.Named(logging.TerminatingGateway).Warn(
|
||||||
|
"failed to parse Connect.Proxy.Config for linked service",
|
||||||
|
"service", svc.String(),
|
||||||
|
"error", err,
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
clusterChain, err := s.sniFilterChainTerminatingGateway(cInfo, cfgSnap, name, clusterName, svc)
|
clusterChain, err := s.makeFilterChainTerminatingGateway(
|
||||||
|
cInfo,
|
||||||
|
cfgSnap,
|
||||||
|
name,
|
||||||
|
clusterName,
|
||||||
|
svc,
|
||||||
|
intentions,
|
||||||
|
cfg.Protocol,
|
||||||
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to make filter chain for cluster %q: %v", clusterName, err)
|
return nil, fmt.Errorf("failed to make filter chain for cluster %q: %v", clusterName, err)
|
||||||
}
|
}
|
||||||
|
@ -580,13 +747,21 @@ func (s *Server) makeTerminatingGatewayListener(
|
||||||
if hasResolver {
|
if hasResolver {
|
||||||
// generate 1 filter chain for each service subset
|
// generate 1 filter chain for each service subset
|
||||||
for subsetName := range resolver.Subsets {
|
for subsetName := range resolver.Subsets {
|
||||||
clusterName := connect.ServiceSNI(svc.Name, subsetName, svc.NamespaceOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain)
|
subsetClusterName := connect.ServiceSNI(svc.Name, subsetName, svc.NamespaceOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain)
|
||||||
|
|
||||||
clusterChain, err := s.sniFilterChainTerminatingGateway(cInfo, cfgSnap, name, clusterName, svc)
|
subsetClusterChain, err := s.makeFilterChainTerminatingGateway(
|
||||||
|
cInfo,
|
||||||
|
cfgSnap,
|
||||||
|
name,
|
||||||
|
subsetClusterName,
|
||||||
|
svc,
|
||||||
|
intentions,
|
||||||
|
cfg.Protocol,
|
||||||
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to make filter chain for cluster %q: %v", clusterName, err)
|
return nil, fmt.Errorf("failed to make filter chain for cluster %q: %v", subsetClusterName, err)
|
||||||
}
|
}
|
||||||
l.FilterChains = append(l.FilterChains, clusterChain)
|
l.FilterChains = append(l.FilterChains, subsetClusterChain)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -608,41 +783,70 @@ func (s *Server) makeTerminatingGatewayListener(
|
||||||
return l, nil
|
return l, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Server) sniFilterChainTerminatingGateway(
|
func (s *Server) makeFilterChainTerminatingGateway(
|
||||||
cInfo connectionInfo,
|
_ connectionInfo,
|
||||||
cfgSnap *proxycfg.ConfigSnapshot,
|
cfgSnap *proxycfg.ConfigSnapshot,
|
||||||
listener, cluster string,
|
listener, cluster string,
|
||||||
service structs.ServiceName,
|
service structs.ServiceName,
|
||||||
|
intentions structs.Intentions,
|
||||||
|
protocol string,
|
||||||
) (*envoylistener.FilterChain, error) {
|
) (*envoylistener.FilterChain, error) {
|
||||||
|
filterChain := &envoylistener.FilterChain{
|
||||||
authFilter, err := makeExtAuthFilter(cInfo.Token)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
sniCluster, err := makeSNIClusterFilter()
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// The cluster name here doesn't matter as the sni_cluster filter will fill it in for us.
|
|
||||||
statPrefix := fmt.Sprintf("terminating_gateway_%s_%s_", service.NamespaceOrDefault(), service.Name)
|
|
||||||
tcpProxy, err := makeTCPProxyFilter(listener, "", statPrefix)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
return &envoylistener.FilterChain{
|
|
||||||
FilterChainMatch: makeSNIFilterChainMatch(cluster),
|
FilterChainMatch: makeSNIFilterChainMatch(cluster),
|
||||||
Filters: []*envoylistener.Filter{
|
Filters: make([]*envoylistener.Filter, 0, 3),
|
||||||
authFilter,
|
|
||||||
sniCluster,
|
|
||||||
tcpProxy,
|
|
||||||
},
|
|
||||||
TlsContext: &envoyauth.DownstreamTlsContext{
|
TlsContext: &envoyauth.DownstreamTlsContext{
|
||||||
CommonTlsContext: makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.TerminatingGateway.ServiceLeaves[service]),
|
CommonTlsContext: makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.TerminatingGateway.ServiceLeaves[service]),
|
||||||
RequireClientCertificate: &wrappers.BoolValue{Value: true},
|
RequireClientCertificate: &wrappers.BoolValue{Value: true},
|
||||||
},
|
},
|
||||||
}, err
|
}
|
||||||
|
|
||||||
|
// This controls if we do L4 or L7 intention checks.
|
||||||
|
useHTTPFilter := structs.IsProtocolHTTPLike(protocol)
|
||||||
|
|
||||||
|
// If this is L4, the first filter we setup is to do intention checks.
|
||||||
|
if !useHTTPFilter {
|
||||||
|
authFilter, err := makeRBACNetworkFilter(
|
||||||
|
intentions,
|
||||||
|
cfgSnap.IntentionDefaultAllow,
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
filterChain.Filters = append(filterChain.Filters, authFilter)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Lastly we setup the actual proxying component. For L4 this is a straight
|
||||||
|
// tcp proxy. For L7 this is a very hands-off HTTP proxy just to inject an
|
||||||
|
// HTTP filter to do intention checks here instead.
|
||||||
|
statPrefix := fmt.Sprintf("terminating_gateway_%s_%s_", service.NamespaceOrDefault(), service.Name)
|
||||||
|
opts := listenerFilterOpts{
|
||||||
|
useRDS: false,
|
||||||
|
protocol: protocol,
|
||||||
|
filterName: listener,
|
||||||
|
cluster: cluster,
|
||||||
|
statPrefix: statPrefix,
|
||||||
|
routePath: "",
|
||||||
|
ingress: false,
|
||||||
|
}
|
||||||
|
|
||||||
|
if useHTTPFilter {
|
||||||
|
var err error
|
||||||
|
opts.httpAuthzFilter, err = makeRBACHTTPFilter(
|
||||||
|
intentions,
|
||||||
|
cfgSnap.IntentionDefaultAllow,
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
filter, err := makeListenerFilter(opts)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
filterChain.Filters = append(filterChain.Filters, filter)
|
||||||
|
|
||||||
|
return filterChain, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Server) makeMeshGatewayListener(name, addr string, port int, cfgSnap *proxycfg.ConfigSnapshot) (*envoy.Listener, error) {
|
func (s *Server) makeMeshGatewayListener(name, addr string, port int, cfgSnap *proxycfg.ConfigSnapshot) (*envoy.Listener, error) {
|
||||||
|
@ -791,8 +995,17 @@ func (s *Server) makeUpstreamListenerForDiscoveryChain(
|
||||||
clusterName = CustomizeClusterName(target.Name, chain)
|
clusterName = CustomizeClusterName(target.Name, chain)
|
||||||
}
|
}
|
||||||
|
|
||||||
filter, err := makeListenerFilter(
|
opts := listenerFilterOpts{
|
||||||
useRDS, cfg.Protocol, upstreamID, clusterName, "upstream_", "", false)
|
useRDS: useRDS,
|
||||||
|
protocol: cfg.Protocol,
|
||||||
|
filterName: upstreamID,
|
||||||
|
cluster: clusterName,
|
||||||
|
statPrefix: "upstream_",
|
||||||
|
routePath: "",
|
||||||
|
ingress: false,
|
||||||
|
httpAuthzFilter: nil,
|
||||||
|
}
|
||||||
|
filter, err := makeListenerFilter(opts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -855,26 +1068,34 @@ func getAndModifyUpstreamConfigForListener(logger hclog.Logger, u *structs.Upstr
|
||||||
return cfg
|
return cfg
|
||||||
}
|
}
|
||||||
|
|
||||||
func makeListenerFilter(
|
type listenerFilterOpts struct {
|
||||||
useRDS bool,
|
useRDS bool
|
||||||
protocol, filterName, cluster, statPrefix, routePath string, ingress bool) (*envoylistener.Filter, error) {
|
protocol string
|
||||||
|
filterName string
|
||||||
|
cluster string
|
||||||
|
statPrefix string
|
||||||
|
routePath string
|
||||||
|
ingress bool
|
||||||
|
httpAuthzFilter *envoyhttp.HttpFilter
|
||||||
|
}
|
||||||
|
|
||||||
switch protocol {
|
func makeListenerFilter(opts listenerFilterOpts) (*envoylistener.Filter, error) {
|
||||||
|
switch opts.protocol {
|
||||||
case "grpc":
|
case "grpc":
|
||||||
return makeHTTPFilter(useRDS, filterName, cluster, statPrefix, routePath, ingress, true, true)
|
return makeHTTPFilter(opts.useRDS, opts.filterName, opts.cluster, opts.statPrefix, opts.routePath, opts.ingress, true, true, opts.httpAuthzFilter)
|
||||||
case "http2":
|
case "http2":
|
||||||
return makeHTTPFilter(useRDS, filterName, cluster, statPrefix, routePath, ingress, false, true)
|
return makeHTTPFilter(opts.useRDS, opts.filterName, opts.cluster, opts.statPrefix, opts.routePath, opts.ingress, false, true, opts.httpAuthzFilter)
|
||||||
case "http":
|
case "http":
|
||||||
return makeHTTPFilter(useRDS, filterName, cluster, statPrefix, routePath, ingress, false, false)
|
return makeHTTPFilter(opts.useRDS, opts.filterName, opts.cluster, opts.statPrefix, opts.routePath, opts.ingress, false, false, opts.httpAuthzFilter)
|
||||||
case "tcp":
|
case "tcp":
|
||||||
fallthrough
|
fallthrough
|
||||||
default:
|
default:
|
||||||
if useRDS {
|
if opts.useRDS {
|
||||||
return nil, fmt.Errorf("RDS is not compatible with the tcp proxy filter")
|
return nil, fmt.Errorf("RDS is not compatible with the tcp proxy filter")
|
||||||
} else if cluster == "" {
|
} else if opts.cluster == "" {
|
||||||
return nil, fmt.Errorf("cluster name is required for a tcp proxy filter")
|
return nil, fmt.Errorf("cluster name is required for a tcp proxy filter")
|
||||||
}
|
}
|
||||||
return makeTCPProxyFilter(filterName, cluster, statPrefix)
|
return makeTCPProxyFilter(opts.filterName, opts.cluster, opts.statPrefix)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -898,7 +1119,7 @@ func makeTCPProxyFilter(filterName, cluster, statPrefix string) (*envoylistener.
|
||||||
StatPrefix: makeStatPrefix("tcp", statPrefix, filterName),
|
StatPrefix: makeStatPrefix("tcp", statPrefix, filterName),
|
||||||
ClusterSpecifier: &envoytcp.TcpProxy_Cluster{Cluster: cluster},
|
ClusterSpecifier: &envoytcp.TcpProxy_Cluster{Cluster: cluster},
|
||||||
}
|
}
|
||||||
return makeFilter("envoy.tcp_proxy", cfg)
|
return makeFilter("envoy.tcp_proxy", cfg, false)
|
||||||
}
|
}
|
||||||
|
|
||||||
func makeStatPrefix(protocol, prefix, filterName string) string {
|
func makeStatPrefix(protocol, prefix, filterName string) string {
|
||||||
|
@ -912,6 +1133,7 @@ func makeHTTPFilter(
|
||||||
useRDS bool,
|
useRDS bool,
|
||||||
filterName, cluster, statPrefix, routePath string,
|
filterName, cluster, statPrefix, routePath string,
|
||||||
ingress, grpc, http2 bool,
|
ingress, grpc, http2 bool,
|
||||||
|
authzFilter *envoyhttp.HttpFilter,
|
||||||
) (*envoylistener.Filter, error) {
|
) (*envoylistener.Filter, error) {
|
||||||
op := envoyhttp.HttpConnectionManager_Tracing_INGRESS
|
op := envoyhttp.HttpConnectionManager_Tracing_INGRESS
|
||||||
if !ingress {
|
if !ingress {
|
||||||
|
@ -1001,43 +1223,37 @@ func makeHTTPFilter(
|
||||||
cfg.Http2ProtocolOptions = &envoycore.Http2ProtocolOptions{}
|
cfg.Http2ProtocolOptions = &envoycore.Http2ProtocolOptions{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Like injectConnectFilters for L4, here we ensure that the first filter
|
||||||
|
// (other than the "envoy.grpc_http1_bridge" filter) in the http filter
|
||||||
|
// chain of a public listener is the authz filter to prevent unauthorized
|
||||||
|
// access and that every filter chain uses our TLS certs.
|
||||||
|
if authzFilter != nil {
|
||||||
|
cfg.HttpFilters = append([]*envoyhttp.HttpFilter{authzFilter}, cfg.HttpFilters...)
|
||||||
|
}
|
||||||
|
|
||||||
if grpc {
|
if grpc {
|
||||||
// Add grpc bridge before router
|
// Add grpc bridge before router and authz
|
||||||
cfg.HttpFilters = append([]*envoyhttp.HttpFilter{{
|
cfg.HttpFilters = append([]*envoyhttp.HttpFilter{{
|
||||||
Name: "envoy.grpc_http1_bridge",
|
Name: "envoy.grpc_http1_bridge",
|
||||||
ConfigType: &envoyhttp.HttpFilter_Config{Config: &pbstruct.Struct{}},
|
ConfigType: &envoyhttp.HttpFilter_Config{Config: &pbstruct.Struct{}},
|
||||||
}}, cfg.HttpFilters...)
|
}}, cfg.HttpFilters...)
|
||||||
}
|
}
|
||||||
|
|
||||||
return makeFilter("envoy.http_connection_manager", cfg)
|
return makeFilter("envoy.http_connection_manager", cfg, false)
|
||||||
}
|
}
|
||||||
|
|
||||||
func makeExtAuthFilter(token string) (*envoylistener.Filter, error) {
|
func makeFilter(name string, cfg proto.Message, typed bool) (*envoylistener.Filter, error) {
|
||||||
cfg := &extauthz.ExtAuthz{
|
filter := &envoylistener.Filter{
|
||||||
StatPrefix: "connect_authz",
|
Name: name,
|
||||||
GrpcService: &envoycore.GrpcService{
|
}
|
||||||
// Attach token header so we can authorize the callbacks. Technically
|
if typed {
|
||||||
// authorize is not really protected data but we locked down the HTTP
|
any, err := pbtypes.MarshalAny(cfg)
|
||||||
// implementation to need service:write and since we have the token that
|
if err != nil {
|
||||||
// has that it's pretty reasonable to set it up here.
|
return nil, err
|
||||||
InitialMetadata: []*envoycore.HeaderValue{
|
|
||||||
{
|
|
||||||
Key: "x-consul-token",
|
|
||||||
Value: token,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
TargetSpecifier: &envoycore.GrpcService_EnvoyGrpc_{
|
|
||||||
EnvoyGrpc: &envoycore.GrpcService_EnvoyGrpc{
|
|
||||||
ClusterName: LocalAgentClusterName,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
FailureModeAllow: false,
|
|
||||||
}
|
}
|
||||||
return makeFilter("envoy.ext_authz", cfg)
|
|
||||||
}
|
|
||||||
|
|
||||||
func makeFilter(name string, cfg proto.Message) (*envoylistener.Filter, error) {
|
filter.ConfigType = &envoylistener.Filter_TypedConfig{TypedConfig: any}
|
||||||
|
} else {
|
||||||
// Ridiculous dance to make that struct into pbstruct.Struct by... encoding it
|
// Ridiculous dance to make that struct into pbstruct.Struct by... encoding it
|
||||||
// as JSON and decoding again!!
|
// as JSON and decoding again!!
|
||||||
cfgStruct, err := conversion.MessageToStruct(cfg)
|
cfgStruct, err := conversion.MessageToStruct(cfg)
|
||||||
|
@ -1045,9 +1261,23 @@ func makeFilter(name string, cfg proto.Message) (*envoylistener.Filter, error) {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
return &envoylistener.Filter{
|
filter.ConfigType = &envoylistener.Filter_Config{Config: cfgStruct}
|
||||||
|
}
|
||||||
|
|
||||||
|
return filter, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func makeEnvoyHTTPFilter(name string, cfg proto.Message) (*envoyhttp.HttpFilter, error) {
|
||||||
|
// Ridiculous dance to make that struct into pbstruct.Struct by... encoding it
|
||||||
|
// as JSON and decoding again!!
|
||||||
|
cfgStruct, err := conversion.MessageToStruct(cfg)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return &envoyhttp.HttpFilter{
|
||||||
Name: name,
|
Name: name,
|
||||||
ConfigType: &envoylistener.Filter_Config{Config: cfgStruct},
|
ConfigType: &envoyhttp.HttpFilter_Config{Config: cfgStruct},
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -2,13 +2,13 @@ package xds
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"fmt"
|
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"sort"
|
"sort"
|
||||||
"testing"
|
"testing"
|
||||||
"text/template"
|
"text/template"
|
||||||
|
|
||||||
envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
|
envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
|
||||||
|
"github.com/envoyproxy/go-control-plane/pkg/wellknown"
|
||||||
"github.com/hashicorp/consul/agent/proxycfg"
|
"github.com/hashicorp/consul/agent/proxycfg"
|
||||||
"github.com/hashicorp/consul/agent/structs"
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
"github.com/hashicorp/consul/agent/xds/proxysupport"
|
"github.com/hashicorp/consul/agent/xds/proxysupport"
|
||||||
|
@ -80,6 +80,66 @@ func TestListenersFromSnapshot(t *testing.T) {
|
||||||
})
|
})
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "custom-public-listener-http",
|
||||||
|
create: proxycfg.TestConfigSnapshot,
|
||||||
|
setup: func(snap *proxycfg.ConfigSnapshot) {
|
||||||
|
snap.Proxy.Config["protocol"] = "http"
|
||||||
|
snap.Proxy.Config["envoy_public_listener_json"] =
|
||||||
|
customHTTPListenerJSON(t, customHTTPListenerJSONOptions{
|
||||||
|
Name: "custom-public-listen",
|
||||||
|
})
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "custom-public-listener-http-typed",
|
||||||
|
create: proxycfg.TestConfigSnapshot,
|
||||||
|
setup: func(snap *proxycfg.ConfigSnapshot) {
|
||||||
|
snap.Proxy.Config["protocol"] = "http"
|
||||||
|
snap.Proxy.Config["envoy_public_listener_json"] =
|
||||||
|
customHTTPListenerJSON(t, customHTTPListenerJSONOptions{
|
||||||
|
Name: "custom-public-listen",
|
||||||
|
TypedConfig: true,
|
||||||
|
})
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "custom-public-listener-http-2",
|
||||||
|
create: proxycfg.TestConfigSnapshot,
|
||||||
|
setup: func(snap *proxycfg.ConfigSnapshot) {
|
||||||
|
snap.Proxy.Config["protocol"] = "http"
|
||||||
|
snap.Proxy.Config["envoy_public_listener_json"] =
|
||||||
|
customHTTPListenerJSON(t, customHTTPListenerJSONOptions{
|
||||||
|
Name: "custom-public-listen",
|
||||||
|
HTTPConnectionManagerName: httpConnectionManagerNewName,
|
||||||
|
})
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "custom-public-listener-http-2-typed",
|
||||||
|
create: proxycfg.TestConfigSnapshot,
|
||||||
|
setup: func(snap *proxycfg.ConfigSnapshot) {
|
||||||
|
snap.Proxy.Config["protocol"] = "http"
|
||||||
|
snap.Proxy.Config["envoy_public_listener_json"] =
|
||||||
|
customHTTPListenerJSON(t, customHTTPListenerJSONOptions{
|
||||||
|
Name: "custom-public-listen",
|
||||||
|
HTTPConnectionManagerName: httpConnectionManagerNewName,
|
||||||
|
TypedConfig: true,
|
||||||
|
})
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "custom-public-listener-http-missing",
|
||||||
|
create: proxycfg.TestConfigSnapshot,
|
||||||
|
setup: func(snap *proxycfg.ConfigSnapshot) {
|
||||||
|
snap.Proxy.Config["protocol"] = "http"
|
||||||
|
snap.Proxy.Config["envoy_public_listener_json"] =
|
||||||
|
customListenerJSON(t, customListenerJSONOptions{
|
||||||
|
Name: "custom-public-listen",
|
||||||
|
IncludeType: false,
|
||||||
|
})
|
||||||
|
},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "custom-public-listener-typed",
|
name: "custom-public-listener-typed",
|
||||||
create: proxycfg.TestConfigSnapshot,
|
create: proxycfg.TestConfigSnapshot,
|
||||||
|
@ -500,11 +560,7 @@ func TestListenersFromSnapshot(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func expectListenerJSONResources(t *testing.T, snap *proxycfg.ConfigSnapshot, token string) map[string]string {
|
func expectListenerJSONResources(t *testing.T, snap *proxycfg.ConfigSnapshot) map[string]string {
|
||||||
tokenVal := ""
|
|
||||||
if token != "" {
|
|
||||||
tokenVal = fmt.Sprintf(",\n"+`"value": "%s"`, token)
|
|
||||||
}
|
|
||||||
return map[string]string{
|
return map[string]string{
|
||||||
"public_listener": `{
|
"public_listener": `{
|
||||||
"@type": "type.googleapis.com/envoy.api.v2.Listener",
|
"@type": "type.googleapis.com/envoy.api.v2.Listener",
|
||||||
|
@ -520,18 +576,9 @@ func expectListenerJSONResources(t *testing.T, snap *proxycfg.ConfigSnapshot, to
|
||||||
"tlsContext": ` + expectedPublicTLSContextJSON(t, snap) + `,
|
"tlsContext": ` + expectedPublicTLSContextJSON(t, snap) + `,
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token"
|
|
||||||
` + tokenVal + `
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
@ -622,14 +669,13 @@ func expectListenerJSONFromResources(snap *proxycfg.ConfigSnapshot, v, n uint64,
|
||||||
}`
|
}`
|
||||||
}
|
}
|
||||||
|
|
||||||
func expectListenerJSON(t *testing.T, snap *proxycfg.ConfigSnapshot, token string, v, n uint64) string {
|
func expectListenerJSON(t *testing.T, snap *proxycfg.ConfigSnapshot, v, n uint64) string {
|
||||||
return expectListenerJSONFromResources(snap, v, n, expectListenerJSONResources(t, snap, token))
|
return expectListenerJSONFromResources(snap, v, n, expectListenerJSONResources(t, snap))
|
||||||
}
|
}
|
||||||
|
|
||||||
type customListenerJSONOptions struct {
|
type customListenerJSONOptions struct {
|
||||||
Name string
|
Name string
|
||||||
IncludeType bool
|
IncludeType bool
|
||||||
OverrideAuthz bool
|
|
||||||
TLSContext string
|
TLSContext string
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -650,25 +696,6 @@ const customListenerJSONTpl = `{
|
||||||
"tlsContext": {{ .TLSContext }},
|
"tlsContext": {{ .TLSContext }},
|
||||||
{{- end }}
|
{{- end }}
|
||||||
"filters": [
|
"filters": [
|
||||||
{{ if .OverrideAuthz -}}
|
|
||||||
{
|
|
||||||
"name": "envoy.ext_authz",
|
|
||||||
"config": {
|
|
||||||
"grpc_service": {
|
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"stat_prefix": "connect_authz"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{{- end }}
|
|
||||||
{
|
{
|
||||||
"name": "envoy.tcp_proxy",
|
"name": "envoy.tcp_proxy",
|
||||||
"config": {
|
"config": {
|
||||||
|
@ -681,12 +708,82 @@ const customListenerJSONTpl = `{
|
||||||
]
|
]
|
||||||
}`
|
}`
|
||||||
|
|
||||||
var customListenerJSONTemplate = template.Must(template.New("").Parse(customListenerJSONTpl))
|
type customHTTPListenerJSONOptions struct {
|
||||||
|
Name string
|
||||||
|
HTTPConnectionManagerName string
|
||||||
|
TypedConfig bool
|
||||||
|
}
|
||||||
|
|
||||||
|
const customHTTPListenerJSONTpl = `{
|
||||||
|
"name": "{{ .Name }}",
|
||||||
|
"address": {
|
||||||
|
"socketAddress": {
|
||||||
|
"address": "11.11.11.11",
|
||||||
|
"portValue": 11111
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"filterChains": [
|
||||||
|
{
|
||||||
|
"filters": [
|
||||||
|
{
|
||||||
|
"name": "{{ .HTTPConnectionManagerName }}",
|
||||||
|
{{ if .TypedConfig -}}
|
||||||
|
"typedConfig": {
|
||||||
|
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
|
||||||
|
{{ else -}}
|
||||||
|
"config": {
|
||||||
|
{{- end }}
|
||||||
|
"http_filters": [
|
||||||
|
{
|
||||||
|
"name": "envoy.router"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"route_config": {
|
||||||
|
"name": "public_listener",
|
||||||
|
"virtual_hosts": [
|
||||||
|
{
|
||||||
|
"domains": [
|
||||||
|
"*"
|
||||||
|
],
|
||||||
|
"name": "public_listener",
|
||||||
|
"routes": [
|
||||||
|
{
|
||||||
|
"match": {
|
||||||
|
"prefix": "/"
|
||||||
|
},
|
||||||
|
"route": {
|
||||||
|
"cluster": "random-cluster"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}`
|
||||||
|
|
||||||
|
var (
|
||||||
|
customListenerJSONTemplate = template.Must(template.New("").Parse(customListenerJSONTpl))
|
||||||
|
customHTTPListenerJSONTemplate = template.Must(template.New("").Parse(customHTTPListenerJSONTpl))
|
||||||
|
)
|
||||||
|
|
||||||
func customListenerJSON(t *testing.T, opts customListenerJSONOptions) string {
|
func customListenerJSON(t *testing.T, opts customListenerJSONOptions) string {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
var buf bytes.Buffer
|
var buf bytes.Buffer
|
||||||
err := customListenerJSONTemplate.Execute(&buf, opts)
|
require.NoError(t, customListenerJSONTemplate.Execute(&buf, opts))
|
||||||
require.NoError(t, err)
|
return buf.String()
|
||||||
|
}
|
||||||
|
|
||||||
|
func customHTTPListenerJSON(t *testing.T, opts customHTTPListenerJSONOptions) string {
|
||||||
|
t.Helper()
|
||||||
|
if opts.HTTPConnectionManagerName == "" {
|
||||||
|
opts.HTTPConnectionManagerName = wellknown.HTTPConnectionManager
|
||||||
|
}
|
||||||
|
var buf bytes.Buffer
|
||||||
|
require.NoError(t, customHTTPListenerJSONTemplate.Execute(&buf, opts))
|
||||||
return buf.String()
|
return buf.String()
|
||||||
}
|
}
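Review bot: In `expectListenerJSONResources` the network RBAC filter's expected `"rules": {}` is easy to misread as an empty, permissive config, when it is the deny-all that a snapshot with no intentions and a default-deny ACL policy should produce (proto3 JSON omits the zero-valued `ALLOW` action, and Envoy denies any request that no policy matches). A Go comment above the `"public_listener"` entry would make that explicit, e.g. `// No intentions + default deny => RBAC ALLOW with no policies, which Envoy evaluates as deny-all; it serializes as an empty object.` The new `custom-public-listener-http*` cases only pin this deny-all shape: none of them set `snap.IntentionDefaultAllow` or populate `snap.ConnectProxy.Intentions`, so unless rbac_test.go covers it (not visible here), one case with a single allow intention and one with `IntentionDefaultAllow = true` would guard the policy translation on the injected-HCM path against regressing silently. The golden files these cases compare against are outside this section, so the assertion on the injected `envoy.filters.http.rbac` position could not be checked from here.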
|
||||||
|
|
|
@ -0,0 +1,374 @@
|
||||||
|
package xds
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"sort"
|
||||||
|
|
||||||
|
envoylistener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener"
|
||||||
|
envoyhttprbac "github.com/envoyproxy/go-control-plane/envoy/config/filter/http/rbac/v2"
|
||||||
|
envoyhttp "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2"
|
||||||
|
envoynetrbac "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/rbac/v2"
|
||||||
|
envoyrbac "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2"
|
||||||
|
envoymatcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher"
|
||||||
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
|
)
|
||||||
|
|
||||||
|
func makeRBACNetworkFilter(intentions structs.Intentions, intentionDefaultAllow bool) (*envoylistener.Filter, error) {
|
||||||
|
rules, err := makeRBACRules(intentions, intentionDefaultAllow)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
cfg := &envoynetrbac.RBAC{
|
||||||
|
StatPrefix: "connect_authz",
|
||||||
|
Rules: rules,
|
||||||
|
}
|
||||||
|
return makeFilter("envoy.filters.network.rbac", cfg, false)
|
||||||
|
}
|
||||||
|
|
||||||
|
func makeRBACHTTPFilter(intentions structs.Intentions, intentionDefaultAllow bool) (*envoyhttp.HttpFilter, error) {
|
||||||
|
rules, err := makeRBACRules(intentions, intentionDefaultAllow)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
cfg := &envoyhttprbac.RBAC{
|
||||||
|
Rules: rules,
|
||||||
|
}
|
||||||
|
return makeEnvoyHTTPFilter("envoy.filters.http.rbac", cfg)
|
||||||
|
}
|
||||||
|
|
||||||
|
type rbacIntention struct {
|
||||||
|
Source structs.ServiceName
|
||||||
|
NotSources []structs.ServiceName
|
||||||
|
Allow bool
|
||||||
|
Precedence int
|
||||||
|
Skip bool
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *rbacIntention) Simplify() {
|
||||||
|
r.NotSources = simplifyNotSourceSlice(r.NotSources)
|
||||||
|
}
|
||||||
|
|
||||||
|
func simplifyNotSourceSlice(notSources []structs.ServiceName) []structs.ServiceName {
|
||||||
|
if len(notSources) <= 1 {
|
||||||
|
return notSources
|
||||||
|
}
|
||||||
|
|
||||||
|
// Collapse NotSources elements together if any element is a subset of
|
||||||
|
// another.
|
||||||
|
|
||||||
|
// Sort, keeping the least wildcarded elements first.
|
||||||
|
sort.SliceStable(notSources, func(i, j int) bool {
|
||||||
|
return countWild(notSources[i]) < countWild(notSources[j])
|
||||||
|
})
|
||||||
|
|
||||||
|
keep := make([]structs.ServiceName, 0, len(notSources))
|
||||||
|
for i := 0; i < len(notSources); i++ {
|
||||||
|
si := notSources[i]
|
||||||
|
remove := false
|
||||||
|
for j := i + 1; j < len(notSources); j++ {
|
||||||
|
sj := notSources[j]
|
||||||
|
|
||||||
|
if ixnSourceMatches(si, sj) {
|
||||||
|
remove = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !remove {
|
||||||
|
keep = append(keep, si)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return keep
|
||||||
|
}
|
||||||
|
|
||||||
|
// makeRBACRules translates Consul intentions into RBAC Policies for Envoy.
|
||||||
|
//
|
||||||
|
// Consul lets you define up to 9 different kinds of intentions that apply at
|
||||||
|
// different levels of precedence (this is limited to 4 if not using Consul
|
||||||
|
// Enterprise). Each intention in this flat list (sorted by precedence) can either
|
||||||
|
// be an allow rule or a deny rule. Here’s a concrete example of this at work:
|
||||||
|
//
|
||||||
|
// intern/trusted-app => billing/payment-svc : ALLOW (prec=9)
|
||||||
|
// intern/* => billing/payment-svc : DENY (prec=8)
|
||||||
|
// */* => billing/payment-svc : ALLOW (prec=7)
|
||||||
|
// ::: ACL default policy ::: : DENY (prec=N/A)
|
||||||
|
//
|
||||||
|
// In contrast, Envoy lets you either configure a filter to be based on an
|
||||||
|
// allow-list or a deny-list based on the action attribute of the RBAC rules
|
||||||
|
// struct.
|
||||||
|
//
|
||||||
|
// On the surface it would seem that the configuration model of Consul
|
||||||
|
// intentions is incompatible with that of Envoy’s RBAC engine. For any given
|
||||||
|
// destination service Consul’s model requires evaluating a list of rules and
|
||||||
|
// short circuiting later rules once an earlier rule matches. After a rule is
|
||||||
|
// found to match then we decide if it is allow/deny. Envoy on the other hand
|
||||||
|
// requires the rules to express all conditions to allow access or all conditions
|
||||||
|
// to deny access.
|
||||||
|
//
|
||||||
|
// Despite the surface incompatibility it is possible to marry these two
|
||||||
|
// models. For clarity I’ll rewrite the earlier example intentions in an
|
||||||
|
// abbreviated form:
|
||||||
|
//
|
||||||
|
// A : ALLOW
|
||||||
|
// B : DENY
|
||||||
|
// C : ALLOW
|
||||||
|
// <default> : DENY
|
||||||
|
//
|
||||||
|
// 1. Given that the overall intention default is set to deny, we start by
|
||||||
|
// choosing to build an allow-list in Envoy (this is also the variant that I find
|
||||||
|
// easier to think about).
|
||||||
|
// 2. Next we traverse the list in precedence order (top down) and any DENY
|
||||||
|
// intentions are combined with later intentions using logical operations.
|
||||||
|
// 3. Now that all of the intentions result in the same action (allow) we have
|
||||||
|
// successfully removed precedence and we can express this in as a set of Envoy
|
||||||
|
// RBAC policies.
|
||||||
|
//
|
||||||
|
// After this the earlier A/B/C/default list becomes:
|
||||||
|
//
|
||||||
|
// A : ALLOW
|
||||||
|
// C AND NOT(B) : ALLOW
|
||||||
|
// <default> : DENY
|
||||||
|
//
|
||||||
|
// Which really is just an allow-list of [A, C AND NOT(B)]
|
||||||
|
func makeRBACRules(intentions structs.Intentions, intentionDefaultAllow bool) (*envoyrbac.RBAC, error) {
|
||||||
|
// Note that we DON'T explicitly validate the trust-domain matches ours.
|
||||||
|
//
|
||||||
|
// For now we don't validate the trust domain of the _destination_ at all.
|
||||||
|
// The RBAC policies below ignore the trust domain and it's implicit that
|
||||||
|
// the request is for the correct cluster. We might want to reconsider this
|
||||||
|
// later but plumbing in additional machinery to check the clusterID here
|
||||||
|
// is not really necessary for now unless the Envoys are badly configured.
|
||||||
|
// Our threat model _requires_ correctly configured and well behaved
|
||||||
|
// proxies given that they have ACLs to fetch certs and so can do whatever
|
||||||
|
// they want including not authorizing traffic at all or routing it do a
|
||||||
|
// different service than they auth'd against.
|
||||||
|
|
||||||
|
// TODO(banks,rb): Implement revocation list checking?
|
||||||
|
|
||||||
|
// Omit any lower-precedence intentions that share the same source.
|
||||||
|
intentions = removeSameSourceIntentions(intentions)
|
||||||
|
|
||||||
|
// First build up just the basic principal matches.
|
||||||
|
rbacIxns := make([]*rbacIntention, 0, len(intentions))
|
||||||
|
for _, ixn := range intentions {
|
||||||
|
rbacIxns = append(rbacIxns, &rbacIntention{
|
||||||
|
Source: ixn.SourceServiceName(),
|
||||||
|
Allow: (ixn.Action == structs.IntentionActionAllow),
|
||||||
|
Precedence: ixn.Precedence,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// Normalize: if we are in default-deny then all intentions must be allows and vice versa
|
||||||
|
|
||||||
|
var rbacAction envoyrbac.RBAC_Action
|
||||||
|
if intentionDefaultAllow {
|
||||||
|
// The RBAC policies deny access to principals. The rest is allowed.
|
||||||
|
// This is block-list style access control.
|
||||||
|
rbacAction = envoyrbac.RBAC_DENY
|
||||||
|
} else {
|
||||||
|
// The RBAC policies grant access to principals. The rest is denied.
|
||||||
|
// This is safe-list style access control. This is the default type.
|
||||||
|
rbacAction = envoyrbac.RBAC_ALLOW
|
||||||
|
}
|
||||||
|
|
||||||
|
// First walk backwards and if we encounter an intention with an action
|
||||||
|
// that is the same as the default intention action, add it to all
|
||||||
|
// subsequent statements (via AND NOT $x) and mark the rule itself for
|
||||||
|
// erasure.
|
||||||
|
//
|
||||||
|
// i.e. for a default-deny setup we look for denies.
|
||||||
|
if len(rbacIxns) > 0 {
|
||||||
|
for i := len(rbacIxns) - 1; i >= 0; i-- {
|
||||||
|
if rbacIxns[i].Allow == intentionDefaultAllow {
|
||||||
|
for j := i + 1; j < len(rbacIxns); j++ {
|
||||||
|
if rbacIxns[j].Skip {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
// [i] is the intention candidate that we are distributing
|
||||||
|
// [j] is the thing to maybe NOT [i] from
|
||||||
|
if ixnSourceMatches(rbacIxns[i].Source, rbacIxns[j].Source) {
|
||||||
|
rbacIxns[j].NotSources = append(rbacIxns[j].NotSources, rbacIxns[i].Source)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// since this is default-FOO, any trailing FOO intentions will just evaporate
|
||||||
|
rbacIxns[i].Skip = true // mark for deletion
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// At this point precedence doesn't matter since all roads lead to the same action.
|
||||||
|
|
||||||
|
var principals []*envoyrbac.Principal
|
||||||
|
for _, rbacIxn := range rbacIxns {
|
||||||
|
if rbacIxn.Skip {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// NOTE: at this point "rbacIxn.Allow != intentionDefaultAllow"
|
||||||
|
|
||||||
|
rbacIxn.Simplify()
|
||||||
|
|
||||||
|
if len(rbacIxn.NotSources) > 0 {
|
||||||
|
andIDs := make([]*envoyrbac.Principal, 0, len(rbacIxn.NotSources)+1)
|
||||||
|
andIDs = append(andIDs, idPrincipal(rbacIxn.Source))
|
||||||
|
for _, src := range rbacIxn.NotSources {
|
||||||
|
andIDs = append(andIDs, notPrincipal(
|
||||||
|
idPrincipal(src),
|
||||||
|
))
|
||||||
|
}
|
||||||
|
principals = append(principals, andPrincipals(andIDs))
|
||||||
|
} else {
|
||||||
|
principals = append(principals, idPrincipal(rbacIxn.Source))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
rbac := &envoyrbac.RBAC{
|
||||||
|
Action: rbacAction,
|
||||||
|
}
|
||||||
|
if len(principals) > 0 {
|
||||||
|
policy := &envoyrbac.Policy{
|
||||||
|
Principals: principals,
|
||||||
|
Permissions: []*envoyrbac.Permission{anyPermission()},
|
||||||
|
}
|
||||||
|
rbac.Policies = map[string]*envoyrbac.Policy{
|
||||||
|
"consul-intentions": policy,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return rbac, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func removeSameSourceIntentions(intentions structs.Intentions) structs.Intentions {
|
||||||
|
if len(intentions) < 2 {
|
||||||
|
return intentions
|
||||||
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
out = make(structs.Intentions, 0, len(intentions))
|
||||||
|
changed = false
|
||||||
|
seenSource = make(map[structs.ServiceName]struct{})
|
||||||
|
)
|
||||||
|
for _, ixn := range intentions {
|
||||||
|
sn := ixn.SourceServiceName()
|
||||||
|
if _, ok := seenSource[sn]; ok {
|
||||||
|
// A higher precedence intention already used this exact source
|
||||||
|
// definition with a different destination.
|
||||||
|
changed = true
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
seenSource[sn] = struct{}{}
|
||||||
|
out = append(out, ixn)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !changed {
|
||||||
|
return intentions
|
||||||
|
}
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
type sourceMatch int
|
||||||
|
|
||||||
|
const (
|
||||||
|
sourceMatchIgnore sourceMatch = 0
|
||||||
|
sourceMatchSuperset sourceMatch = 1
|
||||||
|
matchSameSubset sourceMatch = 2
|
||||||
|
)
|
||||||
|
|
||||||
|
// ixnSourceMatches deterines if the 'tester' service name is matched by the
|
||||||
|
// 'against' service name via wildcard rules.
|
||||||
|
//
|
||||||
|
// For instance:
|
||||||
|
// - (web, api) => false, because these have no wildcards
|
||||||
|
// - (web, *) => true, because "all services" includes "web"
|
||||||
|
// - (default/web, default/*) => true, because "all services in the default NS" includes "default/web"
|
||||||
|
// - (default/*, */*) => true, "any service in any NS" includes "all services in the default NS"
|
||||||
|
func ixnSourceMatches(tester, against structs.ServiceName) bool {
|
||||||
|
// We assume that we can't have the same intention twice before arriving
|
||||||
|
// here.
|
||||||
|
numWildTester := countWild(tester)
|
||||||
|
numWildAgainst := countWild(against)
|
||||||
|
|
||||||
|
if numWildTester == numWildAgainst {
|
||||||
|
return false
|
||||||
|
} else if numWildTester > numWildAgainst {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
matchesNS := tester.NamespaceOrDefault() == against.NamespaceOrDefault() || against.NamespaceOrDefault() == structs.WildcardSpecifier
|
||||||
|
matchesName := tester.Name == against.Name || against.Name == structs.WildcardSpecifier
|
||||||
|
return matchesNS && matchesName
|
||||||
|
}
|
||||||
|
|
||||||
|
// countWild counts the number of wildcard values in the given namespace and name.
|
||||||
|
func countWild(src structs.ServiceName) int {
|
||||||
|
// If NS is wildcard, it must be 2 since wildcards only follow exact
|
||||||
|
if src.NamespaceOrDefault() == structs.WildcardSpecifier {
|
||||||
|
return 2
|
||||||
|
}
|
||||||
|
|
||||||
|
// Same reasoning as above, a wildcard can only follow an exact value
|
||||||
|
// and an exact value cannot follow a wildcard, so if name is a wildcard
|
||||||
|
// we must have exactly one.
|
||||||
|
if src.Name == structs.WildcardSpecifier {
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
func andPrincipals(ids []*envoyrbac.Principal) *envoyrbac.Principal {
|
||||||
|
return &envoyrbac.Principal{
|
||||||
|
Identifier: &envoyrbac.Principal_AndIds{
|
||||||
|
AndIds: &envoyrbac.Principal_Set{
|
||||||
|
Ids: ids,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func notPrincipal(id *envoyrbac.Principal) *envoyrbac.Principal {
|
||||||
|
return &envoyrbac.Principal{
|
||||||
|
Identifier: &envoyrbac.Principal_NotId{
|
||||||
|
NotId: id,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func idPrincipal(src structs.ServiceName) *envoyrbac.Principal {
|
||||||
|
pattern := makeSpiffePattern(src.NamespaceOrDefault(), src.Name)
|
||||||
|
|
||||||
|
return &envoyrbac.Principal{
|
||||||
|
Identifier: &envoyrbac.Principal_Authenticated_{
|
||||||
|
Authenticated: &envoyrbac.Principal_Authenticated{
|
||||||
|
PrincipalName: &envoymatcher.StringMatcher{
|
||||||
|
MatchPattern: &envoymatcher.StringMatcher_SafeRegex{
|
||||||
|
SafeRegex: makeEnvoyRegexMatch(pattern),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
func makeSpiffePattern(sourceNS, sourceName string) string {
|
||||||
|
const (
|
||||||
|
anyPath = `[^/]+`
|
||||||
|
spiffeTemplate = `^spiffe://%s/ns/%s/dc/%s/svc/%s$`
|
||||||
|
)
|
||||||
|
switch {
|
||||||
|
case sourceNS != structs.WildcardSpecifier && sourceName != structs.WildcardSpecifier:
|
||||||
|
return fmt.Sprintf(spiffeTemplate, anyPath, sourceNS, anyPath, sourceName)
|
||||||
|
case sourceNS != structs.WildcardSpecifier && sourceName == structs.WildcardSpecifier:
|
||||||
|
return fmt.Sprintf(spiffeTemplate, anyPath, sourceNS, anyPath, anyPath)
|
||||||
|
case sourceNS == structs.WildcardSpecifier && sourceName == structs.WildcardSpecifier:
|
||||||
|
return fmt.Sprintf(spiffeTemplate, anyPath, anyPath, anyPath, anyPath)
|
||||||
|
default:
|
||||||
|
panic(fmt.Sprintf("not possible to have a wildcarded namespace %q but an exact service %q", sourceNS, sourceName))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func anyPermission() *envoyrbac.Permission {
|
||||||
|
return &envoyrbac.Permission{
|
||||||
|
Rule: &envoyrbac.Permission_Any{Any: true},
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,259 @@
|
||||||
|
package xds
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"path/filepath"
|
||||||
|
"sort"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestMakeRBACNetworkFilter(t *testing.T) {
|
||||||
|
testIntention := func(t *testing.T, src, dst string, action structs.IntentionAction) *structs.Intention {
|
||||||
|
t.Helper()
|
||||||
|
ixn := structs.TestIntention(t)
|
||||||
|
ixn.SourceName = src
|
||||||
|
ixn.DestinationName = dst
|
||||||
|
ixn.Action = action
|
||||||
|
ixn.UpdatePrecedence()
|
||||||
|
return ixn
|
||||||
|
}
|
||||||
|
testSourceIntention := func(src string, action structs.IntentionAction) *structs.Intention {
|
||||||
|
return testIntention(t, src, "api", action)
|
||||||
|
}
|
||||||
|
sorted := func(ixns ...*structs.Intention) structs.Intentions {
|
||||||
|
sort.SliceStable(ixns, func(i, j int) bool {
|
||||||
|
return ixns[j].Precedence < ixns[i].Precedence
|
||||||
|
})
|
||||||
|
return structs.Intentions(ixns)
|
||||||
|
}
|
||||||
|
|
||||||
|
tests := map[string]struct {
|
||||||
|
intentionDefaultAllow bool
|
||||||
|
intentions structs.Intentions
|
||||||
|
}{
|
||||||
|
"default-deny-mixed-precedence": {
|
||||||
|
intentionDefaultAllow: false,
|
||||||
|
intentions: sorted(
|
||||||
|
testIntention(t, "web", "api", structs.IntentionActionAllow),
|
||||||
|
testIntention(t, "*", "api", structs.IntentionActionDeny),
|
||||||
|
testIntention(t, "web", "*", structs.IntentionActionDeny),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
"default-deny-service-wildcard-allow": {
|
||||||
|
intentionDefaultAllow: false,
|
||||||
|
intentions: sorted(
|
||||||
|
testSourceIntention("*", structs.IntentionActionAllow),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
"default-allow-service-wildcard-deny": {
|
||||||
|
intentionDefaultAllow: true,
|
||||||
|
intentions: sorted(
|
||||||
|
testSourceIntention("*", structs.IntentionActionDeny),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
"default-deny-one-allow": {
|
||||||
|
intentionDefaultAllow: false,
|
||||||
|
intentions: sorted(
|
||||||
|
testSourceIntention("web", structs.IntentionActionAllow),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
"default-allow-one-deny": {
|
||||||
|
intentionDefaultAllow: true,
|
||||||
|
intentions: sorted(
|
||||||
|
testSourceIntention("web", structs.IntentionActionDeny),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
"default-deny-allow-deny": {
|
||||||
|
intentionDefaultAllow: false,
|
||||||
|
intentions: sorted(
|
||||||
|
testSourceIntention("web", structs.IntentionActionDeny),
|
||||||
|
testSourceIntention("*", structs.IntentionActionAllow),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
"default-deny-kitchen-sink": {
|
||||||
|
intentionDefaultAllow: false,
|
||||||
|
intentions: sorted(
|
||||||
|
// (double exact)
|
||||||
|
testSourceIntention("web", structs.IntentionActionAllow),
|
||||||
|
testSourceIntention("unsafe", structs.IntentionActionDeny),
|
||||||
|
testSourceIntention("cron", structs.IntentionActionAllow),
|
||||||
|
// and we invert the default-ness of the whole thing
|
||||||
|
testSourceIntention("*", structs.IntentionActionAllow),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
"default-allow-kitchen-sink": {
|
||||||
|
intentionDefaultAllow: true,
|
||||||
|
intentions: sorted(
|
||||||
|
// (double exact)
|
||||||
|
testSourceIntention("web", structs.IntentionActionDeny),
|
||||||
|
testSourceIntention("unsafe", structs.IntentionActionAllow),
|
||||||
|
testSourceIntention("cron", structs.IntentionActionDeny),
|
||||||
|
// and we invert the default-ness of the whole thing
|
||||||
|
testSourceIntention("*", structs.IntentionActionDeny),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for name, tt := range tests {
|
||||||
|
tt := tt
|
||||||
|
t.Run(name, func(t *testing.T) {
|
||||||
|
filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
gotJSON := protoToJSON(t, filter)
|
||||||
|
|
||||||
|
require.JSONEq(t, golden(t, filepath.Join("rbac", name), "", gotJSON), gotJSON)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestRemoveSameSourceIntentions(t *testing.T) {
|
||||||
|
testIntention := func(t *testing.T, src, dst string) *structs.Intention {
|
||||||
|
t.Helper()
|
||||||
|
ixn := structs.TestIntention(t)
|
||||||
|
ixn.SourceName = src
|
||||||
|
ixn.DestinationName = dst
|
||||||
|
ixn.UpdatePrecedence()
|
||||||
|
return ixn
|
||||||
|
}
|
||||||
|
sorted := func(ixns ...*structs.Intention) structs.Intentions {
|
||||||
|
sort.SliceStable(ixns, func(i, j int) bool {
|
||||||
|
return ixns[j].Precedence < ixns[i].Precedence
|
||||||
|
})
|
||||||
|
return structs.Intentions(ixns)
|
||||||
|
}
|
||||||
|
tests := map[string]struct {
|
||||||
|
in structs.Intentions
|
||||||
|
expect structs.Intentions
|
||||||
|
}{
|
||||||
|
"empty": {},
|
||||||
|
"one": {
|
||||||
|
in: sorted(
|
||||||
|
testIntention(t, "*", "*"),
|
||||||
|
),
|
||||||
|
expect: sorted(
|
||||||
|
testIntention(t, "*", "*"),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
"two with no match": {
|
||||||
|
in: sorted(
|
||||||
|
testIntention(t, "*", "foo"),
|
||||||
|
testIntention(t, "bar", "*"),
|
||||||
|
),
|
||||||
|
expect: sorted(
|
||||||
|
testIntention(t, "*", "foo"),
|
||||||
|
testIntention(t, "bar", "*"),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
"two with match, exact": {
|
||||||
|
in: sorted(
|
||||||
|
testIntention(t, "bar", "foo"),
|
||||||
|
testIntention(t, "bar", "*"),
|
||||||
|
),
|
||||||
|
expect: sorted(
|
||||||
|
testIntention(t, "bar", "foo"),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
"two with match, wildcard": {
|
||||||
|
in: sorted(
|
||||||
|
testIntention(t, "*", "foo"),
|
||||||
|
testIntention(t, "*", "*"),
|
||||||
|
),
|
||||||
|
expect: sorted(
|
||||||
|
testIntention(t, "*", "foo"),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for name, tc := range tests {
|
||||||
|
tc := tc
|
||||||
|
t.Run(name, func(t *testing.T) {
|
||||||
|
got := removeSameSourceIntentions(tc.in)
|
||||||
|
require.Equal(t, tc.expect, got)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSimplifyNotSourceSlice(t *testing.T) {
|
||||||
|
tests := map[string]struct {
|
||||||
|
in []string
|
||||||
|
expect []string
|
||||||
|
}{
|
||||||
|
"empty": {},
|
||||||
|
"one": {
|
||||||
|
[]string{"bar"},
|
||||||
|
[]string{"bar"},
|
||||||
|
},
|
||||||
|
"two with no match": {
|
||||||
|
[]string{"foo", "bar"},
|
||||||
|
[]string{"foo", "bar"},
|
||||||
|
},
|
||||||
|
"two with match": {
|
||||||
|
[]string{"*", "bar"},
|
||||||
|
[]string{"*"},
|
||||||
|
},
|
||||||
|
"three with two matches down to one": {
|
||||||
|
[]string{"*", "foo", "bar"},
|
||||||
|
[]string{"*"},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for name, tc := range tests {
|
||||||
|
tc := tc
|
||||||
|
t.Run(name, func(t *testing.T) {
|
||||||
|
got := simplifyNotSourceSlice(makeServiceNameSlice(tc.in))
|
||||||
|
require.Equal(t, makeServiceNameSlice(tc.expect), got)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestIxnSourceMatches(t *testing.T) {
|
||||||
|
tests := []struct {
|
||||||
|
tester, against string
|
||||||
|
matches bool
|
||||||
|
}{
|
||||||
|
// identical precedence
|
||||||
|
{"web", "api", false},
|
||||||
|
{"*", "*", false},
|
||||||
|
// backwards precedence
|
||||||
|
{"*", "web", false},
|
||||||
|
// name wildcards
|
||||||
|
{"web", "*", true},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tc := range tests {
|
||||||
|
t.Run(fmt.Sprintf("%s cmp %s", tc.tester, tc.against), func(t *testing.T) {
|
||||||
|
matches := ixnSourceMatches(
|
||||||
|
structs.ServiceNameFromString(tc.tester),
|
||||||
|
structs.ServiceNameFromString(tc.against),
|
||||||
|
)
|
||||||
|
assert.Equal(t, tc.matches, matches)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func makeServiceNameSlice(slice []string) []structs.ServiceName {
|
||||||
|
if len(slice) == 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
var out []structs.ServiceName
|
||||||
|
for _, src := range slice {
|
||||||
|
out = append(out, structs.ServiceNameFromString(src))
|
||||||
|
}
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
func unmakeServiceNameSlice(slice []structs.ServiceName) []string {
|
||||||
|
if len(slice) == 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
var out []string
|
||||||
|
for _, src := range slice {
|
||||||
|
out = append(out, src.String())
|
||||||
|
}
|
||||||
|
return out
|
||||||
|
}
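Review bot: TestIxnSourceMatches exercises only the name-wildcard branch of ixnSourceMatches; the namespace cases its doc comment promises (`default/web` vs `default/*`, `default/*` vs `*/*`) have no row in the table, so the `matchesNS` half of the check is never asserted. If ServiceNameFromString preserves the namespace component of the `ns/name` form used in that comment in this build, adding `{"default/web", "default/*", true},` and `{"default/*", "*/*", true},` plus a negative row such as `{"other/web", "default/*", false},` would cover it. Separately, unmakeServiceNameSlice is not referenced anywhere in this file; if no other test in the package uses it, it can be dropped.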
|
|
@ -3,6 +3,7 @@ package xds
|
||||||
import (
|
import (
|
||||||
envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
|
envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
|
||||||
envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
|
envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
|
||||||
|
envoymatcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher"
|
||||||
"github.com/golang/protobuf/proto"
|
"github.com/golang/protobuf/proto"
|
||||||
"github.com/golang/protobuf/ptypes/any"
|
"github.com/golang/protobuf/ptypes/any"
|
||||||
"github.com/golang/protobuf/ptypes/wrappers"
|
"github.com/golang/protobuf/ptypes/wrappers"
|
||||||
|
@ -56,3 +57,12 @@ func makeUint32Value(n int) *wrappers.UInt32Value {
|
||||||
func makeBoolValue(n bool) *wrappers.BoolValue {
|
func makeBoolValue(n bool) *wrappers.BoolValue {
|
||||||
return &wrappers.BoolValue{Value: n}
|
return &wrappers.BoolValue{Value: n}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func makeEnvoyRegexMatch(patt string) *envoymatcher.RegexMatcher {
|
||||||
|
return &envoymatcher.RegexMatcher{
|
||||||
|
EngineType: &envoymatcher.RegexMatcher_GoogleRe2{
|
||||||
|
GoogleRe2: &envoymatcher.RegexMatcher_GoogleRE2{},
|
||||||
|
},
|
||||||
|
Regex: patt,
|
||||||
|
}
|
||||||
|
}
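Review bot: makeEnvoyRegexMatch arrives here without a doc comment, and it now backs both the route matchers and the RBAC principal matchers built by idPrincipal, so its contract deserves a line; suggest `// makeEnvoyRegexMatch wraps patt in a RegexMatcher that Envoy evaluates with its RE2 engine; the caller is responsible for anchoring the pattern.` above the func. The identical body removed in the following hunk makes this look like a straight move, so the comment is the only change worth making in this hunk.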
|
||||||
|
|
|
@ -458,12 +458,3 @@ func makeRouteActionForSplitter(splits []*structs.DiscoverySplit, chain *structs
|
||||||
},
|
},
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func makeEnvoyRegexMatch(patt string) *envoymatcher.RegexMatcher {
|
|
||||||
return &envoymatcher.RegexMatcher{
|
|
||||||
EngineType: &envoymatcher.RegexMatcher_GoogleRe2{
|
|
||||||
GoogleRe2: &envoymatcher.RegexMatcher_GoogleRE2{},
|
|
||||||
},
|
|
||||||
Regex: patt,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
|
@ -9,19 +9,14 @@ import (
|
||||||
|
|
||||||
envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
|
envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
|
||||||
envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
|
envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
|
||||||
envoyauthz "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
|
|
||||||
envoyauthzalpha "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2alpha"
|
|
||||||
envoydisco "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v2"
|
envoydisco "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v2"
|
||||||
"github.com/golang/protobuf/proto"
|
"github.com/golang/protobuf/proto"
|
||||||
"github.com/hashicorp/consul/acl"
|
"github.com/hashicorp/consul/acl"
|
||||||
"github.com/hashicorp/consul/agent/cache"
|
|
||||||
"github.com/hashicorp/consul/agent/connect"
|
|
||||||
"github.com/hashicorp/consul/agent/proxycfg"
|
"github.com/hashicorp/consul/agent/proxycfg"
|
||||||
"github.com/hashicorp/consul/agent/structs"
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
"github.com/hashicorp/consul/logging"
|
"github.com/hashicorp/consul/logging"
|
||||||
"github.com/hashicorp/consul/tlsutil"
|
"github.com/hashicorp/consul/tlsutil"
|
||||||
"github.com/hashicorp/go-hclog"
|
"github.com/hashicorp/go-hclog"
|
||||||
rpcstatus "google.golang.org/genproto/googleapis/rpc/status"
|
|
||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
"google.golang.org/grpc/codes"
|
"google.golang.org/grpc/codes"
|
||||||
"google.golang.org/grpc/credentials"
|
"google.golang.org/grpc/credentials"
|
||||||
|
@ -92,13 +87,6 @@ const (
|
||||||
// coupling this to the agent.
|
// coupling this to the agent.
|
||||||
type ACLResolverFunc func(id string) (acl.Authorizer, error)
|
type ACLResolverFunc func(id string) (acl.Authorizer, error)
|
||||||
|
|
||||||
// ConnectAuthz is the interface the agent needs to expose to be able to re-use
|
|
||||||
// the authorization logic between both APIs.
|
|
||||||
type ConnectAuthz interface {
|
|
||||||
// ConnectAuthorize is implemented by Agent.ConnectAuthorize
|
|
||||||
ConnectAuthorize(token string, req *structs.ConnectAuthorizeRequest) (authz bool, reason string, m *cache.ResultMeta, err error)
|
|
||||||
}
|
|
||||||
|
|
||||||
// ServiceChecks is the interface the agent needs to expose
|
// ServiceChecks is the interface the agent needs to expose
|
||||||
// for the xDS server to fetch a service's HTTP check definitions
|
// for the xDS server to fetch a service's HTTP check definitions
|
||||||
type HTTPCheckFetcher interface {
|
type HTTPCheckFetcher interface {
|
||||||
|
@ -119,16 +107,14 @@ type ConfigManager interface {
|
||||||
Watch(proxyID structs.ServiceID) (<-chan *proxycfg.ConfigSnapshot, proxycfg.CancelFunc)
|
Watch(proxyID structs.ServiceID) (<-chan *proxycfg.ConfigSnapshot, proxycfg.CancelFunc)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Server represents a gRPC server that can handle both XDS and ext_authz
|
// Server represents a gRPC server that can handle xDS requests from Envoy. All
|
||||||
// requests from Envoy. All of it's public members must be set before the gRPC
|
// of it's public members must be set before the gRPC server is started.
|
||||||
// server is started.
|
|
||||||
//
|
//
|
||||||
// A full description of the XDS protocol can be found at
|
// A full description of the XDS protocol can be found at
|
||||||
// https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol
|
// https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol
|
||||||
type Server struct {
|
type Server struct {
|
||||||
Logger hclog.Logger
|
Logger hclog.Logger
|
||||||
CfgMgr ConfigManager
|
CfgMgr ConfigManager
|
||||||
Authz ConnectAuthz
|
|
||||||
ResolveToken ACLResolverFunc
|
ResolveToken ACLResolverFunc
|
||||||
// AuthCheckFrequency is how often we should re-check the credentials used
|
// AuthCheckFrequency is how often we should re-check the credentials used
|
||||||
// during a long-lived gRPC Stream after it has been initially established.
|
// during a long-lived gRPC Stream after it has been initially established.
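Review bot: The rewritten doc line `// of it's public members must be set before the gRPC server is started.` carries the pre-existing "it's" where the possessive is meant; since the line is already being touched, make it `// of its public members must be set before the gRPC server is started.`. With the Authz field gone, a short sentence noting that ResolveToken is now the only ACL hook on the struct and that, per the commit title, intention enforcement no longer passes through this server would also help readers of this type.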
|
||||||
|
@ -490,90 +476,7 @@ func (s *Server) DeltaAggregatedResources(_ envoydisco.AggregatedDiscoveryServic
|
||||||
return errors.New("not implemented")
|
return errors.New("not implemented")
|
||||||
}
|
}
|
||||||
|
|
||||||
func deniedResponse(reason string) (*envoyauthz.CheckResponse, error) {
|
// GRPCServer returns a server instance that can handle xDS requests.
|
||||||
return &envoyauthz.CheckResponse{
|
|
||||||
Status: &rpcstatus.Status{
|
|
||||||
Code: int32(codes.PermissionDenied),
|
|
||||||
Message: "Denied: " + reason,
|
|
||||||
},
|
|
||||||
}, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check implements envoyauthz.AuthorizationServer.
|
|
||||||
func (s *Server) Check(ctx context.Context, r *envoyauthz.CheckRequest) (*envoyauthz.CheckResponse, error) {
|
|
||||||
// Sanity checks
|
|
||||||
if r.Attributes == nil || r.Attributes.Source == nil || r.Attributes.Destination == nil {
|
|
||||||
return nil, status.Error(codes.InvalidArgument, "source and destination attributes are required")
|
|
||||||
}
|
|
||||||
if r.Attributes.Source.Principal == "" || r.Attributes.Destination.Principal == "" {
|
|
||||||
return nil, status.Error(codes.InvalidArgument, "source and destination Principal are required")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Parse destination to know the target service
|
|
||||||
dest, err := connect.ParseCertURIFromString(r.Attributes.Destination.Principal)
|
|
||||||
if err != nil {
|
|
||||||
s.Logger.Debug("Connect AuthZ DENIED: bad destination URI", "source", r.Attributes.Source.Principal, "destination",
|
|
||||||
r.Attributes.Destination.Principal)
|
|
||||||
// Treat this as an auth error since Envoy has sent something it considers
|
|
||||||
// valid, it's just not an identity we trust.
|
|
||||||
return deniedResponse("Destination Principal is not a valid Connect identity")
|
|
||||||
}
|
|
||||||
|
|
||||||
destID, ok := dest.(*connect.SpiffeIDService)
|
|
||||||
if !ok {
|
|
||||||
s.Logger.Debug("Connect AuthZ DENIED: bad destination service ID", "source", r.Attributes.Source.Principal, "destination",
|
|
||||||
r.Attributes.Destination.Principal)
|
|
||||||
return deniedResponse("Destination Principal is not a valid Service identity")
|
|
||||||
}
|
|
||||||
|
|
||||||
// For now we don't validate the trust domain of the _destination_ at all -
|
|
||||||
// the HTTP Authorize endpoint just accepts a target _service_ and it's
|
|
||||||
// implicit that the request is for the correct cluster. We might want to
|
|
||||||
// reconsider this later but plumbing in additional machinery to check the
|
|
||||||
// clusterID here is not really necessary for now unless Envoys are badly
|
|
||||||
// configured. Our threat model _requires_ correctly configured and well
|
|
||||||
// behaved proxies given that they have ACLs to fetch certs and so can do
|
|
||||||
// whatever they want including not authorizing traffic at all or routing it
|
|
||||||
// do a different service than they auth'd against.
|
|
||||||
|
|
||||||
// Create an authz request
|
|
||||||
req := &structs.ConnectAuthorizeRequest{
|
|
||||||
Target: destID.Service,
|
|
||||||
EnterpriseMeta: *destID.GetEnterpriseMeta(),
|
|
||||||
ClientCertURI: r.Attributes.Source.Principal,
|
|
||||||
// TODO(banks): need Envoy to support sending cert serial/hash to enforce
|
|
||||||
// revocation later.
|
|
||||||
}
|
|
||||||
token := tokenFromContext(ctx)
|
|
||||||
authed, reason, _, err := s.Authz.ConnectAuthorize(token, req)
|
|
||||||
if err != nil {
|
|
||||||
if err == acl.ErrPermissionDenied {
|
|
||||||
s.Logger.Debug("Connect AuthZ failed ACL check", "error", err, "source", r.Attributes.Source.Principal,
|
|
||||||
"dest", r.Attributes.Destination.Principal)
|
|
||||||
return nil, status.Error(codes.PermissionDenied, err.Error())
|
|
||||||
}
|
|
||||||
s.Logger.Debug("Connect AuthZ failed", "error", err, "source", r.Attributes.Source.Principal,
|
|
||||||
"destination", r.Attributes.Destination.Principal)
|
|
||||||
return nil, status.Error(codes.Internal, err.Error())
|
|
||||||
}
|
|
||||||
if !authed {
|
|
||||||
s.Logger.Debug("Connect AuthZ DENIED", "source", r.Attributes.Source.Principal,
|
|
||||||
"destination", r.Attributes.Destination.Principal, "reason", reason)
|
|
||||||
return deniedResponse(reason)
|
|
||||||
}
|
|
||||||
|
|
||||||
s.Logger.Debug("Connect AuthZ ALLOWED", "source", r.Attributes.Source.Principal,
|
|
||||||
"destination", r.Attributes.Destination.Principal, "reason", reason)
|
|
||||||
return &envoyauthz.CheckResponse{
|
|
||||||
Status: &rpcstatus.Status{
|
|
||||||
Code: int32(codes.OK),
|
|
||||||
Message: "ALLOWED: " + reason,
|
|
||||||
},
|
|
||||||
}, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// GRPCServer returns a server instance that can handle XDS and ext_authz
|
|
||||||
// requests.
|
|
||||||
func (s *Server) GRPCServer(tlsConfigurator *tlsutil.Configurator) (*grpc.Server, error) {
|
func (s *Server) GRPCServer(tlsConfigurator *tlsutil.Configurator) (*grpc.Server, error) {
|
||||||
opts := []grpc.ServerOption{
|
opts := []grpc.ServerOption{
|
||||||
grpc.MaxConcurrentStreams(2048),
|
grpc.MaxConcurrentStreams(2048),
|
||||||
|
@ -587,15 +490,5 @@ func (s *Server) GRPCServer(tlsConfigurator *tlsutil.Configurator) (*grpc.Server
|
||||||
srv := grpc.NewServer(opts...)
|
srv := grpc.NewServer(opts...)
|
||||||
envoydisco.RegisterAggregatedDiscoveryServiceServer(srv, s)
|
envoydisco.RegisterAggregatedDiscoveryServiceServer(srv, s)
|
||||||
|
|
||||||
// Envoy 1.10 changed the package for ext_authz from v2alpha to v2. We still
|
|
||||||
// need to be compatible with 1.9.1 and earlier which only uses v2alpha. While
|
|
||||||
// there is a deprecated compatibility shim option in 1.10, we want to support
|
|
||||||
// first class. Fortunately they are wire-compatible so we can just register a
|
|
||||||
// single service implementation (using the new v2 package definitions) but
|
|
||||||
// using the old v2alpha regiatration function which just exports it on the
|
|
||||||
// old path as well.
|
|
||||||
envoyauthz.RegisterAuthorizationServer(srv, s)
|
|
||||||
envoyauthzalpha.RegisterAuthorizationServer(srv, s)
|
|
||||||
|
|
||||||
return srv, nil
|
return srv, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,8 +1,6 @@
|
||||||
package xds
|
package xds
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
|
||||||
"errors"
|
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"sync/atomic"
|
"sync/atomic"
|
||||||
|
@ -12,7 +10,6 @@ import (
|
||||||
envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
|
envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
"google.golang.org/grpc/codes"
|
"google.golang.org/grpc/codes"
|
||||||
"google.golang.org/grpc/metadata"
|
|
||||||
"google.golang.org/grpc/status"
|
"google.golang.org/grpc/status"
|
||||||
|
|
||||||
"github.com/hashicorp/consul/acl"
|
"github.com/hashicorp/consul/acl"
|
||||||
|
@ -91,22 +88,6 @@ func (m *testManager) AssertWatchCancelled(t *testing.T, proxyID structs.Service
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// ConnectAuthorize implements ConnectAuthz
|
|
||||||
func (m *testManager) ConnectAuthorize(token string, req *structs.ConnectAuthorizeRequest) (authz bool, reason string, meta *cache.ResultMeta, err error) {
|
|
||||||
m.Lock()
|
|
||||||
defer m.Unlock()
|
|
||||||
if res, ok := m.authz[token]; ok {
|
|
||||||
if res.validate != nil {
|
|
||||||
if err := res.validate(req); err != nil {
|
|
||||||
return false, "", nil, err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return res.authz, res.reason, res.m, res.err
|
|
||||||
}
|
|
||||||
// Default allow but with reason that won't match by accident in a test case
|
|
||||||
return true, "OK: allowed by default test implementation", nil, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
|
func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
|
||||||
logger := testutil.Logger(t)
|
logger := testutil.Logger(t)
|
||||||
mgr := newTestManager(t)
|
mgr := newTestManager(t)
|
||||||
|
@ -120,7 +101,6 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
|
||||||
s := Server{
|
s := Server{
|
||||||
Logger: logger,
|
Logger: logger,
|
||||||
CfgMgr: mgr,
|
CfgMgr: mgr,
|
||||||
Authz: mgr,
|
|
||||||
ResolveToken: aclResolve,
|
ResolveToken: aclResolve,
|
||||||
}
|
}
|
||||||
s.Initialize()
|
s.Initialize()
|
||||||
|
@ -170,7 +150,7 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
|
||||||
envoy.SendReq(t, EndpointType, 1, 2)
|
envoy.SendReq(t, EndpointType, 1, 2)
|
||||||
|
|
||||||
// And should get a response immediately.
|
// And should get a response immediately.
|
||||||
assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, "", 1, 3))
|
assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, 1, 3))
|
||||||
|
|
||||||
// Now send Route request along with next listener one
|
// Now send Route request along with next listener one
|
||||||
envoy.SendReq(t, RouteType, 0, 0)
|
envoy.SendReq(t, RouteType, 0, 0)
|
||||||
|
@ -197,7 +177,7 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
|
||||||
// which is reasonable anyway to ensure consistency of the config Envoy sees.
|
// which is reasonable anyway to ensure consistency of the config Envoy sees.
|
||||||
assertResponseSent(t, envoy.stream.sendCh, expectClustersJSON(snap, 2, 4))
|
assertResponseSent(t, envoy.stream.sendCh, expectClustersJSON(snap, 2, 4))
|
||||||
assertResponseSent(t, envoy.stream.sendCh, expectEndpointsJSON(2, 5))
|
assertResponseSent(t, envoy.stream.sendCh, expectEndpointsJSON(2, 5))
|
||||||
assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, "", 2, 6))
|
assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, 2, 6))
|
||||||
|
|
||||||
// Let's pretend that Envoy doesn't like that new listener config. It will ACK
|
// Let's pretend that Envoy doesn't like that new listener config. It will ACK
|
||||||
// all the others (same version) but NACK the listener. This is the most
|
// all the others (same version) but NACK the listener. This is the most
|
||||||
|
@ -234,7 +214,7 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
|
||||||
|
|
||||||
assertResponseSent(t, envoy.stream.sendCh, expectClustersJSON(snap, 3, 7))
|
assertResponseSent(t, envoy.stream.sendCh, expectClustersJSON(snap, 3, 7))
|
||||||
assertResponseSent(t, envoy.stream.sendCh, expectEndpointsJSON(3, 8))
|
assertResponseSent(t, envoy.stream.sendCh, expectEndpointsJSON(3, 8))
|
||||||
assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, "", 3, 9))
|
assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, 3, 9))
|
||||||
}
|
}
|
||||||
|
|
||||||
func expectEndpointsJSON(v, n uint64) string {
|
func expectEndpointsJSON(v, n uint64) string {
|
||||||
|
@ -474,7 +454,6 @@ func TestServer_StreamAggregatedResources_ACLEnforcement(t *testing.T) {
|
||||||
s := Server{
|
s := Server{
|
||||||
Logger: logger,
|
Logger: logger,
|
||||||
CfgMgr: mgr,
|
CfgMgr: mgr,
|
||||||
Authz: mgr,
|
|
||||||
ResolveToken: aclResolve,
|
ResolveToken: aclResolve,
|
||||||
}
|
}
|
||||||
s.Initialize()
|
s.Initialize()
|
||||||
|
@ -501,7 +480,7 @@ func TestServer_StreamAggregatedResources_ACLEnforcement(t *testing.T) {
|
||||||
envoy.SendReq(t, ListenerType, 0, 0)
|
envoy.SendReq(t, ListenerType, 0, 0)
|
||||||
|
|
||||||
if !tt.wantDenied {
|
if !tt.wantDenied {
|
||||||
assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, tt.token, 1, 1))
|
assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, 1, 1))
|
||||||
// Close the client stream since all is well. We _don't_ do this in the
|
// Close the client stream since all is well. We _don't_ do this in the
|
||||||
// expected error case because we want to verify the error closes the
|
// expected error case because we want to verify the error closes the
|
||||||
// stream from server side.
|
// stream from server side.
|
||||||
|
@ -549,7 +528,6 @@ func TestServer_StreamAggregatedResources_ACLTokenDeleted_StreamTerminatedDuring
|
||||||
s := Server{
|
s := Server{
|
||||||
Logger: logger,
|
Logger: logger,
|
||||||
CfgMgr: mgr,
|
CfgMgr: mgr,
|
||||||
Authz: mgr,
|
|
||||||
ResolveToken: aclResolve,
|
ResolveToken: aclResolve,
|
||||||
AuthCheckFrequency: 1 * time.Hour, // make sure this doesn't kick in
|
AuthCheckFrequency: 1 * time.Hour, // make sure this doesn't kick in
|
||||||
}
|
}
|
||||||
|
@ -641,7 +619,6 @@ func TestServer_StreamAggregatedResources_ACLTokenDeleted_StreamTerminatedInBack
|
||||||
s := Server{
|
s := Server{
|
||||||
Logger: logger,
|
Logger: logger,
|
||||||
CfgMgr: mgr,
|
CfgMgr: mgr,
|
||||||
Authz: mgr,
|
|
||||||
ResolveToken: aclResolve,
|
ResolveToken: aclResolve,
|
||||||
AuthCheckFrequency: 100 * time.Millisecond, // Make this short.
|
AuthCheckFrequency: 100 * time.Millisecond, // Make this short.
|
||||||
}
|
}
|
||||||
|
@ -716,144 +693,6 @@ func TestServer_StreamAggregatedResources_ACLTokenDeleted_StreamTerminatedInBack
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// This tests the ext_authz service method that implements connect authz.
|
|
||||||
func TestServer_Check(t *testing.T) {
|
|
||||||
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
source string
|
|
||||||
dest string
|
|
||||||
sourcePrincipal string
|
|
||||||
destPrincipal string
|
|
||||||
authzResult connectAuthzResult
|
|
||||||
wantErr bool
|
|
||||||
wantErrCode codes.Code
|
|
||||||
wantDenied bool
|
|
||||||
wantReason string
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: "auth allowed",
|
|
||||||
source: "web",
|
|
||||||
dest: "db",
|
|
||||||
authzResult: connectAuthzResult{true, "default allow", nil, nil, nil},
|
|
||||||
wantDenied: false,
|
|
||||||
wantReason: "default allow",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "auth denied",
|
|
||||||
source: "web",
|
|
||||||
dest: "db",
|
|
||||||
authzResult: connectAuthzResult{false, "default deny", nil, nil, nil},
|
|
||||||
wantDenied: true,
|
|
||||||
wantReason: "default deny",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "no source",
|
|
||||||
sourcePrincipal: "",
|
|
||||||
dest: "db",
|
|
||||||
// Should never make it to authz call.
|
|
||||||
wantErr: true,
|
|
||||||
wantErrCode: codes.InvalidArgument,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "no dest",
|
|
||||||
source: "web",
|
|
||||||
dest: "",
|
|
||||||
// Should never make it to authz call.
|
|
||||||
wantErr: true,
|
|
||||||
wantErrCode: codes.InvalidArgument,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "dest invalid format",
|
|
||||||
source: "web",
|
|
||||||
destPrincipal: "not-a-spiffe-id",
|
|
||||||
// Should never make it to authz call.
|
|
||||||
wantDenied: true,
|
|
||||||
wantReason: "Destination Principal is not a valid Connect identity",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "dest not a service URI",
|
|
||||||
source: "web",
|
|
||||||
destPrincipal: "spiffe://trust-domain.consul",
|
|
||||||
// Should never make it to authz call.
|
|
||||||
wantDenied: true,
|
|
||||||
wantReason: "Destination Principal is not a valid Service identity",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "ACL not got permission for authz call",
|
|
||||||
source: "web",
|
|
||||||
dest: "db",
|
|
||||||
authzResult: connectAuthzResult{false, "", nil, acl.ErrPermissionDenied, nil},
|
|
||||||
wantErr: true,
|
|
||||||
wantErrCode: codes.PermissionDenied,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "Random error running authz",
|
|
||||||
source: "web",
|
|
||||||
dest: "db",
|
|
||||||
authzResult: connectAuthzResult{false, "", nil, errors.New("gremlin attack"), nil},
|
|
||||||
wantErr: true,
|
|
||||||
wantErrCode: codes.Internal,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, tt := range tests {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
token := "my-real-acl-token"
|
|
||||||
logger := testutil.Logger(t)
|
|
||||||
mgr := newTestManager(t)
|
|
||||||
|
|
||||||
// Setup expected auth result against that token no lock as no other
|
|
||||||
// goroutine is touching this yet.
|
|
||||||
mgr.authz[token] = tt.authzResult
|
|
||||||
|
|
||||||
aclResolve := func(id string) (acl.Authorizer, error) {
|
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
envoy := NewTestEnvoy(t, "web-sidecar-proxy", token)
|
|
||||||
defer envoy.Close()
|
|
||||||
|
|
||||||
s := Server{
|
|
||||||
Logger: logger,
|
|
||||||
CfgMgr: mgr,
|
|
||||||
Authz: mgr,
|
|
||||||
ResolveToken: aclResolve,
|
|
||||||
}
|
|
||||||
s.Initialize()
|
|
||||||
|
|
||||||
// Create a context with the correct token
|
|
||||||
ctx := metadata.NewIncomingContext(context.Background(),
|
|
||||||
metadata.Pairs("x-consul-token", token))
|
|
||||||
|
|
||||||
r := TestCheckRequest(t, tt.source, tt.dest)
|
|
||||||
// If sourcePrincipal is set override, or if source is also not set
|
|
||||||
// explicitly override to empty.
|
|
||||||
if tt.sourcePrincipal != "" || tt.source == "" {
|
|
||||||
r.Attributes.Source.Principal = tt.sourcePrincipal
|
|
||||||
}
|
|
||||||
if tt.destPrincipal != "" || tt.dest == "" {
|
|
||||||
r.Attributes.Destination.Principal = tt.destPrincipal
|
|
||||||
}
|
|
||||||
resp, err := s.Check(ctx, r)
|
|
||||||
// Denied is not an error
|
|
||||||
if tt.wantErr {
|
|
||||||
require.Error(t, err)
|
|
||||||
grpcStatus := status.Convert(err)
|
|
||||||
require.Equal(t, tt.wantErrCode, grpcStatus.Code())
|
|
||||||
require.Nil(t, resp)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
require.NoError(t, err)
|
|
||||||
if tt.wantDenied {
|
|
||||||
require.Equal(t, int32(codes.PermissionDenied), resp.Status.Code)
|
|
||||||
} else {
|
|
||||||
require.Equal(t, int32(codes.OK), resp.Status.Code)
|
|
||||||
}
|
|
||||||
require.Contains(t, resp.Status.Message, tt.wantReason)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestServer_StreamAggregatedResources_IngressEmptyResponse(t *testing.T) {
|
func TestServer_StreamAggregatedResources_IngressEmptyResponse(t *testing.T) {
|
||||||
logger := testutil.Logger(t)
|
logger := testutil.Logger(t)
|
||||||
mgr := newTestManager(t)
|
mgr := newTestManager(t)
|
||||||
|
@ -867,7 +706,6 @@ func TestServer_StreamAggregatedResources_IngressEmptyResponse(t *testing.T) {
|
||||||
s := Server{
|
s := Server{
|
||||||
Logger: logger,
|
Logger: logger,
|
||||||
CfgMgr: mgr,
|
CfgMgr: mgr,
|
||||||
Authz: mgr,
|
|
||||||
ResolveToken: aclResolve,
|
ResolveToken: aclResolve,
|
||||||
}
|
}
|
||||||
s.Initialize()
|
s.Initialize()
|
||||||
|
|
|
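Review bot: Deleting TestServer_Check (the hunk at `@ -716,144 +693,6 @@`) drops the only regression coverage visible in this file for the deny paths — a malformed destination principal, a non-service SPIFFE ID, and `acl.ErrPermissionDenied` from the authorizer — without a replacement here. Since enforcement now lives in the generated RBAC filter, the equivalent cases (default-deny with no intentions, an explicit deny intention, a source identity that fails to parse) belong in the listener/RBAC rule-generation tests; if the commit adds them elsewhere they are outside this view, so this is a request to confirm rather than a defect. The removed `ConnectAuthorize` mock at `@ -91,22 +88,6 @@` also appears to leave `testManager.authz` and `connectAuthzResult` without any caller unless a hunk outside this view deletes them; removing them would stop the test manager from advertising an authorization seam that the server no longer has.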
@ -106,18 +106,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -106,18 +106,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -106,18 +106,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -106,18 +106,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -106,18 +106,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -106,18 +106,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -106,18 +106,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -106,18 +106,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -99,18 +99,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -99,18 +99,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -99,18 +99,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -99,18 +99,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -101,18 +101,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -101,18 +101,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -101,18 +101,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -101,18 +101,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
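--- a/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-12-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-12-x.golden
@@ -0,0 +1,131 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.filters.network.http_connection_manager",
+"typedConfig": {
+"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+"routeConfig": {
+"name": "public_listener",
+"virtualHosts": [
+{
+"name": "public_listener",
+"domains": [
+"*"
+],
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+},
+"httpFilters": [
+{
+"name": "envoy.filters.http.rbac",
+"config": {
+"rules": {
+}
+}
+},
+{
+"name": "envoy.router"
+}
+]
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}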
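--- a/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-13-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-13-x.golden
@@ -0,0 +1,131 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.filters.network.http_connection_manager",
+"typedConfig": {
+"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+"routeConfig": {
+"name": "public_listener",
+"virtualHosts": [
+{
+"name": "public_listener",
+"domains": [
+"*"
+],
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+},
+"httpFilters": [
+{
+"name": "envoy.filters.http.rbac",
+"config": {
+"rules": {
+}
+}
+},
+{
+"name": "envoy.router"
+}
+]
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}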
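--- a/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-14-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-14-x.golden
@@ -0,0 +1,131 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.filters.network.http_connection_manager",
+"typedConfig": {
+"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+"routeConfig": {
+"name": "public_listener",
+"virtualHosts": [
+{
+"name": "public_listener",
+"domains": [
+"*"
+],
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+},
+"httpFilters": [
+{
+"name": "envoy.filters.http.rbac",
+"config": {
+"rules": {
+}
+}
+},
+{
+"name": "envoy.router"
+}
+]
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}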
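--- a/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-15-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-15-x.golden
@@ -0,0 +1,131 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.filters.network.http_connection_manager",
+"typedConfig": {
+"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+"routeConfig": {
+"name": "public_listener",
+"virtualHosts": [
+{
+"name": "public_listener",
+"domains": [
+"*"
+],
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+},
+"httpFilters": [
+{
+"name": "envoy.filters.http.rbac",
+"config": {
+"rules": {
+}
+}
+},
+{
+"name": "envoy.router"
+}
+]
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}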
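--- a/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-12-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-12-x.golden
@@ -0,0 +1,130 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.filters.network.http_connection_manager",
+"config": {
+"http_filters": [
+{
+"config": {
+"rules": {
+}
+},
+"name": "envoy.filters.http.rbac"
+},
+{
+"name": "envoy.router"
+}
+],
+"route_config": {
+"name": "public_listener",
+"virtual_hosts": [
+{
+"domains": [
+"*"
+],
+"name": "public_listener",
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+}
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}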
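--- a/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-13-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-13-x.golden
@@ -0,0 +1,130 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.filters.network.http_connection_manager",
+"config": {
+"http_filters": [
+{
+"config": {
+"rules": {
+}
+},
+"name": "envoy.filters.http.rbac"
+},
+{
+"name": "envoy.router"
+}
+],
+"route_config": {
+"name": "public_listener",
+"virtual_hosts": [
+{
+"domains": [
+"*"
+],
+"name": "public_listener",
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+}
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}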
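--- a/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-14-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-14-x.golden
@@ -0,0 +1,130 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.filters.network.http_connection_manager",
+"config": {
+"http_filters": [
+{
+"config": {
+"rules": {
+}
+},
+"name": "envoy.filters.http.rbac"
+},
+{
+"name": "envoy.router"
+}
+],
+"route_config": {
+"name": "public_listener",
+"virtual_hosts": [
+{
+"domains": [
+"*"
+],
+"name": "public_listener",
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+}
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}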
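--- a/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-15-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-15-x.golden
@@ -0,0 +1,130 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.filters.network.http_connection_manager",
+"config": {
+"http_filters": [
+{
+"config": {
+"rules": {
+}
+},
+"name": "envoy.filters.http.rbac"
+},
+{
+"name": "envoy.router"
+}
+],
+"route_config": {
+"name": "public_listener",
+"virtual_hosts": [
+{
+"domains": [
+"*"
+],
+"name": "public_listener",
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+}
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}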
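--- a/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-12-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-12-x.golden
@@ -0,0 +1,107 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.filters.network.rbac",
+"config": {
+"rules": {
+},
+"stat_prefix": "connect_authz"
+}
+},
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "random-cluster",
+"stat_prefix": "foo-stats"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}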
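--- a/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-13-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-13-x.golden
@@ -0,0 +1,107 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.filters.network.rbac",
+"config": {
+"rules": {
+},
+"stat_prefix": "connect_authz"
+}
+},
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "random-cluster",
+"stat_prefix": "foo-stats"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}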
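--- a/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-14-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-14-x.golden
@@ -0,0 +1,107 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.filters.network.rbac",
+"config": {
+"rules": {
+},
+"stat_prefix": "connect_authz"
+}
+},
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "random-cluster",
+"stat_prefix": "foo-stats"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}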
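--- a/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-15-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-15-x.golden
@@ -0,0 +1,107 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.filters.network.rbac",
+"config": {
+"rules": {
+},
+"stat_prefix": "connect_authz"
+}
+},
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "random-cluster",
+"stat_prefix": "foo-stats"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}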
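--- a/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-12-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-12-x.golden
@@ -0,0 +1,131 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.http_connection_manager",
+"typedConfig": {
+"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+"routeConfig": {
+"name": "public_listener",
+"virtualHosts": [
+{
+"name": "public_listener",
+"domains": [
+"*"
+],
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+},
+"httpFilters": [
+{
+"name": "envoy.filters.http.rbac",
+"config": {
+"rules": {
+}
+}
+},
+{
+"name": "envoy.router"
+}
+]
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}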
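--- a/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-13-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-13-x.golden
@@ -0,0 +1,131 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.http_connection_manager",
+"typedConfig": {
+"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+"routeConfig": {
+"name": "public_listener",
+"virtualHosts": [
+{
+"name": "public_listener",
+"domains": [
+"*"
+],
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+},
+"httpFilters": [
+{
+"name": "envoy.filters.http.rbac",
+"config": {
+"rules": {
+}
+}
+},
+{
+"name": "envoy.router"
+}
+]
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}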
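--- a/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-14-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-14-x.golden
@@ -0,0 +1,131 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.http_connection_manager",
+"typedConfig": {
+"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+"routeConfig": {
+"name": "public_listener",
+"virtualHosts": [
+{
+"name": "public_listener",
+"domains": [
+"*"
+],
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+},
+"httpFilters": [
+{
+"name": "envoy.filters.http.rbac",
+"config": {
+"rules": {
+}
+}
+},
+{
+"name": "envoy.router"
+}
+]
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}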
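--- a/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-15-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-15-x.golden
@@ -0,0 +1,131 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.http_connection_manager",
+"typedConfig": {
+"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
+"routeConfig": {
+"name": "public_listener",
+"virtualHosts": [
+{
+"name": "public_listener",
+"domains": [
+"*"
+],
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+},
+"httpFilters": [
+{
+"name": "envoy.filters.http.rbac",
+"config": {
+"rules": {
+}
+}
+},
+{
+"name": "envoy.router"
+}
+]
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}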
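--- a/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-12-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-12-x.golden
@@ -0,0 +1,130 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.http_connection_manager",
+"config": {
+"http_filters": [
+{
+"config": {
+"rules": {
+}
+},
+"name": "envoy.filters.http.rbac"
+},
+{
+"name": "envoy.router"
+}
+],
+"route_config": {
+"name": "public_listener",
+"virtual_hosts": [
+{
+"domains": [
+"*"
+],
+"name": "public_listener",
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+}
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}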
130
agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-13-x.golden
|
@ -0,0 +1,130 @@
|
||||||
|
{
|
||||||
|
"versionInfo": "00000001",
|
||||||
|
"resources": [
|
||||||
|
{
|
||||||
|
"@type": "type.googleapis.com/envoy.api.v2.Listener",
|
||||||
|
"name": "custom-public-listen",
|
||||||
|
"address": {
|
||||||
|
"socketAddress": {
|
||||||
|
"address": "11.11.11.11",
|
||||||
|
"portValue": 11111
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"filterChains": [
|
||||||
|
{
|
||||||
|
"tlsContext": {
|
||||||
|
"commonTlsContext": {
|
||||||
|
"tlsParams": {
|
||||||
|
|
||||||
|
},
|
||||||
|
"tlsCertificates": [
|
||||||
|
{
|
||||||
|
"certificateChain": {
|
||||||
|
"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
|
||||||
|
},
|
||||||
|
"privateKey": {
|
||||||
|
"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"validationContext": {
|
||||||
|
"trustedCa": {
|
||||||
|
"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"requireClientCertificate": true
|
||||||
|
},
|
||||||
|
"filters": [
|
||||||
|
{
|
||||||
|
"name": "envoy.http_connection_manager",
|
||||||
|
"config": {
|
||||||
|
"http_filters": [
|
||||||
|
{
|
||||||
|
"config": {
|
||||||
|
"rules": {
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"name": "envoy.filters.http.rbac"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "envoy.router"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"route_config": {
|
||||||
|
"name": "public_listener",
|
||||||
|
"virtual_hosts": [
|
||||||
|
{
|
||||||
|
"domains": [
|
||||||
|
"*"
|
||||||
|
],
|
||||||
|
"name": "public_listener",
|
||||||
|
"routes": [
|
||||||
|
{
|
||||||
|
"match": {
|
||||||
|
"prefix": "/"
|
||||||
|
},
|
||||||
|
"route": {
|
||||||
|
"cluster": "random-cluster"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"@type": "type.googleapis.com/envoy.api.v2.Listener",
|
||||||
|
"name": "db:127.0.0.1:9191",
|
||||||
|
"address": {
|
||||||
|
"socketAddress": {
|
||||||
|
"address": "127.0.0.1",
|
||||||
|
"portValue": 9191
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"filterChains": [
|
||||||
|
{
|
||||||
|
"filters": [
|
||||||
|
{
|
||||||
|
"name": "envoy.tcp_proxy",
|
||||||
|
"config": {
|
||||||
|
"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
||||||
|
"stat_prefix": "upstream_db_tcp"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"@type": "type.googleapis.com/envoy.api.v2.Listener",
|
||||||
|
"name": "prepared_query:geo-cache:127.10.10.10:8181",
|
||||||
|
"address": {
|
||||||
|
"socketAddress": {
|
||||||
|
"address": "127.10.10.10",
|
||||||
|
"portValue": 8181
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"filterChains": [
|
||||||
|
{
|
||||||
|
"filters": [
|
||||||
|
{
|
||||||
|
"name": "envoy.tcp_proxy",
|
||||||
|
"config": {
|
||||||
|
"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
|
||||||
|
"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
|
||||||
|
"nonce": "00000001"
|
||||||
|
}
|
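--- a/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-14-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-14-x.golden
@@ -0,0 +1,130 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.http_connection_manager",
+"config": {
+"http_filters": [
+{
+"config": {
+"rules": {
+}
+},
+"name": "envoy.filters.http.rbac"
+},
+{
+"name": "envoy.router"
+}
+],
+"route_config": {
+"name": "public_listener",
+"virtual_hosts": [
+{
+"domains": [
+"*"
+],
+"name": "public_listener",
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+}
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}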
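--- a/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-15-x.golden
+++ b/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-15-x.golden
@@ -0,0 +1,130 @@
+{
+"versionInfo": "00000001",
+"resources": [
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "custom-public-listen",
+"address": {
+"socketAddress": {
+"address": "11.11.11.11",
+"portValue": 11111
+}
+},
+"filterChains": [
+{
+"tlsContext": {
+"commonTlsContext": {
+"tlsParams": {
+
+},
+"tlsCertificates": [
+{
+"certificateChain": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+},
+"privateKey": {
+"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+}
+}
+],
+"validationContext": {
+"trustedCa": {
+"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+}
+}
+},
+"requireClientCertificate": true
+},
+"filters": [
+{
+"name": "envoy.http_connection_manager",
+"config": {
+"http_filters": [
+{
+"config": {
+"rules": {
+}
+},
+"name": "envoy.filters.http.rbac"
+},
+{
+"name": "envoy.router"
+}
+],
+"route_config": {
+"name": "public_listener",
+"virtual_hosts": [
+{
+"domains": [
+"*"
+],
+"name": "public_listener",
+"routes": [
+{
+"match": {
+"prefix": "/"
+},
+"route": {
+"cluster": "random-cluster"
+}
+}
+]
+}
+]
+}
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "db:127.0.0.1:9191",
+"address": {
+"socketAddress": {
+"address": "127.0.0.1",
+"portValue": 9191
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_db_tcp"
+}
+}
+]
+}
+]
+},
+{
+"@type": "type.googleapis.com/envoy.api.v2.Listener",
+"name": "prepared_query:geo-cache:127.10.10.10:8181",
+"address": {
+"socketAddress": {
+"address": "127.10.10.10",
+"portValue": 8181
+}
+},
+"filterChains": [
+{
+"filters": [
+{
+"name": "envoy.tcp_proxy",
+"config": {
+"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+"stat_prefix": "upstream_prepared_query_geo-cache_tcp"
+}
+}
+]
+}
+]
+}
+],
+"typeUrl": "type.googleapis.com/envoy.api.v2.Listener",
+"nonce": "00000001"
+}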
|
@ -37,18 +37,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -37,18 +37,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -37,18 +37,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -37,18 +37,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -83,18 +83,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -121,18 +121,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -121,18 +121,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -121,18 +121,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -121,18 +121,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -123,18 +123,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -123,18 +123,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -123,18 +123,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -123,18 +123,9 @@
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
{
|
||||||
"name": "envoy.ext_authz",
|
"name": "envoy.filters.network.rbac",
|
||||||
"config": {
|
"config": {
|
||||||
"grpc_service": {
|
"rules": {
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"stat_prefix": "connect_authz"
|
"stat_prefix": "connect_authz"
|
||||||
}
|
}
|
||||||
|
|
|
@ -82,27 +82,17 @@
|
||||||
"requireClientCertificate": true
|
"requireClientCertificate": true
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
|
||||||
"name": "envoy.ext_authz",
|
|
||||||
"config": {
|
|
||||||
"grpc_service": {
|
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"stat_prefix": "connect_authz"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"name": "envoy.http_connection_manager",
|
"name": "envoy.http_connection_manager",
|
||||||
"config": {
|
"config": {
|
||||||
"http_filters": [
|
"http_filters": [
|
||||||
|
{
|
||||||
|
"config": {
|
||||||
|
"rules": {
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"name": "envoy.filters.http.rbac"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"name": "envoy.router"
|
"name": "envoy.router"
|
||||||
}
|
}
|
||||||
|
|
|
@ -82,27 +82,17 @@
|
||||||
"requireClientCertificate": true
|
"requireClientCertificate": true
|
||||||
},
|
},
|
||||||
"filters": [
|
"filters": [
|
||||||
{
|
|
||||||
"name": "envoy.ext_authz",
|
|
||||||
"config": {
|
|
||||||
"grpc_service": {
|
|
||||||
"envoy_grpc": {
|
|
||||||
"cluster_name": "local_agent"
|
|
||||||
},
|
|
||||||
"initial_metadata": [
|
|
||||||
{
|
|
||||||
"key": "x-consul-token",
|
|
||||||
"value": "my-token"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"stat_prefix": "connect_authz"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"name": "envoy.http_connection_manager",
|
"name": "envoy.http_connection_manager",
|
||||||
"config": {
|
"config": {
|
||||||
"http_filters": [
|
"http_filters": [
|
||||||
|
{
|
||||||
|
"config": {
|
||||||
|
"rules": {
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"name": "envoy.filters.http.rbac"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"name": "envoy.router"
|
"name": "envoy.router"
|
||||||
}
|
}
|
||||||
|
|