Rename CatalogDestinationsOnly (#10397)

CatalogDestinationsOnly is a passthrough that would enable dialing
addresses outside of Consul's catalog. However, when this flag is set to
true only _connect_ endpoints for services can be dialed.

This flag is being renamed to signal that non-Connect endpoints can't be
dialed by transparent proxies when the value is set to true.
Freddy 2021-06-14 14:15:09 -06:00 committed by GitHub
parent b050232abb
commit f399fd2add
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 35 additions and 35 deletions


@ -4196,7 +4196,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
"gir": "zim"
},
"transparent_proxy": {
"catalog_destinations_only": true
"mesh_destinations_only": true
}
}
]
@ -4212,7 +4212,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
"gir" = "zim"
}
transparent_proxy {
catalog_destinations_only = true
mesh_destinations_only = true
}
}
}
@ -4228,7 +4228,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
},
EnterpriseMeta: *defaultEntMeta,
TransparentProxy: structs.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true,
MeshDestinationsOnly: true,
},
},
}
@ -4247,7 +4247,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
"gir": "zim"
},
"TransparentProxy": {
"CatalogDestinationsOnly": true
"MeshDestinationsOnly": true
}
}
]
@ -4263,7 +4263,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
"gir" = "zim"
}
TransparentProxy {
CatalogDestinationsOnly = true
MeshDestinationsOnly = true
}
}
}
@ -4279,7 +4279,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
},
EnterpriseMeta: *defaultEntMeta,
TransparentProxy: structs.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true,
MeshDestinationsOnly: true,
},
},
}


@ -53,7 +53,7 @@ func TestConfig_Get(t *testing.T) {
Datacenter: "dc1",
Entry: &structs.MeshConfigEntry{
TransparentProxy: structs.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true,
MeshDestinationsOnly: true,
},
Meta: map[string]string{
"key1": "value1",
@ -128,7 +128,7 @@ func TestConfig_Get(t *testing.T) {
{
"Kind": "mesh",
"TransparentProxy": {
"CatalogDestinationsOnly": true
"MeshDestinationsOnly": true
},
"Meta":{
"key1": "value1",


@ -429,7 +429,7 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
// mesh config entry
meshConfig := &structs.MeshConfigEntry{
TransparentProxy: structs.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true,
MeshDestinationsOnly: true,
},
}
require.NoError(t, fsm.state.EnsureConfigEntry(27, meshConfig))


@ -20,9 +20,9 @@ type MeshConfigEntry struct {
// TransparentProxyMeshConfig contains cluster-wide options pertaining to
// TPROXY mode when enabled.
type TransparentProxyMeshConfig struct {
// CatalogDestinationsOnly can be used to disable the pass-through that
// MeshDestinationsOnly can be used to disable the pass-through that
// allows traffic to destinations outside of the mesh.
CatalogDestinationsOnly bool `alias:"catalog_destinations_only"`
MeshDestinationsOnly bool `alias:"mesh_destinations_only"`
}
func (e *MeshConfigEntry) GetKind() string {
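Review bot: The `alias` tag on `MeshDestinationsOnly` now names only `mesh_destinations_only`, and nothing visible in this hunk keeps the old `CatalogDestinationsOnly` / `catalog_destinations_only` spelling working. Because the field's zero value leaves the pass-through enabled, an entry written under the old name and decoded leniently would presumably come back with the restriction off. It is worth confirming that the decoder rejects the old key instead of silently dropping it, and adding a decode test that pins that behaviour. The same question applies to the second `TransparentProxyMeshConfig` definition later in the commit. The doc comment could also state the default, e.g. `// The default (false) leaves the pass-through enabled.`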


@ -1316,7 +1316,7 @@ func TestDecodeConfigEntry(t *testing.T) {
"gir" = "zim"
}
transparent_proxy {
catalog_destinations_only = true
mesh_destinations_only = true
}
`,
camel: `
@ -1326,7 +1326,7 @@ func TestDecodeConfigEntry(t *testing.T) {
"gir" = "zim"
}
TransparentProxy {
CatalogDestinationsOnly = true
MeshDestinationsOnly = true
}
`,
expect: &MeshConfigEntry{
@ -1335,7 +1335,7 @@ func TestDecodeConfigEntry(t *testing.T) {
"gir": "zim",
},
TransparentProxy: TransparentProxyMeshConfig{
CatalogDestinationsOnly: true,
MeshDestinationsOnly: true,
},
},
},


@ -178,7 +178,7 @@ func makePassthroughClusters(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message,
clusters := make([]proto.Message, 0, len(cfgSnap.ConnectProxy.PassthroughUpstreams)+1)
if cfgSnap.ConnectProxy.MeshConfig == nil ||
!cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.CatalogDestinationsOnly {
!cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.MeshDestinationsOnly {
clusters = append(clusters, &envoy_cluster_v3.Cluster{
Name: OriginalDestinationClusterName,
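Review bot: The predicate `MeshConfig == nil || !MeshConfig.TransparentProxy.MeshDestinationsOnly` is written out here and again in the `listenersFromSnapshotConnectProxy` hunk, so the rule that decides whether traffic may leave the mesh lives in two places that must stay in step. A small helper would let both call sites read `if !meshDestinationsOnly(cfgSnap) {`, and would give one place to document that a missing mesh config entry leaves the pass-through on. This assumes both functions are in the same package, which the page does not show. `makePassthroughClusters` continues beyond the hunk.

```go
// meshDestinationsOnly reports whether transparent proxies are restricted to
// destinations inside the mesh. A missing mesh config entry means the
// restriction is off and the pass-through stays enabled.
func meshDestinationsOnly(cfgSnap *proxycfg.ConfigSnapshot) bool {
	meshCfg := cfgSnap.ConnectProxy.MeshConfig
	return meshCfg != nil && meshCfg.TransparentProxy.MeshDestinationsOnly
}

// … unchanged: clusters slice allocation …
if !meshDestinationsOnly(cfgSnap) {
	// … unchanged: append the original-destination cluster …
```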


@ -656,7 +656,7 @@ func TestClustersFromSnapshot(t *testing.T) {
snap.ConnectProxy.MeshConfigSet = true
snap.ConnectProxy.MeshConfig = &structs.MeshConfigEntry{
TransparentProxy: structs.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true,
MeshDestinationsOnly: true,
},
}
},


@ -212,9 +212,9 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg.
outboundListener.FilterChains[j].FilterChainMatch.PrefixRanges[0].AddressPrefix
})
// Add a catch-all filter chain that acts as a TCP proxy to non-catalog destinations
// Add a catch-all filter chain that acts as a TCP proxy to destinations outside the mesh
if cfgSnap.ConnectProxy.MeshConfig == nil ||
!cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.CatalogDestinationsOnly {
!cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.MeshDestinationsOnly {
filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain(
"",


@ -551,7 +551,7 @@ func TestListenersFromSnapshot(t *testing.T) {
snap.ConnectProxy.MeshConfigSet = true
snap.ConnectProxy.MeshConfig = &structs.MeshConfigEntry{
TransparentProxy: structs.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true,
MeshDestinationsOnly: true,
},
}


@ -11,7 +11,7 @@ type MeshConfigEntry struct {
}
type TransparentProxyMeshConfig struct {
CatalogDestinationsOnly bool `alias:"catalog_destinations_only"`
MeshDestinationsOnly bool `alias:"mesh_destinations_only"`
}
func (e *MeshConfigEntry) GetKind() string {


@ -199,7 +199,7 @@ func TestAPI_ConfigEntries(t *testing.T) {
t.Run("Mesh", func(t *testing.T) {
mesh := &MeshConfigEntry{
TransparentProxy: TransparentProxyMeshConfig{CatalogDestinationsOnly: true},
TransparentProxy: TransparentProxyMeshConfig{MeshDestinationsOnly: true},
Meta: map[string]string{
"foo": "bar",
"gir": "zim",
@ -1213,7 +1213,7 @@ func TestDecodeConfigEntry(t *testing.T) {
"gir": "zim"
},
"TransparentProxy": {
"CatalogDestinationsOnly": true
"MeshDestinationsOnly": true
}
}
`,
@ -1223,7 +1223,7 @@ func TestDecodeConfigEntry(t *testing.T) {
"gir": "zim",
},
TransparentProxy: TransparentProxyMeshConfig{
CatalogDestinationsOnly: true,
MeshDestinationsOnly: true,
},
},
},


@ -124,7 +124,7 @@ meta {
"gir" = "zim"
}
transparent_proxy {
catalog_destinations_only = true
mesh_destinations_only = true
}
`)
@ -2674,7 +2674,7 @@ func TestParseConfigEntry(t *testing.T) {
"gir" = "zim"
}
transparent_proxy {
catalog_destinations_only = true
mesh_destinations_only = true
}
`,
camel: `
@ -2684,7 +2684,7 @@ func TestParseConfigEntry(t *testing.T) {
"gir" = "zim"
}
TransparentProxy {
CatalogDestinationsOnly = true
MeshDestinationsOnly = true
}
`,
snakeJSON: `
@ -2695,7 +2695,7 @@ func TestParseConfigEntry(t *testing.T) {
"gir": "zim"
},
"transparent_proxy": {
"catalog_destinations_only": true
"mesh_destinations_only": true
}
}
`,
@ -2707,7 +2707,7 @@ func TestParseConfigEntry(t *testing.T) {
"gir": "zim"
},
"TransparentProxy": {
"CatalogDestinationsOnly": true
"MeshDestinationsOnly": true
}
}
`,
@ -2717,7 +2717,7 @@ func TestParseConfigEntry(t *testing.T) {
"gir": "zim",
},
TransparentProxy: api.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true,
MeshDestinationsOnly: true,
},
},
},


@ -18,7 +18,7 @@ Settings in this config entry apply across all namespaces and federated datacent
## Sample Config Entries
### Proxy traffic to catalog destinations only
### Only allow transparent proxies to dial addresses in the mesh.
<Tabs>
<Tab heading="HCL">
@ -27,7 +27,7 @@ Settings in this config entry apply across all namespaces and federated datacent
Kind = "mesh"
TransparentProxy {
CatalogDestinationsOnly = true
MeshDestinationsOnly = true
}
```
@ -42,7 +42,7 @@ Kind = "mesh"
Namespace = "default" # Can only be set to "default".
TransparentProxy {
CatalogDestinationsOnly = true
MeshDestinationsOnly = true
}
```
@ -61,9 +61,9 @@ TransparentProxy {
- `TransparentProxy` `(TransparentProxyConfig: <optional>)` - Controls configuration specific to proxies in
`transparent` [mode](/docs/connect/config-entries/service-defaults#mode). Added in v1.10.0.
- `CatalogDestinationsOnly` `(bool: false)` - Determines whether sidecar proxies operating in transparent mode can
proxy traffic to IP addresses not registered in Consul's catalog. If enabled, traffic will only be proxied
to upstreams with service registrations in the catalog. If disabled, requests will be proxied as-is to the
- `MeshDestinationsOnly` `(bool: false)` - Determines whether sidecar proxies operating in transparent mode can
proxy traffic to IP addresses not registered in Consul's mesh. If enabled, traffic will only be proxied
to upstream proxies or Connect-native services. If disabled, requests will be proxied as-is to the
original destination IP address. Consul will not encrypt the connection.
## ACLs