open-consul

Commit Graph

Author	SHA1	Message	Date
Kyle Havlovitz	c31554ec64	Fix syntax for bootstrap sds secret config	2022-07-06 09:53:40 -07:00
R.B. Boyer	7672532b05	xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629 ) When the protocol is http-like, and an intention has a peered source then the normal RBAC mTLS SAN field check is replaces with a joint combo of: mTLS SAN field must be the service's local mesh gateway leaf cert AND the first XFCC header (from the MGW) must have a URI field that matches the original intention source Also: - Update the regex program limit to be much higher than the teeny defaults, since the RBAC regex constructions are more complicated now. - Fix a few stray panics in xds generation.	2022-06-29 10:29:54 -05:00
Kyle Havlovitz	7c5ef2aa3f	command: Add TLS support for envoy prometheus endpoint	2022-06-16 17:53:05 -07:00

Author

SHA1

Message

Date

Kyle Havlovitz

c31554ec64

Fix syntax for bootstrap sds secret config

2022-07-06 09:53:40 -07:00

R.B. Boyer

7672532b05

xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629 )

When the protocol is http-like, and an intention has a peered source
then the normal RBAC mTLS SAN field check is replaces with a joint combo
of:

    mTLS SAN field must be the service's local mesh gateway leaf cert
      AND
    the first XFCC header (from the MGW) must have a URI field that matches the original intention source

Also:

- Update the regex program limit to be much higher than the teeny
  defaults, since the RBAC regex constructions are more complicated now.

- Fix a few stray panics in xds generation.

2022-06-29 10:29:54 -05:00

Kyle Havlovitz

7c5ef2aa3f

command: Add TLS support for envoy prometheus endpoint

2022-06-16 17:53:05 -07:00

3 Commits