bc10055edc
The importing peer will need to know what SNI and SPIFFE name corresponds to each exported service. Additionally it will need to know at a high level the protocol in use (L4/L7) to generate the appropriate connection pool and local metrics. For replicated connect synthetic entities we edit the `Connect{}` part of a `NodeService` to have a new section: { "PeerMeta": { "SNI": [ "web.default.default.owt.external.183150d5-1033-3672-c426-c29205a576b8.consul" ], "SpiffeID": [ "spiffe://183150d5-1033-3672-c426-c29205a576b8.consul/ns/default/dc/dc1/svc/web" ], "Protocol": "tcp" } } This data is then replicated and saved as-is at the importing side. Both SNI and SpiffeID are slices for now until I can be sure we don't need them for how mesh gateways will ultimately work.
94 lines
2.7 KiB
Go
94 lines
2.7 KiB
Go
package connect
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
)
|
|
|
|
const (
|
|
internal = "internal"
|
|
version = "v1"
|
|
internalVersion = internal + "-" + version
|
|
external = "external"
|
|
)
|
|
|
|
func UpstreamSNI(u *structs.Upstream, subset string, dc string, trustDomain string) string {
|
|
if u.Datacenter != "" {
|
|
dc = u.Datacenter
|
|
}
|
|
|
|
if u.DestinationType == structs.UpstreamDestTypePreparedQuery {
|
|
return QuerySNI(u.DestinationName, dc, trustDomain)
|
|
}
|
|
// TODO(peering): account for peer here?
|
|
return ServiceSNI(u.DestinationName, subset, u.DestinationNamespace, u.DestinationPartition, dc, trustDomain)
|
|
}
|
|
|
|
func GatewaySNI(dc string, partition, trustDomain string) string {
|
|
if partition == "" {
|
|
// TODO(partitions) Make default available in OSS as a constant for uses like this one
|
|
partition = "default"
|
|
}
|
|
|
|
switch partition {
|
|
case "default":
|
|
return dotJoin(dc, internal, trustDomain)
|
|
default:
|
|
return dotJoin(partition, dc, internalVersion, trustDomain)
|
|
}
|
|
}
|
|
|
|
func ServiceSNI(service string, subset string, namespace string, partition string, datacenter string, trustDomain string) string {
|
|
if namespace == "" {
|
|
namespace = structs.IntentionDefaultNamespace
|
|
}
|
|
if partition == "" {
|
|
// TODO(partitions) Make default available in OSS as a constant for uses like this one
|
|
partition = "default"
|
|
}
|
|
|
|
switch partition {
|
|
case "default":
|
|
if subset == "" {
|
|
return dotJoin(service, namespace, datacenter, internal, trustDomain)
|
|
} else {
|
|
return dotJoin(subset, service, namespace, datacenter, internal, trustDomain)
|
|
}
|
|
default:
|
|
if subset == "" {
|
|
return dotJoin(service, namespace, partition, datacenter, internalVersion, trustDomain)
|
|
} else {
|
|
return dotJoin(subset, service, namespace, partition, datacenter, internalVersion, trustDomain)
|
|
}
|
|
}
|
|
}
|
|
|
|
func PeeredServiceSNI(service, namespace, partition, peerName, trustDomain string) string {
|
|
if peerName == "" {
|
|
panic("peer name is a requirement for this function and does not make sense without it")
|
|
}
|
|
if namespace == "" {
|
|
namespace = structs.IntentionDefaultNamespace
|
|
}
|
|
if partition == "" {
|
|
// TODO(partitions) Make default available in OSS as a constant for uses like this one
|
|
partition = "default"
|
|
}
|
|
|
|
return dotJoin(service, namespace, partition, peerName, external, trustDomain)
|
|
}
|
|
|
|
func dotJoin(parts ...string) string {
|
|
return strings.Join(parts, ".")
|
|
}
|
|
|
|
func QuerySNI(service string, datacenter string, trustDomain string) string {
|
|
return fmt.Sprintf("%s.default.%s.query.%s", service, datacenter, trustDomain)
|
|
}
|
|
|
|
func TargetSNI(target *structs.DiscoveryTarget, trustDomain string) string {
|
|
return ServiceSNI(target.Service, target.ServiceSubset, target.Namespace, target.Partition, target.Datacenter, trustDomain)
|
|
}
|