4cb251497f
When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
package connect
import (
"fmt"
"net/url"
"github.com/hashicorp/consul/acl"
)
// SpiffeIDService is the structure to represent the SPIFFE ID for a service.
//
// URI renders the identity as
// spiffe://<Host>/[ap/<partition>/]ns/<namespace>/dc/<Datacenter>/svc/<Service>.
// The field values are placed into that path verbatim; nothing in this file
// escapes or validates them. NOTE(review): a value containing '/' would change
// the path structure of an identity that is later matched in RBAC rules —
// confirm that upstream validation rejects such names.
type SpiffeIDService struct {
	// Host becomes the host component of the SPIFFE URI (the trust domain,
	// per the commit description).
	Host string
	// Partition is the admin partition. It is consulted through
	// PartitionOrDefault (defined elsewhere); an empty or "default" result
	// is omitted from the URI path, anything else is emitted as a leading
	// /ap/<partition> segment.
	Partition string
	// Namespace is the service namespace; NamespaceOrDefault substitutes the
	// ACL default when it is empty.
	Namespace string
	// Datacenter is emitted as the /dc/ path segment verbatim; no defaulting
	// is applied here.
	Datacenter string
	// Service is the service name, emitted as the /svc/ path segment.
	Service string
}
// NamespaceOrDefault returns the ID's namespace, substituting the ACL
// default namespace when the field is empty.
func (id SpiffeIDService) NamespaceOrDefault() string {
	ns := id.Namespace
	return acl.NamespaceOrDefault(ns)
}
// MatchesPartition reports whether the ID belongs to the given partition.
// Both sides are normalised with their respective *OrDefault helpers first,
// so an empty partition on either side compares as the default partition.
func (id SpiffeIDService) MatchesPartition(partition string) bool {
	want := acl.PartitionOrDefault(partition)
	got := id.PartitionOrDefault()
	return got == want
}
// URI returns the *url.URL for this SPIFFE ID.
//
// The scheme is always "spiffe", the host is taken from Host as-is and the
// path is produced by uriPath. A fresh URL is returned on every call.
func (id SpiffeIDService) URI() *url.URL {
	return &url.URL{
		Scheme: "spiffe",
		Host:   id.Host,
		Path:   id.uriPath(),
	}
}
// uriPath builds the path component of the SPIFFE URI:
// "/ns/<namespace>/dc/<datacenter>/svc/<service>", prefixed with
// "/ap/<partition>" when the partition is neither empty nor "default".
//
// The components are interpolated verbatim; no escaping is applied here.
func (id SpiffeIDService) uriPath() string {
	// Namespace is resolved before the partition, matching the order in
	// which the helpers were originally consulted.
	tail := fmt.Sprintf("ns/%s/dc/%s/svc/%s",
		id.NamespaceOrDefault(),
		id.Datacenter,
		id.Service,
	)

	// Although OSS has no support for partitions, it still needs to be able to
	// handle exportedPartition from peered Consul Enterprise clusters in order
	// to generate the correct SpiffeID.
	// We intentionally avoid using pbpartition.DefaultName here to be OSS friendly.
	ap := id.PartitionOrDefault()
	switch ap {
	case "", "default":
		return "/" + tail
	default:
		return fmt.Sprintf("/ap/%s/%s", ap, tail)
	}
}