7672532b05
When the protocol is http-like, and an intention has a peered source
then the normal RBAC mTLS SAN field check is replaces with a joint combo
of:
mTLS SAN field must be the service's local mesh gateway leaf cert
AND
the first XFCC header (from the MGW) must have a URI field that matches the original intention source
Also:
- Update the regex program limit to be much higher than the teeny
defaults, since the RBAC regex constructions are more complicated now.
- Fix a few stray panics in xds generation.
|
||
|---|---|---|
| .. | ||
| acl | ||
| agent | ||
| catalog | ||
| cli | ||
| config | ||
| connect | ||
| debug | ||
| event | ||
| exec | ||
| flags | ||
| forceleave | ||
| helpers | ||
| info | ||
| intention | ||
| join | ||
| keygen | ||
| keyring | ||
| kv | ||
| leave | ||
| lock | ||
| login | ||
| logout | ||
| maint | ||
| members | ||
| monitor | ||
| operator | ||
| reload | ||
| rtt | ||
| services | ||
| snapshot | ||
| tls | ||
| validate | ||
| version | ||
| watch | ||
| registry.go | ||
| registry_oss.go | ||