d8d89d4b59
This implements permissive mTLS , which allows toggling services into "permissive" mTLS mode. Permissive mTLS mode allows incoming "non Consul-mTLS" traffic to be forward unmodified to the application. * Update service-defaults and proxy-defaults config entries with a MutualTLSMode field * Update the mesh config entry with an AllowEnablingPermissiveMutualTLS field and implement the necessary validation. AllowEnablingPermissiveMutualTLS must be true to allow changing to MutualTLSMode=permissive, but this does not require that all proxy-defaults and service-defaults are currently in strict mode. * Update xDS listener config to add a "permissive filter chain" when MutualTLSMode=permissive for a particular service. The permissive filter chain matches incoming traffic by the destination port. If the destination port matches the service port from the catalog, then no mTLS is required and the traffic sent is forwarded unmodified to the application.
91 lines
2.9 KiB
Go
91 lines
2.9 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package api
|
|
|
|
import (
|
|
"encoding/json"
|
|
)
|
|
|
|
// MeshConfigEntry manages the global configuration for all service mesh
|
|
// proxies.
|
|
type MeshConfigEntry struct {
|
|
// Partition is the partition the MeshConfigEntry applies to.
|
|
// Partitioning is a Consul Enterprise feature.
|
|
Partition string `json:",omitempty"`
|
|
|
|
// Namespace is the namespace the MeshConfigEntry applies to.
|
|
// Namespacing is a Consul Enterprise feature.
|
|
Namespace string `json:",omitempty"`
|
|
|
|
// TransparentProxy applies configuration specific to proxies
|
|
// in transparent mode.
|
|
TransparentProxy TransparentProxyMeshConfig `alias:"transparent_proxy"`
|
|
|
|
// AllowEnablingPermissiveMutualTLS must be true in order to allow setting
|
|
// MutualTLSMode=permissive in either service-defaults or proxy-defaults.
|
|
AllowEnablingPermissiveMutualTLS bool `json:",omitempty" alias:"allow_enabling_permissive_mutual_tls"`
|
|
|
|
TLS *MeshTLSConfig `json:",omitempty"`
|
|
|
|
HTTP *MeshHTTPConfig `json:",omitempty"`
|
|
|
|
Peering *PeeringMeshConfig `json:",omitempty"`
|
|
|
|
Meta map[string]string `json:",omitempty"`
|
|
|
|
// CreateIndex is the Raft index this entry was created at. This is a
|
|
// read-only field.
|
|
CreateIndex uint64
|
|
|
|
// ModifyIndex is used for the Check-And-Set operations and can also be fed
|
|
// back into the WaitIndex of the QueryOptions in order to perform blocking
|
|
// queries.
|
|
ModifyIndex uint64
|
|
}
|
|
|
|
type TransparentProxyMeshConfig struct {
|
|
MeshDestinationsOnly bool `alias:"mesh_destinations_only"`
|
|
}
|
|
|
|
type MeshTLSConfig struct {
|
|
Incoming *MeshDirectionalTLSConfig `json:",omitempty"`
|
|
Outgoing *MeshDirectionalTLSConfig `json:",omitempty"`
|
|
}
|
|
|
|
type MeshDirectionalTLSConfig struct {
|
|
TLSMinVersion string `json:",omitempty" alias:"tls_min_version"`
|
|
TLSMaxVersion string `json:",omitempty" alias:"tls_max_version"`
|
|
CipherSuites []string `json:",omitempty" alias:"cipher_suites"`
|
|
}
|
|
|
|
type MeshHTTPConfig struct {
|
|
SanitizeXForwardedClientCert bool `alias:"sanitize_x_forwarded_client_cert"`
|
|
}
|
|
|
|
type PeeringMeshConfig struct {
|
|
PeerThroughMeshGateways bool `json:",omitempty" alias:"peer_through_mesh_gateways"`
|
|
}
|
|
|
|
func (e *MeshConfigEntry) GetKind() string { return MeshConfig }
|
|
func (e *MeshConfigEntry) GetName() string { return MeshConfigMesh }
|
|
func (e *MeshConfigEntry) GetPartition() string { return e.Partition }
|
|
func (e *MeshConfigEntry) GetNamespace() string { return e.Namespace }
|
|
func (e *MeshConfigEntry) GetMeta() map[string]string { return e.Meta }
|
|
func (e *MeshConfigEntry) GetCreateIndex() uint64 { return e.CreateIndex }
|
|
func (e *MeshConfigEntry) GetModifyIndex() uint64 { return e.ModifyIndex }
|
|
|
|
// MarshalJSON adds the Kind field so that the JSON can be decoded back into the
|
|
// correct type.
|
|
func (e *MeshConfigEntry) MarshalJSON() ([]byte, error) {
|
|
type Alias MeshConfigEntry
|
|
source := &struct {
|
|
Kind string
|
|
*Alias
|
|
}{
|
|
Kind: MeshConfig,
|
|
Alias: (*Alias)(e),
|
|
}
|
|
return json.Marshal(source)
|
|
}
|