open-consul/agent/connect
Freddy 6ef38eaea7
Configure upstream TLS context with peer root certs (#13321)

For mTLS to work between two proxies in peered clusters with different root CAs,
proxies need to configure their outbound listener to use different root certificates
for validation.

Up until peering was introduced, proxies would only ever use one set of root certificates
to validate all mesh traffic, both inbound and outbound. Now an upstream proxy
may have a leaf certificate signed by a CA that's different from the dialing proxy's.

This PR makes changes to proxycfg and xds so that the upstream TLS validation
uses different root certificates depending on which cluster is being dialed.
2022-06-01 15:53:52 -06:00
ca Configure upstream TLS context with peer root certs (#13321) 2022-06-01 15:53:52 -06:00
authz.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
authz_test.go Remove ent checks from oss test 2021-09-16 14:53:28 -06:00
common_names.go connect/ca: cease including the common name field in generated certs (#10424) 2021-06-25 13:00:00 -05:00
csr.go ConnectCA.Sign gRPC Endpoint (#12787) 2022-04-14 14:26:14 +01:00
generate.go ca: examine the full chain in newCARoot 2022-02-17 18:21:30 -05:00
generate_test.go bulk rewrite using this script 2022-01-20 10:46:23 -06:00
parsing.go ca: examine the full chain in newCARoot 2022-02-17 18:21:30 -05:00
sni.go peering: replicate expected SNI, SPIFFE, and service protocol to peers (#13218) 2022-05-25 12:37:44 -05:00
sni_test.go peering: replicate expected SNI, SPIFFE, and service protocol to peers (#13218) 2022-05-25 12:37:44 -05:00
testing_ca.go peering: replicate expected SNI, SPIFFE, and service protocol to peers (#13218) 2022-05-25 12:37:44 -05:00
testing_ca_test.go bulk rewrite using this script 2022-01-20 10:46:23 -06:00
testing_spiffe.go connect: Add logic for updating secondary DC intermediate on config set 2020-11-13 14:33:44 -08:00
uri.go auto-config: ensure the feature works properly with partitions (#11699) 2021-12-01 13:32:34 -06:00
uri_agent.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
uri_agent_oss.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
uri_agent_oss_test.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
uri_service.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
uri_service_oss.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
uri_service_oss_test.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
uri_signing.go ca: accept only the cluster ID to SpiffeIDSigningForCluster 2021-11-16 16:57:21 -05:00
uri_signing_test.go ca: accept only the cluster ID to SpiffeIDSigningForCluster 2021-11-16 16:57:21 -05:00
uri_test.go auto-config: ensure the feature works properly with partitions (#11699) 2021-12-01 13:32:34 -06:00
x509_patch.go connect/ca: cease including the common name field in generated certs (#10424) 2021-06-25 13:00:00 -05:00
x509_patch_test.go connect/ca: cease including the common name field in generated certs (#10424) 2021-06-25 13:00:00 -05:00