open-consul/agent/xds
Mark Anderson d8f4cc5537 Add x-forwarded-client-cert headers
Description
Add x-fowarded-client-cert information on trusted incoming connections.

Envoy provides support forwarding and annotating the
x-forwarded-client-cert header via the forward_client_cert_details
set_current_client_cert_details filter fields. It would be helpful for
consul to support this directly in its config. The escape hatches are
a bit cumbersome for this purpose.

This has been implemented on incoming connections to envoy. Outgoing
(from the local service through the sidecar) will not have a
certificate, and so are left alone.

A service on an incoming connection will now get headers something like this:

```
X-Forwarded-Client-Cert:[By=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/counting;Hash=61ad5cbdfcb50f5a3ec0ca60923d61613c149a9d4495010a64175c05a0268ab2;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/dashboard]
```

Closes #12852
2022-05-04 08:50:58 -07:00
..
proxysupport connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805) 2022-04-18 09:36:07 -07:00
serverlessplugin Implement routing and intentions for AWS Lambdas 2022-04-13 11:45:25 -04:00
testdata Add x-forwarded-client-cert headers 2022-05-04 08:50:58 -07:00
xdscommon Implement routing and intentions for AWS Lambdas 2022-04-13 11:45:25 -04:00
clusters.go xds: ensure that all connect timeout configs can apply equally to tproxy direct dial connections (#12711) 2022-04-07 16:58:21 -05:00
clusters_test.go
config.go
config_test.go
delta.go connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805) 2022-04-18 09:36:07 -07:00
delta_test.go connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805) 2022-04-18 09:36:07 -07:00
endpoints.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
endpoints_test.go
envoy_versioning.go connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805) 2022-04-18 09:36:07 -07:00
envoy_versioning_test.go connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805) 2022-04-18 09:36:07 -07:00
failover_math.go
failover_math_test.go
golden_test.go connect: Add Envoy 1.21.1 to support matrix, remove 1.17.4 (#12777) 2022-04-14 10:44:42 -07:00
listeners.go Add x-forwarded-client-cert headers 2022-05-04 08:50:58 -07:00
listeners_ingress.go
listeners_test.go Add x-forwarded-client-cert headers 2022-05-04 08:50:58 -07:00
naming.go
net_fallback.go
net_linux.go
protocol_trace.go
rbac.go
rbac_test.go
resources.go
response.go
routes.go
routes_test.go
server.go WatchRoots gRPC endpoint (#12678) 2022-04-05 15:26:14 +01:00
server_oss.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
serverless_plugin_oss_test.go Implement routing and intentions for AWS Lambdas 2022-04-13 11:45:25 -04:00
testing.go
xds.go
xds_protocol_helpers_test.go connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805) 2022-04-18 09:36:07 -07:00
z_xds_packages.go
z_xds_packages_test.go