luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity
open-consul/agent/xds
History
Mark Anderson d8f4cc5537 Add x-forwarded-client-cert headers 
Description
Add x-fowarded-client-cert information on trusted incoming connections.

Envoy provides support forwarding and annotating the
x-forwarded-client-cert header via the forward_client_cert_details
set_current_client_cert_details filter fields. It would be helpful for
consul to support this directly in its config. The escape hatches are
a bit cumbersome for this purpose.

This has been implemented on incoming connections to envoy. Outgoing
(from the local service through the sidecar) will not have a
certificate, and so are left alone.

A service on an incoming connection will now get headers something like this:

```
X-Forwarded-Client-Cert:[By=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/counting;Hash=61ad5cbdfcb50f5a3ec0ca60923d61613c149a9d4495010a64175c05a0268ab2;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/dashboard]
```

Closes #12852
 		2022-05-04 08:50:58 -07:00
..
proxysupport connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805) 2022-04-18 09:36:07 -07:00
serverlessplugin Implement routing and intentions for AWS Lambdas 2022-04-13 11:45:25 -04:00
testdata Add x-forwarded-client-cert headers 2022-05-04 08:50:58 -07:00
xdscommon Implement routing and intentions for AWS Lambdas 2022-04-13 11:45:25 -04:00
clusters.go xds: ensure that all connect timeout configs can apply equally to tproxy direct dial connections (#12711) 2022-04-07 16:58:21 -05:00
clusters_test.go Use the GatewayService SNI field for upstream SAN validation 2022-03-31 13:54:25 -07:00
config.go Support Incremental xDS mode (#9855) 2021-04-29 13:54:05 -05:00
config_test.go Support Incremental xDS mode (#9855) 2021-04-29 13:54:05 -05:00
delta.go connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805) 2022-04-18 09:36:07 -07:00
delta_test.go connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805) 2022-04-18 09:36:07 -07:00
endpoints.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
endpoints_test.go Make an xdscommon package that will be shared between Consul and Envoy plugins 2022-03-08 14:57:23 -05:00
envoy_versioning.go connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805) 2022-04-18 09:36:07 -07:00
envoy_versioning_test.go connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805) 2022-04-18 09:36:07 -07:00
failover_math.go xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) 2021-02-26 16:23:15 -06:00
failover_math_test.go partition dicovery chains (#10983) 2021-09-07 16:29:32 -04:00
golden_test.go connect: Add Envoy 1.21.1 to support matrix, remove 1.17.4 (#12777) 2022-04-14 10:44:42 -07:00
listeners.go Add x-forwarded-client-cert headers 2022-05-04 08:50:58 -07:00
listeners_ingress.go xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601) 2022-03-30 13:43:59 -05:00
listeners_test.go Add x-forwarded-client-cert headers 2022-05-04 08:50:58 -07:00
naming.go connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340) 2019-08-19 13:03:03 -05:00
net_fallback.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
net_linux.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
protocol_trace.go Support Incremental xDS mode (#9855) 2021-04-29 13:54:05 -05:00
rbac.go Update spiffe ID patterns used for RBAC 2021-09-14 11:00:03 -06:00
rbac_test.go connect: Remove support for Envoy 1.16 (#11354) 2021-10-27 18:51:35 -07:00
resources.go Make an xdscommon package that will be shared between Consul and Envoy plugins 2022-03-08 14:57:23 -05:00
response.go Continue working through proxy and agent 2021-05-04 12:41:43 -07:00
routes.go server: ensure that service-defaults meta is incorporated into the discovery chain response (#12511) 2022-03-30 10:04:18 -05:00
routes_test.go Make an xdscommon package that will be shared between Consul and Envoy plugins 2022-03-08 14:57:23 -05:00
server.go WatchRoots gRPC endpoint (#12678) 2022-04-05 15:26:14 +01:00
server_oss.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
serverless_plugin_oss_test.go Implement routing and intentions for AWS Lambdas 2022-04-13 11:45:25 -04:00
testing.go xds: fix for delta xDS reconnect bug in LDS/CDS (#12174) 2022-01-25 11:24:27 -06:00
xds.go Remove unused customEDSClusterJSON 2020-03-27 15:38:16 -04:00
xds_protocol_helpers_test.go connect: Add Envoy 1.22 to integration tests, remove Envoy 1.18 (#12805) 2022-04-18 09:36:07 -07:00
z_xds_packages.go Bump go-control-plane 2022-03-30 13:11:27 -04:00
z_xds_packages_test.go xds: ensure that all envoyproxy/go-control-plane protobuf symbols are linked into the final binary (#10131) 2021-04-29 14:58:26 -05:00