7672532b05
When the protocol is http-like, and an intention has a peered source
then the normal RBAC mTLS SAN field check is replaces with a joint combo
of:
mTLS SAN field must be the service's local mesh gateway leaf cert
AND
the first XFCC header (from the MGW) must have a URI field that matches the original intention source
Also:
- Update the regex program limit to be much higher than the teeny
defaults, since the RBAC regex constructions are more complicated now.
- Fix a few stray panics in xds generation.
|
||
|---|---|---|
| .. | ||
| pipe-bootstrap | ||
| testdata | ||
| bootstrap_config.go | ||
| bootstrap_config_test.go | ||
| bootstrap_tpl.go | ||
| envoy.go | ||
| envoy_oss_test.go | ||
| envoy_test.go | ||
| exec_test.go | ||
| exec_unix.go | ||
| exec_unsupported.go | ||
| flags.go | ||
| flags_test.go | ||