open-consul/agent/consul
R.B. Boyer ee5eb5a960
state: prohibit changing an exported tcp discovery chain in a way that would break SAN validation (#13727)
For L4/tcp exported services the mesh gateways will not be terminating
TLS. A caller in one peer will be directly establishing TLS connections
to the ultimate exported service in the other peer.

The caller will be doing SAN validation using the replicated SpiffeID
values shipped from the exporting side. There are a class of discovery
chain edits that could be done on the exporting side that would cause
the introduction of a new SpiffeID value. In between the time of the
config entry update on the exporting side and the importing side getting
updated peer stream data requests to the exported service would fail due
to SAN validation errors.

This is unacceptable so instead prohibit the exporting peer from making
changes that would break peering in this way.
2022-07-12 11:17:33 -05:00
..
auth acl: gRPC login and logout endpoints (#12935) 2022-05-04 17:38:45 +01:00
authmethod acl: Adjust region handling in AWS IAM auth method (#12774) 2022-04-13 14:31:37 -05:00
autopilotevents test: update mockery use to put mocks into test files (#13656) 2022-07-05 16:57:15 -05:00
discoverychain xds: ensure that all connect timeout configs can apply equally to tproxy direct dial connections (#12711) 2022-04-07 16:58:21 -05:00
fsm proxycfg: server-local intentions data source 2022-07-04 10:48:36 +01:00
prepared_query peering: initial sync (#12842) 2022-04-21 17:34:40 -05:00
state state: prohibit changing an exported tcp discovery chain in a way that would break SAN validation (#13727) 2022-07-12 11:17:33 -05:00
stream proxycfg: server-local config entry data sources 2022-07-04 10:48:36 +01:00
testdata ca: examine the full chain in newCARoot 2022-02-17 18:21:30 -05:00
usagemetrics Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
wanfed grpc: ensure that streaming gRPC requests work over mesh gateway based wan federation (#10838) 2021-08-24 16:28:44 -05:00
watch test: update mockery use to put mocks into test files (#13656) 2022-07-05 16:57:15 -05:00
acl.go proxycfg: server-local intention upstreams data source 2022-07-04 10:48:36 +01:00
acl_authmethod.go acl: gRPC login and logout endpoints (#12935) 2022-05-04 17:38:45 +01:00
acl_authmethod_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
acl_client.go Merge pull request #12165 from hashicorp/dnephin/acl-resolve-token 2022-01-31 13:27:49 -05:00
acl_endpoint.go proxycfg: server-local intention upstreams data source 2022-07-04 10:48:36 +01:00
acl_endpoint_legacy.go acl: remove most of the rest of structs/acl_legacy.go 2021-10-25 17:20:06 -04:00
acl_endpoint_oss.go acl: gRPC login and logout endpoints (#12935) 2022-05-04 17:38:45 +01:00
acl_endpoint_test.go proxycfg: server-local intention upstreams data source 2022-07-04 10:48:36 +01:00
acl_oss.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
acl_oss_test.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
acl_replication.go acl: remove legacy ACL replication 2021-09-03 12:42:06 -04:00
acl_replication_test.go proxycfg: server-local intention upstreams data source 2022-07-04 10:48:36 +01:00
acl_replication_types.go proxycfg: server-local intention upstreams data source 2022-07-04 10:48:36 +01:00
acl_server.go acl: gRPC login and logout endpoints (#12935) 2022-05-04 17:38:45 +01:00
acl_server_oss.go acl: gRPC login and logout endpoints (#12935) 2022-05-04 17:38:45 +01:00
acl_test.go proxycfg: server-local intention upstreams data source 2022-07-04 10:48:36 +01:00
acl_token_exp.go acl: gRPC login and logout endpoints (#12935) 2022-05-04 17:38:45 +01:00
acl_token_exp_test.go [OSS] Remove remaining references to master (#11827) 2022-01-20 12:47:50 +00:00
auto_config_backend.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
auto_config_backend_test.go [OSS] Remove remaining references to master (#11827) 2022-01-20 12:47:50 +00:00
auto_config_endpoint.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
auto_config_endpoint_test.go peering: initial sync (#12842) 2022-04-21 17:34:40 -05:00
auto_encrypt_endpoint.go rpc: remove unnecessary arg to ForwardRPC 2021-05-06 13:30:07 -04:00
auto_encrypt_endpoint_test.go Support per-listener TLS configuration ⚙️ (#12504) 2022-03-18 10:46:58 +00:00
autopilot.go proxycfg: server-local config entry data sources 2022-07-04 10:48:36 +01:00
autopilot_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
autopilot_test.go Add event generation for autopilot state updates (#12626) 2022-04-19 13:03:03 -04:00
catalog_endpoint.go Add new index for PeeredServiceName and ServiceVirtualIP (#13582) 2022-06-24 14:38:39 -04:00
catalog_endpoint_test.go Move ACLResolveResult into acl/resolver package (#13467) 2022-06-17 10:24:43 +01:00
client.go Add timeout to Client RPC calls (#11500) 2022-04-21 16:21:35 -04:00
client_serf.go partitions: various refactors to support partitioning the serf LAN pool (#11568) 2021-11-15 09:51:14 -06:00
client_test.go proxycfg: server-local config entry data sources 2022-07-04 10:48:36 +01:00
cluster_test.go Vendor in rpc mono repo for net/rpc fork, go-msgpack, msgpackrpc. (#12311) 2022-02-14 09:45:45 -08:00
config.go server: broadcast the public grpc port using lan serf and update the consul service in the catalog with the same data (#13687) 2022-07-07 13:55:41 -05:00
config_endpoint.go Add support for merge-central-config query param (#13001) 2022-05-25 13:20:17 -07:00
config_endpoint_test.go feat: tgtwy xDS generation for destinations 2022-06-16 16:17:49 -04:00
config_oss.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
config_replication.go [sync oss] add net/rpc interceptor implementation (#12573) 2022-03-17 16:02:26 -07:00
config_replication_test.go server: partly fix config entry replication issue that prevents replication in some circumstances (#12307) 2022-02-23 17:27:48 -06:00
config_test.go partitions: various refactors to support partitioning the serf LAN pool (#11568) 2021-11-15 09:51:14 -06:00
connect_ca_endpoint.go ConnectCA.Sign gRPC Endpoint (#12787) 2022-04-14 14:26:14 +01:00
connect_ca_endpoint_test.go add general runstep test helper instead of copying it all over the place (#13013) 2022-05-10 15:25:51 -05:00
coordinate_endpoint.go Bulk acl message fixup oss (#12470) 2022-03-10 18:48:27 -08:00
coordinate_endpoint_test.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
discovery_chain_endpoint.go Bulk acl message fixup oss (#12470) 2022-03-10 18:48:27 -08:00
discovery_chain_endpoint_test.go add general runstep test helper instead of copying it all over the place (#13013) 2022-05-10 15:25:51 -05:00
enterprise_client_oss.go partitions: various refactors to support partitioning the serf LAN pool (#11568) 2021-11-15 09:51:14 -06:00
enterprise_config_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
enterprise_server_oss.go Add leader routine to clean up peerings 2022-06-14 15:36:50 -06:00
enterprise_server_oss_test.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
federation_state_endpoint.go Bulk acl message fixup oss (#12470) 2022-03-10 18:48:27 -08:00
federation_state_endpoint_test.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
federation_state_replication.go [sync oss] add net/rpc interceptor implementation (#12573) 2022-03-17 16:02:26 -07:00
federation_state_replication_test.go
filter.go acl: some acl authz refactors for nodes (#10909) 2021-08-25 13:43:11 -05:00
filter_test.go acl: remove id and revision from Policy constructors 2021-11-05 15:45:08 -04:00
flood.go
gateway_locator.go rpc: improve docs for blockingQuery 2022-02-15 14:20:14 -05:00
gateway_locator_test.go rpc: improve docs for blockingQuery 2022-02-15 14:20:14 -05:00
grpc_integration_test.go acl: gRPC login and logout endpoints (#12935) 2022-05-04 17:38:45 +01:00
health_endpoint.go Add support for merge-central-config query param (#13001) 2022-05-25 13:20:17 -07:00
health_endpoint_test.go add general runstep test helper instead of copying it all over the place (#13013) 2022-05-10 15:25:51 -05:00
helper_test.go Fix ENT drift in files (#13647) 2022-06-29 16:53:22 -04:00
intention_endpoint.go peering: block Intention.Apply ops (#13451) 2022-06-16 12:07:28 -07:00
intention_endpoint_test.go peering: block Intention.Apply ops (#13451) 2022-06-16 12:07:28 -07:00
internal_endpoint.go Add internal endpoint to fetch peered upstream candidates from VirtualIP table (#13642) 2022-06-29 16:34:58 -04:00
internal_endpoint_test.go Fix ENT drift in files (#13647) 2022-06-29 16:53:22 -04:00
issue_test.go peering: initial sync (#12842) 2022-04-21 17:34:40 -05:00
kvs_endpoint.go Move ACLResolveResult into acl/resolver package (#13467) 2022-06-17 10:24:43 +01:00
kvs_endpoint_test.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
leader.go server: broadcast the public grpc port using lan serf and update the consul service in the catalog with the same data (#13687) 2022-07-07 13:55:41 -05:00
leader_connect.go Add virtual IP generation for term gateway backed services 2022-01-12 12:08:49 -08:00
leader_connect_ca.go xds: mesh gateways now have their own leaf certificate when involved in a peering (#13460) 2022-06-15 14:36:18 -05:00
leader_connect_ca_test.go Configure upstream TLS context with peer root certs (#13321) 2022-06-01 15:53:52 -06:00
leader_connect_test.go add general runstep test helper instead of copying it all over the place (#13013) 2022-05-10 15:25:51 -05:00
leader_federation_state_ae.go peering: initial sync (#12842) 2022-04-21 17:34:40 -05:00
leader_federation_state_ae_test.go Rename ACLMasterToken => ACLInitialManagementToken (#11746) 2021-12-07 12:39:28 +00:00
leader_intentions.go [sync oss] add net/rpc interceptor implementation (#12573) 2022-03-17 16:02:26 -07:00
leader_intentions_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
leader_intentions_oss_test.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
leader_intentions_test.go configentry: make a new package to hold shared config entry structs that aren't used for RPC or the FSM (#12384) 2022-02-22 10:36:36 -06:00
leader_metrics.go ca: use the new leaf signing lookup func in leader metrics 2022-01-06 16:55:49 -05:00
leader_oss_test.go partitions: various refactors to support partitioning the serf LAN pool (#11568) 2021-11-15 09:51:14 -06:00
leader_peering.go peering: move peer replication to the external gRPC port (#13698) 2022-07-08 12:01:13 -05:00
leader_peering_test.go peering: move peer replication to the external gRPC port (#13698) 2022-07-08 12:01:13 -05:00
leader_test.go Add new index for PeeredServiceName and ServiceVirtualIP (#13582) 2022-06-24 14:38:39 -04:00
logging.go
logging_test.go bulk rewrite using this script 2022-01-20 10:46:23 -06:00
merge.go catalog: compare node names case insensitively in more places (#12444) 2022-02-24 16:54:47 -06:00
merge_oss.go partitions: various refactors to support partitioning the serf LAN pool (#11568) 2021-11-15 09:51:14 -06:00
merge_oss_test.go partitions: various refactors to support partitioning the serf LAN pool (#11568) 2021-11-15 09:51:14 -06:00
merge_service_config.go feat: tgtwy xDS generation for destinations 2022-06-16 16:17:49 -04:00
merge_service_config_test.go Add support for merge-central-config query param (#13001) 2022-05-25 13:20:17 -07:00
merge_test.go catalog: compare node names case insensitively in more places (#12444) 2022-02-24 16:54:47 -06:00
operator_autopilot_endpoint.go Enable running autopilot state updates on all servers (#12617) 2022-04-07 10:48:48 -04:00
operator_autopilot_endpoint_test.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
operator_endpoint.go
operator_raft_endpoint.go Bulk acl message fixup oss (#12470) 2022-03-10 18:48:27 -08:00
operator_raft_endpoint_test.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
options.go proxycfg: server-local config entry data sources 2022-07-04 10:48:36 +01:00
options_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
peering_backend.go Return error if ServerAddresses is empty (#13714) 2022-07-12 11:09:00 -04:00
peering_backend_oss.go peering: move peer replication to the external gRPC port (#13698) 2022-07-08 12:01:13 -05:00
peering_backend_oss_test.go peering: allow protobuf requests to populate the default partition or namespace (#13398) 2022-06-08 11:55:18 -05:00
peering_backend_test.go add general runstep test helper instead of copying it all over the place (#13013) 2022-05-10 15:25:51 -05:00
prepared_query_endpoint.go proxycfg: server-local intention upstreams data source 2022-07-04 10:48:36 +01:00
prepared_query_endpoint_test.go proxycfg: server-local intention upstreams data source 2022-07-04 10:48:36 +01:00
raft_rpc.go rpc: authorize raft requests (#10925) 2021-08-26 15:04:32 -07:00
replication.go Apply suggestions from code review 2022-01-26 12:24:13 -05:00
replication_test.go Move some things around to allow for license updating via config reload 2021-05-25 09:57:50 -04:00
rpc.go [sync oss] add net/rpc interceptor implementation (#12573) 2022-03-17 16:02:26 -07:00
rpc_test.go proxycfg: server-local config entry data sources 2022-07-04 10:48:36 +01:00
rtt.go agent: ensure that most agent behavior correctly respects partition configuration (#10880) 2021-08-19 15:09:42 -05:00
rtt_test.go Vendor in rpc mono repo for net/rpc fork, go-msgpack, msgpackrpc. (#12311) 2022-02-14 09:45:45 -08:00
segment_oss.go partitions: various refactors to support partitioning the serf LAN pool (#11568) 2021-11-15 09:51:14 -06:00
serf_filter.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
serf_test.go
server.go peering: move peer replication to the external gRPC port (#13698) 2022-07-08 12:01:13 -05:00
server_connect.go Configure upstream TLS context with peer root certs (#13321) 2022-06-01 15:53:52 -06:00
server_lookup.go
server_lookup_test.go
server_oss.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
server_overview.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
server_overview_test.go oss: Add overview UI internal endpoint 2022-03-22 17:05:09 -07:00
server_register.go Add support for merge-central-config query param (#13001) 2022-05-25 13:20:17 -07:00
server_serf.go server: broadcast the public grpc port using lan serf and update the consul service in the catalog with the same data (#13687) 2022-07-07 13:55:41 -05:00
server_test.go peering: move peer replication to the external gRPC port (#13698) 2022-07-08 12:01:13 -05:00
session_endpoint.go Bulk acl message fixup oss (#12470) 2022-03-10 18:48:27 -08:00
session_endpoint_test.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
session_timers.go
session_timers_test.go
session_ttl.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
session_ttl_test.go Vendor in rpc mono repo for net/rpc fork, go-msgpack, msgpackrpc. (#12311) 2022-02-14 09:45:45 -08:00
snapshot_endpoint.go Bulk acl message fixup oss (#12470) 2022-03-10 18:48:27 -08:00
snapshot_endpoint_test.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
stats_fetcher.go introduce EmptyReadRequest for status_endpoint (#12653) 2022-03-29 18:05:45 -07:00
stats_fetcher_test.go Maybe fix another data race in a test 2020-12-22 18:53:54 -05:00
status_endpoint.go introduce EmptyReadRequest for status_endpoint (#12653) 2022-03-29 18:05:45 -07:00
status_endpoint_test.go Support per-listener TLS configuration ⚙️ (#12504) 2022-03-18 10:46:58 +00:00
subscribe_backend.go Move to using a shared EventPublisher (#12673) 2022-04-12 09:47:42 -04:00
subscribe_backend_test.go proxycfg: server-local config entry data sources 2022-07-04 10:48:36 +01:00
system_metadata.go [sync oss] add net/rpc interceptor implementation (#12573) 2022-03-17 16:02:26 -07:00
system_metadata_test.go testing: Revert assertion for virtual IP flag (#11932) 2022-01-04 11:24:56 -05:00
txn_endpoint.go Move ACLResolveResult into acl/resolver package (#13467) 2022-06-17 10:24:43 +01:00
txn_endpoint_test.go Enable servers to configure arbitrary proxies from the catalog (#13244) 2022-05-27 12:38:52 +01:00
util.go catalog: compare node names case insensitively in more places (#12444) 2022-02-24 16:54:47 -06:00
util_test.go acl: remove legacy ACL upgrades from Server 2021-09-29 15:19:23 -04:00