status-im
/
consul
mirror of https://github.com/status-im/consul.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
consul/agent/structs/config_entry_mesh.go

232 lines
6.2 KiB
Go
Raw Normal View History

copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files
2023-03-28 18:39:22 +00:00
// Copyright (c) HashiCorp, Inc.
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2023-08-11 13:12:13 +00:00
// SPDX-License-Identifier: BUSL-1.1
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files
2023-03-28 18:39:22 +00:00
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
package structs
import (
config-entry: use custom MarshalJSON for mesh type So that the Kind field is added to the JSON object.
2021-04-29 21:44:32 +00:00
"encoding/json"
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
"fmt"
"github.com/hashicorp/consul/acl"
xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601) - `tls.incoming`: applies to the inbound mTLS targeting the public listener on `connect-proxy` and `terminating-gateway` envoy instances - `tls.outgoing`: applies to the outbound mTLS dialing upstreams from `connect-proxy` and `ingress-gateway` envoy instances Fixes #11966
2022-03-30 18:43:59 +00:00
"github.com/hashicorp/consul/types"
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
)
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
2021-04-28 22:13:29 +00:00
type MeshConfigEntry struct {
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
// TransparentProxy contains cluster-wide options pertaining to TPROXY mode
// when enabled.
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
2021-04-28 22:13:29 +00:00
TransparentProxy TransparentProxyMeshConfig `alias:"transparent_proxy"`
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
Permissive mTLS (#17035) This implements permissive mTLS , which allows toggling services into "permissive" mTLS mode. Permissive mTLS mode allows incoming "non Consul-mTLS" traffic to be forward unmodified to the application. * Update service-defaults and proxy-defaults config entries with a MutualTLSMode field * Update the mesh config entry with an AllowEnablingPermissiveMutualTLS field and implement the necessary validation. AllowEnablingPermissiveMutualTLS must be true to allow changing to MutualTLSMode=permissive, but this does not require that all proxy-defaults and service-defaults are currently in strict mode. * Update xDS listener config to add a "permissive filter chain" when MutualTLSMode=permissive for a particular service. The permissive filter chain matches incoming traffic by the destination port. If the destination port matches the service port from the catalog, then no mTLS is required and the traffic sent is forwarded unmodified to the application.
2023-04-19 19:45:00 +00:00
// AllowEnablingPermissiveMutualTLS must be true in order to allow setting
// MutualTLSMode=permissive in either service-defaults or proxy-defaults.
AllowEnablingPermissiveMutualTLS bool `json:",omitempty" alias:"allow_enabling_permissive_mutual_tls"`
xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601) - `tls.incoming`: applies to the inbound mTLS targeting the public listener on `connect-proxy` and `terminating-gateway` envoy instances - `tls.outgoing`: applies to the outbound mTLS dialing upstreams from `connect-proxy` and `ingress-gateway` envoy instances Fixes #11966
2022-03-30 18:43:59 +00:00
TLS *MeshTLSConfig `json:",omitempty"`
Add x-forwarded-client-cert headers Description Add x-fowarded-client-cert information on trusted incoming connections. Envoy provides support forwarding and annotating the x-forwarded-client-cert header via the forward_client_cert_details set_current_client_cert_details filter fields. It would be helpful for consul to support this directly in its config. The escape hatches are a bit cumbersome for this purpose. This has been implemented on incoming connections to envoy. Outgoing (from the local service through the sidecar) will not have a certificate, and so are left alone. A service on an incoming connection will now get headers something like this: ``` X-Forwarded-Client-Cert:[By=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/counting;Hash=61ad5cbdfcb50f5a3ec0ca60923d61613c149a9d4495010a64175c05a0268ab2;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/dashboard] ``` Closes #12852
2022-04-26 20:46:29 +00:00
HTTP *MeshHTTPConfig `json:",omitempty"`
feat: add PeerThroughMeshGateways to mesh config
2022-09-02 20:52:11 +00:00
Peering *PeeringMeshConfig `json:",omitempty"`
Manual Structs fixup Change things by hand that I couldn't figure out how to automate Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-03-13 03:55:53 +00:00
Meta map[string]string `json:",omitempty"`
Hash based config entry replication (#19795) * add a hash to config entries when normalizing * add GetHash and implement comparing hashes * only update if the Hash is different * only update if the Hash is different and not 0 * fix proto to include the Hash * fix proto gen * buf format * add SetHash and fix tests * fix config load tests * fix state test and config test * recalculate hash when restoring config entries * fix snapshot restore test * add changelog * fix missing normalize, fix proto indexes and add normalize test
2023-12-12 13:29:13 +00:00
Hash uint64 `json:",omitempty" hash:"ignore"`
Manual Structs fixup Change things by hand that I couldn't figure out how to automate Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-03-13 03:55:53 +00:00
acl.EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
Hash based config entry replication (#19795) * add a hash to config entries when normalizing * add GetHash and implement comparing hashes * only update if the Hash is different * only update if the Hash is different and not 0 * fix proto to include the Hash * fix proto gen * buf format * add SetHash and fix tests * fix config load tests * fix state test and config test * recalculate hash when restoring config entries * fix snapshot restore test * add changelog * fix missing normalize, fix proto indexes and add normalize test
2023-12-12 13:29:13 +00:00
RaftIndex `hash:"ignore"`
}
func (e *MeshConfigEntry) SetHash(h uint64) {
e.Hash = h
}
func (e *MeshConfigEntry) GetHash() uint64 {
return e.Hash
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
}
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
2021-04-28 22:13:29 +00:00
// TransparentProxyMeshConfig contains cluster-wide options pertaining to
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
// TPROXY mode when enabled.
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
2021-04-28 22:13:29 +00:00
type TransparentProxyMeshConfig struct {
Rename CatalogDestinationsOnly (#10397) CatalogDestinationsOnly is a passthrough that would enable dialing addresses outside of Consul's catalog. However, when this flag is set to true only _connect_ endpoints for services can be dialed. This flag is being renamed to signal that non-Connect endpoints can't be dialed by transparent proxies when the value is set to true.
2021-06-14 20:15:09 +00:00
// MeshDestinationsOnly can be used to disable the pass-through that
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
// allows traffic to destinations outside of the mesh.
Rename CatalogDestinationsOnly (#10397) CatalogDestinationsOnly is a passthrough that would enable dialing addresses outside of Consul's catalog. However, when this flag is set to true only _connect_ endpoints for services can be dialed. This flag is being renamed to signal that non-Connect endpoints can't be dialed by transparent proxies when the value is set to true.
2021-06-14 20:15:09 +00:00
MeshDestinationsOnly bool `alias:"mesh_destinations_only"`
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
}
xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601) - `tls.incoming`: applies to the inbound mTLS targeting the public listener on `connect-proxy` and `terminating-gateway` envoy instances - `tls.outgoing`: applies to the outbound mTLS dialing upstreams from `connect-proxy` and `ingress-gateway` envoy instances Fixes #11966
2022-03-30 18:43:59 +00:00
type MeshTLSConfig struct {
Incoming *MeshDirectionalTLSConfig `json:",omitempty"`
Outgoing *MeshDirectionalTLSConfig `json:",omitempty"`
}
type MeshDirectionalTLSConfig struct {
TLSMinVersion types.TLSVersion `json:",omitempty" alias:"tls_min_version"`
TLSMaxVersion types.TLSVersion `json:",omitempty" alias:"tls_max_version"`
// Define a subset of cipher suites to restrict
// Only applicable to connections negotiated via TLS 1.2 or earlier
CipherSuites []types.TLSCipherSuite `json:",omitempty" alias:"cipher_suites"`
}
Docs and changelog edits Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-05-02 16:35:34 +00:00
type MeshHTTPConfig struct {
SanitizeXForwardedClientCert bool `alias:"sanitize_x_forwarded_client_cert"`
}
feat: add PeerThroughMeshGateways to mesh config
2022-09-02 20:52:11 +00:00
// PeeringMeshConfig contains cluster-wide options pertaining to peering.
type PeeringMeshConfig struct {
// PeerThroughMeshGateways determines whether peering traffic between
// control planes should flow through mesh gateways. If enabled,
// Consul servers will advertise mesh gateway addresses as their own.
// Additionally, mesh gateways will configure themselves to expose
// the local servers using a peering-specific SNI.
PeerThroughMeshGateways bool `alias:"peer_through_mesh_gateways"`
}
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
2021-04-28 22:13:29 +00:00
func (e *MeshConfigEntry) GetKind() string {
return MeshConfig
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
}
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
2021-04-28 22:13:29 +00:00
func (e *MeshConfigEntry) GetName() string {
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
if e == nil {
return ""
}
config-entry: remove Kind and Name field from Mesh config entry No config entry needs a Kind field. It is only used to determine the Go type to target. As we introduce new config entries (like this one) we can remove the kind field and have the GetKind method return the single supported value. In this case (similar to proxy-defaults) the Name field is also unnecessary. We always use the same value. So we can omit the name field entirely.
2021-04-29 19:54:27 +00:00
return MeshConfigMesh
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
}
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
2021-04-28 22:13:29 +00:00
func (e *MeshConfigEntry) GetMeta() map[string]string {
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
if e == nil {
return nil
}
return e.Meta
}
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
2021-04-28 22:13:29 +00:00
func (e *MeshConfigEntry) Normalize() error {
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
if e == nil {
return fmt.Errorf("config entry is nil")
}
e.EnterpriseMeta.Normalize()
Hash based config entry replication (#19795) * add a hash to config entries when normalizing * add GetHash and implement comparing hashes * only update if the Hash is different * only update if the Hash is different and not 0 * fix proto to include the Hash * fix proto gen * buf format * add SetHash and fix tests * fix config load tests * fix state test and config test * recalculate hash when restoring config entries * fix snapshot restore test * add changelog * fix missing normalize, fix proto indexes and add normalize test
2023-12-12 13:29:13 +00:00
h, err := HashConfigEntry(e)
if err != nil {
return err
}
e.Hash = h
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
return nil
}
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
2021-04-28 22:13:29 +00:00
func (e *MeshConfigEntry) Validate() error {
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
if e == nil {
return fmt.Errorf("config entry is nil")
}
xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601) - `tls.incoming`: applies to the inbound mTLS targeting the public listener on `connect-proxy` and `terminating-gateway` envoy instances - `tls.outgoing`: applies to the outbound mTLS dialing upstreams from `connect-proxy` and `ingress-gateway` envoy instances Fixes #11966
2022-03-30 18:43:59 +00:00
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
if err := validateConfigEntryMeta(e.Meta); err != nil {
return err
}
xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601) - `tls.incoming`: applies to the inbound mTLS targeting the public listener on `connect-proxy` and `terminating-gateway` envoy instances - `tls.outgoing`: applies to the outbound mTLS dialing upstreams from `connect-proxy` and `ingress-gateway` envoy instances Fixes #11966
2022-03-30 18:43:59 +00:00
if e.TLS != nil {
if e.TLS.Incoming != nil {
if err := validateMeshDirectionalTLSConfig(e.TLS.Incoming); err != nil {
return fmt.Errorf("error in incoming TLS configuration: %v", err)
}
}
if e.TLS.Outgoing != nil {
if err := validateMeshDirectionalTLSConfig(e.TLS.Outgoing); err != nil {
return fmt.Errorf("error in outgoing TLS configuration: %v", err)
}
}
}
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
return e.validateEnterpriseMeta()
}
Refactor config checks oss (#12550) Currently the config_entry.go subsystem delegates authorization decisions via the ConfigEntry interface CanRead and CanWrite code. Unfortunately this returns a true/false value and loses the details of the source. This is not helpful, especially since it the config subsystem can be more complex to understand, since it covers so many domains. This refactors CanRead/CanWrite to return a structured error message (PermissionDenied or the like) with more details about the reason for denial. Part of #12241 Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-03-11 21:45:51 +00:00
func (e *MeshConfigEntry) CanRead(authz acl.Authorizer) error {
return nil
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
}
Refactor config checks oss (#12550) Currently the config_entry.go subsystem delegates authorization decisions via the ConfigEntry interface CanRead and CanWrite code. Unfortunately this returns a true/false value and loses the details of the source. This is not helpful, especially since it the config subsystem can be more complex to understand, since it covers so many domains. This refactors CanRead/CanWrite to return a structured error message (PermissionDenied or the like) with more details about the reason for denial. Part of #12241 Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-03-11 21:45:51 +00:00
func (e *MeshConfigEntry) CanWrite(authz acl.Authorizer) error {
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
var authzContext acl.AuthorizerContext
e.FillAuthzContext(&authzContext)
Refactor config checks oss (#12550) Currently the config_entry.go subsystem delegates authorization decisions via the ConfigEntry interface CanRead and CanWrite code. Unfortunately this returns a true/false value and loses the details of the source. This is not helpful, especially since it the config subsystem can be more complex to understand, since it covers so many domains. This refactors CanRead/CanWrite to return a structured error message (PermissionDenied or the like) with more details about the reason for denial. Part of #12241 Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-03-11 21:45:51 +00:00
return authz.ToAllowAuthorizer().MeshWriteAllowed(&authzContext)
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
}
Rename "cluster" config entry to "mesh" (#10127) This config entry is being renamed primarily because in k8s the name cluster could be confusing given that the config entry applies across federated datacenters. Additionally, this config entry will only apply to Consul as a service mesh, so the more generic "cluster" name is not needed.
2021-04-28 22:13:29 +00:00
func (e *MeshConfigEntry) GetRaftIndex() *RaftIndex {
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
if e == nil {
return &RaftIndex{}
}
return &e.RaftIndex
}
Manual Structs fixup Change things by hand that I couldn't figure out how to automate Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-03-13 03:55:53 +00:00
func (e *MeshConfigEntry) GetEnterpriseMeta() *acl.EnterpriseMeta {
connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled (#9973) This adds a new config entry kind "cluster" with a single special name "cluster" where this can be controlled.
2021-04-06 18:19:59 +00:00
if e == nil {
return nil
}
return &e.EnterpriseMeta
}
config-entry: use custom MarshalJSON for mesh type So that the Kind field is added to the JSON object.
2021-04-29 21:44:32 +00:00
// MarshalJSON adds the Kind field so that the JSON can be decoded back into the
// correct type.
// This method is implemented on the structs type (as apposed to the api type)
// because that is what the API currently uses to return a response.
func (e *MeshConfigEntry) MarshalJSON() ([]byte, error) {
type Alias MeshConfigEntry
source := &struct {
Kind string
*Alias
}{
Kind: MeshConfig,
Alias: (*Alias)(e),
}
return json.Marshal(source)
}
xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601) - `tls.incoming`: applies to the inbound mTLS targeting the public listener on `connect-proxy` and `terminating-gateway` envoy instances - `tls.outgoing`: applies to the outbound mTLS dialing upstreams from `connect-proxy` and `ingress-gateway` envoy instances Fixes #11966
2022-03-30 18:43:59 +00:00
Update xds generation for peering over mesh gws This commit adds the xDS resources needed for INBOUND traffic from peer clusters: - 1 filter chain for all inbound peering requests. - 1 cluster for all inbound peering requests. - 1 endpoint per voting server with the gRPC TLS port configured. There is one filter chain and cluster because unlike with WAN federation, peer clusters will not attempt to dial individual servers. Peer clusters will only dial the local mesh gateway addresses.
2022-09-23 03:14:25 +00:00
func (e *MeshConfigEntry) PeerThroughMeshGateways() bool {
if e == nil || e.Peering == nil {
return false
}
return e.Peering.PeerThroughMeshGateways
}
xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601) - `tls.incoming`: applies to the inbound mTLS targeting the public listener on `connect-proxy` and `terminating-gateway` envoy instances - `tls.outgoing`: applies to the outbound mTLS dialing upstreams from `connect-proxy` and `ingress-gateway` envoy instances Fixes #11966
2022-03-30 18:43:59 +00:00
func validateMeshDirectionalTLSConfig(cfg *MeshDirectionalTLSConfig) error {
if cfg == nil {
return nil
}
return validateTLSConfig(cfg.TLSMinVersion, cfg.TLSMaxVersion, cfg.CipherSuites)
}
func validateTLSConfig(
tlsMinVersion types.TLSVersion,
tlsMaxVersion types.TLSVersion,
cipherSuites []types.TLSCipherSuite,
) error {
if tlsMinVersion != types.TLSVersionUnspecified {
if err := types.ValidateTLSVersion(tlsMinVersion); err != nil {
return err
}
}
if tlsMaxVersion != types.TLSVersionUnspecified {
if err := types.ValidateTLSVersion(tlsMaxVersion); err != nil {
return err
}
if tlsMinVersion != types.TLSVersionUnspecified {
if err, maxLessThanMin := tlsMaxVersion.LessThan(tlsMinVersion); err == nil && maxLessThanMin {
return fmt.Errorf("configuring max version %s less than the configured min version %s is invalid", tlsMaxVersion, tlsMinVersion)
}
}
}
if len(cipherSuites) != 0 {
if _, ok := types.TLSVersionsWithConfigurableCipherSuites[tlsMinVersion]; !ok {
return fmt.Errorf("configuring CipherSuites is only applicable to connections negotiated with TLS 1.2 or earlier, TLSMinVersion is set to %s", tlsMinVersion)
}
// NOTE: it would be nice to emit a warning but not return an error from
// here if TLSMaxVersion is unspecified, TLS_AUTO or TLSv1_3
if err := types.ValidateEnvoyCipherSuites(cipherSuites); err != nil {
return err
}
}
return nil
}