diff --git a/.changelog/20802.txt b/.changelog/20802.txt new file mode 100644 index 0000000000..16a8267b5f --- /dev/null +++ b/.changelog/20802.txt @@ -0,0 +1,3 @@ +```release-note:improvement +connect: Add ability to disable Auto Host Header Rewrite on Terminating Gateway at the service level +``` \ No newline at end of file diff --git a/agent/catalog_endpoint_test.go b/agent/catalog_endpoint_test.go index 10b1c8b887..5a5b2433d5 100644 --- a/agent/catalog_endpoint_test.go +++ b/agent/catalog_endpoint_test.go @@ -1938,11 +1938,12 @@ func TestCatalog_GatewayServices_Terminating(t *testing.T) { SNI: "my-domain", }, { - Name: "*", - CAFile: "ca.crt", - CertFile: "client.crt", - KeyFile: "client.key", - SNI: "my-alt-domain", + Name: "*", + CAFile: "ca.crt", + CertFile: "client.crt", + KeyFile: "client.key", + SNI: "my-alt-domain", + DisableAutoHostRewrite: true, }, }, }, 
@@ -1965,23 +1966,25 @@ func TestCatalog_GatewayServices_Terminating(t *testing.T) { expect := structs.GatewayServices{ { - Service: structs.NewServiceName("api", nil), - Gateway: structs.NewServiceName("terminating", nil), - GatewayKind: structs.ServiceKindTerminatingGateway, - CAFile: "api/ca.crt", - CertFile: "api/client.crt", - KeyFile: "api/client.key", - SNI: "my-domain", + Service: structs.NewServiceName("api", nil), + Gateway: structs.NewServiceName("terminating", nil), + GatewayKind: structs.ServiceKindTerminatingGateway, + CAFile: "api/ca.crt", + CertFile: "api/client.crt", + KeyFile: "api/client.key", + SNI: "my-domain", + AutoHostRewrite: true, }, { - Service: structs.NewServiceName("redis", nil), - Gateway: structs.NewServiceName("terminating", nil), - GatewayKind: structs.ServiceKindTerminatingGateway, - CAFile: "ca.crt", - CertFile: "client.crt", - KeyFile: "client.key", - SNI: "my-alt-domain", - FromWildcard: true, + Service: structs.NewServiceName("redis", nil), + Gateway: structs.NewServiceName("terminating", nil), + GatewayKind: structs.ServiceKindTerminatingGateway, + CAFile: "ca.crt", + CertFile: "client.crt", + KeyFile: "client.key", + SNI: "my-alt-domain", + FromWildcard: true, + AutoHostRewrite: false, }, } diff --git a/agent/consul/catalog_endpoint_test.go b/agent/consul/catalog_endpoint_test.go index 628ad83ae4..d1fb2a6e97 100644 --- a/agent/consul/catalog_endpoint_test.go +++ b/agent/consul/catalog_endpoint_test.go 
@@ -3187,33 +3187,36 @@ func TestCatalog_GatewayServices_TerminatingGateway(t *testing.T) { expect := structs.GatewayServices{ { - Service: structs.NewServiceName("api", nil), - Gateway: structs.NewServiceName("gateway", nil), - GatewayKind: structs.ServiceKindTerminatingGateway, - CAFile: "api/ca.crt", - CertFile: "api/client.crt", - KeyFile: "api/client.key", - SNI: "my-domain", - ServiceKind: structs.GatewayServiceKindService, + Service: structs.NewServiceName("api", nil), + Gateway: structs.NewServiceName("gateway", nil), + GatewayKind: structs.ServiceKindTerminatingGateway, + CAFile: "api/ca.crt", + CertFile: "api/client.crt", + KeyFile: "api/client.key", + SNI: "my-domain", + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, { - Service: structs.NewServiceName("db", nil), - Gateway: structs.NewServiceName("gateway", nil), - GatewayKind: structs.ServiceKindTerminatingGateway, - CAFile: "", - CertFile: "", - KeyFile: "", - ServiceKind: structs.GatewayServiceKindService, + Service: structs.NewServiceName("db", nil), + Gateway: structs.NewServiceName("gateway", nil), + GatewayKind: structs.ServiceKindTerminatingGateway, + CAFile: "", + CertFile: "", + KeyFile: "", + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, { - Service: structs.NewServiceName("redis", nil), - Gateway: structs.NewServiceName("gateway", nil), - GatewayKind: structs.ServiceKindTerminatingGateway, - CAFile: "ca.crt", - CertFile: "client.crt", - KeyFile: "client.key", - SNI: "my-alt-domain", - FromWildcard: true, + Service: structs.NewServiceName("redis", nil), + Gateway: structs.NewServiceName("gateway", nil), + GatewayKind: structs.ServiceKindTerminatingGateway, + CAFile: "ca.crt", + CertFile: "client.crt", + KeyFile: "client.key", + SNI: "my-alt-domain", + FromWildcard: true, + AutoHostRewrite: true, }, } 
@@ -3345,10 +3348,11 @@ func TestCatalog_GatewayServices_BothGateways(t *testing.T) { expect := structs.GatewayServices{ { - Service: structs.NewServiceName("api", nil), - Gateway: structs.NewServiceName("gateway", nil), - GatewayKind: structs.ServiceKindTerminatingGateway, - ServiceKind: structs.GatewayServiceKindService, + Service: structs.NewServiceName("api", nil), + Gateway: structs.NewServiceName("gateway", nil), + GatewayKind: structs.ServiceKindTerminatingGateway, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, } @@ -3568,16 +3572,18 @@ service "gateway" { expect := structs.GatewayServices{ { - Service: structs.NewServiceName("db", nil), - Gateway: structs.NewServiceName("gateway", nil), - GatewayKind: structs.ServiceKindTerminatingGateway, - ServiceKind: structs.GatewayServiceKindService, + Service: structs.NewServiceName("db", nil), + Gateway: structs.NewServiceName("gateway", nil), + GatewayKind: structs.ServiceKindTerminatingGateway, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, { - Service: structs.NewServiceName("db_replica", nil), - Gateway: structs.NewServiceName("gateway", nil), - GatewayKind: structs.ServiceKindTerminatingGateway, - ServiceKind: structs.GatewayServiceKindUnknown, + Service: structs.NewServiceName("db_replica", nil), + Gateway: structs.NewServiceName("gateway", nil), + GatewayKind: structs.ServiceKindTerminatingGateway, + ServiceKind: structs.GatewayServiceKindUnknown, + AutoHostRewrite: true, }, } diff --git a/agent/consul/internal_endpoint_test.go b/agent/consul/internal_endpoint_test.go index a7f1328101..e4b9a14b70 100644 --- a/agent/consul/internal_endpoint_test.go +++ b/agent/consul/internal_endpoint_test.go 
@@ -1217,10 +1217,11 @@ func TestInternal_GatewayServiceDump_Terminating(t *testing.T) { }, }, GatewayService: &structs.GatewayService{ - Gateway: structs.NewServiceName("terminating-gateway", nil), - Service: structs.NewServiceName("db", nil), - GatewayKind: "terminating-gateway", - ServiceKind: structs.GatewayServiceKindService, + Gateway: structs.NewServiceName("terminating-gateway", nil), + Service: structs.NewServiceName("db", nil), + GatewayKind: "terminating-gateway", + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, }, { @@ -1251,21 +1252,23 @@ func TestInternal_GatewayServiceDump_Terminating(t *testing.T) { }, }, GatewayService: &structs.GatewayService{ - Gateway: structs.NewServiceName("terminating-gateway", nil), - Service: structs.NewServiceName("db", nil), - GatewayKind: "terminating-gateway", - ServiceKind: structs.GatewayServiceKindService, + Gateway: structs.NewServiceName("terminating-gateway", nil), + Service: structs.NewServiceName("db", nil), + GatewayKind: "terminating-gateway", + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, }, { // Only GatewayService should be returned when linked service isn't registered GatewayService: &structs.GatewayService{ - Gateway: structs.NewServiceName("terminating-gateway", nil), - Service: structs.NewServiceName("redis", nil), - GatewayKind: "terminating-gateway", - CAFile: "/etc/certs/ca.pem", - CertFile: "/etc/certs/cert.pem", - KeyFile: "/etc/certs/key.pem", + Gateway: structs.NewServiceName("terminating-gateway", nil), + Service: structs.NewServiceName("redis", nil), + GatewayKind: "terminating-gateway", + CAFile: "/etc/certs/ca.pem", + CertFile: "/etc/certs/cert.pem", + KeyFile: "/etc/certs/key.pem", + AutoHostRewrite: true, }, }, } diff --git a/agent/consul/state/catalog.go b/agent/consul/state/catalog.go index b89f2c727e..ce40fda3e0 100644 --- a/agent/consul/state/catalog.go +++ b/agent/consul/state/catalog.go 
@@ -3757,14 +3757,15 @@ func terminatingConfigGatewayServices(
 return false, nil, fmt.Errorf("failed to get gateway service kind for service %s: %v", svc.Name, err)
 }
 mapping := &structs.GatewayService{
- Gateway: gateway,
- Service: structs.NewServiceName(svc.Name, &svc.EnterpriseMeta),
- GatewayKind: structs.ServiceKindTerminatingGateway,
- KeyFile: svc.KeyFile,
- CertFile: svc.CertFile,
- CAFile: svc.CAFile,
- SNI: svc.SNI,
- ServiceKind: kind,
+ Gateway: gateway,
+ Service: structs.NewServiceName(svc.Name, &svc.EnterpriseMeta),
+ GatewayKind: structs.ServiceKindTerminatingGateway,
+ KeyFile: svc.KeyFile,
+ CertFile: svc.CertFile,
+ CAFile: svc.CAFile,
+ SNI: svc.SNI,
+ ServiceKind: kind,
+ AutoHostRewrite: !svc.DisableAutoHostRewrite,
 }
 gatewayServices = append(gatewayServices, mapping)
diff --git a/agent/consul/state/catalog_test.go b/agent/consul/state/catalog_test.go
index f18b9beae8..cef608bc1c 100644
--- a/agent/consul/state/catalog_test.go
+++ b/agent/consul/state/catalog_test.go
@@ -5197,7 +5197,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 CreateIndex: 21,
 ModifyIndex: 21,
 },
- ServiceKind: structs.GatewayServiceKindService,
+ ServiceKind: structs.GatewayServiceKindService,
+ AutoHostRewrite: true,
 },
 {
 Service: structs.NewServiceName("db", nil),
@@ -5207,7 +5208,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 CreateIndex: 21,
 ModifyIndex: 21,
 },
- ServiceKind: structs.GatewayServiceKindService,
+ ServiceKind: structs.GatewayServiceKindService,
+ AutoHostRewrite: true,
 },
 }
 assert.Equal(t, expect, out)
@@ -5241,7 +5243,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) {
 CreateIndex: 21,
 ModifyIndex: 21,
 },
- ServiceKind: structs.GatewayServiceKindService,
+ ServiceKind: structs.GatewayServiceKindService,
+ AutoHostRewrite: true,
 },
 {
 Service: structs.NewServiceName("db", nil),
@@ -5251,7 +5254,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 21, ModifyIndex: 21, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) @@ -5302,7 +5306,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 22, ModifyIndex: 22, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("db", nil), @@ -5312,7 +5317,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 22, ModifyIndex: 22, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) @@ -5340,7 +5346,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 22, ModifyIndex: 22, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("db", nil), @@ -5350,7 +5357,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 22, ModifyIndex: 22, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("redis", nil), @@ -5365,7 +5373,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 23, ModifyIndex: 23, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) 
@@ -5393,7 +5402,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 22, ModifyIndex: 22, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("db", nil), @@ -5403,7 +5413,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 22, ModifyIndex: 22, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) @@ -5435,7 +5446,8 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 25, ModifyIndex: 25, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) @@ -5467,6 +5479,7 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 26, ModifyIndex: 26, }, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("db", nil), @@ -5477,6 +5490,7 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 26, ModifyIndex: 26, }, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) @@ -5504,6 +5518,7 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 26, ModifyIndex: 26, }, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("db", nil), @@ -5514,6 +5529,7 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 26, ModifyIndex: 26, }, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("destination1", nil), @@ -5525,6 +5541,7 @@ func TestStateStore_GatewayServices_Terminating(t *testing.T) { CreateIndex: 27, ModifyIndex: 27, }, + AutoHostRewrite: true, }, } assert.ElementsMatch(t, expectWildcardIncludesDest, out) 
@@ -6018,7 +6035,8 @@ func TestStateStore_GatewayServices_ServiceDeletion(t *testing.T) { CreateIndex: 19, ModifyIndex: 19, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) @@ -6040,6 +6058,7 @@ func TestStateStore_GatewayServices_ServiceDeletion(t *testing.T) { CreateIndex: 20, ModifyIndex: 20, }, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("db", nil), @@ -6050,6 +6069,7 @@ func TestStateStore_GatewayServices_ServiceDeletion(t *testing.T) { CreateIndex: 20, ModifyIndex: 20, }, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) @@ -6077,6 +6097,7 @@ func TestStateStore_GatewayServices_ServiceDeletion(t *testing.T) { CreateIndex: 19, ModifyIndex: 20, }, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) @@ -6097,6 +6118,7 @@ func TestStateStore_GatewayServices_ServiceDeletion(t *testing.T) { CreateIndex: 20, ModifyIndex: 20, }, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) @@ -7016,6 +7038,7 @@ func TestStateStore_DumpGatewayServices(t *testing.T) { // Read everything back. ws = memdb.NewWatchSet() idx, out, err := s.DumpGatewayServices(ws) + fmt.Println(out) assert.Nil(t, err) assert.Equal(t, idx, uint64(21)) assert.Len(t, out, 2) @@ -7033,7 +7056,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) { CreateIndex: 21, ModifyIndex: 21, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("db", nil), @@ -7043,7 +7067,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) { CreateIndex: 21, ModifyIndex: 21, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) 
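Review bot: `fmt.Println(out)` inserted right after `idx, out, err := s.DumpGatewayServices(ws)` in the @@ -7016 hunk looks like leftover debugging output and should be dropped before merge; the same line is added in the second DumpGatewayServices hunk (@@ -7077) on the next line of this diff. Beyond noise in test output, it makes the test file depend on `fmt` being imported in catalog_test.go, which this diff does not show. TestStateStore_DumpGatewayServices begins outside the hunk.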
@@ -7077,6 +7102,7 @@ func TestStateStore_DumpGatewayServices(t *testing.T) { assert.False(t, watchFired(ws)) idx, out, err := s.DumpGatewayServices(ws) + fmt.Println(out) assert.Nil(t, err) assert.Equal(t, idx, uint64(21)) assert.Len(t, out, 2) @@ -7094,7 +7120,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) { CreateIndex: 21, ModifyIndex: 21, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("db", nil), @@ -7104,7 +7131,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) { CreateIndex: 21, ModifyIndex: 21, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) @@ -7134,7 +7162,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) { CreateIndex: 21, ModifyIndex: 21, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("db", nil), @@ -7144,7 +7173,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) { CreateIndex: 21, ModifyIndex: 21, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("redis", nil), @@ -7159,7 +7189,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) { CreateIndex: 22, ModifyIndex: 22, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) @@ -7189,7 +7220,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) { CreateIndex: 21, ModifyIndex: 21, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("db", nil), 
@@ -7199,7 +7231,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) { CreateIndex: 21, ModifyIndex: 21, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) @@ -7233,7 +7266,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) { CreateIndex: 24, ModifyIndex: 24, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, } assert.Equal(t, expect, out) @@ -7291,7 +7325,8 @@ func TestStateStore_DumpGatewayServices(t *testing.T) { CreateIndex: 24, ModifyIndex: 24, }, - ServiceKind: structs.GatewayServiceKindService, + ServiceKind: structs.GatewayServiceKindService, + AutoHostRewrite: true, }, { Service: structs.NewServiceName("api", nil), diff --git a/agent/consul/state/config_entry_test.go b/agent/consul/state/config_entry_test.go index c1bd3e35de..f2794d5043 100644 --- a/agent/consul/state/config_entry_test.go +++ b/agent/consul/state/config_entry_test.go @@ -772,6 +772,7 @@ func TestStore_ServiceDefaults_Kind_Destination_Wildcard(t *testing.T) { CreateIndex: 8, ModifyIndex: 8, }, + AutoHostRewrite: true, }, } require.Equal(t, expected, gatewayServices) @@ -819,6 +820,7 @@ func TestStore_ServiceDefaults_Kind_Destination_Wildcard(t *testing.T) { CreateIndex: 7, ModifyIndex: 7, }, + AutoHostRewrite: true, }, } require.Equal(t, expected, gatewayServices) @@ -843,6 +845,7 @@ func TestStore_ServiceDefaults_Kind_Destination_Wildcard(t *testing.T) { CreateIndex: 7, ModifyIndex: 9, }, + AutoHostRewrite: true, }, } require.Equal(t, expected, gatewayServices) diff --git a/agent/proxycfg/testing_terminating_gateway.go b/agent/proxycfg/testing_terminating_gateway.go index 4b4f086e6e..8fb02ffe67 100644 --- a/agent/proxycfg/testing_terminating_gateway.go +++ b/agent/proxycfg/testing_terminating_gateway.go 
@@ -160,20 +160,24 @@ func TestConfigSnapshotTerminatingGateway(t testing.T, populateServices bool, ns tgtwyServices = append(tgtwyServices, &structs.GatewayService{ - Service: web, - CAFile: "ca.cert.pem", + Service: web, + CAFile: "ca.cert.pem", + AutoHostRewrite: true, }, &structs.GatewayService{ - Service: api, - CAFile: "ca.cert.pem", - CertFile: "api.cert.pem", - KeyFile: "api.key.pem", + Service: api, + CAFile: "ca.cert.pem", + CertFile: "api.cert.pem", + KeyFile: "api.key.pem", + AutoHostRewrite: true, }, &structs.GatewayService{ - Service: db, + Service: db, + AutoHostRewrite: true, }, &structs.GatewayService{ - Service: cache, + Service: cache, + AutoHostRewrite: true, }, ) 
@@ -359,26 +363,31 @@ func TestConfigSnapshotTerminatingGatewayDestinations(t testing.T, populateDesti if populateDestinations { tgtwyServices = append(tgtwyServices, &structs.GatewayService{ - Service: externalIPTCP, - ServiceKind: structs.GatewayServiceKindDestination, + Service: externalIPTCP, + ServiceKind: structs.GatewayServiceKindDestination, + AutoHostRewrite: true, }, &structs.GatewayService{ - Service: externalHostnameTCP, - ServiceKind: structs.GatewayServiceKindDestination, + Service: externalHostnameTCP, + ServiceKind: structs.GatewayServiceKindDestination, + AutoHostRewrite: true, }, &structs.GatewayService{ - Service: externalIPHTTP, - ServiceKind: structs.GatewayServiceKindDestination, + Service: externalIPHTTP, + ServiceKind: structs.GatewayServiceKindDestination, + AutoHostRewrite: true, }, &structs.GatewayService{ - Service: externalHostnameHTTP, - ServiceKind: structs.GatewayServiceKindDestination, + Service: externalHostnameHTTP, + ServiceKind: structs.GatewayServiceKindDestination, + AutoHostRewrite: true, }, &structs.GatewayService{ - Service: externalHostnameWithSNI, - ServiceKind: structs.GatewayServiceKindDestination, - CAFile: "cert.pem", - SNI: "api.test.com", + Service: externalHostnameWithSNI, + ServiceKind: structs.GatewayServiceKindDestination, + CAFile: "cert.pem", + SNI: "api.test.com", + AutoHostRewrite: true, }, ) 
@@ -713,16 +722,18 @@ func TestConfigSnapshotTerminatingGatewaySNI(t testing.T) *ConfigSnapshot { Result: &structs.IndexedGatewayServices{ Services: []*structs.GatewayService{ { - Service: structs.NewServiceName("web", nil), - CAFile: "ca.cert.pem", - SNI: "foo.com", + Service: structs.NewServiceName("web", nil), + CAFile: "ca.cert.pem", + SNI: "foo.com", + AutoHostRewrite: true, }, { - Service: structs.NewServiceName("api", nil), - CAFile: "ca.cert.pem", - CertFile: "api.cert.pem", - KeyFile: "api.key.pem", - SNI: "bar.com", + Service: structs.NewServiceName("api", nil), + CAFile: "ca.cert.pem", + CertFile: "api.cert.pem", + KeyFile: "api.key.pem", + SNI: "bar.com", + AutoHostRewrite: true, }, }, }, @@ -739,8 +750,9 @@ func TestConfigSnapshotTerminatingGatewayHTTP2(t testing.T) *ConfigSnapshot { Result: &structs.IndexedGatewayServices{ Services: []*structs.GatewayService{ { - Service: web, - CAFile: "ca.cert.pem", + Service: web, + CAFile: "ca.cert.pem", + AutoHostRewrite: true, }, }, }, @@ -799,8 +811,9 @@ func TestConfigSnapshotTerminatingGatewaySubsetsHTTP2(t testing.T) *ConfigSnapsh Result: &structs.IndexedGatewayServices{ Services: []*structs.GatewayService{ { - Service: web, - CAFile: "ca.cert.pem", + Service: web, + CAFile: "ca.cert.pem", + AutoHostRewrite: true, }, }, }, diff --git a/agent/structs/config_entry_gateways.go b/agent/structs/config_entry_gateways.go index e3ccfbbb35..a15b42a013 100644 --- a/agent/structs/config_entry_gateways.go +++ b/agent/structs/config_entry_gateways.go @@ -518,6 +518,9 @@ type LinkedService struct { // SNI is the optional name to specify during the TLS handshake with a linked service SNI string `json:",omitempty"` + //DisableAutoHostRewrite disables terminating gateways auto host rewrite feature when set to true. + DisableAutoHostRewrite bool `json:",omitempty"` + acl.EnterpriseMeta `hcl:",squash" mapstructure:",squash"` } 
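Review bot: The new doc comment `//DisableAutoHostRewrite disables terminating gateways auto host rewrite feature when set to true.` in the structs LinkedService hunk has no space after `//`, which departs from the `// SNI is ...` doc-comment style of the neighbouring field (gofmt does not correct this); the copy of the same comment in api/config_entry_gateways.go has the same problem. Suggest `// DisableAutoHostRewrite disables the terminating gateway's automatic Host header rewrite for this linked service when set to true; the zero value leaves rewriting enabled.`. Stating the default in the comment matters here because the flag is negative and is inverted into GatewayService.AutoHostRewrite by the state store.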
@@ -668,6 +671,7 @@ type GatewayService struct {
 FromWildcard bool `json:",omitempty"`
 ServiceKind GatewayServiceKind `json:",omitempty"`
 RaftIndex
+ AutoHostRewrite bool `json:",omitempty"`
 }
 type GatewayServices []*GatewayService
@@ -715,14 +719,15 @@ func (g *GatewayService) Clone() *GatewayService {
 Port: g.Port,
 Protocol: g.Protocol,
 // See https://github.com/go101/go101/wiki/How-to-efficiently-clone-a-slice%3F
- Hosts: append(g.Hosts[:0:0], g.Hosts...),
- CAFile: g.CAFile,
- CertFile: g.CertFile,
- KeyFile: g.KeyFile,
- SNI: g.SNI,
- FromWildcard: g.FromWildcard,
- RaftIndex: g.RaftIndex,
- ServiceKind: g.ServiceKind,
+ Hosts: append(g.Hosts[:0:0], g.Hosts...),
+ CAFile: g.CAFile,
+ CertFile: g.CertFile,
+ KeyFile: g.KeyFile,
+ SNI: g.SNI,
+ FromWildcard: g.FromWildcard,
+ RaftIndex: g.RaftIndex,
+ ServiceKind: g.ServiceKind,
+ AutoHostRewrite: g.AutoHostRewrite,
 }
 }
diff --git a/agent/xds/routes.go b/agent/xds/routes.go
index 3d05e2a21a..41309b674e 100644
--- a/agent/xds/routes.go
+++ b/agent/xds/routes.go
@@ -158,11 +158,13 @@ func (s *ResourceGenerator) routesForTerminatingGateway(cfgSnap *proxycfg.Config
 "error", err,
 )
 }
+ service := cfgSnap.TerminatingGateway.GatewayServices[svc]
+ autoHostRewrite := service.AutoHostRewrite
 if !structs.IsProtocolHTTPLike(cfg.Protocol) {
 // Routes can only be defined for HTTP services
 continue
 }
- routes, err := s.makeRoutes(cfgSnap, svc, clusterName, true)
+ routes, err := s.makeRoutes(cfgSnap, svc, clusterName, autoHostRewrite)
 if err != nil {
 return nil, err
 }
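Review bot: `AutoHostRewrite bool` is added to GatewayService without a doc comment and after the embedded `RaftIndex`, whereas the surrounding named fields sit above the embedded struct; suggest moving it next to `ServiceKind` and documenting it, e.g. `// AutoHostRewrite is true unless the linked service set DisableAutoHostRewrite; it is derived by the state store, not configured directly.`. Because the stored flag is positive, any GatewayService value that is not populated by terminatingConfigGatewayServices carries `false` and therefore reads as rewrite-disabled, which is the opposite of the pre-change default, so the comment should make the origin of the value explicit. The Clone() update in the second hunk is consistent with the new field.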
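Review bot: `service := cfgSnap.TerminatingGateway.GatewayServices[svc]` discards the map's presence result, so a service iterated here with no GatewayServices entry yields the zero value and `autoHostRewrite` silently becomes false — before this change `makeRoutes` was always called with `true`, so the gateway would stop rewriting the Host header for that service instead of keeping the old behaviour (if the map holds pointers rather than values, this is a nil dereference instead). The same inversion applies to entries produced by a server that predates the field, for example during a mixed-version upgrade, which would turn host rewriting off for every linked service until the servers are upgraded. Consider `service, ok := cfgSnap.TerminatingGateway.GatewayServices[svc]` followed by `autoHostRewrite := !ok || service.AutoHostRewrite` so an absent entry keeps the previous default, or store the negative flag in GatewayService so that the zero value means "rewrite on". routesForTerminatingGateway starts and continues outside the hunk.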
@@ -231,7 +233,7 @@ func (s *ResourceGenerator) makeRoutes(
 // If there is a service-resolver for this service then also setup routes for each subset
 for name := range resolver.Subsets {
 clusterName = connect.ServiceSNI(svc.Name, name, svc.NamespaceOrDefault(), svc.PartitionOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain)
- route, err := makeNamedDefaultRouteWithLB(clusterName, lb, resolver.RequestTimeout, true)
+ route, err := makeNamedDefaultRouteWithLB(clusterName, lb, resolver.RequestTimeout, autoHostRewrite)
 if err != nil {
 s.Logger.Error("failed to make route", "cluster", clusterName, "error", err)
 return nil, err
diff --git a/api/config_entry_gateways.go b/api/config_entry_gateways.go
index baf274e2da..ba2bac19ef 100644
--- a/api/config_entry_gateways.go
+++ b/api/config_entry_gateways.go
@@ -195,6 +195,9 @@ type TerminatingGatewayConfigEntry struct {
 type LinkedService struct {
 // Referencing other partitions is not supported.
+ //DisableAutoHostRewrite disables terminating gateways auto host rewrite feature when set to true.
+ DisableAutoHostRewrite bool `json:",omitempty"`
+
 // Namespace is where the service is registered.
 Namespace string `json:",omitempty"`
diff --git a/website/content/docs/connect/config-entries/terminating-gateway.mdx b/website/content/docs/connect/config-entries/terminating-gateway.mdx
index 36b1a2dc20..4512cf1a81 100644
--- a/website/content/docs/connect/config-entries/terminating-gateway.mdx
+++ b/website/content/docs/connect/config-entries/terminating-gateway.mdx
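Review bot: In the api/config_entry_gateways.go hunk the new `DisableAutoHostRewrite` field is inserted between the struct's leading note `// Referencing other partitions is not supported.` and the `Namespace` field, so it lands ahead of Namespace/Name and reads as if that note were about it, while the structs.LinkedService counterpart in this same diff places the field after `SNI`. Suggest moving it to the end of the api struct next to SNI so the two types keep the same field order, with the comment `// DisableAutoHostRewrite disables the terminating gateway's automatic Host header rewrite for this linked service when set to true.`. The remaining fields of LinkedService are outside the hunk.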
@@ -679,6 +679,12 @@ spec:
 `An optional hostname or domain name to specify during the TLS handshake. This option will also configure [strict SAN matching](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-certificatevalidationcontext-match-typed-subject-alt-names), which requires the external services to have certificates with SANs, not having which will result in \`CERTIFICATE_VERIFY_FAILED\` error.`,
 },
+ {
+ name: 'DisableAutoHostRewrite',
+ type: 'bool: ""',
+ description:
+ 'When set to true, Terminating Gateway will not modify the incoming requests host header for this service.',
+ },
 ],
 },
 ]}