[APIGW] NET-5017 JWT Cleanup/Status Conditions (#18700)

* Fixes issues in setting status

* Update golden files for changes to xds generation to not use deprecated
methods

* Fixed default for validation of JWT for route
John Maguire 2023-09-07 15:03:09 -04:00 committed by GitHub
parent acd9b3d1c4
commit 2c244b6f42
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
95 changed files with 2950 additions and 2958 deletions


@ -236,7 +236,17 @@ func (r *apiGatewayReconciler) reconcileGateway(_ context.Context, req controlle
return err
}
meta := newGatewayMeta(gateway, bound)
_, jwtProvidersConfigEntries, err := store.ConfigEntriesByKind(nil, structs.JWTProvider, wildcardMeta())
if err != nil {
return err
}
jwtProviders := make(map[string]*structs.JWTProviderConfigEntry, len(jwtProvidersConfigEntries))
for _, provider := range jwtProvidersConfigEntries {
jwtProviders[provider.GetName()] = provider.(*structs.JWTProviderConfigEntry)
}
meta := newGatewayMeta(gateway, bound, jwtProviders)
certificateErrors, err := meta.checkCertificates(store)
if err != nil {
@ -244,22 +254,22 @@ func (r *apiGatewayReconciler) reconcileGateway(_ context.Context, req controlle
return err
}
jwtErrors, err := meta.checkJWTProviders(store)
jwtErrors, err := meta.checkJWTProviders()
if err != nil {
logger.Warn("error checking gateway JWT Providers", "error", err)
return err
}
// set each listener as having valid certs, then overwrite that status condition
// set each listener as having resolved refs, then overwrite that status condition
// if there are any certificate errors
meta.eachListener(func(listener *structs.APIGatewayListener, bound *structs.BoundAPIGatewayListener) error {
meta.eachListener(func(_ *structs.APIGatewayListener, bound *structs.BoundAPIGatewayListener) error {
listenerRef := structs.ResourceReference{
Kind: structs.APIGateway,
Name: meta.BoundGateway.Name,
SectionName: bound.Name,
EnterpriseMeta: meta.BoundGateway.EnterpriseMeta,
}
updater.SetCondition(validCertificate(listenerRef))
updater.SetCondition(resolvedRefs(listenerRef))
return nil
})
@ -267,9 +277,14 @@ func (r *apiGatewayReconciler) reconcileGateway(_ context.Context, req controlle
updater.SetCondition(invalidCertificate(ref, err))
}
for ref, err := range jwtErrors {
updater.SetCondition(invalidJWTProvider(ref, err))
}
if len(certificateErrors) > 0 {
updater.SetCondition(invalidCertificates())
}
if len(jwtErrors) > 0 {
updater.SetCondition(invalidJWTProviders())
}
@ -477,13 +492,6 @@ func (r *apiGatewayReconciler) reconcileRoute(_ context.Context, req controller.
updater.SetCondition(routeNoUpstreams())
}
if httpRoute, ok := route.(*structs.HTTPRouteConfigEntry); ok {
err := validateJWTForRoute(store, updater, httpRoute)
if err != nil {
return err
}
}
// the route is valid, attempt to bind it to all gateways
r.logger.Trace("binding routes to gateway")
modifiedGateways, boundRefs, bindErrors := bindRoutesToGateways(route, meta...)
@ -584,6 +592,10 @@ type gatewayMeta struct {
// the map values are pointers so that we can update them directly
// and have the changes propagate back to the container gateways.
boundListeners map[string]*structs.BoundAPIGatewayListener
// jwtProviders holds the list of all the JWT Providers in a given partition
// we expect this list to be relatively small so we're okay with holding them all
// in memory
jwtProviders map[string]*structs.JWTProviderConfigEntry
}
// getAllGatewayMeta returns a pre-constructed list of all valid gateway and state
@ -599,6 +611,16 @@ func getAllGatewayMeta(store *state.Store) ([]*gatewayMeta, error) {
return nil, err
}
_, jwtProvidersConfigEntries, err := store.ConfigEntriesByKind(nil, structs.JWTProvider, wildcardMeta())
if err != nil {
return nil, err
}
jwtProviders := make(map[string]*structs.JWTProviderConfigEntry, len(jwtProvidersConfigEntries))
for _, provider := range jwtProvidersConfigEntries {
jwtProviders[provider.GetName()] = provider.(*structs.JWTProviderConfigEntry)
}
meta := make([]*gatewayMeta, 0, len(boundGateways))
for _, b := range boundGateways {
bound := b.(*structs.BoundAPIGatewayConfigEntry)
@ -608,6 +630,7 @@ func getAllGatewayMeta(store *state.Store) ([]*gatewayMeta, error) {
meta = append(meta, (&gatewayMeta{
BoundGateway: bound,
Gateway: gateway,
jwtProviders: jwtProviders,
}).initialize())
break
}
@ -662,6 +685,14 @@ func (g *gatewayMeta) updateRouteBinding(route structs.BoundRoute) (bool, []stru
if err != nil {
errors[ref] = err
}
if httpRoute, ok := route.(*structs.HTTPRouteConfigEntry); ok {
var jwtErrors map[structs.ResourceReference]error
didBind, jwtErrors = g.validateJWTForRoute(httpRoute)
for ref, err := range jwtErrors {
errors[ref] = err
}
}
if didBind {
refDidBind = true
listenerBound[listener.Name] = true
@ -673,6 +704,7 @@ func (g *gatewayMeta) updateRouteBinding(route structs.BoundRoute) (bool, []stru
if !refDidBind && errors[ref] == nil {
errors[ref] = fmt.Errorf("failed to bind route %s to gateway %s with listener '%s'", route.GetName(), g.Gateway.Name, ref.SectionName)
}
if refDidBind {
boundRefs = append(boundRefs, ref)
}
@ -845,7 +877,7 @@ func (g *gatewayMeta) initialize() *gatewayMeta {
}
// newGatewayMeta returns an object that wraps the given APIGateway and BoundAPIGateway
func newGatewayMeta(gateway *structs.APIGatewayConfigEntry, bound structs.ConfigEntry) *gatewayMeta {
func newGatewayMeta(gateway *structs.APIGatewayConfigEntry, bound structs.ConfigEntry, jwtProviders map[string]*structs.JWTProviderConfigEntry) *gatewayMeta {
var b *structs.BoundAPIGatewayConfigEntry
if bound == nil {
b = &structs.BoundAPIGatewayConfigEntry{
@ -871,6 +903,7 @@ func newGatewayMeta(gateway *structs.APIGatewayConfigEntry, bound structs.Config
return (&gatewayMeta{
BoundGateway: b,
Gateway: gateway,
jwtProviders: jwtProviders,
}).initialize()
}
@ -888,7 +921,7 @@ func gatewayAccepted() structs.Condition {
// invalidCertificate returns a condition used when a gateway references a
// certificate that does not exist. It takes a ref used to scope the condition
// to a given APIGateway listener.
func validCertificate(ref structs.ResourceReference) structs.Condition {
func resolvedRefs(ref structs.ResourceReference) structs.Condition {
return structs.NewGatewayCondition(
api.GatewayConditionResolvedRefs,
api.ConditionStatusTrue,
@ -995,18 +1028,6 @@ func gatewayNotFound(ref structs.ResourceReference) structs.Condition {
)
}
// jwtProviderNotFound marks a Route as having failed to bind to a referenced APIGateway due to
// one or more of the referenced JWT providers not existing (or having not been reconciled yet)
func jwtProviderNotFound(ref structs.ResourceReference, err error) structs.Condition {
return structs.NewRouteCondition(
api.RouteConditionBound,
api.ConditionStatusFalse,
api.RouteReasonGatewayNotFound,
err.Error(),
ref,
)
}
// routeUnbound marks the route as having failed to bind to the referenced APIGateway
func routeUnbound(ref structs.ResourceReference, err error) structs.Condition {
return structs.NewRouteCondition(
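Review bot: In the `updateRouteBinding` hunk, `didBind, jwtErrors = g.validateJWTForRoute(httpRoute)` overwrites the `didBind` value that, judging by the `if err != nil { errors[ref] = err }` context just above it, came from the listener bind attempt. Because the `validateJWTForRoute` stub in this commit returns `true, nil`, an HTTP route whose bind failed would still set `refDidBind` and `listenerBound[listener.Name]`, and its ref would be appended to `boundRefs`. Keeping the two results separate avoids that: replace the `var jwtErrors` declaration and the assignment with `jwtOK, jwtErrors := g.validateJWTForRoute(httpRoute)` followed by `didBind = didBind && jwtOK`. The bind call and the enclosing loop are outside the hunk, so this should be confirmed against the full function. Separately, the doc comment above the renamed `resolvedRefs` still begins `invalidCertificate returns a condition ...` and should describe the function it now sits on.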


@ -18,10 +18,10 @@ func (r *apiGatewayReconciler) enqueueJWTProviderReferencedGatewaysAndHTTPRoutes
return nil
}
func (m *gatewayMeta) checkJWTProviders(_ *state.Store) (map[structs.ResourceReference]error, error) {
func (m *gatewayMeta) checkJWTProviders() (map[structs.ResourceReference]error, error) {
return nil, nil
}
func validateJWTForRoute(_ *state.Store, _ *structs.StatusUpdater, _ *structs.HTTPRouteConfigEntry) error {
return nil
func (m *gatewayMeta) validateJWTForRoute(_ *structs.HTTPRouteConfigEntry) (bool, map[structs.ResourceReference]error) {
return true, nil
}
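Review bot: `checkJWTProviders` and `validateJWTForRoute` in this file ignore their inputs and always report success (`return nil, nil` and `return true, nil`), but nothing on the new lines says so. The controller now feeds these results into listener and route status conditions, so a reader could assume that JWT provider references are actually validated in this build. Suggest a doc comment on each, for example `// validateJWTForRoute is a no-op in this build: it always reports the route as valid and returns no errors.` If a real implementation lives in another build variant, naming it in the comment would help, though that is not visible from this page.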


@ -2013,7 +2013,7 @@ func TestAPIGatewayController(t *testing.T) {
EnterpriseMeta: *defaultMeta,
SectionName: "listener",
}),
validCertificate(structs.ResourceReference{
resolvedRefs(structs.ResourceReference{
Kind: structs.APIGateway,
Name: "gateway",
EnterpriseMeta: *defaultMeta,
@ -2111,7 +2111,7 @@ func TestAPIGatewayController(t *testing.T) {
EnterpriseMeta: *defaultMeta,
SectionName: "listener",
}),
validCertificate(structs.ResourceReference{
resolvedRefs(structs.ResourceReference{
Kind: structs.APIGateway,
Name: "gateway",
EnterpriseMeta: *defaultMeta,
@ -2240,7 +2240,7 @@ func TestAPIGatewayController(t *testing.T) {
EnterpriseMeta: *defaultMeta,
SectionName: "listener",
}),
validCertificate(structs.ResourceReference{
resolvedRefs(structs.ResourceReference{
Kind: structs.APIGateway,
Name: "gateway",
EnterpriseMeta: *defaultMeta,
@ -2389,7 +2389,7 @@ func TestAPIGatewayController(t *testing.T) {
EnterpriseMeta: *defaultMeta,
SectionName: "listener",
}),
validCertificate(structs.ResourceReference{
resolvedRefs(structs.ResourceReference{
Kind: structs.APIGateway,
Name: "gateway",
EnterpriseMeta: *defaultMeta,
@ -2536,7 +2536,7 @@ func TestAPIGatewayController(t *testing.T) {
EnterpriseMeta: *defaultMeta,
SectionName: "listener",
}),
validCertificate(structs.ResourceReference{
resolvedRefs(structs.ResourceReference{
Kind: structs.APIGateway,
Name: "gateway",
EnterpriseMeta: *defaultMeta,
@ -2700,12 +2700,12 @@ func TestAPIGatewayController(t *testing.T) {
Name: "gateway",
SectionName: "tcp-listener",
}),
validCertificate(structs.ResourceReference{
resolvedRefs(structs.ResourceReference{
Kind: structs.APIGateway,
Name: "gateway",
SectionName: "http-listener",
}),
validCertificate(structs.ResourceReference{
resolvedRefs(structs.ResourceReference{
Kind: structs.APIGateway,
Name: "gateway",
SectionName: "tcp-listener",
@ -3054,7 +3054,7 @@ func TestAPIGatewayController(t *testing.T) {
Name: "gateway",
SectionName: "http-listener",
}),
validCertificate(structs.ResourceReference{
resolvedRefs(structs.ResourceReference{
Kind: structs.APIGateway,
Name: "gateway",
SectionName: "http-listener",
@ -3407,7 +3407,7 @@ func TestAPIGatewayController(t *testing.T) {
Name: "gateway",
SectionName: "http-listener",
}),
validCertificate(structs.ResourceReference{
resolvedRefs(structs.ResourceReference{
Kind: structs.APIGateway,
Name: "gateway",
SectionName: "http-listener",
@ -3504,12 +3504,12 @@ func TestAPIGatewayController(t *testing.T) {
},
Status: structs.Status{
Conditions: []structs.Condition{
validCertificate(structs.ResourceReference{
resolvedRefs(structs.ResourceReference{
Kind: structs.APIGateway,
Name: "gateway",
SectionName: "listener-1",
}),
validCertificate(structs.ResourceReference{
resolvedRefs(structs.ResourceReference{
Kind: structs.APIGateway,
Name: "gateway",
SectionName: "listener-2",
@ -3728,7 +3728,7 @@ func TestAPIGatewayController(t *testing.T) {
Name: "gateway",
SectionName: "invalid-listener",
}, errors.New("certificate \"missing certificate\" not found")),
validCertificate(structs.ResourceReference{
resolvedRefs(structs.ResourceReference{
Kind: structs.APIGateway,
Name: "gateway",
SectionName: "valid-listener",
@ -3834,7 +3834,7 @@ func TestAPIGatewayController(t *testing.T) {
Name: "gateway",
SectionName: "http-listener",
}),
validCertificate(structs.ResourceReference{
resolvedRefs(structs.ResourceReference{
Kind: structs.APIGateway,
Name: "gateway",
SectionName: "http-listener",


@ -1248,21 +1248,44 @@ func convertPermission(perm *structs.IntentionPermission) *envoy_rbac_v3.Permiss
switch {
case hdr.Exact != "":
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_ExactMatch{
ExactMatch: hdr.Exact,
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Exact{
Exact: hdr.Exact,
},
IgnoreCase: false,
},
}
case hdr.Regex != "":
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_SafeRegexMatch{
SafeRegexMatch: response.MakeEnvoyRegexMatch(hdr.Regex),
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_SafeRegex{
SafeRegex: response.MakeEnvoyRegexMatch(hdr.Regex),
},
IgnoreCase: false,
},
}
case hdr.Prefix != "":
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_PrefixMatch{
PrefixMatch: hdr.Prefix,
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Prefix{
Prefix: hdr.Prefix,
},
IgnoreCase: false,
},
}
case hdr.Suffix != "":
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_SuffixMatch{
SuffixMatch: hdr.Suffix,
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Suffix{
Suffix: hdr.Suffix,
},
IgnoreCase: false,
},
}
case hdr.Present:
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_PresentMatch{
PresentMatch: true,
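Review bot: The RBAC golden output further down this page still renders the `:method` header permission as `"safeRegexMatch"`, so the move to `HeaderMatcher_StringMatch` made here for the Exact, Regex, Prefix and Suffix cases does not appear to cover the method matcher. That matcher is presumably built elsewhere in `convertPermission`, outside this hunk, so this is inferred from the generated JSON rather than from the code. If so, it could use the same form as the `hdr.Regex` case: `StringMatch: &envoy_matcher_v3.StringMatcher{MatchPattern: &envoy_matcher_v3.StringMatcher_SafeRegex{SafeRegex: ...}}`. That way every header condition in the authorization policy is expressed through a single matcher type, with no deprecated field left in the generated RBAC config.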


@ -833,21 +833,44 @@ func makeRouteMatchForDiscoveryRoute(discoveryRoute *structs.DiscoveryRoute) *en
switch {
case hdr.Exact != "":
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_ExactMatch{
ExactMatch: hdr.Exact,
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Exact{
Exact: hdr.Exact,
},
IgnoreCase: false,
},
}
case hdr.Regex != "":
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_SafeRegexMatch{
SafeRegexMatch: response.MakeEnvoyRegexMatch(hdr.Regex),
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_SafeRegex{
SafeRegex: response.MakeEnvoyRegexMatch(hdr.Regex),
},
IgnoreCase: false,
},
}
case hdr.Prefix != "":
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_PrefixMatch{
PrefixMatch: hdr.Prefix,
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Prefix{
Prefix: hdr.Prefix,
},
IgnoreCase: false,
},
}
case hdr.Suffix != "":
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_SuffixMatch{
SuffixMatch: hdr.Suffix,
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Suffix{
Suffix: hdr.Suffix,
},
IgnoreCase: false,
},
}
case hdr.Present:
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_PresentMatch{
PresentMatch: true,


@ -19,9 +19,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
@ -32,9 +30,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -16,9 +16,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -31,9 +29,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
@ -44,9 +40,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -19,9 +19,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
@ -32,9 +30,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -61,9 +57,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -16,9 +16,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -31,9 +29,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
@ -44,9 +40,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -16,9 +16,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
@ -28,9 +26,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -43,9 +39,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
@ -56,9 +50,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -70,9 +62,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
}
}
@ -84,9 +74,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}


@ -16,9 +16,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
@ -28,9 +26,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -43,9 +39,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
@ -56,9 +50,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -70,9 +62,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
}
}
@ -84,9 +74,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}


@ -16,9 +16,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -16,9 +16,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -16,9 +16,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -20,9 +20,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -16,9 +16,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -16,9 +16,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}


@ -16,9 +16,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}


@ -39,9 +39,7 @@
"urlPath": {
"path": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "/v[123]"
}
}
@ -51,9 +49,7 @@
"header": {
"name": ":method",
"safeRegexMatch": {
"googleRe2": {
},
"googleRe2": {},
"regex": "GET|HEAD|OPTIONS"
}
}
@ -97,31 +93,37 @@
{
"header": {
"name": "x-bar",
"exactMatch": "xyz"
"stringMatch": {
"exact": "xyz"
}
}
},
{
"header": {
"name": "x-dib",
"prefixMatch": "gaz"
"stringMatch": {
"prefix": "gaz"
}
}
},
{
"header": {
"name": "x-gir",
"suffixMatch": "zim"
"stringMatch": {
"suffix": "zim"
}
}
},
{
"header": {
"name": "x-zim",
"safeRegexMatch": {
"googleRe2": {
},
"stringMatch": {
"safeRegex": {
"googleRe2": {},
"regex": "gi[rR]"
}
}
}
},
{
"header": {
@ -133,32 +135,38 @@
{
"header": {
"name": "z-bar",
"exactMatch": "xyz",
"stringMatch": {
"exact": "xyz"
},
"invertMatch": true
}
},
{
"header": {
"name": "z-dib",
"prefixMatch": "gaz",
"stringMatch": {
"prefix": "gaz"
},
"invertMatch": true
}
},
{
"header": {
"name": "z-gir",
"suffixMatch": "zim",
"stringMatch": {
"suffix": "zim"
},
"invertMatch": true
}
},
{
"header": {
"name": "z-zim",
"safeRegexMatch": {
"googleRe2": {
},
"stringMatch": {
"safeRegex": {
"googleRe2": {},
"regex": "gi[rR]"
}
},
"invertMatch": true
}
@ -174,9 +182,7 @@
"urlPath": {
"path": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "/v[123]"
}
}
@ -186,9 +192,7 @@
"header": {
"name": ":method",
"safeRegexMatch": {
"googleRe2": {
},
"googleRe2": {},
"regex": "GET|HEAD|OPTIONS"
}
}
@ -224,9 +228,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -16,9 +16,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -42,9 +42,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -16,9 +16,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -18,9 +18,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
@ -31,9 +29,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -18,9 +18,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
@ -31,9 +29,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -19,9 +19,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -2,9 +2,7 @@
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
},
"rules": {},
"statPrefix": "connect_authz"
}
}


@ -2,8 +2,6 @@
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
"rules": {
}
"rules": {}
}
}


@ -2,9 +2,7 @@
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
},
"rules": {},
"statPrefix": "connect_authz"
}
}


@ -15,9 +15,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
@ -27,9 +25,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -42,9 +38,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
@ -55,9 +49,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -69,9 +61,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
}
}
@ -83,9 +73,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}


@ -15,9 +15,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
@ -27,9 +25,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -42,9 +38,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
@ -55,9 +49,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -69,9 +61,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
}
}
@ -83,9 +73,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}


@ -15,9 +15,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -15,9 +15,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -15,9 +15,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -15,9 +15,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -19,9 +19,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -2,9 +2,7 @@
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
},
"rules": {},
"statPrefix": "connect_authz"
}
}


@ -2,8 +2,6 @@
"name": "envoy.filters.http.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
"rules": {
}
"rules": {}
}
}


@ -2,9 +2,7 @@
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
},
"rules": {},
"statPrefix": "connect_authz"
}
}


@ -15,9 +15,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -30,9 +28,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/gateway/mesh/dc/[^/]+$"
}
}
@ -46,9 +42,7 @@
"name": "x-forwarded-client-cert",
"stringMatch": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^[^,]+;URI=spiffe://peer1.domain/ap/part1/ns/default/dc/[^/]+/svc/[^/]+(?:,.*)?$"
}
}
@ -60,9 +54,7 @@
"name": "x-forwarded-client-cert",
"stringMatch": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^[^,]+;URI=spiffe://peer1.domain/ap/part1/ns/default/dc/[^/]+/svc/web(?:,.*)?$"
}
}


@ -15,9 +15,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -30,9 +28,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://peer1.domain/ap/part1/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
@ -43,9 +39,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://peer1.domain/ap/part1/ns/default/dc/[^/]+/svc/web$"
}
}


@ -15,9 +15,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}


@ -15,9 +15,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}


@ -38,9 +38,7 @@
"urlPath": {
"path": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "/v[123]"
}
}
@ -50,9 +48,7 @@
"header": {
"name": ":method",
"safeRegexMatch": {
"googleRe2": {
},
"googleRe2": {},
"regex": "GET|HEAD|OPTIONS"
}
}
@ -96,31 +92,37 @@
{
"header": {
"name": "x-bar",
"exactMatch": "xyz"
"stringMatch": {
"exact": "xyz"
}
}
},
{
"header": {
"name": "x-dib",
"prefixMatch": "gaz"
"stringMatch": {
"prefix": "gaz"
}
}
},
{
"header": {
"name": "x-gir",
"suffixMatch": "zim"
"stringMatch": {
"suffix": "zim"
}
}
},
{
"header": {
"name": "x-zim",
"safeRegexMatch": {
"googleRe2": {
},
"stringMatch": {
"safeRegex": {
"googleRe2": {},
"regex": "gi[rR]"
}
}
}
},
{
"header": {
@ -132,32 +134,38 @@
{
"header": {
"name": "z-bar",
"exactMatch": "xyz",
"stringMatch": {
"exact": "xyz"
},
"invertMatch": true
}
},
{
"header": {
"name": "z-dib",
"prefixMatch": "gaz",
"stringMatch": {
"prefix": "gaz"
},
"invertMatch": true
}
},
{
"header": {
"name": "z-gir",
"suffixMatch": "zim",
"stringMatch": {
"suffix": "zim"
},
"invertMatch": true
}
},
{
"header": {
"name": "z-zim",
"safeRegexMatch": {
"googleRe2": {
},
"stringMatch": {
"safeRegex": {
"googleRe2": {},
"regex": "gi[rR]"
}
},
"invertMatch": true
}
@ -173,9 +181,7 @@
"urlPath": {
"path": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "/v[123]"
}
}
@ -185,9 +191,7 @@
"header": {
"name": ":method",
"safeRegexMatch": {
"googleRe2": {
},
"googleRe2": {},
"regex": "GET|HEAD|OPTIONS"
}
}
@ -223,9 +227,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -2,9 +2,7 @@
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
},
"rules": {},
"statPrefix": "connect_authz"
}
}


@ -43,9 +43,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -2,9 +2,7 @@
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
},
"rules": {},
"statPrefix": "connect_authz"
}
}


@ -23,8 +23,12 @@
"metadata": {
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_okta"},
{"key": "iss"}
{
"key": "jwt_payload_okta"
},
{
"key": "iss"
}
],
"value": {
"stringMatch": {
@ -37,8 +41,12 @@
"metadata": {
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_okta"},
{"key": "roles"}
{
"key": "jwt_payload_okta"
},
{
"key": "roles"
}
],
"value": {
"stringMatch": {


@ -2,9 +2,7 @@
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
},
"rules": {},
"statPrefix": "connect_authz"
}
}


@ -18,9 +18,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -31,10 +29,14 @@
"ids": [
{
"metadata": {
"filter":"envoy.filters.http.jwt_authn",
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_okta"},
{"key": "iss"}
{
"key": "jwt_payload_okta"
},
{
"key": "iss"
}
],
"value": {
"stringMatch": {
@ -45,10 +47,14 @@
},
{
"metadata": {
"filter":"envoy.filters.http.jwt_authn",
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_okta"},
{"key": "roles"}
{
"key": "jwt_payload_okta"
},
{
"key": "roles"
}
],
"value": {
"stringMatch": {


@ -15,9 +15,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}


@ -23,8 +23,12 @@
"metadata": {
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_auth0"},
{"key": "iss"}
{
"key": "jwt_payload_auth0"
},
{
"key": "iss"
}
],
"value": {
"stringMatch": {
@ -37,9 +41,15 @@
"metadata": {
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_auth0"},
{"key": "perms"},
{"key": "role"}
{
"key": "jwt_payload_auth0"
},
{
"key": "perms"
},
{
"key": "role"
}
],
"value": {
"stringMatch": {
@ -86,8 +96,12 @@
"metadata": {
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_auth0"},
{"key": "iss"}
{
"key": "jwt_payload_auth0"
},
{
"key": "iss"
}
],
"value": {
"stringMatch": {
@ -100,9 +114,15 @@
"metadata": {
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_auth0"},
{"key": "perms"},
{"key": "role"}
{
"key": "jwt_payload_auth0"
},
{
"key": "perms"
},
{
"key": "role"
}
],
"value": {
"stringMatch": {
@ -126,9 +146,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -139,10 +157,14 @@
"ids": [
{
"metadata": {
"filter":"envoy.filters.http.jwt_authn",
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_okta"},
{"key": "iss"}
{
"key": "jwt_payload_okta"
},
{
"key": "iss"
}
],
"value": {
"stringMatch": {
@ -153,10 +175,14 @@
},
{
"metadata": {
"filter":"envoy.filters.http.jwt_authn",
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_okta"},
{"key": "roles"}
{
"key": "jwt_payload_okta"
},
{
"key": "roles"
}
],
"value": {
"stringMatch": {


@ -2,9 +2,7 @@
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
},
"rules": {},
"statPrefix": "connect_authz"
}
}


@ -23,8 +23,12 @@
"metadata": {
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_auth0"},
{"key": "iss"}
{
"key": "jwt_payload_auth0"
},
{
"key": "iss"
}
],
"value": {
"stringMatch": {
@ -37,9 +41,15 @@
"metadata": {
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_auth0"},
{"key": "perms"},
{"key": "role"}
{
"key": "jwt_payload_auth0"
},
{
"key": "perms"
},
{
"key": "role"
}
],
"value": {
"stringMatch": {
@ -85,9 +95,7 @@
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
@ -98,10 +106,14 @@
"ids": [
{
"metadata": {
"filter":"envoy.filters.http.jwt_authn",
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_okta"},
{"key": "iss"}
{
"key": "jwt_payload_okta"
},
{
"key": "iss"
}
],
"value": {
"stringMatch": {
@ -112,10 +124,14 @@
},
{
"metadata": {
"filter":"envoy.filters.http.jwt_authn",
"filter": "envoy.filters.http.jwt_authn",
"path": [
{"key": "jwt_payload_okta"},
{"key": "roles"}
{
"key": "jwt_payload_okta"
},
{
"key": "roles"
}
],
"value": {
"stringMatch": {


@ -2,9 +2,7 @@
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
},
"rules": {},
"statPrefix": "connect_authz"
}
}


@ -30,9 +30,7 @@
{
"match": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "/regex"
}
},
@ -75,7 +73,9 @@
"headers": [
{
"name": "x-debug",
"exactMatch": "exact"
"stringMatch": {
"exact": "exact"
}
}
]
},
@ -89,7 +89,9 @@
"headers": [
{
"name": "x-debug",
"prefixMatch": "prefix"
"stringMatch": {
"prefix": "prefix"
}
}
]
},
@ -103,7 +105,9 @@
"headers": [
{
"name": "x-debug",
"suffixMatch": "suffix"
"stringMatch": {
"suffix": "suffix"
}
}
]
},
@ -117,13 +121,13 @@
"headers": [
{
"name": "x-debug",
"safeRegexMatch": {
"googleRe2": {
},
"stringMatch": {
"safeRegex": {
"googleRe2": {},
"regex": "regex"
}
}
}
]
},
"route": {
@ -137,9 +141,7 @@
{
"name": ":method",
"safeRegexMatch": {
"googleRe2": {
},
"googleRe2": {},
"regex": "GET|PUT"
}
}
@ -155,14 +157,14 @@
"headers": [
{
"name": "x-debug",
"exactMatch": "exact"
"stringMatch": {
"exact": "exact"
}
},
{
"name": ":method",
"safeRegexMatch": {
"googleRe2": {
},
"googleRe2": {},
"regex": "GET|PUT"
}
}
@ -196,9 +198,7 @@
"name": "secretparam2",
"stringMatch": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "regex"
}
}


@ -31,9 +31,7 @@
{
"match": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "/regex"
}
},
@ -76,7 +74,9 @@
"headers": [
{
"name": "x-debug",
"exactMatch": "exact"
"stringMatch": {
"exact": "exact"
}
}
]
},
@ -90,7 +90,9 @@
"headers": [
{
"name": "x-debug",
"prefixMatch": "prefix"
"stringMatch": {
"prefix": "prefix"
}
}
]
},
@ -104,7 +106,9 @@
"headers": [
{
"name": "x-debug",
"suffixMatch": "suffix"
"stringMatch": {
"suffix": "suffix"
}
}
]
},
@ -118,13 +122,13 @@
"headers": [
{
"name": "x-debug",
"safeRegexMatch": {
"googleRe2": {
},
"stringMatch": {
"safeRegex": {
"googleRe2": {},
"regex": "regex"
}
}
}
]
},
"route": {
@ -138,9 +142,7 @@
{
"name": ":method",
"safeRegexMatch": {
"googleRe2": {
},
"googleRe2": {},
"regex": "GET|PUT"
}
}
@ -156,14 +158,14 @@
"headers": [
{
"name": "x-debug",
"exactMatch": "exact"
"stringMatch": {
"exact": "exact"
}
},
{
"name": ":method",
"safeRegexMatch": {
"googleRe2": {
},
"googleRe2": {},
"regex": "GET|PUT"
}
}
@ -197,9 +199,7 @@
"name": "secretparam2",
"stringMatch": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "regex"
}
}


@ -31,9 +31,7 @@
{
"match": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "/regex"
}
},
@ -76,7 +74,9 @@
"headers": [
{
"name": "x-debug",
"exactMatch": "exact"
"stringMatch": {
"exact": "exact"
}
}
]
},
@ -90,7 +90,9 @@
"headers": [
{
"name": "x-debug",
"prefixMatch": "prefix"
"stringMatch": {
"prefix": "prefix"
}
}
]
},
@ -104,7 +106,9 @@
"headers": [
{
"name": "x-debug",
"suffixMatch": "suffix"
"stringMatch": {
"suffix": "suffix"
}
}
]
},
@ -118,13 +122,13 @@
"headers": [
{
"name": "x-debug",
"safeRegexMatch": {
"googleRe2": {
},
"stringMatch": {
"safeRegex": {
"googleRe2": {},
"regex": "regex"
}
}
}
]
},
"route": {
@ -138,9 +142,7 @@
{
"name": ":method",
"safeRegexMatch": {
"googleRe2": {
},
"googleRe2": {},
"regex": "GET|PUT"
}
}
@ -156,14 +158,14 @@
"headers": [
{
"name": "x-debug",
"exactMatch": "exact"
"stringMatch": {
"exact": "exact"
}
},
{
"name": ":method",
"safeRegexMatch": {
"googleRe2": {
},
"googleRe2": {},
"regex": "GET|PUT"
}
}
@ -197,9 +199,7 @@
"name": "secretparam2",
"stringMatch": {
"safeRegex": {
"googleRe2": {
},
"googleRe2": {},
"regex": "regex"
}
}


@ -5,13 +5,15 @@ package xdsv2
import (
"fmt"
"strings"
envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
envoy_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
"google.golang.org/protobuf/types/known/wrapperspb"
"github.com/hashicorp/consul/agent/xds/response"
"github.com/hashicorp/consul/envoyextensions/xdscommon"
"github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1/pbproxystate"
"google.golang.org/protobuf/types/known/wrapperspb"
"strings"
envoy_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
"google.golang.org/protobuf/proto"
@ -37,7 +39,6 @@ func (pr *ProxyResources) makeEnvoyRoute(name string) (*envoy_route_v3.RouteConf
if !ok {
// This should not happen with a valid proxy state.
return nil, fmt.Errorf("could not find route in ProxyState: %s", name)
}
return route, nil
}
@ -45,7 +46,6 @@ func (pr *ProxyResources) makeEnvoyRoute(name string) (*envoy_route_v3.RouteConf
// makeEnvoyRouteConfigFromProxystateRoute converts the proxystate representation of a Route into Envoy proto message
// form. We don't throw any errors here, since the proxystate has already been validated.
func (pr *ProxyResources) makeEnvoyRouteConfigFromProxystateRoute(name string, psRoute *pbproxystate.Route) *envoy_route_v3.RouteConfiguration {
envoyRouteConfig := &envoy_route_v3.RouteConfiguration{
Name: name,
// ValidateClusters defaults to true when defined statically and false
@ -158,21 +158,44 @@ func makeEnvoyHeaderMatcherFromProxystateHeaderMatch(psMatch *pbproxystate.Heade
switch psMatch.Match.(type) {
case *pbproxystate.HeaderMatch_Exact:
envoyHeaderMatcher.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_ExactMatch{
ExactMatch: psMatch.GetExact(),
envoyHeaderMatcher.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Exact{
Exact: psMatch.GetExact(),
},
IgnoreCase: false,
},
}
case *pbproxystate.HeaderMatch_Regex:
envoyHeaderMatcher.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_SafeRegexMatch{
SafeRegexMatch: makeEnvoyRegexMatch(psMatch.GetRegex()),
envoyHeaderMatcher.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_SafeRegex{
SafeRegex: response.MakeEnvoyRegexMatch(psMatch.GetRegex()),
},
IgnoreCase: false,
},
}
case *pbproxystate.HeaderMatch_Prefix:
envoyHeaderMatcher.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_PrefixMatch{
PrefixMatch: psMatch.GetPrefix(),
envoyHeaderMatcher.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Prefix{
Prefix: psMatch.GetPrefix(),
},
IgnoreCase: false,
},
}
case *pbproxystate.HeaderMatch_Suffix:
envoyHeaderMatcher.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_SuffixMatch{
SuffixMatch: psMatch.GetSuffix(),
envoyHeaderMatcher.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Suffix{
Suffix: psMatch.GetSuffix(),
},
IgnoreCase: false,
},
}
case *pbproxystate.HeaderMatch_Present:
envoyHeaderMatcher.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_PresentMatch{
PresentMatch: true,
@ -308,7 +331,6 @@ func makeEnvoyClusterWeightFromProxystateWeightedCluster(cluster *pbproxystate.L
}
func injectEnvoyClusterWeightWithProxystateHeaderMutation(envoyClusterWeight *envoy_route_v3.WeightedCluster_ClusterWeight, mutation *pbproxystate.HeaderMutation) {
mutation.GetAction()
switch mutation.GetAction().(type) {
case *pbproxystate.HeaderMutation_RequestHeaderAdd:
@ -374,7 +396,6 @@ func injectEnvoyRouteActionWithProxystateDestinationConfig(envoyAction *envoy_ro
}
func makeEnvoyHashPolicyFromProxystateLBHashPolicy(psPolicy *pbproxystate.LoadBalancerHashPolicy) *envoy_route_v3.RouteAction_HashPolicy {
switch psPolicy.GetPolicy().(type) {
case *pbproxystate.LoadBalancerHashPolicy_ConnectionProperties:
return &envoy_route_v3.RouteAction_HashPolicy{
@ -433,7 +454,6 @@ func makeEnvoyRetryPolicyFromProxystateRetryPolicy(psRetryPolicy *pbproxystate.R
}
func injectEnvoyRouteRuleWithProxystateHeaderMutation(envoyRouteRule *envoy_route_v3.Route, mutation *pbproxystate.HeaderMutation) {
mutation.GetAction()
switch mutation.GetAction().(type) {
case *pbproxystate.HeaderMutation_RequestHeaderAdd:
@ -479,7 +499,6 @@ func injectEnvoyRouteRuleWithProxystateHeaderMutation(envoyRouteRule *envoy_rout
}
func injectEnvoyVirtualHostWithProxystateHeaderMutation(envoyVirtualHost *envoy_route_v3.VirtualHost, mutation *pbproxystate.HeaderMutation) {
mutation.GetAction()
switch mutation.GetAction().(type) {
case *pbproxystate.HeaderMutation_RequestHeaderAdd: