From 31b95c747b381d6c4b49e440560b4bbf28bd8cd8 Mon Sep 17 00:00:00 2001 
From: "R.B. Boyer" <4903+rboyer@users.noreply.github.com> Date: Wed, 29 Jun 2022 10:29:54 -0500 Subject: [PATCH] xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629) When the protocol is http-like, and an intention has a peered source then the normal RBAC mTLS SAN field check is replaces with a joint combo of: mTLS SAN field must be the service's local mesh gateway leaf cert AND the first XFCC header (from the MGW) must have a URI field that matches the original intention source Also: - Update the regex program limit to be much higher than the teeny defaults, since the RBAC regex constructions are more complicated now. - Fix a few stray panics in xds generation. --- agent/proxycfg/snapshot.go | 10 +- agent/xds/listeners.go | 34 ++- agent/xds/rbac.go | 168 +++++++++++-- agent/xds/rbac_test.go | 18 +- agent/xds/routes.go | 6 +- ...splitter-crossing-partitions.latest.golden | 232 ------------------ ...splitter-crossing-partitions.latest.golden | 187 -------------- ...splitter-crossing-partitions.latest.golden | 152 ------------ ...eny-peered-kitchen-sink--httpfilter.golden | 38 ++- ...splitter-crossing-partitions.latest.golden | 46 ---- command/connect/envoy/bootstrap_tpl.go | 10 + ..._ADDR-with-https-scheme-enables-tls.golden | 10 + .../envoy/testdata/access-log-path.golden | 10 + .../envoy/testdata/defaults-nodemeta.golden | 10 + .../connect/envoy/testdata/defaults.golden | 10 + .../deprecated-grpc-addr-config.golden | 10 + .../envoy/testdata/existing-ca-file.golden | 10 + .../envoy/testdata/existing-ca-path.golden | 10 + .../envoy/testdata/extra_-multiple.golden | 10 + .../envoy/testdata/extra_-single.golden | 10 + .../envoy/testdata/grpc-addr-env.golden | 10 + .../envoy/testdata/grpc-addr-flag.golden | 10 + .../envoy/testdata/grpc-addr-unix.golden | 10 + .../ingress-gateway-address-specified.golden | 10 + .../ingress-gateway-no-auto-register.golden | 10 + .../testdata/ingress-gateway-nodemeta.golden | 10 + 
...-register-with-service-and-proxy-id.golden | 10 + ...ister-with-service-without-proxy-id.golden | 10 + .../envoy/testdata/ingress-gateway.golden | 10 + .../prometheus-metrics-tls-ca-file.golden | 10 + .../prometheus-metrics-tls-ca-path.golden | 10 + .../envoy/testdata/prometheus-metrics.golden | 10 + .../testdata/stats-config-override.golden | 10 + .../connect/envoy/testdata/token-arg.golden | 10 + .../connect/envoy/testdata/token-env.golden | 10 + .../envoy/testdata/token-file-arg.golden | 10 + .../envoy/testdata/token-file-env.golden | 10 + .../envoy/testdata/xds-addr-config.golden | 10 + .../testdata/zipkin-tracing-config.golden | 10 + 39 files changed, 526 insertions(+), 655 deletions(-) delete mode 100644 agent/xds/testdata/clusters/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden delete mode 100644 agent/xds/testdata/endpoints/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden delete mode 100644 agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden delete mode 100644 agent/xds/testdata/routes/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden diff --git a/agent/proxycfg/snapshot.go b/agent/proxycfg/snapshot.go index 7af7d3fd33..c52a99a811 100644 --- a/agent/proxycfg/snapshot.go +++ b/agent/proxycfg/snapshot.go @@ -425,9 +425,17 @@ func (c *ConfigSnapshot) MeshGatewayValidExportedServices() []structs.ServiceNam if _, ok := c.MeshGateway.ExportedServicesWithPeers[svc]; !ok { continue // not possible } - if _, ok := c.MeshGateway.DiscoveryChain[svc]; !ok { + + chain, ok := c.MeshGateway.DiscoveryChain[svc] + if !ok { continue // ignore; not ready } + + if structs.IsProtocolHTTPLike(chain.Protocol) { + if c.MeshGateway.Leaf == nil { + continue // ignore; not ready + } + } out = append(out, svc) } return out 
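Review bot: The nested `if` added to MeshGatewayValidExportedServices can be a single guard, `if structs.IsProtocolHTTPLike(chain.Protocol) && c.MeshGateway.Leaf == nil { continue }`, which keeps the loop body as flat as the two checks above it. The comment `// ignore; not ready` is now used for two different conditions in the same loop; the second one would read better as `// ignore; mesh gateway leaf cert not ready`. The same leaf-readiness test is added again in listeners.go (makeMeshGatewayPeerFilterChain) and routes.go (routesForMeshGateway), so the three sites need to stay in agreement.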
diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go index b828b5380f..1bf8e4e6c4 100644 --- a/agent/xds/listeners.go +++ b/agent/xds/listeners.go @@ -697,7 +697,11 @@ func (s *ResourceGenerator) injectConnectFilters(cfgSnap *proxycfg.ConfigSnapsho authzFilter, err := makeRBACNetworkFilter( cfgSnap.ConnectProxy.Intentions, cfgSnap.IntentionDefaultAllow, - cfgSnap.Roots.TrustDomain, + rbacLocalInfo{ + trustDomain: cfgSnap.Roots.TrustDomain, + datacenter: cfgSnap.Datacenter, + partition: cfgSnap.ProxyID.PartitionOrDefault(), + }, cfgSnap.ConnectProxy.InboundPeerTrustBundles, ) if err != nil { @@ -953,7 +957,11 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot httpAuthzFilter, err := makeRBACHTTPFilter( cfgSnap.ConnectProxy.Intentions, cfgSnap.IntentionDefaultAllow, - cfgSnap.Roots.TrustDomain, + rbacLocalInfo{ + trustDomain: cfgSnap.Roots.TrustDomain, + datacenter: cfgSnap.Datacenter, + partition: cfgSnap.ProxyID.PartitionOrDefault(), + }, cfgSnap.ConnectProxy.InboundPeerTrustBundles, ) if err != nil { @@ -1011,7 +1019,11 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot filterOpts.httpAuthzFilter, err = makeRBACHTTPFilter( cfgSnap.ConnectProxy.Intentions, cfgSnap.IntentionDefaultAllow, - cfgSnap.Roots.TrustDomain, + rbacLocalInfo{ + trustDomain: cfgSnap.Roots.TrustDomain, + datacenter: cfgSnap.Datacenter, + partition: cfgSnap.ProxyID.PartitionOrDefault(), + }, cfgSnap.ConnectProxy.InboundPeerTrustBundles, ) if err != nil { @@ -1310,7 +1322,11 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg. authFilter, err := makeRBACNetworkFilter( intentions, cfgSnap.IntentionDefaultAllow, - cfgSnap.Roots.TrustDomain, + rbacLocalInfo{ + trustDomain: cfgSnap.Roots.TrustDomain, + datacenter: cfgSnap.Datacenter, + partition: cfgSnap.ProxyID.PartitionOrDefault(), + }, nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway ) if err != nil { 
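Review bot: The same three-field `rbacLocalInfo{...}` literal is pasted into five call sites in this file (the hunks at -697, -953, -1011, -1310 and -1348), so a later field addition has to be repeated five times and a missed site would silently build RBAC rules from a zero value. A small constructor taking the snapshot keeps them in step, and gives one place to document that `expectXFCC` is deliberately left unset here because makeRBACRules derives it. The enclosing functions start and end outside these hunks.

```go
// rbacLocalInfoFromSnapshot collects the local identity fields the RBAC
// generators need. expectXFCC is left unset; makeRBACRules derives it.
func rbacLocalInfoFromSnapshot(cfgSnap *proxycfg.ConfigSnapshot) rbacLocalInfo {
	return rbacLocalInfo{
		trustDomain: cfgSnap.Roots.TrustDomain,
		datacenter:  cfgSnap.Datacenter,
		partition:   cfgSnap.ProxyID.PartitionOrDefault(),
	}
}

// … unchanged: the makeRBACNetworkFilter / makeRBACHTTPFilter calls, now passing rbacLocalInfoFromSnapshot(cfgSnap) …
```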
@@ -1348,7 +1364,11 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg. opts.httpAuthzFilter, err = makeRBACHTTPFilter( intentions, cfgSnap.IntentionDefaultAllow, - cfgSnap.Roots.TrustDomain, + rbacLocalInfo{ + trustDomain: cfgSnap.Roots.TrustDomain, + datacenter: cfgSnap.Datacenter, + partition: cfgSnap.ProxyID.PartitionOrDefault(), + }, nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway ) if err != nil { @@ -1522,6 +1542,10 @@ func (s *ResourceGenerator) makeMeshGatewayPeerFilterChain( useRDS = useHTTPFilter ) + if useHTTPFilter && cfgSnap.MeshGateway.Leaf == nil { + return nil, nil // ignore; not ready + } + var clusterName string if !useRDS { // When not using RDS we must generate a cluster name to attach to the filter chain. diff --git a/agent/xds/rbac.go b/agent/xds/rbac.go index c5a6511502..11b37fc321 100644 --- a/agent/xds/rbac.go +++ b/agent/xds/rbac.go @@ -21,10 +21,10 @@ import ( func makeRBACNetworkFilter( intentions structs.Intentions, intentionDefaultAllow bool, - trustDomain string, + localInfo rbacLocalInfo, peerTrustBundles []*pbpeering.PeeringTrustBundle, ) (*envoy_listener_v3.Filter, error) { - rules, err := makeRBACRules(intentions, intentionDefaultAllow, trustDomain, false, peerTrustBundles) + rules, err := makeRBACRules(intentions, intentionDefaultAllow, localInfo, false, peerTrustBundles) if err != nil { return nil, err } @@ -39,10 +39,10 @@ func makeRBACNetworkFilter( func makeRBACHTTPFilter( intentions structs.Intentions, intentionDefaultAllow bool, - trustDomain string, + localInfo rbacLocalInfo, peerTrustBundles []*pbpeering.PeeringTrustBundle, ) (*envoy_http_v3.HttpFilter, error) { - rules, err := makeRBACRules(intentions, intentionDefaultAllow, trustDomain, true, peerTrustBundles) + rules, err := makeRBACRules(intentions, intentionDefaultAllow, localInfo, true, peerTrustBundles) if err != nil { return nil, err } 
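Review bot: The early exit `return nil, nil` added to makeMeshGatewayPeerFilterChain (hunk at -1522) makes a nil filter chain a valid non-error result, and the caller is outside this hunk, so it is not visible whether nil is skipped before the chain is appended to the listener. That is worth confirming and recording in the function's doc comment, for example `// Returns (nil, nil) when the chain cannot be built yet; callers must skip a nil result.` The skip is also silent: a debug-level log naming the service would let operators see that an exported HTTP-like service is being withheld while the gateway leaf is missing. The function body continues outside the hunk.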
@@ -55,7 +55,7 @@ func makeRBACHTTPFilter( func intentionListToIntermediateRBACForm( intentions structs.Intentions, - trustDomain string, + localInfo rbacLocalInfo, isHTTP bool, trustBundlesByPeer map[string]*pbpeering.PeeringTrustBundle, ) []*rbacIntention { @@ -75,13 +75,13 @@ func intentionListToIntermediateRBACForm( continue } - rixn := intentionToIntermediateRBACForm(ixn, trustDomain, isHTTP, trustBundle) + rixn := intentionToIntermediateRBACForm(ixn, localInfo, isHTTP, trustBundle) rbacIxns = append(rbacIxns, rixn) } return rbacIxns } -func removeSourcePrecedence(rbacIxns []*rbacIntention, intentionDefaultAction intentionAction) []*rbacIntention { +func removeSourcePrecedence(rbacIxns []*rbacIntention, intentionDefaultAction intentionAction, localInfo rbacLocalInfo) []*rbacIntention { if len(rbacIxns) == 0 { return nil } @@ -124,17 +124,17 @@ func removeSourcePrecedence(rbacIxns []*rbacIntention, intentionDefaultAction in continue } - rixn.ComputedPrincipal = rixn.FlattenPrincipal() + rixn.ComputedPrincipal = rixn.FlattenPrincipal(localInfo) out = append(out, rixn) } return out } -func removeIntentionPrecedence(rbacIxns []*rbacIntention, intentionDefaultAction intentionAction) []*rbacIntention { +func removeIntentionPrecedence(rbacIxns []*rbacIntention, intentionDefaultAction intentionAction, localInfo rbacLocalInfo) []*rbacIntention { // Remove source precedence. After this completes precedence doesn't matter // between any two intentions. - rbacIxns = removeSourcePrecedence(rbacIxns, intentionDefaultAction) + rbacIxns = removeSourcePrecedence(rbacIxns, intentionDefaultAction, localInfo) numRetained := 0 for _, rbacIxn := range rbacIxns { 
@@ -213,12 +213,17 @@ func removePermissionPrecedence(perms []*rbacPermission, intentionDefaultAction return out } -func intentionToIntermediateRBACForm(ixn *structs.Intention, trustDomain string, isHTTP bool, bundle *pbpeering.PeeringTrustBundle) *rbacIntention { +func intentionToIntermediateRBACForm( + ixn *structs.Intention, + localInfo rbacLocalInfo, + isHTTP bool, + bundle *pbpeering.PeeringTrustBundle, +) *rbacIntention { rixn := &rbacIntention{ Source: rbacService{ ServiceName: ixn.SourceServiceName(), Peer: ixn.SourcePeer, - TrustDomain: trustDomain, + TrustDomain: localInfo.trustDomain, }, Precedence: ixn.Precedence, } @@ -299,7 +304,30 @@ type rbacIntention struct { ComputedPrincipal *envoy_rbac_v3.Principal } -func (r *rbacIntention) FlattenPrincipal() *envoy_rbac_v3.Principal { +func (r *rbacIntention) FlattenPrincipal(localInfo rbacLocalInfo) *envoy_rbac_v3.Principal { + if !localInfo.expectXFCC { + return r.flattenPrincipalFromCert() + + } else if r.Source.Peer == "" { + // NOTE: ixnSourceMatches should enforce that all of Source and NotSources + // are peered or not-peered, so we only need to look at the Source element. + return r.flattenPrincipalFromCert() // intention is not relevant to peering + } + + // If this intention is an L7 peered one, then it is exclusively resolvable + // using XFCC, rather than the TLS SAN field. + fromXFCC := r.flattenPrincipalFromXFCC() + + // Use of the XFCC one is gated on coming directly from our own gateways. + gwIDPattern := makeSpiffeMeshGatewayPattern(localInfo.trustDomain, localInfo.partition) + + return andPrincipals([]*envoy_rbac_v3.Principal{ + authenticatedPatternPrincipal(gwIDPattern), + fromXFCC, + }) +} + +func (r *rbacIntention) flattenPrincipalFromCert() *envoy_rbac_v3.Principal { r.NotSources = simplifyNotSourceSlice(r.NotSources) if len(r.NotSources) == 0 { 
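Review bot: The opening of FlattenPrincipal (hunk at -299) uses `return` followed by a blank line and `} else if`, which reads more clearly as one guard: `if !localInfo.expectXFCC || r.Source.Peer == "" { return r.flattenPrincipalFromCert() }`, with the NOTE about ixnSourceMatches kept above it. The method now decides whether a caller's identity is taken from the TLS SAN or from a forwarded header, so it deserves a doc comment saying so, e.g. `// FlattenPrincipal returns the principal for this intention: matched on the peer certificate, or, for peered sources when localInfo.expectXFCC is set, on the XFCC URI gated on the local mesh gateway identity.` The invariant that Source and NotSources are all peered or all non-peered is only stated in a comment here; nothing in this hunk checks it.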
@@ -316,6 +344,23 @@ func (r *rbacIntention) FlattenPrincipal() *envoy_rbac_v3.Principal { return andPrincipals(andIDs) } +func (r *rbacIntention) flattenPrincipalFromXFCC() *envoy_rbac_v3.Principal { + r.NotSources = simplifyNotSourceSlice(r.NotSources) + + if len(r.NotSources) == 0 { + return xfccPrincipal(r.Source) + } + + andIDs := make([]*envoy_rbac_v3.Principal, 0, len(r.NotSources)+1) + andIDs = append(andIDs, xfccPrincipal(r.Source)) + for _, src := range r.NotSources { + andIDs = append(andIDs, notPrincipal( + xfccPrincipal(src), + )) + } + return andPrincipals(andIDs) +} + type rbacPermission struct { Definition *structs.IntentionPermission @@ -378,6 +423,13 @@ func simplifyNotSourceSlice(notSources []rbacService) []rbacService { return keep } +type rbacLocalInfo struct { + trustDomain string + datacenter string + partition string + expectXFCC bool +} + // makeRBACRules translates Consul intentions into RBAC Policies for Envoy. // // Consul lets you define up to 9 different kinds of intentions that apply at @@ -430,7 +482,7 @@ func simplifyNotSourceSlice(notSources []rbacService) []rbacService { func makeRBACRules( intentions structs.Intentions, intentionDefaultAllow bool, - trustDomain string, + localInfo rbacLocalInfo, isHTTP bool, peerTrustBundles []*pbpeering.PeeringTrustBundle, ) (*envoy_rbac_v3.RBAC, error) { 
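Review bot: flattenPrincipalFromXFCC appears to repeat flattenPrincipalFromCert statement for statement with only the principal constructor changed to xfccPrincipal, so the two can drift if the NotSources handling is later edited in one of them. Since the exclusion logic is what makes a deny or allow rule precise, one shared helper that takes the constructor would keep it in a single place, e.g. `func (r *rbacIntention) flattenPrincipalWith(mk func(rbacService) *envoy_rbac_v3.Principal) *envoy_rbac_v3.Principal`. Only the first lines of flattenPrincipalFromCert are visible as context, so the equivalence should be checked against the full body.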
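Review bot: rbacLocalInfo (hunk at -378) is added without comments although its fields play different roles: trustDomain and partition feed the gateway identity pattern, expectXFCC is not supplied by callers but set inside makeRBACRules, and datacenter is populated by every caller yet not read in any hunk of this patch. Field comments would prevent misuse, e.g. `// expectXFCC is derived by makeRBACRules; callers leave it false` and `// partition is the local proxy's partition, used to match the local mesh gateway's SPIFFE ID`. If datacenter has no consumer it should be dropped, or its intended use noted.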
@@ -443,8 +495,17 @@ func makeRBACRules( trustBundlesByPeer[ptb.PeerName] = ptb } + if isHTTP && len(peerTrustBundles) > 0 { + for _, ixn := range intentions { + if ixn.SourcePeer != "" { + localInfo.expectXFCC = true + break + } + } + } + // First build up just the basic principal matches. - rbacIxns := intentionListToIntermediateRBACForm(intentions, trustDomain, isHTTP, trustBundlesByPeer) + rbacIxns := intentionListToIntermediateRBACForm(intentions, localInfo, isHTTP, trustBundlesByPeer) // Normalize: if we are in default-deny then all intentions must be allows and vice versa intentionDefaultAction := intentionActionFromBool(intentionDefaultAllow) @@ -461,7 +522,7 @@ func makeRBACRules( } // Remove source and permissions precedence. - rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction) + rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction, localInfo) // For L4: we should generate one big Policy listing all Principals // For L7: we should generate one Policy per Principal and list all of the Permissions @@ -482,7 +543,7 @@ func makeRBACRules( // For L7: we should generate one Policy per Principal and list all of the Permissions policy := &envoy_rbac_v3.Policy{ - Principals: []*envoy_rbac_v3.Principal{rbacIxn.ComputedPrincipal}, + Principals: optimizePrincipals([]*envoy_rbac_v3.Principal{rbacIxn.ComputedPrincipal}), Permissions: make([]*envoy_rbac_v3.Permission, 0, len(rbacIxn.Permissions)), } for _, perm := range rbacIxn.Permissions { @@ -496,7 +557,7 @@ func makeRBACRules( } if len(principalsL4) > 0 { rbac.Policies["consul-intentions-layer4"] = &envoy_rbac_v3.Policy{ - Principals: principalsL4, + Principals: optimizePrincipals(principalsL4), Permissions: []*envoy_rbac_v3.Permission{anyPermission()}, } } 
@@ -507,6 +568,20 @@ func makeRBACRules( return rbac, nil } +func optimizePrincipals(orig []*envoy_rbac_v3.Principal) []*envoy_rbac_v3.Principal { + // If they are all ORs, then OR them together. + var orIds []*envoy_rbac_v3.Principal + for _, p := range orig { + or, ok := p.Identifier.(*envoy_rbac_v3.Principal_OrIds) + if !ok { + return orig + } + orIds = append(orIds, or.OrIds.Ids...) + } + + return []*envoy_rbac_v3.Principal{orPrincipals(orIds)} +} + // removeSameSourceIntentions will iterate over intentions and remove any lower precedence // intentions that share the same source. Intentions are sorted by descending precedence // so once a source has been seen, additional intentions with the same source can be dropped. @@ -613,6 +688,16 @@ func andPrincipals(ids []*envoy_rbac_v3.Principal) *envoy_rbac_v3.Principal { } } +func orPrincipals(ids []*envoy_rbac_v3.Principal) *envoy_rbac_v3.Principal { + return &envoy_rbac_v3.Principal{ + Identifier: &envoy_rbac_v3.Principal_OrIds{ + OrIds: &envoy_rbac_v3.Principal_Set{ + Ids: ids, + }, + }, + } +} + func notPrincipal(id *envoy_rbac_v3.Principal) *envoy_rbac_v3.Principal { return &envoy_rbac_v3.Principal{ Identifier: &envoy_rbac_v3.Principal_NotId{ @@ -623,7 +708,10 @@ func notPrincipal(id *envoy_rbac_v3.Principal) *envoy_rbac_v3.Principal { func idPrincipal(src rbacService) *envoy_rbac_v3.Principal { pattern := makeSpiffePattern(src) + return authenticatedPatternPrincipal(pattern) +} +func authenticatedPatternPrincipal(pattern string) *envoy_rbac_v3.Principal { return &envoy_rbac_v3.Principal{ Identifier: &envoy_rbac_v3.Principal_Authenticated_{ Authenticated: &envoy_rbac_v3.Principal_Authenticated{ 
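Review bot: optimizePrincipals does not handle an empty input: when `len(orig) == 0` the loop never runs and the function returns one OR principal whose `Ids` is nil, which Envoy's RBAC validation is expected to reject since an or_ids set needs at least one entry (worth confirming). Both call sites in this patch pass a non-empty slice, so the problem is latent, but `if len(orig) == 0 { return orig }` at the top makes the helper safe on its own. `p.Identifier` also dereferences each element without a nil check; the generated accessor `p.GetIdentifier()` is nil-safe. A doc comment such as `// optimizePrincipals merges a list consisting only of OR principals into a single OR; any other list is returned unchanged.` would replace the inline remark, and `orIds` would conventionally be `orIDs`.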
@@ -637,6 +725,39 @@ func idPrincipal(src rbacService) *envoy_rbac_v3.Principal { } } +func xfccPrincipal(src rbacService) *envoy_rbac_v3.Principal { + // Same match we normally would use. + idPattern := makeSpiffePattern(src) + + // Remove the leading ^ and trailing $. + idPattern = idPattern[1 : len(idPattern)-1] + + // Anchor to the first XFCC component + pattern := `^[^,]+;URI=` + idPattern + `(?:,.*)?$` + + // By=spiffe://8c7db6d3-e4ee-aa8c-488c-dbedd3772b78.consul/gateway/mesh/dc/dc2; + // Hash=2a2db78ac351a05854a0abd350631bf98cc0eb827d21f4ed5935ccd287779eb6; + // Cert="-----BEGIN%20CERTIFICATE-----"; + // Chain="-----BEGIN%20CERTIFICATE-----"; + // Subject=""; + // URI=spiffe://5583c38e-c1c0-fd1e-2079-170bb2f396ad.consul/ns/default/dc/dc1/svc/pong, + + return &envoy_rbac_v3.Principal{ + Identifier: &envoy_rbac_v3.Principal_Header{ + Header: &envoy_route_v3.HeaderMatcher{ + Name: "x-forwarded-client-cert", + HeaderMatchSpecifier: &envoy_route_v3.HeaderMatcher_StringMatch{ + StringMatch: &envoy_matcher_v3.StringMatcher{ + MatchPattern: &envoy_matcher_v3.StringMatcher_SafeRegex{ + SafeRegex: makeEnvoyRegexMatch(pattern), + }, + }, + }, + }, + }, + } +} + const anyPath = `[^/]+` func makeSpiffePattern(src rbacService) string { @@ -688,6 +809,17 @@ func makeSpiffePattern(src rbacService) string { return fmt.Sprintf(`^%s://%s%s$`, id.URI().Scheme, id.Host, id.URI().Path) } +func makeSpiffeMeshGatewayPattern(gwTrustDomain, gwPartition string) string { + id := connect.SpiffeIDMeshGateway{ + Host: gwTrustDomain, + Partition: gwPartition, + // Datacenter is not verified by RBAC, so we match on any value. + Datacenter: anyPath, + } + + return fmt.Sprintf(`^%s://%s%s$`, id.URI().Scheme, id.Host, id.URI().Path) +} + func anyPermission() *envoy_rbac_v3.Permission { return &envoy_rbac_v3.Permission{ Rule: &envoy_rbac_v3.Permission_Any{Any: true}, diff --git a/agent/xds/rbac_test.go b/agent/xds/rbac_test.go index 81fb32ad87..dd850e2f4e 100644 --- a/agent/xds/rbac_test.go 
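Review bot: xfccPrincipal treats the first comma-separated element of `x-forwarded-client-cert` as authoritative, which is only sound if the local mesh gateway replaces any XFCC value received from the remote side instead of appending to it (in Envoy terms `forward_client_cert_details` set to something like `SANITIZE_SET`); nothing in this hunk states that dependency, so it should be written down in a comment on the function. The pattern further assumes that `URI=` is the last key in that element and that no earlier value contains a comma (`[^,]+`), so a quoted `Subject="..."` containing commas would make the match fail, and for a deny intention under default-allow a failed match means the rule does not apply. The slice `idPattern[1 : len(idPattern)-1]` silently relies on makeSpiffePattern always returning `^...$`; `strings.TrimSuffix(strings.TrimPrefix(idPattern, "^"), "$")` states the intent and cannot drop a real character. The sample header in the comment would be easier to follow placed above the pattern and introduced as an example of the value being matched.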
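Review bot: makeSpiffeMeshGatewayPattern (hunk at -688) formats the trust domain into a regular expression unescaped, so each `.` in a host such as `<uuid>.consul` matches any character; `regexp.QuoteMeta(id.Host)` in the `fmt.Sprintf` call would make the host literal, and the last line of makeSpiffePattern shown as context has the same form. The matched SAN still has to come from a certificate the proxy trusts, so this is hardening rather than a known bypass, but this pattern is what gates acceptance of the XFCC-derived identity. The comment on `Datacenter: anyPath` should say why any datacenter is acceptable, since as written a mesh gateway certificate from any datacenter in the local trust domain and partition satisfies the check.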
+++ b/agent/xds/rbac_test.go @@ -440,11 +440,16 @@ func TestRemoveIntentionPrecedence(t *testing.T) { }, } + testLocalInfo := rbacLocalInfo{ + trustDomain: testTrustDomain, + datacenter: "dc1", + } + for name, tt := range tests { t.Run(name, func(t *testing.T) { - rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, testTrustDomain, tt.http, testPeerTrustBundle) + rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, testLocalInfo, tt.http, testPeerTrustBundle) intentionDefaultAction := intentionActionFromBool(tt.intentionDefaultAllow) - rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction) + rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction, testLocalInfo) require.Equal(t, tt.expect, rbacIxns) }) @@ -797,11 +802,16 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { }, } + testLocalInfo := rbacLocalInfo{ + trustDomain: testTrustDomain, + datacenter: "dc1", + } + for name, tt := range tests { tt := tt t.Run(name, func(t *testing.T) { t.Run("network filter", func(t *testing.T) { - filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow, testTrustDomain, testPeerTrustBundle) + filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow, testLocalInfo, testPeerTrustBundle) require.NoError(t, err) t.Run("current", func(t *testing.T) { @@ -811,7 +821,7 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { }) }) t.Run("http filter", func(t *testing.T) { - filter, err := makeRBACHTTPFilter(tt.intentions, tt.intentionDefaultAllow, testTrustDomain, testPeerTrustBundle) + filter, err := makeRBACHTTPFilter(tt.intentions, tt.intentionDefaultAllow, testLocalInfo, testPeerTrustBundle) require.NoError(t, err) t.Run("current", func(t *testing.T) { diff --git a/agent/xds/routes.go b/agent/xds/routes.go index 42be5b53b2..6f9e2214c1 100644 --- a/agent/xds/routes.go +++ b/agent/xds/routes.go 
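Review bot: testLocalInfo leaves `partition` unset in TestRemoveIntentionPrecedence and again in TestMakeRBACNetworkAndHTTPFilters (hunk at -797), while every production caller in listeners.go passes `cfgSnap.ProxyID.PartitionOrDefault()`. The gateway identity pattern built from `localInfo.partition` is therefore exercised with an empty partition, so the peered HTTP golden output may not match what a real proxy is given; setting `partition: "default"` (or whatever the default resolves to) in the fixture would close that gap. The identical literal is declared twice and could be one package-level test variable next to testTrustDomain.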
@@ -139,7 +139,11 @@ func (s *ResourceGenerator) routesForMeshGateway(cfgSnap *proxycfg.ConfigSnapsho chain := cfgSnap.MeshGateway.DiscoveryChain[svc] if !structs.IsProtocolHTTPLike(chain.Protocol) { - continue + continue // ignore; not relevant + } + + if cfgSnap.MeshGateway.Leaf == nil { + continue // ignore; not ready } uid := proxycfg.NewUpstreamIDFromServiceName(svc) diff --git a/agent/xds/testdata/clusters/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden b/agent/xds/testdata/clusters/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden deleted file mode 100644 index f5081bd7ff..0000000000 --- a/agent/xds/testdata/clusters/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden +++ /dev/null 
@@ -1,232 +0,0 @@ -{ - "versionInfo": "00000001", - "resources": [ - { - "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", - "name": "alt.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "type": "EDS", - "edsClusterConfig": { - "edsConfig": { - "ads": { - - }, - "resourceApiVersion": "V3" - } - }, - "connectTimeout": "5s", - "outlierDetection": { - - } - }, - { - "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", - "name": "ap2.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "type": "EDS", - "edsClusterConfig": { - "edsConfig": { - "ads": { - - }, - "resourceApiVersion": "V3" - } - }, - "connectTimeout": "5s", - "outlierDetection": { - - } - }, - { - "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", - "name": "db.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "type": "EDS", - "edsClusterConfig": { - "edsConfig": { - "ads": { - - }, - "resourceApiVersion": "V3" - } - }, - "connectTimeout": "5s", - "outlierDetection": { - - } - }, - { - "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", - "name": "exported~alt.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "altStatName": "exported~alt.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "type": "EDS", - "edsClusterConfig": { - "edsConfig": { - "ads": { - - }, - "resourceApiVersion": "V3" - } - }, - "connectTimeout": "5s", - "circuitBreakers": { - - }, - "outlierDetection": { - - }, - "commonLbConfig": { - "healthyPanicThreshold": { - - } - }, - "transportSocket": { - "name": "tls", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", - "commonTlsContext": { - "tlsParams": { - - }, - "tlsCertificates": [ - { - "certificateChain": { - "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" - }, - "privateKey": { - "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" - } - } - ], - "validationContext": { - "trustedCa": { - "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" - }, - "matchSubjectAltNames": [ - { - "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ap/ap1/ns/default/dc/dc1/svc/alt" - } - ] - } - }, - "sni": "alt.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul" - } - } - }, - { - "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", - "name": "exported~cross.default.ap2.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "altStatName": "exported~cross.default.ap2.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "type": "EDS", - "edsClusterConfig": { - "edsConfig": { - "ads": { - - }, - "resourceApiVersion": "V3" - } - }, - "connectTimeout": "5s", - "circuitBreakers": { - - }, - "outlierDetection": { - - }, - "commonLbConfig": { - "healthyPanicThreshold": { - - } - }, - "transportSocket": { - "name": "tls", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", - "commonTlsContext": { - "tlsParams": { - - }, - "tlsCertificates": [ - { - "certificateChain": { - "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" - }, - "privateKey": { - "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" - } - } - ], - "validationContext": { - "trustedCa": { - "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" - }, - "matchSubjectAltNames": [ - { - "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ap/ap2/ns/default/dc/dc1/svc/cross" - } - ] - } - }, - "sni": "cross.default.ap2.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul" - } - } - }, - { - "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", - "name": "exported~db.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "altStatName": "exported~db.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "type": "EDS", - "edsClusterConfig": { - "edsConfig": { - "ads": { - - }, - "resourceApiVersion": "V3" - } - }, - "connectTimeout": "33s", - "circuitBreakers": { - - }, - "outlierDetection": { - - }, - "commonLbConfig": { - "healthyPanicThreshold": { - - } - }, - "transportSocket": { - "name": "tls", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", - "commonTlsContext": { - "tlsParams": { - - }, - "tlsCertificates": [ - { - "certificateChain": { - "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" - }, - "privateKey": { - "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" - } - } - ], - "validationContext": { - "trustedCa": { - "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" - }, - "matchSubjectAltNames": [ - { - "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ap/ap1/ns/default/dc/dc1/svc/db" - } - ] - } - }, - "sni": "db.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul" - } - } - } - ], - "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", - "nonce": "00000001" -} \ No newline at end of file diff --git a/agent/xds/testdata/endpoints/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden b/agent/xds/testdata/endpoints/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden deleted file mode 100644 index 073d3718fc..0000000000 --- a/agent/xds/testdata/endpoints/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden +++ /dev/null 
@@ -1,187 +0,0 @@ -{ - "versionInfo": "00000001", - "resources": [ - { - "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", - "clusterName": "alt.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "endpoints": [ - { - "lbEndpoints": [ - { - "endpoint": { - "address": { - "socketAddress": { - "address": "10.10.1.1", - "portValue": 8080 - } - } - }, - "healthStatus": "HEALTHY", - "loadBalancingWeight": 1 - }, - { - "endpoint": { - "address": { - "socketAddress": { - "address": "10.10.1.2", - "portValue": 8080 - } - } - }, - "healthStatus": "HEALTHY", - "loadBalancingWeight": 1 - } - ] - } - ] - }, - { - "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", - "clusterName": "ap2.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "endpoints": [ - { - "lbEndpoints": [ - { - "endpoint": { - "address": { - "socketAddress": { - "address": "172.100.0.14", - "portValue": 8080 - } - } - }, - "healthStatus": "HEALTHY", - "loadBalancingWeight": 1 - } - ] - } - ] - }, - { - "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", - "clusterName": "db.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "endpoints": [ - { - "lbEndpoints": [ - { - "endpoint": { - "address": { - "socketAddress": { - "address": "10.10.1.1", - "portValue": 8080 - } - } - }, - "healthStatus": "HEALTHY", - "loadBalancingWeight": 1 - }, - { - "endpoint": { - "address": { - "socketAddress": { - "address": "10.10.1.2", - "portValue": 8080 - } - } - }, - "healthStatus": "HEALTHY", - "loadBalancingWeight": 1 - } - ] - } - ] - }, - { - "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", - "clusterName": "exported~alt.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "endpoints": [ - { - "lbEndpoints": [ - { - "endpoint": { - "address": { - "socketAddress": { - "address": "10.10.1.1", - "portValue": 8080 - } - } - }, - 
"healthStatus": "HEALTHY", - "loadBalancingWeight": 1 - }, - { - "endpoint": { - "address": { - "socketAddress": { - "address": "10.10.1.2", - "portValue": 8080 - } - } - }, - "healthStatus": "HEALTHY", - "loadBalancingWeight": 1 - } - ] - } - ] - }, - { - "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", - "clusterName": "exported~cross.default.ap2.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "endpoints": [ - { - "lbEndpoints": [ - { - "endpoint": { - "address": { - "socketAddress": { - "address": "172.100.0.14", - "portValue": 8080 - } - } - }, - "healthStatus": "HEALTHY", - "loadBalancingWeight": 1 - } - ] - } - ] - }, - { - "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", - "clusterName": "exported~db.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "endpoints": [ - { - "lbEndpoints": [ - { - "endpoint": { - "address": { - "socketAddress": { - "address": "10.10.1.1", - "portValue": 8080 - } - } - }, - "healthStatus": "HEALTHY", - "loadBalancingWeight": 1 - }, - { - "endpoint": { - "address": { - "socketAddress": { - "address": "10.10.1.2", - "portValue": 8080 - } - } - }, - "healthStatus": "HEALTHY", - "loadBalancingWeight": 1 - } - ] - } - ] - } - ], - "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", - "nonce": "00000001" -} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden b/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden deleted file mode 100644 index 6003859738..0000000000 --- a/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "versionInfo": "00000001", - "resources": [ - { - "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", - "name": "default:1.2.3.4:8443", - "address": { - "socketAddress": { - "address": "1.2.3.4", - "portValue": 8443 - } - }, - "filterChains": [ - { - "filterChainMatch": { - "serverNames": [ - "db.default.ap1.peer-a.external.11111111-2222-3333-4444-555555555555.consul" - ] - }, - "filters": [ - { - "name": "envoy.filters.network.http_connection_manager", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", - "statPrefix": "mesh_gateway_local_peered.db.default.ap1.dc1", - "rds": { - "configSource": { - "ads": { - - }, - "resourceApiVersion": "V3" - }, - "routeConfigName": "ap1/default/db" - }, - "httpFilters": [ - { - "name": "envoy.filters.http.router", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" - } - } - ], - "tracing": { - "randomSampling": { - - } - }, - "forwardClientCertDetails": "SANITIZE_SET", - "setCurrentClientCertDetails": { - "subject": true, - "cert": true, - "chain": true, - "dns": true, - "uri": true - } - } - } - ], - "transportSocket": { - "name": "tls", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", - "commonTlsContext": { - "tlsParams": { - - }, - "tlsCertificates": [ - { - "certificateChain": { - "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" - }, - "privateKey": { - "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" - } - } - ], - "validationContext": { - "customValidatorConfig": { - "name": "envoy.tls.cert_validator.spiffe", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig", - "trustDomains": [ - { - "name": "11111111-2222-3333-4444-555555555555.consul", - "trustBundle": { - "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" - } - }, - { - "name": "1c053652-8512-4373-90cf-5a7f6263a994.consul", - "trustBundle": { - "inlineString": "-----BEGIN CERTIFICATE-----\nMIICczCCAdwCCQC3BLnEmLCrSjANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJV\nUzELMAkGA1UECAwCQVoxEjAQBgNVBAcMCUZsYWdzdGFmZjEMMAoGA1UECgwDRm9v\nMRAwDgYDVQQLDAdleGFtcGxlMQ8wDQYDVQQDDAZwZWVyLWExHTAbBgkqhkiG9w0B\nCQEWDmZvb0BwZWVyLWEuY29tMB4XDTIyMDUyNjAxMDQ0NFoXDTIzMDUyNjAxMDQ0\nNFowfjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkFaMRIwEAYDVQQHDAlGbGFnc3Rh\nZmYxDDAKBgNVBAoMA0ZvbzEQMA4GA1UECwwHZXhhbXBsZTEPMA0GA1UEAwwGcGVl\nci1hMR0wGwYJKoZIhvcNAQkBFg5mb29AcGVlci1hLmNvbTCBnzANBgkqhkiG9w0B\nAQEFAAOBjQAwgYkCgYEA2zFYGTbXDAntT5pLTpZ2+VTiqx4J63VRJH1kdu11f0FV\nc2jl1pqCuYDbQXknDU0Pv1Q5y0+nSAihD2KqGS571r+vHQiPtKYPYRqPEe9FzAhR\n2KhWH6v/tk5DG1HqOjV9/zWRKB12gdFNZZqnw/e7NjLNq3wZ2UAwxXip5uJ8uwMC\nAwEAATANBgkqhkiG9w0BAQsFAAOBgQC/CJ9Syf4aL91wZizKTejwouRYoWv4gRAk\nyto45ZcNMHfJ0G2z+XAMl9ZbQsLgXmzAx4IM6y5Jckq8pKC4PEijCjlKTktLHlEy\n0ggmFxtNB1tid2NC8dOzcQ3l45+gDjDqdILhAvLDjlAIebdkqVqb2CfFNW/I2CQH\nZAuKN1aoKA==\n-----END CERTIFICATE-----\n" - } - } - ] - } - } - } - }, - "requireClientCertificate": true - } - } - }, 
- { - "filterChainMatch": { - "serverNames": [ - "*.ap2.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul" - ] - }, - "filters": [ - { - "name": "envoy.filters.network.tcp_proxy", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", - "statPrefix": "mesh_gateway_remote.default.ap2.dc1", - "cluster": "ap2.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul" - } - } - ] - }, - { - "filters": [ - { - "name": "envoy.filters.network.sni_cluster", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.sni_cluster.v3.SniCluster" - } - }, - { - "name": "envoy.filters.network.tcp_proxy", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", - "statPrefix": "mesh_gateway_local.default", - "cluster": "" - } - } - ] - } - ], - "listenerFilters": [ - { - "name": "envoy.filters.listener.tls_inspector", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector" - } - } - ] - } - ], - "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", - "nonce": "00000001" -} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-peered-kitchen-sink--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-peered-kitchen-sink--httpfilter.golden index 80d977dff0..2ffed83910 100644 --- a/agent/xds/testdata/rbac/default-deny-peered-kitchen-sink--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-deny-peered-kitchen-sink--httpfilter.golden 
@@ -33,23 +33,43 @@ "googleRe2": { }, - "regex": "^spiffe://peer1.domain/ap/part1/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/gateway/mesh/dc/[^/]+$" } } } }, { - "notId": { - "authenticated": { - "principalName": { - "safeRegex": { - "googleRe2": { + "andIds": { + "ids": [ + { + "header": { + "name": "x-forwarded-client-cert", + "stringMatch": { + "safeRegex": { + "googleRe2": { - }, - "regex": "^spiffe://peer1.domain/ap/part1/ns/default/dc/[^/]+/svc/web$" + }, + "regex": "^[^,]+;URI=spiffe://peer1.domain/ap/part1/ns/default/dc/[^/]+/svc/[^/]+(?:,.*)?$" + } + } + } + }, + { + "notId": { + "header": { + "name": "x-forwarded-client-cert", + "stringMatch": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^[^,]+;URI=spiffe://peer1.domain/ap/part1/ns/default/dc/[^/]+/svc/web(?:,.*)?$" + } + } + } } } - } + ] } } ] diff --git a/agent/xds/testdata/routes/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden b/agent/xds/testdata/routes/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden deleted file mode 100644 index edce6fc1cf..0000000000 --- a/agent/xds/testdata/routes/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden +++ /dev/null 
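Review bot: The exclusion pattern inside the new `notId` header match ends in `svc/web(?:,.*)?$`, so it matches only when `URI=` is the last key of the first XFCC element. The wildcard pattern above it ends in `svc/[^/]+(?:,.*)?$`, and its `[^/]+` also accepts `;` and any slash-free text after the service name. If the mesh gateway emits a key after `URI` in that element (not determinable from this hunk), the wildcard would match while the exclusion would not, which weakens what appears to be an "every service except web" principal. Consider having the generator bound the variable segments and treat trailing keys the same way in both patterns, e.g. `svc/[^/;,]+(?:[;,].*)?$` and `svc/web(?:[;,].*)?$`. This file is generated test output, so the change belongs in the regex construction in agent/xds/rbac.go, which is outside this hunk.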
@@ -1,46 +0,0 @@ -{ - "versionInfo": "00000001", - "resources": [ - { - "@type": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", - "name": "ap1/default/db", - "virtualHosts": [ - { - "name": "ap1/default/db", - "domains": [ - "*" - ], - "routes": [ - { - "match": { - "prefix": "/" - }, - "route": { - "weightedClusters": { - "clusters": [ - { - "name": "exported~alt.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "weight": 5000 - }, - { - "name": "exported~db.default.ap1.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "weight": 4000 - }, - { - "name": "exported~cross.default.ap2.dc1.internal-v1.11111111-2222-3333-4444-555555555555.consul", - "weight": 1000 - } - ], - "totalWeight": 10000 - } - } - } - ] - } - ], - "validateClusters": true - } - ], - "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", - "nonce": "00000001" -} \ No newline at end of file diff --git a/command/connect/envoy/bootstrap_tpl.go b/command/connect/envoy/bootstrap_tpl.go index e6b71f5480..afb56eb777 100644 --- a/command/connect/envoy/bootstrap_tpl.go +++ b/command/connect/envoy/bootstrap_tpl.go @@ -159,6 +159,16 @@ const bootstrapTemplate = `{ "partition": "{{if ne .Partition ""}}{{ .Partition }}{{else}}default{{end}}" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden b/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden index cfa96e5ef0..388812a6c4 100644 --- a/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden +++ b/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden 
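Review bot: The `re2.max_program_size.error_level` value of 1048576 added in the `layered_runtime` block is a bare literal with no explanation. As a static runtime layer it raises the limit for every regex the proxy compiles, not only the RBAC patterns the commit message gives as the reason. Regexes from operator-written configuration get the same ceiling, so the cost of compiling an oversized pattern is bounded much more loosely; it is worth confirming that is intended. The template body is JSON and cannot hold a comment, so document the choice on the Go side above `const bootstrapTemplate`, e.g. `// re2.max_program_size.error_level is raised because peered RBAC principals use long XFCC regexes; it applies to all regexes Envoy compiles.` The constant starts and ends outside this hunk, and whether a user-supplied bootstrap override can define its own `layered_runtime` key is not visible here.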
@@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/access-log-path.golden b/command/connect/envoy/testdata/access-log-path.golden index a874cb698e..d8a98b3416 100644 --- a/command/connect/envoy/testdata/access-log-path.golden +++ b/command/connect/envoy/testdata/access-log-path.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/defaults-nodemeta.golden b/command/connect/envoy/testdata/defaults-nodemeta.golden index 62adc0032f..35582b4b0e 100644 --- a/command/connect/envoy/testdata/defaults-nodemeta.golden +++ b/command/connect/envoy/testdata/defaults-nodemeta.golden @@ -17,6 +17,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/defaults.golden b/command/connect/envoy/testdata/defaults.golden index 1c3b452ff6..10c372d8fa 100644 --- a/command/connect/envoy/testdata/defaults.golden +++ b/command/connect/envoy/testdata/defaults.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/deprecated-grpc-addr-config.golden b/command/connect/envoy/testdata/deprecated-grpc-addr-config.golden index f59a782edc..2eda566f08 100644 --- a/command/connect/envoy/testdata/deprecated-grpc-addr-config.golden 
+++ b/command/connect/envoy/testdata/deprecated-grpc-addr-config.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/existing-ca-file.golden b/command/connect/envoy/testdata/existing-ca-file.golden index ff09458487..e47069ea31 100644 --- a/command/connect/envoy/testdata/existing-ca-file.golden +++ b/command/connect/envoy/testdata/existing-ca-file.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/existing-ca-path.golden b/command/connect/envoy/testdata/existing-ca-path.golden index a9fc080fd5..537c50ba4a 100644 --- a/command/connect/envoy/testdata/existing-ca-path.golden +++ b/command/connect/envoy/testdata/existing-ca-path.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/extra_-multiple.golden b/command/connect/envoy/testdata/extra_-multiple.golden index b0689e23b7..736abd7e97 100644 --- a/command/connect/envoy/testdata/extra_-multiple.golden +++ b/command/connect/envoy/testdata/extra_-multiple.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/extra_-single.golden b/command/connect/envoy/testdata/extra_-single.golden index 6a33f0c29b..c517ec6cbf 100644 
--- a/command/connect/envoy/testdata/extra_-single.golden +++ b/command/connect/envoy/testdata/extra_-single.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/grpc-addr-env.golden b/command/connect/envoy/testdata/grpc-addr-env.golden index f59a782edc..2eda566f08 100644 --- a/command/connect/envoy/testdata/grpc-addr-env.golden +++ b/command/connect/envoy/testdata/grpc-addr-env.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/grpc-addr-flag.golden b/command/connect/envoy/testdata/grpc-addr-flag.golden index f59a782edc..2eda566f08 100644 --- a/command/connect/envoy/testdata/grpc-addr-flag.golden +++ b/command/connect/envoy/testdata/grpc-addr-flag.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/grpc-addr-unix.golden b/command/connect/envoy/testdata/grpc-addr-unix.golden index 4386445f8b..4c8d908282 100644 --- a/command/connect/envoy/testdata/grpc-addr-unix.golden +++ b/command/connect/envoy/testdata/grpc-addr-unix.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { 
diff --git a/command/connect/envoy/testdata/ingress-gateway-address-specified.golden b/command/connect/envoy/testdata/ingress-gateway-address-specified.golden index d0b0be0dc5..9b711fb81b 100644 --- a/command/connect/envoy/testdata/ingress-gateway-address-specified.golden +++ b/command/connect/envoy/testdata/ingress-gateway-address-specified.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden b/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden index d3cedfb5a7..5a985dff70 100644 --- a/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden +++ b/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/ingress-gateway-nodemeta.golden b/command/connect/envoy/testdata/ingress-gateway-nodemeta.golden index 45a024653f..b89277f88e 100644 --- a/command/connect/envoy/testdata/ingress-gateway-nodemeta.golden +++ b/command/connect/envoy/testdata/ingress-gateway-nodemeta.golden @@ -17,6 +17,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden b/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden index cb98077ebc..71bca125f1 100644 
--- a/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden +++ b/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden b/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden index d23864619d..8a7ac566d0 100644 --- a/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden +++ b/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/ingress-gateway.golden b/command/connect/envoy/testdata/ingress-gateway.golden index 24dd4392e4..b1af51f0d1 100644 --- a/command/connect/envoy/testdata/ingress-gateway.golden +++ b/command/connect/envoy/testdata/ingress-gateway.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/prometheus-metrics-tls-ca-file.golden b/command/connect/envoy/testdata/prometheus-metrics-tls-ca-file.golden index 239250c72b..64d0951b2f 100644 --- a/command/connect/envoy/testdata/prometheus-metrics-tls-ca-file.golden +++ b/command/connect/envoy/testdata/prometheus-metrics-tls-ca-file.golden 
@@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/prometheus-metrics-tls-ca-path.golden b/command/connect/envoy/testdata/prometheus-metrics-tls-ca-path.golden index c00fa54ed1..34cbbda972 100644 --- a/command/connect/envoy/testdata/prometheus-metrics-tls-ca-path.golden +++ b/command/connect/envoy/testdata/prometheus-metrics-tls-ca-path.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/prometheus-metrics.golden b/command/connect/envoy/testdata/prometheus-metrics.golden index 004ed74896..1aaf948ee4 100644 --- a/command/connect/envoy/testdata/prometheus-metrics.golden +++ b/command/connect/envoy/testdata/prometheus-metrics.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/stats-config-override.golden b/command/connect/envoy/testdata/stats-config-override.golden index 62c8901258..d2a2371f20 100644 --- a/command/connect/envoy/testdata/stats-config-override.golden +++ b/command/connect/envoy/testdata/stats-config-override.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/token-arg.golden b/command/connect/envoy/testdata/token-arg.golden index c5a54a8717..a4a65d422e 100644 
--- a/command/connect/envoy/testdata/token-arg.golden +++ b/command/connect/envoy/testdata/token-arg.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/token-env.golden b/command/connect/envoy/testdata/token-env.golden index c5a54a8717..a4a65d422e 100644 --- a/command/connect/envoy/testdata/token-env.golden +++ b/command/connect/envoy/testdata/token-env.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/token-file-arg.golden b/command/connect/envoy/testdata/token-file-arg.golden index c5a54a8717..a4a65d422e 100644 --- a/command/connect/envoy/testdata/token-file-arg.golden +++ b/command/connect/envoy/testdata/token-file-arg.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/token-file-env.golden b/command/connect/envoy/testdata/token-file-env.golden index c5a54a8717..a4a65d422e 100644 --- a/command/connect/envoy/testdata/token-file-env.golden +++ b/command/connect/envoy/testdata/token-file-env.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/xds-addr-config.golden b/command/connect/envoy/testdata/xds-addr-config.golden index f59a782edc..2eda566f08 100644 
--- a/command/connect/envoy/testdata/xds-addr-config.golden +++ b/command/connect/envoy/testdata/xds-addr-config.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ { diff --git a/command/connect/envoy/testdata/zipkin-tracing-config.golden b/command/connect/envoy/testdata/zipkin-tracing-config.golden index 8c84471a31..abafce3ced 100644 --- a/command/connect/envoy/testdata/zipkin-tracing-config.golden +++ b/command/connect/envoy/testdata/zipkin-tracing-config.golden @@ -16,6 +16,16 @@ "partition": "default" } }, + "layered_runtime": { + "layers": [ + { + "name": "base", + "static_layer": { + "re2.max_program_size.error_level": 1048576 + } + } + ] + }, "static_resources": { "clusters": [ {