status-im
/
consul
mirror of https://github.com/status-im/consul.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'main' of github.com:hashicorp/consul into docs-ecs-mesh-gw

This commit is contained in:
trujillo-adam 2022-06-21 08:53:30 -07:00
parent cf8b0a47c5 b197b38f0d
commit 60d6f7197c
45 changed files with 140 additions and 131 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
agent/proxycfg/connect_proxy.go
View File

@ -22,8 +22,8 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
snap.ConnectProxy.WatchedDiscoveryChains = make(map[UpstreamID]context.CancelFunc)
snap.ConnectProxy.WatchedUpstreams = make(map[UpstreamID]map[string]context.CancelFunc)
snap.ConnectProxy.WatchedUpstreamEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes)
snap.ConnectProxy.WatchedPeerTrustBundles = make(map[string]context.CancelFunc)
snap.ConnectProxy.PeerTrustBundles = make(map[string]*pbpeering.PeeringTrustBundle)
snap.ConnectProxy.WatchedUpstreamPeerTrustBundles = make(map[string]context.CancelFunc)
snap.ConnectProxy.UpstreamPeerTrustBundles = make(map[string]*pbpeering.PeeringTrustBundle)
snap.ConnectProxy.WatchedGateways = make(map[UpstreamID]map[string]context.CancelFunc)
snap.ConnectProxy.WatchedGatewayEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes)
snap.ConnectProxy.WatchedServiceChecks = make(map[structs.ServiceID][]structs.CheckType)
@ -212,7 +212,7 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
}
// Check whether a watch for this peer exists to avoid duplicates.
if _, ok := snap.ConnectProxy.WatchedPeerTrustBundles[uid.Peer]; !ok {
if _, ok := snap.ConnectProxy.WatchedUpstreamPeerTrustBundles[uid.Peer]; !ok {
peerCtx, cancel := context.WithCancel(ctx)
if err := s.dataSources.TrustBundle.Notify(peerCtx, &pbpeering.TrustBundleReadRequest{
Name: uid.Peer,
@ -222,7 +222,7 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
return snap, fmt.Errorf("error while watching trust bundle for peer %q: %w", uid.Peer, err)
}
snap.ConnectProxy.WatchedPeerTrustBundles[uid.Peer] = cancel
snap.ConnectProxy.WatchedUpstreamPeerTrustBundles[uid.Peer] = cancel
}
continue
}
@ -270,7 +270,7 @@ func (s *handlerConnectProxy) handleUpdate(ctx context.Context, u UpdateEvent, s
}
peer := strings.TrimPrefix(u.CorrelationID, peerTrustBundleIDPrefix)
if resp.Bundle != nil {
snap.ConnectProxy.PeerTrustBundles[peer] = resp.Bundle
snap.ConnectProxy.UpstreamPeerTrustBundles[peer] = resp.Bundle
}
case u.CorrelationID == peeringTrustBundlesWatchID:
@ -279,9 +279,9 @@ func (s *handlerConnectProxy) handleUpdate(ctx context.Context, u UpdateEvent, s
return fmt.Errorf("invalid type for response: %T", u.Result)
}
if len(resp.Bundles) > 0 {
snap.ConnectProxy.PeeringTrustBundles = resp.Bundles
snap.ConnectProxy.InboundPeerTrustBundles = resp.Bundles
}
snap.ConnectProxy.PeeringTrustBundlesSet = true
snap.ConnectProxy.InboundPeerTrustBundlesSet = true
case u.CorrelationID == intentionsWatchID:
resp, ok := u.Result.(*structs.IndexedIntentionMatches)

4
agent/proxycfg/manager_test.go
View File

@ -238,7 +238,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
},
PassthroughUpstreams: map[UpstreamID]map[string]map[string]struct{}{},
PassthroughIndices: map[string]indexedTarget{},
PeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
UpstreamPeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
PeerUpstreamEndpoints: map[UpstreamID]structs.CheckServiceNodes{},
PeerUpstreamEndpointsUseHostnames: map[UpstreamID]struct{}{},
},
@ -299,7 +299,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
},
PassthroughUpstreams: map[UpstreamID]map[string]map[string]struct{}{},
PassthroughIndices: map[string]indexedTarget{},
PeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
UpstreamPeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
PeerUpstreamEndpoints: map[UpstreamID]structs.CheckServiceNodes{},
PeerUpstreamEndpointsUseHostnames: map[UpstreamID]struct{}{},
},

26
agent/proxycfg/snapshot.go
View File

@ -44,13 +44,13 @@ type ConfigSnapshotUpstreams struct {
// endpoints of an upstream.
WatchedUpstreamEndpoints map[UpstreamID]map[string]structs.CheckServiceNodes
// WatchedPeerTrustBundles is a map of (PeerName -> CancelFunc) in order to cancel
// WatchedUpstreamPeerTrustBundles is a map of (PeerName -> CancelFunc) in order to cancel
// watches for peer trust bundles any time the list of upstream peers changes.
WatchedPeerTrustBundles map[string]context.CancelFunc
WatchedUpstreamPeerTrustBundles map[string]context.CancelFunc
// PeerTrustBundles is a map of (PeerName -> PeeringTrustBundle).
// UpstreamPeerTrustBundles is a map of (PeerName -> PeeringTrustBundle).
// It is used to store trust bundles for upstream TLS transport sockets.
PeerTrustBundles map[string]*pbpeering.PeeringTrustBundle
UpstreamPeerTrustBundles map[string]*pbpeering.PeeringTrustBundle
// WatchedGateways is a map of UpstreamID -> (map of GatewayKey.String() ->
// CancelFunc) in order to cancel watches for mesh gateways
@ -128,8 +128,8 @@ func gatewayKeyFromString(s string) GatewayKey {
type configSnapshotConnectProxy struct {
ConfigSnapshotUpstreams
PeeringTrustBundlesSet bool
PeeringTrustBundles []*pbpeering.PeeringTrustBundle
InboundPeerTrustBundlesSet bool
InboundPeerTrustBundles []*pbpeering.PeeringTrustBundle
WatchedServiceChecks map[structs.ServiceID][]structs.CheckType // TODO: missing garbage collection
PreparedQueryEndpoints map[UpstreamID]structs.CheckServiceNodes // DEPRECATED:see:WatchedUpstreamEndpoints
@ -152,8 +152,8 @@ func (c *configSnapshotConnectProxy) isEmpty() bool {
len(c.WatchedDiscoveryChains) == 0 &&
len(c.WatchedUpstreams) == 0 &&
len(c.WatchedUpstreamEndpoints) == 0 &&
len(c.WatchedPeerTrustBundles) == 0 &&
len(c.PeerTrustBundles) == 0 &&
len(c.WatchedUpstreamPeerTrustBundles) == 0 &&
len(c.UpstreamPeerTrustBundles) == 0 &&
len(c.WatchedGateways) == 0 &&
len(c.WatchedGatewayEndpoints) == 0 &&
len(c.WatchedServiceChecks) == 0 &&
@ -161,7 +161,7 @@ func (c *configSnapshotConnectProxy) isEmpty() bool {
len(c.UpstreamConfig) == 0 &&
len(c.PassthroughUpstreams) == 0 &&
len(c.IntentionUpstreams) == 0 &&
!c.PeeringTrustBundlesSet &&
!c.InboundPeerTrustBundlesSet &&
!c.MeshConfigSet &&
len(c.PeerUpstreamEndpoints) == 0 &&
len(c.PeerUpstreamEndpointsUseHostnames) == 0
@ -637,7 +637,7 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) {
snap.ConnectProxy.WatchedUpstreams = nil
snap.ConnectProxy.WatchedGateways = nil
snap.ConnectProxy.WatchedDiscoveryChains = nil
snap.ConnectProxy.WatchedPeerTrustBundles = nil
snap.ConnectProxy.WatchedUpstreamPeerTrustBundles = nil
case structs.ServiceKindTerminatingGateway:
snap.TerminatingGateway.WatchedServices = nil
snap.TerminatingGateway.WatchedIntentions = nil
@ -652,7 +652,7 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) {
snap.IngressGateway.WatchedUpstreams = nil
snap.IngressGateway.WatchedGateways = nil
snap.IngressGateway.WatchedDiscoveryChains = nil
snap.IngressGateway.WatchedPeerTrustBundles = nil
snap.IngressGateway.WatchedUpstreamPeerTrustBundles = nil
// only ingress-gateway
snap.IngressGateway.LeafCertWatchCancel = nil
}
@ -676,7 +676,7 @@ func (s *ConfigSnapshot) Leaf() *structs.IssuedCert {
func (s *ConfigSnapshot) PeeringTrustBundles() []*pbpeering.PeeringTrustBundle {
switch s.Kind {
case structs.ServiceKindConnectProxy:
return s.ConnectProxy.PeeringTrustBundles
return s.ConnectProxy.InboundPeerTrustBundles
case structs.ServiceKindMeshGateway:
return s.MeshGateway.PeeringTrustBundles
default:
@ -755,7 +755,7 @@ func (u *ConfigSnapshotUpstreams) PeeredUpstreamIDs() []UpstreamID {
continue
}
if _, ok := u.PeerTrustBundles[uid.Peer]; uid.Peer != "" && !ok {
if _, ok := u.UpstreamPeerTrustBundles[uid.Peer]; uid.Peer != "" && !ok {
// The trust bundle for this upstream is not available yet, skip for now.
continue
}

14
agent/proxycfg/state_test.go
View File

@ -2572,15 +2572,15 @@ func TestState_WatchesAndUpdates(t *testing.T) {
require.Len(t, snap.ConnectProxy.WatchedGateways, 0, "%+v", snap.ConnectProxy.WatchedGateways)
require.Len(t, snap.ConnectProxy.WatchedGatewayEndpoints, 0, "%+v", snap.ConnectProxy.WatchedGatewayEndpoints)
require.Contains(t, snap.ConnectProxy.WatchedPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedPeerTrustBundles)
require.Len(t, snap.ConnectProxy.PeerTrustBundles, 0, "%+v", snap.ConnectProxy.PeerTrustBundles)
require.Contains(t, snap.ConnectProxy.WatchedUpstreamPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles)
require.Len(t, snap.ConnectProxy.UpstreamPeerTrustBundles, 0, "%+v", snap.ConnectProxy.UpstreamPeerTrustBundles)
require.Len(t, snap.ConnectProxy.PeerUpstreamEndpoints, 0, "%+v", snap.ConnectProxy.PeerUpstreamEndpoints)
require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks)
require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints)
require.Len(t, snap.ConnectProxy.PeeringTrustBundles, 0, "%+v", snap.ConnectProxy.PeeringTrustBundles)
require.False(t, snap.ConnectProxy.PeeringTrustBundlesSet)
require.Len(t, snap.ConnectProxy.InboundPeerTrustBundles, 0, "%+v", snap.ConnectProxy.InboundPeerTrustBundles)
require.False(t, snap.ConnectProxy.InboundPeerTrustBundlesSet)
},
},
{
@ -2655,7 +2655,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
require.Equal(t, indexedRoots, snap.Roots)
require.Equal(t, issuedCert, snap.ConnectProxy.Leaf)
prototest.AssertDeepEqual(t, peerTrustBundles.Bundles, snap.ConnectProxy.PeeringTrustBundles)
prototest.AssertDeepEqual(t, peerTrustBundles.Bundles, snap.ConnectProxy.InboundPeerTrustBundles)
require.Len(t, snap.ConnectProxy.DiscoveryChain, 1, "%+v", snap.ConnectProxy.DiscoveryChain)
require.Len(t, snap.ConnectProxy.WatchedUpstreams, 1, "%+v", snap.ConnectProxy.WatchedUpstreams)
@ -2663,8 +2663,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
require.Len(t, snap.ConnectProxy.WatchedGateways, 1, "%+v", snap.ConnectProxy.WatchedGateways)
require.Len(t, snap.ConnectProxy.WatchedGatewayEndpoints, 1, "%+v", snap.ConnectProxy.WatchedGatewayEndpoints)
require.Contains(t, snap.ConnectProxy.WatchedPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedPeerTrustBundles)
require.Equal(t, peerTrustBundles.Bundles[0], snap.ConnectProxy.PeerTrustBundles["peer-a"], "%+v", snap.ConnectProxy.WatchedPeerTrustBundles)
require.Contains(t, snap.ConnectProxy.WatchedUpstreamPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles)
require.Equal(t, peerTrustBundles.Bundles[0], snap.ConnectProxy.UpstreamPeerTrustBundles["peer-a"], "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles)
require.Len(t, snap.ConnectProxy.PeerUpstreamEndpoints, 1, "%+v", snap.ConnectProxy.PeerUpstreamEndpoints)
require.NotNil(t, snap.ConnectProxy.PeerUpstreamEndpoints[extApiUID])

8
agent/xds/clusters.go
View File

@ -465,9 +465,9 @@ func (s *ResourceGenerator) makeDestinationClusters(cfgSnap *proxycfg.ConfigSnap
cluster := s.makeDynamicForwardProxyCluster(cfgSnap, opts)
// TODO (dans): might be relevant later for TLS addons like CA validation
//if err := s.injectGatewayServiceAddons(cfgSnap, cluster, svc, loadBalancer); err != nil {
// if err := s.injectGatewayServiceAddons(cfgSnap, cluster, svc, loadBalancer); err != nil {
// return nil, err
//}
// }
clusters = append(clusters, cluster)
}
return clusters, nil
@ -695,7 +695,7 @@ func (s *ResourceGenerator) makeUpstreamClusterForPeerService(
rootPEMs := cfgSnap.RootPEMs()
if uid.Peer != "" {
rootPEMs = cfgSnap.ConnectProxy.PeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
rootPEMs = cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
}
// Enable TLS upstream with the configured client certificate.
@ -999,7 +999,7 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
rootPEMs := cfgSnap.RootPEMs()
if uid.Peer != "" {
rootPEMs = cfgSnap.ConnectProxy.PeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
rootPEMs = cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
}
commonTLSContext := makeCommonTLSContext(
cfgSnap.Leaf(),

11
agent/xds/listeners.go
View File

@ -697,7 +697,8 @@ func (s *ResourceGenerator) injectConnectFilters(cfgSnap *proxycfg.ConfigSnapsho
authzFilter, err := makeRBACNetworkFilter(
cfgSnap.ConnectProxy.Intentions,
cfgSnap.IntentionDefaultAllow,
cfgSnap.ConnectProxy.PeerTrustBundles,
cfgSnap.Roots.TrustDomain,
cfgSnap.ConnectProxy.InboundPeerTrustBundles,
)
if err != nil {
return err
@ -952,7 +953,8 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot
httpAuthzFilter, err := makeRBACHTTPFilter(
cfgSnap.ConnectProxy.Intentions,
cfgSnap.IntentionDefaultAllow,
cfgSnap.ConnectProxy.PeerTrustBundles,
cfgSnap.Roots.TrustDomain,
cfgSnap.ConnectProxy.InboundPeerTrustBundles,
)
if err != nil {
return nil, err
@ -1009,7 +1011,8 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot
filterOpts.httpAuthzFilter, err = makeRBACHTTPFilter(
cfgSnap.ConnectProxy.Intentions,
cfgSnap.IntentionDefaultAllow,
cfgSnap.ConnectProxy.PeerTrustBundles,
cfgSnap.Roots.TrustDomain,
cfgSnap.ConnectProxy.InboundPeerTrustBundles,
)
if err != nil {
return nil, err
@ -1307,6 +1310,7 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.
authFilter, err := makeRBACNetworkFilter(
intentions,
cfgSnap.IntentionDefaultAllow,
cfgSnap.Roots.TrustDomain,
nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway
)
if err != nil {
@ -1344,6 +1348,7 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.
opts.httpAuthzFilter, err = makeRBACHTTPFilter(
intentions,
cfgSnap.IntentionDefaultAllow,
cfgSnap.Roots.TrustDomain,
nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway
)
if err != nil {

42
agent/xds/rbac.go
View File

@ -21,9 +21,10 @@ import (
func makeRBACNetworkFilter(
intentions structs.Intentions,
intentionDefaultAllow bool,
peerTrustBundles map[string]*pbpeering.PeeringTrustBundle,
trustDomain string,
peerTrustBundles []*pbpeering.PeeringTrustBundle,
) (*envoy_listener_v3.Filter, error) {
rules, err := makeRBACRules(intentions, intentionDefaultAllow, false, peerTrustBundles)
rules, err := makeRBACRules(intentions, intentionDefaultAllow, trustDomain, false, peerTrustBundles)
if err != nil {
return nil, err
}
@ -38,9 +39,10 @@ func makeRBACNetworkFilter(
func makeRBACHTTPFilter(
intentions structs.Intentions,
intentionDefaultAllow bool,
peerTrustBundles map[string]*pbpeering.PeeringTrustBundle,
trustDomain string,
peerTrustBundles []*pbpeering.PeeringTrustBundle,
) (*envoy_http_v3.HttpFilter, error) {
rules, err := makeRBACRules(intentions, intentionDefaultAllow, true, peerTrustBundles)
rules, err := makeRBACRules(intentions, intentionDefaultAllow, trustDomain, true, peerTrustBundles)
if err != nil {
return nil, err
}
@ -53,6 +55,7 @@ func makeRBACHTTPFilter(
func intentionListToIntermediateRBACForm(
intentions structs.Intentions,
trustDomain string,
isHTTP bool,
trustBundlesByPeer map[string]*pbpeering.PeeringTrustBundle,
) []*rbacIntention {
@ -72,7 +75,7 @@ func intentionListToIntermediateRBACForm(
continue
}
rixn := intentionToIntermediateRBACForm(ixn, isHTTP, trustBundle)
rixn := intentionToIntermediateRBACForm(ixn, trustDomain, isHTTP, trustBundle)
rbacIxns = append(rbacIxns, rixn)
}
return rbacIxns
@ -210,11 +213,12 @@ func removePermissionPrecedence(perms []*rbacPermission, intentionDefaultAction
return out
}
func intentionToIntermediateRBACForm(ixn *structs.Intention, isHTTP bool, bundle *pbpeering.PeeringTrustBundle) *rbacIntention {
func intentionToIntermediateRBACForm(ixn *structs.Intention, trustDomain string, isHTTP bool, bundle *pbpeering.PeeringTrustBundle) *rbacIntention {
rixn := &rbacIntention{
Source: rbacService{
ServiceName: ixn.SourceServiceName(),
Peer: ixn.SourcePeer,
TrustDomain: trustDomain,
},
Precedence: ixn.Precedence,
}
@ -426,25 +430,21 @@ func simplifyNotSourceSlice(notSources []rbacService) []rbacService {
func makeRBACRules(
intentions structs.Intentions,
intentionDefaultAllow bool,
trustDomain string,
isHTTP bool,
peerTrustBundles map[string]*pbpeering.PeeringTrustBundle,
peerTrustBundles []*pbpeering.PeeringTrustBundle,
) (*envoy_rbac_v3.RBAC, error) {
// Note that we DON'T explicitly validate the trust-domain matches ours.
//
// For now we don't validate the trust domain of the _destination_ at all.
// The RBAC policies below ignore the trust domain and it's implicit that
// the request is for the correct cluster. We might want to reconsider this
// later but plumbing in additional machinery to check the clusterID here
// is not really necessary for now unless the Envoys are badly configured.
// Our threat model _requires_ correctly configured and well behaved
// proxies given that they have ACLs to fetch certs and so can do whatever
// they want including not authorizing traffic at all or routing it do a
// different service than they auth'd against.
// TODO(banks,rb): Implement revocation list checking?
// TODO(peering): mkeeler asked that these maps come from proxycfg instead of
// being constructed in xds to save memory allocation and gc pressure. Low priority.
trustBundlesByPeer := make(map[string]*pbpeering.PeeringTrustBundle, len(peerTrustBundles))
for _, ptb := range peerTrustBundles {
trustBundlesByPeer[ptb.PeerName] = ptb
}
// First build up just the basic principal matches.
rbacIxns := intentionListToIntermediateRBACForm(intentions, isHTTP, peerTrustBundles)
rbacIxns := intentionListToIntermediateRBACForm(intentions, trustDomain, isHTTP, trustBundlesByPeer)
// Normalize: if we are in default-deny then all intentions must be allows and vice versa
intentionDefaultAction := intentionActionFromBool(intentionDefaultAllow)
@ -641,7 +641,7 @@ const anyPath = `[^/]+`
func makeSpiffePattern(src rbacService) string {
var (
host = anyPath // TODO(peering): We match trust domain on any value but should be defaulting to the local trust domain
host = src.TrustDomain
ap = src.PartitionOrDefault()
ns = src.NamespaceOrDefault()
svc = src.Name

18
agent/xds/rbac_test.go
View File

@ -58,10 +58,13 @@ func TestRemoveIntentionPrecedence(t *testing.T) {
ExportedPartition: "part1",
},
}
testTrustDomain := "test.consul"
var (
nameWild = rbacService{ServiceName: structs.NewServiceName("*", nil)}
nameWeb = rbacService{ServiceName: structs.NewServiceName("web", nil)}
nameWild = rbacService{ServiceName: structs.NewServiceName("*", nil),
TrustDomain: testTrustDomain}
nameWeb = rbacService{ServiceName: structs.NewServiceName("web", nil),
TrustDomain: testTrustDomain}
nameWildPeered = rbacService{ServiceName: structs.NewServiceName("*", nil),
Peer: "peer1", TrustDomain: "peer1.domain", ExportedPartition: "part1"}
nameWebPeered = rbacService{ServiceName: structs.NewServiceName("web", nil),
@ -439,7 +442,7 @@ func TestRemoveIntentionPrecedence(t *testing.T) {
for name, tt := range tests {
t.Run(name, func(t *testing.T) {
rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, tt.http, testPeerTrustBundle)
rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, testTrustDomain, tt.http, testPeerTrustBundle)
intentionDefaultAction := intentionActionFromBool(tt.intentionDefaultAllow)
rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction)
@ -472,13 +475,14 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
ixn.Permissions = perms
return ixn
}
testPeerTrustBundle := map[string]*pbpeering.PeeringTrustBundle{
"peer1": {
testPeerTrustBundle := []*pbpeering.PeeringTrustBundle{
{
PeerName: "peer1",
TrustDomain: "peer1.domain",
ExportedPartition: "part1",
},
}
testTrustDomain := "test.consul"
sorted := func(ixns ...*structs.Intention) structs.Intentions {
sort.SliceStable(ixns, func(i, j int) bool {
return ixns[j].Precedence < ixns[i].Precedence
@ -797,7 +801,7 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
tt := tt
t.Run(name, func(t *testing.T) {
t.Run("network filter", func(t *testing.T) {
filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow, testPeerTrustBundle)
filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow, testTrustDomain, testPeerTrustBundle)
require.NoError(t, err)
t.Run("current", func(t *testing.T) {
@ -807,7 +811,7 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
})
})
t.Run("http filter", func(t *testing.T) {
filter, err := makeRBACHTTPFilter(tt.intentions, tt.intentionDefaultAllow, testPeerTrustBundle)
filter, err := makeRBACHTTPFilter(tt.intentions, tt.intentionDefaultAllow, testTrustDomain, testPeerTrustBundle)
require.NoError(t, err)
t.Run("current", func(t *testing.T) {

4
agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden vendored
View File

@ -22,7 +22,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -35,7 +35,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

6
agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden vendored
View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -34,7 +34,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -47,7 +47,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

6
agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden vendored
View File

@ -22,7 +22,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -35,7 +35,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -64,7 +64,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

6
agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden vendored
View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -34,7 +34,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -47,7 +47,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

12
agent/xds/testdata/rbac/default-allow-kitchen-sink--httpfilter.golden vendored
View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}
@ -31,7 +31,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -46,7 +46,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -59,7 +59,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -73,7 +73,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
}
}
}
@ -87,7 +87,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}

12
agent/xds/testdata/rbac/default-allow-kitchen-sink.golden vendored
View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}
@ -31,7 +31,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -46,7 +46,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -59,7 +59,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -73,7 +73,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
}
}
}
@ -87,7 +87,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-one-deny--httpfilter.golden vendored
View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-one-deny.golden vendored
View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-path-allow.golden vendored
View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden vendored
View File

@ -23,7 +23,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-path-deny.golden vendored
View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-service-wildcard-deny--httpfilter.golden vendored
View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-service-wildcard-deny.golden vendored
View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms--httpfilter.golden vendored
View File

@ -227,7 +227,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms.golden vendored
View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow--httpfilter.golden vendored
View File

@ -45,7 +45,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow.golden vendored
View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

4
agent/xds/testdata/rbac/default-deny-allow-deny--httpfilter.golden vendored
View File

@ -21,7 +21,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -34,7 +34,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

4
agent/xds/testdata/rbac/default-deny-allow-deny.golden vendored
View File

@ -21,7 +21,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -34,7 +34,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden vendored
View File

@ -22,7 +22,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

12
agent/xds/testdata/rbac/default-deny-kitchen-sink--httpfilter.golden vendored
View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}
@ -30,7 +30,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -45,7 +45,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -58,7 +58,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -72,7 +72,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
}
}
}
@ -86,7 +86,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}

12
agent/xds/testdata/rbac/default-deny-kitchen-sink.golden vendored
View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}
@ -30,7 +30,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -45,7 +45,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -58,7 +58,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -72,7 +72,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
}
}
}
@ -86,7 +86,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-mixed-precedence--httpfilter.golden vendored
View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-mixed-precedence.golden vendored
View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-one-allow--httpfilter.golden vendored
View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-one-allow.golden vendored
View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden vendored
View File

@ -22,7 +22,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-peered-kitchen-sink--httpfilter.golden vendored
View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-peered-kitchen-sink.golden vendored
View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-service-wildcard-allow--httpfilter.golden vendored
View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-service-wildcard-allow.golden vendored
View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-single-intention-with-kitchen-sink-perms--httpfilter.golden vendored
View File

@ -226,7 +226,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-two-path-deny-and-path-allow--httpfilter.golden vendored
View File

@ -46,7 +46,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
website/content/commands/monitor.mdx
View File

@ -32,6 +32,6 @@ Usage: `consul monitor [options]`
- `-log-level` - The log level of the messages to show. By default this
is "info". This log level can be more verbose than what the agent is
configured to run at. Available log levels are "trace", "debug", "info",
"warn", and "err".
"warn", and "error".
- `-log-json` - Toggles whether the messages are streamed in JSON format.
By default this is false.

2
website/content/commands/snapshot/agent.mdx
View File

@ -229,7 +229,7 @@ if desired.
provided, this will be disabled. Defaults to "72h".
- `-log-level` - Controls verbosity of snapshot agent logs. Valid options are
"TRACE", "DEBUG", "INFO", "WARN", "ERR". Defaults to "INFO".
"trace", "debug", "info", "warn", "error". Defaults to "info".
- `-service` - The service name to used when registering the agent with Consul.
Registering helps monitor running agents and the leader registers an additional

2
website/content/docs/agent/config/cli-flags.mdx
View File

@ -468,7 +468,7 @@ information.
- `-log-level` ((#\_log_level)) - The level of logging to show after the
Consul agent has started. This defaults to "info". The available log levels are
"trace", "debug", "info", "warn", and "err". You can always connect to an agent
"trace", "debug", "info", "warn", and "error". You can always connect to an agent
via [`consul monitor`](/commands/monitor) and use any log level. Also,
the log level can be changed during a config reload.

4
website/content/docs/lambda/index.mdx
View File

@ -26,8 +26,8 @@ also be manually registered into Consul when using Lambda registrator is not pos
See the [Registration page](/docs/lambda/registration) for more information
about registring Lambda functions into Consul.
### Invoking Lambda Functions
### Invoking Lambda Functions from Consul Service Mesh
Lambda functions can be invoked by any mesh service directly from connect proxies or
through terminating gateways. The [Invocation page](/docs/lambda/invocation)
explains how to invoke Lambda functions from Consul connect services.
explains how to invoke Lambda functions from Consul service mesh services.