[NET-9098] Narrow scope of peering config on terminating gw filter chain to TCP services (#21054)

Nathan Coleman 2024-05-06 16:21:09 -04:00 committed by GitHub
parent 86b0818c1f
commit b5b3a63183
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 14 additions and 10 deletions


@ -1759,14 +1759,8 @@ type terminatingGatewayFilterChainOpts struct {
} }
func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.ConfigSnapshot, tgtwyOpts terminatingGatewayFilterChainOpts) (*envoy_listener_v3.FilterChain, error) { func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.ConfigSnapshot, tgtwyOpts terminatingGatewayFilterChainOpts) (*envoy_listener_v3.FilterChain, error) {
// We need to at least match the SNI and use the root PEMs from the local cluster; however, requests coming // We need to at least match the SNI and use the root PEMs from the local cluster
// from peered clusters where the external service is exported to will have their own SNI and root PEMs.
sniMatches := []string{tgtwyOpts.cluster} sniMatches := []string{tgtwyOpts.cluster}
for _, bundle := range tgtwyOpts.peerTrustBundles {
svc := tgtwyOpts.service
sourceSNI := connect.PeeredServiceSNI(svc.Name, svc.NamespaceOrDefault(), svc.PartitionOrDefault(), bundle.PeerName, cfgSnap.Roots.TrustDomain)
sniMatches = append(sniMatches, sourceSNI)
}
tlsContext := &envoy_tls_v3.DownstreamTlsContext{ tlsContext := &envoy_tls_v3.DownstreamTlsContext{
CommonTlsContext: makeCommonTLSContext( CommonTlsContext: makeCommonTLSContext(
@ -1777,9 +1771,19 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.
RequireClientCertificate: &wrapperspb.BoolValue{Value: true}, RequireClientCertificate: &wrapperspb.BoolValue{Value: true},
} }
err := injectSpiffeValidatorConfigForPeers(cfgSnap, tlsContext.CommonTlsContext, tgtwyOpts.peerTrustBundles) // For TCP connections, TLS is not terminated at the mesh gateway but is instead proxied through;
if err != nil { // therefore, we need to account for callers from other datacenters when setting up our filter chain.
return nil, err if tgtwyOpts.protocol == "tcp" {
for _, bundle := range tgtwyOpts.peerTrustBundles {
svc := tgtwyOpts.service
sourceSNI := connect.PeeredServiceSNI(svc.Name, svc.NamespaceOrDefault(), svc.PartitionOrDefault(), bundle.PeerName, cfgSnap.Roots.TrustDomain)
sniMatches = append(sniMatches, sourceSNI)
}
err := injectSpiffeValidatorConfigForPeers(cfgSnap, tlsContext.CommonTlsContext, tgtwyOpts.peerTrustBundles)
if err != nil {
return nil, err
}
} }
transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext) transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext)
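Review bot: The new guard `if tgtwyOpts.protocol == "tcp"` is an exact, case-sensitive match on a raw string, so an empty or differently-cased protocol value would silently skip both the peer SNI matches and `injectSpiffeValidatorConfigForPeers`; whether the caller normalizes and defaults the field is not visible on this page. That direction fails closed (peered callers are rejected rather than over-trusted), but it is worth stating above the guard, e.g. `// protocol must already be normalized and defaulted by the caller; any other value gets only the local SNI and local roots.` The added comment also says "callers from other datacenters" while the loop iterates `peerTrustBundles`, so "callers from peered clusters" would match the code and the comment this commit removes. The diffstat shows a single changed file, so a test asserting that a non-TCP chain carries no peer SNI or peer validator config appears to be missing from this commit. The function body starts and ends outside the hunk.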