[NET-9098] Narrow scope of peering config on terminating gw filter chain to TCP services (#21054)

This commit is contained in:
Nathan Coleman 2024-05-06 16:21:09 -04:00 committed by GitHub
parent 86b0818c1f
commit b5b3a63183
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 14 additions and 10 deletions

View File

@ -1759,14 +1759,8 @@ type terminatingGatewayFilterChainOpts struct {
}
func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.ConfigSnapshot, tgtwyOpts terminatingGatewayFilterChainOpts) (*envoy_listener_v3.FilterChain, error) {
// We need to at least match the SNI and use the root PEMs from the local cluster; however, requests coming
// from peered clusters where the external service is exported to will have their own SNI and root PEMs.
// We need to at least match the SNI and use the root PEMs from the local cluster
sniMatches := []string{tgtwyOpts.cluster}
for _, bundle := range tgtwyOpts.peerTrustBundles {
svc := tgtwyOpts.service
sourceSNI := connect.PeeredServiceSNI(svc.Name, svc.NamespaceOrDefault(), svc.PartitionOrDefault(), bundle.PeerName, cfgSnap.Roots.TrustDomain)
sniMatches = append(sniMatches, sourceSNI)
}
tlsContext := &envoy_tls_v3.DownstreamTlsContext{
CommonTlsContext: makeCommonTLSContext(
@ -1777,10 +1771,20 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.
RequireClientCertificate: &wrapperspb.BoolValue{Value: true},
}
// For TCP connections, TLS is not terminated at the mesh gateway but is instead proxied through;
// therefore, we need to account for callers from other datacenters when setting up our filter chain.
if tgtwyOpts.protocol == "tcp" {
for _, bundle := range tgtwyOpts.peerTrustBundles {
svc := tgtwyOpts.service
sourceSNI := connect.PeeredServiceSNI(svc.Name, svc.NamespaceOrDefault(), svc.PartitionOrDefault(), bundle.PeerName, cfgSnap.Roots.TrustDomain)
sniMatches = append(sniMatches, sourceSNI)
}
err := injectSpiffeValidatorConfigForPeers(cfgSnap, tlsContext.CommonTlsContext, tgtwyOpts.peerTrustBundles)
if err != nil {
return nil, err
}
}
transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext)
if err != nil {