status-im/consul
2
0
Fork 0
mirror of https://github.com/status-im/consul.git synced 2025-01-22 19:50:36 +00:00
Code Issues Projects Releases Wiki Activity

peering: always send the mesh gateway SpiffeID even for tcp services (#13728)

Browse Source 
If someone were to switch a peer-exported service from L4 to L7 there
would be a brief SAN validation hiccup as traffic shifted to the mesh
gateway for termination.

This PR sends the mesh gateway SpiffeID down all the time so the clients
always expect a switch.
This commit is contained in:
R.B. Boyer 2022-07-12 11:38:13 -05:00 committed by GitHub
parent f0e6e4e697
commit c5c216008d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
agent/grpc/public/services/peerstream/stream_test.go
View File

@ -720,6 +720,7 @@ func TestStreamResources_Server_ServiceUpdates(t *testing.T) {
require.Equal(t, "tcp", pm.Protocol) require.Equal(t, "tcp", pm.Protocol)
spiffeIDs := []string{ spiffeIDs := []string{
"spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql", "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql",
"spiffe://11111111-2222-3333-4444-555555555555.consul/gateway/mesh/dc/dc1",
} }
require.Equal(t, spiffeIDs, pm.SpiffeID) require.Equal(t, spiffeIDs, pm.SpiffeID)
}, },

19
agent/grpc/public/services/peerstream/subscription_manager.go
View File

@ -558,6 +558,12 @@ func createDiscoChainHealth(
trustDomain, trustDomain,
) )
gwSpiffeID := connect.SpiffeIDMeshGateway{
Host: trustDomain,
Partition: sn.PartitionOrDefault(),
Datacenter: datacenter,
}
// Create common peer meta. // Create common peer meta.
// //
// TODO(peering): should this be replicated by service and not by instance? // TODO(peering): should this be replicated by service and not by instance?
@ -565,19 +571,14 @@ func createDiscoChainHealth(
SNI: []string{sni}, SNI: []string{sni},
SpiffeID: []string{ SpiffeID: []string{
mainSpiffeIDString, mainSpiffeIDString,
// Always include the gateway id here to facilitate error-free
// L4/L7 upgrade/downgrade scenarios.
gwSpiffeID.URI().String(),
}, },
Protocol: info.Protocol, Protocol: info.Protocol,
} }
if structs.IsProtocolHTTPLike(info.Protocol) { if !structs.IsProtocolHTTPLike(info.Protocol) {
gwSpiffeID := connect.SpiffeIDMeshGateway{
Host: trustDomain,
Partition: sn.PartitionOrDefault(),
Datacenter: datacenter,
}
peerMeta.SpiffeID = append(peerMeta.SpiffeID, gwSpiffeID.URI().String())
} else {
for _, target := range info.TCPTargets { for _, target := range info.TCPTargets {
targetSpiffeID := connect.SpiffeIDService{ targetSpiffeID := connect.SpiffeIDService{
Host: trustDomain, Host: trustDomain,

2
agent/grpc/public/services/peerstream/subscription_manager_test.go
View File

@ -275,6 +275,7 @@ func TestSubscriptionManager_RegisterDeregister(t *testing.T) {
}, },
SpiffeID: []string{ SpiffeID: []string{
"spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql", "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql",
"spiffe://11111111-2222-3333-4444-555555555555.consul/gateway/mesh/dc/dc1",
"spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/failover", "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/failover",
}, },
Protocol: "tcp", Protocol: "tcp",
@ -335,6 +336,7 @@ func TestSubscriptionManager_RegisterDeregister(t *testing.T) {
}, },
SpiffeID: []string{ SpiffeID: []string{
"spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql", "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql",
"spiffe://11111111-2222-3333-4444-555555555555.consul/gateway/mesh/dc/dc1",
}, },
Protocol: "tcp", Protocol: "tcp",
}, },