mirror of https://github.com/status-im/consul.git
Remove intermediate representation of SPIFFE IDs
xDS only ever uses the string representation, so we can avoid passing around connect.SpiffeIDService objects around.
This commit is contained in:
parent
870e7c72d7
commit
c8edec0ab6
|
@ -180,7 +180,6 @@ func makePassthroughClusters(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message,
|
||||||
}
|
}
|
||||||
|
|
||||||
for targetID := range targetMap {
|
for targetID := range targetMap {
|
||||||
|
|
||||||
uid := proxycfg.NewUpstreamIDFromTargetID(targetID)
|
uid := proxycfg.NewUpstreamIDFromTargetID(targetID)
|
||||||
|
|
||||||
sni := connect.ServiceSNI(
|
sni := connect.ServiceSNI(
|
||||||
|
@ -216,7 +215,7 @@ func makePassthroughClusters(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message,
|
||||||
cfgSnap.Leaf(),
|
cfgSnap.Leaf(),
|
||||||
makeTLSParametersFromProxyTLSConfig(cfgSnap.MeshConfigTLSOutgoing()),
|
makeTLSParametersFromProxyTLSConfig(cfgSnap.MeshConfigTLSOutgoing()),
|
||||||
)
|
)
|
||||||
err := injectSANMatcher(commonTLSContext, spiffeID)
|
err := injectSANMatcher(commonTLSContext, spiffeID.URI().String())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to inject SAN matcher rules for cluster %q: %v", sni, err)
|
return nil, fmt.Errorf("failed to inject SAN matcher rules for cluster %q: %v", sni, err)
|
||||||
}
|
}
|
||||||
|
@ -399,7 +398,7 @@ func (s *ResourceGenerator) injectGatewayServiceAddons(cfgSnap *proxycfg.ConfigS
|
||||||
}
|
}
|
||||||
if mapping.SNI != "" {
|
if mapping.SNI != "" {
|
||||||
tlsContext.Sni = mapping.SNI
|
tlsContext.Sni = mapping.SNI
|
||||||
if err := injectRawSANMatcher(tlsContext.CommonTlsContext, []string{mapping.SNI}); err != nil {
|
if err := injectSANMatcher(tlsContext.CommonTlsContext, mapping.SNI); err != nil {
|
||||||
return fmt.Errorf("failed to inject SNI matcher into TLS context: %v", err)
|
return fmt.Errorf("failed to inject SNI matcher into TLS context: %v", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -574,7 +573,7 @@ func (s *ResourceGenerator) makeUpstreamClusterForPreparedQuery(upstream structs
|
||||||
|
|
||||||
endpoints := cfgSnap.ConnectProxy.PreparedQueryEndpoints[uid]
|
endpoints := cfgSnap.ConnectProxy.PreparedQueryEndpoints[uid]
|
||||||
var (
|
var (
|
||||||
spiffeIDs = make([]connect.SpiffeIDService, 0)
|
spiffeIDs = make([]string, 0)
|
||||||
seen = make(map[string]struct{})
|
seen = make(map[string]struct{})
|
||||||
)
|
)
|
||||||
for _, e := range endpoints {
|
for _, e := range endpoints {
|
||||||
|
@ -588,13 +587,14 @@ func (s *ResourceGenerator) makeUpstreamClusterForPreparedQuery(upstream structs
|
||||||
if e.Service.Connect.Native {
|
if e.Service.Connect.Native {
|
||||||
name = e.Service.Service
|
name = e.Service.Service
|
||||||
}
|
}
|
||||||
|
|
||||||
spiffeIDs = append(spiffeIDs, connect.SpiffeIDService{
|
spiffeIDs = append(spiffeIDs, connect.SpiffeIDService{
|
||||||
Host: cfgSnap.Roots.TrustDomain,
|
Host: cfgSnap.Roots.TrustDomain,
|
||||||
Namespace: e.Service.NamespaceOrDefault(),
|
Namespace: e.Service.NamespaceOrDefault(),
|
||||||
Partition: e.Service.PartitionOrDefault(),
|
Partition: e.Service.PartitionOrDefault(),
|
||||||
Datacenter: e.Node.Datacenter,
|
Datacenter: e.Node.Datacenter,
|
||||||
Service: name,
|
Service: name,
|
||||||
})
|
}.URI().String())
|
||||||
}
|
}
|
||||||
|
|
||||||
// Enable TLS upstream with the configured client certificate.
|
// Enable TLS upstream with the configured client certificate.
|
||||||
|
@ -683,7 +683,7 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
|
||||||
Partition: target.Partition,
|
Partition: target.Partition,
|
||||||
Datacenter: target.Datacenter,
|
Datacenter: target.Datacenter,
|
||||||
Service: target.Service,
|
Service: target.Service,
|
||||||
}
|
}.URI().String()
|
||||||
|
|
||||||
if failoverThroughMeshGateway {
|
if failoverThroughMeshGateway {
|
||||||
actualTargetID := firstHealthyTarget(
|
actualTargetID := firstHealthyTarget(
|
||||||
|
@ -699,9 +699,9 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
spiffeIDs := []connect.SpiffeIDService{targetSpiffeID}
|
spiffeIDs := []string{targetSpiffeID}
|
||||||
seenIDs := map[string]struct{}{
|
seenIDs := map[string]struct{}{
|
||||||
targetSpiffeID.URI().String(): {},
|
targetSpiffeID: {},
|
||||||
}
|
}
|
||||||
|
|
||||||
if failover != nil {
|
if failover != nil {
|
||||||
|
@ -719,19 +719,19 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
|
||||||
Partition: target.Partition,
|
Partition: target.Partition,
|
||||||
Datacenter: target.Datacenter,
|
Datacenter: target.Datacenter,
|
||||||
Service: target.Service,
|
Service: target.Service,
|
||||||
}
|
}.URI().String()
|
||||||
|
|
||||||
// Failover targets might be subsets of the same service, so these are deduplicated.
|
// Failover targets might be subsets of the same service, so these are deduplicated.
|
||||||
if _, ok := seenIDs[id.URI().String()]; ok {
|
if _, ok := seenIDs[id]; ok {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
seenIDs[id.URI().String()] = struct{}{}
|
seenIDs[id] = struct{}{}
|
||||||
|
|
||||||
spiffeIDs = append(spiffeIDs, id)
|
spiffeIDs = append(spiffeIDs, id)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
sort.Slice(spiffeIDs, func(i, j int) bool {
|
sort.Slice(spiffeIDs, func(i, j int) bool {
|
||||||
return spiffeIDs[i].URI().String() < spiffeIDs[j].URI().String()
|
return spiffeIDs[i] < spiffeIDs[j]
|
||||||
})
|
})
|
||||||
|
|
||||||
s.Logger.Debug("generating cluster for", "cluster", clusterName)
|
s.Logger.Debug("generating cluster for", "cluster", clusterName)
|
||||||
|
@ -823,16 +823,7 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
|
||||||
}
|
}
|
||||||
|
|
||||||
// injectSANMatcher updates a TLS context so that it verifies the upstream SAN.
|
// injectSANMatcher updates a TLS context so that it verifies the upstream SAN.
|
||||||
func injectSANMatcher(tlsContext *envoy_tls_v3.CommonTlsContext, spiffeIDs ...connect.SpiffeIDService) error {
|
func injectSANMatcher(tlsContext *envoy_tls_v3.CommonTlsContext, matchStrings ...string) error {
|
||||||
var matchStrings []string
|
|
||||||
for _, id := range spiffeIDs {
|
|
||||||
matchStrings = append(matchStrings, id.URI().String())
|
|
||||||
}
|
|
||||||
|
|
||||||
return injectRawSANMatcher(tlsContext, matchStrings)
|
|
||||||
}
|
|
||||||
|
|
||||||
func injectRawSANMatcher(tlsContext *envoy_tls_v3.CommonTlsContext, matchStrings []string) error {
|
|
||||||
validationCtx, ok := tlsContext.ValidationContextType.(*envoy_tls_v3.CommonTlsContext_ValidationContext)
|
validationCtx, ok := tlsContext.ValidationContextType.(*envoy_tls_v3.CommonTlsContext_ValidationContext)
|
||||||
if !ok {
|
if !ok {
|
||||||
return fmt.Errorf("invalid type: expected CommonTlsContext_ValidationContext, got %T",
|
return fmt.Errorf("invalid type: expected CommonTlsContext_ValidationContext, got %T",
|
||||||
|
|
|
@ -234,9 +234,9 @@ func xdsNewUpstreamTransportSocket(
|
||||||
t *testing.T,
|
t *testing.T,
|
||||||
snap *proxycfg.ConfigSnapshot,
|
snap *proxycfg.ConfigSnapshot,
|
||||||
sni string,
|
sni string,
|
||||||
uri ...connect.SpiffeIDService,
|
spiffeID ...string,
|
||||||
) *envoy_core_v3.TransportSocket {
|
) *envoy_core_v3.TransportSocket {
|
||||||
return xdsNewTransportSocket(t, snap, false, false, sni, uri...)
|
return xdsNewTransportSocket(t, snap, false, false, sni, spiffeID...)
|
||||||
}
|
}
|
||||||
|
|
||||||
func xdsNewTransportSocket(
|
func xdsNewTransportSocket(
|
||||||
|
@ -245,7 +245,7 @@ func xdsNewTransportSocket(
|
||||||
downstream bool,
|
downstream bool,
|
||||||
requireClientCert bool,
|
requireClientCert bool,
|
||||||
sni string,
|
sni string,
|
||||||
uri ...connect.SpiffeIDService,
|
spiffeID ...string,
|
||||||
) *envoy_core_v3.TransportSocket {
|
) *envoy_core_v3.TransportSocket {
|
||||||
// Assume just one root for now, can get fancier later if needed.
|
// Assume just one root for now, can get fancier later if needed.
|
||||||
caPEM := snap.Roots.Roots[0].RootCert
|
caPEM := snap.Roots.Roots[0].RootCert
|
||||||
|
@ -262,8 +262,8 @@ func xdsNewTransportSocket(
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
if len(uri) > 0 {
|
if len(spiffeID) > 0 {
|
||||||
require.NoError(t, injectSANMatcher(commonTLSContext, uri...))
|
require.NoError(t, injectSANMatcher(commonTLSContext, spiffeID...))
|
||||||
}
|
}
|
||||||
|
|
||||||
var tlsContext proto.Message
|
var tlsContext proto.Message
|
||||||
|
@ -365,22 +365,22 @@ func makeTestCluster(t *testing.T, snap *proxycfg.ConfigSnapshot, fixtureName st
|
||||||
Namespace: "default",
|
Namespace: "default",
|
||||||
Datacenter: "dc1",
|
Datacenter: "dc1",
|
||||||
Service: "db",
|
Service: "db",
|
||||||
}
|
}.URI().String()
|
||||||
|
|
||||||
geocacheSNI = "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
|
geocacheSNI = "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
|
||||||
geocacheURIs = []connect.SpiffeIDService{
|
geocacheURIs = []string{
|
||||||
{
|
connect.SpiffeIDService{
|
||||||
Host: "11111111-2222-3333-4444-555555555555.consul",
|
Host: "11111111-2222-3333-4444-555555555555.consul",
|
||||||
Namespace: "default",
|
Namespace: "default",
|
||||||
Datacenter: "dc1",
|
Datacenter: "dc1",
|
||||||
Service: "geo-cache-target",
|
Service: "geo-cache-target",
|
||||||
},
|
}.URI().String(),
|
||||||
{
|
connect.SpiffeIDService{
|
||||||
Host: "11111111-2222-3333-4444-555555555555.consul",
|
Host: "11111111-2222-3333-4444-555555555555.consul",
|
||||||
Namespace: "default",
|
Namespace: "default",
|
||||||
Datacenter: "dc2",
|
Datacenter: "dc2",
|
||||||
Service: "geo-cache-target",
|
Service: "geo-cache-target",
|
||||||
},
|
}.URI().String(),
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue