Add authz filter when creating filterchain

This commit is contained in:
freddygv 2020-04-24 14:24:00 -06:00
parent 034d7d83d4
commit d1e6d668c2
1 changed files with 15 additions and 15 deletions

View File

@ -367,7 +367,7 @@ func makeListenerFromUserConfig(configJSON string) (*envoy.Listener, error) {
// specify custom listener params in config but still get our certs delivered
// dynamically and intentions enforced without coming up with some complicated
// templating/merging solution.
func injectConnectFilters(cfgSnap *proxycfg.ConfigSnapshot, token string, listener *envoy.Listener, setTLS bool) error {
func injectConnectFilters(cfgSnap *proxycfg.ConfigSnapshot, token string, listener *envoy.Listener) error {
authFilter, err := makeExtAuthFilter(token)
if err != nil {
return err
@ -377,11 +377,9 @@ func injectConnectFilters(cfgSnap *proxycfg.ConfigSnapshot, token string, listen
listener.FilterChains[idx].Filters =
append([]envoylistener.Filter{authFilter}, listener.FilterChains[idx].Filters...)
if setTLS {
listener.FilterChains[idx].TlsContext = &envoyauth.DownstreamTlsContext{
CommonTlsContext: makeCommonTLSContext(cfgSnap, cfgSnap.Leaf()),
RequireClientCertificate: &types.BoolValue{Value: true},
}
listener.FilterChains[idx].TlsContext = &envoyauth.DownstreamTlsContext{
CommonTlsContext: makeCommonTLSContext(cfgSnap, cfgSnap.Leaf()),
RequireClientCertificate: &types.BoolValue{Value: true},
}
}
return nil
@ -441,7 +439,7 @@ func (s *Server) makePublicListener(cfgSnap *proxycfg.ConfigSnapshot, token stri
}
}
err = injectConnectFilters(cfgSnap, token, l, true)
err = injectConnectFilters(cfgSnap, token, l)
return l, err
}
@ -580,7 +578,7 @@ func (s *Server) makeTerminatingGatewayListener(name, addr string, port int, cfg
continue
}
clusterChain, err := s.sniFilterChainTerminatingGateway(name, clusterName, svc, cfgSnap)
clusterChain, err := s.sniFilterChainTerminatingGateway(name, clusterName, token, svc, cfgSnap)
if err != nil {
return nil, fmt.Errorf("failed to make filter chain for cluster %q: %v", clusterName, err)
}
@ -592,7 +590,7 @@ func (s *Server) makeTerminatingGatewayListener(name, addr string, port int, cfg
for subsetName := range resolver.Subsets {
clusterName := connect.ServiceSNI(svc.ID, subsetName, svc.NamespaceOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain)
clusterChain, err := s.sniFilterChainTerminatingGateway(name, clusterName, svc, cfgSnap)
clusterChain, err := s.sniFilterChainTerminatingGateway(name, clusterName, token, svc, cfgSnap)
if err != nil {
return nil, fmt.Errorf("failed to make filter chain for cluster %q: %v", clusterName, err)
}
@ -601,11 +599,6 @@ func (s *Server) makeTerminatingGatewayListener(name, addr string, port int, cfg
}
}
err = injectConnectFilters(cfgSnap, token, l, false)
if err != nil {
return nil, fmt.Errorf("failed to inject authz filer: %v", err)
}
// This fallback catch-all filter ensures a listener will be present for health checks to pass
// Envoy will reset these connections since known endpoints are caught by filter chain matches above
tcpProxy, err := makeTCPProxyFilter(name, "", "terminating_gateway_")
@ -623,7 +616,13 @@ func (s *Server) makeTerminatingGatewayListener(name, addr string, port int, cfg
return l, nil
}
func (s *Server) sniFilterChainTerminatingGateway(listener, cluster string, service structs.ServiceID, cfgSnap *proxycfg.ConfigSnapshot) (envoylistener.FilterChain, error) {
func (s *Server) sniFilterChainTerminatingGateway(listener, cluster, token string, service structs.ServiceID,
cfgSnap *proxycfg.ConfigSnapshot) (envoylistener.FilterChain, error) {
authFilter, err := makeExtAuthFilter(token)
if err != nil {
return envoylistener.FilterChain{}, err
}
sniCluster, err := makeSNIClusterFilter()
if err != nil {
return envoylistener.FilterChain{}, err
@ -638,6 +637,7 @@ func (s *Server) sniFilterChainTerminatingGateway(listener, cluster string, serv
return envoylistener.FilterChain{
FilterChainMatch: makeSNIFilterChainMatch(cluster),
Filters: []envoylistener.Filter{
authFilter,
sniCluster,
tcpProxy,
},