xds: have mesh gateways forward peered SpiffeIDs using the XFCC header (#13625)

2022-06-28 15:32:42 -05:00 · 2022-06-28 15:32:42 -05:00 · de0f9ac519
parent 1a9c86ea8f
commit de0f9ac519
4 changed files with 65 additions and 19 deletions
--- a/agent/xds/listeners.go
+++ b/agent/xds/listeners.go
@ -1538,12 +1538,14 @@ func (s *ResourceGenerator) makeMeshGatewayPeerFilterChain(
 	filterName := fmt.Sprintf("%s.%s.%s.%s", chain.ServiceName, chain.Namespace, chain.Partition, chain.Datacenter)

 	filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{
-		routeName:   uid.EnvoyID(),
-		clusterName: clusterName,
-		filterName:  filterName,
-		protocol:    chain.Protocol,
-		useRDS:      useRDS,
-		statPrefix:  "mesh_gateway_local_peered.",
+		routeName:            uid.EnvoyID(),
+		clusterName:          clusterName,
+		filterName:           filterName,
+		protocol:             chain.Protocol,
+		useRDS:               useRDS,
+		statPrefix:           "mesh_gateway_local_peered.",
+		forwardClientDetails: true,
+		forwardClientPolicy:  envoy_http_v3.HttpConnectionManager_SANITIZE_SET,
 	})
 	if err != nil {
 		return nil, err
@ -1584,13 +1586,15 @@ func (s *ResourceGenerator) makeMeshGatewayPeerFilterChain(
 }

 type filterChainOpts struct {
-	routeName   string
-	clusterName string
-	filterName  string
-	protocol    string
-	useRDS      bool
-	tlsContext  *envoy_tls_v3.DownstreamTlsContext
-	statPrefix  string
+	routeName            string
+	clusterName          string
+	filterName           string
+	protocol             string
+	useRDS               bool
+	tlsContext           *envoy_tls_v3.DownstreamTlsContext
+	statPrefix           string
+	forwardClientDetails bool
+	forwardClientPolicy  envoy_http_v3.HttpConnectionManager_ForwardClientCertDetails
 }

 func (s *ResourceGenerator) makeUpstreamFilterChain(opts filterChainOpts) (*envoy_listener_v3.FilterChain, error) {
@ -1598,12 +1602,14 @@ func (s *ResourceGenerator) makeUpstreamFilterChain(opts filterChainOpts) (*envo
 		opts.statPrefix = "upstream."
 	}
 	filter, err := makeListenerFilter(listenerFilterOpts{
-		useRDS:     opts.useRDS,
-		protocol:   opts.protocol,
-		filterName: opts.filterName,
-		routeName:  opts.routeName,
-		cluster:    opts.clusterName,
-		statPrefix: opts.statPrefix,
+		useRDS:               opts.useRDS,
+		protocol:             opts.protocol,
+		filterName:           opts.filterName,
+		routeName:            opts.routeName,
+		cluster:              opts.clusterName,
+		statPrefix:           opts.statPrefix,
+		forwardClientDetails: opts.forwardClientDetails,
+		forwardClientPolicy:  opts.forwardClientPolicy,
 	})
 	if err != nil {
 		return nil, err
--- a/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-router.latest.golden
+++ b/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-router.latest.golden
@ -44,6 +44,14 @@
                  "randomSampling": {

                  }
+                },
+                "forwardClientCertDetails": "SANITIZE_SET",
+                "setCurrentClientCertDetails": {
+                  "subject": true,
+                  "cert": true,
+                  "chain": true,
+                  "dns": true,
+                  "uri": true
                }
              }
            }
--- a/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden
+++ b/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden
@ -44,6 +44,14 @@
                  "randomSampling": {

                  }
+                },
+                "forwardClientCertDetails": "SANITIZE_SET",
+                "setCurrentClientCertDetails": {
+                  "subject": true,
+                  "cert": true,
+                  "chain": true,
+                  "dns": true,
+                  "uri": true
                }
              }
            }
--- a/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http.latest.golden
+++ b/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http.latest.golden
@ -44,6 +44,14 @@
                  "randomSampling": {

                  }
+                },
+                "forwardClientCertDetails": "SANITIZE_SET",
+                "setCurrentClientCertDetails": {
+                  "subject": true,
+                  "cert": true,
+                  "chain": true,
+                  "dns": true,
+                  "uri": true
                }
              }
            }
@ -126,6 +134,14 @@
                  "randomSampling": {

                  }
+                },
+                "forwardClientCertDetails": "SANITIZE_SET",
+                "setCurrentClientCertDetails": {
+                  "subject": true,
+                  "cert": true,
+                  "chain": true,
+                  "dns": true,
+                  "uri": true
                }
              }
            }
@ -208,6 +224,14 @@
                  "randomSampling": {

                  }
+                },
+                "forwardClientCertDetails": "SANITIZE_SET",
+                "setCurrentClientCertDetails": {
+                  "subject": true,
+                  "cert": true,
+                  "chain": true,
+                  "dns": true,
+                  "uri": true
                }
              }
            }