status-im
/
consul
mirror of https://github.com/status-im/consul.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

xds: have mesh gateways forward peered SpiffeIDs using the XFCC header (#13625)

This commit is contained in:
R.B. Boyer 2022-06-28 15:32:42 -05:00 committed by GitHub
parent 1a9c86ea8f
commit de0f9ac519
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 65 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
agent/xds/listeners.go
View File

@ -1544,6 +1544,8 @@ func (s *ResourceGenerator) makeMeshGatewayPeerFilterChain(
protocol: chain.Protocol, protocol: chain.Protocol,
useRDS: useRDS, useRDS: useRDS,
statPrefix: "mesh_gateway_local_peered.", statPrefix: "mesh_gateway_local_peered.",
forwardClientDetails: true,
forwardClientPolicy: envoy_http_v3.HttpConnectionManager_SANITIZE_SET,
}) })
if err != nil { if err != nil {
return nil, err return nil, err
@ -1591,6 +1593,8 @@ type filterChainOpts struct {
useRDS bool useRDS bool
tlsContext *envoy_tls_v3.DownstreamTlsContext tlsContext *envoy_tls_v3.DownstreamTlsContext
statPrefix string statPrefix string
forwardClientDetails bool
forwardClientPolicy envoy_http_v3.HttpConnectionManager_ForwardClientCertDetails
} }
func (s *ResourceGenerator) makeUpstreamFilterChain(opts filterChainOpts) (*envoy_listener_v3.FilterChain, error) { func (s *ResourceGenerator) makeUpstreamFilterChain(opts filterChainOpts) (*envoy_listener_v3.FilterChain, error) {
@ -1604,6 +1608,8 @@ func (s *ResourceGenerator) makeUpstreamFilterChain(opts filterChainOpts) (*envo
routeName: opts.routeName, routeName: opts.routeName,
cluster: opts.clusterName, cluster: opts.clusterName,
statPrefix: opts.statPrefix, statPrefix: opts.statPrefix,
forwardClientDetails: opts.forwardClientDetails,
forwardClientPolicy: opts.forwardClientPolicy,
}) })
if err != nil { if err != nil {
return nil, err return nil, err

8
agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-router.latest.golden vendored
View File

@ -44,6 +44,14 @@
"randomSampling": { "randomSampling": {
} }
},
"forwardClientCertDetails": "SANITIZE_SET",
"setCurrentClientCertDetails": {
"subject": true,
"cert": true,
"chain": true,
"dns": true,
"uri": true
} }
} }
} }

8
agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden vendored
View File

@ -44,6 +44,14 @@
"randomSampling": { "randomSampling": {
} }
},
"forwardClientCertDetails": "SANITIZE_SET",
"setCurrentClientCertDetails": {
"subject": true,
"cert": true,
"chain": true,
"dns": true,
"uri": true
} }
} }
} }

24
agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http.latest.golden vendored
View File

@ -44,6 +44,14 @@
"randomSampling": { "randomSampling": {
} }
},
"forwardClientCertDetails": "SANITIZE_SET",
"setCurrentClientCertDetails": {
"subject": true,
"cert": true,
"chain": true,
"dns": true,
"uri": true
} }
} }
} }
@ -126,6 +134,14 @@
"randomSampling": { "randomSampling": {
} }
},
"forwardClientCertDetails": "SANITIZE_SET",
"setCurrentClientCertDetails": {
"subject": true,
"cert": true,
"chain": true,
"dns": true,
"uri": true
} }
} }
} }
@ -208,6 +224,14 @@
"randomSampling": { "randomSampling": {
} }
},
"forwardClientCertDetails": "SANITIZE_SET",
"setCurrentClientCertDetails": {
"subject": true,
"cert": true,
"chain": true,
"dns": true,
"uri": true
} }
} }
} }