Pass trust domain to RBAC to validate and fix use of wrong peer trust bundles (#13508)
parent
d870928197
commit
fb5eb20563
|
@ -22,8 +22,8 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
|
|||
snap.ConnectProxy.WatchedDiscoveryChains = make(map[UpstreamID]context.CancelFunc)
|
||||
snap.ConnectProxy.WatchedUpstreams = make(map[UpstreamID]map[string]context.CancelFunc)
|
||||
snap.ConnectProxy.WatchedUpstreamEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes)
|
||||
snap.ConnectProxy.WatchedPeerTrustBundles = make(map[string]context.CancelFunc)
|
||||
snap.ConnectProxy.PeerTrustBundles = make(map[string]*pbpeering.PeeringTrustBundle)
|
||||
snap.ConnectProxy.WatchedUpstreamPeerTrustBundles = make(map[string]context.CancelFunc)
|
||||
snap.ConnectProxy.UpstreamPeerTrustBundles = make(map[string]*pbpeering.PeeringTrustBundle)
|
||||
snap.ConnectProxy.WatchedGateways = make(map[UpstreamID]map[string]context.CancelFunc)
|
||||
snap.ConnectProxy.WatchedGatewayEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes)
|
||||
snap.ConnectProxy.WatchedServiceChecks = make(map[structs.ServiceID][]structs.CheckType)
|
||||
|
@ -212,7 +212,7 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
|
|||
}
|
||||
|
||||
// Check whether a watch for this peer exists to avoid duplicates.
|
||||
if _, ok := snap.ConnectProxy.WatchedPeerTrustBundles[uid.Peer]; !ok {
|
||||
if _, ok := snap.ConnectProxy.WatchedUpstreamPeerTrustBundles[uid.Peer]; !ok {
|
||||
peerCtx, cancel := context.WithCancel(ctx)
|
||||
if err := s.dataSources.TrustBundle.Notify(peerCtx, &pbpeering.TrustBundleReadRequest{
|
||||
Name: uid.Peer,
|
||||
|
@ -222,7 +222,7 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
|
|||
return snap, fmt.Errorf("error while watching trust bundle for peer %q: %w", uid.Peer, err)
|
||||
}
|
||||
|
||||
snap.ConnectProxy.WatchedPeerTrustBundles[uid.Peer] = cancel
|
||||
snap.ConnectProxy.WatchedUpstreamPeerTrustBundles[uid.Peer] = cancel
|
||||
}
|
||||
continue
|
||||
}
|
||||
|
@ -270,7 +270,7 @@ func (s *handlerConnectProxy) handleUpdate(ctx context.Context, u UpdateEvent, s
|
|||
}
|
||||
peer := strings.TrimPrefix(u.CorrelationID, peerTrustBundleIDPrefix)
|
||||
if resp.Bundle != nil {
|
||||
snap.ConnectProxy.PeerTrustBundles[peer] = resp.Bundle
|
||||
snap.ConnectProxy.UpstreamPeerTrustBundles[peer] = resp.Bundle
|
||||
}
|
||||
|
||||
case u.CorrelationID == peeringTrustBundlesWatchID:
|
||||
|
@ -279,9 +279,9 @@ func (s *handlerConnectProxy) handleUpdate(ctx context.Context, u UpdateEvent, s
|
|||
return fmt.Errorf("invalid type for response: %T", u.Result)
|
||||
}
|
||||
if len(resp.Bundles) > 0 {
|
||||
snap.ConnectProxy.PeeringTrustBundles = resp.Bundles
|
||||
snap.ConnectProxy.InboundPeerTrustBundles = resp.Bundles
|
||||
}
|
||||
snap.ConnectProxy.PeeringTrustBundlesSet = true
|
||||
snap.ConnectProxy.InboundPeerTrustBundlesSet = true
|
||||
|
||||
case u.CorrelationID == intentionsWatchID:
|
||||
resp, ok := u.Result.(*structs.IndexedIntentionMatches)
|
||||
|
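Review bot: In the -270 hunk a trust-bundle update whose `resp.Bundle` is nil leaves the previous entry in `snap.ConnectProxy.UpstreamPeerTrustBundles[peer]`, so a peer whose bundle has been withdrawn keeps being used as a root of trust for upstream TLS until the watch itself is cancelled. If a nil bundle is how the data source signals removal (its contract is not visible here), the branch should fall through to `delete(snap.ConnectProxy.UpstreamPeerTrustBundles, peer)`, which also makes `PeeredUpstreamIDs()` skip the upstream instead of serving stale roots. handleUpdate starts and ends outside the hunk.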
|
|
@ -238,7 +238,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
|
|||
},
|
||||
PassthroughUpstreams: map[UpstreamID]map[string]map[string]struct{}{},
|
||||
PassthroughIndices: map[string]indexedTarget{},
|
||||
PeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
|
||||
UpstreamPeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
|
||||
PeerUpstreamEndpoints: map[UpstreamID]structs.CheckServiceNodes{},
|
||||
PeerUpstreamEndpointsUseHostnames: map[UpstreamID]struct{}{},
|
||||
},
|
||||
|
@ -299,7 +299,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
|
|||
},
|
||||
PassthroughUpstreams: map[UpstreamID]map[string]map[string]struct{}{},
|
||||
PassthroughIndices: map[string]indexedTarget{},
|
||||
PeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
|
||||
UpstreamPeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
|
||||
PeerUpstreamEndpoints: map[UpstreamID]structs.CheckServiceNodes{},
|
||||
PeerUpstreamEndpointsUseHostnames: map[UpstreamID]struct{}{},
|
||||
},
|
||||
|
|
|
@ -44,13 +44,13 @@ type ConfigSnapshotUpstreams struct {
|
|||
// endpoints of an upstream.
|
||||
WatchedUpstreamEndpoints map[UpstreamID]map[string]structs.CheckServiceNodes
|
||||
|
||||
// WatchedPeerTrustBundles is a map of (PeerName -> CancelFunc) in order to cancel
|
||||
// WatchedUpstreamPeerTrustBundles is a map of (PeerName -> CancelFunc) in order to cancel
|
||||
// watches for peer trust bundles any time the list of upstream peers changes.
|
||||
WatchedPeerTrustBundles map[string]context.CancelFunc
|
||||
WatchedUpstreamPeerTrustBundles map[string]context.CancelFunc
|
||||
|
||||
// PeerTrustBundles is a map of (PeerName -> PeeringTrustBundle).
|
||||
// UpstreamPeerTrustBundles is a map of (PeerName -> PeeringTrustBundle).
|
||||
// It is used to store trust bundles for upstream TLS transport sockets.
|
||||
PeerTrustBundles map[string]*pbpeering.PeeringTrustBundle
|
||||
UpstreamPeerTrustBundles map[string]*pbpeering.PeeringTrustBundle
|
||||
|
||||
// WatchedGateways is a map of UpstreamID -> (map of GatewayKey.String() ->
|
||||
// CancelFunc) in order to cancel watches for mesh gateways
|
||||
|
@ -128,8 +128,8 @@ func gatewayKeyFromString(s string) GatewayKey {
|
|||
type configSnapshotConnectProxy struct {
|
||||
ConfigSnapshotUpstreams
|
||||
|
||||
PeeringTrustBundlesSet bool
|
||||
PeeringTrustBundles []*pbpeering.PeeringTrustBundle
|
||||
InboundPeerTrustBundlesSet bool
|
||||
InboundPeerTrustBundles []*pbpeering.PeeringTrustBundle
|
||||
|
||||
WatchedServiceChecks map[structs.ServiceID][]structs.CheckType // TODO: missing garbage collection
|
||||
PreparedQueryEndpoints map[UpstreamID]structs.CheckServiceNodes // DEPRECATED:see:WatchedUpstreamEndpoints
|
||||
|
@ -152,8 +152,8 @@ func (c *configSnapshotConnectProxy) isEmpty() bool {
|
|||
len(c.WatchedDiscoveryChains) == 0 &&
|
||||
len(c.WatchedUpstreams) == 0 &&
|
||||
len(c.WatchedUpstreamEndpoints) == 0 &&
|
||||
len(c.WatchedPeerTrustBundles) == 0 &&
|
||||
len(c.PeerTrustBundles) == 0 &&
|
||||
len(c.WatchedUpstreamPeerTrustBundles) == 0 &&
|
||||
len(c.UpstreamPeerTrustBundles) == 0 &&
|
||||
len(c.WatchedGateways) == 0 &&
|
||||
len(c.WatchedGatewayEndpoints) == 0 &&
|
||||
len(c.WatchedServiceChecks) == 0 &&
|
||||
|
@ -161,7 +161,7 @@ func (c *configSnapshotConnectProxy) isEmpty() bool {
|
|||
len(c.UpstreamConfig) == 0 &&
|
||||
len(c.PassthroughUpstreams) == 0 &&
|
||||
len(c.IntentionUpstreams) == 0 &&
|
||||
!c.PeeringTrustBundlesSet &&
|
||||
!c.InboundPeerTrustBundlesSet &&
|
||||
!c.MeshConfigSet &&
|
||||
len(c.PeerUpstreamEndpoints) == 0 &&
|
||||
len(c.PeerUpstreamEndpointsUseHostnames) == 0
|
||||
|
@ -637,7 +637,7 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) {
|
|||
snap.ConnectProxy.WatchedUpstreams = nil
|
||||
snap.ConnectProxy.WatchedGateways = nil
|
||||
snap.ConnectProxy.WatchedDiscoveryChains = nil
|
||||
snap.ConnectProxy.WatchedPeerTrustBundles = nil
|
||||
snap.ConnectProxy.WatchedUpstreamPeerTrustBundles = nil
|
||||
case structs.ServiceKindTerminatingGateway:
|
||||
snap.TerminatingGateway.WatchedServices = nil
|
||||
snap.TerminatingGateway.WatchedIntentions = nil
|
||||
|
@ -652,7 +652,7 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) {
|
|||
snap.IngressGateway.WatchedUpstreams = nil
|
||||
snap.IngressGateway.WatchedGateways = nil
|
||||
snap.IngressGateway.WatchedDiscoveryChains = nil
|
||||
snap.IngressGateway.WatchedPeerTrustBundles = nil
|
||||
snap.IngressGateway.WatchedUpstreamPeerTrustBundles = nil
|
||||
// only ingress-gateway
|
||||
snap.IngressGateway.LeafCertWatchCancel = nil
|
||||
}
|
||||
|
@ -676,7 +676,7 @@ func (s *ConfigSnapshot) Leaf() *structs.IssuedCert {
|
|||
func (s *ConfigSnapshot) PeeringTrustBundles() []*pbpeering.PeeringTrustBundle {
|
||||
switch s.Kind {
|
||||
case structs.ServiceKindConnectProxy:
|
||||
return s.ConnectProxy.PeeringTrustBundles
|
||||
return s.ConnectProxy.InboundPeerTrustBundles
|
||||
case structs.ServiceKindMeshGateway:
|
||||
return s.MeshGateway.PeeringTrustBundles
|
||||
default:
|
||||
|
@ -755,7 +755,7 @@ func (u *ConfigSnapshotUpstreams) PeeredUpstreamIDs() []UpstreamID {
|
|||
continue
|
||||
}
|
||||
|
||||
if _, ok := u.PeerTrustBundles[uid.Peer]; uid.Peer != "" && !ok {
|
||||
if _, ok := u.UpstreamPeerTrustBundles[uid.Peer]; uid.Peer != "" && !ok {
|
||||
// The trust bundle for this upstream is not available yet, skip for now.
|
||||
continue
|
||||
}
|
||||
|
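Review bot: The renamed `InboundPeerTrustBundlesSet`/`InboundPeerTrustBundles` fields in the -128 hunk carry no doc comment, while their upstream counterparts in the -44 hunk say what they hold and what consumes them. I'd add above them: `// InboundPeerTrustBundles holds the trust bundles delivered by the peering trust-bundle watch; the xds RBAC filters use them to resolve the trust domain of peered intention sources on the inbound listener. InboundPeerTrustBundlesSet records that the watch has delivered at least once.` The accessor `ConfigSnapshot.PeeringTrustBundles()` in the -676 hunk keeps its old name while now returning `InboundPeerTrustBundles`, so a one-line comment there (`// PeeringTrustBundles returns the inbound peer trust bundles, not the per-upstream map.`) would stop readers conflating the two. configSnapshotConnectProxy continues outside the hunk.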
|
|
@ -2572,15 +2572,15 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
|||
require.Len(t, snap.ConnectProxy.WatchedGateways, 0, "%+v", snap.ConnectProxy.WatchedGateways)
|
||||
require.Len(t, snap.ConnectProxy.WatchedGatewayEndpoints, 0, "%+v", snap.ConnectProxy.WatchedGatewayEndpoints)
|
||||
|
||||
require.Contains(t, snap.ConnectProxy.WatchedPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedPeerTrustBundles)
|
||||
require.Len(t, snap.ConnectProxy.PeerTrustBundles, 0, "%+v", snap.ConnectProxy.PeerTrustBundles)
|
||||
require.Contains(t, snap.ConnectProxy.WatchedUpstreamPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles)
|
||||
require.Len(t, snap.ConnectProxy.UpstreamPeerTrustBundles, 0, "%+v", snap.ConnectProxy.UpstreamPeerTrustBundles)
|
||||
|
||||
require.Len(t, snap.ConnectProxy.PeerUpstreamEndpoints, 0, "%+v", snap.ConnectProxy.PeerUpstreamEndpoints)
|
||||
|
||||
require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks)
|
||||
require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints)
|
||||
require.Len(t, snap.ConnectProxy.PeeringTrustBundles, 0, "%+v", snap.ConnectProxy.PeeringTrustBundles)
|
||||
require.False(t, snap.ConnectProxy.PeeringTrustBundlesSet)
|
||||
require.Len(t, snap.ConnectProxy.InboundPeerTrustBundles, 0, "%+v", snap.ConnectProxy.InboundPeerTrustBundles)
|
||||
require.False(t, snap.ConnectProxy.InboundPeerTrustBundlesSet)
|
||||
},
|
||||
},
|
||||
{
|
||||
|
@ -2655,7 +2655,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
|||
|
||||
require.Equal(t, indexedRoots, snap.Roots)
|
||||
require.Equal(t, issuedCert, snap.ConnectProxy.Leaf)
|
||||
prototest.AssertDeepEqual(t, peerTrustBundles.Bundles, snap.ConnectProxy.PeeringTrustBundles)
|
||||
prototest.AssertDeepEqual(t, peerTrustBundles.Bundles, snap.ConnectProxy.InboundPeerTrustBundles)
|
||||
|
||||
require.Len(t, snap.ConnectProxy.DiscoveryChain, 1, "%+v", snap.ConnectProxy.DiscoveryChain)
|
||||
require.Len(t, snap.ConnectProxy.WatchedUpstreams, 1, "%+v", snap.ConnectProxy.WatchedUpstreams)
|
||||
|
@ -2663,8 +2663,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
|
|||
require.Len(t, snap.ConnectProxy.WatchedGateways, 1, "%+v", snap.ConnectProxy.WatchedGateways)
|
||||
require.Len(t, snap.ConnectProxy.WatchedGatewayEndpoints, 1, "%+v", snap.ConnectProxy.WatchedGatewayEndpoints)
|
||||
|
||||
require.Contains(t, snap.ConnectProxy.WatchedPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedPeerTrustBundles)
|
||||
require.Equal(t, peerTrustBundles.Bundles[0], snap.ConnectProxy.PeerTrustBundles["peer-a"], "%+v", snap.ConnectProxy.WatchedPeerTrustBundles)
|
||||
require.Contains(t, snap.ConnectProxy.WatchedUpstreamPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles)
|
||||
require.Equal(t, peerTrustBundles.Bundles[0], snap.ConnectProxy.UpstreamPeerTrustBundles["peer-a"], "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles)
|
||||
|
||||
require.Len(t, snap.ConnectProxy.PeerUpstreamEndpoints, 1, "%+v", snap.ConnectProxy.PeerUpstreamEndpoints)
|
||||
require.NotNil(t, snap.ConnectProxy.PeerUpstreamEndpoints[extApiUID])
|
||||
|
|
|
@ -465,9 +465,9 @@ func (s *ResourceGenerator) makeDestinationClusters(cfgSnap *proxycfg.ConfigSnap
|
|||
cluster := s.makeDynamicForwardProxyCluster(cfgSnap, opts)
|
||||
|
||||
// TODO (dans): might be relevant later for TLS addons like CA validation
|
||||
//if err := s.injectGatewayServiceAddons(cfgSnap, cluster, svc, loadBalancer); err != nil {
|
||||
// if err := s.injectGatewayServiceAddons(cfgSnap, cluster, svc, loadBalancer); err != nil {
|
||||
// return nil, err
|
||||
//}
|
||||
// }
|
||||
clusters = append(clusters, cluster)
|
||||
}
|
||||
return clusters, nil
|
||||
|
@ -695,7 +695,7 @@ func (s *ResourceGenerator) makeUpstreamClusterForPeerService(
|
|||
|
||||
rootPEMs := cfgSnap.RootPEMs()
|
||||
if uid.Peer != "" {
|
||||
rootPEMs = cfgSnap.ConnectProxy.PeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
|
||||
rootPEMs = cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
|
||||
}
|
||||
|
||||
// Enable TLS upstream with the configured client certificate.
|
||||
|
@ -999,7 +999,7 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
|
|||
|
||||
rootPEMs := cfgSnap.RootPEMs()
|
||||
if uid.Peer != "" {
|
||||
rootPEMs = cfgSnap.ConnectProxy.PeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
|
||||
rootPEMs = cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
|
||||
}
|
||||
commonTLSContext := makeCommonTLSContext(
|
||||
cfgSnap.Leaf(),
|
||||
|
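Review bot: In both the -695 and -999 hunks the new `cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()` indexes the map without an ok check, so a peer whose bundle has not arrived yet (or was removed) yields a nil `*PeeringTrustBundle`, and the call will panic if the method dereferences its receiver. `PeeredUpstreamIDs()` in snapshot.go skips upstreams without a bundle, but nothing in these hunks shows the discovery-chain path is filtered the same way. I'd look the bundle up explicitly and fail the cluster build rather than fall back to the local roots, since validating a peer's certificates against the wrong bundle is exactly the class of bug this commit fixes: `ptb, ok := cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer]`, `if !ok || ptb == nil { return nil, fmt.Errorf("trust bundle for peer %q not available", uid.Peer) }`, then `rootPEMs = ptb.ConcatenatedRootPEMs()`. Both enclosing functions start and end outside the hunks, so the error-return shape should be checked against their signatures.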
|
|
@ -697,7 +697,8 @@ func (s *ResourceGenerator) injectConnectFilters(cfgSnap *proxycfg.ConfigSnapsho
|
|||
authzFilter, err := makeRBACNetworkFilter(
|
||||
cfgSnap.ConnectProxy.Intentions,
|
||||
cfgSnap.IntentionDefaultAllow,
|
||||
cfgSnap.ConnectProxy.PeerTrustBundles,
|
||||
cfgSnap.Roots.TrustDomain,
|
||||
cfgSnap.ConnectProxy.InboundPeerTrustBundles,
|
||||
)
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -952,7 +953,8 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot
|
|||
httpAuthzFilter, err := makeRBACHTTPFilter(
|
||||
cfgSnap.ConnectProxy.Intentions,
|
||||
cfgSnap.IntentionDefaultAllow,
|
||||
cfgSnap.ConnectProxy.PeerTrustBundles,
|
||||
cfgSnap.Roots.TrustDomain,
|
||||
cfgSnap.ConnectProxy.InboundPeerTrustBundles,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -1009,7 +1011,8 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot
|
|||
filterOpts.httpAuthzFilter, err = makeRBACHTTPFilter(
|
||||
cfgSnap.ConnectProxy.Intentions,
|
||||
cfgSnap.IntentionDefaultAllow,
|
||||
cfgSnap.ConnectProxy.PeerTrustBundles,
|
||||
cfgSnap.Roots.TrustDomain,
|
||||
cfgSnap.ConnectProxy.InboundPeerTrustBundles,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -1307,6 +1310,7 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.
|
|||
authFilter, err := makeRBACNetworkFilter(
|
||||
intentions,
|
||||
cfgSnap.IntentionDefaultAllow,
|
||||
cfgSnap.Roots.TrustDomain,
|
||||
nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway
|
||||
)
|
||||
if err != nil {
|
||||
|
@ -1344,6 +1348,7 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.
|
|||
opts.httpAuthzFilter, err = makeRBACHTTPFilter(
|
||||
intentions,
|
||||
cfgSnap.IntentionDefaultAllow,
|
||||
cfgSnap.Roots.TrustDomain,
|
||||
nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway
|
||||
)
|
||||
if err != nil {
|
||||
|
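Review bot: The terminating-gateway call sites (-1307 and -1344 hunks) now pass `cfgSnap.Roots.TrustDomain` but still hand `nil` for the peer trust bundles with an unresolved TODO, so an intention whose source is a peer cannot resolve a bundle when the rules are built; from the `continue` visible in intentionListToIntermediateRBACForm it looks like such intentions are dropped silently. Dropping an intention is fail-closed in default-deny but, after the allow/deny normalization in makeRBACRules, drops a deny rule in default-allow, so I'd either resolve the TODO or state the behaviour at the call site: `nil, // peered intentions are not expected at terminating gateways; any present are skipped when building RBAC rules`. makeFilterChainTerminatingGateway starts and ends outside the hunks.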
|
|
@ -21,9 +21,10 @@ import (
|
|||
func makeRBACNetworkFilter(
|
||||
intentions structs.Intentions,
|
||||
intentionDefaultAllow bool,
|
||||
peerTrustBundles map[string]*pbpeering.PeeringTrustBundle,
|
||||
trustDomain string,
|
||||
peerTrustBundles []*pbpeering.PeeringTrustBundle,
|
||||
) (*envoy_listener_v3.Filter, error) {
|
||||
rules, err := makeRBACRules(intentions, intentionDefaultAllow, false, peerTrustBundles)
|
||||
rules, err := makeRBACRules(intentions, intentionDefaultAllow, trustDomain, false, peerTrustBundles)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -38,9 +39,10 @@ func makeRBACNetworkFilter(
|
|||
func makeRBACHTTPFilter(
|
||||
intentions structs.Intentions,
|
||||
intentionDefaultAllow bool,
|
||||
peerTrustBundles map[string]*pbpeering.PeeringTrustBundle,
|
||||
trustDomain string,
|
||||
peerTrustBundles []*pbpeering.PeeringTrustBundle,
|
||||
) (*envoy_http_v3.HttpFilter, error) {
|
||||
rules, err := makeRBACRules(intentions, intentionDefaultAllow, true, peerTrustBundles)
|
||||
rules, err := makeRBACRules(intentions, intentionDefaultAllow, trustDomain, true, peerTrustBundles)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -53,6 +55,7 @@ func makeRBACHTTPFilter(
|
|||
|
||||
func intentionListToIntermediateRBACForm(
|
||||
intentions structs.Intentions,
|
||||
trustDomain string,
|
||||
isHTTP bool,
|
||||
trustBundlesByPeer map[string]*pbpeering.PeeringTrustBundle,
|
||||
) []*rbacIntention {
|
||||
|
@ -72,7 +75,7 @@ func intentionListToIntermediateRBACForm(
|
|||
continue
|
||||
}
|
||||
|
||||
rixn := intentionToIntermediateRBACForm(ixn, isHTTP, trustBundle)
|
||||
rixn := intentionToIntermediateRBACForm(ixn, trustDomain, isHTTP, trustBundle)
|
||||
rbacIxns = append(rbacIxns, rixn)
|
||||
}
|
||||
return rbacIxns
|
||||
|
@ -210,11 +213,12 @@ func removePermissionPrecedence(perms []*rbacPermission, intentionDefaultAction
|
|||
return out
|
||||
}
|
||||
|
||||
func intentionToIntermediateRBACForm(ixn *structs.Intention, isHTTP bool, bundle *pbpeering.PeeringTrustBundle) *rbacIntention {
|
||||
func intentionToIntermediateRBACForm(ixn *structs.Intention, trustDomain string, isHTTP bool, bundle *pbpeering.PeeringTrustBundle) *rbacIntention {
|
||||
rixn := &rbacIntention{
|
||||
Source: rbacService{
|
||||
ServiceName: ixn.SourceServiceName(),
|
||||
Peer: ixn.SourcePeer,
|
||||
TrustDomain: trustDomain,
|
||||
},
|
||||
Precedence: ixn.Precedence,
|
||||
}
|
||||
|
@ -426,25 +430,21 @@ func simplifyNotSourceSlice(notSources []rbacService) []rbacService {
|
|||
func makeRBACRules(
|
||||
intentions structs.Intentions,
|
||||
intentionDefaultAllow bool,
|
||||
trustDomain string,
|
||||
isHTTP bool,
|
||||
peerTrustBundles map[string]*pbpeering.PeeringTrustBundle,
|
||||
peerTrustBundles []*pbpeering.PeeringTrustBundle,
|
||||
) (*envoy_rbac_v3.RBAC, error) {
|
||||
// Note that we DON'T explicitly validate the trust-domain matches ours.
|
||||
//
|
||||
// For now we don't validate the trust domain of the _destination_ at all.
|
||||
// The RBAC policies below ignore the trust domain and it's implicit that
|
||||
// the request is for the correct cluster. We might want to reconsider this
|
||||
// later but plumbing in additional machinery to check the clusterID here
|
||||
// is not really necessary for now unless the Envoys are badly configured.
|
||||
// Our threat model _requires_ correctly configured and well behaved
|
||||
// proxies given that they have ACLs to fetch certs and so can do whatever
|
||||
// they want including not authorizing traffic at all or routing it do a
|
||||
// different service than they auth'd against.
|
||||
|
||||
// TODO(banks,rb): Implement revocation list checking?
|
||||
|
||||
// TODO(peering): mkeeler asked that these maps come from proxycfg instead of
|
||||
// being constructed in xds to save memory allocation and gc pressure. Low priority.
|
||||
trustBundlesByPeer := make(map[string]*pbpeering.PeeringTrustBundle, len(peerTrustBundles))
|
||||
for _, ptb := range peerTrustBundles {
|
||||
trustBundlesByPeer[ptb.PeerName] = ptb
|
||||
}
|
||||
|
||||
// First build up just the basic principal matches.
|
||||
rbacIxns := intentionListToIntermediateRBACForm(intentions, isHTTP, peerTrustBundles)
|
||||
rbacIxns := intentionListToIntermediateRBACForm(intentions, trustDomain, isHTTP, trustBundlesByPeer)
|
||||
|
||||
// Normalize: if we are in default-deny then all intentions must be allows and vice versa
|
||||
intentionDefaultAction := intentionActionFromBool(intentionDefaultAllow)
|
||||
|
@ -641,7 +641,7 @@ const anyPath = `[^/]+`
|
|||
|
||||
func makeSpiffePattern(src rbacService) string {
|
||||
var (
|
||||
host = anyPath // TODO(peering): We match trust domain on any value but should be defaulting to the local trust domain
|
||||
host = src.TrustDomain
|
||||
ap = src.PartitionOrDefault()
|
||||
ns = src.NamespaceOrDefault()
|
||||
svc = src.Name
|
||||
|
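Review bot: `makeSpiffePattern` (the -641 hunk) interpolates `src.TrustDomain` into the principal regex unescaped, so `.` matches any character (`test.consul` also matches `testXconsul`), and for peered sources the value appears to come from the peer's trust bundle, i.e. data a remote cluster controls; a domain containing regex metacharacters would widen the match beyond that peer's SPIFFE IDs. Use `host = regexp.QuoteMeta(src.TrustDomain)` (adding the `regexp` import if the file lacks it) and regenerate the golden files, which would then read `test\.consul`. It would also be worth returning an error from makeRBACRules when `trustDomain == ""`, since an empty host yields a pattern that can never match, which denies all traffic in default-deny and disables the deny rules in default-allow instead of surfacing the misconfiguration. makeSpiffePattern continues past the hunk.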
|
|
@ -58,10 +58,13 @@ func TestRemoveIntentionPrecedence(t *testing.T) {
|
|||
ExportedPartition: "part1",
|
||||
},
|
||||
}
|
||||
testTrustDomain := "test.consul"
|
||||
|
||||
var (
|
||||
nameWild = rbacService{ServiceName: structs.NewServiceName("*", nil)}
|
||||
nameWeb = rbacService{ServiceName: structs.NewServiceName("web", nil)}
|
||||
nameWild = rbacService{ServiceName: structs.NewServiceName("*", nil),
|
||||
TrustDomain: testTrustDomain}
|
||||
nameWeb = rbacService{ServiceName: structs.NewServiceName("web", nil),
|
||||
TrustDomain: testTrustDomain}
|
||||
nameWildPeered = rbacService{ServiceName: structs.NewServiceName("*", nil),
|
||||
Peer: "peer1", TrustDomain: "peer1.domain", ExportedPartition: "part1"}
|
||||
nameWebPeered = rbacService{ServiceName: structs.NewServiceName("web", nil),
|
||||
|
@ -439,7 +442,7 @@ func TestRemoveIntentionPrecedence(t *testing.T) {
|
|||
|
||||
for name, tt := range tests {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, tt.http, testPeerTrustBundle)
|
||||
rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, testTrustDomain, tt.http, testPeerTrustBundle)
|
||||
intentionDefaultAction := intentionActionFromBool(tt.intentionDefaultAllow)
|
||||
rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction)
|
||||
|
||||
|
@ -472,13 +475,14 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
|
|||
ixn.Permissions = perms
|
||||
return ixn
|
||||
}
|
||||
testPeerTrustBundle := map[string]*pbpeering.PeeringTrustBundle{
|
||||
"peer1": {
|
||||
testPeerTrustBundle := []*pbpeering.PeeringTrustBundle{
|
||||
{
|
||||
PeerName: "peer1",
|
||||
TrustDomain: "peer1.domain",
|
||||
ExportedPartition: "part1",
|
||||
},
|
||||
}
|
||||
testTrustDomain := "test.consul"
|
||||
sorted := func(ixns ...*structs.Intention) structs.Intentions {
|
||||
sort.SliceStable(ixns, func(i, j int) bool {
|
||||
return ixns[j].Precedence < ixns[i].Precedence
|
||||
|
@ -797,7 +801,7 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
|
|||
tt := tt
|
||||
t.Run(name, func(t *testing.T) {
|
||||
t.Run("network filter", func(t *testing.T) {
|
||||
filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow, testPeerTrustBundle)
|
||||
filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow, testTrustDomain, testPeerTrustBundle)
|
||||
require.NoError(t, err)
|
||||
|
||||
t.Run("current", func(t *testing.T) {
|
||||
|
@ -807,7 +811,7 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
|
|||
})
|
||||
})
|
||||
t.Run("http filter", func(t *testing.T) {
|
||||
filter, err := makeRBACHTTPFilter(tt.intentions, tt.intentionDefaultAllow, testPeerTrustBundle)
|
||||
filter, err := makeRBACHTTPFilter(tt.intentions, tt.intentionDefaultAllow, testTrustDomain, testPeerTrustBundle)
|
||||
require.NoError(t, err)
|
||||
|
||||
t.Run("current", func(t *testing.T) {
|
||||
|
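Review bot: The updated tests pin the new trust-domain host only through golden output; nothing asserts the property the commit is after, that an identity from a different trust domain no longer matches the principal. I'd add a case that compiles the result of `makeSpiffePattern` for an `rbacService` with `TrustDomain: testTrustDomain` and checks it matches `spiffe://test.consul/ns/default/dc/dc1/svc/web` but not `spiffe://other.consul/ns/default/dc/dc1/svc/web`, and likewise that a peered source with `TrustDomain: "peer1.domain"` rejects the local domain. The test functions start and end outside the hunks.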
|
|
@ -22,7 +22,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -35,7 +35,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -34,7 +34,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -47,7 +47,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -35,7 +35,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -64,7 +64,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -34,7 +34,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -47,7 +47,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -31,7 +31,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -46,7 +46,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -59,7 +59,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -73,7 +73,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -87,7 +87,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -31,7 +31,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -46,7 +46,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -59,7 +59,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -73,7 +73,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -87,7 +87,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -227,7 +227,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -45,7 +45,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -34,7 +34,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -34,7 +34,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -30,7 +30,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -45,7 +45,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -58,7 +58,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -72,7 +72,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -86,7 +86,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -30,7 +30,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -45,7 +45,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -58,7 +58,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -72,7 +72,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -86,7 +86,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -226,7 +226,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -46,7 +46,7 @@
|
|||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|