consul/command/connect/envoy
R.B. Boyer 31b95c747b
xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629)
When the protocol is http-like, and an intention has a peered source
then the normal RBAC mTLS SAN field check is replaces with a joint combo
of:

    mTLS SAN field must be the service's local mesh gateway leaf cert
      AND
    the first XFCC header (from the MGW) must have a URI field that matches the original intention source

Also:

- Update the regex program limit to be much higher than the teeny
  defaults, since the RBAC regex constructions are more complicated now.

- Fix a few stray panics in xds generation.
2022-06-29 10:29:54 -05:00
..
pipe-bootstrap envoy: improve comments 2021-06-01 11:35:32 -04:00
testdata xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629) 2022-06-29 10:29:54 -05:00
bootstrap_config.go command: Add TLS support for envoy prometheus endpoint 2022-06-16 17:53:05 -07:00
bootstrap_config_test.go command: Add TLS support for envoy prometheus endpoint 2022-06-16 17:53:05 -07:00
bootstrap_tpl.go xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629) 2022-06-29 10:29:54 -05:00
envoy.go command: Add TLS support for envoy prometheus endpoint 2022-06-16 17:53:05 -07:00
envoy_oss_test.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
envoy_test.go command: Add TLS support for envoy prometheus endpoint 2022-06-16 17:53:05 -07:00
exec_test.go bulk rewrite using this script 2022-01-20 10:46:23 -06:00
exec_unix.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
exec_unsupported.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
flags.go connect: switch the default gateway port from 443 to 8443 (#9116) 2020-11-06 20:47:29 -05:00
flags_test.go connect: switch the default gateway port from 443 to 8443 (#9116) 2020-11-06 20:47:29 -05:00