mirror of
https://github.com/status-im/consul.git
synced 2025-01-24 20:51:10 +00:00
3e8ec8d18e
Fixes issue: hashicorp/consul#20360 A regression was introduced in hashicorp/consul#19954 where the SAN validation matching was reduced from 4 potential types down to just the URI. Terminating gateways will need to match on many fields depending on user configuration, since they make egress calls outside of the cluster. Having more than one matcher behaves like an OR operation, where any match is sufficient to pass the certificate validation. To maintain backwards compatibility with the old untyped `match_subject_alt_names` Envoy behavior, we should match on all 4 enum types. https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#enum-extensions-transport-sockets-tls-v3-subjectaltnamematcher-santype
264 lines
8.2 KiB
Plaintext
264 lines
8.2 KiB
Plaintext
{
|
|
"nonce": "00000001",
|
|
"resources": [
|
|
{
|
|
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
|
|
"connectTimeout": "5s",
|
|
"loadAssignment": {
|
|
"clusterName": "destination.192-168-0-1.external-IP-TCP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"endpoints": [
|
|
{
|
|
"lbEndpoints": [
|
|
{
|
|
"endpoint": {
|
|
"address": {
|
|
"socketAddress": {
|
|
"address": "192.168.0.1",
|
|
"portValue": 80
|
|
}
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"name": "destination.192-168-0-1.external-IP-TCP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"outlierDetection": {},
|
|
"type": "STATIC"
|
|
},
|
|
{
|
|
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
|
|
"connectTimeout": "5s",
|
|
"loadAssignment": {
|
|
"clusterName": "destination.192-168-0-2.external-IP-HTTP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"endpoints": [
|
|
{
|
|
"lbEndpoints": [
|
|
{
|
|
"endpoint": {
|
|
"address": {
|
|
"socketAddress": {
|
|
"address": "192.168.0.2",
|
|
"portValue": 80
|
|
}
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"name": "destination.192-168-0-2.external-IP-HTTP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"outlierDetection": {},
|
|
"type": "STATIC"
|
|
},
|
|
{
|
|
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
|
|
"connectTimeout": "5s",
|
|
"loadAssignment": {
|
|
"clusterName": "destination.192-168-0-2.external-IP-TCP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"endpoints": [
|
|
{
|
|
"lbEndpoints": [
|
|
{
|
|
"endpoint": {
|
|
"address": {
|
|
"socketAddress": {
|
|
"address": "192.168.0.2",
|
|
"portValue": 80
|
|
}
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"name": "destination.192-168-0-2.external-IP-TCP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"outlierDetection": {},
|
|
"type": "STATIC"
|
|
},
|
|
{
|
|
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
|
|
"connectTimeout": "5s",
|
|
"loadAssignment": {
|
|
"clusterName": "destination.192-168-0-3.external-IP-TCP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"endpoints": [
|
|
{
|
|
"lbEndpoints": [
|
|
{
|
|
"endpoint": {
|
|
"address": {
|
|
"socketAddress": {
|
|
"address": "192.168.0.3",
|
|
"portValue": 80
|
|
}
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"name": "destination.192-168-0-3.external-IP-TCP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"outlierDetection": {},
|
|
"type": "STATIC"
|
|
},
|
|
{
|
|
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
|
|
"connectTimeout": "5s",
|
|
"dnsLookupFamily": "V4_ONLY",
|
|
"dnsRefreshRate": "10s",
|
|
"loadAssignment": {
|
|
"clusterName": "destination.api-hashicorp-com.external-hostname-TCP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"endpoints": [
|
|
{
|
|
"lbEndpoints": [
|
|
{
|
|
"endpoint": {
|
|
"address": {
|
|
"socketAddress": {
|
|
"address": "api.hashicorp.com",
|
|
"portValue": 8089
|
|
}
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"name": "destination.api-hashicorp-com.external-hostname-TCP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"outlierDetection": {},
|
|
"type": "LOGICAL_DNS"
|
|
},
|
|
{
|
|
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
|
|
"connectTimeout": "5s",
|
|
"dnsLookupFamily": "V4_ONLY",
|
|
"dnsRefreshRate": "10s",
|
|
"loadAssignment": {
|
|
"clusterName": "destination.api-test-com.external-hostname-with-SNI.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"endpoints": [
|
|
{
|
|
"lbEndpoints": [
|
|
{
|
|
"endpoint": {
|
|
"address": {
|
|
"socketAddress": {
|
|
"address": "api.test.com",
|
|
"portValue": 80
|
|
}
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"name": "destination.api-test-com.external-hostname-with-SNI.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"outlierDetection": {},
|
|
"transportSocket": {
|
|
"name": "tls",
|
|
"typedConfig": {
|
|
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
|
|
"commonTlsContext": {
|
|
"tlsParams": {},
|
|
"validationContext": {
|
|
"matchTypedSubjectAltNames": [
|
|
{
|
|
"matcher": {
|
|
"exact": "api.test.com"
|
|
},
|
|
"sanType": "URI"
|
|
},
|
|
{
|
|
"matcher": {
|
|
"exact": "api.test.com"
|
|
},
|
|
"sanType": "DNS"
|
|
},
|
|
{
|
|
"matcher": {
|
|
"exact": "api.test.com"
|
|
},
|
|
"sanType": "EMAIL"
|
|
},
|
|
{
|
|
"matcher": {
|
|
"exact": "api.test.com"
|
|
},
|
|
"sanType": "IP_ADDRESS"
|
|
}
|
|
],
|
|
"trustedCa": {
|
|
"filename": "cert.pem"
|
|
}
|
|
}
|
|
},
|
|
"sni": "api.test.com"
|
|
}
|
|
},
|
|
"type": "LOGICAL_DNS"
|
|
},
|
|
{
|
|
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
|
|
"connectTimeout": "5s",
|
|
"dnsLookupFamily": "V4_ONLY",
|
|
"dnsRefreshRate": "10s",
|
|
"loadAssignment": {
|
|
"clusterName": "destination.httpbin-org.external-hostname-HTTP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"endpoints": [
|
|
{
|
|
"lbEndpoints": [
|
|
{
|
|
"endpoint": {
|
|
"address": {
|
|
"socketAddress": {
|
|
"address": "httpbin.org",
|
|
"portValue": 80
|
|
}
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"name": "destination.httpbin-org.external-hostname-HTTP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"outlierDetection": {},
|
|
"type": "LOGICAL_DNS"
|
|
},
|
|
{
|
|
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
|
|
"connectTimeout": "5s",
|
|
"dnsLookupFamily": "V4_ONLY",
|
|
"dnsRefreshRate": "10s",
|
|
"loadAssignment": {
|
|
"clusterName": "destination.web-hashicorp-com.external-hostname-TCP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"endpoints": [
|
|
{
|
|
"lbEndpoints": [
|
|
{
|
|
"endpoint": {
|
|
"address": {
|
|
"socketAddress": {
|
|
"address": "web.hashicorp.com",
|
|
"portValue": 8089
|
|
}
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"name": "destination.web-hashicorp-com.external-hostname-TCP.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
|
|
"outlierDetection": {},
|
|
"type": "LOGICAL_DNS"
|
|
}
|
|
],
|
|
"typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
|
|
"versionInfo": "00000001"
|
|
} |