consul/proto
Freddy 74ca6406ea
Configure upstream TLS context with peer root certs (#13321)
For mTLS to work between two proxies in peered clusters with different root CAs,
proxies need to configure their outbound listener to use different root certificates
for validation.

Up until peering was introduced, proxies would only ever use one set of root certificates
to validate all mesh traffic, both inbound and outbound. Now an upstream proxy
may have a leaf certificate signed by a CA that's different from the dialing proxy's.

This PR makes changes to proxycfg and xds so that the upstream TLS validation
uses different root certificates depending on which cluster is being dialed.
2022-06-01 15:53:52 -06:00
pbacl Specify go_package explicitly 2022-05-24 10:22:53 -07:00
pbautoconf Specify go_package explicitly 2022-05-24 10:22:53 -07:00
pbcommon Specify go_package explicitly 2022-05-24 10:22:53 -07:00
pbconfig Specify go_package explicitly 2022-05-24 10:22:53 -07:00
pbconnect Specify go_package explicitly 2022-05-24 10:22:53 -07:00
pbpeering Configure upstream TLS context with peer root certs (#13321) 2022-06-01 15:53:52 -06:00
pbservice peering: replicate expected SNI, SPIFFE, and service protocol to peers (#13218) 2022-05-25 12:37:44 -05:00
pbstatus Specify go_package explicitly 2022-05-24 10:22:53 -07:00
pbsubscribe Specify go_package explicitly 2022-05-24 10:22:53 -07:00
prototest peering: replicate expected SNI, SPIFFE, and service protocol to peers (#13218) 2022-05-25 12:37:44 -05:00
buf.gen.yaml Migrate from `protoc` to `buf` (#12841) 2022-05-23 10:37:52 -04:00
buf.yaml Migrate from `protoc` to `buf` (#12841) 2022-05-23 10:37:52 -04:00