Fixes issue: hashicorp/consul#20360 A regression was introduced in hashicorp/consul#19954 where the SAN validation matching was reduced from 4 potential types down to just the URI. Terminating gateways will need to match on many fields depending on user configuration, since they make egress calls outside of the cluster. Having more than one matcher behaves like an OR operation, where any match is sufficient to pass the certificate validation. To maintain backwards compatibility with the old untyped `match_subject_alt_names` Envoy behavior, we should match on all 4 enum types. https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#enum-extensions-transport-sockets-tls-v3-subjectaltnamematcher-santype
{
"nonce": "00000001",
"resources": [
{
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
"connectTimeout": "5s",
"dnsLookupFamily": "V4_ONLY",
"dnsRefreshRate": "10s",
"loadAssignment": {
"clusterName": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"socketAddress": {
"address": "api.altdomain",
"portValue": 8081
}
}
},
"healthStatus": "HEALTHY",
"loadBalancingWeight": 1
}
]
}
]
},
"name": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
"outlierDetection": {},
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
"commonTlsContext": {
"tlsCertificates": [
{
"certificateChain": {
"filename": "api.cert.pem"
},
"privateKey": {
"filename": "api.key.pem"
}
}
],
"tlsParams": {},
"validationContext": {
"matchTypedSubjectAltNames": [
{
"matcher": {
"exact": "bar.com"
},
"sanType": "URI"
},
{
"matcher": {
"exact": "bar.com"
},
"sanType": "DNS"
},
{
"matcher": {
"exact": "bar.com"
},
"sanType": "EMAIL"
},
{
"matcher": {
"exact": "bar.com"
},
"sanType": "IP_ADDRESS"
}
],
"trustedCa": {
"filename": "ca.cert.pem"
}
}
},
"sni": "bar.com"
}
},
"type": "LOGICAL_DNS"
},
{
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
"connectTimeout": "5s",
"dnsLookupFamily": "V4_ONLY",
"dnsRefreshRate": "10s",
"loadAssignment": {
"clusterName": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"socketAddress": {
"address": "cache.mydomain",
"portValue": 8081
}
}
},
"healthStatus": "HEALTHY",
"loadBalancingWeight": 1
}
]
}
]
},
"name": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
"outlierDetection": {},
"type": "LOGICAL_DNS"
},
{
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
"connectTimeout": "5s",
"dnsLookupFamily": "V4_ONLY",
"dnsRefreshRate": "10s",
"loadAssignment": {
"clusterName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"socketAddress": {
"address": "db.mydomain",
"portValue": 8081
}
}
},
"healthStatus": "UNHEALTHY",
"loadBalancingWeight": 1
}
]
}
]
},
"name": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
"outlierDetection": {},
"type": "LOGICAL_DNS"
},
{
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
"connectTimeout": "5s",
"edsClusterConfig": {
"edsConfig": {
"ads": {},
"resourceApiVersion": "V3"
}
},
"name": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
"outlierDetection": {},
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
"commonTlsContext": {
"tlsParams": {},
"validationContext": {
"matchTypedSubjectAltNames": [
{
"matcher": {
"exact": "foo.com"
},
"sanType": "URI"
},
{
"matcher": {
"exact": "foo.com"
},
"sanType": "DNS"
},
{
"matcher": {
"exact": "foo.com"
},
"sanType": "EMAIL"
},
{
"matcher": {
"exact": "foo.com"
},
"sanType": "IP_ADDRESS"
}
],
"trustedCa": {
"filename": "ca.cert.pem"
}
}
},
"sni": "foo.com"
}
},
"type": "EDS"
}
],
"typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
"versionInfo": "00000001"
} |