diff --git a/agent/proxycfg/connect_proxy.go b/agent/proxycfg/connect_proxy.go index 0f62767c6b..cdeea5eadc 100644 --- a/agent/proxycfg/connect_proxy.go +++ b/agent/proxycfg/connect_proxy.go @@ -22,8 +22,8 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e snap.ConnectProxy.WatchedDiscoveryChains = make(map[UpstreamID]context.CancelFunc) snap.ConnectProxy.WatchedUpstreams = make(map[UpstreamID]map[string]context.CancelFunc) snap.ConnectProxy.WatchedUpstreamEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes) - snap.ConnectProxy.WatchedPeerTrustBundles = make(map[string]context.CancelFunc) - snap.ConnectProxy.PeerTrustBundles = make(map[string]*pbpeering.PeeringTrustBundle) + snap.ConnectProxy.WatchedUpstreamPeerTrustBundles = make(map[string]context.CancelFunc) + snap.ConnectProxy.UpstreamPeerTrustBundles = make(map[string]*pbpeering.PeeringTrustBundle) snap.ConnectProxy.WatchedGateways = make(map[UpstreamID]map[string]context.CancelFunc) snap.ConnectProxy.WatchedGatewayEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes) snap.ConnectProxy.WatchedServiceChecks = make(map[structs.ServiceID][]structs.CheckType) @@ -212,7 +212,7 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e } // Check whether a watch for this peer exists to avoid duplicates. - if _, ok := snap.ConnectProxy.WatchedPeerTrustBundles[uid.Peer]; !ok { + if _, ok := snap.ConnectProxy.WatchedUpstreamPeerTrustBundles[uid.Peer]; !ok { peerCtx, cancel := context.WithCancel(ctx) if err := s.dataSources.TrustBundle.Notify(peerCtx, &pbpeering.TrustBundleReadRequest{ Name: uid.Peer, @@ -222,7 +222,7 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e return snap, fmt.Errorf("error while watching trust bundle for peer %q: %w", uid.Peer, err) } - snap.ConnectProxy.WatchedPeerTrustBundles[uid.Peer] = cancel + snap.ConnectProxy.WatchedUpstreamPeerTrustBundles[uid.Peer] = cancel } continue } @@ -270,7 +270,7 @@ func (s *handlerConnectProxy) handleUpdate(ctx context.Context, u UpdateEvent, s } peer := strings.TrimPrefix(u.CorrelationID, peerTrustBundleIDPrefix) if resp.Bundle != nil { - snap.ConnectProxy.PeerTrustBundles[peer] = resp.Bundle + snap.ConnectProxy.UpstreamPeerTrustBundles[peer] = resp.Bundle } case u.CorrelationID == peeringTrustBundlesWatchID: @@ -279,9 +279,9 @@ func (s *handlerConnectProxy) handleUpdate(ctx context.Context, u UpdateEvent, s return fmt.Errorf("invalid type for response: %T", u.Result) } if len(resp.Bundles) > 0 { - snap.ConnectProxy.PeeringTrustBundles = resp.Bundles + snap.ConnectProxy.InboundPeerTrustBundles = resp.Bundles } - snap.ConnectProxy.PeeringTrustBundlesSet = true + snap.ConnectProxy.InboundPeerTrustBundlesSet = true case u.CorrelationID == intentionsWatchID: resp, ok := u.Result.(*structs.IndexedIntentionMatches) diff --git a/agent/proxycfg/manager_test.go b/agent/proxycfg/manager_test.go index 08a54b11bf..a62bbf2d35 100644 --- a/agent/proxycfg/manager_test.go +++ b/agent/proxycfg/manager_test.go @@ -238,7 +238,7 @@ func TestManager_BasicLifecycle(t *testing.T) { }, PassthroughUpstreams: map[UpstreamID]map[string]map[string]struct{}{}, PassthroughIndices: map[string]indexedTarget{}, - PeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{}, + UpstreamPeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{}, PeerUpstreamEndpoints: map[UpstreamID]structs.CheckServiceNodes{}, PeerUpstreamEndpointsUseHostnames: map[UpstreamID]struct{}{}, }, @@ -299,7 +299,7 @@ func TestManager_BasicLifecycle(t *testing.T) { }, PassthroughUpstreams: map[UpstreamID]map[string]map[string]struct{}{}, PassthroughIndices: map[string]indexedTarget{}, - PeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{}, + UpstreamPeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{}, PeerUpstreamEndpoints: map[UpstreamID]structs.CheckServiceNodes{}, PeerUpstreamEndpointsUseHostnames: map[UpstreamID]struct{}{}, }, diff --git a/agent/proxycfg/snapshot.go b/agent/proxycfg/snapshot.go index e405dd369e..e56c169e83 100644 --- a/agent/proxycfg/snapshot.go +++ b/agent/proxycfg/snapshot.go @@ -44,13 +44,13 @@ type ConfigSnapshotUpstreams struct { // endpoints of an upstream. WatchedUpstreamEndpoints map[UpstreamID]map[string]structs.CheckServiceNodes - // WatchedPeerTrustBundles is a map of (PeerName -> CancelFunc) in order to cancel + // WatchedUpstreamPeerTrustBundles is a map of (PeerName -> CancelFunc) in order to cancel // watches for peer trust bundles any time the list of upstream peers changes. - WatchedPeerTrustBundles map[string]context.CancelFunc + WatchedUpstreamPeerTrustBundles map[string]context.CancelFunc - // PeerTrustBundles is a map of (PeerName -> PeeringTrustBundle). + // UpstreamPeerTrustBundles is a map of (PeerName -> PeeringTrustBundle). // It is used to store trust bundles for upstream TLS transport sockets. - PeerTrustBundles map[string]*pbpeering.PeeringTrustBundle + UpstreamPeerTrustBundles map[string]*pbpeering.PeeringTrustBundle // WatchedGateways is a map of UpstreamID -> (map of GatewayKey.String() -> // CancelFunc) in order to cancel watches for mesh gateways @@ -128,8 +128,8 @@ func gatewayKeyFromString(s string) GatewayKey { type configSnapshotConnectProxy struct { ConfigSnapshotUpstreams - PeeringTrustBundlesSet bool - PeeringTrustBundles []*pbpeering.PeeringTrustBundle + InboundPeerTrustBundlesSet bool + InboundPeerTrustBundles []*pbpeering.PeeringTrustBundle WatchedServiceChecks map[structs.ServiceID][]structs.CheckType // TODO: missing garbage collection PreparedQueryEndpoints map[UpstreamID]structs.CheckServiceNodes // DEPRECATED:see:WatchedUpstreamEndpoints @@ -152,8 +152,8 @@ func (c *configSnapshotConnectProxy) isEmpty() bool { len(c.WatchedDiscoveryChains) == 0 && len(c.WatchedUpstreams) == 0 && len(c.WatchedUpstreamEndpoints) == 0 && - len(c.WatchedPeerTrustBundles) == 0 && - len(c.PeerTrustBundles) == 0 && + len(c.WatchedUpstreamPeerTrustBundles) == 0 && + len(c.UpstreamPeerTrustBundles) == 0 && len(c.WatchedGateways) == 0 && len(c.WatchedGatewayEndpoints) == 0 && len(c.WatchedServiceChecks) == 0 && @@ -161,7 +161,7 @@ func (c *configSnapshotConnectProxy) isEmpty() bool { len(c.UpstreamConfig) == 0 && len(c.PassthroughUpstreams) == 0 && len(c.IntentionUpstreams) == 0 && - !c.PeeringTrustBundlesSet && + !c.InboundPeerTrustBundlesSet && !c.MeshConfigSet && len(c.PeerUpstreamEndpoints) == 0 && len(c.PeerUpstreamEndpointsUseHostnames) == 0 @@ -637,7 +637,7 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) { snap.ConnectProxy.WatchedUpstreams = nil snap.ConnectProxy.WatchedGateways = nil snap.ConnectProxy.WatchedDiscoveryChains = nil - snap.ConnectProxy.WatchedPeerTrustBundles = nil + snap.ConnectProxy.WatchedUpstreamPeerTrustBundles = nil case structs.ServiceKindTerminatingGateway: snap.TerminatingGateway.WatchedServices = nil snap.TerminatingGateway.WatchedIntentions = nil @@ -652,7 +652,7 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) { snap.IngressGateway.WatchedUpstreams = nil snap.IngressGateway.WatchedGateways = nil snap.IngressGateway.WatchedDiscoveryChains = nil - snap.IngressGateway.WatchedPeerTrustBundles = nil + snap.IngressGateway.WatchedUpstreamPeerTrustBundles = nil // only ingress-gateway snap.IngressGateway.LeafCertWatchCancel = nil } @@ -676,7 +676,7 @@ func (s *ConfigSnapshot) Leaf() *structs.IssuedCert { func (s *ConfigSnapshot) PeeringTrustBundles() []*pbpeering.PeeringTrustBundle { switch s.Kind { case structs.ServiceKindConnectProxy: - return s.ConnectProxy.PeeringTrustBundles + return s.ConnectProxy.InboundPeerTrustBundles case structs.ServiceKindMeshGateway: return s.MeshGateway.PeeringTrustBundles default: @@ -755,7 +755,7 @@ func (u *ConfigSnapshotUpstreams) PeeredUpstreamIDs() []UpstreamID { continue } - if _, ok := u.PeerTrustBundles[uid.Peer]; uid.Peer != "" && !ok { + if _, ok := u.UpstreamPeerTrustBundles[uid.Peer]; uid.Peer != "" && !ok { // The trust bundle for this upstream is not available yet, skip for now. continue } diff --git a/agent/proxycfg/state_test.go b/agent/proxycfg/state_test.go index 667946283d..b61bc5eab2 100644 --- a/agent/proxycfg/state_test.go +++ b/agent/proxycfg/state_test.go @@ -2572,15 +2572,15 @@ func TestState_WatchesAndUpdates(t *testing.T) { require.Len(t, snap.ConnectProxy.WatchedGateways, 0, "%+v", snap.ConnectProxy.WatchedGateways) require.Len(t, snap.ConnectProxy.WatchedGatewayEndpoints, 0, "%+v", snap.ConnectProxy.WatchedGatewayEndpoints) - require.Contains(t, snap.ConnectProxy.WatchedPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedPeerTrustBundles) - require.Len(t, snap.ConnectProxy.PeerTrustBundles, 0, "%+v", snap.ConnectProxy.PeerTrustBundles) + require.Contains(t, snap.ConnectProxy.WatchedUpstreamPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles) + require.Len(t, snap.ConnectProxy.UpstreamPeerTrustBundles, 0, "%+v", snap.ConnectProxy.UpstreamPeerTrustBundles) require.Len(t, snap.ConnectProxy.PeerUpstreamEndpoints, 0, "%+v", snap.ConnectProxy.PeerUpstreamEndpoints) require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks) require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints) - require.Len(t, snap.ConnectProxy.PeeringTrustBundles, 0, "%+v", snap.ConnectProxy.PeeringTrustBundles) - require.False(t, snap.ConnectProxy.PeeringTrustBundlesSet) + require.Len(t, snap.ConnectProxy.InboundPeerTrustBundles, 0, "%+v", snap.ConnectProxy.InboundPeerTrustBundles) + require.False(t, snap.ConnectProxy.InboundPeerTrustBundlesSet) }, }, { @@ -2655,7 +2655,7 @@ func TestState_WatchesAndUpdates(t *testing.T) { require.Equal(t, indexedRoots, snap.Roots) require.Equal(t, issuedCert, snap.ConnectProxy.Leaf) - prototest.AssertDeepEqual(t, peerTrustBundles.Bundles, snap.ConnectProxy.PeeringTrustBundles) + prototest.AssertDeepEqual(t, peerTrustBundles.Bundles, snap.ConnectProxy.InboundPeerTrustBundles) require.Len(t, snap.ConnectProxy.DiscoveryChain, 1, "%+v", snap.ConnectProxy.DiscoveryChain) require.Len(t, snap.ConnectProxy.WatchedUpstreams, 1, "%+v", snap.ConnectProxy.WatchedUpstreams) @@ -2663,8 +2663,8 @@ func TestState_WatchesAndUpdates(t *testing.T) { require.Len(t, snap.ConnectProxy.WatchedGateways, 1, "%+v", snap.ConnectProxy.WatchedGateways) require.Len(t, snap.ConnectProxy.WatchedGatewayEndpoints, 1, "%+v", snap.ConnectProxy.WatchedGatewayEndpoints) - require.Contains(t, snap.ConnectProxy.WatchedPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedPeerTrustBundles) - require.Equal(t, peerTrustBundles.Bundles[0], snap.ConnectProxy.PeerTrustBundles["peer-a"], "%+v", snap.ConnectProxy.WatchedPeerTrustBundles) + require.Contains(t, snap.ConnectProxy.WatchedUpstreamPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles) + require.Equal(t, peerTrustBundles.Bundles[0], snap.ConnectProxy.UpstreamPeerTrustBundles["peer-a"], "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles) require.Len(t, snap.ConnectProxy.PeerUpstreamEndpoints, 1, "%+v", snap.ConnectProxy.PeerUpstreamEndpoints) require.NotNil(t, snap.ConnectProxy.PeerUpstreamEndpoints[extApiUID]) diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go index 2acfa7c10f..feb488a63d 100644 --- a/agent/xds/clusters.go +++ b/agent/xds/clusters.go @@ -465,9 +465,9 @@ func (s *ResourceGenerator) makeDestinationClusters(cfgSnap *proxycfg.ConfigSnap cluster := s.makeDynamicForwardProxyCluster(cfgSnap, opts) // TODO (dans): might be relevant later for TLS addons like CA validation - //if err := s.injectGatewayServiceAddons(cfgSnap, cluster, svc, loadBalancer); err != nil { + // if err := s.injectGatewayServiceAddons(cfgSnap, cluster, svc, loadBalancer); err != nil { // return nil, err - //} + // } clusters = append(clusters, cluster) } return clusters, nil @@ -695,7 +695,7 @@ func (s *ResourceGenerator) makeUpstreamClusterForPeerService( rootPEMs := cfgSnap.RootPEMs() if uid.Peer != "" { - rootPEMs = cfgSnap.ConnectProxy.PeerTrustBundles[uid.Peer].ConcatenatedRootPEMs() + rootPEMs = cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer].ConcatenatedRootPEMs() } // Enable TLS upstream with the configured client certificate. @@ -999,7 +999,7 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain( rootPEMs := cfgSnap.RootPEMs() if uid.Peer != "" { - rootPEMs = cfgSnap.ConnectProxy.PeerTrustBundles[uid.Peer].ConcatenatedRootPEMs() + rootPEMs = cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer].ConcatenatedRootPEMs() } commonTLSContext := makeCommonTLSContext( cfgSnap.Leaf(), diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go index aab41f44bb..a364ecce1c 100644 --- a/agent/xds/listeners.go +++ b/agent/xds/listeners.go @@ -697,7 +697,8 @@ func (s *ResourceGenerator) injectConnectFilters(cfgSnap *proxycfg.ConfigSnapsho authzFilter, err := makeRBACNetworkFilter( cfgSnap.ConnectProxy.Intentions, cfgSnap.IntentionDefaultAllow, - cfgSnap.ConnectProxy.PeerTrustBundles, + cfgSnap.Roots.TrustDomain, + cfgSnap.ConnectProxy.InboundPeerTrustBundles, ) if err != nil { return err @@ -952,7 +953,8 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot httpAuthzFilter, err := makeRBACHTTPFilter( cfgSnap.ConnectProxy.Intentions, cfgSnap.IntentionDefaultAllow, - cfgSnap.ConnectProxy.PeerTrustBundles, + cfgSnap.Roots.TrustDomain, + cfgSnap.ConnectProxy.InboundPeerTrustBundles, ) if err != nil { return nil, err @@ -1009,7 +1011,8 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot filterOpts.httpAuthzFilter, err = makeRBACHTTPFilter( cfgSnap.ConnectProxy.Intentions, cfgSnap.IntentionDefaultAllow, - cfgSnap.ConnectProxy.PeerTrustBundles, + cfgSnap.Roots.TrustDomain, + cfgSnap.ConnectProxy.InboundPeerTrustBundles, ) if err != nil { return nil, err @@ -1307,6 +1310,7 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg. authFilter, err := makeRBACNetworkFilter( intentions, cfgSnap.IntentionDefaultAllow, + cfgSnap.Roots.TrustDomain, nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway ) if err != nil { @@ -1344,6 +1348,7 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg. opts.httpAuthzFilter, err = makeRBACHTTPFilter( intentions, cfgSnap.IntentionDefaultAllow, + cfgSnap.Roots.TrustDomain, nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway ) if err != nil { diff --git a/agent/xds/rbac.go b/agent/xds/rbac.go index 319c648e3e..c5a6511502 100644 --- a/agent/xds/rbac.go +++ b/agent/xds/rbac.go @@ -21,9 +21,10 @@ import ( func makeRBACNetworkFilter( intentions structs.Intentions, intentionDefaultAllow bool, - peerTrustBundles map[string]*pbpeering.PeeringTrustBundle, + trustDomain string, + peerTrustBundles []*pbpeering.PeeringTrustBundle, ) (*envoy_listener_v3.Filter, error) { - rules, err := makeRBACRules(intentions, intentionDefaultAllow, false, peerTrustBundles) + rules, err := makeRBACRules(intentions, intentionDefaultAllow, trustDomain, false, peerTrustBundles) if err != nil { return nil, err } @@ -38,9 +39,10 @@ func makeRBACNetworkFilter( func makeRBACHTTPFilter( intentions structs.Intentions, intentionDefaultAllow bool, - peerTrustBundles map[string]*pbpeering.PeeringTrustBundle, + trustDomain string, + peerTrustBundles []*pbpeering.PeeringTrustBundle, ) (*envoy_http_v3.HttpFilter, error) { - rules, err := makeRBACRules(intentions, intentionDefaultAllow, true, peerTrustBundles) + rules, err := makeRBACRules(intentions, intentionDefaultAllow, trustDomain, true, peerTrustBundles) if err != nil { return nil, err } @@ -53,6 +55,7 @@ func makeRBACHTTPFilter( func intentionListToIntermediateRBACForm( intentions structs.Intentions, + trustDomain string, isHTTP bool, trustBundlesByPeer map[string]*pbpeering.PeeringTrustBundle, ) []*rbacIntention { @@ -72,7 +75,7 @@ func intentionListToIntermediateRBACForm( continue } - rixn := intentionToIntermediateRBACForm(ixn, isHTTP, trustBundle) + rixn := intentionToIntermediateRBACForm(ixn, trustDomain, isHTTP, trustBundle) rbacIxns = append(rbacIxns, rixn) } return rbacIxns @@ -210,11 +213,12 @@ func removePermissionPrecedence(perms []*rbacPermission, intentionDefaultAction return out } -func intentionToIntermediateRBACForm(ixn *structs.Intention, isHTTP bool, bundle *pbpeering.PeeringTrustBundle) *rbacIntention { +func intentionToIntermediateRBACForm(ixn *structs.Intention, trustDomain string, isHTTP bool, bundle *pbpeering.PeeringTrustBundle) *rbacIntention { rixn := &rbacIntention{ Source: rbacService{ ServiceName: ixn.SourceServiceName(), Peer: ixn.SourcePeer, + TrustDomain: trustDomain, }, Precedence: ixn.Precedence, } @@ -426,25 +430,21 @@ func simplifyNotSourceSlice(notSources []rbacService) []rbacService { func makeRBACRules( intentions structs.Intentions, intentionDefaultAllow bool, + trustDomain string, isHTTP bool, - peerTrustBundles map[string]*pbpeering.PeeringTrustBundle, + peerTrustBundles []*pbpeering.PeeringTrustBundle, ) (*envoy_rbac_v3.RBAC, error) { - // Note that we DON'T explicitly validate the trust-domain matches ours. - // - // For now we don't validate the trust domain of the _destination_ at all. - // The RBAC policies below ignore the trust domain and it's implicit that - // the request is for the correct cluster. We might want to reconsider this - // later but plumbing in additional machinery to check the clusterID here - // is not really necessary for now unless the Envoys are badly configured. - // Our threat model _requires_ correctly configured and well behaved - // proxies given that they have ACLs to fetch certs and so can do whatever - // they want including not authorizing traffic at all or routing it do a - // different service than they auth'd against. - // TODO(banks,rb): Implement revocation list checking? + // TODO(peering): mkeeler asked that these maps come from proxycfg instead of + // being constructed in xds to save memory allocation and gc pressure. Low priority. + trustBundlesByPeer := make(map[string]*pbpeering.PeeringTrustBundle, len(peerTrustBundles)) + for _, ptb := range peerTrustBundles { + trustBundlesByPeer[ptb.PeerName] = ptb + } + // First build up just the basic principal matches. - rbacIxns := intentionListToIntermediateRBACForm(intentions, isHTTP, peerTrustBundles) + rbacIxns := intentionListToIntermediateRBACForm(intentions, trustDomain, isHTTP, trustBundlesByPeer) // Normalize: if we are in default-deny then all intentions must be allows and vice versa intentionDefaultAction := intentionActionFromBool(intentionDefaultAllow) @@ -641,7 +641,7 @@ const anyPath = `[^/]+` func makeSpiffePattern(src rbacService) string { var ( - host = anyPath // TODO(peering): We match trust domain on any value but should be defaulting to the local trust domain + host = src.TrustDomain ap = src.PartitionOrDefault() ns = src.NamespaceOrDefault() svc = src.Name diff --git a/agent/xds/rbac_test.go b/agent/xds/rbac_test.go index 358a91347c..81fb32ad87 100644 --- a/agent/xds/rbac_test.go +++ b/agent/xds/rbac_test.go @@ -58,10 +58,13 @@ func TestRemoveIntentionPrecedence(t *testing.T) { ExportedPartition: "part1", }, } + testTrustDomain := "test.consul" var ( - nameWild = rbacService{ServiceName: structs.NewServiceName("*", nil)} - nameWeb = rbacService{ServiceName: structs.NewServiceName("web", nil)} + nameWild = rbacService{ServiceName: structs.NewServiceName("*", nil), + TrustDomain: testTrustDomain} + nameWeb = rbacService{ServiceName: structs.NewServiceName("web", nil), + TrustDomain: testTrustDomain} nameWildPeered = rbacService{ServiceName: structs.NewServiceName("*", nil), Peer: "peer1", TrustDomain: "peer1.domain", ExportedPartition: "part1"} nameWebPeered = rbacService{ServiceName: structs.NewServiceName("web", nil), @@ -439,7 +442,7 @@ func TestRemoveIntentionPrecedence(t *testing.T) { for name, tt := range tests { t.Run(name, func(t *testing.T) { - rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, tt.http, testPeerTrustBundle) + rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, testTrustDomain, tt.http, testPeerTrustBundle) intentionDefaultAction := intentionActionFromBool(tt.intentionDefaultAllow) rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction) @@ -472,13 +475,14 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { ixn.Permissions = perms return ixn } - testPeerTrustBundle := map[string]*pbpeering.PeeringTrustBundle{ - "peer1": { + testPeerTrustBundle := []*pbpeering.PeeringTrustBundle{ + { PeerName: "peer1", TrustDomain: "peer1.domain", ExportedPartition: "part1", }, } + testTrustDomain := "test.consul" sorted := func(ixns ...*structs.Intention) structs.Intentions { sort.SliceStable(ixns, func(i, j int) bool { return ixns[j].Precedence < ixns[i].Precedence @@ -797,7 +801,7 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { tt := tt t.Run(name, func(t *testing.T) { t.Run("network filter", func(t *testing.T) { - filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow, testPeerTrustBundle) + filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow, testTrustDomain, testPeerTrustBundle) require.NoError(t, err) t.Run("current", func(t *testing.T) { @@ -807,7 +811,7 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { }) }) t.Run("http filter", func(t *testing.T) { - filter, err := makeRBACHTTPFilter(tt.intentions, tt.intentionDefaultAllow, testPeerTrustBundle) + filter, err := makeRBACHTTPFilter(tt.intentions, tt.intentionDefaultAllow, testTrustDomain, testPeerTrustBundle) require.NoError(t, err) t.Run("current", func(t *testing.T) { diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden index b44899f2ad..b590b7135d 100644 --- a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden @@ -22,7 +22,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } @@ -35,7 +35,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden index 0926767763..51346b03fa 100644 --- a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden @@ -19,7 +19,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } @@ -34,7 +34,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } @@ -47,7 +47,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden index 806b19c593..62f4ba97ea 100644 --- a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden @@ -22,7 +22,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } @@ -35,7 +35,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } @@ -64,7 +64,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden index 0926767763..51346b03fa 100644 --- a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden @@ -19,7 +19,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } @@ -34,7 +34,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } @@ -47,7 +47,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-kitchen-sink--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-kitchen-sink--httpfilter.golden index 7142032292..65da4d27fc 100644 --- a/agent/xds/testdata/rbac/default-allow-kitchen-sink--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-allow-kitchen-sink--httpfilter.golden @@ -19,7 +19,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$" } } } @@ -31,7 +31,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } @@ -46,7 +46,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } @@ -59,7 +59,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } @@ -73,7 +73,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$" } } } @@ -87,7 +87,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-kitchen-sink.golden b/agent/xds/testdata/rbac/default-allow-kitchen-sink.golden index a85359a552..21e94ee14e 100644 --- a/agent/xds/testdata/rbac/default-allow-kitchen-sink.golden +++ b/agent/xds/testdata/rbac/default-allow-kitchen-sink.golden @@ -19,7 +19,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$" } } } @@ -31,7 +31,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } @@ -46,7 +46,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } @@ -59,7 +59,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } @@ -73,7 +73,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$" } } } @@ -87,7 +87,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-one-deny--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-one-deny--httpfilter.golden index 72be1fe601..f315c45e00 100644 --- a/agent/xds/testdata/rbac/default-allow-one-deny--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-allow-one-deny--httpfilter.golden @@ -19,7 +19,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-one-deny.golden b/agent/xds/testdata/rbac/default-allow-one-deny.golden index 05dca90f83..45b6965e08 100644 --- a/agent/xds/testdata/rbac/default-allow-one-deny.golden +++ b/agent/xds/testdata/rbac/default-allow-one-deny.golden @@ -19,7 +19,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-path-allow.golden b/agent/xds/testdata/rbac/default-allow-path-allow.golden index 05dca90f83..45b6965e08 100644 --- a/agent/xds/testdata/rbac/default-allow-path-allow.golden +++ b/agent/xds/testdata/rbac/default-allow-path-allow.golden @@ -19,7 +19,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden index 4f64c27346..aa06ebe3d2 100644 --- a/agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden @@ -23,7 +23,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-path-deny.golden b/agent/xds/testdata/rbac/default-allow-path-deny.golden index 05dca90f83..45b6965e08 100644 --- a/agent/xds/testdata/rbac/default-allow-path-deny.golden +++ b/agent/xds/testdata/rbac/default-allow-path-deny.golden @@ -19,7 +19,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-service-wildcard-deny--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-service-wildcard-deny--httpfilter.golden index be70c6725f..0c69fa8458 100644 --- a/agent/xds/testdata/rbac/default-allow-service-wildcard-deny--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-allow-service-wildcard-deny--httpfilter.golden @@ -19,7 +19,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-service-wildcard-deny.golden b/agent/xds/testdata/rbac/default-allow-service-wildcard-deny.golden index 1951818cd0..d685342e93 100644 --- a/agent/xds/testdata/rbac/default-allow-service-wildcard-deny.golden +++ b/agent/xds/testdata/rbac/default-allow-service-wildcard-deny.golden @@ -19,7 +19,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms--httpfilter.golden index a3945edbbd..ba1787d12f 100644 --- a/agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms--httpfilter.golden @@ -227,7 +227,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms.golden b/agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms.golden index 05dca90f83..45b6965e08 100644 --- a/agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms.golden +++ b/agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms.golden @@ -19,7 +19,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow--httpfilter.golden index 8eb2021ccc..98f4142098 100644 --- a/agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow--httpfilter.golden @@ -45,7 +45,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow.golden b/agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow.golden index 05dca90f83..45b6965e08 100644 --- a/agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow.golden +++ b/agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow.golden @@ -19,7 +19,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-allow-deny--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-allow-deny--httpfilter.golden index ee099df847..3e48b7c566 100644 --- a/agent/xds/testdata/rbac/default-deny-allow-deny--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-deny-allow-deny--httpfilter.golden @@ -21,7 +21,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } @@ -34,7 +34,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-allow-deny.golden b/agent/xds/testdata/rbac/default-deny-allow-deny.golden index b92c68935f..d901cf42cf 100644 --- a/agent/xds/testdata/rbac/default-deny-allow-deny.golden +++ b/agent/xds/testdata/rbac/default-deny-allow-deny.golden @@ -21,7 +21,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } @@ -34,7 +34,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden index 323526f484..003fdb24be 100644 --- a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden @@ -22,7 +22,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-kitchen-sink--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-kitchen-sink--httpfilter.golden index f61f892d4c..426404d748 100644 --- a/agent/xds/testdata/rbac/default-deny-kitchen-sink--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-deny-kitchen-sink--httpfilter.golden @@ -18,7 +18,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$" } } } @@ -30,7 +30,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } @@ -45,7 +45,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } @@ -58,7 +58,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } @@ -72,7 +72,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$" } } } @@ -86,7 +86,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-kitchen-sink.golden b/agent/xds/testdata/rbac/default-deny-kitchen-sink.golden index 30d56485cf..912b64d95c 100644 --- a/agent/xds/testdata/rbac/default-deny-kitchen-sink.golden +++ b/agent/xds/testdata/rbac/default-deny-kitchen-sink.golden @@ -18,7 +18,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$" } } } @@ -30,7 +30,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } @@ -45,7 +45,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } @@ -58,7 +58,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } @@ -72,7 +72,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$" } } } @@ -86,7 +86,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-mixed-precedence--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-mixed-precedence--httpfilter.golden index a37549e5ea..c4795f46ef 100644 --- a/agent/xds/testdata/rbac/default-deny-mixed-precedence--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-deny-mixed-precedence--httpfilter.golden @@ -18,7 +18,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-mixed-precedence.golden b/agent/xds/testdata/rbac/default-deny-mixed-precedence.golden index 4bc3c7378c..3fc78b2955 100644 --- a/agent/xds/testdata/rbac/default-deny-mixed-precedence.golden +++ b/agent/xds/testdata/rbac/default-deny-mixed-precedence.golden @@ -18,7 +18,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-one-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-one-allow--httpfilter.golden index a37549e5ea..c4795f46ef 100644 --- a/agent/xds/testdata/rbac/default-deny-one-allow--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-deny-one-allow--httpfilter.golden @@ -18,7 +18,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-one-allow.golden b/agent/xds/testdata/rbac/default-deny-one-allow.golden index 4bc3c7378c..3fc78b2955 100644 --- a/agent/xds/testdata/rbac/default-deny-one-allow.golden +++ b/agent/xds/testdata/rbac/default-deny-one-allow.golden @@ -18,7 +18,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden index 323526f484..003fdb24be 100644 --- a/agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden @@ -22,7 +22,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-peered-kitchen-sink--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-peered-kitchen-sink--httpfilter.golden index 304e428ef5..80d977dff0 100644 --- a/agent/xds/testdata/rbac/default-deny-peered-kitchen-sink--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-deny-peered-kitchen-sink--httpfilter.golden @@ -18,7 +18,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-peered-kitchen-sink.golden b/agent/xds/testdata/rbac/default-deny-peered-kitchen-sink.golden index 2d9985759a..eb48015940 100644 --- a/agent/xds/testdata/rbac/default-deny-peered-kitchen-sink.golden +++ b/agent/xds/testdata/rbac/default-deny-peered-kitchen-sink.golden @@ -18,7 +18,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-service-wildcard-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-service-wildcard-allow--httpfilter.golden index 365f970c5e..a65162f24f 100644 --- a/agent/xds/testdata/rbac/default-deny-service-wildcard-allow--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-deny-service-wildcard-allow--httpfilter.golden @@ -18,7 +18,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-service-wildcard-allow.golden b/agent/xds/testdata/rbac/default-deny-service-wildcard-allow.golden index fd84452653..3780a9079e 100644 --- a/agent/xds/testdata/rbac/default-deny-service-wildcard-allow.golden +++ b/agent/xds/testdata/rbac/default-deny-service-wildcard-allow.golden @@ -18,7 +18,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-single-intention-with-kitchen-sink-perms--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-single-intention-with-kitchen-sink-perms--httpfilter.golden index 694f5858f1..f23112071b 100644 --- a/agent/xds/testdata/rbac/default-deny-single-intention-with-kitchen-sink-perms--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-deny-single-intention-with-kitchen-sink-perms--httpfilter.golden @@ -226,7 +226,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/agent/xds/testdata/rbac/default-deny-two-path-deny-and-path-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-two-path-deny-and-path-allow--httpfilter.golden index aeadff72b9..75534cb10a 100644 --- a/agent/xds/testdata/rbac/default-deny-two-path-deny-and-path-allow--httpfilter.golden +++ b/agent/xds/testdata/rbac/default-deny-two-path-deny-and-path-allow--httpfilter.golden @@ -46,7 +46,7 @@ "googleRe2": { }, - "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$" } } } diff --git a/website/content/commands/monitor.mdx b/website/content/commands/monitor.mdx index 51899cdc53..58abbeedef 100644 --- a/website/content/commands/monitor.mdx +++ b/website/content/commands/monitor.mdx @@ -32,6 +32,6 @@ Usage: `consul monitor [options]` - `-log-level` - The log level of the messages to show. By default this is "info". This log level can be more verbose than what the agent is configured to run at. Available log levels are "trace", "debug", "info", - "warn", and "err". + "warn", and "error". - `-log-json` - Toggles whether the messages are streamed in JSON format. By default this is false. diff --git a/website/content/commands/snapshot/agent.mdx b/website/content/commands/snapshot/agent.mdx index f705253894..136a0f0652 100644 --- a/website/content/commands/snapshot/agent.mdx +++ b/website/content/commands/snapshot/agent.mdx @@ -229,7 +229,7 @@ if desired. provided, this will be disabled. Defaults to "72h". - `-log-level` - Controls verbosity of snapshot agent logs. Valid options are - "TRACE", "DEBUG", "INFO", "WARN", "ERR". Defaults to "INFO". + "trace", "debug", "info", "warn", "error". Defaults to "info". - `-service` - The service name to used when registering the agent with Consul. Registering helps monitor running agents and the leader registers an additional diff --git a/website/content/docs/agent/config/cli-flags.mdx b/website/content/docs/agent/config/cli-flags.mdx index b55f441297..caf3b6444e 100644 --- a/website/content/docs/agent/config/cli-flags.mdx +++ b/website/content/docs/agent/config/cli-flags.mdx @@ -468,7 +468,7 @@ information. - `-log-level` ((#\_log_level)) - The level of logging to show after the Consul agent has started. This defaults to "info". The available log levels are - "trace", "debug", "info", "warn", and "err". You can always connect to an agent + "trace", "debug", "info", "warn", and "error". You can always connect to an agent via [`consul monitor`](/commands/monitor) and use any log level. Also, the log level can be changed during a config reload. diff --git a/website/content/docs/lambda/index.mdx b/website/content/docs/lambda/index.mdx index f95da54961..d8540285e2 100644 --- a/website/content/docs/lambda/index.mdx +++ b/website/content/docs/lambda/index.mdx @@ -26,8 +26,8 @@ also be manually registered into Consul when using Lambda registrator is not pos See the [Registration page](/docs/lambda/registration) for more information about registring Lambda functions into Consul. -### Invoking Lambda Functions +### Invoking Lambda Functions from Consul Service Mesh Lambda functions can be invoked by any mesh service directly from connect proxies or through terminating gateways. The [Invocation page](/docs/lambda/invocation) -explains how to invoke Lambda functions from Consul connect services. +explains how to invoke Lambda functions from Consul service mesh services.