github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

update jwks cluster creation to gracefully handle ipv6

pull/21703/head
jm96441n 2024-09-09 21:51:52 -04:00
parent 3e6f1c1fe1
commit a03603a6e4
1 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
agent/xds/clusters.go
View File

@ -214,9 +214,12 @@ func makeJWTProviderCluster(p *structs.JWTProviderConfigEntry) (*envoy_cluster_v
return nil, err
}
discoveryType := makeJWKSDiscoveryClusterType(p.JSONWebKeySet.Remote)
lookupFamily := makeJWKSClusterDNSLookupFamilyType(discoveryType)
cluster := &envoy_cluster_v3.Cluster{
Name: makeJWKSClusterName(p.Name),
ClusterDiscoveryType: makeJWKSDiscoveryClusterType(p.JSONWebKeySet.Remote),
ClusterDiscoveryType: discoveryType,
DnsLookupFamily: lookupFamily,
LoadAssignment: &envoy_endpoint_v3.ClusterLoadAssignment{
ClusterName: makeJWKSClusterName(p.Name),
Endpoints: []*envoy_endpoint_v3.LocalityLbEndpoints{
@ -278,6 +281,23 @@ func makeJWKSDiscoveryClusterType(r *structs.RemoteJWKS) *envoy_cluster_v3.Clust
return ct
}
func makeJWKSClusterDNSLookupFamilyType(r *envoy_cluster_v3.Cluster_Type) envoy_cluster_v3.Cluster_DnsLookupFamily {
// When using LOGICAL_DNS we want to use the Cluster_ALL lookup family which will fetch all the ip addresses for a given hostname and then
// try to connect to each one and will create the cluster based on the first one that passes.
// When using STRICT_DNS we want to use the CLUSTER_V4_PREFERRED lookup family which will prefer
// creating clusters using ipv4 addresses if those are available.
// Otherwise we fallback to Cluser_AUTO which will use the default behavior, and will be ignored as per the documentation.
// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
switch r.Type {
case envoy_cluster_v3.Cluster_LOGICAL_DNS:
return envoy_cluster_v3.Cluster_ALL
case envoy_cluster_v3.Cluster_STRICT_DNS:
return envoy_cluster_v3.Cluster_V4_PREFERRED
default:
return envoy_cluster_v3.Cluster_AUTO
}
}
func makeJWTCertValidationContext(p *structs.JWKSCluster) *envoy_tls_v3.CertificateValidationContext {
vc := &envoy_tls_v3.CertificateValidationContext{}
if p == nil || p.TLSCertificates == nil {