mirror of https://github.com/hashicorp/consul
Chris S. Kim
10 months ago
committed by
GitHub
9 changed files with 628 additions and 24 deletions
@ -0,0 +1,3 @@ |
|||||||
|
```release-note:bug |
||||||
|
mesh: Fix bug where envoy extensions could not be configured with "permissive" mTLS mode. Note that envoy extensions currently do not apply to non-mTLS traffic in permissive mode. |
||||||
|
``` |
@ -0,0 +1,175 @@ |
|||||||
|
{ |
||||||
|
"nonce": "00000001", |
||||||
|
"resources": [ |
||||||
|
{ |
||||||
|
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", |
||||||
|
"altStatName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", |
||||||
|
"circuitBreakers": {}, |
||||||
|
"commonLbConfig": { |
||||||
|
"healthyPanicThreshold": {} |
||||||
|
}, |
||||||
|
"connectTimeout": "5s", |
||||||
|
"edsClusterConfig": { |
||||||
|
"edsConfig": { |
||||||
|
"ads": {}, |
||||||
|
"resourceApiVersion": "V3" |
||||||
|
} |
||||||
|
}, |
||||||
|
"name": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", |
||||||
|
"outlierDetection": {}, |
||||||
|
"transportSocket": { |
||||||
|
"name": "tls", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", |
||||||
|
"commonTlsContext": { |
||||||
|
"tlsCertificates": [ |
||||||
|
{ |
||||||
|
"certificateChain": { |
||||||
|
"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" |
||||||
|
}, |
||||||
|
"privateKey": { |
||||||
|
"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" |
||||||
|
} |
||||||
|
} |
||||||
|
], |
||||||
|
"tlsParams": {}, |
||||||
|
"validationContext": { |
||||||
|
"matchTypedSubjectAltNames": [ |
||||||
|
{ |
||||||
|
"matcher": { |
||||||
|
"exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/db" |
||||||
|
}, |
||||||
|
"sanType": "URI" |
||||||
|
} |
||||||
|
], |
||||||
|
"trustedCa": { |
||||||
|
"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" |
||||||
|
} |
||||||
|
} |
||||||
|
}, |
||||||
|
"sni": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" |
||||||
|
} |
||||||
|
}, |
||||||
|
"type": "EDS" |
||||||
|
}, |
||||||
|
{ |
||||||
|
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", |
||||||
|
"circuitBreakers": {}, |
||||||
|
"connectTimeout": "5s", |
||||||
|
"edsClusterConfig": { |
||||||
|
"edsConfig": { |
||||||
|
"ads": {}, |
||||||
|
"resourceApiVersion": "V3" |
||||||
|
} |
||||||
|
}, |
||||||
|
"name": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", |
||||||
|
"outlierDetection": {}, |
||||||
|
"transportSocket": { |
||||||
|
"name": "tls", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", |
||||||
|
"commonTlsContext": { |
||||||
|
"tlsCertificates": [ |
||||||
|
{ |
||||||
|
"certificateChain": { |
||||||
|
"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" |
||||||
|
}, |
||||||
|
"privateKey": { |
||||||
|
"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" |
||||||
|
} |
||||||
|
} |
||||||
|
], |
||||||
|
"tlsParams": {}, |
||||||
|
"validationContext": { |
||||||
|
"matchTypedSubjectAltNames": [ |
||||||
|
{ |
||||||
|
"matcher": { |
||||||
|
"exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target" |
||||||
|
}, |
||||||
|
"sanType": "URI" |
||||||
|
}, |
||||||
|
{ |
||||||
|
"matcher": { |
||||||
|
"exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target" |
||||||
|
}, |
||||||
|
"sanType": "URI" |
||||||
|
} |
||||||
|
], |
||||||
|
"trustedCa": { |
||||||
|
"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" |
||||||
|
} |
||||||
|
} |
||||||
|
}, |
||||||
|
"sni": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul" |
||||||
|
} |
||||||
|
}, |
||||||
|
"type": "EDS" |
||||||
|
}, |
||||||
|
{ |
||||||
|
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", |
||||||
|
"connectTimeout": "5s", |
||||||
|
"loadAssignment": { |
||||||
|
"clusterName": "local_app", |
||||||
|
"endpoints": [ |
||||||
|
{ |
||||||
|
"lbEndpoints": [ |
||||||
|
{ |
||||||
|
"endpoint": { |
||||||
|
"address": { |
||||||
|
"socketAddress": { |
||||||
|
"address": "127.0.0.1", |
||||||
|
"portValue": 8080 |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
] |
||||||
|
} |
||||||
|
] |
||||||
|
}, |
||||||
|
"name": "local_app", |
||||||
|
"type": "STATIC" |
||||||
|
}, |
||||||
|
{ |
||||||
|
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", |
||||||
|
"loadAssignment": { |
||||||
|
"clusterName": "local_ext_authz", |
||||||
|
"endpoints": [ |
||||||
|
{ |
||||||
|
"lbEndpoints": [ |
||||||
|
{ |
||||||
|
"endpoint": { |
||||||
|
"address": { |
||||||
|
"socketAddress": { |
||||||
|
"address": "127.0.0.1", |
||||||
|
"portValue": 9191 |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
] |
||||||
|
} |
||||||
|
] |
||||||
|
}, |
||||||
|
"name": "local_ext_authz", |
||||||
|
"type": "STATIC", |
||||||
|
"typedExtensionProtocolOptions": { |
||||||
|
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", |
||||||
|
"explicitHttpConfig": { |
||||||
|
"http2ProtocolOptions": {} |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
}, |
||||||
|
{ |
||||||
|
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", |
||||||
|
"connectTimeout": "5s", |
||||||
|
"lbPolicy": "CLUSTER_PROVIDED", |
||||||
|
"name": "original-destination", |
||||||
|
"type": "ORIGINAL_DST" |
||||||
|
} |
||||||
|
], |
||||||
|
"typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", |
||||||
|
"versionInfo": "00000001" |
||||||
|
} |
@ -0,0 +1,75 @@ |
|||||||
|
{ |
||||||
|
"nonce": "00000001", |
||||||
|
"resources": [ |
||||||
|
{ |
||||||
|
"@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", |
||||||
|
"clusterName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", |
||||||
|
"endpoints": [ |
||||||
|
{ |
||||||
|
"lbEndpoints": [ |
||||||
|
{ |
||||||
|
"endpoint": { |
||||||
|
"address": { |
||||||
|
"socketAddress": { |
||||||
|
"address": "10.10.1.1", |
||||||
|
"portValue": 8080 |
||||||
|
} |
||||||
|
} |
||||||
|
}, |
||||||
|
"healthStatus": "HEALTHY", |
||||||
|
"loadBalancingWeight": 1 |
||||||
|
}, |
||||||
|
{ |
||||||
|
"endpoint": { |
||||||
|
"address": { |
||||||
|
"socketAddress": { |
||||||
|
"address": "10.10.1.2", |
||||||
|
"portValue": 8080 |
||||||
|
} |
||||||
|
} |
||||||
|
}, |
||||||
|
"healthStatus": "HEALTHY", |
||||||
|
"loadBalancingWeight": 1 |
||||||
|
} |
||||||
|
] |
||||||
|
} |
||||||
|
] |
||||||
|
}, |
||||||
|
{ |
||||||
|
"@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", |
||||||
|
"clusterName": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", |
||||||
|
"endpoints": [ |
||||||
|
{ |
||||||
|
"lbEndpoints": [ |
||||||
|
{ |
||||||
|
"endpoint": { |
||||||
|
"address": { |
||||||
|
"socketAddress": { |
||||||
|
"address": "10.10.1.1", |
||||||
|
"portValue": 8080 |
||||||
|
} |
||||||
|
} |
||||||
|
}, |
||||||
|
"healthStatus": "HEALTHY", |
||||||
|
"loadBalancingWeight": 1 |
||||||
|
}, |
||||||
|
{ |
||||||
|
"endpoint": { |
||||||
|
"address": { |
||||||
|
"socketAddress": { |
||||||
|
"address": "10.20.1.2", |
||||||
|
"portValue": 8080 |
||||||
|
} |
||||||
|
} |
||||||
|
}, |
||||||
|
"healthStatus": "HEALTHY", |
||||||
|
"loadBalancingWeight": 1 |
||||||
|
} |
||||||
|
] |
||||||
|
} |
||||||
|
] |
||||||
|
} |
||||||
|
], |
||||||
|
"typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", |
||||||
|
"versionInfo": "00000001" |
||||||
|
} |
@ -0,0 +1,305 @@ |
|||||||
|
{ |
||||||
|
"nonce": "00000001", |
||||||
|
"resources": [ |
||||||
|
{ |
||||||
|
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener", |
||||||
|
"address": { |
||||||
|
"socketAddress": { |
||||||
|
"address": "127.0.0.1", |
||||||
|
"portValue": 9191 |
||||||
|
} |
||||||
|
}, |
||||||
|
"filterChains": [ |
||||||
|
{ |
||||||
|
"filters": [ |
||||||
|
{ |
||||||
|
"name": "envoy.filters.network.tcp_proxy", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", |
||||||
|
"cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", |
||||||
|
"statPrefix": "upstream.db.default.default.dc1" |
||||||
|
} |
||||||
|
} |
||||||
|
] |
||||||
|
} |
||||||
|
], |
||||||
|
"name": "db:127.0.0.1:9191", |
||||||
|
"trafficDirection": "OUTBOUND" |
||||||
|
}, |
||||||
|
{ |
||||||
|
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener", |
||||||
|
"address": { |
||||||
|
"socketAddress": { |
||||||
|
"address": "127.0.0.1", |
||||||
|
"portValue": 1234 |
||||||
|
} |
||||||
|
}, |
||||||
|
"defaultFilterChain": { |
||||||
|
"filters": [ |
||||||
|
{ |
||||||
|
"name": "envoy.filters.network.tcp_proxy", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", |
||||||
|
"cluster": "original-destination", |
||||||
|
"statPrefix": "upstream.original-destination" |
||||||
|
} |
||||||
|
} |
||||||
|
] |
||||||
|
}, |
||||||
|
"listenerFilters": [ |
||||||
|
{ |
||||||
|
"name": "envoy.filters.listener.original_dst", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst" |
||||||
|
} |
||||||
|
} |
||||||
|
], |
||||||
|
"name": "outbound_listener:127.0.0.1:1234", |
||||||
|
"trafficDirection": "OUTBOUND" |
||||||
|
}, |
||||||
|
{ |
||||||
|
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener", |
||||||
|
"address": { |
||||||
|
"socketAddress": { |
||||||
|
"address": "127.10.10.10", |
||||||
|
"portValue": 8181 |
||||||
|
} |
||||||
|
}, |
||||||
|
"filterChains": [ |
||||||
|
{ |
||||||
|
"filters": [ |
||||||
|
{ |
||||||
|
"name": "envoy.filters.network.tcp_proxy", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", |
||||||
|
"cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", |
||||||
|
"statPrefix": "upstream.prepared_query_geo-cache" |
||||||
|
} |
||||||
|
} |
||||||
|
] |
||||||
|
} |
||||||
|
], |
||||||
|
"name": "prepared_query:geo-cache:127.10.10.10:8181", |
||||||
|
"trafficDirection": "OUTBOUND" |
||||||
|
}, |
||||||
|
{ |
||||||
|
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener", |
||||||
|
"address": { |
||||||
|
"socketAddress": { |
||||||
|
"address": "0.0.0.0", |
||||||
|
"portValue": 9999 |
||||||
|
} |
||||||
|
}, |
||||||
|
"filterChains": [ |
||||||
|
{ |
||||||
|
"filters": [ |
||||||
|
{ |
||||||
|
"name": "envoy.filters.network.http_connection_manager", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", |
||||||
|
"forwardClientCertDetails": "APPEND_FORWARD", |
||||||
|
"httpFilters": [ |
||||||
|
{ |
||||||
|
"name": "envoy.filters.http.rbac", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC", |
||||||
|
"rules": {} |
||||||
|
} |
||||||
|
}, |
||||||
|
{ |
||||||
|
"name": "envoy.filters.http.header_to_metadata", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.filters.http.header_to_metadata.v3.Config", |
||||||
|
"requestRules": [ |
||||||
|
{ |
||||||
|
"header": "x-forwarded-client-cert", |
||||||
|
"onHeaderPresent": { |
||||||
|
"key": "trust-domain", |
||||||
|
"metadataNamespace": "consul", |
||||||
|
"regexValueRewrite": { |
||||||
|
"pattern": { |
||||||
|
"regex": ".*URI=spiffe://([^/]+.[^/]+)(?:/ap/([^/]+))?/ns/([^/]+)/dc/([^/]+)/svc/([^/;,]+).*" |
||||||
|
}, |
||||||
|
"substitution": "\\1" |
||||||
|
} |
||||||
|
} |
||||||
|
}, |
||||||
|
{ |
||||||
|
"header": "x-forwarded-client-cert", |
||||||
|
"onHeaderPresent": { |
||||||
|
"key": "partition", |
||||||
|
"metadataNamespace": "consul", |
||||||
|
"regexValueRewrite": { |
||||||
|
"pattern": { |
||||||
|
"regex": ".*URI=spiffe://([^/]+.[^/]+)(?:/ap/([^/]+))?/ns/([^/]+)/dc/([^/]+)/svc/([^/;,]+).*" |
||||||
|
}, |
||||||
|
"substitution": "\\2" |
||||||
|
} |
||||||
|
} |
||||||
|
}, |
||||||
|
{ |
||||||
|
"header": "x-forwarded-client-cert", |
||||||
|
"onHeaderPresent": { |
||||||
|
"key": "namespace", |
||||||
|
"metadataNamespace": "consul", |
||||||
|
"regexValueRewrite": { |
||||||
|
"pattern": { |
||||||
|
"regex": ".*URI=spiffe://([^/]+.[^/]+)(?:/ap/([^/]+))?/ns/([^/]+)/dc/([^/]+)/svc/([^/;,]+).*" |
||||||
|
}, |
||||||
|
"substitution": "\\3" |
||||||
|
} |
||||||
|
} |
||||||
|
}, |
||||||
|
{ |
||||||
|
"header": "x-forwarded-client-cert", |
||||||
|
"onHeaderPresent": { |
||||||
|
"key": "datacenter", |
||||||
|
"metadataNamespace": "consul", |
||||||
|
"regexValueRewrite": { |
||||||
|
"pattern": { |
||||||
|
"regex": ".*URI=spiffe://([^/]+.[^/]+)(?:/ap/([^/]+))?/ns/([^/]+)/dc/([^/]+)/svc/([^/;,]+).*" |
||||||
|
}, |
||||||
|
"substitution": "\\4" |
||||||
|
} |
||||||
|
} |
||||||
|
}, |
||||||
|
{ |
||||||
|
"header": "x-forwarded-client-cert", |
||||||
|
"onHeaderPresent": { |
||||||
|
"key": "service", |
||||||
|
"metadataNamespace": "consul", |
||||||
|
"regexValueRewrite": { |
||||||
|
"pattern": { |
||||||
|
"regex": ".*URI=spiffe://([^/]+.[^/]+)(?:/ap/([^/]+))?/ns/([^/]+)/dc/([^/]+)/svc/([^/;,]+).*" |
||||||
|
}, |
||||||
|
"substitution": "\\5" |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
] |
||||||
|
} |
||||||
|
}, |
||||||
|
{ |
||||||
|
"name": "envoy.filters.http.ext_authz", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz", |
||||||
|
"failureModeAllow": true, |
||||||
|
"grpcService": { |
||||||
|
"envoyGrpc": { |
||||||
|
"clusterName": "local_ext_authz" |
||||||
|
} |
||||||
|
}, |
||||||
|
"metadataContextNamespaces": [ |
||||||
|
"consul" |
||||||
|
], |
||||||
|
"statPrefix": "response", |
||||||
|
"transportApiVersion": "V3" |
||||||
|
} |
||||||
|
}, |
||||||
|
{ |
||||||
|
"name": "envoy.filters.http.router", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" |
||||||
|
} |
||||||
|
} |
||||||
|
], |
||||||
|
"routeConfig": { |
||||||
|
"name": "public_listener", |
||||||
|
"virtualHosts": [ |
||||||
|
{ |
||||||
|
"domains": [ |
||||||
|
"*" |
||||||
|
], |
||||||
|
"name": "public_listener", |
||||||
|
"routes": [ |
||||||
|
{ |
||||||
|
"match": { |
||||||
|
"prefix": "/" |
||||||
|
}, |
||||||
|
"route": { |
||||||
|
"cluster": "local_app" |
||||||
|
} |
||||||
|
} |
||||||
|
] |
||||||
|
} |
||||||
|
] |
||||||
|
}, |
||||||
|
"setCurrentClientCertDetails": { |
||||||
|
"cert": true, |
||||||
|
"chain": true, |
||||||
|
"dns": true, |
||||||
|
"subject": true, |
||||||
|
"uri": true |
||||||
|
}, |
||||||
|
"statPrefix": "public_listener", |
||||||
|
"tracing": { |
||||||
|
"randomSampling": {} |
||||||
|
}, |
||||||
|
"upgradeConfigs": [ |
||||||
|
{ |
||||||
|
"upgradeType": "websocket" |
||||||
|
} |
||||||
|
] |
||||||
|
} |
||||||
|
} |
||||||
|
], |
||||||
|
"transportSocket": { |
||||||
|
"name": "tls", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", |
||||||
|
"commonTlsContext": { |
||||||
|
"alpnProtocols": [ |
||||||
|
"http/1.1" |
||||||
|
], |
||||||
|
"tlsCertificates": [ |
||||||
|
{ |
||||||
|
"certificateChain": { |
||||||
|
"inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" |
||||||
|
}, |
||||||
|
"privateKey": { |
||||||
|
"inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" |
||||||
|
} |
||||||
|
} |
||||||
|
], |
||||||
|
"tlsParams": {}, |
||||||
|
"validationContext": { |
||||||
|
"trustedCa": { |
||||||
|
"inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" |
||||||
|
} |
||||||
|
} |
||||||
|
}, |
||||||
|
"requireClientCertificate": true |
||||||
|
} |
||||||
|
} |
||||||
|
}, |
||||||
|
{ |
||||||
|
"filterChainMatch": { |
||||||
|
"destinationPort": 8080 |
||||||
|
}, |
||||||
|
"filters": [ |
||||||
|
{ |
||||||
|
"name": "envoy.filters.network.tcp_proxy", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", |
||||||
|
"cluster": "local_app", |
||||||
|
"statPrefix": "permissive_public_listener" |
||||||
|
} |
||||||
|
} |
||||||
|
] |
||||||
|
} |
||||||
|
], |
||||||
|
"listenerFilters": [ |
||||||
|
{ |
||||||
|
"name": "envoy.filters.listener.original_dst", |
||||||
|
"typedConfig": { |
||||||
|
"@type": "type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst" |
||||||
|
} |
||||||
|
} |
||||||
|
], |
||||||
|
"name": "public_listener:0.0.0.0:9999", |
||||||
|
"trafficDirection": "INBOUND" |
||||||
|
} |
||||||
|
], |
||||||
|
"typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", |
||||||
|
"versionInfo": "00000001" |
||||||
|
} |
@ -0,0 +1,5 @@ |
|||||||
|
{ |
||||||
|
"nonce": "00000001", |
||||||
|
"typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", |
||||||
|
"versionInfo": "00000001" |
||||||
|
} |
Loading…
Reference in new issue