From de0f9ac519f8ecb41dd4b310998f6f8b44665f81 Mon Sep 17 00:00:00 2001
From: "R.B. Boyer" <4903+rboyer@users.noreply.github.com>
Date: Tue, 28 Jun 2022 15:32:42 -0500
Subject: [PATCH] xds: have mesh gateways forward peered SpiffeIDs using the XFCC header (#13625)
---
 agent/xds/listeners.go | 44 +++++++++++--------
 ...ed-services-http-with-router.latest.golden | 8 ++++
 ...splitter-crossing-partitions.latest.golden | 8 ++++
 ...xported-peered-services-http.latest.golden | 24 ++++++++++
 4 files changed, 65 insertions(+), 19 deletions(-)
diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go
index f9495168a5..b828b5380f 100644
--- a/agent/xds/listeners.go
+++ b/agent/xds/listeners.go
@@ -1538,12 +1538,14 @@ func (s *ResourceGenerator) makeMeshGatewayPeerFilterChain(
 filterName := fmt.Sprintf("%s.%s.%s.%s", chain.ServiceName, chain.Namespace, chain.Partition, chain.Datacenter)
 filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{
- routeName: uid.EnvoyID(),
- clusterName: clusterName,
- filterName: filterName,
- protocol: chain.Protocol,
- useRDS: useRDS,
- statPrefix: "mesh_gateway_local_peered.",
+ routeName: uid.EnvoyID(),
+ clusterName: clusterName,
+ filterName: filterName,
+ protocol: chain.Protocol,
+ useRDS: useRDS,
+ statPrefix: "mesh_gateway_local_peered.",
+ forwardClientDetails: true,
+ forwardClientPolicy: envoy_http_v3.HttpConnectionManager_SANITIZE_SET,
 })
 if err != nil {
 return nil, err
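Review bot: The new `forwardClientDetails`/`forwardClientPolicy` pair in the filterChainOpts literal encodes a trust decision that the hunk leaves unexplained: SANITIZE_SET makes Envoy discard any x-forwarded-client-cert header the downstream presents and rewrite it from the certificate verified on this connection, so the SpiffeID handed to the local service is only as trustworthy as the TLS termination on this chain. A comment above `forwardClientDetails: true,` such as `// Forward the peer's verified SpiffeID to the local service via XFCC; SANITIZE_SET drops any client-supplied header so it cannot be spoofed.` would record why this mode, rather than FORWARD_ONLY or APPEND_FORWARD, was chosen. Whether this chain terminates the peer's TLS is not visible here (the literal sets no tlsContext), so it is worth confirming that termination happens before this filter; on a plaintext chain the policy would presumably just sanitize the header rather than populate it. makeMeshGatewayPeerFilterChain starts and ends outside the hunk.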
@@ -1584,13 +1586,15 @@ func (s *ResourceGenerator) makeMeshGatewayPeerFilterChain(
 }
 type filterChainOpts struct {
- routeName string
- clusterName string
- filterName string
- protocol string
- useRDS bool
- tlsContext *envoy_tls_v3.DownstreamTlsContext
- statPrefix string
+ routeName string
+ clusterName string
+ filterName string
+ protocol string
+ useRDS bool
+ tlsContext *envoy_tls_v3.DownstreamTlsContext
+ statPrefix string
+ forwardClientDetails bool
+ forwardClientPolicy envoy_http_v3.HttpConnectionManager_ForwardClientCertDetails
 }
 func (s *ResourceGenerator) makeUpstreamFilterChain(opts filterChainOpts) (*envoy_listener_v3.FilterChain, error) {
@@ -1598,12 +1602,14 @@ func (s *ResourceGenerator) makeUpstreamFilterChain(opts filterChainOpts) (*envo
 opts.statPrefix = "upstream."
 }
 filter, err := makeListenerFilter(listenerFilterOpts{
- useRDS: opts.useRDS,
- protocol: opts.protocol,
- filterName: opts.filterName,
- routeName: opts.routeName,
- cluster: opts.clusterName,
- statPrefix: opts.statPrefix,
+ useRDS: opts.useRDS,
+ protocol: opts.protocol,
+ filterName: opts.filterName,
+ routeName: opts.routeName,
+ cluster: opts.clusterName,
+ statPrefix: opts.statPrefix,
+ forwardClientDetails: opts.forwardClientDetails,
+ forwardClientPolicy: opts.forwardClientPolicy,
 })
 if err != nil {
 return nil, err
diff --git a/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-router.latest.golden b/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-router.latest.golden
index e6c1280e06..b89506084d 100644
--- a/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-router.latest.golden
+++ b/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-router.latest.golden
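Review bot: The two fields added to filterChainOpts carry no comment, and their interaction is easy to get wrong: `forwardClientDetails` is a bool while `forwardClientPolicy` is an Envoy enum whose zero value is SANITIZE, so a caller that sets the bool and omits the policy would have the XFCC header stripped rather than populated, presumably without any error from makeListenerFilter (its body is not visible here). Suggest documenting both fields on the struct, e.g. `// forwardClientDetails enables XFCC forwarding in the HTTP connection manager.` and `// forwardClientPolicy selects Envoy's ForwardClientCertDetails mode; set it explicitly when forwardClientDetails is true, since the zero value is SANITIZE (strip only).` The following hunk in makeUpstreamFilterChain only passes both values through to listenerFilterOpts and needs no change of its own. The struct declaration and both functions begin or end outside these hunks.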
@@ -44,6 +44,14 @@ "randomSampling": { } + }, + "forwardClientCertDetails": "SANITIZE_SET", + "setCurrentClientCertDetails": { + "subject": true, + "cert": true, + "chain": true, + "dns": true, + "uri": true } } } diff --git a/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden b/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden index 341979b5b9..6003859738 100644 --- a/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden +++ b/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http-with-splitter-crossing-partitions.latest.golden @@ -44,6 +44,14 @@ "randomSampling": { } + }, + "forwardClientCertDetails": "SANITIZE_SET", + "setCurrentClientCertDetails": { + "subject": true, + "cert": true, + "chain": true, + "dns": true, + "uri": true } } } diff --git a/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http.latest.golden b/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http.latest.golden index cf5ae5a9e5..acb312116d 100644 --- a/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http.latest.golden +++ b/agent/xds/testdata/listeners/mesh-gateway-with-exported-peered-services-http.latest.golden @@ -44,6 +44,14 @@ "randomSampling": { } + }, + "forwardClientCertDetails": "SANITIZE_SET", + "setCurrentClientCertDetails": { + "subject": true, + "cert": true, + "chain": true, + "dns": true, + "uri": true } } } @@ -126,6 +134,14 @@ "randomSampling": { } + }, + "forwardClientCertDetails": "SANITIZE_SET", + "setCurrentClientCertDetails": { + "subject": true, + "cert": true, + "chain": true, + "dns": true, + "uri": true } } } 
@@ -208,6 +224,14 @@ "randomSampling": { } + }, + "forwardClientCertDetails": "SANITIZE_SET", + "setCurrentClientCertDetails": { + "subject": true, + "cert": true, + "chain": true, + "dns": true, + "uri": true } } }