Rename CatalogDestinationsOnly (#10397)

CatalogDestinationsOnly controls the passthrough that would enable dialing
addresses outside of Consul's catalog. However, when this flag is set to
true, only _connect_ endpoints for services can be dialed.

This flag is being renamed to signal that non-Connect endpoints can't be
dialed by transparent proxies when the value is set to true.
pull/10400/head
Freddy 2021-06-14 14:15:09 -06:00 committed by GitHub
parent a2460eea24
commit ffb13f35f1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 35 additions and 35 deletions


@ -4196,7 +4196,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
"gir": "zim" "gir": "zim"
}, },
"transparent_proxy": { "transparent_proxy": {
"catalog_destinations_only": true "mesh_destinations_only": true
} }
} }
] ]
@ -4212,7 +4212,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
"gir" = "zim" "gir" = "zim"
} }
transparent_proxy { transparent_proxy {
catalog_destinations_only = true mesh_destinations_only = true
} }
} }
} }
@ -4228,7 +4228,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
}, },
EnterpriseMeta: *defaultEntMeta, EnterpriseMeta: *defaultEntMeta,
TransparentProxy: structs.TransparentProxyMeshConfig{ TransparentProxy: structs.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true, MeshDestinationsOnly: true,
}, },
}, },
} }
@ -4247,7 +4247,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
"gir": "zim" "gir": "zim"
}, },
"TransparentProxy": { "TransparentProxy": {
"CatalogDestinationsOnly": true "MeshDestinationsOnly": true
} }
} }
] ]
@ -4263,7 +4263,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
"gir" = "zim" "gir" = "zim"
} }
TransparentProxy { TransparentProxy {
CatalogDestinationsOnly = true MeshDestinationsOnly = true
} }
} }
} }
@ -4279,7 +4279,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
}, },
EnterpriseMeta: *defaultEntMeta, EnterpriseMeta: *defaultEntMeta,
TransparentProxy: structs.TransparentProxyMeshConfig{ TransparentProxy: structs.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true, MeshDestinationsOnly: true,
}, },
}, },
} }


@ -53,7 +53,7 @@ func TestConfig_Get(t *testing.T) {
Datacenter: "dc1", Datacenter: "dc1",
Entry: &structs.MeshConfigEntry{ Entry: &structs.MeshConfigEntry{
TransparentProxy: structs.TransparentProxyMeshConfig{ TransparentProxy: structs.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true, MeshDestinationsOnly: true,
}, },
Meta: map[string]string{ Meta: map[string]string{
"key1": "value1", "key1": "value1",
@ -128,7 +128,7 @@ func TestConfig_Get(t *testing.T) {
{ {
"Kind": "mesh", "Kind": "mesh",
"TransparentProxy": { "TransparentProxy": {
"CatalogDestinationsOnly": true "MeshDestinationsOnly": true
}, },
"Meta":{ "Meta":{
"key1": "value1", "key1": "value1",


@ -429,7 +429,7 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
// mesh config entry // mesh config entry
meshConfig := &structs.MeshConfigEntry{ meshConfig := &structs.MeshConfigEntry{
TransparentProxy: structs.TransparentProxyMeshConfig{ TransparentProxy: structs.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true, MeshDestinationsOnly: true,
}, },
} }
require.NoError(t, fsm.state.EnsureConfigEntry(27, meshConfig)) require.NoError(t, fsm.state.EnsureConfigEntry(27, meshConfig))


@ -20,9 +20,9 @@ type MeshConfigEntry struct {
// TransparentProxyMeshConfig contains cluster-wide options pertaining to // TransparentProxyMeshConfig contains cluster-wide options pertaining to
// TPROXY mode when enabled. // TPROXY mode when enabled.
type TransparentProxyMeshConfig struct { type TransparentProxyMeshConfig struct {
// CatalogDestinationsOnly can be used to disable the pass-through that // MeshDestinationsOnly can be used to disable the pass-through that
// allows traffic to destinations outside of the mesh. // allows traffic to destinations outside of the mesh.
CatalogDestinationsOnly bool `alias:"catalog_destinations_only"` MeshDestinationsOnly bool `alias:"mesh_destinations_only"`
} }
func (e *MeshConfigEntry) GetKind() string { func (e *MeshConfigEntry) GetKind() string {
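Review bot: The alias on `MeshDestinationsOnly` replaces `catalog_destinations_only` outright, so a mesh config entry written with the old key no longer maps to this field, and nothing on this page shows how that case is handled. If the decoder ignores the unknown key rather than rejecting it, the field falls back to `false` and the unencrypted pass-through to destinations outside the mesh is re-enabled after upgrade without an operator choosing it. The same may apply to entries already persisted under the old field name, since the snapshot-restore test only exercises the new one. It would help to confirm that old keys fail loudly, or to accept the old alias for a deprecation period, and to extend the field comment with `// When true, transparent proxies can only dial Connect endpoints; the default (false) leaves the pass-through enabled.` The second `TransparentProxyMeshConfig` declaration later on the page has the same rename and no doc comment at all.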


@ -1316,7 +1316,7 @@ func TestDecodeConfigEntry(t *testing.T) {
"gir" = "zim" "gir" = "zim"
} }
transparent_proxy { transparent_proxy {
catalog_destinations_only = true mesh_destinations_only = true
} }
`, `,
camel: ` camel: `
@ -1326,7 +1326,7 @@ func TestDecodeConfigEntry(t *testing.T) {
"gir" = "zim" "gir" = "zim"
} }
TransparentProxy { TransparentProxy {
CatalogDestinationsOnly = true MeshDestinationsOnly = true
} }
`, `,
expect: &MeshConfigEntry{ expect: &MeshConfigEntry{
@ -1335,7 +1335,7 @@ func TestDecodeConfigEntry(t *testing.T) {
"gir": "zim", "gir": "zim",
}, },
TransparentProxy: TransparentProxyMeshConfig{ TransparentProxy: TransparentProxyMeshConfig{
CatalogDestinationsOnly: true, MeshDestinationsOnly: true,
}, },
}, },
}, },


@ -178,7 +178,7 @@ func makePassthroughClusters(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message,
clusters := make([]proto.Message, 0, len(cfgSnap.ConnectProxy.PassthroughUpstreams)+1) clusters := make([]proto.Message, 0, len(cfgSnap.ConnectProxy.PassthroughUpstreams)+1)
if cfgSnap.ConnectProxy.MeshConfig == nil || if cfgSnap.ConnectProxy.MeshConfig == nil ||
!cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.CatalogDestinationsOnly { !cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.MeshDestinationsOnly {
clusters = append(clusters, &envoy_cluster_v3.Cluster{ clusters = append(clusters, &envoy_cluster_v3.Cluster{
Name: OriginalDestinationClusterName, Name: OriginalDestinationClusterName,
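Review bot: The condition guarding the `OriginalDestinationClusterName` cluster has no comment saying that a nil `MeshConfig` is treated the same as `MeshDestinationsOnly == false`, so the pass-through cluster is emitted whenever no mesh config entry exists. That fail-open default is easy to miss now that the flag name reads as a restriction. I would add `// No mesh config entry, or MeshDestinationsOnly unset: keep the original-destination pass-through (Consul does not encrypt this traffic).` above the `if`. The listener section further down uses the same condition and would benefit from the same wording. The body of makePassthroughClusters continues outside this hunk.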


@ -656,7 +656,7 @@ func TestClustersFromSnapshot(t *testing.T) {
snap.ConnectProxy.MeshConfigSet = true snap.ConnectProxy.MeshConfigSet = true
snap.ConnectProxy.MeshConfig = &structs.MeshConfigEntry{ snap.ConnectProxy.MeshConfig = &structs.MeshConfigEntry{
TransparentProxy: structs.TransparentProxyMeshConfig{ TransparentProxy: structs.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true, MeshDestinationsOnly: true,
}, },
} }
}, },


@ -212,9 +212,9 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg.
outboundListener.FilterChains[j].FilterChainMatch.PrefixRanges[0].AddressPrefix outboundListener.FilterChains[j].FilterChainMatch.PrefixRanges[0].AddressPrefix
}) })
// Add a catch-all filter chain that acts as a TCP proxy to non-catalog destinations // Add a catch-all filter chain that acts as a TCP proxy to destinations outside the mesh
if cfgSnap.ConnectProxy.MeshConfig == nil || if cfgSnap.ConnectProxy.MeshConfig == nil ||
!cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.CatalogDestinationsOnly { !cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.MeshDestinationsOnly {
filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain(
"", "",


@ -551,7 +551,7 @@ func TestListenersFromSnapshot(t *testing.T) {
snap.ConnectProxy.MeshConfigSet = true snap.ConnectProxy.MeshConfigSet = true
snap.ConnectProxy.MeshConfig = &structs.MeshConfigEntry{ snap.ConnectProxy.MeshConfig = &structs.MeshConfigEntry{
TransparentProxy: structs.TransparentProxyMeshConfig{ TransparentProxy: structs.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true, MeshDestinationsOnly: true,
}, },
} }


@ -11,7 +11,7 @@ type MeshConfigEntry struct {
} }
type TransparentProxyMeshConfig struct { type TransparentProxyMeshConfig struct {
CatalogDestinationsOnly bool `alias:"catalog_destinations_only"` MeshDestinationsOnly bool `alias:"mesh_destinations_only"`
} }
func (e *MeshConfigEntry) GetKind() string { func (e *MeshConfigEntry) GetKind() string {


@ -199,7 +199,7 @@ func TestAPI_ConfigEntries(t *testing.T) {
t.Run("Mesh", func(t *testing.T) { t.Run("Mesh", func(t *testing.T) {
mesh := &MeshConfigEntry{ mesh := &MeshConfigEntry{
TransparentProxy: TransparentProxyMeshConfig{CatalogDestinationsOnly: true}, TransparentProxy: TransparentProxyMeshConfig{MeshDestinationsOnly: true},
Meta: map[string]string{ Meta: map[string]string{
"foo": "bar", "foo": "bar",
"gir": "zim", "gir": "zim",
@ -1213,7 +1213,7 @@ func TestDecodeConfigEntry(t *testing.T) {
"gir": "zim" "gir": "zim"
}, },
"TransparentProxy": { "TransparentProxy": {
"CatalogDestinationsOnly": true "MeshDestinationsOnly": true
} }
} }
`, `,
@ -1223,7 +1223,7 @@ func TestDecodeConfigEntry(t *testing.T) {
"gir": "zim", "gir": "zim",
}, },
TransparentProxy: TransparentProxyMeshConfig{ TransparentProxy: TransparentProxyMeshConfig{
CatalogDestinationsOnly: true, MeshDestinationsOnly: true,
}, },
}, },
}, },


@ -124,7 +124,7 @@ meta {
"gir" = "zim" "gir" = "zim"
} }
transparent_proxy { transparent_proxy {
catalog_destinations_only = true mesh_destinations_only = true
} }
`) `)
@ -2674,7 +2674,7 @@ func TestParseConfigEntry(t *testing.T) {
"gir" = "zim" "gir" = "zim"
} }
transparent_proxy { transparent_proxy {
catalog_destinations_only = true mesh_destinations_only = true
} }
`, `,
camel: ` camel: `
@ -2684,7 +2684,7 @@ func TestParseConfigEntry(t *testing.T) {
"gir" = "zim" "gir" = "zim"
} }
TransparentProxy { TransparentProxy {
CatalogDestinationsOnly = true MeshDestinationsOnly = true
} }
`, `,
snakeJSON: ` snakeJSON: `
@ -2695,7 +2695,7 @@ func TestParseConfigEntry(t *testing.T) {
"gir": "zim" "gir": "zim"
}, },
"transparent_proxy": { "transparent_proxy": {
"catalog_destinations_only": true "mesh_destinations_only": true
} }
} }
`, `,
@ -2707,7 +2707,7 @@ func TestParseConfigEntry(t *testing.T) {
"gir": "zim" "gir": "zim"
}, },
"TransparentProxy": { "TransparentProxy": {
"CatalogDestinationsOnly": true "MeshDestinationsOnly": true
} }
} }
`, `,
@ -2717,7 +2717,7 @@ func TestParseConfigEntry(t *testing.T) {
"gir": "zim", "gir": "zim",
}, },
TransparentProxy: api.TransparentProxyMeshConfig{ TransparentProxy: api.TransparentProxyMeshConfig{
CatalogDestinationsOnly: true, MeshDestinationsOnly: true,
}, },
}, },
}, },


@ -18,7 +18,7 @@ Settings in this config entry apply across all namespaces and federated datacent
## Sample Config Entries ## Sample Config Entries
### Proxy traffic to catalog destinations only ### Only allow transparent proxies to dial addresses in the mesh.
<Tabs> <Tabs>
<Tab heading="HCL"> <Tab heading="HCL">
@ -27,7 +27,7 @@ Settings in this config entry apply across all namespaces and federated datacent
Kind = "mesh" Kind = "mesh"
TransparentProxy { TransparentProxy {
CatalogDestinationsOnly = true MeshDestinationsOnly = true
} }
``` ```
@ -42,7 +42,7 @@ Kind = "mesh"
Namespace = "default" # Can only be set to "default". Namespace = "default" # Can only be set to "default".
TransparentProxy { TransparentProxy {
CatalogDestinationsOnly = true MeshDestinationsOnly = true
} }
``` ```
@ -61,9 +61,9 @@ TransparentProxy {
- `TransparentProxy` `(TransparentProxyConfig: <optional>)` - Controls configuration specific to proxies in - `TransparentProxy` `(TransparentProxyConfig: <optional>)` - Controls configuration specific to proxies in
`transparent` [mode](/docs/connect/config-entries/service-defaults#mode). Added in v1.10.0. `transparent` [mode](/docs/connect/config-entries/service-defaults#mode). Added in v1.10.0.
- `CatalogDestinationsOnly` `(bool: false)` - Determines whether sidecar proxies operating in transparent mode can - `MeshDestinationsOnly` `(bool: false)` - Determines whether sidecar proxies operating in transparent mode can
proxy traffic to IP addresses not registered in Consul's catalog. If enabled, traffic will only be proxied proxy traffic to IP addresses not registered in Consul's mesh. If enabled, traffic will only be proxied
to upstreams with service registrations in the catalog. If disabled, requests will be proxied as-is to the to upstream proxies or Connect-native services. If disabled, requests will be proxied as-is to the
original destination IP address. Consul will not encrypt the connection. original destination IP address. Consul will not encrypt the connection.
## ACLs ## ACLs