Rename CatalogDestinationsOnly (#10397)
CatalogDestinationsOnly is a passthrough that would enable dialing addresses outside of Consul's catalog. However, when this flag is set to true only _connect_ endpoints for services can be dialed. This flag is being renamed to signal that non-Connect endpoints can't be dialed by transparent proxies when the value is set to true.pull/10400/head
parent
a2460eea24
commit
ffb13f35f1
|
@ -4196,7 +4196,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
||||||
"gir": "zim"
|
"gir": "zim"
|
||||||
},
|
},
|
||||||
"transparent_proxy": {
|
"transparent_proxy": {
|
||||||
"catalog_destinations_only": true
|
"mesh_destinations_only": true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
@ -4212,7 +4212,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
||||||
"gir" = "zim"
|
"gir" = "zim"
|
||||||
}
|
}
|
||||||
transparent_proxy {
|
transparent_proxy {
|
||||||
catalog_destinations_only = true
|
mesh_destinations_only = true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -4228,7 +4228,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
||||||
},
|
},
|
||||||
EnterpriseMeta: *defaultEntMeta,
|
EnterpriseMeta: *defaultEntMeta,
|
||||||
TransparentProxy: structs.TransparentProxyMeshConfig{
|
TransparentProxy: structs.TransparentProxyMeshConfig{
|
||||||
CatalogDestinationsOnly: true,
|
MeshDestinationsOnly: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -4247,7 +4247,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
||||||
"gir": "zim"
|
"gir": "zim"
|
||||||
},
|
},
|
||||||
"TransparentProxy": {
|
"TransparentProxy": {
|
||||||
"CatalogDestinationsOnly": true
|
"MeshDestinationsOnly": true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
@ -4263,7 +4263,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
||||||
"gir" = "zim"
|
"gir" = "zim"
|
||||||
}
|
}
|
||||||
TransparentProxy {
|
TransparentProxy {
|
||||||
CatalogDestinationsOnly = true
|
MeshDestinationsOnly = true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -4279,7 +4279,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
|
||||||
},
|
},
|
||||||
EnterpriseMeta: *defaultEntMeta,
|
EnterpriseMeta: *defaultEntMeta,
|
||||||
TransparentProxy: structs.TransparentProxyMeshConfig{
|
TransparentProxy: structs.TransparentProxyMeshConfig{
|
||||||
CatalogDestinationsOnly: true,
|
MeshDestinationsOnly: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
|
@ -53,7 +53,7 @@ func TestConfig_Get(t *testing.T) {
|
||||||
Datacenter: "dc1",
|
Datacenter: "dc1",
|
||||||
Entry: &structs.MeshConfigEntry{
|
Entry: &structs.MeshConfigEntry{
|
||||||
TransparentProxy: structs.TransparentProxyMeshConfig{
|
TransparentProxy: structs.TransparentProxyMeshConfig{
|
||||||
CatalogDestinationsOnly: true,
|
MeshDestinationsOnly: true,
|
||||||
},
|
},
|
||||||
Meta: map[string]string{
|
Meta: map[string]string{
|
||||||
"key1": "value1",
|
"key1": "value1",
|
||||||
|
@ -128,7 +128,7 @@ func TestConfig_Get(t *testing.T) {
|
||||||
{
|
{
|
||||||
"Kind": "mesh",
|
"Kind": "mesh",
|
||||||
"TransparentProxy": {
|
"TransparentProxy": {
|
||||||
"CatalogDestinationsOnly": true
|
"MeshDestinationsOnly": true
|
||||||
},
|
},
|
||||||
"Meta":{
|
"Meta":{
|
||||||
"key1": "value1",
|
"key1": "value1",
|
||||||
|
|
|
@ -429,7 +429,7 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
|
||||||
// mesh config entry
|
// mesh config entry
|
||||||
meshConfig := &structs.MeshConfigEntry{
|
meshConfig := &structs.MeshConfigEntry{
|
||||||
TransparentProxy: structs.TransparentProxyMeshConfig{
|
TransparentProxy: structs.TransparentProxyMeshConfig{
|
||||||
CatalogDestinationsOnly: true,
|
MeshDestinationsOnly: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
require.NoError(t, fsm.state.EnsureConfigEntry(27, meshConfig))
|
require.NoError(t, fsm.state.EnsureConfigEntry(27, meshConfig))
|
||||||
|
|
|
@ -20,9 +20,9 @@ type MeshConfigEntry struct {
|
||||||
// TransparentProxyMeshConfig contains cluster-wide options pertaining to
|
// TransparentProxyMeshConfig contains cluster-wide options pertaining to
|
||||||
// TPROXY mode when enabled.
|
// TPROXY mode when enabled.
|
||||||
type TransparentProxyMeshConfig struct {
|
type TransparentProxyMeshConfig struct {
|
||||||
// CatalogDestinationsOnly can be used to disable the pass-through that
|
// MeshDestinationsOnly can be used to disable the pass-through that
|
||||||
// allows traffic to destinations outside of the mesh.
|
// allows traffic to destinations outside of the mesh.
|
||||||
CatalogDestinationsOnly bool `alias:"catalog_destinations_only"`
|
MeshDestinationsOnly bool `alias:"mesh_destinations_only"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *MeshConfigEntry) GetKind() string {
|
func (e *MeshConfigEntry) GetKind() string {
|
||||||
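Review bot: The new tag `MeshDestinationsOnly bool `alias:"mesh_destinations_only"`` drops the old `catalog_destinations_only` key entirely, so a config entry still written with the old name would decode with the field left false, and both the cluster builder (`!...TransparentProxy.MeshDestinationsOnly` in makePassthroughClusters) and the listener builder later in this commit treat false as "add the passthrough to destinations outside the mesh" — a rename that fails open on a restrictive setting. If the old name has shipped in any release (the docs hunk says the option was added in v1.10.0), it would be safer to keep accepting it on decode; the `alias` tag in this codebase appears to accept a comma-separated list, so `alias:"mesh_destinations_only,catalog_destinations_only"` would presumably cover it, and failing that a decode-time error on the old key is preferable to silently ignoring it. The same applies to the public `api.TransparentProxyMeshConfig` field renamed in the later hunk, which is also a compile break for Go API consumers. The enclosing struct's file context is cut at the hunk edges.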
|
|
|
@ -1316,7 +1316,7 @@ func TestDecodeConfigEntry(t *testing.T) {
|
||||||
"gir" = "zim"
|
"gir" = "zim"
|
||||||
}
|
}
|
||||||
transparent_proxy {
|
transparent_proxy {
|
||||||
catalog_destinations_only = true
|
mesh_destinations_only = true
|
||||||
}
|
}
|
||||||
`,
|
`,
|
||||||
camel: `
|
camel: `
|
||||||
|
@ -1326,7 +1326,7 @@ func TestDecodeConfigEntry(t *testing.T) {
|
||||||
"gir" = "zim"
|
"gir" = "zim"
|
||||||
}
|
}
|
||||||
TransparentProxy {
|
TransparentProxy {
|
||||||
CatalogDestinationsOnly = true
|
MeshDestinationsOnly = true
|
||||||
}
|
}
|
||||||
`,
|
`,
|
||||||
expect: &MeshConfigEntry{
|
expect: &MeshConfigEntry{
|
||||||
|
@ -1335,7 +1335,7 @@ func TestDecodeConfigEntry(t *testing.T) {
|
||||||
"gir": "zim",
|
"gir": "zim",
|
||||||
},
|
},
|
||||||
TransparentProxy: TransparentProxyMeshConfig{
|
TransparentProxy: TransparentProxyMeshConfig{
|
||||||
CatalogDestinationsOnly: true,
|
MeshDestinationsOnly: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -178,7 +178,7 @@ func makePassthroughClusters(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message,
|
||||||
clusters := make([]proto.Message, 0, len(cfgSnap.ConnectProxy.PassthroughUpstreams)+1)
|
clusters := make([]proto.Message, 0, len(cfgSnap.ConnectProxy.PassthroughUpstreams)+1)
|
||||||
|
|
||||||
if cfgSnap.ConnectProxy.MeshConfig == nil ||
|
if cfgSnap.ConnectProxy.MeshConfig == nil ||
|
||||||
!cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.CatalogDestinationsOnly {
|
!cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.MeshDestinationsOnly {
|
||||||
|
|
||||||
clusters = append(clusters, &envoy_cluster_v3.Cluster{
|
clusters = append(clusters, &envoy_cluster_v3.Cluster{
|
||||||
Name: OriginalDestinationClusterName,
|
Name: OriginalDestinationClusterName,
|
||||||
|
|
|
@ -656,7 +656,7 @@ func TestClustersFromSnapshot(t *testing.T) {
|
||||||
snap.ConnectProxy.MeshConfigSet = true
|
snap.ConnectProxy.MeshConfigSet = true
|
||||||
snap.ConnectProxy.MeshConfig = &structs.MeshConfigEntry{
|
snap.ConnectProxy.MeshConfig = &structs.MeshConfigEntry{
|
||||||
TransparentProxy: structs.TransparentProxyMeshConfig{
|
TransparentProxy: structs.TransparentProxyMeshConfig{
|
||||||
CatalogDestinationsOnly: true,
|
MeshDestinationsOnly: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
|
@ -212,9 +212,9 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg.
|
||||||
outboundListener.FilterChains[j].FilterChainMatch.PrefixRanges[0].AddressPrefix
|
outboundListener.FilterChains[j].FilterChainMatch.PrefixRanges[0].AddressPrefix
|
||||||
})
|
})
|
||||||
|
|
||||||
// Add a catch-all filter chain that acts as a TCP proxy to non-catalog destinations
|
// Add a catch-all filter chain that acts as a TCP proxy to destinations outside the mesh
|
||||||
if cfgSnap.ConnectProxy.MeshConfig == nil ||
|
if cfgSnap.ConnectProxy.MeshConfig == nil ||
|
||||||
!cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.CatalogDestinationsOnly {
|
!cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.MeshDestinationsOnly {
|
||||||
|
|
||||||
filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain(
|
filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain(
|
||||||
"",
|
"",
|
||||||
|
|
|
@ -551,7 +551,7 @@ func TestListenersFromSnapshot(t *testing.T) {
|
||||||
snap.ConnectProxy.MeshConfigSet = true
|
snap.ConnectProxy.MeshConfigSet = true
|
||||||
snap.ConnectProxy.MeshConfig = &structs.MeshConfigEntry{
|
snap.ConnectProxy.MeshConfig = &structs.MeshConfigEntry{
|
||||||
TransparentProxy: structs.TransparentProxyMeshConfig{
|
TransparentProxy: structs.TransparentProxyMeshConfig{
|
||||||
CatalogDestinationsOnly: true,
|
MeshDestinationsOnly: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -11,7 +11,7 @@ type MeshConfigEntry struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
type TransparentProxyMeshConfig struct {
|
type TransparentProxyMeshConfig struct {
|
||||||
CatalogDestinationsOnly bool `alias:"catalog_destinations_only"`
|
MeshDestinationsOnly bool `alias:"mesh_destinations_only"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *MeshConfigEntry) GetKind() string {
|
func (e *MeshConfigEntry) GetKind() string {
|
||||||
|
|
|
@ -199,7 +199,7 @@ func TestAPI_ConfigEntries(t *testing.T) {
|
||||||
|
|
||||||
t.Run("Mesh", func(t *testing.T) {
|
t.Run("Mesh", func(t *testing.T) {
|
||||||
mesh := &MeshConfigEntry{
|
mesh := &MeshConfigEntry{
|
||||||
TransparentProxy: TransparentProxyMeshConfig{CatalogDestinationsOnly: true},
|
TransparentProxy: TransparentProxyMeshConfig{MeshDestinationsOnly: true},
|
||||||
Meta: map[string]string{
|
Meta: map[string]string{
|
||||||
"foo": "bar",
|
"foo": "bar",
|
||||||
"gir": "zim",
|
"gir": "zim",
|
||||||
|
@ -1213,7 +1213,7 @@ func TestDecodeConfigEntry(t *testing.T) {
|
||||||
"gir": "zim"
|
"gir": "zim"
|
||||||
},
|
},
|
||||||
"TransparentProxy": {
|
"TransparentProxy": {
|
||||||
"CatalogDestinationsOnly": true
|
"MeshDestinationsOnly": true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
`,
|
`,
|
||||||
|
@ -1223,7 +1223,7 @@ func TestDecodeConfigEntry(t *testing.T) {
|
||||||
"gir": "zim",
|
"gir": "zim",
|
||||||
},
|
},
|
||||||
TransparentProxy: TransparentProxyMeshConfig{
|
TransparentProxy: TransparentProxyMeshConfig{
|
||||||
CatalogDestinationsOnly: true,
|
MeshDestinationsOnly: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -124,7 +124,7 @@ meta {
|
||||||
"gir" = "zim"
|
"gir" = "zim"
|
||||||
}
|
}
|
||||||
transparent_proxy {
|
transparent_proxy {
|
||||||
catalog_destinations_only = true
|
mesh_destinations_only = true
|
||||||
}
|
}
|
||||||
`)
|
`)
|
||||||
|
|
||||||
|
@ -2674,7 +2674,7 @@ func TestParseConfigEntry(t *testing.T) {
|
||||||
"gir" = "zim"
|
"gir" = "zim"
|
||||||
}
|
}
|
||||||
transparent_proxy {
|
transparent_proxy {
|
||||||
catalog_destinations_only = true
|
mesh_destinations_only = true
|
||||||
}
|
}
|
||||||
`,
|
`,
|
||||||
camel: `
|
camel: `
|
||||||
|
@ -2684,7 +2684,7 @@ func TestParseConfigEntry(t *testing.T) {
|
||||||
"gir" = "zim"
|
"gir" = "zim"
|
||||||
}
|
}
|
||||||
TransparentProxy {
|
TransparentProxy {
|
||||||
CatalogDestinationsOnly = true
|
MeshDestinationsOnly = true
|
||||||
}
|
}
|
||||||
`,
|
`,
|
||||||
snakeJSON: `
|
snakeJSON: `
|
||||||
|
@ -2695,7 +2695,7 @@ func TestParseConfigEntry(t *testing.T) {
|
||||||
"gir": "zim"
|
"gir": "zim"
|
||||||
},
|
},
|
||||||
"transparent_proxy": {
|
"transparent_proxy": {
|
||||||
"catalog_destinations_only": true
|
"mesh_destinations_only": true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
`,
|
`,
|
||||||
|
@ -2707,7 +2707,7 @@ func TestParseConfigEntry(t *testing.T) {
|
||||||
"gir": "zim"
|
"gir": "zim"
|
||||||
},
|
},
|
||||||
"TransparentProxy": {
|
"TransparentProxy": {
|
||||||
"CatalogDestinationsOnly": true
|
"MeshDestinationsOnly": true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
`,
|
`,
|
||||||
|
@ -2717,7 +2717,7 @@ func TestParseConfigEntry(t *testing.T) {
|
||||||
"gir": "zim",
|
"gir": "zim",
|
||||||
},
|
},
|
||||||
TransparentProxy: api.TransparentProxyMeshConfig{
|
TransparentProxy: api.TransparentProxyMeshConfig{
|
||||||
CatalogDestinationsOnly: true,
|
MeshDestinationsOnly: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -18,7 +18,7 @@ Settings in this config entry apply across all namespaces and federated datacent
|
||||||
|
|
||||||
## Sample Config Entries
|
## Sample Config Entries
|
||||||
|
|
||||||
### Proxy traffic to catalog destinations only
|
### Only allow transparent proxies to dial addresses in the mesh.
|
||||||
|
|
||||||
<Tabs>
|
<Tabs>
|
||||||
<Tab heading="HCL">
|
<Tab heading="HCL">
|
||||||
|
@ -27,7 +27,7 @@ Settings in this config entry apply across all namespaces and federated datacent
|
||||||
Kind = "mesh"
|
Kind = "mesh"
|
||||||
|
|
||||||
TransparentProxy {
|
TransparentProxy {
|
||||||
CatalogDestinationsOnly = true
|
MeshDestinationsOnly = true
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -42,7 +42,7 @@ Kind = "mesh"
|
||||||
Namespace = "default" # Can only be set to "default".
|
Namespace = "default" # Can only be set to "default".
|
||||||
|
|
||||||
TransparentProxy {
|
TransparentProxy {
|
||||||
CatalogDestinationsOnly = true
|
MeshDestinationsOnly = true
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -61,9 +61,9 @@ TransparentProxy {
|
||||||
- `TransparentProxy` `(TransparentProxyConfig: <optional>)` - Controls configuration specific to proxies in
|
- `TransparentProxy` `(TransparentProxyConfig: <optional>)` - Controls configuration specific to proxies in
|
||||||
`transparent` [mode](/docs/connect/config-entries/service-defaults#mode). Added in v1.10.0.
|
`transparent` [mode](/docs/connect/config-entries/service-defaults#mode). Added in v1.10.0.
|
||||||
|
|
||||||
- `CatalogDestinationsOnly` `(bool: false)` - Determines whether sidecar proxies operating in transparent mode can
|
- `MeshDestinationsOnly` `(bool: false)` - Determines whether sidecar proxies operating in transparent mode can
|
||||||
proxy traffic to IP addresses not registered in Consul's catalog. If enabled, traffic will only be proxied
|
proxy traffic to IP addresses not registered in Consul's mesh. If enabled, traffic will only be proxied
|
||||||
to upstreams with service registrations in the catalog. If disabled, requests will be proxied as-is to the
|
to upstream proxies or Connect-native services. If disabled, requests will be proxied as-is to the
|
||||||
original destination IP address. Consul will not encrypt the connection.
|
original destination IP address. Consul will not encrypt the connection.
|
||||||
|
|
||||||
## ACLs
|
## ACLs
|
||||||
|
|