Commit Graph

249 Commits (2274f35c89ceb6001542da5b94551981a51cd1f8)

Author SHA1 Message Date
Dhia Ayachi 256694b603
inject gateway addons to destination clusters (#13951)
2 years ago
Kyle Havlovitz 93de25f87c
Merge pull request #13872 from hashicorp/remove-upstream-log
2 years ago
DanStough 2da8949d78 feat: convert destination address to slice
2 years ago
freddygv b544ce6485 Add ACL enforcement to peering endpoints
2 years ago
Kyle Havlovitz 016f963e7e Remove excess debug log from ingress upstream shutdown
2 years ago
Kyle Havlovitz 0be7d923dc Cancel upstream watches when the discovery chain has been removed
2 years ago
Kyle Havlovitz 31318d7049 Fix duplicate Notify calls for discovery chains in ingress gateways
2 years ago
Chris S. Kim 495936300e
Make envoy resources for inferred peered upstreams (#13758)
2 years ago
Dan Stough 49f3dadb8f feat: connect proxy xDS for destinations
2 years ago
Chris S. Kim f56810132f Check if an upstream is implicit from either intentions or peered services
2 years ago
Chris S. Kim 02cff2394d Use new maps for proxycfg peered data
2 years ago
Chris S. Kim 7f32cba735 Add new watch.Map type to refactor proxycfg
2 years ago
Kyle Havlovitz 9097e2b0f0
Merge pull request #13699 from hashicorp/tgate-http2-upstream
2 years ago
Kyle Havlovitz 7d0c692374 Use protocol from resolved config entry, not gateway service
2 years ago
R.B. Boyer 2317f37b4d
state: prohibit exported discovery chains to have cross-datacenter or cross-partition references (#13726)
2 years ago
Kyle Havlovitz 439eccdd80 Respect http2 protocol for upstreams of terminating gateways
2 years ago
Daniel Upton 37ccbd2826 proxycfg: server-local intentions data source
2 years ago
Chris S. Kim d8b7940e40
Add internal endpoint to fetch peered upstream candidates from VirtualIP table (#13642)
2 years ago
R.B. Boyer 31b95c747b
xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629)
2 years ago
R.B. Boyer 1a9c86ea8f
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624)
2 years ago
Chris S. Kim fb5eb20563
Pass trust domain to RBAC to validate and fix use of wrong peer trust bundles (#13508)
2 years ago
DanStough 4b402e3119 feat: tgtwy xDS generation for destinations
2 years ago
R.B. Boyer 201d1458c3
xds: mesh gateways now have their own leaf certificate when involved in a peering (#13460)
2 years ago
R.B. Boyer f557509e58
xds: allow for peered upstreams to use tagged addresses that are hostnames (#13422)
3 years ago
R.B. Boyer ab758b7b32
peering: allow mesh gateways to proxy L4 peered traffic (#13339)
3 years ago
Dan Upton b168424398
xds: remove HTTPCheckFetcher dependency (#13366)
3 years ago
R.B. Boyer 019aeaa57d
peering: update how cross-peer upstreams and represented in proxycfg and rendered in xds (#13362)
3 years ago
Freddy a09c776645 Update public listener with SPIFFE Validator
3 years ago
Freddy 74ca6406ea
Configure upstream TLS context with peer root certs (#13321)
3 years ago
Dan Upton adeabed126
proxycfg: replace direct agent cache usage with interfaces (#13320)
3 years ago
freddygv 364758ef2f Use embedded SpiffeID for peered upstreams
3 years ago
Dan Upton 2427e38839
Enable servers to configure arbitrary proxies from the catalog (#13244)
3 years ago
DanStough 2e2c71d2f2 fix: multiple grpc/http2 services for ingress listeners
3 years ago
Dan Upton d7f8a8e4ef
proxycfg: remove dependency on `cache.UpdateEvent` (#13144)
3 years ago
Matt Keeler b788691fa6
Watch the singular service resolver instead of the list + filtering to 1 (#13012)
3 years ago
Chris S. Kim abc472f2a3
Default discovery chain when upstream targets a DestinationPeer (#12942)
3 years ago
Chris S. Kim 9791bad136
peering: Make Upstream peer-aware (#12900)
3 years ago
Eric b01bb41553 Implement routing and intentions for AWS Lambdas
3 years ago
R.B. Boyer 25ba9c147a
xds: ensure that all connect timeout configs can apply equally to tproxy direct dial connections (#12711)
3 years ago
Mark Anderson 98a2e282be Fixup acl.EnterpriseMeta
3 years ago
Kyle Havlovitz 6cf22a5cef
Merge pull request #12672 from hashicorp/tgate-san-validation
3 years ago
Kyle Havlovitz 1a3b885027 Use the GatewayService SNI field for upstream SAN validation
3 years ago
Eric e0a15690ae Implement Lambda Patching in the Serverless Plugin
3 years ago
R.B. Boyer e79ce8ab03
xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry (#12601)
3 years ago
R.B. Boyer ac5bea862a
server: ensure that service-defaults meta is incorporated into the discovery chain response (#12511)
3 years ago
Eric cf3e517d0e Create and wire up the serverless patcher
3 years ago
R.B. Boyer 2a56e0055b
proxycfg: change how various proxycfg test helpers for making ConfigSnapshot copies works to be more correct and less error prone (#12531)
3 years ago
freddygv ceb52d649a Account for upstream targets in another DC.
3 years ago
freddygv cbea3d203c Fix race of upstreams with same passthrough ip
3 years ago
freddygv 659ebc05a9 Ensure passthrough addresses get cleaned up
3 years ago