consul

Commit Graph

Author	SHA1	Message	Date
Kyle Havlovitz	407e858389	Fix syntax for bootstrap sds secret config	2022-07-06 09:53:40 -07:00
R.B. Boyer	31b95c747b	xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629 ) When the protocol is http-like, and an intention has a peered source then the normal RBAC mTLS SAN field check is replaces with a joint combo of: mTLS SAN field must be the service's local mesh gateway leaf cert AND the first XFCC header (from the MGW) must have a URI field that matches the original intention source Also: - Update the regex program limit to be much higher than the teeny defaults, since the RBAC regex constructions are more complicated now. - Fix a few stray panics in xds generation.	2022-06-29 10:29:54 -05:00
Kyle Havlovitz	55109eb9f6	command: Add TLS support for envoy prometheus endpoint	2022-06-16 17:53:05 -07:00

Author

SHA1

Message

Date

Kyle Havlovitz

407e858389

Fix syntax for bootstrap sds secret config

2022-07-06 09:53:40 -07:00

R.B. Boyer

31b95c747b

xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629 )

When the protocol is http-like, and an intention has a peered source
then the normal RBAC mTLS SAN field check is replaces with a joint combo
of:

    mTLS SAN field must be the service's local mesh gateway leaf cert
      AND
    the first XFCC header (from the MGW) must have a URI field that matches the original intention source

Also:

- Update the regex program limit to be much higher than the teeny
  defaults, since the RBAC regex constructions are more complicated now.

- Fix a few stray panics in xds generation.

2022-06-29 10:29:54 -05:00

Kyle Havlovitz

55109eb9f6

command: Add TLS support for envoy prometheus endpoint

2022-06-16 17:53:05 -07:00

3 Commits (257f88d4dfa819c6a4540e8a3d21c4f6485a9261)