consul/agent/xds/testdata/clusters
Derek Menteer 3e8ec8d18e
Fix SAN matching on terminating gateways (#20417)
Fixes issue: hashicorp/consul#20360

A regression was introduced in hashicorp/consul#19954 where the SAN validation
matching was reduced from 4 potential types down to just the URI.

Terminating gateways will need to match on many fields depending on user
configuration, since they make egress calls outside of the cluster. Having more
than one matcher behaves like an OR operation, where any match is sufficient to
pass the certificate validation. To maintain backwards compatibility with the
old untyped `match_subject_alt_names` Envoy behavior, we should match on all 4
enum types.

https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#enum-extensions-transport-sockets-tls-v3-subjectaltnamematcher-santype
2024-01-31 12:17:45 -06:00
access-logs-defaults.latest.golden
access-logs-json-file.latest.golden
access-logs-text-stderr-disablelistenerlogs.latest.golden
api-gateway-http-listener-with-http-route.latest.golden
api-gateway-http-listener.latest.golden
api-gateway-nil-config-entry.latest.golden
api-gateway-tcp-listener-with-tcp-and-http-route.latest.golden
api-gateway-tcp-listener-with-tcp-route.latest.golden
api-gateway-tcp-listener.latest.golden
api-gateway-with-http-route-timeoutfilter-one-set.latest.golden
api-gateway-with-http-route.latest.golden
api-gateway-with-multiple-hostnames.latest.golden
api-gateway-with-multiple-inline-certificates.latest.golden
api-gateway-with-tcp-route-and-inline-certificate.latest.golden
api-gateway.latest.golden
connect-proxy-exported-to-peers.latest.golden
connect-proxy-lb-in-resolver.latest.golden
connect-proxy-resolver-with-lb.latest.golden
connect-proxy-route-to-lb-resolver.latest.golden
connect-proxy-splitter-overweight.latest.golden
connect-proxy-upstream-defaults.latest.golden
connect-proxy-with-chain-and-failover-to-cluster-peer.latest.golden
connect-proxy-with-chain-and-failover.latest.golden
connect-proxy-with-chain-and-overrides.latest.golden
connect-proxy-with-chain-and-redirect-to-cluster-peer.latest.golden
connect-proxy-with-chain-and-router.latest.golden
connect-proxy-with-chain-and-splitter.latest.golden
connect-proxy-with-chain-external-sni.latest.golden
connect-proxy-with-chain-http2.latest.golden
connect-proxy-with-chain.latest.golden
connect-proxy-with-default-chain-and-custom-cluster.latest.golden
connect-proxy-with-grpc-chain.latest.golden
connect-proxy-with-grpc-router.latest.golden
connect-proxy-with-http-chain.latest.golden
connect-proxy-with-http2-chain.latest.golden
connect-proxy-with-jwt-config-entry-with-local.latest.golden
connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden
connect-proxy-with-peered-upstreams-escape-overrides.latest.golden
connect-proxy-with-peered-upstreams-http2.latest.golden
connect-proxy-with-peered-upstreams.latest.golden
connect-proxy-with-tcp-chain-double-failover-through-local-gateway-triggered.latest.golden
connect-proxy-with-tcp-chain-double-failover-through-local-gateway.latest.golden
connect-proxy-with-tcp-chain-double-failover-through-remote-gateway-triggered.latest.golden
connect-proxy-with-tcp-chain-double-failover-through-remote-gateway.latest.golden
connect-proxy-with-tcp-chain-failover-through-local-gateway-triggered.latest.golden
connect-proxy-with-tcp-chain-failover-through-local-gateway.latest.golden
connect-proxy-with-tcp-chain-failover-through-remote-gateway-triggered.latest.golden
connect-proxy-with-tcp-chain-failover-through-remote-gateway.latest.golden
connect-proxy-with-tcp-chain.latest.golden
connect-proxy-with-tls-incoming-cipher-suites.latest.golden
connect-proxy-with-tls-incoming-max-version.latest.golden
connect-proxy-with-tls-incoming-min-version.latest.golden
connect-proxy-with-tls-outgoing-cipher-suites.latest.golden
connect-proxy-with-tls-outgoing-max-version.latest.golden
connect-proxy-with-tls-outgoing-min-version-auto.latest.golden
connect-proxy-with-tls-outgoing-min-version.latest.golden
connect-proxy-with-tproxy-and-permissive-mtls.latest.golden
connect-proxy-without-tproxy-and-permissive-mtls.latest.golden
custom-limits-max-connections-only.latest.golden
custom-limits-set-to-zero.latest.golden
custom-limits.latest.golden
custom-local-app.latest.golden
custom-max-inbound-connections.latest.golden
custom-passive-healthcheck-zero-consecutive_5xx.latest.golden
custom-passive-healthcheck.latest.golden
custom-public-listener-http-2.latest.golden
custom-public-listener-http-missing.latest.golden
custom-public-listener-http.latest.golden
custom-public-listener.latest.golden
custom-timeouts.latest.golden
custom-trace-listener.latest.golden
custom-upstream-default-chain.latest.golden
custom-upstream-ignored-with-disco-chain.latest.golden
custom-upstream-with-prepared-query.latest.golden
custom-upstream.latest.golden
defaults.latest.golden
downstream-service-with-unix-sockets.latest.golden
expose-checks-grpc.latest.golden
expose-checks-http-with-bind-override.latest.golden
expose-checks-http.latest.golden
expose-checks.latest.golden
expose-paths-grpc-new-cluster-http1.latest.golden
expose-paths-local-app-paths.latest.golden
expose-paths-new-cluster-http2.latest.golden
grpc-public-listener.latest.golden
http-listener-with-timeouts.latest.golden
http-public-listener-no-xfcc.latest.golden
http-public-listener.latest.golden
http-upstream.latest.golden
http2-public-listener.latest.golden
ingress-config-entry-nil.latest.golden
ingress-defaults-no-chain.latest.golden
ingress-gateway-bind-addrs.latest.golden
ingress-gateway-nil-config-entry.latest.golden
ingress-gateway-no-services.latest.golden
ingress-gateway-with-tls-outgoing-cipher-suites.latest.golden
ingress-gateway-with-tls-outgoing-max-version.latest.golden
ingress-gateway-with-tls-outgoing-min-version.latest.golden
ingress-gateway.latest.golden
ingress-grpc-multiple-services.latest.golden
ingress-http-multiple-services.latest.golden
ingress-lb-in-resolver.latest.golden
ingress-multiple-listeners-duplicate-service.latest.golden
ingress-splitter-with-resolver-redirect.latest.golden
ingress-with-chain-and-failover-to-cluster-peer.latest.golden
ingress-with-chain-and-failover.latest.golden
ingress-with-chain-and-router-header-manip.latest.golden
ingress-with-chain-and-router.latest.golden
ingress-with-chain-and-splitter.latest.golden
ingress-with-chain-external-sni.latest.golden
ingress-with-chain.latest.golden
ingress-with-defaults-passive-health-check.latest.golden
ingress-with-defaults-service-max-connections.latest.golden
ingress-with-grpc-router.latest.golden
ingress-with-grpc-single-tls-listener.latest.golden
ingress-with-http2-and-grpc-multiple-tls-listener.latest.golden
ingress-with-http2-single-tls-listener.latest.golden
ingress-with-overwrite-defaults-passive-health-check.latest.golden
ingress-with-overwrite-defaults-service-max-connections.latest.golden
ingress-with-sds-listener+service-level.latest.golden
ingress-with-sds-listener-gw-level-http.latest.golden
ingress-with-sds-listener-gw-level-mixed-tls.latest.golden
ingress-with-sds-listener-gw-level.latest.golden
ingress-with-sds-listener-level-wildcard.latest.golden
ingress-with-sds-listener-level.latest.golden
ingress-with-sds-listener-listener-level.latest.golden
ingress-with-sds-service-level-2.latest.golden
ingress-with-sds-service-level-mixed-no-tls.latest.golden
ingress-with-sds-service-level-mixed-tls.latest.golden
ingress-with-sds-service-level.latest.golden
ingress-with-service-max-connections.latest.golden
ingress-with-service-passive-health-check.latest.golden
ingress-with-single-tls-listener.latest.golden
ingress-with-tcp-chain-double-failover-through-local-gateway-triggered.latest.golden
ingress-with-tcp-chain-double-failover-through-local-gateway.latest.golden
ingress-with-tcp-chain-double-failover-through-remote-gateway-triggered.latest.golden
ingress-with-tcp-chain-double-failover-through-remote-gateway.latest.golden
ingress-with-tcp-chain-failover-through-local-gateway-triggered.latest.golden
ingress-with-tcp-chain-failover-through-local-gateway.latest.golden
ingress-with-tcp-chain-failover-through-remote-gateway-triggered.latest.golden
ingress-with-tcp-chain-failover-through-remote-gateway.latest.golden
ingress-with-tls-listener-cipher-suites.latest.golden
ingress-with-tls-listener-max-version.latest.golden
ingress-with-tls-listener-min-version.latest.golden
ingress-with-tls-listener.latest.golden
ingress-with-tls-min-version-listeners-gateway-defaults.latest.golden
ingress-with-tls-mixed-cipher-suites-listeners.latest.golden
ingress-with-tls-mixed-listeners.latest.golden
ingress-with-tls-mixed-max-version-listeners.latest.golden
ingress-with-tls-mixed-min-version-listeners.latest.golden
listener-balance-inbound-connections.latest.golden
listener-balance-outbound-connections-bind-port.latest.golden
listener-bind-address-port.latest.golden
listener-bind-address.latest.golden
listener-bind-port.latest.golden
listener-max-inbound-connections.latest.golden
listener-unix-domain-socket.latest.golden
local-mesh-gateway-with-peered-upstreams.latest.golden
mesh-gateway-custom-addresses.latest.golden
mesh-gateway-default-service-subset.latest.golden
mesh-gateway-hash-lb-ignored.latest.golden
mesh-gateway-ignore-extra-resolvers.latest.golden
mesh-gateway-newer-information-in-federation-states.latest.golden
mesh-gateway-no-services.latest.golden
mesh-gateway-non-hash-lb-injected.latest.golden
mesh-gateway-older-information-in-federation-states.latest.golden
mesh-gateway-peering-control-plane.latest.golden
mesh-gateway-service-subsets.latest.golden
mesh-gateway-service-subsets2.latest.golden
mesh-gateway-service-timeouts.latest.golden
mesh-gateway-tagged-addresses.latest.golden
mesh-gateway-tcp-keepalives.latest.golden
mesh-gateway-using-federation-control-plane.latest.golden
mesh-gateway-using-federation-states.latest.golden
mesh-gateway-with-exported-peered-services-http-with-router.latest.golden
mesh-gateway-with-exported-peered-services-http.latest.golden
mesh-gateway-with-exported-peered-services.latest.golden
mesh-gateway-with-imported-peered-services.latest.golden
mesh-gateway-with-peer-through-mesh-gateway-enabled.latest.golden
mesh-gateway.latest.golden
splitter-with-resolver-redirect.latest.golden
telemetry-collector.latest.golden
terminating-gateway-custom-and-tagged-addresses.latest.golden
terminating-gateway-custom-trace-listener.latest.golden
terminating-gateway-default-service-subset.latest.golden
terminating-gateway-hostname-service-subsets.latest.golden
terminating-gateway-http2-upstream-subsets.latest.golden
terminating-gateway-http2-upstream.latest.golden
terminating-gateway-ignore-extra-resolvers.latest.golden
terminating-gateway-lb-config-no-hash-policies.latest.golden
terminating-gateway-lb-config.latest.golden
terminating-gateway-no-api-cert.latest.golden
terminating-gateway-no-services.latest.golden
terminating-gateway-service-subsets.latest.golden
terminating-gateway-sni.latest.golden
terminating-gateway-tcp-keepalives.latest.golden
terminating-gateway-with-peer-trust-bundle.latest.golden
terminating-gateway-with-tls-incoming-cipher-suites.latest.golden
terminating-gateway-with-tls-incoming-max-version.latest.golden
terminating-gateway-with-tls-incoming-min-version.latest.golden
terminating-gateway.latest.golden
transparent-proxy-catalog-destinations-only.latest.golden
transparent-proxy-destination-http.latest.golden
transparent-proxy-destination.latest.golden
transparent-proxy-dial-instances-directly.latest.golden
transparent-proxy-http-upstream.latest.golden
transparent-proxy-terminating-gateway-destinations-only.latest.golden
transparent-proxy-terminating-gateway.latest.golden
transparent-proxy-with-peered-upstreams.latest.golden
transparent-proxy-with-resolver-redirect-upstream.latest.golden
transparent-proxy.latest.golden
xds-fetch-timeout-ms-ingress-with-router.latest.golden
xds-fetch-timeout-ms-mgw-peering.latest.golden
xds-fetch-timeout-ms-sidecar.latest.golden
xds-fetch-timeout-ms-term-gw.latest.golden
xds-fetch-timeout-ms-tproxy-http-peering.latest.golden
xds-fetch-timeout-ms-tproxy-passthrough.latest.golden