mirror of https://github.com/hashicorp/consul
28b4b3a85d
Description Add x-fowarded-client-cert information on trusted incoming connections. Envoy provides support forwarding and annotating the x-forwarded-client-cert header via the forward_client_cert_details set_current_client_cert_details filter fields. It would be helpful for consul to support this directly in its config. The escape hatches are a bit cumbersome for this purpose. This has been implemented on incoming connections to envoy. Outgoing (from the local service through the sidecar) will not have a certificate, and so are left alone. A service on an incoming connection will now get headers something like this: ``` X-Forwarded-Client-Cert:[By=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/counting;Hash=61ad5cbdfcb50f5a3ec0ca60923d61613c149a9d4495010a64175c05a0268ab2;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/dashboard] ``` Closes #12852 |
||
|---|---|---|
| .. | ||
| ae | ||
| auto-config | ||
| cache | ||
| cache-types | ||
| checks | ||
| config | ||
| configentry | ||
| connect | ||
| consul | ||
| debug | ||
| dns | ||
| exec | ||
| grpc | ||
| local | ||
| metadata | ||
| mock | ||
| pool | ||
| proxycfg | ||
| router | ||
| routine-leak-checker | ||
| rpc | ||
| rpcclient/health | ||
| structs | ||
| submatview | ||
| systemd | ||
| token | ||
| uiserver | ||
| xds | ||
| acl.go | ||
| acl_endpoint.go | ||
| acl_endpoint_legacy.go | ||
| acl_endpoint_legacy_test.go | ||
| acl_endpoint_test.go | ||
| acl_oss.go | ||
| acl_test.go | ||
| agent.go | ||
| agent_endpoint.go | ||
| agent_endpoint_oss.go | ||
| agent_endpoint_test.go | ||
| agent_oss.go | ||
| agent_test.go | ||
| apiserver.go | ||
| apiserver_test.go | ||
| catalog_endpoint.go | ||
| catalog_endpoint_oss.go | ||
| catalog_endpoint_test.go | ||
| check.go | ||
| config_endpoint.go | ||
| config_endpoint_test.go | ||
| connect_auth.go | ||
| connect_ca_endpoint.go | ||
| connect_ca_endpoint_test.go | ||
| coordinate_endpoint.go | ||
| coordinate_endpoint_test.go | ||
| delegate_mock_test.go | ||
| denylist.go | ||
| denylist_test.go | ||
| discovery_chain_endpoint.go | ||
| discovery_chain_endpoint_test.go | ||
| dns.go | ||
| dns_oss.go | ||
| dns_test.go | ||
| enterprise_delegate_oss.go | ||
| event_endpoint.go | ||
| event_endpoint_test.go | ||
| federation_state_endpoint.go | ||
| health_endpoint.go | ||
| health_endpoint_test.go | ||
| http.go | ||
| http_decode_test.go | ||
| http_oss.go | ||
| http_oss_test.go | ||
| http_register.go | ||
| http_test.go | ||
| intentions_endpoint.go | ||
| intentions_endpoint_oss_test.go | ||
| intentions_endpoint_test.go | ||
| keyring.go | ||
| keyring_test.go | ||
| kvs_endpoint.go | ||
| kvs_endpoint_test.go | ||
| metrics.go | ||
| metrics_test.go | ||
| nodeid.go | ||
| nodeid_test.go | ||
| notify.go | ||
| notify_test.go | ||
| operator_endpoint.go | ||
| operator_endpoint_oss.go | ||
| operator_endpoint_test.go | ||
| peering_endpoint.go | ||
| peering_endpoint_oss_test.go | ||
| peering_endpoint_test.go | ||
| prepared_query_endpoint.go | ||
| prepared_query_endpoint_test.go | ||
| reload.go | ||
| remote_exec.go | ||
| remote_exec_test.go | ||
| retry_join.go | ||
| retry_join_test.go | ||
| service_checks_test.go | ||
| service_manager.go | ||
| service_manager_test.go | ||
| session_endpoint.go | ||
| session_endpoint_test.go | ||
| setup.go | ||
| setup_oss.go | ||
| sidecar_service.go | ||
| sidecar_service_test.go | ||
| signal_unix.go | ||
| signal_windows.go | ||
| snapshot_endpoint.go | ||
| snapshot_endpoint_test.go | ||
| status_endpoint.go | ||
| status_endpoint_test.go | ||
| streaming_test.go | ||
| testagent.go | ||
| testagent_test.go | ||
| translate_addr.go | ||
| txn_endpoint.go | ||
| txn_endpoint_test.go | ||
| ui_endpoint.go | ||
| ui_endpoint_oss_test.go | ||
| ui_endpoint_test.go | ||
| user_event.go | ||
| user_event_test.go | ||
| util.go | ||
| util_test.go | ||
| watch_handler.go | ||
| watch_handler_test.go | ||