consul/agent/structs
Mark Anderson 28b4b3a85d Add x-forwarded-client-cert headers
Description
Add x-forwarded-client-cert information on trusted incoming connections.

Envoy provides support for forwarding and annotating the
x-forwarded-client-cert header via the forward_client_cert_details and
set_current_client_cert_details filter fields. It would be helpful for
Consul to support this directly in its config. The escape hatches are
a bit cumbersome for this purpose.

This has been implemented on incoming connections to envoy. Outgoing
(from the local service through the sidecar) will not have a
certificate, and so are left alone.

A service on an incoming connection will now get headers something like this:

```
X-Forwarded-Client-Cert:[By=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/counting;Hash=61ad5cbdfcb50f5a3ec0ca60923d61613c149a9d4495010a64175c05a0268ab2;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICHDCCAcOgAwIBAgIBCDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMTli%0AYXdyb2YuY29uc3VsLmNhLmVmYWQ3MjgyLmNvbnN1bDAeFw0yMjA0MjkwMzE0NTBa%0AFw0yMjA1MDIwMzE0NTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVIZ7Y%0AZEXfbOGBfxGa7Vuok1MIng%2FuzLQK2xLVlSTIPDbO5hstTGP%2B%2FGx182PYFP3jYqk5%0Aq6rYWe1wiPNMA30Io4H8MIH5MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgrp4q50oX%0AHHghMbxz5Bk8OJFWMdfgH0Upr350WlhyxvkwKwYDVR0jBCQwIoAgUe6uERAIj%2FLM%0AyuFzDc3Wbp9TGAKBJYAwyhF14ToOQCMwYgYDVR0RAQH%2FBFgwVoZUc3BpZmZlOi8v%0AZWZhZDcyODItZDliMi0zMjk4LWY2ZDgtMzhiMzdmYjU4ZGYzLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL2RjMS9zdmMvZGFzaGJvYXJkMAoGCCqGSM49BAMCA0cAMEQCIDwb%0AFlchufggNTijnQ5SUcvTZrWlZyq%2FrdVC20nbbmWLAiAVshNNv1xBqJI1NmY2HI9n%0AgRMfb8aEPVSuxEHhqy57eQ%3D%3D%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/dashboard]
```

Closes #12852
2022-05-04 08:50:58 -07:00
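The header above is only as trustworthy as the proxy that appended it: the `By` field names the sidecar that terminated the mTLS connection, `Hash` is the SHA-256 of the forwarded DER certificate, and `URI` is the caller's SPIFFE ID copied out of that certificate's SAN. A service consuming it should therefore check that the entry was written by its own sidecar, that `Hash` matches `Cert`, and that `URI` really is a SAN of `Cert`, rather than acting on the cheap-to-edit `URI` string alone. The Go program below is an added example written for this page, not Consul's or Envoy's code: `parseXFCC`, `verifyClientCert`, `buildXFCC` and `selfSignedSPIFFECert` are its own names, the two SPIFFE IDs are taken from the header shown in the commit message, and the certificate is a constructed self-signed fixture rather than one issued by the Consul CA. It does not validate the chain against the mesh CA; that is the sidecar's job, and the header must only be accepted on the listener that the sidecar alone can reach.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// SPIFFE IDs in the shape shown in the commit message: dashboard calls counting.
const (
	countingID  = "spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/counting"
	dashboardID = "spiffe://efad7282-d9b2-3298-f6d8-38b37fb58df3.consul/ns/default/dc/dc1/svc/dashboard"
)

// XFCCElement is one X-Forwarded-Client-Cert entry. Envoy joins entries from
// successive proxies with ',' and fields with ';'; Cert/Chain are PEM once URL-decoded.
type XFCCElement struct {
	By, Hash, Cert, Chain, Subject, URI string
	DNS                                 []string
}

// splitUnquoted splits on sep outside double quotes (a quoted Subject DN may contain ',' or ';').
func splitUnquoted(s string, sep rune) []string {
	inQuote := false
	return strings.FieldsFunc(s, func(r rune) bool {
		if r == '"' {
			inQuote = !inQuote
		}
		return r == sep && !inQuote
	})
}

// parseXFCC parses a header value. Unknown keys are an error rather than ignored;
// surrounding quotes are stripped, backslash escapes inside them are not handled.
func parseXFCC(header string) ([]XFCCElement, error) {
	var out []XFCCElement
	for _, raw := range splitUnquoted(header, ',') {
		var el XFCCElement
		dst := map[string]*string{"By": &el.By, "Hash": &el.Hash, "Cert": &el.Cert, "Chain": &el.Chain, "Subject": &el.Subject, "URI": &el.URI}
		for _, pair := range splitUnquoted(raw, ';') {
			kv := strings.SplitN(pair, "=", 2)
			if len(kv) != 2 {
				return nil, fmt.Errorf("malformed XFCC pair %q", pair)
			}
			k, v := kv[0], strings.TrimSuffix(strings.TrimPrefix(kv[1], `"`), `"`)
			if k == "DNS" {
				el.DNS = append(el.DNS, v)
				continue
			}
			p, ok := dst[k]
			if !ok {
				return nil, fmt.Errorf("unknown XFCC key %q", k)
			}
			if k == "Cert" || k == "Chain" { // PathUnescape, not QueryUnescape: '+' in base64 must survive
				var err error
				if v, err = url.PathUnescape(v); err != nil {
					return nil, fmt.Errorf("%s: %w", k, err)
				}
			}
			*p = v
		}
		out = append(out, el)
	}
	return out, nil
}

// verifyClientCert accepts an entry only if our own sidecar wrote it (By), Hash is
// the SHA-256 of Cert, and URI is a SAN of that cert, so editing URI alone cannot
// change the identity the service acts on. The chain is NOT checked against the CA here.
func verifyClientCert(el XFCCElement, wantBy string) (*x509.Certificate, error) {
	if el.By != wantBy {
		return nil, fmt.Errorf("By=%q is not this service's sidecar %q", el.By, wantBy)
	}
	block, _ := pem.Decode([]byte(el.Cert))
	if block == nil {
		return nil, fmt.Errorf("Cert is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(cert.Raw); hex.EncodeToString(sum[:]) != strings.ToLower(el.Hash) {
		return nil, fmt.Errorf("Hash is not the SHA-256 of Cert")
	}
	for _, u := range cert.URIs {
		if u.String() == el.URI {
			return cert, nil
		}
	}
	return nil, fmt.Errorf("URI=%q is not a SAN of Cert", el.URI)
}

// buildXFCC renders one entry as a sidecar would. url.PathEscape leaves '+' and '='
// bare where Envoy writes %2B and %3D; both forms decode identically.
func buildXFCC(by string, cert *x509.Certificate) string {
	pemText := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
	sum := sha256.Sum256(cert.Raw)
	return fmt.Sprintf(`By=%s;Hash=%s;Cert="%s";Subject="%s";URI=%s`, by,
		hex.EncodeToString(sum[:]), url.PathEscape(string(pemText)), cert.Subject, cert.URIs[0])
}

// selfSignedSPIFFECert is a throwaway P-256 leaf with an empty Subject and a SPIFFE
// URI SAN: a constructed fixture, not how Consul's CA issues leaf certificates.
func selfSignedSPIFFECert(spiffeID string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, _ := url.Parse(spiffeID) // constant, known-good input
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSignedSPIFFECert(dashboardID)
	if err != nil {
		panic(err)
	}
	els, err := parseXFCC(buildXFCC(countingID, cert))
	if err != nil {
		panic(err)
	}
	if _, err = verifyClientCert(els[0], countingID); err != nil {
		panic(err)
	}
	fmt.Println("verified caller:", els[0].URI)
}
```

`verifyClientCert` deliberately takes the expected `By` value from configuration rather than from the header: a service that accepts any `By` would accept an entry appended by a proxy it has never trusted. Multi-hop headers carry one entry per proxy, so a service behind a gateway should pick the entry written by its own sidecar rather than assuming there is only one.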
acl.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
acl_cache.go Store and return rpc error in acl cache entries 2022-04-28 09:08:55 -07:00
acl_cache_test.go Store and return rpc error in acl cache entries 2022-04-28 09:08:55 -07:00
acl_oss.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
acl_test.go Add expanded token read flag and endpoint option 2022-03-31 10:49:49 -07:00
auto_encrypt.go
autopilot.go
autopilot_oss.go
catalog.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
catalog_oss.go
check_definition.go Merge pull request #12685 from hashicorp/http-check-redirect-option 2022-04-07 11:29:27 -07:00
check_definition_test.go
check_type.go Add a field to disable following redirects on http checks 2022-04-05 16:12:18 -07:00
config_entry.go Fixup acl.EnterpriseMeta 2022-04-05 15:11:49 -07:00
config_entry_discoverychain.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
config_entry_discoverychain_oss.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
config_entry_discoverychain_test.go Remove support for failover to partition 2021-12-06 12:32:24 -07:00
config_entry_export_oss_test.go peering: initial sync (#12842) 2022-04-21 17:34:40 -05:00
config_entry_exports.go structs: ensure exported-services PeerName field can be addressed as peer_name (#12862) 2022-04-27 10:27:21 -05:00
config_entry_exports_test.go peering: initial sync (#12842) 2022-04-21 17:34:40 -05:00
config_entry_gateways.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
config_entry_gateways_test.go
config_entry_intentions.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
config_entry_intentions_oss.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
config_entry_intentions_test.go
config_entry_mesh.go Add x-forwarded-client-cert headers 2022-05-04 08:50:58 -07:00
config_entry_mesh_oss.go
config_entry_oss.go peering: initial sync (#12842) 2022-04-21 17:34:40 -05:00
config_entry_oss_test.go
config_entry_test.go structs: ensure exported-services PeerName field can be addressed as peer_name (#12862) 2022-04-27 10:27:21 -05:00
connect.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
connect_ca.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
connect_ca_test.go
connect_oss.go
connect_proxy_config.go peering: Make Upstream peer-aware (#12900) 2022-04-29 18:12:51 -04:00
connect_proxy_config_oss.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
connect_proxy_config_test.go bulk rewrite using this script 2022-01-20 10:46:23 -06:00
discovery_chain.go xds: ensure that all connect timeout configs can apply equally to tproxy direct dial connections (#12711) 2022-04-07 16:58:21 -05:00
discovery_chain_oss.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
errors.go
federation_state.go
identity.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
intention.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
intention_oss.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
intention_test.go bulk rewrite using this script 2022-01-20 10:46:23 -06:00
operator.go
peering.go peering: initial sync (#12842) 2022-04-21 17:34:40 -05:00
prepared_query.go peering: initial sync (#12842) 2022-04-21 17:34:40 -05:00
prepared_query_test.go
protobuf_compat.go remove the rest of gogo 2022-03-28 17:34:41 -04:00
sanitize_oss.go
service_definition.go peering: Make Upstream peer-aware (#12900) 2022-04-29 18:12:51 -04:00
service_definition_test.go bulk rewrite using this script 2022-01-20 10:46:23 -06:00
snapshot.go
structs.go peering: Make Upstream peer-aware (#12900) 2022-04-29 18:12:51 -04:00
structs_filtering_test.go peering: Make Upstream peer-aware (#12900) 2022-04-29 18:12:51 -04:00
structs_oss.go add new entmeta stuff. 2022-04-05 14:49:31 -07:00
structs_oss_test.go add new entmeta stuff. 2022-04-05 14:49:31 -07:00
structs_test.go peering: Make Upstream peer-aware (#12900) 2022-04-29 18:12:51 -04:00
system_metadata.go Add virtual IP generation for term gateway backed services 2022-01-12 12:08:49 -08:00
testing.go Vendor in rpc mono repo for net/rpc fork, go-msgpack, msgpackrpc. (#12311) 2022-02-14 09:45:45 -08:00
testing_catalog.go
testing_connect_proxy_config.go Manual Structs fixup 2022-04-05 14:51:10 -07:00
testing_intention.go
testing_service_definition.go
txn.go