consul/agent/xds/testdata
Derek Menteer 3e8ec8d18e
Fix SAN matching on terminating gateways (#20417)
Fixes issue: hashicorp/consul#20360

A regression was introduced in hashicorp/consul#19954 where the SAN validation
matching was reduced from 4 potential types down to just the URI.

Terminating gateways will need to match on many fields depending on user
configuration, since they make egress calls outside of the cluster. Having more
than one matcher behaves like an OR operation, where any match is sufficient to
pass the certificate validation. To maintain backwards compatibility with the
old untyped `match_subject_alt_names` Envoy behavior, we should match on all 4
enum types.

https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#enum-extensions-transport-sockets-tls-v3-subjectaltnamematcher-santype
2024-01-31 12:17:45 -06:00
builtin_extension NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
clusters Fix SAN matching on terminating gateways (#20417) 2024-01-31 12:17:45 -06:00
endpoints [NET-5455] Allow disabling request and idle timeouts with negative values in service router and service resolver (#19992) 2023-12-19 15:36:07 -08:00
jwt_authn xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
jwt_authn_clusters xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
listeners NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
rbac Fix SAN matching on terminating gateways (#20417) 2024-01-31 12:17:45 -06:00
routes NET-6945 - Replace usage of deprecated Envoy field envoy.config.core.v3.HeaderValueOption.append (#20078) 2024-01-04 00:36:25 +00:00
secrets Fix ClusterLoadAssignment timeouts dropping endpoints. (#19871) 2023-12-11 09:25:11 -06:00
alt-test-leaf-cert.golden Use golden files for gateway certs and fix listener test flakiness 2020-04-27 11:08:41 -06:00
alt-test-leaf-key.golden Use golden files for gateway certs and fix listener test flakiness 2020-04-27 11:08:41 -06:00
alt-test-root-cert.golden Use golden files for gateway certs and fix listener test flakiness 2020-04-27 11:08:41 -06:00
cache-test-leaf-cert.golden Always return a gateway cluster (#8158) 2020-06-19 13:31:39 -06:00
cache-test-leaf-key.golden Always return a gateway cluster (#8158) 2020-06-19 13:31:39 -06:00
db-test-leaf-cert.golden Always return a gateway cluster (#8158) 2020-06-19 13:31:39 -06:00
db-test-leaf-key.golden Always return a gateway cluster (#8158) 2020-06-19 13:31:39 -06:00
test-leaf-cert.golden Connect: allow configuring Envoy for L7 Observability (#5558) 2019-04-29 17:27:57 +01:00
test-leaf-key.golden Connect: allow configuring Envoy for L7 Observability (#5558) 2019-04-29 17:27:57 +01:00
test-root-cert.golden Connect: allow configuring Envoy for L7 Observability (#5558) 2019-04-29 17:27:57 +01:00