consul/agent/xds/testdata/rbac
R.B. Boyer 31b95c747b
xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629)
When the protocol is http-like, and an intention has a peered source
then the normal RBAC mTLS SAN field check is replaces with a joint combo
of:

    mTLS SAN field must be the service's local mesh gateway leaf cert
      AND
    the first XFCC header (from the MGW) must have a URI field that matches the original intention source

Also:

- Update the regex program limit to be much higher than the teeny
  defaults, since the RBAC regex constructions are more complicated now.

- Fix a few stray panics in xds generation.
2022-06-29 10:29:54 -05:00
..
default-allow-deny-all-and-path-allow--httpfilter.golden
default-allow-deny-all-and-path-allow.golden
default-allow-deny-all-and-path-deny--httpfilter.golden
default-allow-deny-all-and-path-deny.golden
default-allow-kitchen-sink--httpfilter.golden
default-allow-kitchen-sink.golden
default-allow-one-deny--httpfilter.golden
default-allow-one-deny.golden
default-allow-path-allow--httpfilter.golden
default-allow-path-allow.golden
default-allow-path-deny--httpfilter.golden
default-allow-path-deny.golden
default-allow-service-wildcard-deny--httpfilter.golden
default-allow-service-wildcard-deny.golden
default-allow-single-intention-with-kitchen-sink-perms--httpfilter.golden
default-allow-single-intention-with-kitchen-sink-perms.golden
default-allow-two-path-deny-and-path-allow--httpfilter.golden
default-allow-two-path-deny-and-path-allow.golden
default-deny-allow-deny--httpfilter.golden
default-deny-allow-deny.golden
default-deny-deny-all-and-path-allow--httpfilter.golden
default-deny-deny-all-and-path-allow.golden
default-deny-deny-all-and-path-deny--httpfilter.golden
default-deny-deny-all-and-path-deny.golden
default-deny-kitchen-sink--httpfilter.golden
default-deny-kitchen-sink.golden
default-deny-mixed-precedence--httpfilter.golden
default-deny-mixed-precedence.golden
default-deny-one-allow--httpfilter.golden
default-deny-one-allow.golden
default-deny-path-allow--httpfilter.golden
default-deny-path-allow.golden
default-deny-path-deny--httpfilter.golden
default-deny-path-deny.golden
default-deny-peered-kitchen-sink--httpfilter.golden
default-deny-peered-kitchen-sink.golden
default-deny-service-wildcard-allow--httpfilter.golden
default-deny-service-wildcard-allow.golden
default-deny-single-intention-with-kitchen-sink-perms--httpfilter.golden
default-deny-single-intention-with-kitchen-sink-perms.golden
default-deny-two-path-deny-and-path-allow--httpfilter.golden
default-deny-two-path-deny-and-path-allow.golden