mirror of https://github.com/hashicorp/consul
31b95c747b
When the protocol is http-like, and an intention has a peered source
then the normal RBAC mTLS SAN field check is replaces with a joint combo
of:
mTLS SAN field must be the service's local mesh gateway leaf cert
AND
the first XFCC header (from the MGW) must have a URI field that matches the original intention source
Also:
- Update the regex program limit to be much higher than the teeny
defaults, since the RBAC regex constructions are more complicated now.
- Fix a few stray panics in xds generation.
|
||
|---|---|---|
| .. | ||
| proxysupport | ||
| serverlessplugin | ||
| testdata | ||
| xdscommon | ||
| clusters.go | ||
| clusters_test.go | ||
| config.go | ||
| config_test.go | ||
| delta.go | ||
| delta_test.go | ||
| endpoints.go | ||
| endpoints_test.go | ||
| envoy_versioning.go | ||
| envoy_versioning_test.go | ||
| failover_math.go | ||
| failover_math_test.go | ||
| golden_test.go | ||
| listeners.go | ||
| listeners_ingress.go | ||
| listeners_test.go | ||
| naming.go | ||
| net_fallback.go | ||
| net_linux.go | ||
| protocol_trace.go | ||
| rbac.go | ||
| rbac_test.go | ||
| resources.go | ||
| resources_oss_test.go | ||
| resources_test.go | ||
| response.go | ||
| routes.go | ||
| routes_test.go | ||
| server.go | ||
| server_oss.go | ||
| serverless_plugin_oss_test.go | ||
| testing.go | ||
| xds.go | ||
| xds_protocol_helpers_test.go | ||
| z_xds_packages.go | ||
| z_xds_packages_test.go | ||