diff --git a/.changelog/11245.txt b/.changelog/11245.txt new file mode 100644 index 000000000000..aacdb1def509 --- /dev/null +++ b/.changelog/11245.txt @@ -0,0 +1,3 @@ +```release-note:bug +connect: fix issue with attempting to generate an invalid upstream cluster from UpstreamConfig.Defaults. +``` \ No newline at end of file diff --git a/agent/proxycfg/state.go b/agent/proxycfg/state.go index cd30003531b2..237279b99791 100644 --- a/agent/proxycfg/state.go +++ b/agent/proxycfg/state.go @@ -114,11 +114,12 @@ func copyProxyConfig(ns *structs.NodeService) (structs.ConnectProxyConfig, error for idx := range proxyCfg.Upstreams { us := &proxyCfg.Upstreams[idx] if us.DestinationType != structs.UpstreamDestTypePreparedQuery && us.DestinationNamespace == "" { - // default the upstreams target namespace to the namespace of the proxy + // default the upstreams target namespace and partition to those of the proxy // doing this here prevents needing much more complex logic a bunch of other // places and makes tracking these upstreams simpler as we can dedup them // with the maps tracking upstream ids being watched. proxyCfg.Upstreams[idx].DestinationNamespace = ns.EnterpriseMeta.NamespaceOrDefault() + proxyCfg.Upstreams[idx].DestinationPartition = ns.EnterpriseMeta.PartitionOrDefault() } } diff --git a/agent/proxycfg/state_test.go b/agent/proxycfg/state_test.go index b4d1fc202f28..b172fdee8600 100644 --- a/agent/proxycfg/state_test.go +++ b/agent/proxycfg/state_test.go @@ -1686,6 +1686,7 @@ func TestState_WatchesAndUpdates(t *testing.T) { db.String(): { DestinationName: "db", DestinationNamespace: structs.IntentionDefaultNamespace, + DestinationPartition: structs.IntentionDefaultNamespace, }, } require.Equal(t, expectUpstreams, snap.ConnectProxy.UpstreamConfig) diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go index 276ea58f7558..1b1292d64b5b 100644 --- a/agent/xds/listeners.go +++ b/agent/xds/listeners.go @@ -107,17 +107,31 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. continue } + // RDS, Envoy's Route Discovery Service, is only used for HTTP services with a customized discovery chain. + useRDS := chain.Protocol != "tcp" && !chain.IsDefault() + + var clusterName string + if !useRDS { + // When not using RDS we must generate a cluster name to attach to the filter chain. + // With RDS, cluster names get attached to the dynamic routes instead. + target, err := simpleChainTarget(chain) + if err != nil { + return nil, err + } + clusterName = CustomizeClusterName(target.Name, chain) + } + + filterName := fmt.Sprintf("%s.%s.%s.%s", chain.ServiceName, chain.Namespace, chain.Partition, chain.Datacenter) + // Generate the upstream listeners for when they are explicitly set with a local bind port or socket path - if outboundListener == nil || (upstreamCfg != nil && upstreamCfg.HasLocalPortOrSocket()) { - filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( - id, - "", - cfg.Protocol, - upstreamCfg, - chain, - cfgSnap, - nil, - ) + if upstreamCfg != nil && upstreamCfg.HasLocalPortOrSocket() { + filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{ + routeName: id, + clusterName: clusterName, + filterName: filterName, + protocol: cfg.Protocol, + useRDS: useRDS, + }) if err != nil { return nil, err } @@ -135,15 +149,14 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. // The rest of this loop is used exclusively for transparent proxies. // Below we create a filter chain per upstream, rather than a listener per upstream // as we do for explicit upstreams above. - filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( - id, - "", - cfg.Protocol, - upstreamCfg, - chain, - cfgSnap, - nil, - ) + + filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{ + routeName: id, + clusterName: clusterName, + filterName: filterName, + protocol: cfg.Protocol, + useRDS: useRDS, + }) if err != nil { return nil, err } @@ -188,17 +201,13 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. DestinationPartition: sn.PartitionOrDefault(), } - filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( - "", - "passthrough~"+passthrough.SNI, + filterName := fmt.Sprintf("%s.%s.%s.%s", u.DestinationName, u.DestinationNamespace, u.DestinationPartition, cfgSnap.Datacenter) - // TODO(tproxy) This should use the protocol configured on the upstream's config entry - "tcp", - &u, - nil, - cfgSnap, - nil, - ) + filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{ + clusterName: "passthrough~" + passthrough.SNI, + filterName: filterName, + protocol: "tcp", + }) if err != nil { return nil, err } @@ -219,15 +228,11 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. if cfgSnap.ConnectProxy.MeshConfig == nil || !cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.MeshDestinationsOnly { - filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( - "", - OriginalDestinationClusterName, - "tcp", - nil, - nil, - cfgSnap, - nil, - ) + filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{ + clusterName: OriginalDestinationClusterName, + filterName: OriginalDestinationClusterName, + protocol: "tcp", + }) if err != nil { return nil, err } @@ -268,15 +273,13 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. upstreamListener := makeListener(id, u, envoy_core_v3.TrafficDirection_OUTBOUND) - filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( - id, - "", - cfg.Protocol, - u, - nil, - cfgSnap, - nil, - ) + filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{ + // TODO (SNI partition) add partition for upstream SNI + clusterName: connect.UpstreamSNI(u, "", cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain), + filterName: id, + routeName: id, + protocol: cfg.Protocol, + }) if err != nil { return nil, err } @@ -1212,112 +1215,32 @@ func (s *ResourceGenerator) makeMeshGatewayListener(name, addr string, port int, return l, nil } -func (s *ResourceGenerator) makeUpstreamFilterChainForDiscoveryChain( - id string, - overrideCluster string, - protocol string, - u *structs.Upstream, - chain *structs.CompiledDiscoveryChain, - cfgSnap *proxycfg.ConfigSnapshot, - tlsContext *envoy_tls_v3.DownstreamTlsContext, -) (*envoy_listener_v3.FilterChain, error) { - // TODO (freddy) Make this actually legible - useRDS := true - - var ( - clusterName string - destination, datacenter, partition, namespace string - ) - - // TODO (SNI partition) add partition for SNI - if chain != nil { - destination, datacenter, partition, namespace = chain.ServiceName, chain.Datacenter, chain.Partition, chain.Namespace - } - if (chain == nil || chain.IsDefault()) && u != nil { - useRDS = false - - if datacenter == "" { - datacenter = u.Datacenter - } - if datacenter == "" { - datacenter = cfgSnap.Datacenter - } - if destination == "" { - destination = u.DestinationName - } - if partition == "" { - partition = u.DestinationPartition - } - if namespace == "" { - namespace = u.DestinationNamespace - } - - sni := connect.UpstreamSNI(u, "", datacenter, cfgSnap.Roots.TrustDomain) - clusterName = CustomizeClusterName(sni, chain) - - } else { - if protocol == "tcp" && chain != nil { - useRDS = false - - startNode := chain.Nodes[chain.StartNode] - if startNode == nil { - return nil, fmt.Errorf("missing first node in compiled discovery chain for: %s", chain.ServiceName) - } - if startNode.Type != structs.DiscoveryGraphNodeTypeResolver { - return nil, fmt.Errorf("unexpected first node in discovery chain using protocol=%q: %s", protocol, startNode.Type) - } - targetID := startNode.Resolver.Target - target := chain.Targets[targetID] - - clusterName = CustomizeClusterName(target.Name, chain) - } - } - - // Default the namespace to match how SNIs are generated - if namespace == "" { - namespace = structs.IntentionDefaultNamespace - } - - // Default the partition to match how SNIs are generated - if partition == "" { - partition = structs.IntentionDefaultNamespace - } - - filterName := fmt.Sprintf("%s.%s.%s.%s", destination, namespace, partition, datacenter) - if u != nil && u.DestinationType == structs.UpstreamDestTypePreparedQuery { - // Avoid encoding dc and namespace for prepared queries. - // Those are defined in the query itself and are not available here. - filterName = id - } - if overrideCluster != "" { - useRDS = false - clusterName = overrideCluster - - if destination == "" { - filterName = overrideCluster - } - } +type filterChainOpts struct { + routeName string + clusterName string + filterName string + protocol string + useRDS bool + tlsContext *envoy_tls_v3.DownstreamTlsContext +} - opts := listenerFilterOpts{ - useRDS: useRDS, - protocol: protocol, - filterName: filterName, - routeName: id, - cluster: clusterName, - statPrefix: "upstream.", - routePath: "", - ingressGateway: false, - httpAuthzFilter: nil, - } - filter, err := makeListenerFilter(opts) +func (s *ResourceGenerator) makeUpstreamFilterChain(opts filterChainOpts) (*envoy_listener_v3.FilterChain, error) { + filter, err := makeListenerFilter(listenerFilterOpts{ + useRDS: opts.useRDS, + protocol: opts.protocol, + filterName: opts.filterName, + routeName: opts.routeName, + cluster: opts.clusterName, + statPrefix: "upstream.", + }) if err != nil { return nil, err } - transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext) + + transportSocket, err := makeDownstreamTLSTransportSocket(opts.tlsContext) if err != nil { return nil, err } - return &envoy_listener_v3.FilterChain{ Filters: []*envoy_listener_v3.Filter{ filter, @@ -1326,111 +1249,19 @@ func (s *ResourceGenerator) makeUpstreamFilterChainForDiscoveryChain( }, nil } -// TODO(freddy) Replace in favor of new function above. Currently in use for ingress gateways. -func (s *ResourceGenerator) makeUpstreamListenerForDiscoveryChain( - u *structs.Upstream, - address string, - chain *structs.CompiledDiscoveryChain, - cfgSnap *proxycfg.ConfigSnapshot, - tlsContext *envoy_tls_v3.DownstreamTlsContext, -) (proto.Message, error) { - - // Best understanding is this only makes sense for port listeners.... - if u.LocalBindSocketPath != "" { - return nil, fmt.Errorf("makeUpstreamListenerForDiscoveryChain not supported for unix domain sockets %s %+v", - address, u) +// simpleChainTarget returns the discovery target for a chain with a single node. +// A chain can have a single target if it is for a TCP service or an HTTP service without +// multiple splits/routes/failovers. +func simpleChainTarget(chain *structs.CompiledDiscoveryChain) (*structs.DiscoveryTarget, error) { + startNode := chain.Nodes[chain.StartNode] + if startNode == nil { + return nil, fmt.Errorf("missing first node in compiled discovery chain for: %s", chain.ServiceName) } - - upstreamID := u.Identifier() - l := makePortListenerWithDefault(upstreamID, address, u.LocalBindPort, envoy_core_v3.TrafficDirection_OUTBOUND) - cfg := s.getAndModifyUpstreamConfigForListener(upstreamID, u, chain) - if cfg.EnvoyListenerJSON != "" { - return makeListenerFromUserConfig(cfg.EnvoyListenerJSON) + if startNode.Type != structs.DiscoveryGraphNodeTypeResolver { + return nil, fmt.Errorf("expected discovery chain with single node, found unexpected start node: %s", startNode.Type) } - - useRDS := true - var ( - clusterName string - destination, datacenter, partition, namespace string - ) - if chain == nil || chain.IsDefault() { - useRDS = false - - dc := u.Datacenter - if dc == "" { - dc = cfgSnap.Datacenter - } - destination, datacenter, partition, namespace = u.DestinationName, dc, u.DestinationPartition, u.DestinationNamespace - - sni := connect.UpstreamSNI(u, "", dc, cfgSnap.Roots.TrustDomain) - clusterName = CustomizeClusterName(sni, chain) - - } else { - destination, datacenter, partition, namespace = chain.ServiceName, chain.Datacenter, chain.Partition, chain.Namespace - - if cfg.Protocol == "tcp" { - useRDS = false - - startNode := chain.Nodes[chain.StartNode] - if startNode == nil { - return nil, fmt.Errorf("missing first node in compiled discovery chain for: %s", chain.ServiceName) - } - if startNode.Type != structs.DiscoveryGraphNodeTypeResolver { - return nil, fmt.Errorf("unexpected first node in discovery chain using protocol=%q: %s", cfg.Protocol, startNode.Type) - } - targetID := startNode.Resolver.Target - target := chain.Targets[targetID] - - clusterName = CustomizeClusterName(target.Name, chain) - } - } - - // Default the namespace to match how SNIs are generated - if namespace == "" { - namespace = structs.IntentionDefaultNamespace - } - - // Default the partition to match how SNIs are generated - if partition == "" { - partition = structs.IntentionDefaultNamespace - } - filterName := fmt.Sprintf("%s.%s.%s.%s", destination, namespace, partition, datacenter) - - if u.DestinationType == structs.UpstreamDestTypePreparedQuery { - // Avoid encoding dc and namespace for prepared queries. - // Those are defined in the query itself and are not available here. - filterName = upstreamID - } - - opts := listenerFilterOpts{ - useRDS: useRDS, - protocol: cfg.Protocol, - filterName: filterName, - routeName: upstreamID, - cluster: clusterName, - statPrefix: "upstream.", - routePath: "", - httpAuthzFilter: nil, - } - filter, err := makeListenerFilter(opts) - if err != nil { - return nil, err - } - - transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext) - if err != nil { - return nil, err - } - - l.FilterChains = []*envoy_listener_v3.FilterChain{ - { - Filters: []*envoy_listener_v3.Filter{ - filter, - }, - TransportSocket: transportSocket, - }, - } - return l, nil + targetID := startNode.Resolver.Target + return chain.Targets[targetID], nil } func (s *ResourceGenerator) getAndModifyUpstreamConfigForListener(id string, u *structs.Upstream, chain *structs.CompiledDiscoveryChain) structs.UpstreamConfig { diff --git a/agent/xds/listeners_ingress.go b/agent/xds/listeners_ingress.go index 5a494fe99205..7668bd02ea89 100644 --- a/agent/xds/listeners_ingress.go +++ b/agent/xds/listeners_ingress.go @@ -2,7 +2,6 @@ package xds import ( "fmt" - envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" envoy_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" @@ -54,19 +53,47 @@ func (s *ResourceGenerator) makeIngressGatewayListeners(address string, cfgSnap id := u.Identifier() chain := cfgSnap.IngressGateway.DiscoveryChain[id] + if chain == nil { + // Wait until a chain is present in the snapshot. + continue + } + + cfg := s.getAndModifyUpstreamConfigForListener(id, &u, chain) - var upstreamListener proto.Message - upstreamListener, err := s.makeUpstreamListenerForDiscoveryChain( - &u, - address, - chain, - cfgSnap, - tlsContext, - ) + // RDS, Envoy's Route Discovery Service, is only used for HTTP services with a customized discovery chain. + // TODO(freddy): Why can the protocol of the listener be overridden here? + useRDS := cfg.Protocol != "tcp" && !chain.IsDefault() + + var clusterName string + if !useRDS { + // When not using RDS we must generate a cluster name to attach to the filter chain. + // With RDS, cluster names get attached to the dynamic routes instead. + target, err := simpleChainTarget(chain) + if err != nil { + return nil, err + } + clusterName = CustomizeClusterName(target.Name, chain) + } + + filterName := fmt.Sprintf("%s.%s.%s.%s", chain.ServiceName, chain.Namespace, chain.Partition, chain.Datacenter) + + l := makePortListenerWithDefault(id, address, u.LocalBindPort, envoy_core_v3.TrafficDirection_OUTBOUND) + filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{ + routeName: id, + useRDS: useRDS, + clusterName: clusterName, + filterName: filterName, + protocol: cfg.Protocol, + tlsContext: tlsContext, + }) if err != nil { return nil, err } - resources = append(resources, upstreamListener) + l.FilterChains = []*envoy_listener_v3.FilterChain{ + filterChain, + } + resources = append(resources, l) + } else { // If multiple upstreams share this port, make a special listener for the protocol. listener := makePortListener(listenerKey.Protocol, address, listenerKey.Port, envoy_core_v3.TrafficDirection_OUTBOUND) diff --git a/agent/xds/listeners_test.go b/agent/xds/listeners_test.go index aa7bf512a496..c082d41ea66d 100644 --- a/agent/xds/listeners_test.go +++ b/agent/xds/listeners_test.go @@ -259,6 +259,23 @@ func TestListenersFromSnapshot(t *testing.T) { create: proxycfg.TestConfigSnapshotDiscoveryChainWithFailoverThroughLocalGateway, setup: nil, }, + { + name: "connect-proxy-upstream-defaults", + create: proxycfg.TestConfigSnapshot, + setup: func(snap *proxycfg.ConfigSnapshot) { + for _, v := range snap.ConnectProxy.UpstreamConfig { + // Prepared queries do not get centrally configured upstream defaults merged into them. + if v.DestinationType == structs.UpstreamDestTypePreparedQuery { + continue + } + // Represent upstream config as if it came from centrally configured upstream defaults. + // The name/namespace must not make it onto the cluster name attached to the outbound listener. + v.CentrallyConfigured = true + v.DestinationNamespace = structs.WildcardSpecifier + v.DestinationName = structs.WildcardSpecifier + } + }, + }, { name: "expose-paths-local-app-paths", create: proxycfg.TestConfigSnapshotExposeConfig, @@ -567,7 +584,7 @@ func TestListenersFromSnapshot(t *testing.T) { snap.IngressGateway.Upstreams = map[proxycfg.IngressListenerKey]structs.Upstreams{ {Protocol: "tcp", Port: 8080}: { { - DestinationName: "foo", + DestinationName: "db", LocalBindPort: 8080, }, }, @@ -640,6 +657,30 @@ func TestListenersFromSnapshot(t *testing.T) { }, }, } + + // Every ingress upstream has an associated discovery chain in the snapshot + secureChain := discoverychain.TestCompileConfigEntries( + t, + "secure", + "default", + "default", + "dc1", + connect.TestClusterID+".consul", + nil, + ) + snap.IngressGateway.DiscoveryChain["secure"] = secureChain + + insecureChain := discoverychain.TestCompileConfigEntries( + t, + "insecure", + "default", + "default", + "dc1", + connect.TestClusterID+".consul", + nil, + ) + snap.IngressGateway.DiscoveryChain["insecure"] = insecureChain + snap.IngressGateway.Listeners = map[proxycfg.IngressListenerKey]structs.IngressListener{ {Protocol: "tcp", Port: 8080}: { Port: 8080, diff --git a/agent/xds/testdata/listeners/connect-proxy-upstream-defaults.envoy-1-20-x.golden b/agent/xds/testdata/listeners/connect-proxy-upstream-defaults.envoy-1-20-x.golden new file mode 100644 index 000000000000..57d50f71c367 --- /dev/null +++ b/agent/xds/testdata/listeners/connect-proxy-upstream-defaults.envoy-1-20-x.golden @@ -0,0 +1,119 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.db.default.default.dc1", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.prepared_query_geo-cache", + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "public_listener:0.0.0.0:9999", + "address": { + "socketAddress": { + "address": "0.0.0.0", + "portValue": 9999 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": { + + }, + "statPrefix": "connect_authz" + } + }, + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "public_listener", + "cluster": "local_app" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + } + } + } + ], + "trafficDirection": "INBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.envoy-1-20-x.golden b/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.envoy-1-20-x.golden index 8e223cf3ea71..aabf3d6f9884 100644 --- a/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.envoy-1-20-x.golden +++ b/agent/xds/testdata/listeners/ingress-with-sds-listener-listener-level.envoy-1-20-x.golden @@ -3,7 +3,7 @@ "resources": [ { "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", - "name": "foo:1.2.3.4:8080", + "name": "db:1.2.3.4:8080", "address": { "socketAddress": { "address": "1.2.3.4", @@ -17,8 +17,8 @@ "name": "envoy.filters.network.tcp_proxy", "typedConfig": { "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", - "statPrefix": "upstream.foo.default.default.dc1", - "cluster": "foo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + "statPrefix": "upstream.db.default.default.dc1", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" } } ],