Allow connections through Terminating Gateways from peered clusters NET-3463 #18959

Merged Oct 5, 2023 (10 commits)

@t-eckert t-eckert commented Sep 21, 2023

Description

This PR enables services in one datacenter to access resources through a terminating gateway in another datacenter over cluster peering.

In the diagram below, previously only backend could reach Google. Now frontend can also reach Google.

__ dc1 ________________          __ dc2 ________________
|  ____________       |          |  ___________        |
|  |          |       |          |  |         |        |
|  | frontend |       |          |  | backend |        |
|  |__________|       |          |  |_________|        |
|        |            |          |         |           |
|        |    ___________     ___________  |  _______________    __________
|        |    |         |     |         |  -->|             |    |        |
|        ---->|  Mesh   |---->|  Mesh   |---->| Terminating |--->| Google |
|             | Gateway |     | Gateway |     |   Gateway   |    |________|
|             |_________|     |_________|     |_____________|
|                     |          |                     |
|_____________________|          |_____________________|

  • Add InboundPeerTrustBundle maps to Terminating Gateway
  • Add notify and cancelation of watch for inbound peer trust bundles
  • Pass peer trust bundles to the RBAC creation function
  • Regenerate Golden Files

Testing & Reproduction steps

I tested this using Kubernetes with this set of configuration files.

Links

PR Checklist

  • updated test coverage
  • appropriate backport labels added
  • not a security concern
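
An added illustration, not code from this PR or from Consul: a model of why the RBAC creation function needs the peer trust bundles before a peered caller such as frontend can be authorized at the terminating gateway. The types, the function name, the SPIFFE path layout and the trust domains are assumptions made for the example, as is the premise that a peer-sourced intention can only become a principal when the peer's trust domain is known.

```go
package main

import (
	"fmt"
	"sort"
)

// Intention is a hypothetical, reduced allow rule for one source service,
// optionally coming from a named peer (empty means the local cluster).
type Intention struct {
	SourceService string
	SourcePeer    string
}

// TrustBundle is a hypothetical stand-in for an inbound peer trust bundle;
// only the trust domain is needed to name the caller's identity.
type TrustBundle struct {
	TrustDomain string
}

// allowedPrincipals returns the SPIFFE IDs the gateway's RBAC would accept.
// A peer-sourced intention with no matching bundle produces no principal,
// so that caller stays denied (fail closed).
func allowedPrincipals(ixns []Intention, localDomain string, peers map[string]TrustBundle) []string {
	var out []string
	for _, ixn := range ixns {
		domain := localDomain
		if ixn.SourcePeer != "" {
			b, ok := peers[ixn.SourcePeer]
			if !ok {
				continue // trust domain unknown: the identity cannot be named
			}
			domain = b.TrustDomain
		}
		// Assumed ID layout: spiffe://<trust domain>/svc/<service>
		out = append(out, fmt.Sprintf("spiffe://%s/svc/%s", domain, ixn.SourceService))
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed intentions and trust domains, matching the diagram's names.
	ixns := []Intention{{SourceService: "backend"}, {SourceService: "frontend", SourcePeer: "dc1"}}
	fmt.Println(allowedPrincipals(ixns, "dc2.example", nil))
	fmt.Println(allowedPrincipals(ixns, "dc2.example",
		map[string]TrustBundle{"dc1": {TrustDomain: "dc1.example"}}))
}
```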

@github-actions github-actions bot added the theme/envoy/xds Related to Envoy support label Sep 21, 2023
@missylbytes missylbytes changed the title from "Allow connections through Terminating Gateways from peered clusters" to "Allow connections through Terminating Gateways from peered clusters NET-3463" Sep 26, 2023
@missylbytes missylbytes marked this pull request as ready for review September 29, 2023 18:17
@missylbytes missylbytes added backport/1.15 This release series is no longer active on CE. Use backport/ent/1.15. backport/1.16 This release series is no longer active on CE. Use backport/ent/1.16. labels Sep 29, 2023

t-eckert commented Oct 2, 2023

@andrewstucki should I add a golden file for this change? If so, can we pair on that process?

@nathancoleman nathancoleman enabled auto-merge (squash) October 5, 2023 21:02
@nathancoleman nathancoleman merged commit 342306c into main Oct 5, 2023
87 checks passed
@nathancoleman nathancoleman deleted the termgw-httpfilters branch October 5, 2023 21:54
nathancoleman pushed a commit that referenced this pull request Oct 5, 2023
…ET-3463 (#18959)

* Add InboundPeerTrustBundle maps to Terminating Gateway

* Add notify and cancelation of watch for inbound peer trust bundles

* Pass peer trust bundles to the RBAC creation function

* Regenerate Golden Files

* add changelog, also adds another spot that needed peeredTrustBundles

* Add basic test for terminating gateway with peer trust bundle

* Add intention to cluster peered golden test

* rerun codegen

* update changelog

* really update the changelog

---------

Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>
nathancoleman pushed a commit that referenced this pull request Oct 5, 2023
…d clusters NET-3463 into release/1.15.x (#19091)

Allow connections through Terminating Gateways from peered clusters NET-3463 (#18959)

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>
nathancoleman pushed a commit that referenced this pull request Oct 5, 2023
…d clusters NET-3463 into release/1.16.x (#19092)

Allow connections through Terminating Gateways from peered clusters NET-3463 (#18959)

Co-authored-by: Thomas Eckert <teckert@hashicorp.com>
Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>
jmurret pushed a commit that referenced this pull request Oct 12, 2023
…ET-3463 (#18959)

Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>