From 168073c4dc013c081acc31c743400b5bed7e98b0 Mon Sep 17 00:00:00 2001 From: Freddy Date: Wed, 9 Jun 2021 14:34:17 -0600 Subject: [PATCH] Add flag for transparent proxies to dial individual instances (#10329) --- .changelog/10329.txt | 3 + agent/agent_endpoint_test.go | 4 +- agent/config/builder.go | 1 + agent/config/config.go | 7 +- agent/config/runtime_test.go | 31 ++- agent/config/testdata/full-config.hcl | 1 + agent/config/testdata/full-config.json | 3 +- agent/consul/config_endpoint.go | 3 + agent/consul/config_endpoint_test.go | 61 ++-- agent/proxycfg/manager_test.go | 2 + agent/proxycfg/snapshot.go | 13 + agent/proxycfg/state.go | 74 ++++- agent/proxycfg/state_test.go | 83 +++++- agent/service_manager.go | 3 + agent/service_manager_test.go | 31 ++- agent/structs/connect_proxy_config.go | 13 +- agent/structs/discovery_chain.go | 5 + agent/structs/structs_filtering_test.go | 5 + agent/xds/clusters.go | 72 ++++- agent/xds/clusters_test.go | 50 +++- agent/xds/listeners.go | 107 ++++--- agent/xds/listeners_test.go | 55 ++++ agent/xds/server.go | 5 +- ...log-destinations-only.envoy-1-18-x.golden} | 0 ...nations-only.v2compat.envoy-1-16-x.golden} | 0 ...ial-instances-directly.envoy-1-18-x.golden | 260 ++++++++++++++++++ ...nces-directly.v2compat.envoy-1-16-x.golden | 260 ++++++++++++++++++ ...ial-instances-directly.envoy-1-18-x.golden | 213 ++++++++++++++ ...nces-directly.v2compat.envoy-1-16-x.golden | 213 ++++++++++++++ api/config_entry.go | 5 + api/config_entry_test.go | 20 +- command/config/write/config_write_test.go | 19 +- command/connect/envoy/bootstrap_config.go | 19 +- ..._ADDR-with-https-scheme-enables-tls.golden | 18 +- .../envoy/testdata/access-log-path.golden | 18 +- .../connect/envoy/testdata/defaults.golden | 18 +- .../envoy/testdata/existing-ca-file.golden | 18 +- .../envoy/testdata/existing-ca-path.golden | 18 +- .../envoy/testdata/extra_-multiple.golden | 18 +- .../envoy/testdata/extra_-single.golden | 18 +- .../envoy/testdata/grpc-addr-config.golden | 18 +- .../envoy/testdata/grpc-addr-env.golden | 18 +- .../envoy/testdata/grpc-addr-flag.golden | 18 +- .../envoy/testdata/grpc-addr-unix.golden | 18 +- .../ingress-gateway-address-specified.golden | 18 +- .../ingress-gateway-no-auto-register.golden | 18 +- ...-register-with-service-and-proxy-id.golden | 18 +- ...ister-with-service-without-proxy-id.golden | 18 +- .../envoy/testdata/ingress-gateway.golden | 18 +- .../envoy/testdata/prometheus-metrics.golden | 18 +- .../connect/envoy/testdata/token-arg.golden | 18 +- .../connect/envoy/testdata/token-env.golden | 18 +- .../envoy/testdata/token-file-arg.golden | 18 +- .../envoy/testdata/token-file-env.golden | 18 +- .../testdata/zipkin-tracing-config.golden | 18 +- proto/pbservice/service.gen.go | 2 + proto/pbservice/service.pb.go | 188 ++++++++----- proto/pbservice/service.proto | 5 + .../docs/connect/config-entries/mesh.mdx | 3 +- .../connect/config-entries/proxy-defaults.mdx | 8 + .../config-entries/service-defaults.mdx | 8 + .../registration/service-registration.mdx | 10 +- .../docs/connect/transparent-proxy.mdx | 23 +- 63 files changed, 1880 insertions(+), 404 deletions(-) create mode 100644 .changelog/10329.txt rename agent/xds/testdata/clusters/{transparent-proxy catalog destinations only.envoy-1-18-x.golden => transparent-proxy-catalog-destinations-only.envoy-1-18-x.golden} (100%) rename agent/xds/testdata/clusters/{transparent-proxy catalog destinations only.v2compat.envoy-1-16-x.golden => transparent-proxy-catalog-destinations-only.v2compat.envoy-1-16-x.golden} (100%) create mode 100644 agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden create mode 100644 agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden create mode 100644 agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden create mode 100644 agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden diff --git a/.changelog/10329.txt b/.changelog/10329.txt new file mode 100644 index 000000000000..1e7cc6723509 --- /dev/null +++ b/.changelog/10329.txt @@ -0,0 +1,3 @@ +```release-note:improvement +connect: Support dialing individual service IP addresses through transparent proxies. +``` \ No newline at end of file diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go index 50350e7619c7..5835ca4cf289 100644 --- a/agent/agent_endpoint_test.go +++ b/agent/agent_endpoint_test.go @@ -399,7 +399,7 @@ func TestAgent_Service(t *testing.T) { Service: "web-sidecar-proxy", Port: 8000, Proxy: expectProxy.ToAPI(), - ContentHash: "9dcdedfd5047d46e", + ContentHash: "518ece989813bc13", Weights: api.AgentWeights{ Passing: 1, Warning: 1, @@ -413,7 +413,7 @@ func TestAgent_Service(t *testing.T) { // Copy and modify updatedResponse := *expectedResponse updatedResponse.Port = 9999 - updatedResponse.ContentHash = "a08487ca7854c7cc" + updatedResponse.ContentHash = "6cc7a4afb000afb1" // Simple response for non-proxy service registered in TestAgent config expectWebResponse := &api.AgentService{ diff --git a/agent/config/builder.go b/agent/config/builder.go index f4e0c33b8d55..f954caee507b 100644 --- a/agent/config/builder.go +++ b/agent/config/builder.go @@ -1764,6 +1764,7 @@ func (b *builder) transparentProxyConfVal(tproxyConf *TransparentProxyConfig) st } out.OutboundListenerPort = intVal(tproxyConf.OutboundListenerPort) + out.DialedDirectly = boolVal(tproxyConf.DialedDirectly) return out } diff --git a/agent/config/config.go b/agent/config/config.go index e8e344e5896a..e61c2ed5f8c8 100644 --- a/agent/config/config.go +++ b/agent/config/config.go @@ -545,8 +545,13 @@ type MeshGatewayConfig struct { } type TransparentProxyConfig struct { - // Mesh Gateway Mode + // The port of the listener where outbound application traffic is being redirected to. OutboundListenerPort *int `mapstructure:"outbound_listener_port"` + + // DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + // The discovery chain is not considered when dialing a service instance directly. + // This setting is useful when addressing stateful services, such as a database cluster with a leader node. + DialedDirectly *bool `mapstructure:"dialed_directly"` } // ExposeConfig describes HTTP paths to expose through Envoy outside of Connect. diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 397e49e931c4..1a2f318a201b 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -2584,7 +2584,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { }, "mode": "transparent", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true }, "upstreams": [ { @@ -2630,6 +2631,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { mode = "transparent" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } upstreams = [ { @@ -2678,6 +2680,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, Upstreams: structs.Upstreams{ structs.Upstream{ @@ -2741,7 +2744,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { }, "mode": "transparent", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true }, "upstreams": [ { @@ -2782,6 +2786,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { mode = "transparent" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } upstreams = [ { @@ -2825,6 +2830,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, Upstreams: structs.Upstreams{ structs.Upstream{ @@ -3471,7 +3477,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { }, "mode": "transparent", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true } } ] @@ -3494,6 +3501,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { mode = "transparent" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } } }`}, @@ -3516,6 +3524,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, } @@ -3541,7 +3550,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { }, "Mode": "transparent", "TransparentProxy": { - "OutboundListenerPort": 10101 + "OutboundListenerPort": 10101, + "DialedDirectly": true } } ] @@ -3564,6 +3574,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode = "transparent" TransparentProxy = { OutboundListenerPort = 10101 + DialedDirectly = true } } }`}, @@ -3586,6 +3597,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, } @@ -3611,7 +3623,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { }, "mode": "transparent", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true } } ] @@ -3634,6 +3647,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { mode = "transparent" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } } }`}, @@ -3656,6 +3670,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, } @@ -3681,7 +3696,8 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { }, "Mode": "transparent", "TransparentProxy": { - "OutboundListenerPort": 10101 + "OutboundListenerPort": 10101, + "DialedDirectly": true } } ] @@ -3704,6 +3720,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode = "transparent" TransparentProxy = { OutboundListenerPort = 10101 + DialedDirectly = true } } }`}, @@ -3726,6 +3743,7 @@ func TestLoad_IntegrationWithFlags(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, } @@ -5670,6 +5688,7 @@ func TestLoad_FullConfig(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, Weights: &structs.Weights{ diff --git a/agent/config/testdata/full-config.hcl b/agent/config/testdata/full-config.hcl index f8344a2f594c..0cc708a70136 100644 --- a/agent/config/testdata/full-config.hcl +++ b/agent/config/testdata/full-config.hcl @@ -602,6 +602,7 @@ services = [ mode = "transparent" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } } }, diff --git a/agent/config/testdata/full-config.json b/agent/config/testdata/full-config.json index 619347bb2fc4..adb3a7cfa9f7 100644 --- a/agent/config/testdata/full-config.json +++ b/agent/config/testdata/full-config.json @@ -575,7 +575,8 @@ }, "mode": "transparent", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true }, "upstreams": [ { diff --git a/agent/consul/config_endpoint.go b/agent/consul/config_endpoint.go index 9b3de77a8969..0fcecca18e0c 100644 --- a/agent/consul/config_endpoint.go +++ b/agent/consul/config_endpoint.go @@ -396,6 +396,9 @@ func (c *ConfigEntry) ResolveServiceConfig(args *structs.ServiceConfigRequest, r if serviceConf.TransparentProxy.OutboundListenerPort != 0 { thisReply.TransparentProxy.OutboundListenerPort = serviceConf.TransparentProxy.OutboundListenerPort } + if serviceConf.TransparentProxy.DialedDirectly { + thisReply.TransparentProxy.DialedDirectly = serviceConf.TransparentProxy.DialedDirectly + } if serviceConf.Mode != structs.ProxyModeDefault { thisReply.Mode = serviceConf.Mode } diff --git a/agent/consul/config_endpoint_test.go b/agent/consul/config_endpoint_test.go index 527018ee0fae..f946605985b2 100644 --- a/agent/consul/config_endpoint_test.go +++ b/agent/consul/config_endpoint_test.go @@ -911,10 +911,13 @@ func TestConfigEntry_ResolveServiceConfig_TransparentProxy(t *testing.T) { name: "from proxy-defaults", entries: []structs.ConfigEntry{ &structs.ProxyConfigEntry{ - Kind: structs.ProxyDefaults, - Name: structs.ProxyConfigGlobal, - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Kind: structs.ProxyDefaults, + Name: structs.ProxyConfigGlobal, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: true, + }, }, }, request: structs.ServiceConfigRequest{ @@ -922,8 +925,11 @@ func TestConfigEntry_ResolveServiceConfig_TransparentProxy(t *testing.T) { Datacenter: "dc1", }, expect: structs.ServiceConfigResponse{ - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: true, + }, }, }, { @@ -949,16 +955,22 @@ func TestConfigEntry_ResolveServiceConfig_TransparentProxy(t *testing.T) { name: "service-defaults overrides proxy-defaults", entries: []structs.ConfigEntry{ &structs.ProxyConfigEntry{ - Kind: structs.ProxyDefaults, - Name: structs.ProxyConfigGlobal, - Mode: structs.ProxyModeDirect, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Kind: structs.ProxyDefaults, + Name: structs.ProxyConfigGlobal, + Mode: structs.ProxyModeDirect, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: false, + }, }, &structs.ServiceConfigEntry{ - Kind: structs.ServiceDefaults, - Name: "foo", - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 808}, + Kind: structs.ServiceDefaults, + Name: "foo", + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 808, + DialedDirectly: true, + }, }, }, request: structs.ServiceConfigRequest{ @@ -966,8 +978,11 @@ func TestConfigEntry_ResolveServiceConfig_TransparentProxy(t *testing.T) { Datacenter: "dc1", }, expect: structs.ServiceConfigResponse{ - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 808}, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 808, + DialedDirectly: true, + }, }, }, } @@ -1303,8 +1318,11 @@ func TestConfigEntry_ResolveServiceConfig_Upstreams(t *testing.T) { }, // TransparentProxy on the config entry but not the config request - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: true, + }, }, }, request: structs.ServiceConfigRequest{ @@ -1314,8 +1332,11 @@ func TestConfigEntry_ResolveServiceConfig_Upstreams(t *testing.T) { // Empty Upstreams/UpstreamIDs }, expect: structs.ServiceConfigResponse{ - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: true, + }, UpstreamIDConfigs: structs.OpaqueUpstreamConfigs{ { Upstream: wildcard, diff --git a/agent/proxycfg/manager_test.go b/agent/proxycfg/manager_test.go index 88f15a06ded4..268bf3ee7d81 100644 --- a/agent/proxycfg/manager_test.go +++ b/agent/proxycfg/manager_test.go @@ -237,6 +237,7 @@ func TestManager_BasicLifecycle(t *testing.T) { upstreams[1].Identifier(): &upstreams[1], upstreams[2].Identifier(): &upstreams[2], }, + PassthroughUpstreams: map[string]ServicePassthroughAddrs{}, }, PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{}, WatchedServiceChecks: map[structs.ServiceID][]structs.CheckType{}, @@ -293,6 +294,7 @@ func TestManager_BasicLifecycle(t *testing.T) { upstreams[1].Identifier(): &upstreams[1], upstreams[2].Identifier(): &upstreams[2], }, + PassthroughUpstreams: map[string]ServicePassthroughAddrs{}, }, PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{}, WatchedServiceChecks: map[structs.ServiceID][]structs.CheckType{}, diff --git a/agent/proxycfg/snapshot.go b/agent/proxycfg/snapshot.go index c7674186a4a2..991ef38fdf1c 100644 --- a/agent/proxycfg/snapshot.go +++ b/agent/proxycfg/snapshot.go @@ -47,6 +47,18 @@ type ConfigSnapshotUpstreams struct { // UpstreamConfig is a map to an upstream's configuration. UpstreamConfig map[string]*structs.Upstream + + // PassthroughEndpoints is a map of: ServiceName -> ServicePassthroughAddrs. + PassthroughUpstreams map[string]ServicePassthroughAddrs +} + +// ServicePassthroughAddrs contains the LAN addrs +type ServicePassthroughAddrs struct { + // SNI is the Service SNI of the upstream. + SNI string + + // Addrs is a set of the best LAN addresses for the instances of the upstream. + Addrs map[string]struct{} } type configSnapshotConnectProxy struct { @@ -80,6 +92,7 @@ func (c *configSnapshotConnectProxy) IsEmpty() bool { len(c.WatchedServiceChecks) == 0 && len(c.PreparedQueryEndpoints) == 0 && len(c.UpstreamConfig) == 0 && + len(c.PassthroughUpstreams) == 0 && !c.MeshConfigSet } diff --git a/agent/proxycfg/state.go b/agent/proxycfg/state.go index f53f46086d46..63269378fadb 100644 --- a/agent/proxycfg/state.go +++ b/agent/proxycfg/state.go @@ -15,6 +15,7 @@ import ( "github.com/hashicorp/consul/agent/cache" cachetype "github.com/hashicorp/consul/agent/cache-types" + "github.com/hashicorp/consul/agent/connect" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/logging" ) @@ -582,6 +583,7 @@ func (s *state) initialConfigSnapshot() ConfigSnapshot { snap.ConnectProxy.WatchedServiceChecks = make(map[structs.ServiceID][]structs.CheckType) snap.ConnectProxy.PreparedQueryEndpoints = make(map[string]structs.CheckServiceNodes) snap.ConnectProxy.UpstreamConfig = make(map[string]*structs.Upstream) + snap.ConnectProxy.PassthroughUpstreams = make(map[string]ServicePassthroughAddrs) case structs.ServiceKindTerminatingGateway: snap.TerminatingGateway.WatchedServices = make(map[structs.ServiceName]context.CancelFunc) snap.TerminatingGateway.WatchedIntentions = make(map[structs.ServiceName]context.CancelFunc) @@ -885,23 +887,28 @@ func (s *state) handleUpdateConnectProxy(u cache.UpdateEvent, snap *ConfigSnapsh snap.ConnectProxy.MeshConfigSet = true default: - return s.handleUpdateUpstreams(u, &snap.ConnectProxy.ConfigSnapshotUpstreams) + return s.handleUpdateUpstreams(u, snap) } return nil } -func (s *state) handleUpdateUpstreams(u cache.UpdateEvent, snap *ConfigSnapshotUpstreams) error { +func (s *state) handleUpdateUpstreams(u cache.UpdateEvent, snap *ConfigSnapshot) error { if u.Err != nil { return fmt.Errorf("error filling agent cache: %v", u.Err) } + upstreamsSnapshot := &snap.ConnectProxy.ConfigSnapshotUpstreams + if snap.Kind == structs.ServiceKindIngressGateway { + upstreamsSnapshot = &snap.IngressGateway.ConfigSnapshotUpstreams + } + switch { case u.CorrelationID == leafWatchID: leaf, ok := u.Result.(*structs.IssuedCert) if !ok { return fmt.Errorf("invalid type for response: %T", u.Result) } - snap.Leaf = leaf + upstreamsSnapshot.Leaf = leaf case strings.HasPrefix(u.CorrelationID, "discovery-chain:"): resp, ok := u.Result.(*structs.DiscoveryChainResponse) @@ -909,9 +916,9 @@ func (s *state) handleUpdateUpstreams(u cache.UpdateEvent, snap *ConfigSnapshotU return fmt.Errorf("invalid type for response: %T", u.Result) } svc := strings.TrimPrefix(u.CorrelationID, "discovery-chain:") - snap.DiscoveryChain[svc] = resp.Chain + upstreamsSnapshot.DiscoveryChain[svc] = resp.Chain - if err := s.resetWatchesFromChain(svc, resp.Chain, snap); err != nil { + if err := s.resetWatchesFromChain(svc, resp.Chain, upstreamsSnapshot); err != nil { return err } @@ -926,10 +933,53 @@ func (s *state) handleUpdateUpstreams(u cache.UpdateEvent, snap *ConfigSnapshotU return fmt.Errorf("invalid correlation id %q", u.CorrelationID) } - if _, ok := snap.WatchedUpstreamEndpoints[svc]; !ok { - snap.WatchedUpstreamEndpoints[svc] = make(map[string]structs.CheckServiceNodes) + if _, ok := upstreamsSnapshot.WatchedUpstreamEndpoints[svc]; !ok { + upstreamsSnapshot.WatchedUpstreamEndpoints[svc] = make(map[string]structs.CheckServiceNodes) + } + upstreamsSnapshot.WatchedUpstreamEndpoints[svc][targetID] = resp.Nodes + + var passthroughAddrs map[string]ServicePassthroughAddrs + + for _, node := range resp.Nodes { + if snap.Proxy.Mode == structs.ProxyModeTransparent && node.Service.Proxy.TransparentProxy.DialedDirectly { + if passthroughAddrs == nil { + passthroughAddrs = make(map[string]ServicePassthroughAddrs) + } + + svc := node.Service.CompoundServiceName() + + // Overwrite the name if it's a connect proxy (as opposed to Connect native). + // We don't reference the proxy name directly for things like SNI, but rather the name + // of the destination. The enterprise meta of a proxy will always be the same as that of + // the destination service, so that remains intact. + if node.Service.Kind == structs.ServiceKindConnectProxy { + dst := node.Service.Proxy.DestinationServiceName + if dst == "" { + dst = node.Service.Proxy.DestinationServiceID + } + svc.Name = dst + } + + sni := connect.ServiceSNI( + svc.Name, + "", + svc.NamespaceOrDefault(), + snap.Datacenter, + snap.Roots.TrustDomain) + + if _, ok := upstreamsSnapshot.PassthroughUpstreams[svc.String()]; !ok { + upstreamsSnapshot.PassthroughUpstreams[svc.String()] = ServicePassthroughAddrs{ + SNI: sni, + + // Stored in a set because it's possible for these to be duplicated + // when the upstream-target is targeted by multiple discovery chains. + Addrs: make(map[string]struct{}), + } + } + addr, _ := node.BestAddress(false) + upstreamsSnapshot.PassthroughUpstreams[svc.String()].Addrs[addr] = struct{}{} + } } - snap.WatchedUpstreamEndpoints[svc][targetID] = resp.Nodes case strings.HasPrefix(u.CorrelationID, "mesh-gateway:"): resp, ok := u.Result.(*structs.IndexedNodesWithGateways) @@ -941,10 +991,10 @@ func (s *state) handleUpdateUpstreams(u cache.UpdateEvent, snap *ConfigSnapshotU if !ok { return fmt.Errorf("invalid correlation id %q", u.CorrelationID) } - if _, ok = snap.WatchedGatewayEndpoints[svc]; !ok { - snap.WatchedGatewayEndpoints[svc] = make(map[string]structs.CheckServiceNodes) + if _, ok = upstreamsSnapshot.WatchedGatewayEndpoints[svc]; !ok { + upstreamsSnapshot.WatchedGatewayEndpoints[svc] = make(map[string]structs.CheckServiceNodes) } - snap.WatchedGatewayEndpoints[svc][dc] = resp.Nodes + upstreamsSnapshot.WatchedGatewayEndpoints[svc][dc] = resp.Nodes default: return fmt.Errorf("unknown correlation ID: %s", u.CorrelationID) } @@ -1703,7 +1753,7 @@ func (s *state) handleUpdateIngressGateway(u cache.UpdateEvent, snap *ConfigSnap } default: - return s.handleUpdateUpstreams(u, &snap.IngressGateway.ConfigSnapshotUpstreams) + return s.handleUpdateUpstreams(u, snap) } return nil diff --git a/agent/proxycfg/state_test.go b/agent/proxycfg/state_test.go index d2549d1a2ba1..22e99477e5a2 100644 --- a/agent/proxycfg/state_test.go +++ b/agent/proxycfg/state_test.go @@ -3,6 +3,7 @@ package proxycfg import ( "context" "fmt" + "github.com/hashicorp/consul/agent/connect" "sync" "testing" "time" @@ -1767,11 +1768,40 @@ func TestState_WatchesAndUpdates(t *testing.T) { { Node: &structs.Node{ Node: "node1", - Address: "127.0.0.1", + Address: "10.0.0.1", }, Service: &structs.NodeService{ - ID: "db1", - Service: "db", + Kind: structs.ServiceKindConnectProxy, + ID: "db-sidecar-proxy", + Service: "db-sidecar-proxy", + Address: "10.10.10.10", + TaggedAddresses: map[string]structs.ServiceAddress{ + structs.TaggedAddressWAN: {Address: "17.5.7.8"}, + structs.TaggedAddressWANIPv6: {Address: "2607:f0d0:1002:51::4"}, + }, + Proxy: structs.ConnectProxyConfig{ + DestinationServiceName: "db", + TransparentProxy: structs.TransparentProxyConfig{ + DialedDirectly: true, + }, + }, + }, + }, + { + Node: &structs.Node{ + Node: "node2", + Address: "10.0.0.2", + }, + Service: &structs.NodeService{ + Kind: structs.ServiceKindConnectProxy, + ID: "db-sidecar-proxy2", + Service: "db-sidecar-proxy", + Proxy: structs.ConnectProxyConfig{ + DestinationServiceName: "db", + TransparentProxy: structs.TransparentProxyConfig{ + DialedDirectly: true, + }, + }, }, }, }, @@ -1789,15 +1819,56 @@ func TestState_WatchesAndUpdates(t *testing.T) { { Node: &structs.Node{ Node: "node1", - Address: "127.0.0.1", + Address: "10.0.0.1", }, Service: &structs.NodeService{ - ID: "db1", - Service: "db", + Kind: structs.ServiceKindConnectProxy, + ID: "db-sidecar-proxy", + Service: "db-sidecar-proxy", + Address: "10.10.10.10", + TaggedAddresses: map[string]structs.ServiceAddress{ + structs.TaggedAddressWAN: {Address: "17.5.7.8"}, + structs.TaggedAddressWANIPv6: {Address: "2607:f0d0:1002:51::4"}, + }, + Proxy: structs.ConnectProxyConfig{ + DestinationServiceName: "db", + TransparentProxy: structs.TransparentProxyConfig{ + DialedDirectly: true, + }, + }, + }, + }, + { + Node: &structs.Node{ + Node: "node2", + Address: "10.0.0.2", + }, + Service: &structs.NodeService{ + Kind: structs.ServiceKindConnectProxy, + ID: "db-sidecar-proxy2", + Service: "db-sidecar-proxy", + Proxy: structs.ConnectProxyConfig{ + DestinationServiceName: "db", + TransparentProxy: structs.TransparentProxyConfig{ + DialedDirectly: true, + }, + }, }, }, }, ) + // The LAN service address is used below because transparent proxying + // does not support querying service nodes in other DCs, and the WAN address + // should not be used in DC-local calls. + require.Equal(t, snap.ConnectProxy.PassthroughUpstreams, map[string]ServicePassthroughAddrs{ + db.String(): { + SNI: connect.ServiceSNI("db", "", structs.IntentionDefaultNamespace, snap.Datacenter, snap.Roots.TrustDomain), + Addrs: map[string]struct{}{ + "10.10.10.10": {}, + "10.0.0.2": {}, + }, + }, + }) }, }, // Discovery chain updates should be stored diff --git a/agent/service_manager.go b/agent/service_manager.go index e67f30ce0da8..d112fc2d0694 100644 --- a/agent/service_manager.go +++ b/agent/service_manager.go @@ -383,6 +383,9 @@ func mergeServiceConfig(defaults *structs.ServiceConfigResponse, service *struct if ns.Proxy.TransparentProxy.OutboundListenerPort == 0 { ns.Proxy.TransparentProxy.OutboundListenerPort = defaults.TransparentProxy.OutboundListenerPort } + if !ns.Proxy.TransparentProxy.DialedDirectly { + ns.Proxy.TransparentProxy.DialedDirectly = defaults.TransparentProxy.DialedDirectly + } // remoteUpstreams contains synthetic Upstreams generated from central config (service-defaults.UpstreamConfigs). remoteUpstreams := make(map[structs.ServiceID]structs.Upstream) diff --git a/agent/service_manager_test.go b/agent/service_manager_test.go index 464b7087ecd6..41aabd22810e 100644 --- a/agent/service_manager_test.go +++ b/agent/service_manager_test.go @@ -953,6 +953,7 @@ func Test_mergeServiceConfig_UpstreamOverrides(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, Upstreams: structs.Upstreams{ structs.Upstream{ @@ -976,6 +977,7 @@ func Test_mergeServiceConfig_UpstreamOverrides(t *testing.T) { Mode: structs.ProxyModeTransparent, TransparentProxy: structs.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, Upstreams: structs.Upstreams{ structs.Upstream{ @@ -1197,8 +1199,11 @@ func Test_mergeServiceConfig_TransparentProxy(t *testing.T) { name: "inherit transparent proxy settings", args: args{ defaults: &structs.ServiceConfigResponse{ - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: true, + }, }, service: &structs.NodeService{ ID: "foo-proxy", @@ -1218,7 +1223,10 @@ func Test_mergeServiceConfig_TransparentProxy(t *testing.T) { DestinationServiceName: "foo", DestinationServiceID: "foo", Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: true, + }, }, }, }, @@ -1226,8 +1234,11 @@ func Test_mergeServiceConfig_TransparentProxy(t *testing.T) { name: "override transparent proxy settings", args: args{ defaults: &structs.ServiceConfigResponse{ - Mode: structs.ProxyModeTransparent, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 10101}, + Mode: structs.ProxyModeTransparent, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 10101, + DialedDirectly: false, + }, }, service: &structs.NodeService{ ID: "foo-proxy", @@ -1236,7 +1247,10 @@ func Test_mergeServiceConfig_TransparentProxy(t *testing.T) { DestinationServiceName: "foo", DestinationServiceID: "foo", Mode: structs.ProxyModeDirect, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 808}, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 808, + DialedDirectly: true, + }, }, }, }, @@ -1247,7 +1261,10 @@ func Test_mergeServiceConfig_TransparentProxy(t *testing.T) { DestinationServiceName: "foo", DestinationServiceID: "foo", Mode: structs.ProxyModeDirect, - TransparentProxy: structs.TransparentProxyConfig{OutboundListenerPort: 808}, + TransparentProxy: structs.TransparentProxyConfig{ + OutboundListenerPort: 808, + DialedDirectly: true, + }, }, }, }, diff --git a/agent/structs/connect_proxy_config.go b/agent/structs/connect_proxy_config.go index d55dacec1aea..20037a71d678 100644 --- a/agent/structs/connect_proxy_config.go +++ b/agent/structs/connect_proxy_config.go @@ -125,10 +125,18 @@ func ValidateProxyMode(mode string) (ProxyMode, error) { type TransparentProxyConfig struct { // The port of the listener where outbound application traffic is being redirected to. OutboundListenerPort int `json:",omitempty" alias:"outbound_listener_port"` + + // DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + // The discovery chain is not considered when dialing a service instance directly. + // This setting is useful when addressing stateful services, such as a database cluster with a leader node. + DialedDirectly bool `json:",omitempty" alias:"dialed_directly"` } func (c TransparentProxyConfig) ToAPI() *api.TransparentProxyConfig { - return &api.TransparentProxyConfig{OutboundListenerPort: c.OutboundListenerPort} + return &api.TransparentProxyConfig{ + OutboundListenerPort: c.OutboundListenerPort, + DialedDirectly: c.DialedDirectly, + } } // ConnectProxyConfig describes the configuration needed for any proxy managed @@ -225,6 +233,9 @@ func (t *ConnectProxyConfig) UnmarshalJSON(data []byte) (err error) { if t.TransparentProxy.OutboundListenerPort == 0 { t.TransparentProxy.OutboundListenerPort = aux.TransparentProxySnake.OutboundListenerPort } + if !t.TransparentProxy.DialedDirectly { + t.TransparentProxy.DialedDirectly = aux.TransparentProxySnake.DialedDirectly + } return nil diff --git a/agent/structs/discovery_chain.go b/agent/structs/discovery_chain.go index 42b8ebb60f23..ded0e1726026 100644 --- a/agent/structs/discovery_chain.go +++ b/agent/structs/discovery_chain.go @@ -94,6 +94,11 @@ func (c *CompiledDiscoveryChain) ID() string { return chainID("", c.ServiceName, c.Namespace, c.Datacenter) } +func (c *CompiledDiscoveryChain) CompoundServiceName() ServiceName { + entMeta := NewEnterpriseMeta(c.Namespace) + return NewServiceName(c.ServiceName, &entMeta) +} + const ( DiscoveryGraphNodeTypeRouter = "router" DiscoveryGraphNodeTypeSplitter = "splitter" diff --git a/agent/structs/structs_filtering_test.go b/agent/structs/structs_filtering_test.go index 6ac29cdba658..94ab53c61353 100644 --- a/agent/structs/structs_filtering_test.go +++ b/agent/structs/structs_filtering_test.go @@ -102,6 +102,11 @@ var expectedFieldConfigTransparentProxyConfig bexpr.FieldConfigurations = bexpr. CoerceFn: bexpr.CoerceInt, SupportedOperations: []bexpr.MatchOperator{bexpr.MatchEqual, bexpr.MatchNotEqual}, }, + "DialedDirectly": &bexpr.FieldConfiguration{ + StructFieldName: "DialedDirectly", + CoerceFn: bexpr.CoerceBool, + SupportedOperations: []bexpr.MatchOperator{bexpr.MatchEqual, bexpr.MatchNotEqual}, + }, } var expectedFieldConfigExposeConfig bexpr.FieldConfigurations = bexpr.FieldConfigurations{ diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go index d32fc57a473e..c473f33cde98 100644 --- a/agent/xds/clusters.go +++ b/agent/xds/clusters.go @@ -96,20 +96,12 @@ func (s *ResourceGenerator) clustersFromSnapshotConnectProxy(cfgSnap *proxycfg.C } clusters = append(clusters, appCluster) - // In transparent proxy mode there needs to be a passthrough cluster for traffic going to destinations - // that aren't in Consul's catalog. - if cfgSnap.Proxy.Mode == structs.ProxyModeTransparent && - (cfgSnap.ConnectProxy.MeshConfig == nil || - !cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.CatalogDestinationsOnly) { - - clusters = append(clusters, &envoy_cluster_v3.Cluster{ - Name: OriginalDestinationClusterName, - ClusterDiscoveryType: &envoy_cluster_v3.Cluster_Type{ - Type: envoy_cluster_v3.Cluster_ORIGINAL_DST, - }, - LbPolicy: envoy_cluster_v3.Cluster_CLUSTER_PROVIDED, - ConnectTimeout: ptypes.DurationProto(5 * time.Second), - }) + if cfgSnap.Proxy.Mode == structs.ProxyModeTransparent { + passthroughs, err := makePassthroughClusters(cfgSnap) + if err != nil { + return nil, fmt.Errorf("failed to make passthrough clusters for transparent proxy: %v", err) + } + clusters = append(clusters, passthroughs...) } for id, chain := range cfgSnap.ConnectProxy.DiscoveryChain { @@ -176,6 +168,58 @@ func makeExposeClusterName(destinationPort int) string { return fmt.Sprintf("exposed_cluster_%d", destinationPort) } +// In transparent proxy mode there are potentially multiple passthrough clusters added. +// The first is for destinations outside of Consul's catalog. This is for a plain TCP proxy. +// All of these use Envoy's ORIGINAL_DST listener filter, which forwards to the original +// destination address (before the iptables redirection). +// The rest are for destinations inside the mesh, which require certificates for mTLS. +func makePassthroughClusters(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error) { + // This size is an upper bound. + clusters := make([]proto.Message, 0, len(cfgSnap.ConnectProxy.PassthroughUpstreams)+1) + + if cfgSnap.ConnectProxy.MeshConfig == nil || + !cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.CatalogDestinationsOnly { + + clusters = append(clusters, &envoy_cluster_v3.Cluster{ + Name: OriginalDestinationClusterName, + ClusterDiscoveryType: &envoy_cluster_v3.Cluster_Type{ + Type: envoy_cluster_v3.Cluster_ORIGINAL_DST, + }, + LbPolicy: envoy_cluster_v3.Cluster_CLUSTER_PROVIDED, + ConnectTimeout: ptypes.DurationProto(5 * time.Second), + }) + } + + for _, passthrough := range cfgSnap.ConnectProxy.PassthroughUpstreams { + // Prefixed with passthrough to distinguish from non-passthrough clusters for the same upstream. + name := "passthrough~" + passthrough.SNI + + c := envoy_cluster_v3.Cluster{ + Name: name, + ClusterDiscoveryType: &envoy_cluster_v3.Cluster_Type{ + Type: envoy_cluster_v3.Cluster_ORIGINAL_DST, + }, + LbPolicy: envoy_cluster_v3.Cluster_CLUSTER_PROVIDED, + + // TODO(tproxy) This should use the connection timeout configured on the upstream's config entry + ConnectTimeout: ptypes.DurationProto(5 * time.Second), + } + + tlsContext := envoy_tls_v3.UpstreamTlsContext{ + CommonTlsContext: makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.Leaf()), + Sni: passthrough.SNI, + } + transportSocket, err := makeUpstreamTLSTransportSocket(&tlsContext) + if err != nil { + return nil, err + } + c.TransportSocket = transportSocket + clusters = append(clusters, &c) + } + + return clusters, nil +} + // clustersFromSnapshotMeshGateway returns the xDS API representation of the "clusters" // for a mesh gateway. This will include 1 cluster per remote datacenter as well as // 1 cluster for each service subset. diff --git a/agent/xds/clusters_test.go b/agent/xds/clusters_test.go index 0d96b2af46f0..5fa6c7ccf361 100644 --- a/agent/xds/clusters_test.go +++ b/agent/xds/clusters_test.go @@ -14,6 +14,8 @@ import ( testinf "github.com/mitchellh/go-testing-interface" "github.com/stretchr/testify/require" + "github.com/hashicorp/consul/agent/connect" + "github.com/hashicorp/consul/agent/consul/discoverychain" "github.com/hashicorp/consul/agent/proxycfg" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/agent/xds/proxysupport" @@ -646,7 +648,7 @@ func TestClustersFromSnapshot(t *testing.T) { }, }, { - name: "transparent-proxy catalog destinations only", + name: "transparent-proxy-catalog-destinations-only", create: proxycfg.TestConfigSnapshot, setup: func(snap *proxycfg.ConfigSnapshot) { snap.Proxy.Mode = structs.ProxyModeTransparent @@ -659,6 +661,52 @@ func TestClustersFromSnapshot(t *testing.T) { } }, }, + { + name: "transparent-proxy-dial-instances-directly", + create: proxycfg.TestConfigSnapshot, + setup: func(snap *proxycfg.ConfigSnapshot) { + snap.Proxy.Mode = structs.ProxyModeTransparent + + // We add a passthrough cluster for each upstream service name + snap.ConnectProxy.PassthroughUpstreams = map[string]proxycfg.ServicePassthroughAddrs{ + "default/kafka": { + SNI: "kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + Addrs: map[string]struct{}{ + "9.9.9.9": {}, + }, + }, + "default/mongo": { + SNI: "mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + Addrs: map[string]struct{}{ + "10.10.10.10": {}, + "10.10.10.12": {}, + }, + }, + } + + // There should still be a cluster for non-passthrough requests + snap.ConnectProxy.DiscoveryChain["mongo"] = discoverychain.TestCompileConfigEntries( + t, "mongo", "default", "dc1", + connect.TestClusterID+".consul", "dc1", nil) + snap.ConnectProxy.WatchedUpstreamEndpoints["mongo"] = map[string]structs.CheckServiceNodes{ + "mongo.default.dc1": { + structs.CheckServiceNode{ + Node: &structs.Node{ + Datacenter: "dc1", + }, + Service: &structs.NodeService{ + Service: "mongo", + Address: "7.7.7.7", + Port: 27017, + TaggedAddresses: map[string]structs.ServiceAddress{ + "virtual": {Address: "6.6.6.6"}, + }, + }, + }, + }, + } + }, + }, } latestEnvoyVersion := proxysupport.EnvoyVersions[0] diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go index cc08ed0d559d..b7fe4452c29e 100644 --- a/agent/xds/listeners.go +++ b/agent/xds/listeners.go @@ -91,8 +91,6 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. } } - var hasFilterChains bool - for id, chain := range cfgSnap.ConnectProxy.DiscoveryChain { upstreamCfg := cfgSnap.ConnectProxy.UpstreamConfig[id] cfg := s.getAndModifyUpstreamConfigForListener(id, upstreamCfg, chain) @@ -167,45 +165,51 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. // For every potential address we collected, create the appropriate address prefix to match on. // In this case we are matching on exact addresses, so the prefix is the address itself, // and the prefix length is based on whether it's IPv4 or IPv6. - ranges := make([]*envoy_core_v3.CidrRange, 0) + filterChain.FilterChainMatch = makeFilterChainMatchFromAddrs(uniqueAddrs) - for addr := range uniqueAddrs { - ip := net.ParseIP(addr) - if ip == nil { - continue - } + // Only attach the filter chain if there are addresses to match on + if filterChain.FilterChainMatch != nil && len(filterChain.FilterChainMatch.PrefixRanges) > 0 { + outboundListener.FilterChains = append(outboundListener.FilterChains, filterChain) + } + } + + if outboundListener != nil { + // Add a passthrough for every mesh endpoint that can be dialed directly, + // as opposed to via a virtual IP. + var passthroughChains []*envoy_listener_v3.FilterChain - pfxLen := uint32(32) - if ip.To4() == nil { - pfxLen = 128 + for svc, passthrough := range cfgSnap.ConnectProxy.PassthroughUpstreams { + sn := structs.ServiceNameFromString(svc) + u := structs.Upstream{ + DestinationName: sn.Name, + DestinationNamespace: sn.NamespaceOrDefault(), } - ranges = append(ranges, &envoy_core_v3.CidrRange{ - AddressPrefix: addr, - PrefixLen: &wrappers.UInt32Value{Value: pfxLen}, - }) - } - // The match rules are stable sorted to avoid draining if the list is provided out of order - sort.SliceStable(ranges, func(i, j int) bool { - return ranges[i].AddressPrefix < ranges[j].AddressPrefix - }) + filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( + "", + "passthrough~"+passthrough.SNI, - filterChain.FilterChainMatch = &envoy_listener_v3.FilterChainMatch{ - PrefixRanges: ranges, - } + // TODO(tproxy) This should use the protocol configured on the upstream's config entry + "tcp", + &u, + nil, + cfgSnap, + nil, + ) + if err != nil { + return nil, err + } + filterChain.FilterChainMatch = makeFilterChainMatchFromAddrs(passthrough.Addrs) - // Only attach the filter chain if there are addresses to match on - if len(ranges) > 0 { - outboundListener.FilterChains = append(outboundListener.FilterChains, filterChain) + passthroughChains = append(passthroughChains, filterChain) } - hasFilterChains = true - } - // Only create the outbound listener when there are upstreams and filter chains are present - if outboundListener != nil && hasFilterChains { + outboundListener.FilterChains = append(outboundListener.FilterChains, passthroughChains...) + // Filter chains are stable sorted to avoid draining if the list is provided out of order sort.SliceStable(outboundListener.FilterChains, func(i, j int) bool { - return outboundListener.FilterChains[i].Name < outboundListener.FilterChains[j].Name + return outboundListener.FilterChains[i].FilterChainMatch.PrefixRanges[0].AddressPrefix < + outboundListener.FilterChains[j].FilterChainMatch.PrefixRanges[0].AddressPrefix }) // Add a catch-all filter chain that acts as a TCP proxy to non-catalog destinations @@ -213,7 +217,7 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. !cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.CatalogDestinationsOnly { filterChain, err := s.makeUpstreamFilterChainForDiscoveryChain( - "passthrough", + "", OriginalDestinationClusterName, "tcp", nil, @@ -227,7 +231,10 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. outboundListener.FilterChains = append(outboundListener.FilterChains, filterChain) } - resources = append(resources, outboundListener) + // Only add the outbound listener if configured. + if len(outboundListener.FilterChains) > 0 { + resources = append(resources, outboundListener) + } } // Looping over explicit upstreams is only needed for prepared queries because they do not have discovery chains @@ -295,6 +302,35 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg. return resources, nil } +func makeFilterChainMatchFromAddrs(addrs map[string]struct{}) *envoy_listener_v3.FilterChainMatch { + ranges := make([]*envoy_core_v3.CidrRange, 0) + + for addr := range addrs { + ip := net.ParseIP(addr) + if ip == nil { + continue + } + + pfxLen := uint32(32) + if ip.To4() == nil { + pfxLen = 128 + } + ranges = append(ranges, &envoy_core_v3.CidrRange{ + AddressPrefix: addr, + PrefixLen: &wrappers.UInt32Value{Value: pfxLen}, + }) + } + + // The match rules are stable sorted to avoid draining if the list is provided out of order + sort.SliceStable(ranges, func(i, j int) bool { + return ranges[i].AddressPrefix < ranges[j].AddressPrefix + }) + + return &envoy_listener_v3.FilterChainMatch{ + PrefixRanges: ranges, + } +} + func parseCheckPath(check structs.CheckType) (structs.ExposePath, error) { var path structs.ExposePath @@ -1258,7 +1294,10 @@ func (s *ResourceGenerator) makeUpstreamFilterChainForDiscoveryChain( if overrideCluster != "" { useRDS = false clusterName = overrideCluster - filterName = overrideCluster + + if destination == "" { + filterName = overrideCluster + } } opts := listenerFilterOpts{ diff --git a/agent/xds/listeners_test.go b/agent/xds/listeners_test.go index fa3e36979d4d..b104877f6c82 100644 --- a/agent/xds/listeners_test.go +++ b/agent/xds/listeners_test.go @@ -584,6 +584,61 @@ func TestListenersFromSnapshot(t *testing.T) { connect.TestClusterID+".consul", "dc1", nil) }, }, + { + name: "transparent-proxy-dial-instances-directly", + create: proxycfg.TestConfigSnapshot, + setup: func(snap *proxycfg.ConfigSnapshot) { + snap.Proxy.Mode = structs.ProxyModeTransparent + + snap.ConnectProxy.DiscoveryChain["mongo"] = discoverychain.TestCompileConfigEntries( + t, "mongo", "default", "dc1", + connect.TestClusterID+".consul", "dc1", nil) + + snap.ConnectProxy.DiscoveryChain["kafka"] = discoverychain.TestCompileConfigEntries( + t, "kafka", "default", "dc1", + connect.TestClusterID+".consul", "dc1", nil) + + kafka := structs.NewServiceName("kafka", structs.DefaultEnterpriseMeta()) + mongo := structs.NewServiceName("mongo", structs.DefaultEnterpriseMeta()) + + // We add a filter chains for each passthrough service name. + // The filter chain will route to a cluster with the same SNI name. + snap.ConnectProxy.PassthroughUpstreams = map[string]proxycfg.ServicePassthroughAddrs{ + kafka.String(): { + SNI: "kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + Addrs: map[string]struct{}{ + "9.9.9.9": {}, + }, + }, + mongo.String(): { + SNI: "mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + Addrs: map[string]struct{}{ + "10.10.10.10": {}, + "10.10.10.12": {}, + }, + }, + } + + // There should still be a filter chain for mongo's virtual address + snap.ConnectProxy.WatchedUpstreamEndpoints["mongo"] = map[string]structs.CheckServiceNodes{ + "mongo.default.dc1": { + structs.CheckServiceNode{ + Node: &structs.Node{ + Datacenter: "dc1", + }, + Service: &structs.NodeService{ + Service: "mongo", + Address: "7.7.7.7", + Port: 27017, + TaggedAddresses: map[string]structs.ServiceAddress{ + "virtual": {Address: "6.6.6.6"}, + }, + }, + }, + }, + } + }, + }, } latestEnvoyVersion := proxysupport.EnvoyVersions[0] diff --git a/agent/xds/server.go b/agent/xds/server.go index 259b01437052..8e6037116289 100644 --- a/agent/xds/server.go +++ b/agent/xds/server.go @@ -96,8 +96,9 @@ const ( // OriginalDestinationClusterName is the name we give to the passthrough // cluster which redirects transparently-proxied requests to their original - // destination. This cluster prevents Consul from blocking connections to - // destinations outside of the catalog when in transparent proxy mode. + // destination outside the mesh. This cluster prevents Consul from blocking + // connections to destinations outside of the catalog when in transparent + // proxy mode. OriginalDestinationClusterName = "original-destination" // DefaultAuthCheckFrequency is the default value for diff --git a/agent/xds/testdata/clusters/transparent-proxy catalog destinations only.envoy-1-18-x.golden b/agent/xds/testdata/clusters/transparent-proxy-catalog-destinations-only.envoy-1-18-x.golden similarity index 100% rename from agent/xds/testdata/clusters/transparent-proxy catalog destinations only.envoy-1-18-x.golden rename to agent/xds/testdata/clusters/transparent-proxy-catalog-destinations-only.envoy-1-18-x.golden diff --git a/agent/xds/testdata/clusters/transparent-proxy catalog destinations only.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/clusters/transparent-proxy-catalog-destinations-only.v2compat.envoy-1-16-x.golden similarity index 100% rename from agent/xds/testdata/clusters/transparent-proxy catalog destinations only.v2compat.envoy-1-16-x.golden rename to agent/xds/testdata/clusters/transparent-proxy-catalog-destinations-only.v2compat.envoy-1-16-x.golden diff --git a/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden b/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden new file mode 100644 index 000000000000..2dfba6613087 --- /dev/null +++ b/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden @@ -0,0 +1,260 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "altStatName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": { + + }, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "circuitBreakers": { + + }, + "outlierDetection": { + + }, + "commonLbConfig": { + "healthyPanicThreshold": { + + } + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": { + + }, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "circuitBreakers": { + + }, + "outlierDetection": { + + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "local_app", + "type": "STATIC", + "connectTimeout": "5s", + "loadAssignment": { + "clusterName": "local_app", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 8080 + } + } + } + } + ] + } + ] + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "altStatName": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": { + + }, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "circuitBreakers": { + + }, + "outlierDetection": { + + }, + "commonLbConfig": { + "healthyPanicThreshold": { + + } + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "original-destination", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED" + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "passthrough~kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED", + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "passthrough~mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED", + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000000..26c586fc97eb --- /dev/null +++ b/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden @@ -0,0 +1,260 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "altStatName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": { + + }, + "resourceApiVersion": "V2" + } + }, + "connectTimeout": "5s", + "circuitBreakers": { + + }, + "outlierDetection": { + + }, + "commonLbConfig": { + "healthyPanicThreshold": { + + } + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": { + + }, + "resourceApiVersion": "V2" + } + }, + "connectTimeout": "5s", + "circuitBreakers": { + + }, + "outlierDetection": { + + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "local_app", + "type": "STATIC", + "connectTimeout": "5s", + "loadAssignment": { + "clusterName": "local_app", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 8080 + } + } + } + } + ] + } + ] + } + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "altStatName": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": { + + }, + "resourceApiVersion": "V2" + } + }, + "connectTimeout": "5s", + "circuitBreakers": { + + }, + "outlierDetection": { + + }, + "commonLbConfig": { + "healthyPanicThreshold": { + + } + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "original-destination", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED" + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "passthrough~kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED", + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Cluster", + "name": "passthrough~mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul", + "type": "ORIGINAL_DST", + "connectTimeout": "5s", + "lbPolicy": "CLUSTER_PROVIDED", + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "sni": "mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden b/agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden new file mode 100644 index 000000000000..3de39f7cb74c --- /dev/null +++ b/agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden @@ -0,0 +1,213 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.db.default.dc1", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "outbound_listener:127.0.0.1:15001", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 15001 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "prefixRanges": [ + { + "addressPrefix": "10.10.10.10", + "prefixLen": 32 + }, + { + "addressPrefix": "10.10.10.12", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.mongo.default.dc1", + "cluster": "passthrough~mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + ] + }, + { + "filterChainMatch": { + "prefixRanges": [ + { + "addressPrefix": "6.6.6.6", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.mongo.default.dc1", + "cluster": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + }, + { + "filterChainMatch": { + "prefixRanges": [ + { + "addressPrefix": "9.9.9.9", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.kafka.default.dc1", + "cluster": "passthrough~kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + ] + }, + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.original-destination", + "cluster": "original-destination" + } + } + ] + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.original_dst" + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.prepared_query_geo-cache", + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "public_listener:0.0.0.0:9999", + "address": { + "socketAddress": { + "address": "0.0.0.0", + "portValue": 9999 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": { + + }, + "statPrefix": "connect_authz" + } + }, + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "public_listener", + "cluster": "local_app" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + } + } + } + ], + "trafficDirection": "INBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden b/agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden new file mode 100644 index 000000000000..ab37095abc8c --- /dev/null +++ b/agent/xds/testdata/listeners/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden @@ -0,0 +1,213 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.db.default.dc1", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "outbound_listener:127.0.0.1:15001", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 15001 + } + }, + "filterChains": [ + { + "filterChainMatch": { + "prefixRanges": [ + { + "addressPrefix": "10.10.10.10", + "prefixLen": 32 + }, + { + "addressPrefix": "10.10.10.12", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.mongo.default.dc1", + "cluster": "passthrough~mongo.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + ] + }, + { + "filterChainMatch": { + "prefixRanges": [ + { + "addressPrefix": "6.6.6.6", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.mongo.default.dc1", + "cluster": "mongo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + }, + { + "filterChainMatch": { + "prefixRanges": [ + { + "addressPrefix": "9.9.9.9", + "prefixLen": 32 + } + ] + }, + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.kafka.default.dc1", + "cluster": "passthrough~kafka.default.dc1.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul" + } + } + ] + }, + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.original-destination", + "cluster": "original-destination" + } + } + ] + } + ], + "listenerFilters": [ + { + "name": "envoy.filters.listener.original_dst" + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "upstream.prepared_query_geo-cache", + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "public_listener:0.0.0.0:9999", + "address": { + "socketAddress": { + "address": "0.0.0.0", + "portValue": 9999 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC", + "rules": { + + }, + "statPrefix": "connect_authz" + } + }, + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy", + "statPrefix": "public_listener", + "cluster": "local_app" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext", + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + } + } + } + ], + "trafficDirection": "INBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/api/config_entry.go b/api/config_entry.go index 5047d07a5b2f..f339149a776c 100644 --- a/api/config_entry.go +++ b/api/config_entry.go @@ -84,6 +84,11 @@ const ( type TransparentProxyConfig struct { // The port of the listener where outbound application traffic is being redirected to. OutboundListenerPort int `json:",omitempty" alias:"outbound_listener_port"` + + // DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + // The discovery chain is not considered when dialing a service instance directly. + // This setting is useful when addressing stateful services, such as a database cluster with a leader node. + DialedDirectly bool `json:",omitempty" alias:"dialed_directly"` } // ExposeConfig describes HTTP paths to expose through Envoy outside of Connect. diff --git a/api/config_entry_test.go b/api/config_entry_test.go index 1abfcc181948..2c5f8c20fcbd 100644 --- a/api/config_entry_test.go +++ b/api/config_entry_test.go @@ -358,7 +358,8 @@ func TestDecodeConfigEntry(t *testing.T) { }, "Mode": "transparent", "TransparentProxy": { - "OutboundListenerPort": 808 + "OutboundListenerPort": 808, + "DialedDirectly": true } } `, @@ -379,8 +380,11 @@ func TestDecodeConfigEntry(t *testing.T) { MeshGateway: MeshGatewayConfig{ Mode: MeshGatewayModeRemote, }, - Mode: ProxyModeTransparent, - TransparentProxy: &TransparentProxyConfig{OutboundListenerPort: 808}, + Mode: ProxyModeTransparent, + TransparentProxy: &TransparentProxyConfig{ + OutboundListenerPort: 808, + DialedDirectly: true, + }, }, }, { @@ -400,7 +404,8 @@ func TestDecodeConfigEntry(t *testing.T) { }, "Mode": "transparent", "TransparentProxy": { - "OutboundListenerPort": 808 + "OutboundListenerPort": 808, + "DialedDirectly": true }, "UpstreamConfig": { "Overrides": [ @@ -448,8 +453,11 @@ func TestDecodeConfigEntry(t *testing.T) { MeshGateway: MeshGatewayConfig{ Mode: MeshGatewayModeRemote, }, - Mode: ProxyModeTransparent, - TransparentProxy: &TransparentProxyConfig{OutboundListenerPort: 808}, + Mode: ProxyModeTransparent, + TransparentProxy: &TransparentProxyConfig{ + OutboundListenerPort: 808, + DialedDirectly: true, + }, UpstreamConfig: &UpstreamConfiguration{ Overrides: []*UpstreamConfig{ { diff --git a/command/config/write/config_write_test.go b/command/config/write/config_write_test.go index 20f20af43ea3..64d5687bc06a 100644 --- a/command/config/write/config_write_test.go +++ b/command/config/write/config_write_test.go @@ -216,6 +216,7 @@ func TestParseConfigEntry(t *testing.T) { mode = "direct" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } `, camel: ` @@ -238,6 +239,7 @@ func TestParseConfigEntry(t *testing.T) { Mode = "direct" TransparentProxy = { outbound_listener_port = 10101 + dialed_directly = true } `, snakeJSON: ` @@ -260,7 +262,8 @@ func TestParseConfigEntry(t *testing.T) { }, "mode": "direct", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true } } `, @@ -284,7 +287,8 @@ func TestParseConfigEntry(t *testing.T) { }, "Mode": "direct", "TransparentProxy": { - "OutboundListenerPort": 10101 + "OutboundListenerPort": 10101, + "DialedDirectly": true } } `, @@ -308,6 +312,7 @@ func TestParseConfigEntry(t *testing.T) { Mode: api.ProxyModeDirect, TransparentProxy: &api.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, expectJSON: &api.ProxyConfigEntry{ @@ -330,6 +335,7 @@ func TestParseConfigEntry(t *testing.T) { Mode: api.ProxyModeDirect, TransparentProxy: &api.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, }, }, @@ -495,6 +501,7 @@ func TestParseConfigEntry(t *testing.T) { mode = "direct" transparent_proxy = { outbound_listener_port = 10101 + dialed_directly = true } upstream_config { overrides = [ @@ -553,6 +560,7 @@ func TestParseConfigEntry(t *testing.T) { Mode = "direct" TransparentProxy = { outbound_listener_port = 10101 + dialed_directly = true } UpstreamConfig { Overrides = [ @@ -611,7 +619,8 @@ func TestParseConfigEntry(t *testing.T) { }, "mode": "direct", "transparent_proxy": { - "outbound_listener_port": 10101 + "outbound_listener_port": 10101, + "dialed_directly": true }, "upstream_config": { "overrides": [ @@ -671,7 +680,8 @@ func TestParseConfigEntry(t *testing.T) { }, "Mode": "direct", "TransparentProxy": { - "OutboundListenerPort": 10101 + "OutboundListenerPort": 10101, + "DialedDirectly": true }, "UpstreamConfig": { "Overrides": [ @@ -731,6 +741,7 @@ func TestParseConfigEntry(t *testing.T) { Mode: api.ProxyModeDirect, TransparentProxy: &api.TransparentProxyConfig{ OutboundListenerPort: 10101, + DialedDirectly: true, }, UpstreamConfig: &api.UpstreamConfiguration{ Overrides: []*api.UpstreamConfig{ diff --git a/command/connect/envoy/bootstrap_config.go b/command/connect/envoy/bootstrap_config.go index 28cd7ac9b7d3..12a623b22b6d 100644 --- a/command/connect/envoy/bootstrap_config.go +++ b/command/connect/envoy/bootstrap_config.go @@ -352,40 +352,41 @@ func resourceTagSpecifiers(omitDeprecatedTags bool) ([]string, error) { // - cluster.f8f8f8f8~pong.default.dc2.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul.bind_errors: 0 // - cluster.v2.pong.default.dc2.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul.bind_errors: 0 // - cluster.f8f8f8f8~v2.pong.default.dc2.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul.bind_errors: 0 + // - cluster.passthrough~pong.default.dc2.internal.e5b08d03-bfc3-c870-1833-baddb116e648.consul.bind_errors: 0 {"consul.destination.custom_hash", - fmt.Sprintf(`^cluster\.((?:(%s)~)?(?:%s\.)?%s\.%s\.%s\.%s\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:(%s)~)?(?:%s\.)?%s\.%s\.%s\.%s\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.service_subset", - fmt.Sprintf(`^cluster\.((?:%s~)?(?:(%s)\.)?%s\.%s\.%s\.%s\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:%s~)?(?:(%s)\.)?%s\.%s\.%s\.%s\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.service", - fmt.Sprintf(`^cluster\.((?:%s~)?(?:%s\.)?(%s)\.%s\.%s\.%s\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:%s~)?(?:%s\.)?(%s)\.%s\.%s\.%s\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.namespace", - fmt.Sprintf(`^cluster\.((?:%s~)?(?:%s\.)?%s\.(%s)\.%s\.%s\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:%s~)?(?:%s\.)?%s\.(%s)\.%s\.%s\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.datacenter", - fmt.Sprintf(`^cluster\.((?:%s~)?(?:%s\.)?%s\.%s\.(%s)\.%s\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:%s~)?(?:%s\.)?%s\.%s\.(%s)\.%s\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.routing_type", - fmt.Sprintf(`^cluster\.((?:%s~)?(?:%s\.)?%s\.%s\.%s\.(%s)\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:%s~)?(?:%s\.)?%s\.%s\.%s\.(%s)\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.trust_domain", - fmt.Sprintf(`^cluster\.((?:%s~)?(?:%s\.)?%s\.%s\.%s\.%s\.(%s)\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?((?:%s~)?(?:%s\.)?%s\.%s\.%s\.%s\.(%s)\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.target", - fmt.Sprintf(`^cluster\.(((?:%s~)?(?:%s\.)?%s\.%s\.%s)\.%s\.%s\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?(((?:%s~)?(?:%s\.)?%s\.%s\.%s)\.%s\.%s\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, {"consul.destination.full_target", - fmt.Sprintf(`^cluster\.(((?:%s~)?(?:%s\.)?%s\.%s\.%s\.%s\.%s)\.consul\.)`, + fmt.Sprintf(`^cluster\.(?:passthrough~)?(((?:%s~)?(?:%s\.)?%s\.%s\.%s\.%s\.%s)\.consul\.)`, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment, reSegment)}, // Upstream listener metrics are prefixed by consul.upstream diff --git a/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden b/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden index cd52a65ccc18..861b59ab9f0f 100644 --- a/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden +++ b/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden @@ -62,39 +62,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/access-log-path.golden b/command/connect/envoy/testdata/access-log-path.golden index e65515893fa1..393a924db345 100644 --- a/command/connect/envoy/testdata/access-log-path.golden +++ b/command/connect/envoy/testdata/access-log-path.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/defaults.golden b/command/connect/envoy/testdata/defaults.golden index 6b989665f564..c094ddc15a2d 100644 --- a/command/connect/envoy/testdata/defaults.golden +++ b/command/connect/envoy/testdata/defaults.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/existing-ca-file.golden b/command/connect/envoy/testdata/existing-ca-file.golden index 494752b3506d..c74249dcfa2f 100644 --- a/command/connect/envoy/testdata/existing-ca-file.golden +++ b/command/connect/envoy/testdata/existing-ca-file.golden @@ -62,39 +62,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/existing-ca-path.golden b/command/connect/envoy/testdata/existing-ca-path.golden index 88618fc5b1ab..d83c138d9932 100644 --- a/command/connect/envoy/testdata/existing-ca-path.golden +++ b/command/connect/envoy/testdata/existing-ca-path.golden @@ -62,39 +62,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/extra_-multiple.golden b/command/connect/envoy/testdata/extra_-multiple.golden index 06cd5215dd18..b16e5e248c9a 100644 --- a/command/connect/envoy/testdata/extra_-multiple.golden +++ b/command/connect/envoy/testdata/extra_-multiple.golden @@ -71,39 +71,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/extra_-single.golden b/command/connect/envoy/testdata/extra_-single.golden index 503226e17f89..b2617052f6e7 100644 --- a/command/connect/envoy/testdata/extra_-single.golden +++ b/command/connect/envoy/testdata/extra_-single.golden @@ -62,39 +62,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/grpc-addr-config.golden b/command/connect/envoy/testdata/grpc-addr-config.golden index 9082d485da0e..34ed73682bda 100644 --- a/command/connect/envoy/testdata/grpc-addr-config.golden +++ b/command/connect/envoy/testdata/grpc-addr-config.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/grpc-addr-env.golden b/command/connect/envoy/testdata/grpc-addr-env.golden index 9082d485da0e..34ed73682bda 100644 --- a/command/connect/envoy/testdata/grpc-addr-env.golden +++ b/command/connect/envoy/testdata/grpc-addr-env.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/grpc-addr-flag.golden b/command/connect/envoy/testdata/grpc-addr-flag.golden index 9082d485da0e..34ed73682bda 100644 --- a/command/connect/envoy/testdata/grpc-addr-flag.golden +++ b/command/connect/envoy/testdata/grpc-addr-flag.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/grpc-addr-unix.golden b/command/connect/envoy/testdata/grpc-addr-unix.golden index 053d1c0088a8..798cbb38b669 100644 --- a/command/connect/envoy/testdata/grpc-addr-unix.golden +++ b/command/connect/envoy/testdata/grpc-addr-unix.golden @@ -48,39 +48,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/ingress-gateway-address-specified.golden b/command/connect/envoy/testdata/ingress-gateway-address-specified.golden index 99da5e21b992..2b11eeb35e63 100644 --- a/command/connect/envoy/testdata/ingress-gateway-address-specified.golden +++ b/command/connect/envoy/testdata/ingress-gateway-address-specified.golden @@ -135,39 +135,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden b/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden index d2c4b37e4eff..f3fe7a54b7fc 100644 --- a/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden +++ b/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden @@ -135,39 +135,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden b/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden index 4caf58dd4394..da6a17501b49 100644 --- a/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden +++ b/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden @@ -135,39 +135,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden b/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden index e7bbde8078ee..ef9138e40742 100644 --- a/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden +++ b/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden @@ -135,39 +135,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/ingress-gateway.golden b/command/connect/envoy/testdata/ingress-gateway.golden index da76ef79b287..6f5b6c7a1868 100644 --- a/command/connect/envoy/testdata/ingress-gateway.golden +++ b/command/connect/envoy/testdata/ingress-gateway.golden @@ -135,39 +135,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/prometheus-metrics.golden b/command/connect/envoy/testdata/prometheus-metrics.golden index e4157e9c8c64..6c6799e4ed50 100644 --- a/command/connect/envoy/testdata/prometheus-metrics.golden +++ b/command/connect/envoy/testdata/prometheus-metrics.golden @@ -135,39 +135,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/token-arg.golden b/command/connect/envoy/testdata/token-arg.golden index 248790500eb2..3e33edadbf49 100644 --- a/command/connect/envoy/testdata/token-arg.golden +++ b/command/connect/envoy/testdata/token-arg.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/token-env.golden b/command/connect/envoy/testdata/token-env.golden index 248790500eb2..3e33edadbf49 100644 --- a/command/connect/envoy/testdata/token-env.golden +++ b/command/connect/envoy/testdata/token-env.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/token-file-arg.golden b/command/connect/envoy/testdata/token-file-arg.golden index 248790500eb2..3e33edadbf49 100644 --- a/command/connect/envoy/testdata/token-file-arg.golden +++ b/command/connect/envoy/testdata/token-file-arg.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/token-file-env.golden b/command/connect/envoy/testdata/token-file-env.golden index 248790500eb2..3e33edadbf49 100644 --- a/command/connect/envoy/testdata/token-file-env.golden +++ b/command/connect/envoy/testdata/token-file-env.golden @@ -49,39 +49,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/command/connect/envoy/testdata/zipkin-tracing-config.golden b/command/connect/envoy/testdata/zipkin-tracing-config.golden index 15b796e26b23..5a6cc29d03b8 100644 --- a/command/connect/envoy/testdata/zipkin-tracing-config.golden +++ b/command/connect/envoy/testdata/zipkin-tracing-config.golden @@ -73,39 +73,39 @@ "stats_config": { "stats_tags": [ { - "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.custom_hash" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service_subset" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.service" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.namespace" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.datacenter" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.routing_type" }, { - "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)", "tag_name": "consul.destination.trust_domain" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)", "tag_name": "consul.destination.target" }, { - "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", + "regex": "^cluster\\.(?:passthrough~)?(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)", "tag_name": "consul.destination.full_target" }, { diff --git a/proto/pbservice/service.gen.go b/proto/pbservice/service.gen.go index f6cc1e578898..1a8c3e9c1adf 100644 --- a/proto/pbservice/service.gen.go +++ b/proto/pbservice/service.gen.go @@ -131,11 +131,13 @@ func NewServiceDefinitionFromStructs(t structs.ServiceDefinition) ServiceDefinit func TransparentProxyConfigToStructs(s TransparentProxyConfig) structs.TransparentProxyConfig { var t structs.TransparentProxyConfig t.OutboundListenerPort = int(s.OutboundListenerPort) + t.DialedDirectly = s.DialedDirectly return t } func NewTransparentProxyConfigFromStructs(t structs.TransparentProxyConfig) TransparentProxyConfig { var s TransparentProxyConfig s.OutboundListenerPort = int32(t.OutboundListenerPort) + s.DialedDirectly = t.DialedDirectly return s } func UpstreamToStructs(s Upstream) structs.Upstream { diff --git a/proto/pbservice/service.pb.go b/proto/pbservice/service.pb.go index 7a0cb6ba0e03..a7736dfb32c1 100644 --- a/proto/pbservice/service.pb.go +++ b/proto/pbservice/service.pb.go @@ -402,6 +402,10 @@ var xxx_messageInfo_MeshGatewayConfig proto.InternalMessageInfo type TransparentProxyConfig struct { // mog: func-to=int func-from=int32 OutboundListenerPort int32 `protobuf:"varint,1,opt,name=OutboundListenerPort,proto3" json:"OutboundListenerPort,omitempty"` + // DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + // The discovery chain is not considered when dialing a service instance directly. + // This setting is useful when addressing stateful services, such as a database cluster with a leader node. + DialedDirectly bool `protobuf:"varint,2,opt,name=DialedDirectly,proto3" json:"DialedDirectly,omitempty"` } func (m *TransparentProxyConfig) Reset() { *m = TransparentProxyConfig{} } @@ -615,81 +619,82 @@ func init() { func init() { proto.RegisterFile("proto/pbservice/service.proto", fileDescriptor_cbb99233b75fb80b) } var fileDescriptor_cbb99233b75fb80b = []byte{ - // 1179 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x56, 0x4f, 0x6f, 0x1b, 0x45, - 0x14, 0xf7, 0xfa, 0x4f, 0x6c, 0xbf, 0x94, 0x34, 0x99, 0x98, 0xb0, 0x84, 0xd6, 0x49, 0x2d, 0x84, - 0x22, 0x88, 0xec, 0x36, 0x51, 0x09, 0xad, 0x54, 0x24, 0x12, 0x07, 0x54, 0x35, 0x69, 0xcd, 0xc6, - 0xa8, 0x02, 0x89, 0xc3, 0x78, 0x3d, 0x59, 0xaf, 0x62, 0xef, 0x58, 0x3b, 0xe3, 0xd0, 0x7c, 0x0b, - 0x6e, 0x70, 0xe5, 0xc0, 0x9d, 0x8f, 0x91, 0x63, 0x8f, 0x9c, 0x22, 0x48, 0xbe, 0x45, 0x4e, 0x68, - 0xde, 0xcc, 0x6e, 0xd6, 0xeb, 0x25, 0x2a, 0x9c, 0x3c, 0xf3, 0x7e, 0xef, 0xf7, 0x66, 0xfc, 0xde, - 0xef, 0xbd, 0x59, 0xb8, 0x3f, 0x0e, 0xb9, 0xe4, 0xad, 0x71, 0x4f, 0xb0, 0xf0, 0xd4, 0x77, 0x59, - 0xcb, 0xfc, 0x36, 0xd1, 0x4e, 0xaa, 0x31, 0xb0, 0x7a, 0xcf, 0xe3, 0xdc, 0x1b, 0xb2, 0x16, 0x02, - 0xbd, 0xc9, 0x71, 0x4b, 0xc8, 0x70, 0xe2, 0x4a, 0xed, 0xb8, 0xfa, 0x51, 0x14, 0xc7, 0xe5, 0xa3, - 0x11, 0x0f, 0x5a, 0xfa, 0xc7, 0x80, 0x0f, 0xd2, 0x87, 0x0c, 0x18, 0x1d, 0xca, 0x81, 0x3b, 0x60, - 0xee, 0x89, 0x71, 0xa9, 0x79, 0xdc, 0xe3, 0xda, 0x4d, 0xad, 0xb4, 0xb5, 0xf1, 0x7b, 0x09, 0xc8, - 0x1e, 0x0f, 0x02, 0xe6, 0xca, 0x4e, 0xc8, 0xdf, 0x9c, 0xed, 0xf1, 0xe0, 0xd8, 0xf7, 0xc8, 0xe7, - 0xb0, 0xd2, 0x66, 0x42, 0xfa, 0x01, 0x95, 0x3e, 0x0f, 0x8e, 0x74, 0xd0, 0x97, 0x74, 0xc4, 0x6c, - 0x6b, 0xdd, 0xda, 0xa8, 0x3a, 0xff, 0x82, 0x92, 0x2d, 0xa8, 0xcd, 0x22, 0xcf, 0xdb, 0x76, 0x1e, - 0x59, 0x99, 0x18, 0x79, 0x08, 0xcb, 0x07, 0xdc, 0xa5, 0x43, 0x63, 0xf9, 0xaa, 0xdf, 0x0f, 0x99, - 0x10, 0x76, 0x01, 0x29, 0x59, 0x10, 0xf9, 0x14, 0x16, 0x93, 0xe6, 0x0e, 0x0f, 0xa5, 0x5d, 0x5c, - 0xb7, 0x36, 0x4a, 0xce, 0x8c, 0x9d, 0x3c, 0x86, 0x39, 0xfd, 0x9f, 0xec, 0xd2, 0xba, 0xb5, 0x31, - 0xbf, 0xf5, 0x41, 0x53, 0x67, 0xb9, 0x19, 0x65, 0xb9, 0x79, 0x84, 0x59, 0xde, 0x2d, 0x9e, 0x5f, - 0xac, 0x59, 0x8e, 0x71, 0x26, 0x3b, 0x50, 0xfd, 0x6e, 0x2c, 0x64, 0xc8, 0xe8, 0x48, 0xd8, 0x73, - 0xeb, 0x85, 0x8d, 0xf9, 0xad, 0xe5, 0x66, 0x9c, 0xde, 0x66, 0x84, 0x21, 0x2b, 0xe7, 0xdc, 0xf8, - 0x92, 0x36, 0xcc, 0x1f, 0x32, 0x31, 0xf8, 0x86, 0x4a, 0xf6, 0x13, 0x3d, 0xb3, 0xcb, 0x78, 0xe8, - 0xbd, 0x04, 0x35, 0x81, 0xea, 0xb3, 0x4c, 0x8c, 0x24, 0x4d, 0xdd, 0x7a, 0xff, 0xcd, 0x98, 0x0b, - 0x66, 0x57, 0xcc, 0xad, 0x6f, 0x02, 0x68, 0x60, 0x8a, 0x6b, 0x9c, 0xc9, 0x0b, 0x28, 0x1e, 0xf2, - 0x3e, 0xb3, 0xab, 0x2a, 0x77, 0xbb, 0x3b, 0xd7, 0x17, 0x6b, 0xdb, 0x9e, 0x2f, 0x07, 0x93, 0x5e, - 0xd3, 0xe5, 0xa3, 0xd6, 0x80, 0x8a, 0x81, 0xef, 0xf2, 0x70, 0xdc, 0x72, 0x79, 0x20, 0x26, 0xc3, - 0x16, 0xf5, 0x58, 0x20, 0x8d, 0xca, 0x44, 0x13, 0xeb, 0xaf, 0xe8, 0x0e, 0x06, 0x21, 0x47, 0xb0, - 0xd8, 0x0d, 0x69, 0x20, 0xc6, 0x34, 0x64, 0x81, 0x56, 0x87, 0x0d, 0x78, 0x9b, 0x07, 0x89, 0xdb, - 0xa4, 0x5d, 0xa6, 0xee, 0x35, 0x13, 0x40, 0x09, 0x2b, 0x59, 0xa2, 0x23, 0xee, 0x9e, 0x30, 0xd9, - 0xa1, 0x72, 0x60, 0xcf, 0x6b, 0x61, 0x65, 0xa3, 0x8d, 0x5f, 0x8a, 0x50, 0x89, 0x92, 0x4c, 0x36, - 0xe0, 0x6e, 0x42, 0x49, 0xdd, 0xb3, 0x71, 0x24, 0xcb, 0xb4, 0x39, 0xa5, 0x47, 0x25, 0x51, 0x31, - 0xa6, 0x2e, 0xcb, 0xd0, 0x63, 0x8c, 0xa5, 0xa2, 0xa3, 0xe8, 0x0b, 0x33, 0xd1, 0x51, 0xed, 0x75, - 0x80, 0x36, 0x95, 0xd4, 0x65, 0x81, 0x64, 0x21, 0x2a, 0xb0, 0xea, 0x24, 0x2c, 0xb1, 0x4e, 0x77, - 0xfd, 0xa0, 0x1f, 0xc9, 0xba, 0x84, 0x5e, 0x33, 0x76, 0xf2, 0x31, 0xbc, 0x17, 0xdb, 0x50, 0xd0, - 0x73, 0x28, 0xe8, 0x69, 0x63, 0x42, 0xcd, 0xe5, 0xff, 0xa2, 0xe6, 0x94, 0x28, 0x2b, 0xff, 0x4f, - 0x94, 0x0f, 0x61, 0x79, 0x8f, 0x05, 0x32, 0xa4, 0xc3, 0xa1, 0xf1, 0x9a, 0x84, 0xac, 0x8f, 0x62, - 0xab, 0x38, 0x59, 0x50, 0xdc, 0xda, 0xea, 0xfe, 0x89, 0x52, 0x43, 0xa2, 0xb5, 0xa7, 0xa1, 0x0c, - 0x06, 0x0a, 0x7a, 0x3e, 0x93, 0xa1, 0xa0, 0x46, 0x00, 0x0b, 0x46, 0x2e, 0x66, 0x8e, 0x91, 0x15, - 0x98, 0x7b, 0x49, 0xa5, 0x7f, 0xaa, 0x55, 0x51, 0x71, 0xcc, 0x8e, 0xb4, 0x61, 0xe1, 0xc8, 0xef, - 0x33, 0x97, 0x86, 0x86, 0x80, 0x75, 0x9d, 0x4e, 0x84, 0x41, 0xda, 0xec, 0xd8, 0x0f, 0x7c, 0x55, - 0x68, 0x27, 0xc5, 0x69, 0x7c, 0x0f, 0x77, 0x92, 0x1d, 0xa8, 0x4e, 0xdb, 0x53, 0x63, 0x56, 0x44, - 0xa7, 0xe9, 0x1d, 0x79, 0x04, 0x25, 0xf5, 0x8f, 0x84, 0x9d, 0xc7, 0xe9, 0xf1, 0xfe, 0x4c, 0x07, - 0x2b, 0xd4, 0xa4, 0x59, 0x7b, 0x36, 0xfe, 0xb0, 0x00, 0x6e, 0x30, 0xd2, 0x80, 0x3b, 0x07, 0xbe, - 0x90, 0x2c, 0x60, 0x21, 0x2a, 0xc2, 0x42, 0x45, 0x4c, 0xd9, 0x08, 0x81, 0x22, 0xa6, 0x54, 0x0b, - 0x1a, 0xd7, 0xb1, 0x94, 0xd4, 0x06, 0x89, 0x85, 0x84, 0x94, 0x22, 0x23, 0x59, 0x85, 0x4a, 0x47, - 0x89, 0xc6, 0xe5, 0x43, 0x23, 0xdd, 0x78, 0xaf, 0x5a, 0xa0, 0x43, 0x43, 0xc1, 0xfa, 0x5f, 0x87, - 0x7c, 0x84, 0xff, 0x07, 0x75, 0x5b, 0x71, 0xd2, 0xe6, 0xc6, 0x31, 0x2c, 0xcd, 0x68, 0x87, 0x7c, - 0x6b, 0xc6, 0x10, 0x36, 0xe5, 0xee, 0xb3, 0xeb, 0x8b, 0xb5, 0x27, 0xef, 0x3e, 0x86, 0x12, 0xe1, - 0x6e, 0x86, 0x51, 0xe3, 0x00, 0x56, 0xb2, 0x27, 0x8d, 0x6a, 0xf1, 0x57, 0x13, 0xd9, 0xe3, 0x93, - 0xa0, 0x9f, 0x91, 0xad, 0x4c, 0xac, 0xf1, 0x5b, 0x19, 0x96, 0x66, 0x2a, 0x4d, 0x0e, 0xa1, 0xf8, - 0xc2, 0x0f, 0xfa, 0xe6, 0xda, 0x4f, 0xae, 0x2f, 0xd6, 0x1e, 0xbf, 0xfb, 0xb5, 0x4d, 0x38, 0x15, - 0xc0, 0xc1, 0x30, 0x64, 0x01, 0xf2, 0xf1, 0xcb, 0x97, 0x7f, 0xde, 0x56, 0xa5, 0x4a, 0x0c, 0x13, - 0x5c, 0x2b, 0x5b, 0x97, 0x7a, 0xc2, 0x2e, 0xae, 0x17, 0x94, 0x4d, 0xad, 0x89, 0x0d, 0xe5, 0xe9, - 0x61, 0x11, 0x6d, 0x09, 0x85, 0xbb, 0x5d, 0xea, 0x79, 0x2c, 0x1a, 0x1a, 0x4c, 0xd8, 0x8b, 0x28, - 0xae, 0x47, 0xb7, 0x29, 0xb8, 0x99, 0xe2, 0xec, 0x07, 0x32, 0x3c, 0x33, 0xc2, 0x4b, 0xc7, 0x23, - 0x4f, 0xa1, 0x78, 0xc8, 0x24, 0x35, 0x4f, 0xde, 0x27, 0xb7, 0xc6, 0x55, 0x8e, 0x18, 0xcc, 0x41, - 0x0e, 0x6a, 0x51, 0x65, 0xbe, 0x8c, 0x99, 0xc7, 0xb5, 0x1a, 0x91, 0x89, 0xc6, 0x27, 0x7a, 0x44, - 0x4e, 0xf5, 0x7b, 0x49, 0xeb, 0x4b, 0xcf, 0xa4, 0x5a, 0xe2, 0x40, 0xb4, 0xab, 0x29, 0x1e, 0x35, - 0x09, 0x1a, 0xc8, 0x66, 0xdc, 0x6f, 0x55, 0xbc, 0x63, 0x26, 0x25, 0xee, 0xc2, 0x4d, 0x28, 0xbf, - 0x66, 0xbe, 0x37, 0x90, 0xc2, 0xbc, 0x5d, 0x24, 0xe1, 0x6e, 0x10, 0x27, 0x72, 0x21, 0x35, 0x28, - 0x75, 0xf9, 0x09, 0x0b, 0xcc, 0xbc, 0xd1, 0x1b, 0xb2, 0x09, 0x4b, 0xfb, 0x01, 0xed, 0x0d, 0x59, - 0x97, 0x7a, 0xaf, 0x4e, 0x59, 0x18, 0xfa, 0x7d, 0x66, 0xdf, 0xc1, 0x7e, 0x98, 0x05, 0xc8, 0x36, - 0x94, 0xf4, 0x5b, 0xb9, 0x80, 0xe7, 0xdd, 0x4f, 0x5e, 0x6f, 0xe6, 0x43, 0xcb, 0xd1, 0xbe, 0x6a, - 0x34, 0xed, 0xab, 0x27, 0x63, 0x1c, 0xfa, 0x82, 0x61, 0x01, 0x96, 0x90, 0xbd, 0xd2, 0x34, 0x9f, - 0x79, 0xd3, 0xa8, 0xc9, 0x48, 0x8a, 0x43, 0xb6, 0xa1, 0x6c, 0x8e, 0xb0, 0xef, 0x22, 0xfd, 0xc3, - 0xd9, 0xfa, 0x19, 0x07, 0x27, 0xf2, 0x5c, 0xfd, 0x11, 0x6a, 0x59, 0x02, 0x21, 0x8b, 0x50, 0x38, - 0x61, 0x67, 0xe6, 0x61, 0x55, 0x4b, 0xd2, 0x82, 0xd2, 0x29, 0x1d, 0x4e, 0xf4, 0xeb, 0x99, 0x19, - 0xdc, 0x84, 0x70, 0xb4, 0xdf, 0xd3, 0xfc, 0x17, 0xd6, 0xea, 0x0e, 0x54, 0x63, 0x9d, 0x64, 0xc4, - 0xac, 0x25, 0x63, 0x56, 0x13, 0xc4, 0xc6, 0x97, 0xf1, 0x5c, 0x8f, 0xe4, 0x9f, 0x68, 0x0c, 0x6b, - 0xba, 0x31, 0x22, 0xe5, 0xe5, 0x6f, 0x94, 0xd7, 0x78, 0x16, 0x57, 0x5e, 0x11, 0x3b, 0x54, 0x08, - 0x3f, 0xf0, 0xcc, 0x54, 0x88, 0xb6, 0x0a, 0x79, 0x4d, 0xc3, 0x40, 0x21, 0x9a, 0x1b, 0x6d, 0x77, - 0x0f, 0xcf, 0xff, 0xae, 0xe7, 0xce, 0x2f, 0xeb, 0xd6, 0xdb, 0xcb, 0xba, 0xf5, 0xd7, 0x65, 0xdd, - 0xfa, 0xf9, 0xaa, 0x9e, 0xfb, 0xf5, 0xaa, 0x9e, 0x7b, 0x7b, 0x55, 0xcf, 0xfd, 0x79, 0x55, 0xcf, - 0xfd, 0xf0, 0xd9, 0x6d, 0xc3, 0x21, 0xf5, 0x3d, 0xde, 0x9b, 0x43, 0xc3, 0xf6, 0x3f, 0x01, 0x00, - 0x00, 0xff, 0xff, 0x44, 0x39, 0xad, 0x45, 0x0e, 0x0c, 0x00, 0x00, + // 1200 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x96, 0xcf, 0x6e, 0x1b, 0xb7, + 0x13, 0xc7, 0xb5, 0xfa, 0x63, 0x49, 0xe3, 0xfc, 0x1c, 0x9b, 0xd1, 0xcf, 0xdd, 0xba, 0x89, 0xec, + 0x08, 0x45, 0x60, 0xb4, 0x86, 0x94, 0xd8, 0x48, 0xdd, 0x04, 0x48, 0x81, 0xda, 0x72, 0x8b, 0x20, + 0x71, 0xa2, 0xae, 0x55, 0x04, 0x2d, 0xd0, 0x03, 0xb5, 0xa2, 0x57, 0x0b, 0x4b, 0x4b, 0x61, 0x49, + 0xb9, 0xd1, 0x5b, 0xf4, 0xd6, 0x5e, 0x7b, 0xe8, 0xbd, 0x8f, 0xe1, 0x63, 0x8e, 0x3d, 0x19, 0xad, + 0xfd, 0x16, 0x3e, 0x15, 0x1c, 0x72, 0xd7, 0xab, 0xd5, 0xd6, 0x48, 0x7b, 0x12, 0x39, 0xdf, 0x99, + 0x21, 0x97, 0xfc, 0xcc, 0x50, 0x70, 0x6f, 0x1c, 0x72, 0xc9, 0x5b, 0xe3, 0x9e, 0x60, 0xe1, 0xa9, + 0xef, 0xb2, 0x96, 0xf9, 0x6d, 0xa2, 0x9d, 0x54, 0x63, 0x61, 0xed, 0xae, 0xc7, 0xb9, 0x37, 0x64, + 0x2d, 0x14, 0x7a, 0x93, 0xe3, 0x96, 0x90, 0xe1, 0xc4, 0x95, 0xda, 0x71, 0xed, 0xa3, 0x28, 0x8f, + 0xcb, 0x47, 0x23, 0x1e, 0xb4, 0xf4, 0x8f, 0x11, 0xef, 0xa7, 0x17, 0x19, 0x30, 0x3a, 0x94, 0x03, + 0x77, 0xc0, 0xdc, 0x13, 0xe3, 0x52, 0xf3, 0xb8, 0xc7, 0xb5, 0x9b, 0x1a, 0x69, 0x6b, 0xe3, 0xb7, + 0x12, 0x90, 0x7d, 0x1e, 0x04, 0xcc, 0x95, 0x9d, 0x90, 0xbf, 0x9d, 0xee, 0xf3, 0xe0, 0xd8, 0xf7, + 0xc8, 0x67, 0xb0, 0xda, 0x66, 0x42, 0xfa, 0x01, 0x95, 0x3e, 0x0f, 0x8e, 0x74, 0xd2, 0x57, 0x74, + 0xc4, 0x6c, 0x6b, 0xc3, 0xda, 0xac, 0x3a, 0xff, 0xa0, 0x92, 0x6d, 0xa8, 0xcd, 0x2b, 0xcf, 0xdb, + 0x76, 0x1e, 0xa3, 0x32, 0x35, 0xf2, 0x10, 0xee, 0xbc, 0xe4, 0x2e, 0x1d, 0x1a, 0xcb, 0x97, 0xfd, + 0x7e, 0xc8, 0x84, 0xb0, 0x0b, 0x18, 0x92, 0x25, 0x91, 0x4f, 0x60, 0x39, 0x69, 0xee, 0xf0, 0x50, + 0xda, 0xc5, 0x0d, 0x6b, 0xb3, 0xe4, 0xcc, 0xd9, 0xc9, 0x63, 0x58, 0xd0, 0xdf, 0x64, 0x97, 0x36, + 0xac, 0xcd, 0xc5, 0xed, 0x0f, 0x9a, 0xfa, 0x94, 0x9b, 0xd1, 0x29, 0x37, 0x8f, 0xf0, 0x94, 0xf7, + 0x8a, 0x67, 0xe7, 0xeb, 0x96, 0x63, 0x9c, 0xc9, 0x2e, 0x54, 0xbf, 0x1d, 0x0b, 0x19, 0x32, 0x3a, + 0x12, 0xf6, 0xc2, 0x46, 0x61, 0x73, 0x71, 0xfb, 0x4e, 0x33, 0x3e, 0xde, 0x66, 0xa4, 0x61, 0x54, + 0xce, 0xb9, 0xf6, 0x25, 0x6d, 0x58, 0x3c, 0x64, 0x62, 0xf0, 0x35, 0x95, 0xec, 0x47, 0x3a, 0xb5, + 0xcb, 0xb8, 0xe8, 0xdd, 0x44, 0x68, 0x42, 0xd5, 0x6b, 0x99, 0x1c, 0xc9, 0x30, 0xb5, 0xeb, 0x83, + 0xb7, 0x63, 0x2e, 0x98, 0x5d, 0x31, 0xbb, 0xbe, 0x4e, 0xa0, 0x85, 0x99, 0x58, 0xe3, 0x4c, 0x5e, + 0x40, 0xf1, 0x90, 0xf7, 0x99, 0x5d, 0x55, 0x67, 0xb7, 0xb7, 0x7b, 0x75, 0xbe, 0xbe, 0xe3, 0xf9, + 0x72, 0x30, 0xe9, 0x35, 0x5d, 0x3e, 0x6a, 0x0d, 0xa8, 0x18, 0xf8, 0x2e, 0x0f, 0xc7, 0x2d, 0x97, + 0x07, 0x62, 0x32, 0x6c, 0x51, 0x8f, 0x05, 0xd2, 0x50, 0x26, 0x9a, 0x78, 0xff, 0x2a, 0xdc, 0xc1, + 0x24, 0xe4, 0x08, 0x96, 0xbb, 0x21, 0x0d, 0xc4, 0x98, 0x86, 0x2c, 0xd0, 0x74, 0xd8, 0x80, 0xbb, + 0xb9, 0x9f, 0xd8, 0x4d, 0xda, 0x65, 0x66, 0x5f, 0x73, 0x09, 0x14, 0x58, 0xc9, 0x2b, 0x3a, 0xe2, + 0xee, 0x09, 0x93, 0x1d, 0x2a, 0x07, 0xf6, 0xa2, 0x06, 0x2b, 0x5b, 0x6d, 0xfc, 0x5c, 0x84, 0x4a, + 0x74, 0xc8, 0x64, 0x13, 0x6e, 0x27, 0x48, 0xea, 0x4e, 0xc7, 0x11, 0x96, 0x69, 0x73, 0x8a, 0x47, + 0x85, 0xa8, 0x18, 0x53, 0x97, 0x65, 0xf0, 0x18, 0x6b, 0xa9, 0xec, 0x08, 0x7d, 0x61, 0x2e, 0x3b, + 0xd2, 0x5e, 0x07, 0x68, 0x53, 0x49, 0x5d, 0x16, 0x48, 0x16, 0x22, 0x81, 0x55, 0x27, 0x61, 0x89, + 0x39, 0xdd, 0xf3, 0x83, 0x7e, 0x84, 0x75, 0x09, 0xbd, 0xe6, 0xec, 0xe4, 0x63, 0xf8, 0x5f, 0x6c, + 0x43, 0xa0, 0x17, 0x10, 0xe8, 0x59, 0x63, 0x82, 0xe6, 0xf2, 0xbf, 0xa1, 0x39, 0x05, 0x65, 0xe5, + 0xbf, 0x41, 0xf9, 0x10, 0xee, 0xec, 0xb3, 0x40, 0x86, 0x74, 0x38, 0x34, 0x5e, 0x93, 0x90, 0xf5, + 0x11, 0xb6, 0x8a, 0x93, 0x25, 0xc5, 0xa5, 0xad, 0xf6, 0x9f, 0xb8, 0x6a, 0x48, 0x94, 0xf6, 0xac, + 0x94, 0x11, 0x81, 0x40, 0x2f, 0x66, 0x46, 0x28, 0xa9, 0x11, 0xc0, 0x92, 0xc1, 0xc5, 0xf4, 0x31, + 0xb2, 0x0a, 0x0b, 0xaf, 0xa8, 0xf4, 0x4f, 0x35, 0x15, 0x15, 0xc7, 0xcc, 0x48, 0x1b, 0x96, 0x8e, + 0xfc, 0x3e, 0x73, 0x69, 0x68, 0x02, 0xf0, 0x5e, 0x67, 0x0f, 0xc2, 0x28, 0x6d, 0x76, 0xec, 0x07, + 0xbe, 0xba, 0x68, 0x27, 0x15, 0xd3, 0xf8, 0x0e, 0x6e, 0x25, 0x2b, 0x50, 0xad, 0xb6, 0xaf, 0xda, + 0xac, 0x88, 0x56, 0xd3, 0x33, 0xf2, 0x08, 0x4a, 0xea, 0x8b, 0x84, 0x9d, 0xc7, 0xee, 0xf1, 0xff, + 0xb9, 0x0a, 0x56, 0xaa, 0x39, 0x66, 0xed, 0xd9, 0xf8, 0xdd, 0x02, 0xb8, 0xd6, 0x48, 0x03, 0x6e, + 0xbd, 0xf4, 0x85, 0x64, 0x01, 0x0b, 0x91, 0x08, 0x0b, 0x89, 0x98, 0xb1, 0x11, 0x02, 0x45, 0x3c, + 0x52, 0x0d, 0x34, 0x8e, 0x63, 0x94, 0xd4, 0x04, 0x03, 0x0b, 0x09, 0x94, 0x22, 0x23, 0x59, 0x83, + 0x4a, 0x47, 0x41, 0xe3, 0xf2, 0xa1, 0x41, 0x37, 0x9e, 0xab, 0x12, 0xe8, 0xd0, 0x50, 0xb0, 0xfe, + 0x57, 0x21, 0x1f, 0xe1, 0xf7, 0x20, 0xb7, 0x15, 0x27, 0x6d, 0x6e, 0x1c, 0xc3, 0xca, 0x1c, 0x3b, + 0xe4, 0x1b, 0xd3, 0x86, 0xb0, 0x28, 0xf7, 0x9e, 0x5d, 0x9d, 0xaf, 0x3f, 0x79, 0xff, 0x36, 0x94, + 0x48, 0x77, 0xdd, 0x8c, 0x1a, 0x12, 0x56, 0xb3, 0x3b, 0x8d, 0x2a, 0xf1, 0xd7, 0x13, 0xd9, 0xe3, + 0x93, 0xa0, 0x9f, 0x71, 0x5a, 0x99, 0x1a, 0x79, 0x00, 0x4b, 0x6d, 0x9f, 0x0e, 0x59, 0xbf, 0xed, + 0x87, 0xcc, 0x95, 0xc3, 0x29, 0x9e, 0x5f, 0xc5, 0x49, 0x59, 0x1b, 0xbf, 0x96, 0x61, 0x65, 0x8e, + 0x08, 0x72, 0x08, 0xc5, 0x17, 0x7e, 0xd0, 0x37, 0x9f, 0xf7, 0xe4, 0xea, 0x7c, 0xfd, 0xf1, 0xfb, + 0x7f, 0x9e, 0x49, 0xa7, 0x12, 0x38, 0x98, 0x86, 0x2c, 0x41, 0x3e, 0x7e, 0x21, 0xf3, 0xcf, 0xdb, + 0xea, 0x4a, 0x13, 0x4d, 0x07, 0xc7, 0xca, 0xd6, 0xa5, 0x9e, 0xb0, 0x8b, 0x1b, 0x05, 0x65, 0x53, + 0x63, 0x62, 0x43, 0x79, 0xb6, 0xa9, 0x44, 0x53, 0x42, 0xe1, 0x76, 0x97, 0x7a, 0x1e, 0x8b, 0x9a, + 0x0b, 0x13, 0xf6, 0x32, 0x42, 0xf8, 0xe8, 0x26, 0xd2, 0x9b, 0xa9, 0x98, 0x83, 0x40, 0x86, 0x53, + 0x03, 0x68, 0x3a, 0x1f, 0x79, 0x0a, 0xc5, 0x43, 0x26, 0xa9, 0x79, 0x1a, 0x1f, 0xdc, 0x98, 0x57, + 0x39, 0x62, 0x32, 0x07, 0x63, 0x90, 0x59, 0x75, 0x43, 0x65, 0xbc, 0x21, 0x1c, 0xab, 0x56, 0x9a, + 0x68, 0x10, 0x44, 0xb7, 0xd2, 0x99, 0xbe, 0x50, 0xd2, 0x1c, 0xea, 0xde, 0x55, 0x4b, 0x2c, 0x88, + 0x76, 0xd5, 0xed, 0xa3, 0x62, 0x42, 0x03, 0xd9, 0x8a, 0xeb, 0xb2, 0x8a, 0x7b, 0xcc, 0x0c, 0x89, + 0xab, 0x75, 0x0b, 0xca, 0x6f, 0x98, 0xef, 0x0d, 0xa4, 0x30, 0x6f, 0x1c, 0x49, 0xb8, 0x1b, 0xc5, + 0x89, 0x5c, 0x48, 0x0d, 0x4a, 0x5d, 0x7e, 0xc2, 0x02, 0xd3, 0x97, 0xf4, 0x84, 0x6c, 0xc1, 0xca, + 0x41, 0x40, 0x7b, 0x43, 0xd6, 0xa5, 0xde, 0xeb, 0x53, 0x16, 0x86, 0x7e, 0x9f, 0xd9, 0xb7, 0x10, + 0xac, 0x79, 0x81, 0xec, 0x40, 0x49, 0xbf, 0xa9, 0x4b, 0xb8, 0xde, 0xbd, 0xe4, 0xf6, 0xe6, 0xfe, + 0x90, 0x39, 0xda, 0x57, 0xb5, 0xb0, 0x03, 0xf5, 0xb4, 0x8c, 0x43, 0x5f, 0x30, 0xbc, 0x80, 0x15, + 0x8c, 0x5e, 0x6d, 0x9a, 0xbf, 0x83, 0xb3, 0xaa, 0x39, 0x91, 0x54, 0x0c, 0xd9, 0x81, 0xb2, 0x59, + 0xc2, 0xbe, 0x8d, 0xe1, 0x1f, 0xce, 0xdf, 0x9f, 0x71, 0x70, 0x22, 0xcf, 0xb5, 0x1f, 0xa0, 0x96, + 0x05, 0x08, 0x59, 0x86, 0xc2, 0x09, 0x9b, 0x9a, 0x07, 0x58, 0x0d, 0x49, 0x0b, 0x4a, 0xa7, 0x74, + 0x38, 0xd1, 0xaf, 0x6c, 0x66, 0x72, 0x93, 0xc2, 0xd1, 0x7e, 0x4f, 0xf3, 0x9f, 0x5b, 0x6b, 0xbb, + 0x50, 0x8d, 0x39, 0xc9, 0xc8, 0x59, 0x4b, 0xe6, 0xac, 0x26, 0x02, 0x1b, 0x5f, 0xc4, 0xfd, 0x3f, + 0xc2, 0x3f, 0x51, 0x18, 0xd6, 0x6c, 0x61, 0x44, 0xe4, 0xe5, 0xaf, 0xc9, 0x6b, 0x3c, 0x8b, 0x6f, + 0x5e, 0x05, 0x76, 0xa8, 0x10, 0x7e, 0xe0, 0x99, 0xee, 0x11, 0x4d, 0x95, 0xf2, 0x86, 0x86, 0x81, + 0x52, 0x74, 0x6c, 0x34, 0xdd, 0x3b, 0x3c, 0xfb, 0xab, 0x9e, 0x3b, 0xbb, 0xa8, 0x5b, 0xef, 0x2e, + 0xea, 0xd6, 0x9f, 0x17, 0x75, 0xeb, 0xa7, 0xcb, 0x7a, 0xee, 0x97, 0xcb, 0x7a, 0xee, 0xdd, 0x65, + 0x3d, 0xf7, 0xc7, 0x65, 0x3d, 0xf7, 0xfd, 0xa7, 0x37, 0x35, 0x87, 0xd4, 0xff, 0xf6, 0xde, 0x02, + 0x1a, 0x76, 0xfe, 0x0e, 0x00, 0x00, 0xff, 0xff, 0x70, 0xa5, 0x21, 0xd2, 0x36, 0x0c, 0x00, 0x00, } func (m *ConnectProxyConfig) Marshal() (dAtA []byte, err error) { @@ -1119,6 +1124,16 @@ func (m *TransparentProxyConfig) MarshalToSizedBuffer(dAtA []byte) (int, error) _ = i var l int _ = l + if m.DialedDirectly { + i-- + if m.DialedDirectly { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x10 + } if m.OutboundListenerPort != 0 { i = encodeVarintService(dAtA, i, uint64(m.OutboundListenerPort)) i-- @@ -1593,6 +1608,9 @@ func (m *TransparentProxyConfig) Size() (n int) { if m.OutboundListenerPort != 0 { n += 1 + sovService(uint64(m.OutboundListenerPort)) } + if m.DialedDirectly { + n += 2 + } return n } @@ -3027,6 +3045,26 @@ func (m *TransparentProxyConfig) Unmarshal(dAtA []byte) error { break } } + case 2: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field DialedDirectly", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowService + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.DialedDirectly = bool(v != 0) default: iNdEx = preIndex skippy, err := skipService(dAtA[iNdEx:]) diff --git a/proto/pbservice/service.proto b/proto/pbservice/service.proto index 3f95a79aa292..e8e050115d56 100644 --- a/proto/pbservice/service.proto +++ b/proto/pbservice/service.proto @@ -218,6 +218,11 @@ message MeshGatewayConfig { message TransparentProxyConfig { // mog: func-to=int func-from=int32 int32 OutboundListenerPort = 1; + + // DialedDirectly indicates whether transparent proxies can dial this proxy instance directly. + // The discovery chain is not considered when dialing a service instance directly. + // This setting is useful when addressing stateful services, such as a database cluster with a leader node. + bool DialedDirectly = 2; } // ServiceDefinition is used to JSON decode the Service definitions. For diff --git a/website/content/docs/connect/config-entries/mesh.mdx b/website/content/docs/connect/config-entries/mesh.mdx index 932f78ada982..b47443682151 100644 --- a/website/content/docs/connect/config-entries/mesh.mdx +++ b/website/content/docs/connect/config-entries/mesh.mdx @@ -63,7 +63,8 @@ TransparentProxy { - `CatalogDestinationsOnly` `(bool: false)` - Determines whether sidecar proxies operating in transparent mode can proxy traffic to IP addresses not registered in Consul's catalog. If enabled, traffic will only be proxied - to upstreams with service registrations in the catalog. + to upstreams with service registrations in the catalog. If disabled, requests will be proxied as-is to the + original destination IP address. Consul will not encrypt the connection. ## ACLs diff --git a/website/content/docs/connect/config-entries/proxy-defaults.mdx b/website/content/docs/connect/config-entries/proxy-defaults.mdx index 4009d925da0d..24b27c0a0c16 100644 --- a/website/content/docs/connect/config-entries/proxy-defaults.mdx +++ b/website/content/docs/connect/config-entries/proxy-defaults.mdx @@ -233,6 +233,14 @@ spec: description: `The port the proxy should listen on for outbound traffic. This must be the port where outbound application traffic is captured and redirected to.`, }, + { + name: 'DialedDirectly', + type: 'bool: false', + description: `Determines whether this proxy instance's IP address can be dialed directly by transparent proxies. + Typically transparent proxies dial upstreams using the "virtual" tagged address, which load balances + across instances. Dialing individual instances can be helpful in cases like stateful services such + as a database cluster with a leader. `, + }, ], yaml: false, }, diff --git a/website/content/docs/connect/config-entries/service-defaults.mdx b/website/content/docs/connect/config-entries/service-defaults.mdx index 96a5ef0f27ab..9a326bac9d45 100644 --- a/website/content/docs/connect/config-entries/service-defaults.mdx +++ b/website/content/docs/connect/config-entries/service-defaults.mdx @@ -453,6 +453,14 @@ UpstreamConfig = { description: `The port the proxy should listen on for outbound traffic. This must be the port where outbound application traffic is redirected to.`, }, + { + name: 'DialedDirectly', + type: 'bool: false', + description: `Determines whether this proxy instance's IP address can be dialed directly by transparent proxies. + Typically transparent proxies dial upstreams using the "virtual" tagged address, which load balances + across instances. Dialing individual instances can be helpful in cases like stateful services such + as a database cluster with a leader. `, + }, ], yaml: false, }, diff --git a/website/content/docs/connect/registration/service-registration.mdx b/website/content/docs/connect/registration/service-registration.mdx index cf88ceb94ef8..7ea5b470dbd1 100644 --- a/website/content/docs/connect/registration/service-registration.mdx +++ b/website/content/docs/connect/registration/service-registration.mdx @@ -238,12 +238,20 @@ registrations](/docs/agent/services#service-definition-parameter-case). ```json { - "outbound_listener_port": 22500 + "outbound_listener_port": 22500, + "dialed_directly": true } ``` - `outbound_listener_port` `(int: 15001)` - The port the proxy should listen on for outbound traffic. This must be the port where outbound application traffic is captured and redirected to. +- `dialed_directly` `(bool: false)` - Determines whether this proxy instance's IP address can be dialed + directly by transparent proxies. Typically transparent proxies dial upstreams using the "virtual" + tagged address, which load balances across instances. Dialing individual instances can be helpful + in cases like stateful services such as a database cluster with a leader. + + ~> **Note:** Dynamic routing rules such as failovers and redirects do not apply to services dialed directly. + Additionally, the connection is proxied using a TCP proxy with a connection timeout of 5 seconds. ### Mesh Gateway Configuration Reference diff --git a/website/content/docs/connect/transparent-proxy.mdx b/website/content/docs/connect/transparent-proxy.mdx index 69b800eab5bd..0099dbe15932 100644 --- a/website/content/docs/connect/transparent-proxy.mdx +++ b/website/content/docs/connect/transparent-proxy.mdx @@ -20,9 +20,9 @@ implicitly from Service Intentions. Explicit upstreams are still supported in th registration](/docs/connect/registration/service-registration) on VMs and via the [annotation](/docs/k8s/connect#consul-hashicorp-com-connect-service-upstreams) in Kubernetes. -To support transparent proxying, Consul now supports a command +To support transparent proxying, Consul's CLI now has a command [`consul connect redirect-traffic`](/commands/connect/redirect-traffic) to redirect traffic through an inbound and -outbound listener on the sidecar. It also watches Service Intentions and configures the Envoy proxy with the appropriate +outbound listener on the sidecar. Consul also watches Service Intentions and configures the Envoy proxy with the appropriate upstream IPs. If the default ACL policy is "allow", then Service Intentions are not required. In Consul on Kubernetes, the traffic redirection command is automatically set up via an init container. @@ -103,7 +103,11 @@ spec: ## Known Beta Limitations * There is no first class support for transparent proxying on VMs. -* Traffic can only be transparently proxied within a Consul datacenter. +* Traffic can only be transparently proxied when the address dialed corresponds to the address of a service in the +transparent proxy's datacenter. Cross-datacenter transparent proxying is only possible using service-resolver +configuration entries that resolve to remote datacenters. +* When dialing headless services the request will be proxied using a plain TCP proxy with a 5s connection timeout. +Currently the upstream's protocol and connection timeout are not considered. ## Using Transparent Proxy @@ -149,3 +153,16 @@ it can dial `sample-app.default.svc.cluster.local`, using If ACLs with default "deny" policy are enabled, it also needs a [ServiceIntention](/docs/connect/config-entries/service-intentions) allowing it to talk to `sample-app`. + +### Headless Services +For services that are not addressed using a virtual cluster IP, the upstream service must be +configured using the [DialedDirectly](/docs/connect/config-entries/service-defaults#dialeddirectly) +option. + +Individual instance addresses can then be discovered using DNS, and dialed through the transparent proxy. +When this mode is enabled on the upstream, connect certificates will be presented for mTLS and +intentions will be enforced at the destination. + +Note that when dialing individual instances HTTP routing rules configured with config entries +will **not** be considered. The transparent proxy acts as a TCP proxy to the original +destination IP address.