3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 10:56:28 +02:00
Code Issues Projects Releases Packages Wiki Activity

explicitly list gRPC services accessible via the gRPC listener (#3879)

Browse source
This commit is contained in:
Denis Mishin 2023-01-11 12:38:34 -05:00 committed by GitHub
parent bfcd15435f
commit 04a82813f3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 16 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
config/envoyconfig/listeners.go
View file

@ -454,13 +454,18 @@ func (b *Builder) buildGRPCListener(ctx context.Context, cfg *config.Config) (*e
} }
func (b *Builder) buildGRPCHTTPConnectionManagerFilter() (*envoy_config_listener_v3.Filter, error) { func (b *Builder) buildGRPCHTTPConnectionManagerFilter() (*envoy_config_listener_v3.Filter, error) {
rc, err := b.buildRouteConfiguration("grpc", []*envoy_config_route_v3.VirtualHost{{ allow := []string{
Name: "grpc", "envoy.service.auth.v3.Authorization",
Domains: []string{"*"}, "databroker.DataBrokerService",
Routes: []*envoy_config_route_v3.Route{{ "registry.Registry",
"grpc.health.v1.Health",
}
routes := make([]*envoy_config_route_v3.Route, 0, len(allow))
for _, svc := range allow {
routes = append(routes, &envoy_config_route_v3.Route{
Name: "grpc", Name: "grpc",
Match: &envoy_config_route_v3.RouteMatch{ Match: &envoy_config_route_v3.RouteMatch{
PathSpecifier: &envoy_config_route_v3.RouteMatch_Prefix{Prefix: "/"}, PathSpecifier: &envoy_config_route_v3.RouteMatch_Prefix{Prefix: fmt.Sprintf("/%s/", svc)},
Grpc: &envoy_config_route_v3.RouteMatch_GrpcRouteMatchOptions{}, Grpc: &envoy_config_route_v3.RouteMatch_GrpcRouteMatchOptions{},
}, },
Action: &envoy_config_route_v3.Route_Route{ Action: &envoy_config_route_v3.Route_Route{
@ -477,7 +482,12 @@ func (b *Builder) buildGRPCHTTPConnectionManagerFilter() (*envoy_config_listener
}, },
}, },
}, },
}}, })
}
rc, err := b.buildRouteConfiguration("grpc", []*envoy_config_route_v3.VirtualHost{{
Name: "grpc",
Domains: []string{"*"},
Routes: routes,
}}) }})
if err != nil { if err != nil {
return nil, err return nil, err

1
config/envoyconfig/outbound.go
View file

@ -98,7 +98,6 @@ func (b *Builder) buildOutboundRoutes() []*envoy_config_route_v3.Route {
Cluster: "pomerium-databroker", Cluster: "pomerium-databroker",
Prefixes: []string{ Prefixes: []string{
"/databroker.DataBrokerService/", "/databroker.DataBrokerService/",
"/directory.DirectoryService/",
"/registry.Registry/", "/registry.Registry/",
}, },
}, },

13
config/envoyconfig/outbound_test.go
View file

@ -36,19 +36,6 @@ func Test_buildOutboundRoutes(t *testing.T) {
"timeout": "0s" "timeout": "0s"
} }
}, },
{
"match": {
"grpc": {},
"prefix": "/directory.DirectoryService/"
},
"name": "pomerium-databroker",
"route": {
"autoHostRewrite": true,
"cluster": "pomerium-databroker",
"idleTimeout": "0s",
"timeout": "0s"
}
},
{ {
"match": { "match": {
"grpc": {}, "grpc": {},