explicitly list gRPC services accessible via the gRPC listener (#3879)

2025-04-29 18:36:30 +02:00 · 2023-01-11 12:38:34 -05:00 · 2023-01-11 12:38:34 -05:00 · 04a82813f3
commit 04a82813f3
parent bfcd15435f
3 changed files with 16 additions and 20 deletions
--- a/config/envoyconfig/listeners.go
+++ b/config/envoyconfig/listeners.go
@ -454,13 +454,18 @@ func (b *Builder) buildGRPCListener(ctx context.Context, cfg *config.Config) (*e
 }

 func (b *Builder) buildGRPCHTTPConnectionManagerFilter() (*envoy_config_listener_v3.Filter, error) {
-	rc, err := b.buildRouteConfiguration("grpc", []*envoy_config_route_v3.VirtualHost{{
-		Name:    "grpc",
-		Domains: []string{"*"},
-		Routes: []*envoy_config_route_v3.Route{{
+	allow := []string{
+		"envoy.service.auth.v3.Authorization",
+		"databroker.DataBrokerService",
+		"registry.Registry",
+		"grpc.health.v1.Health",
+	}
+	routes := make([]*envoy_config_route_v3.Route, 0, len(allow))
+	for _, svc := range allow {
+		routes = append(routes, &envoy_config_route_v3.Route{
 			Name: "grpc",
 			Match: &envoy_config_route_v3.RouteMatch{
-				PathSpecifier: &envoy_config_route_v3.RouteMatch_Prefix{Prefix: "/"},
+				PathSpecifier: &envoy_config_route_v3.RouteMatch_Prefix{Prefix: fmt.Sprintf("/%s/", svc)},
 				Grpc:          &envoy_config_route_v3.RouteMatch_GrpcRouteMatchOptions{},
 			},
 			Action: &envoy_config_route_v3.Route_Route{
@ -477,7 +482,12 @@ func (b *Builder) buildGRPCHTTPConnectionManagerFilter() (*envoy_config_listener
 					},
 				},
 			},
-		}},
+		})
+	}
+	rc, err := b.buildRouteConfiguration("grpc", []*envoy_config_route_v3.VirtualHost{{
+		Name:    "grpc",
+		Domains: []string{"*"},
+		Routes:  routes,
 	}})
 	if err != nil {
 		return nil, err
--- a/config/envoyconfig/outbound.go
+++ b/config/envoyconfig/outbound.go
@ -98,7 +98,6 @@ func (b *Builder) buildOutboundRoutes() []*envoy_config_route_v3.Route {
 			Cluster: "pomerium-databroker",
 			Prefixes: []string{
 				"/databroker.DataBrokerService/",
-				"/directory.DirectoryService/",
 				"/registry.Registry/",
 			},
 		},
--- a/config/envoyconfig/outbound_test.go
+++ b/config/envoyconfig/outbound_test.go
@ -36,19 +36,6 @@ func Test_buildOutboundRoutes(t *testing.T) {
 				"timeout": "0s"
 			}
 		},
-		{
-			"match": {
-				"grpc": {},
-				"prefix": "/directory.DirectoryService/"
-			},
-			"name": "pomerium-databroker",
-			"route": {
-				"autoHostRewrite": true,
-				"cluster": "pomerium-databroker",
-				"idleTimeout": "0s",
-				"timeout": "0s"
-			}
-		},
 		{
 			"match": {
 				"grpc": {},