Backport of [NET-9098] Narrow scope of peering config on terminating gw filter chain to TCP services into release/1.18.x (#21057)

hc-github-team-consul-core · nathancoleman · web-flow · commit 537b50ee954b · 2024-05-06T20:43:14.000Z
backport of commit d65f512 Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go
@@ -1759,14 +1759,8 @@ type terminatingGatewayFilterChainOpts struct {
 }
 
 func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.ConfigSnapshot, tgtwyOpts terminatingGatewayFilterChainOpts) (*envoy_listener_v3.FilterChain, error) {
-	// We need to at least match the SNI and use the root PEMs from the local cluster; however, requests coming
-	// from peered clusters where the external service is exported to will have their own SNI and root PEMs.
+	// We need to at least match the SNI and use the root PEMs from the local cluster
 	sniMatches := []string{tgtwyOpts.cluster}
-	for _, bundle := range tgtwyOpts.peerTrustBundles {
-		svc := tgtwyOpts.service
-		sourceSNI := connect.PeeredServiceSNI(svc.Name, svc.NamespaceOrDefault(), svc.PartitionOrDefault(), bundle.PeerName, cfgSnap.Roots.TrustDomain)
-		sniMatches = append(sniMatches, sourceSNI)
-	}
 
 	tlsContext := &envoy_tls_v3.DownstreamTlsContext{
 		CommonTlsContext: makeCommonTLSContext(
@@ -1777,9 +1771,19 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.
 		RequireClientCertificate: &wrapperspb.BoolValue{Value: true},
 	}
 
-	err := injectSpiffeValidatorConfigForPeers(cfgSnap, tlsContext.CommonTlsContext, tgtwyOpts.peerTrustBundles)
-	if err != nil {
-		return nil, err
+	// For TCP connections, TLS is not terminated at the mesh gateway but is instead proxied through;
+	// therefore, we need to account for callers from other datacenters when setting up our filter chain.
+	if tgtwyOpts.protocol == "tcp" {
+		for _, bundle := range tgtwyOpts.peerTrustBundles {
+			svc := tgtwyOpts.service
+			sourceSNI := connect.PeeredServiceSNI(svc.Name, svc.NamespaceOrDefault(), svc.PartitionOrDefault(), bundle.PeerName, cfgSnap.Roots.TrustDomain)
+			sniMatches = append(sniMatches, sourceSNI)
+		}
+
+		err := injectSpiffeValidatorConfigForPeers(cfgSnap, tlsContext.CommonTlsContext, tgtwyOpts.peerTrustBundles)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext)
