Use correct(?) identities

istio · Jan 21, 2025 · a8856a4 · a8856a4
1 parent cab4849
commit a8856a4
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/src/proxy/outbound.rs b/src/proxy/outbound.rs
@@ -407,6 +407,7 @@ impl OutboundConnection {
                     intended_destination_service: Some(ServiceDescription::from(&*target_service)),
                     actual_destination,
                     upstream_sans,
+                    final_sans: vec![],
                 });
             }
             // this was service addressed but we did not find a waypoint
@@ -437,6 +438,7 @@ impl OutboundConnection {
                 intended_destination_service: None,
                 actual_destination: target,
                 upstream_sans: vec![],
+                final_sans: vec![],
             });
         };
 
@@ -470,6 +472,7 @@ impl OutboundConnection {
                     intended_destination_service: us.destination_service.clone(),
                     actual_destination,
                     upstream_sans,
+                    final_sans: vec![],
                 });
             }
             // Workload doesn't have a waypoint; send directly
@@ -486,9 +489,12 @@ impl OutboundConnection {
             Protocol::HBONE | Protocol::DOUBLEHBONE => Some(us.workload_socket_addr()),
             Protocol::TCP => None,
         };
+        let (upstream_sans, final_sans) = match us.workload.protocol {
+            Protocol::DOUBLEHBONE => (vec![us.workload.identity()], us.service_sans()),
+            Protocol::TCP | Protocol::HBONE => (us.workload_and_services_san(), vec![]),
+        };
 
         // For case no waypoint for both side and direct to remote node proxy
-        let upstream_sans = us.workload_and_services_san();
         debug!("built request to workload");
         Ok(Request {
             protocol: us.workload.protocol,
@@ -498,6 +504,7 @@ impl OutboundConnection {
             intended_destination_service: us.destination_service.clone(),
             actual_destination,
             upstream_sans,
+            final_sans,
         })
     }
 }
@@ -546,6 +553,11 @@ struct Request {
     // The identity we will assert for the next hop; this may not be the same as actual_destination_workload
     // in the case of proxies along the path.
     upstream_sans: Vec<Identity>,
+
+    // The identity of workload that will ultimately process this request.
+    // This field only matters if we need to know both the identity of the next hop, as well as the
+    // final hop (currently, this is only double HBONE).
+    final_sans: Vec<Identity>,
 }
 
 #[cfg(test)]

diff --git a/src/state.rs b/src/state.rs
@@ -88,6 +88,19 @@ impl Upstream {
             .chain(std::iter::once(self.workload.identity()))
             .collect()
     }
+
+    pub fn service_sans(&self) -> Vec<Identity> {
+        self.service_sans
+            .iter()
+            .flat_map(|san| match Identity::from_str(san) {
+                Ok(id) => Some(id),
+                Err(err) => {
+                    warn!("ignoring invalid SAN {}: {}", san, err);
+                    None
+                }
+            })
+            .collect()
+    }
 }
 
 // Workload information that a specific proxy instance represents. This is used to cross check