connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled

.changelog/9973.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+connect: add toggle to globally disable wildcard outbound network access when transparent proxy is enabled
+```

agent/config/runtime_test.go

@@ -4095,6 +4095,116 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			}
 		},
 	})
+	run(t, testCase{
+		desc: "ConfigEntry bootstrap cluster (snake-case)",
+		args: []string{`-data-dir=` + dataDir},
+		json: []string{`{
+				"config_entries": {
+					"bootstrap": [
+						{
+							"kind": "cluster",
+							"name": "cluster",
+							"meta" : {
+								"foo": "bar",
+								"gir": "zim"
+							},
+							"transparent_proxy": {
+								"catalog_destinations_only": true
+							}
+						}
+					]
+				}
+			}`,
+		},
+		hcl: []string{`
+				config_entries {
+				  bootstrap {
+					kind = "cluster"
+					name = "cluster"
+					meta {
+						"foo" = "bar"
+						"gir" = "zim"
+					}
+					transparent_proxy {
+						catalog_destinations_only = true
+					}
+				  }
+				}
+			`,
+		},
+		expected: func(rt *RuntimeConfig) {
+			rt.DataDir = dataDir
+			rt.ConfigEntryBootstrap = []structs.ConfigEntry{
+				&structs.ClusterConfigEntry{
+					Kind: "cluster",
+					Name: "cluster",
+					Meta: map[string]string{
+						"foo": "bar",
+						"gir": "zim",
+					},
+					EnterpriseMeta: *defaultEntMeta,
+					TransparentProxy: structs.TransparentProxyClusterConfig{
+						CatalogDestinationsOnly: true,
+					},
+				},
+			}
+		},
+	})
+	run(t, testCase{
+		desc: "ConfigEntry bootstrap cluster (camel-case)",
+		args: []string{`-data-dir=` + dataDir},
+		json: []string{`{
+				"config_entries": {
+					"bootstrap": [
+						{
+							"Kind": "cluster",
+							"Name": "cluster",
+							"Meta" : {
+								"foo": "bar",
+								"gir": "zim"
+							},
+							"TransparentProxy": {
+								"CatalogDestinationsOnly": true
+							}
+						}
+					]
+				}
+			}`,
+		},
+		hcl: []string{`
+				config_entries {
+				  bootstrap {
+					Kind = "cluster"
+					Name = "cluster"
+					Meta {
+						"foo" = "bar"
+						"gir" = "zim"
+					}
+					TransparentProxy {
+						CatalogDestinationsOnly = true
+					}
+				  }
+				}
+			`,
+		},
+		expected: func(rt *RuntimeConfig) {
+			rt.DataDir = dataDir
+			rt.ConfigEntryBootstrap = []structs.ConfigEntry{
+				&structs.ClusterConfigEntry{
+					Kind: "cluster",
+					Name: "cluster",
+					Meta: map[string]string{
+						"foo": "bar",
+						"gir": "zim",
+					},
+					EnterpriseMeta: *defaultEntMeta,
+					TransparentProxy: structs.TransparentProxyClusterConfig{
+						CatalogDestinationsOnly: true,
+					},
+				},
+			}
+		},
+	})
 
 	///////////////////////////////////
 	// Defaults sanity checks

agent/consul/fsm/snapshot_oss_test.go

@@ -419,6 +419,16 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
 	}
 	require.NoError(t, fsm.state.EnsureConfigEntry(26, serviceIxn))
 
+	// cluster config entry
+	clusterConfig := &structs.ClusterConfigEntry{
+		Kind: structs.ClusterConfig,
+		Name: structs.ClusterConfigCluster,
+		TransparentProxy: structs.TransparentProxyClusterConfig{
+			CatalogDestinationsOnly: true,
+		},
+	}
+	require.NoError(t, fsm.state.EnsureConfigEntry(27, clusterConfig))
+
 	// Snapshot
 	snap, err := fsm.Snapshot()
 	require.NoError(t, err)
@@ -691,6 +701,11 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, serviceIxn, serviceIxnEntry)
 
+	// Verify cluster config entry is restored
+	_, clusterConfigEntry, err := fsm2.state.ConfigEntry(nil, structs.ClusterConfig, structs.ClusterConfigCluster, structs.DefaultEnterpriseMeta())
+	require.NoError(t, err)
+	require.Equal(t, clusterConfig, clusterConfigEntry)
+
 	// Snapshot
 	snap, err = fsm2.Snapshot()
 	require.NoError(t, err)

agent/consul/state/config_entry.go

@@ -362,6 +362,7 @@ func validateProposedConfigEntryInGraph(
 			return err
 		}
 	case structs.ServiceIntentions:
+	case structs.ClusterConfig:
 	default:
 		return fmt.Errorf("unhandled kind %q during validation of %q", kind, name)
 	}

agent/proxycfg/snapshot.go

@@ -5,8 +5,9 @@ import (
 	"fmt"
 	"sort"
 
-	"github.com/hashicorp/consul/agent/structs"
 	"github.com/mitchellh/copystructure"
+
+	"github.com/hashicorp/consul/agent/structs"
 )
 
 // TODO(ingress): Can we think of a better for this bag of data?
@@ -59,6 +60,9 @@ type configSnapshotConnectProxy struct {
 	// intentions.
 	Intentions    structs.Intentions
 	IntentionsSet bool
+
+	ClusterConfig    *structs.ClusterConfigEntry
+	ClusterConfigSet bool
 }
 
 func (c *configSnapshotConnectProxy) IsEmpty() bool {
@@ -75,7 +79,8 @@ func (c *configSnapshotConnectProxy) IsEmpty() bool {
 		len(c.WatchedGatewayEndpoints) == 0 &&
 		len(c.WatchedServiceChecks) == 0 &&
 		len(c.PreparedQueryEndpoints) == 0 &&
-		len(c.UpstreamConfig) == 0
+		len(c.UpstreamConfig) == 0 &&
+		!c.ClusterConfigSet
 }
 
 type configSnapshotTerminatingGateway struct {
@@ -355,6 +360,9 @@ type ConfigSnapshot struct {
 func (s *ConfigSnapshot) Valid() bool {
 	switch s.Kind {
 	case structs.ServiceKindConnectProxy:
+		if s.Proxy.TransparentProxy && !s.ConnectProxy.ClusterConfigSet {
+			return false
+		}
 		return s.Roots != nil &&
 			s.ConnectProxy.Leaf != nil &&
 			s.ConnectProxy.IntentionsSet

agent/proxycfg/state.go

@@ -46,6 +46,7 @@ const (
 	serviceResolverIDPrefix            = "service-resolver:"
 	serviceIntentionsIDPrefix          = "service-intentions:"
 	intentionUpstreamsID               = "intention-upstreams"
+	clusterConfigEntryID               = "cluster-config"
 	svcChecksWatchIDPrefix             = cachetype.ServiceHTTPChecksName + ":"
 	serviceIDPrefix                    = string(structs.UpstreamDestTypeService) + ":"
 	preparedQueryIDPrefix              = string(structs.UpstreamDestTypePreparedQuery) + ":"
@@ -315,6 +316,17 @@ func (s *state) initWatchesConnectProxy(snap *ConfigSnapshot) error {
 		if err != nil {
 			return err
 		}
+
+		err = s.cache.Notify(s.ctx, cachetype.ConfigEntryName, &structs.ConfigEntryQuery{
+			Kind:           structs.ClusterConfig,
+			Name:           structs.ClusterConfigCluster,
+			Datacenter:     s.source.Datacenter,
+			QueryOptions:   structs.QueryOptions{Token: s.token},
+			EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
+		}, clusterConfigEntryID, s.ch)
+		if err != nil {
+			return err
+		}
 	}
 
 	// Watch for updates to service endpoints for all upstreams
@@ -846,6 +858,24 @@ func (s *state) handleUpdateConnectProxy(u cache.UpdateEvent, snap *ConfigSnapsh
 		}
 		svcID := structs.ServiceIDFromString(strings.TrimPrefix(u.CorrelationID, svcChecksWatchIDPrefix))
 		snap.ConnectProxy.WatchedServiceChecks[svcID] = resp
+
+	case u.CorrelationID == clusterConfigEntryID:
+		resp, ok := u.Result.(*structs.ConfigEntryResponse)
+		if !ok {
+			return fmt.Errorf("invalid type for response: %T", u.Result)
+		}
+
+		if resp.Entry != nil {
+			clusterConf, ok := resp.Entry.(*structs.ClusterConfigEntry)
+			if !ok {
+				return fmt.Errorf("invalid type for config entry: %T", resp.Entry)
+			}
+			snap.ConnectProxy.ClusterConfig = clusterConf
+		} else {
+			snap.ConnectProxy.ClusterConfig = nil
+		}
+		snap.ConnectProxy.ClusterConfigSet = true
+
 	default:
 		return s.handleUpdateUpstreams(u, &snap.ConnectProxy.ConfigSnapshotUpstreams)
 	}

agent/proxycfg/state_test.go

@@ -288,6 +288,18 @@ func genVerifyDiscoveryChainWatch(expected *structs.DiscoveryChainRequest) verif
 	}
 }
 
+func genVerifyClusterConfigWatch(expectedDatacenter string) verifyWatchRequest {
+	return func(t testing.TB, cacheType string, request cache.Request) {
+		require.Equal(t, cachetype.ConfigEntryName, cacheType)
+
+		reqReal, ok := request.(*structs.ConfigEntryQuery)
+		require.True(t, ok)
+		require.Equal(t, expectedDatacenter, reqReal.Datacenter)
+		require.Equal(t, structs.ClusterConfigCluster, reqReal.Name)
+		require.Equal(t, structs.ClusterConfig, reqReal.Kind)
+	}
+}
+
 func genVerifyGatewayWatch(expectedDatacenter string) verifyWatchRequest {
 	return func(t testing.TB, cacheType string, request cache.Request) {
 		require.Equal(t, cachetype.InternalServiceDumpName, cacheType)
@@ -1538,8 +1550,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 						rootsWatchID: genVerifyRootsWatch("dc1"),
 						intentionUpstreamsID: genVerifyServiceSpecificRequest(intentionUpstreamsID,
 							"api", "", "dc1", false),
-						leafWatchID:       genVerifyLeafWatch("api", "dc1"),
-						intentionsWatchID: genVerifyIntentionWatch("api", "dc1"),
+						leafWatchID:          genVerifyLeafWatch("api", "dc1"),
+						intentionsWatchID:    genVerifyIntentionWatch("api", "dc1"),
+						clusterConfigEntryID: genVerifyClusterConfigWatch("dc1"),
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
 						require.False(t, snap.Valid(), "proxy without roots/leaf/intentions is not valid")
@@ -1562,6 +1575,13 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 							Result:        TestIntentions(),
 							Err:           nil,
 						},
+						{
+							CorrelationID: clusterConfigEntryID,
+							Result: &structs.ConfigEntryResponse{
+								Entry: nil, // no explicit config
+							},
+							Err: nil,
+						},
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
 						require.True(t, snap.Valid(), "proxy with roots/leaf/intentions is valid")
@@ -1571,6 +1591,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 						require.True(t, snap.MeshGateway.IsEmpty())
 						require.True(t, snap.IngressGateway.IsEmpty())
 						require.True(t, snap.TerminatingGateway.IsEmpty())
+						require.True(t, snap.ConnectProxy.ClusterConfigSet)
+						require.Nil(t, snap.ConnectProxy.ClusterConfig)
 					},
 				},
 			},
@@ -1594,8 +1616,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 						rootsWatchID: genVerifyRootsWatch("dc1"),
 						intentionUpstreamsID: genVerifyServiceSpecificRequest(intentionUpstreamsID,
 							"api", "", "dc1", false),
-						leafWatchID:       genVerifyLeafWatch("api", "dc1"),
-						intentionsWatchID: genVerifyIntentionWatch("api", "dc1"),
+						leafWatchID:          genVerifyLeafWatch("api", "dc1"),
+						intentionsWatchID:    genVerifyIntentionWatch("api", "dc1"),
+						clusterConfigEntryID: genVerifyClusterConfigWatch("dc1"),
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
 						require.False(t, snap.Valid(), "proxy without roots/leaf/intentions is not valid")
@@ -1619,6 +1642,17 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 							Result:        TestIntentions(),
 							Err:           nil,
 						},
+						{
+							CorrelationID: clusterConfigEntryID,
+							Result: &structs.ConfigEntryResponse{
+								Entry: &structs.ClusterConfigEntry{
+									Kind:             structs.ClusterConfig,
+									Name:             structs.ClusterConfigCluster,
+									TransparentProxy: structs.TransparentProxyClusterConfig{},
+								},
+							},
+							Err: nil,
+						},
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
 						require.True(t, snap.Valid(), "proxy with roots/leaf/intentions is valid")
@@ -1628,6 +1662,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 						require.True(t, snap.MeshGateway.IsEmpty())
 						require.True(t, snap.IngressGateway.IsEmpty())
 						require.True(t, snap.TerminatingGateway.IsEmpty())
+						require.True(t, snap.ConnectProxy.ClusterConfigSet)
+						require.NotNil(t, snap.ConnectProxy.ClusterConfig)
 					},
 				},
 				// Receiving an intention should lead to spinning up a discovery chain watch

agent/structs/config_entry.go

@@ -26,8 +26,10 @@ const (
 	IngressGateway     string = "ingress-gateway"
 	TerminatingGateway string = "terminating-gateway"
 	ServiceIntentions  string = "service-intentions"
+	ClusterConfig      string = "cluster"
 
-	ProxyConfigGlobal string = "global"
+	ProxyConfigGlobal    string = "global"
+	ClusterConfigCluster string = "cluster"
 
 	DefaultServiceProtocol = "tcp"
 )
@@ -41,6 +43,7 @@ var AllConfigEntryKinds = []string{
 	IngressGateway,
 	TerminatingGateway,
 	ServiceIntentions,
+	ClusterConfig,
 }
 
 // ConfigEntry is the interface for centralized configuration stored in Raft.
@@ -496,6 +499,8 @@ func MakeConfigEntry(kind, name string) (ConfigEntry, error) {
 		return &TerminatingGatewayConfigEntry{Name: name}, nil
 	case ServiceIntentions:
 		return &ServiceIntentionsConfigEntry{Name: name}, nil
+	case ClusterConfig:
+		return &ClusterConfigEntry{Name: name}, nil
 	default:
 		return nil, fmt.Errorf("invalid config entry kind: %s", kind)
 	}