I am going through examples
I have a terminating gateway defined as
```hcl
Kind = "terminating-gateway"
Name = "terminating-gateway"
Services = [
  {
    Name = "search"
  }
]
```
and my service config defined as:
```json
{
  "Node": "google_node",
  "Address": "www.google.com",
  "NodeMeta": {
    "external-node": "true",
    "external-probe": "true"
  },
  "Service": {
    "ID": "search1",
    "Service": "search",
    "Port": 80
  },
  "Checks": [{
    "Name": "http-check",
    "Status": "passing",
    "Definition": {
      "http": "https://www.google.com",
      "interval": "30s"
    }
  }]
}
```
My Kubernetes deployment is defined as
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
  # annotations:
  #   'consul.hashicorp.com/connect-inject': 'true'
spec:
  selector:
    matchLabels:
      run: my-nginx
  replicas: 1
  template:
    metadata:
      labels:
        run: my-nginx
      annotations:
        'consul.hashicorp.com/connect-inject': 'true'
        'consul.hashicorp.com/connect-service-upstreams': 'search:1234'
    spec:
      containers:
      - name: my-nginx
        image: nginx
        ports:
        - containerPort: 80
```
I understand that the upstream allows the pod to connect to the search service on port 1234 via the Envoy sidecar. According to the examples I send an HTTP request to port 1234 on localhost and set the Host header. This seems to allow me to reach out to any site. If I run `curl -kLvvv -H "Host: www.cnn.com" localhost:1234` from within the “my-nginx” container I get a response from CNN. `curl -kLvvv -H "Host: www.google.com" localhost:1234` returns data from Google. I also see that it's doing a TLS handshake even though the service was not configured with TLS. The documentation suggests that TLS must be set on the terminating gateway specifying a certificate.
```
* Expire in 149943 ms for 3 (transfer 0x5566583ebe00)
* Expire in 200 ms for 4 (transfer 0x5566583ebe00)
* Connected to www.cnn.com (151.101.65.67) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=turner-tls.map.fastly.net
*  start date: Dec 31 17:06:12 2020 GMT
*  expire date: May  6 20:11:42 2021 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign CloudSSL CA - SHA256 - G3
```
What is going on here?
What is the point of the Address field if I can reach anywhere through the service?
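An added example, not part of the original post: a small parser for the `curl -v` trace above. curl numbers the connections it opens (`#0`, `#1`, ...), and with `-L` every redirect it follows is a fresh connection straight to the `Location` host, so listing which connections went to the sidecar's upstream listener and which did not shows on which connection the TLS handshake actually happened. The `localhost:1234` upstream and the `#0` line in the sample are assumptions; the `#1` lines are taken from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# curl's connection line, e.g. "* Connected to www.cnn.com (151.101.65.67) port 443 (#1)"
CONNECTED_RE = re.compile(
    r"^\*\s+Connected to (?P<host>\S+) \((?P<ip>[^)]+)\) port (?P<port>\d+) \(#(?P<idx>\d+)\)"
)
# curl's summary line once a TLS handshake completes on the current connection
TLS_RE = re.compile(r"^\*\s+SSL connection using (?P<proto>\S+) / (?P<cipher>\S+)")


@dataclass
class Connection:
    index: int
    host: str
    ip: str
    port: int
    tls: Optional[str] = None  # protocol version if a handshake completed on this connection

    def via_upstream(self, upstream_host: str, upstream_port: int) -> bool:
        """True if curl sent this connection to the sidecar's local upstream listener."""
        return self.host == upstream_host and self.port == upstream_port


def parse_curl_trace(trace: str) -> List[Connection]:
    """Group a `curl -v` trace into the connections curl opened, in order."""
    conns: List[Connection] = []
    for line in trace.splitlines():
        m = CONNECTED_RE.match(line)
        if m:
            conns.append(Connection(int(m["idx"]), m["host"], m["ip"], int(m["port"])))
            continue
        m = TLS_RE.match(line)
        if m and conns:  # a TLS summary belongs to the most recently opened connection
            conns[-1].tls = m["proto"]
    return conns


def bypassed_mesh(trace: str, upstream_host: str = "localhost", upstream_port: int = 1234) -> List[Connection]:
    """Connections that did not go to the local upstream port, i.e. were made directly by curl."""
    return [c for c in parse_curl_trace(trace) if not c.via_upstream(upstream_host, upstream_port)]


# Constructed sample: the "#0" line is assumed (the post does not show it); "#1" lines are from the post.
SAMPLE_TRACE = """\
* Connected to localhost (127.0.0.1) port 1234 (#0)
* Connected to www.cnn.com (151.101.65.67) port 443 (#1)
* ALPN, offering h2
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=turner-tls.map.fastly.net
"""
```

Running `bypassed_mesh(SAMPLE_TRACE)` on the sample returns only connection `#1` (to `www.cnn.com:443`, TLSv1.2), so the handshake in the trace belongs to a connection curl opened itself rather than to the request sent to port 1234.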