-
Notifications
You must be signed in to change notification settings - Fork 347
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Implement setting common TLS parameters in ClientTrafficPolicy #2297
Conversation
🚀 Thank you for contributing to the Envoy Gateway project! 🚀 Before merging, please ensure to follow the process below:
NOTE: Once your PR is under review, please do not rebase and force push it. Otherwise, it will force your reviewers to review the PR from scratch rather than simply look at your latest changes. What's more, you can help expedite the processing of your PR by
|
@envoyproxy/gateway-reviewers please review |
🚀 Deployed on https://gateway-pr-2297-preview--eg-preview.netlify.app |
please don't try to implement before API accepted, maybe a waste of your time. |
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #2297 +/- ##
==========================================
- Coverage 64.66% 64.63% -0.04%
==========================================
Files 115 115
Lines 16844 17326 +482
==========================================
+ Hits 10893 11199 +306
- Misses 5256 5415 +159
- Partials 695 712 +17 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like a really good start. I'd like some more attention paid to the defaults (at minimum, we absolutely must state what the defaults are!), and I kind of think that if the version
stanza sets the minimum and maximum it should be named versions
plural, but that's a really minor nit.
I'm marking this as "request changes" because the defaults thing is important, I think. Thanks for digging into this!
if tlsParams.Version != nil { | ||
var minVersion, maxVersion int | ||
var err error | ||
if minVersion, err = tlsVersionToNumericVersion(tlsParams.Version.Min); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems to imply that settings like this:
version:
min: TLSv1_2
will not work, since it seems that the default for max
is TLS_Auto
.
I think that "auto" should mean "the earliest supported version" for minimum and "the latest supported version" for maximum. (While we're at it, I also don't see any value in forcing people to type "TLS_" everywhere: just let the versions be strings like "v1.3", and "auto".)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was resolved by adopting defaults of minimum TLS v1.2 and maximum TLS v1.3.
The validation that min <= max
was implemented as a CEL rule.
D'oh!! I should've read #2287 before commenting here. Mea culpa. |
2409454
to
bd0d64e
Compare
hey @liorokman can you rebase ? |
bd0d64e
to
f75f911
Compare
internal/xds/translator/listener.go
Outdated
|
||
func buildTLSVersion(version *gwv1a1.TLSVersion) tlsv3.TlsParameters_TlsProtocol { | ||
lookup := map[gwv1a1.TLSVersion]tlsv3.TlsParameters_TlsProtocol{ | ||
gwv1a1.TLSv10: tlsv3.TlsParameters_TLSv1_0, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thinking out loud, about the API, should the user strings be 1.2
, 1.3
instead of v1_2
and v1_3
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think it matters that much. I'll change to whatever is requested.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FTR I think "1.2" and "1.3" are great. 🙂
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@liorokman sorry for churn, can you go ahead and update the strings to 1.2
& 1.3
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
One small thing to notice: when setting the TLS protocol version to the string 1.0
, sometimes YAML/JSON parsers detect the value as a number and not as a string and remove the .0
from the value. It's important to quote the value in order to keep the .0
in it as part of a string.
This can happen when the YAML text is unmarshaled into untyped maps. I ran into this when updating the YAML files that comprise the tests. It also happens with the tool that generates the CRD, which is why the validation enum comment contains quotes.
Example:
spec:
tls:
# This sometimes gets parsed wrong, since it becomes a number and
# loses the fractional part.
minVersion: 1.0
# This always gets parsed correctly as a string.
minVersion: "1.0"
internal/gatewayapi/route.go
Outdated
@@ -995,6 +996,9 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour | |||
}, | |||
TLS: &ir.TLS{Terminate: irTLSConfigs(listener.tlsSecrets)}, | |||
} | |||
if irListener.TLS.Terminate != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice !
a comment in here saying enable http/1.1 & http/2 alpn protocols by default would help
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just realized this is the logic for TCPRoute, what about HTTPRoute and GRPCRoute ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rethinking about this logic, here's my sugession
- dont parse/set ALPN here
- in the ClientTrafficPolicy layer, if ALPN is set, then set it in the IR
- In the xds layer, if ALPN is nil, set to http/1.1 and http/2, if set, set to the value in ALPN field
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
@liorokman curious why the permissions was changed for so many files |
When I started with the tests, it stood out like a sore thumb that so many yaml files were marked as executable. |
if httpIR.HTTP3 != nil { | ||
httpIR.TLS.ALPNProtocols = []string{"h3"} | ||
} else if tlsParams != nil { | ||
httpIR.TLS.ALPNProtocols = make([]string, len(tlsParams.ALPNProtocols)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldnt this line
httpIR.TLS.ALPNProtocols = make([]string, len(tlsParams.ALPNProtocols))
be under if tlsParams.ALPNProtocols != nil
else it will end up resetting the value
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
hey @liorokman one more thing I noticed was the ALPN string for apart from this, LGTM this PR also needs a rebase |
ALPN can never be used for If EG supports I suggest keeping the |
Signed-off-by: Lior Okman <lior.okman@sap.com>
Signed-off-by: Lior Okman <lior.okman@sap.com>
Signed-off-by: Lior Okman <lior.okman@sap.com>
Signed-off-by: Lior Okman <lior.okman@sap.com>
Depends on envoyproxy#2287. Signed-off-by: Lior Okman <lior.okman@sap.com>
Signed-off-by: Lior Okman <lior.okman@sap.com>
Signed-off-by: Lior Okman <lior.okman@sap.com>
Signed-off-by: Lior Okman <lior.okman@sap.com>
* Make the new tests pass Signed-off-by: Lior Okman <lior.okman@sap.com>
Signed-off-by: Lior Okman <lior.okman@sap.com>
* Use non API types in the IR structure * Rename TLSListenerConfig to TLSConfig * Use string slices instead of Enum slices for ALPN in the IR structure Signed-off-by: Lior Okman <lior.okman@sap.com>
underscore separator. Signed-off-by: Lior Okman <lior.okman@sap.com>
translates to the required defaults in the XDS layer * Fixed translation issues between the ALPN constants and the values required on the XDS level Signed-off-by: Lior Okman <lior.okman@sap.com>
a1b7467
to
829457a
Compare
Signed-off-by: Lior Okman <lior.okman@sap.com>
@liorokman I understand that |
Is it OK to assume that valid Enum values for the ALPN field will always be from the IANA registry? Or should I keep the lookup function that currently allows the enum to be different than the technical values required on the wire? |
yeah 1:1 works, and we can do w/o a lookup func for alpn for now imo |
strings. * Replace the user-facing "http/2" ALPN string with "h2". Signed-off-by: Lior Okman <lior.okman@sap.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM thanks, appreciate you addressing all the comments !
@@ -5,8 +5,8 @@ | |||
|
|||
package v1alpha1 | |||
|
|||
// +kubebuilder:validation:XValidation:rule="has(self.minVersion) && self.minVersion == 'v1_3' ? !has(self.ciphers) : true", message="setting ciphers has no effect if the minimum possible TLS version is 1.3" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you add some test for these in a separated PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added #2424
What this PR does / why we need it:
Implementation for setting Ciphers, ECDHCurves, ALPN protocols, Signature Algorithms, and TLS protocol versions in ClientTrafficPolicy.
Which issue(s) this PR fixes:
Implements #2286
Based on #2287
Related to #1846