Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add connection requested server name attribute to TCP read filter #1843

Merged
merged 18 commits into from
Jul 10, 2018
Merged

Add connection requested server name attribute to TCP read filter #1843

merged 18 commits into from
Jul 10, 2018

Conversation

vadimeisenbergibm
Copy link
Contributor

What this PR does / why we need it:

Adds SNI attribute to the TCP read filter, to be used in telemetry reports and policy checks.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): implements #istio/istio#6810

Release note:

SNI report and check in TCP filter

@istio-testing istio-testing added the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Jul 10, 2018
@googlebot googlebot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label Jul 10, 2018
@istio-testing istio-testing requested review from linsun and lizan July 10, 2018 07:04
@vadimeisenbergibm vadimeisenbergibm mentioned this pull request Jul 10, 2018
Closed
kyessenov
kyessenov reviewed Jul 10, 2018
View reviewed changes
src/istio/control/tcp/attributes_builder.cc Outdated
@@ -51,6 +51,9 @@ void AttributesBuilder::ExtractCheckAttributes(CheckData* check_data) {
builder.AddBool(utils::AttributeName::kConnectionMtls,
check_data->IsMutualTLS());

builder.AddString(utils::AttributeName::kConnectionRequestedServerName,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you please check whether the string is empty first? we normally don't send unset values to mixer.

kyessenov
kyessenov reviewed Jul 10, 2018
View reviewed changes
src/envoy/tcp/mixer/filter.h
@@ -53,6 +53,7 @@ class Filter : public Network::Filter,
bool GetSourceIpPort(std::string* str_ip, int* port) const override;
bool GetSourceUser(std::string* user) const override;
bool IsMutualTLS() const override;
std::string GetRequestedServerName() const override;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make sure to apply the same changes to http filter in src/envoy/http/mixer

@vadimeisenbergibm
Copy link
Contributor Author

@kyessenov I have applied your comments.

@vadimeisenbergibm vadimeisenbergibm changed the title [WIP] Add connection requested server name attribute to TCP read filter Add connection requested server name attribute to TCP read filter Jul 10, 2018
@istio-testing istio-testing removed the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Jul 10, 2018
kyessenov
kyessenov reviewed Jul 10, 2018
View reviewed changes
Copy link
Contributor

@kyessenov kyessenov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good to me, but please get an approval from @qiwzhang and release sign-off from @hklai

@vadimeisenbergibm
Copy link
Contributor Author

@qiwzhang could you please review this PR?

hklai
hklai approved these changes Jul 10, 2018
View reviewed changes
Copy link
Contributor

@hklai hklai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@istio-testing
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hklai, vadimeisenbergibm
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: jimmycyj

Assign the PR to them by writing /assign @jimmycyj in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@hklai hklai merged commit 1464e5e into istio:release-1.0 Jul 10, 2018
@hklai hklai mentioned this pull request Jul 10, 2018
Merged
qiwzhang
qiwzhang reviewed Jul 10, 2018
View reviewed changes
include/istio/control/http/check_data.h
@@ -47,6 +47,9 @@ class CheckData {
// Returns true if connection is mutual TLS enabled.
virtual bool IsMutualTLS() const = 0;

// Get requested server name, SNI in case of TLS
virtual std::string GetRequestedServerName() const = 0;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since there are cases data is not available, the coding style is to return a bool. It should be:

// return true if data is valid.
bool GetRequestedServerName(std::string* name);

This was referenced Jul 11, 2018
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kyessenov kyessenov kyessenov left review comments

@qiwzhang qiwzhang qiwzhang left review comments

@rshriram rshriram rshriram approved these changes

@hklai hklai hklai approved these changes

@linsun linsun Awaiting requested review from linsun

@lizan lizan Awaiting requested review from lizan

Assignees

@hklai hklai

Labels
cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@vadimeisenbergibm @istio-testing @rshriram @kyessenov @qiwzhang @hklai @googlebot