Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS Passthrough support #402

Merged
merged 30 commits into from
Oct 11, 2022
Merged

TLS Passthrough support #402

merged 30 commits into from
Oct 11, 2022

Conversation

chauhanshubham
Copy link
Member

@chauhanshubham chauhanshubham commented Sep 21, 2022
edited
Loading

This commit adds a tlsroute controller which is further used to
configure tls passthrough in envoy.

Testing Done

  1. Deployed the nginx application as mentioned here: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/

  2. Applied gateway configs as follows

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: eg
spec:
  gatewayClassName: eg
  listeners:
    - name: tls
      protocol: TLS
      tls:
        mode: Passthrough
      port: 8080
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: tlsroute
spec:
  parentRefs:
    - name: eg
  hostnames:
    - "nginx.example.com"
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: my-nginx
          port: 443
          weight: 1
  1. To test traffic
$ kubectl -n envoy-gateway-system port-forward service/envoy-default-eg 8888:8080
$ curl -v --resolve nginx.example.com:8888:127.0.0.1 https://nginx.example.com:8888 --cacert testing/tls-passthrough/example.com.crt
* Added nginx.example.com:8888:127.0.0.1 to DNS cache
* Hostname nginx.example.com was found in DNS cache
*   Trying 127.0.0.1:8888...
* Connected to nginx.example.com (127.0.0.1) port 8888 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: personal/tls-passthrough/example.com.crt
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* ... **collapsed for brevity**
* TLSv1.2 (IN), TLS handshake, Finished (20):
* Server certificate:
*  subject: CN=nginx.example.com; O=some organization
*  start date: Oct  8 05:48:33 2022 GMT
*  expire date: Oct  8 05:48:33 2023 GMT
*  common name: nginx.example.com (matched)
*  issuer: O=example Inc.; CN=example.com
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: nginx.example.com:8888
> User-Agent: curl/7.77.0
> Accept: */*
>
... **collapsed for brevity**
<title>Welcome to nginx!</title>
... **collapsed for brevity**
* Connection #0 to host nginx.example.com left intact

Fixes #168
Signed-off-by: Shubham Chauhan shubham@tetrate.io

@codecov-commenter
Copy link

codecov-commenter commented Sep 22, 2022
edited
Loading

Codecov Report

Merging #402 (88d2df3) into main (b8f234b) will decrease coverage by 0.22%.
The diff coverage is 63.64%.

@@            Coverage Diff             @@
##             main     #402      +/-   ##
==========================================
- Coverage   62.72%   62.49%   -0.23%     
==========================================
  Files          42       45       +3     
  Lines        4496     5301     +805     
==========================================
+ Hits         2820     3313     +493     
- Misses       1532     1798     +266     
- Partials      144      190      +46
Impacted Files Coverage Δ
internal/cmd/server.go 7.75% <0.00%> (-0.14%) ⬇️
internal/ir/infra.go 67.41% <ø> (ø)
internal/ir/zz_generated.deepcopy.go 0.00% <0.00%> (ø)
internal/provider/kubernetes/kubernetes.go 53.48% <0.00%> (-4.02%) ⬇️
internal/status/status.go 0.00% <0.00%> (ø)
internal/gatewayapi/helpers_v1alpha2.go 28.88% <28.88%> (ø)
internal/gatewayapi/helpers.go 67.52% <40.00%> (+0.85%) ⬆️
internal/gatewayapi/runner/runner.go 53.77% <42.85%> (-0.78%) ⬇️
internal/xds/translator/translator.go 72.04% <60.00%> (-2.65%) ⬇️
internal/provider/kubernetes/tlsroute.go 60.56% <60.56%> (ø)
... and 13 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@chauhanshubham chauhanshubham force-pushed the tls-passthrough-shchauhan branch 3 times, most recently from 4d2bca9 to 56f56db Compare September 22, 2022 17:05
@skriss skriss mentioned this pull request Sep 22, 2022
Closed
arkodg
arkodg reviewed Sep 23, 2022
View reviewed changes
internal/ir/xds.go Outdated Show resolved Hide resolved
arkodg
arkodg reviewed Sep 23, 2022
View reviewed changes
internal/ir/xds.go Outdated Show resolved Hide resolved
@chauhanshubham chauhanshubham force-pushed the tls-passthrough-shchauhan branch 2 times, most recently from edc36cc to 2114d5a Compare September 24, 2022 05:31
@chauhanshubham chauhanshubham marked this pull request as ready for review September 24, 2022 06:06
@chauhanshubham chauhanshubham requested a review from a team as a code owner September 24, 2022 06:06
@chauhanshubham
Copy link
Member Author

chauhanshubham commented Sep 24, 2022
edited
Loading

This requires two one more no thing

  1. adding tlsroute status updates to be implemented, similar to httproutes in send resource statuses using watchable #395
  2. update tlsroute controller to listen and validate gateway parent Adds Gateway Watch to HTTPRoute Controller #403
    I can take these up separately if this PR is getting too long

Above tasks were added as part of this PR
Minor pending action items include,

  1. including tlsroute in demo profile
  2. doc updates

danehans
danehans suggested changes Sep 26, 2022
View reviewed changes
Copy link
Contributor

@danehans danehans left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@chauhanshubham the Kube provider RBAC needs to be updated for TLSRoutes.

@chauhanshubham chauhanshubham force-pushed the tls-passthrough-shchauhan branch from 9ad67d4 to 3f1b654 Compare September 26, 2022 19:27
@chauhanshubham chauhanshubham force-pushed the tls-passthrough-shchauhan branch from 3f1b654 to 075b7db Compare September 27, 2022 16:13
@danehans danehans added this to the 0.3.0-rc1 milestone Sep 27, 2022
@chauhanshubham chauhanshubham marked this pull request as draft October 5, 2022 14:52
@chauhanshubham chauhanshubham force-pushed the tls-passthrough-shchauhan branch 2 times, most recently from 11d0e32 to 4b4f062 Compare October 5, 2022 14:54
danehans
danehans reviewed Oct 6, 2022
View reviewed changes
Copy link
Contributor

@danehans danehans left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One nit. Otherwise, can you create tlsroute integration test similar to this?

internal/provider/kubernetes/helpers.go Outdated Show resolved Hide resolved
@arkodg arkodg modified the milestones: 0.3.0-rc.1, 0.2.0 Oct 6, 2022
@chauhanshubham chauhanshubham marked this pull request as ready for review October 7, 2022 14:36
@chauhanshubham chauhanshubham force-pushed the tls-passthrough-shchauhan branch from 4478f40 to 04ac43d Compare October 7, 2022 19:20
@chauhanshubham chauhanshubham mentioned this pull request Oct 7, 2022
Merged
@chauhanshubham
xds config tests for tls passthrough
33e9f1b 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
increase test coverage
441ed9e 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
testfix
14f9a46 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
separate xds tls listener
aba3fd2 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

testfix

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
additional xds validate tests
5275fac 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
tlsroute refgrant test
5803a54 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
add rbac permissions for tlsroute
754083f 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
updates post rebase
48df046 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
add status updater, gateway watcher for tlsroute
8a5632f 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
add status update framework for tlsroute
fa840ed 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
lintfix, testfix, fix post rebase
b674402 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
yet another lintfix
3f348b8 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
refactor tlslistener/route -> tcplistener/route, xds updates
bf204fa 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
missed a file
6a8e114 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
lintfix
0ca160b 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
rebase, review comments
8bf39b3 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
minor testfix
932334c 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
more
991b869 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
review comments, status deepcopy, check routes in ns
b54f2fe 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham
revert bad import, testfix, new test
c09d71c 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
@chauhanshubham chauhanshubham force-pushed the tls-passthrough-shchauhan branch from 5c7b8fb to c09d71c Compare October 10, 2022 17:35
arkodg
arkodg reviewed Oct 10, 2022
View reviewed changes
internal/gatewayapi/sort.go Outdated Show resolved Hide resolved
@chauhanshubham
rev sort
5475f5b 
Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
chauhanshubham
chauhanshubham commented Oct 10, 2022
View reviewed changes
internal/provider/kubernetes/tlsroute.go
if !found {
r.resources.Namespaces.Delete(request.Namespace)
log.Info("deleted namespace from resource map")
r.resources.Services.Delete(request.NamespacedName)
Copy link
Member Author

@chauhanshubham chauhanshubham Oct 10, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This attempts to delete a possibly non-existent Service, and not the relevant ones. It is introducing an issue in the tlsroute controller, which was present for httproute controller too. I have filed an issue for this here #536

arkodg
arkodg approved these changes Oct 10, 2022
View reviewed changes
Copy link
Contributor

@arkodg arkodg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for spending the extra cycles to get TLS Passthrough support in for 0.2.0 !

@danehans danehans merged commit b9ed6df into envoyproxy:main Oct 11, 2022
@danehans danehans mentioned this pull request Oct 16, 2022
Closed
danehans pushed a commit to danehans/gateway that referenced this pull request Nov 3, 2022
@chauhanshubham @danehans
TLS Passthrough support (envoyproxy#402)
86b63ef 
* TLS Passthrough support

This commit adds a tlsroute controller which is further used
to configure tls passthrough in envoy.

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* Adding tlsroute experimental crd in testdata

update gatewayclass/gateway/httproute experimental
CRDs to use standard schemas

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* keep other testdata changes out of this PR

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* added testcases for tlsroutes, include serviceport in irInfraPortName

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* lintfix

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* tlroute kubernetes provider test

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* added xds tls config validate test for passthrough

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* types test tlsroute

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* test fixes

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* xds config tests for tls passthrough

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* increase test coverage

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* testfix

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* separate xds tls listener

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

testfix

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* additional xds validate tests

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* tlsroute refgrant test

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* add rbac permissions for tlsroute

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* updates post rebase

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* add status updater, gateway watcher for tlsroute

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* add status update framework for tlsroute

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* lintfix, testfix, fix post rebase

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* yet another lintfix

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* refactor tlslistener/route -> tcplistener/route, xds updates

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* missed a file

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* lintfix

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* rebase, review comments

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* minor testfix

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* more

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* review comments, status deepcopy, check routes in ns

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* revert bad import, testfix, new test

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

* rev sort

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arkodg arkodg arkodg approved these changes

@danehans danehans danehans approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.2.0
Development

Successfully merging this pull request may close these issues.

add support for TLSRoute / TLS listener protocol / TLS passthrough
4 participants
@chauhanshubham @codecov-commenter @arkodg @danehans