Blog post for egress SNI routing. #14188

Merged
merged 16 commits into from
Nov 30, 2023

Conversation

libesz
Contributor

@libesz libesz commented Nov 20, 2023

Description

Blog post for #14126

Reviewers

TBD

  • Ambient
  • Docs
  • Installation
  • Networking
  • Performance and Scalability
  • Extensions and Telemetry
  • Security
  • Test and Release
  • User Experience
  • Developer Infrastructure
  • Localization/Translation

@istio-testing istio-testing added the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Nov 20, 2023
@istio-policy-bot

😊 Welcome! This is either your first contribution to the Istio documentation repo, or
it's been a while since you've been here. A few things you should know:

  • You can learn about how we write and maintain documentation, our style guidelines,
    and the available web site features by visiting Contributing to the Docs.

  • In the next few minutes, an automatic preview of your change will be built with
    a full copy of the istio.io website. You can find this preview by clicking on
    the Details link next to the deploy/netlify entry in the status section of this
    page.

  • We care about quality, so we've put in place a number of checks to ensure our documentation
    is top-notch. We do spell checking, sanitize the Markdown, ensure all hyperlinks point to a
    valid location, and more. If your PR doesn't pass one of these checks, you'll see a red X in the
    lint_istio.io entry in the status section. Click on the Details link to get a list of the
    problems with your PR. Fix those problems and push an update; this will automatically re-run the
    tests. Hopefully this time everything will be perfect!

  • Once your changes are accepted and merged into the repository, they will initially show up
    on https://preliminary.istio.io. The changes will be published to https://istio.io
    the next time we do a major release (which typically happens every 3 months or so).
    To publish them sooner, add a cherrypick/release-x.xx label, where x.xx is the current
    release of Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.


linux-foundation-easycla bot commented Nov 20, 2023

CLA Signed

The committers listed above are authorized under a signed CLA.

@istio-testing istio-testing added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. needs-ok-to-test labels Nov 20, 2023
@istio-testing
Contributor

Hi @libesz. Thanks for your PR.

I'm waiting for an Istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@libesz libesz force-pushed the egress-sni-blogpost branch 3 times, most recently from 214b5d2 to fe17313 Compare November 20, 2023 18:57
Member

@Arhell Arhell left a comment


/ok-to-test

@istio-testing istio-testing added ok-to-test Set this label allow normal testing to take place for a PR not submitted by an Istio org member. and removed needs-ok-to-test labels Nov 21, 2023
@libesz libesz force-pushed the egress-sni-blogpost branch from c6ae525 to 582164a Compare November 22, 2023 08:32
@libesz libesz force-pushed the egress-sni-blogpost branch from f11d04a to f0847b0 Compare November 22, 2023 17:29
@libesz libesz force-pushed the egress-sni-blogpost branch 9 times, most recently from 6beeeb9 to f619ea4 Compare November 24, 2023 15:00
Comment on lines 2 to 3
title: "[WIP] Routing HTTPS/TLS traffic to arbitrary remote destinations"
description: "A generic approach to set up egress gateways and use them to route traffic to a restricted set of target remote hosts dynamically, supporting wildcard domains."
Collaborator


Suggested change
title: "[WIP] Routing HTTPS/TLS traffic to arbitrary remote destinations"
description: "A generic approach to set up egress gateways and use them to route traffic to a restricted set of target remote hosts dynamically, supporting wildcard domains."
title: "Routing egress gateway traffic to wildcard destinations"
description: "A generic approach to set up egress gateways that can route traffic to a restricted set of target remote hosts dynamically, including wildcard domains."

Contributor Author


Shouldn't "Routing egress gateway traffic" be just "Routing egress traffic"?

Collaborator


Technically, the article just shows how to make an egress gateway route to wildcard hosts; there's no problem if routing directly. But the description says that clearly enough, so if you'd rather leave "gateway" out of the title, that's fine.

@frankbu frankbu added the cherrypick/release-1.20 Set this label on a PR to auto-merge it to the release-1.20 branch label Nov 29, 2023
Co-authored-by: Michael <haifeng.yao@daocloud.io>
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
@frankbu
Collaborator

frankbu commented Nov 30, 2023


Another listener with SNI forwarder performs a new TLS header
inspection for the original TLS session. If the inner SNI
hostname matches the allowed domain names (including
wildcards), it TCP proxies the traffic to the destination, read
from the header per connection. This listener is internal to
Envoy (allowing it to restart traffic processing to see
the inner SNI value), so that no pods (inside or outside the
mesh) can connect to it directly. This listener is 100% manually
configured through EnvoyFilter.
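The inner-SNI check described in the comment above, as an added Python example that is not part of this PR or of the Istio blog post: it parses the server_name extension out of a raw TLS ClientHello record (the header inspection the internal listener performs) and matches the result against an allowlist that contains wildcard domains, which is the decision that gates whether the connection is TCP-proxied or dropped. The allowlist, the ClientHello builder and the wildcard semantics (a `*.` entry matches any subdomain depth but never the apex) are my assumptions, not taken from the page.

```python
import struct

# Constructed allowlist standing in for the blog's "allowed domain names (including wildcards)".
ALLOWED_HOSTS = ["*.example.com", "api.example.org"]


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying only a server_name extension."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name           # name_type 0 = host_name
    ext = struct.pack("!HHH", 0x0000, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"                           # version, random, no session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                         # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)                        # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Return the SNI host from a TLS ClientHello record, or None if absent or not a ClientHello."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                      # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                                            # record + hs header, version, random
        pos += 1 + record[pos]                                          # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]             # cipher suites
        pos += 1 + record[pos]                                          # compression methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]        # end of extensions block
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0x0000:                                      # server_name extension
                name_len = struct.unpack_from("!H", record, pos + 3)[0] # skip list len(2) + name_type(1)
                return record[pos + 5: pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                                     # truncated or malformed record
    return None


def sni_allowed(host: str, allowed=ALLOWED_HOSTS) -> bool:
    """Assumed wildcard semantics: '*.example.com' matches any subdomain depth but never the apex."""
    host = host.lower().rstrip(".")
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]) and len(host) > len(pattern) - 1:
                return True
        elif host == pattern:
            return True
    return False
```

Only a ClientHello whose SNI passes `sni_allowed` would be handed to the TCP proxy; a record without SNI, a truncated record, or a host outside the allowlist yields a drop decision.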

---
title: "[WIP] Routing HTTPS/TLS traffic to arbitrary remote destinations"
description: "A generic approach to set up egress gateways and use them to route traffic to a restricted set of target remote hosts dynamically, supporting wildcard domains."
publishdate: 2023-12-10
Collaborator


Suggested change
publishdate: 2023-12-10
publishdate: 2023-12-01

Collaborator

@frankbu frankbu left a comment


Nice article, LGTM. Thanks @libesz!

@istio-testing istio-testing merged commit be9316e into istio:master Nov 30, 2023
6 checks passed
@frankbu
Collaborator

frankbu commented Nov 30, 2023

/cherrypick release-1.20

@istio-testing
Contributor

@frankbu: new pull request created: #14211

In response to this:

/cherrypick release-1.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
