destination: add UriLikeIdentity and server_name #285
Conversation
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
Looks good to me after playing with this in the prototype. Should we also add a small comment in
linkerd2-proxy-api/proto/inbound.proto, line 173 in eff6f41:
message Identity { string name = 1; } |
oneof strategy { DnsLikeIdentity dns_like_identity = 1; } | ||
oneof strategy { | ||
DnsLikeIdentity dns_like_identity = 1; | ||
UriLikeIdentity uri_like_identity = 3; |
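Review bot: `UriLikeIdentity uri_like_identity = 3;` jumps from field number 1 to 3 inside `oneof strategy` with no `reserved 2;` visible in the message. If number 2 was assigned to an earlier variant, add `reserved 2;` so a later change cannot reuse the tag with a different type, which would silently misdecode old messages. The new variant also has no leading comment; in line with the comment this thread asks for on inbound.proto, state on the field that it carries a URI-form identity (e.g. a SPIFFE ID) and that it is never a resolvable name.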
If I recall correctly, the name DnsLikeIdentity was chosen to indicate that this isn't actually a DNS name:
- We don't expect it to be resolvable via DNS.
- It doesn't actually support all DNS names (i.e., trailing dots are forbidden).
I think in this case, we can just call it UriIdentity.
proto/destination.proto (outdated)
UriLikeIdentity uri_like_identity = 3; | ||
} | ||
|
||
ServerName server_name = 4; |
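Review bot: `ServerName server_name = 4;` sits outside `oneof strategy`, so a `TlsIdentity` can carry either identity variant together with a server name, but nothing in the hunk says when the field must be set. Since the PR description states that a URI identity cannot be placed in the ClientHello SNI, document on this field that it is required whenever `uri_like_identity` is set and what a client does when it is absent. Typing it as `DnsLikeIdentity`, as also raised in review, would give the SNI value the same no-trailing-dot validation as the DNS-like identity rather than introducing a second string type with no stated constraints.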
It seems appropriate to use DnsLikeIdentity for the server_name type to me. The server name has to be a DNS-like string.
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
@olix0r renamed
Will merge that, we can do a follow-up if needed.
This change is a follow-up to the work to split the concepts of `ServerId` and `ServerName`. To do that we consume the changes to the protobuf API introduced in linkerd/linkerd2-proxy-api#285, while keeping things backward compatible. Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
This PR changes the `TlsIdentity` type in the destination API such that:

- a `UriLikeIdentity` identity type is added, which should contain identities that are in URI format (e.g. SPIFFE)
- `server_name` is added to the `TlsIdentity` type. This allows us to differentiate between an SNI value and a TLS Id value.

This is mainly needed because in certain identity systems (SPIFFE/SPIRE) the TLS SAN can be in URI form. A URI cannot be used as a SNI extension in a `ClientHello`, so an alternative SNI value needs to be provided. This brings the need to distinguish between these two concepts.

For context: linkerd/linkerd2-proxy#2506
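The following is an added example and is not code from linkerd2-proxy-api or linkerd2-proxy. It models the `TlsIdentity` shape this PR introduces (a `oneof strategy` of `DnsLikeIdentity` or `UriLikeIdentity`, plus `server_name`) and works through the two points raised in the thread: the review note that a DNS-like identity is not a DNS name and rejects a trailing dot, and the PR description's rule that a URI identity cannot be placed in the ClientHello SNI, so a separate `server_name` must be supplied. The type and field names mirror the proto; the validation rules, the `client_params` function and the policy that a DNS-like identity doubles as SNI when `server_name` is absent are assumptions made for illustration, not project behaviour.

```rust
// Added example, not linkerd2-proxy-api or linkerd2-proxy code: a Rust model of the
// `TlsIdentity` shape discussed in this PR (oneof strategy + server_name) and the
// rule a client needs from it: which name goes into the ClientHello SNI and which
// SAN the peer certificate must carry. Validation rules and `client_params` are
// assumptions for illustration.

/// A DNS-like identity. "DNS-like", not a DNS name: it is never resolved, and a
/// trailing dot is rejected (as noted in review).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct DnsLikeIdentity(pub String);

/// A URI-like identity, e.g. a SPIFFE ID `spiffe://<trust-domain>/<path>`.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct UriLikeIdentity(pub String);

/// Mirrors `oneof strategy { dns_like_identity = 1; uri_like_identity = 3; }`.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Strategy {
    DnsLike(DnsLikeIdentity),
    UriLike(UriLikeIdentity),
}

/// Mirrors the changed `TlsIdentity`: the identity plus an optional SNI value.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TlsIdentity {
    pub strategy: Strategy,
    pub server_name: Option<DnsLikeIdentity>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum IdentityError {
    InvalidDnsLike(String),
    InvalidUri(String),
    /// A URI identity cannot be used as SNI, so `server_name` is mandatory with it.
    MissingServerName,
}

impl DnsLikeIdentity {
    /// Assumed rule: 1..=253 bytes, dot-separated LDH labels of 1..=63 bytes,
    /// no leading/trailing hyphen, no empty label (so no trailing dot).
    pub fn parse(s: &str) -> Result<Self, IdentityError> {
        let err = || IdentityError::InvalidDnsLike(s.to_string());
        if s.is_empty() || s.len() > 253 {
            return Err(err());
        }
        // `split('.')` yields an empty last label for "a.b.", so a trailing dot fails here.
        for label in s.split('.') {
            let ok_len = !label.is_empty() && label.len() <= 63;
            let ok_chars = label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-');
            let ok_edges = !label.starts_with('-') && !label.ends_with('-');
            if !(ok_len && ok_chars && ok_edges) {
                return Err(err());
            }
        }
        Ok(DnsLikeIdentity(s.to_string()))
    }
}

impl UriLikeIdentity {
    /// Assumed rule: `<scheme>://<non-empty authority>...`, scheme per RFC 3986
    /// syntax, no whitespace. Enough to tell a SPIFFE ID from a DNS-like name.
    pub fn parse(s: &str) -> Result<Self, IdentityError> {
        let err = || IdentityError::InvalidUri(s.to_string());
        let (scheme, rest) = s.split_once("://").ok_or_else(err)?;
        let scheme_ok = scheme.chars().next().map_or(false, |c| c.is_ascii_alphabetic())
            && scheme.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c));
        let authority = rest.split('/').next().unwrap_or("");
        if !scheme_ok || authority.is_empty() || s.chars().any(char::is_whitespace) {
            return Err(err());
        }
        Ok(UriLikeIdentity(s.to_string()))
    }
}

/// Which SAN type the client verifies in the peer certificate.
#[derive(Debug, PartialEq, Eq)]
pub enum ExpectedSan {
    Dns(String),
    Uri(String),
}

/// The ClientHello SNI and the SAN to verify, derived from a `TlsIdentity`.
#[derive(Debug, PartialEq, Eq)]
pub struct ClientTlsParams {
    pub sni: String,
    pub expected_san: ExpectedSan,
}

pub fn client_params(id: &TlsIdentity) -> Result<ClientTlsParams, IdentityError> {
    match (&id.strategy, &id.server_name) {
        // A DNS-like identity is itself a valid SNI; `server_name` may override it (assumption).
        (Strategy::DnsLike(d), sni) => Ok(ClientTlsParams {
            sni: sni.as_ref().map_or_else(|| d.0.clone(), |n| n.0.clone()),
            expected_san: ExpectedSan::Dns(d.0.clone()),
        }),
        // A URI cannot go into SNI, so the separately supplied `server_name` is used.
        (Strategy::UriLike(u), Some(sni)) => Ok(ClientTlsParams {
            sni: sni.0.clone(),
            expected_san: ExpectedSan::Uri(u.0.clone()),
        }),
        (Strategy::UriLike(_), None) => Err(IdentityError::MissingServerName),
    }
}

fn main() {
    // Constructed sample (not real cluster data): a SPIFFE identity with a DNS-like SNI.
    let id = TlsIdentity {
        strategy: Strategy::UriLike(
            UriLikeIdentity::parse("spiffe://cluster.local/ns/default/sa/web").unwrap(),
        ),
        server_name: Some(
            DnsLikeIdentity::parse("web.default.serviceaccount.identity.linkerd.cluster.local")
                .unwrap(),
        ),
    };
    println!("{:?}", client_params(&id));
}
```

The point of `client_params` is that the SNI and the verified SAN are now two separate decisions: for a URI identity the SAN check is against the URI and the SNI is whatever `server_name` carries, and a `TlsIdentity` with a URI strategy and no `server_name` is rejected rather than silently sending a URI as SNI.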