Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added support for upstream verification for TCPProxy #6079

Merged
merged 3 commits into from
Jan 29, 2024

Conversation

tsaarni
Copy link
Member

@tsaarni tsaarni commented Jan 14, 2024

This PR adds support for upstream verification for TCPProxy.

As discussed in #4373 (comment) the API has always allowed setting httpproxy.spec.tcpproxy.services.validation but it has been ignored by the implementation.

Updates #4373

@tsaarni tsaarni requested a review from a team as a code owner January 14, 2024 20:07
@tsaarni tsaarni requested review from skriss and sunjayBhatia and removed request for a team January 14, 2024 20:07
@sunjayBhatia sunjayBhatia requested review from a team and davinci26 and removed request for a team January 14, 2024 20:08
Copy link

codecov bot commented Jan 14, 2024

Codecov Report

Attention: 3 lines in your changes are missing coverage. Please review.

Comparison is base (9eb2838) 78.82% compared to head (9450ff5) 78.81%.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #6079      +/-   ##
==========================================
- Coverage   78.82%   78.81%   -0.02%     
==========================================
  Files         138      138              
  Lines       19766    19790      +24     
==========================================
+ Hits        15581    15597      +16     
- Misses       3878     3884       +6     
- Partials      307      309       +2     
Files Coverage Δ
internal/dag/httpproxy_processor.go 91.51% <91.17%> (-0.42%) ⬇️

@tsaarni tsaarni force-pushed the tcpproxy-tls-validation branch from 4420dca to 1987eac Compare January 14, 2024 20:16
@tsaarni tsaarni added the release-note/minor A minor change that needs about a paragraph of explanation in the release notes. label Jan 14, 2024
Copy link
Member

@skriss skriss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @tsaarni, looks pretty good to me

internal/dag/httpproxy_processor.go Show resolved Hide resolved
internal/dag/httpproxy_processor.go Show resolved Hide resolved
@tsaarni tsaarni force-pushed the tcpproxy-tls-validation branch from 1987eac to 6308022 Compare January 18, 2024 12:18
Copy link
Member

@skriss skriss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but GitHub is unhappy with the PR, may need a rebase or just a kick.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
@tsaarni tsaarni force-pushed the tcpproxy-tls-validation branch from 6308022 to 6773a1a Compare January 18, 2024 16:20

c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
Resources: resources(t,
tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil, nil),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe a refactor for the future, but since we only really have one fixture for cert content, we end up asserting on the same value everywhere ([]byte(featuretests.CERTIFICATE)), would be good to maybe at least use the field from caSecret for readability? (looks like sec2 in the other test below?)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 While adding the test I was reminded that I would have preferred to remove the hardcoded test certificates & private keys from the code. I'll check if I could simplify this.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated the tests so that they use the field from CA secret, though this will be bit simpler if we merge #6100 as it will allow passing the secret itself.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now updated according to #6100

Copy link
Member

@sunjayBhatia sunjayBhatia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just one nit on the featuretests, otherwise LGTM

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
@sunjayBhatia sunjayBhatia merged commit 4619e0a into projectcontour:main Jan 29, 2024
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release-note/minor A minor change that needs about a paragraph of explanation in the release notes.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants