Fix ingress backend broken SAN #4914

steeling · 2022-07-19T14:58:26Z

Fix an issue where the trust domain is getting added to the full SAN provided in ingress backend's. This is accomplished by switching from adding service identity (which does not contain trust domain) to principals (which does), on the traffic policy rules and policy builder.

tests/e2e/e2e_ingressbackend_test.go

codecov-commenter · 2022-07-19T16:56:55Z

Codecov Report

Merging #4914 (1a6dc9d) into main (f768f64) will decrease coverage by 0.03%.
The diff coverage is 93.93%.

❗ Current head 1a6dc9d differs from pull request most recent head c9b0508. Consider uploading reports for the commit c9b0508 to get more accurate results

@@            Coverage Diff             @@
##             main    #4914      +/-   ##
==========================================
- Coverage   68.67%   68.63%   -0.04%     
==========================================
  Files         220      220              
  Lines       15944    15941       -3     
==========================================
- Hits        10949    10941       -8     
- Misses       4943     4948       +5     
  Partials       52       52

Flag	Coverage Δ
unittests	`68.63% <93.93%> (-0.04%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/identity/types.go	`74.07% <0.00%> (-5.93%)`	⬇️
pkg/catalog/catalog.go	`91.30% <100.00%> (+1.30%)`	⬆️
pkg/catalog/inbound_traffic_policies.go	`94.90% <100.00%> (ø)`
pkg/catalog/ingress.go	`96.26% <100.00%> (-0.04%)`	⬇️
pkg/envoy/lds/rbac.go	`80.35% <100.00%> (-0.68%)`	⬇️
pkg/envoy/rbac/policy.go	`100.00% <100.00%> (ø)`
pkg/envoy/rds/route/rbac.go	`92.85% <100.00%> (-0.70%)`	⬇️
pkg/trafficpolicy/trafficpolicy.go	`96.15% <100.00%> (ø)`
pkg/messaging/workqueue.go	`89.28% <0.00%> (-10.72%)`	⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f768f64...c9b0508. Read the comment docs.

Signed-off-by: Sean Teeling <seanteeling@microsoft.com>

Fix ingress backend SAN's, which were getting the trust domain appended to the provided SAN. This adds an e2e test to catch that going forward. This also switches the internal builders to use the principal (trust domain appended) vs the identity (no trust domain)

Fix ingress backend SAN's, which were getting the trust domain appended to the provided SAN. This adds an e2e test to catch that going forward. This also switches the internal builders to use the principal (trust domain appended) vs the identity (no trust domain) Signed-off-by: nshankar13 <nshankar@microsoft.com>

Fix ingress backend broken SAN (openservicemesh#4914) Fix ingress backend SAN's, which were getting the trust domain appended to the provided SAN. This adds an e2e test to catch that going forward. This also switches the internal builders to use the principal (trust domain appended) vs the identity (no trust domain) Signed-off-by: nshankar13 <nshankar@microsoft.com>

Fix ingress backend broken SAN (openservicemesh#4914) Fix ingress backend SAN's, which were getting the trust domain appended to the provided SAN. This adds an e2e test to catch that going forward. This also switches the internal builders to use the principal (trust domain appended) vs the identity (no trust domain) Signed-off-by: nshankar13 <nshankar@microsoft.com> [backport] cherry-pick 961c865 to release-v1.2 fix golints G114 and package-comments (openservicemesh#5037) golints addressed: 1. G114: Use of net/http serve function that has no support for setting timeouts 2. package-comments 3. removes pkg mesh and moves isValidUUID() to pkg/cli/proxy_get.go Signed-off-by: Shalier Xia <shalierxia@microsoft.com>

Fix ingress backend broken SAN (openservicemesh#4914) Fix ingress backend SAN's, which were getting the trust domain appended to the provided SAN. This adds an e2e test to catch that going forward. This also switches the internal builders to use the principal (trust domain appended) vs the identity (no trust domain) Signed-off-by: nshankar13 <nshankar@microsoft.com> [backport] cherry-pick 961c865 to release-v1.2 fix golints G114 and package-comments (openservicemesh#5037) golints addressed: 1. G114: Use of net/http serve function that has no support for setting timeouts 2. package-comments 3. removes pkg mesh and moves isValidUUID() to pkg/cli/proxy_get.go Signed-off-by: Shalier Xia <shalierxia@microsoft.com> [backport] cherry-pick df502a7 to release-v1.2 bump version of go to 1.19 (openservicemesh#4972) Signed-off-by: Sean Teeling <seanteeling@microsoft.com>

Fix ingress backend broken SAN (openservicemesh#4914) Fix ingress backend SAN's, which were getting the trust domain appended to the provided SAN. This adds an e2e test to catch that going forward. This also switches the internal builders to use the principal (trust domain appended) vs the identity (no trust domain) [backport] cherry-pick 961c865 to release-v1.2 fix golints G114 and package-comments (openservicemesh#5037) golints addressed: 1. G114: Use of net/http serve function that has no support for setting timeouts 2. package-comments 3. removes pkg mesh and moves isValidUUID() to pkg/cli/proxy_get.go Signed-off-by: Shalier Xia <shalierxia@microsoft.com>

Fix ingress backend broken SAN (openservicemesh#4914) Fix ingress backend SAN's, which were getting the trust domain appended to the provided SAN. This adds an e2e test to catch that going forward. This also switches the internal builders to use the principal (trust domain appended) vs the identity (no trust domain) [backport] cherry-pick 961c865 to release-v1.2 fix golints G114 and package-comments (openservicemesh#5037) golints addressed: 1. G114: Use of net/http serve function that has no support for setting timeouts 2. package-comments 3. removes pkg mesh and moves isValidUUID() to pkg/cli/proxy_get.go Signed-off-by: Shalier Xia <shalierxia@microsoft.com> Signed-off-by: nshankar13 <nshankar@microsoft.com>

Fix ingress backend broken SAN (openservicemesh#4914) Fix ingress backend SAN's, which were getting the trust domain appended to the provided SAN. This adds an e2e test to catch that going forward. This also switches the internal builders to use the principal (trust domain appended) vs the identity (no trust domain)

Fix ingress backend broken SAN (openservicemesh#4914) Fix ingress backend SAN's, which were getting the trust domain appended to the provided SAN. This adds an e2e test to catch that going forward. This also switches the internal builders to use the principal (trust domain appended) vs the identity (no trust domain) Signed-off-by: nshankar13 <nshankar@microsoft.com>

steeling changed the title ~~Feature/principals~~ Fix ingress backend broken SAN Jul 19, 2022

steeling force-pushed the feature/principals branch 3 times, most recently from a9bc9e5 to 74f3755 Compare July 19, 2022 15:28

steeling marked this pull request as ready for review July 19, 2022 16:02

steeling requested review from shashankram, snehachhabria, nojnhuh, draychev, jaellio, trstringer and keithmattix as code owners July 19, 2022 16:02

shashankram approved these changes Jul 19, 2022

View reviewed changes

tests/e2e/e2e_ingressbackend_test.go Outdated Show resolved Hide resolved

steeling force-pushed the feature/principals branch from 26b6c33 to 1a6dc9d Compare July 19, 2022 16:39

keithmattix approved these changes Jul 19, 2022

View reviewed changes

steeling force-pushed the feature/principals branch 2 times, most recently from c9b0508 to e3599ee Compare July 19, 2022 18:53

keithmattix added the blocker/release=v1.2.0 Release blocker for v1.2.0 label Jul 19, 2022

steeling added 2 commits July 19, 2022 17:06

Use principal in builders, which contains trust domain vs identity

9f3b005

Signed-off-by: Sean Teeling <seanteeling@microsoft.com>

add ingress backend test

cc41d4e

Signed-off-by: Sean Teeling <seanteeling@microsoft.com>

steeling force-pushed the feature/principals branch from e3599ee to 15e00d8 Compare July 19, 2022 21:06

use alternate trust domain in ingress backend test

cfdc68d

Signed-off-by: Sean Teeling <seanteeling@microsoft.com>

steeling force-pushed the feature/principals branch from 15e00d8 to cfdc68d Compare July 19, 2022 22:06

steeling merged commit 15e46da into openservicemesh:main Jul 19, 2022

steeling deleted the feature/principals branch July 19, 2022 22:56

nshankar13 mentioned this pull request Aug 31, 2022

[backport] cherry-pick commit 15e46da to release-v1.2 #5063

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix ingress backend broken SAN #4914

Fix ingress backend broken SAN #4914

Uh oh!

steeling commented Jul 19, 2022

Uh oh!

Uh oh!

codecov-commenter commented Jul 19, 2022 •

edited

Loading

Uh oh!

Uh oh!

Fix ingress backend broken SAN #4914

Fix ingress backend broken SAN #4914

Uh oh!

Conversation

steeling commented Jul 19, 2022

Uh oh!

Uh oh!

codecov-commenter commented Jul 19, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

codecov-commenter commented Jul 19, 2022 •

edited

Loading