
@sayboras (Member) commented Mar 31, 2025

Description

After the PR below, TLS SNI server names now support prefix wildcard match; this PR updates the docs and adds basic validation for the same.

Relates: cilium/proxy#1242

Note: wait for #38603 to land first.


Testing

Testing was done locally as shown below:

$ test_name=client-egress-tls-sni
$ cilium connectivity test --test=$test_name
[=] [cilium-test-1] Test [client-egress-tls-sni] [75/119]
.........
[=] [cilium-test-1] Test [client-egress-tls-sni-denied] [76/119]
.........
[=] [cilium-test-1] Test [client-egress-tls-sni-wildcard] [77/119]
.........
[=] [cilium-test-1] Test [client-egress-tls-sni-wildcard-denied] [78/119]
...
[=] [cilium-test-1] Test [client-egress-tls-sni-double-wildcard] [79/119]
.........
[=] [cilium-test-1] Test [client-egress-tls-sni-double-wildcard-denied] [80/119]
...
✅ [cilium-test-1] All 6 tests (42 actions) successful, 113 tests skipped, 0 scenarios skipped.
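The prefix-wildcard rules the description refers to, as an added example written for this page and not Cilium's own validation code: `ValidateServerName` accepts a hostname or a run of leading `*` labels, and `MatchesServerName` treats each `*` as exactly one SNI label. The function names, the one-label-per-wildcard semantics and the DNS label syntax are this example's assumptions, not taken from cilium/proxy#1242.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// labelRe accepts one literal DNS label: letters, digits, inner hyphens, at most 63 characters.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// labels lower-cases a server name, drops a trailing dot and splits it into labels.
func labels(name string) []string {
	return strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
}

// ValidateServerName accepts a hostname or a prefix-wildcard pattern such as "*.example.com" or
// "*.*.example.com": every "*" must be a whole, leading label, so "*w.example.com" and "www.*.com" fail.
func ValidateServerName(name string) error {
	ls, n := labels(name), 0 // n counts the leading wildcard labels
	for n < len(ls) && ls[n] == "*" {
		n++
	}
	if n == len(ls) {
		return fmt.Errorf("%q: at least one literal label is required", name)
	}
	for _, l := range ls[n:] {
		if strings.Contains(l, "*") {
			return fmt.Errorf("%q: wildcard %q must be a whole leading label", name, l)
		}
		if !labelRe.MatchString(l) {
			return fmt.Errorf("%q: invalid DNS label %q", name, l)
		}
	}
	return nil
}

// MatchesServerName: label counts must agree and each "*" consumes exactly one SNI label (assumed here).
func MatchesServerName(pattern, sni string) bool {
	p, s := labels(pattern), labels(sni)
	if len(p) != len(s) {
		return false
	}
	for i := range p {
		if p[i] != "*" && p[i] != s[i] {
			return false
		}
	}
	return true
}
```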

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 31, 2025
@github-actions github-actions bot added the sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. label Mar 31, 2025
@sayboras sayboras added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Mar 31, 2025
@github-actions github-actions bot added the cilium-cli This PR contains changes related with cilium-cli label Mar 31, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Mar 31, 2025
@sayboras sayboras force-pushed the pr/tammach/sni-validation branch 3 times, most recently from 214931c to af14c52, March 31, 2025 03:16
@sayboras sayboras changed the title Pr/tammach/sni validation policy: Add validation and docs for TLS SNI ServerNames Mar 31, 2025
@sayboras sayboras force-pushed the pr/tammach/sni-validation branch from af14c52 to 9e233cc, March 31, 2025 03:36
@sayboras sayboras added dont-merge/preview-only Only for preview or testing, don't merge it. and removed dont-merge/preview-only Only for preview or testing, don't merge it. labels Mar 31, 2025
@sayboras (Member Author) commented:

/test

@jrajahalme (Member) left a comment:

Some early comments below

@sayboras sayboras force-pushed the pr/tammach/sni-validation branch from 9e233cc to 2ec12e0, April 2, 2025 23:38
@sayboras sayboras requested a review from jrajahalme April 2, 2025 23:39
@sayboras sayboras force-pushed the pr/tammach/sni-validation branch 4 times, most recently from 45d56ff to 8dacb44, April 3, 2025 13:16
@sayboras sayboras marked this pull request as ready for review April 3, 2025 13:27
@sayboras sayboras requested review from a team as code owners April 3, 2025 13:27
@sayboras (Member Author) commented Apr 3, 2025

/test

@sayboras sayboras requested a review from Copilot April 4, 2025 07:38
@Copilot Copilot AI left a comment:

Copilot reviewed 22 out of 22 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (1)

pkg/policy/api/zz_generated.deepcopy.go:856

  • Verify that the use of copy() is valid here, as both the source and destination slices must be of the same type. If conversion is required due to type differences between string and ServerName, consider iterating over the slice elements and converting each element explicitly.
copy(*out, *in)

@derailed (Contributor) left a comment:

@sayboras Nice work Tam!

@jrajahalme (Member) left a comment:

Should we support testing with **. prefix instead of *.*. prefix?

@sayboras sayboras force-pushed the pr/tammach/sni-validation branch from 8dacb44 to 913f0d6, April 9, 2025 04:59
@sayboras (Member Author) commented Apr 9, 2025

> Should we support testing with **. prefix instead of *.*. prefix?

Good catch, I have added more tests to cover multiple label match.

@sayboras sayboras force-pushed the pr/tammach/sni-validation branch from 913f0d6 to d1e0320, April 9, 2025 05:59
@jrajahalme (Member) commented:

/test

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Similarly to external target, this is to skip the warning log for
external other target.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras sayboras force-pushed the pr/tammach/sni-validation branch from d1e0320 to bf42eec, April 9, 2025 22:27
@sayboras sayboras enabled auto-merge April 9, 2025 22:27
@sayboras (Member Author) commented Apr 9, 2025

/test

@sayboras sayboras added this pull request to the merge queue Apr 10, 2025
Merged via the queue into main with commit f636909 Apr 10, 2025
292 checks passed
@sayboras sayboras deleted the pr/tammach/sni-validation branch April 10, 2025 02:14
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 10, 2025