Set alpnOverride depending on TLS Mode #44918
Conversation
|
Skipping CI for Draft Pull Request. |
4bdbda5 to
6d0c539
Compare
|
/retest |
|
was there some istio/proxy change to enable this? |
|
should add the test in #42902 |
Updated PR description to reflect that istio/proxy changes are to follow |
|
I've included just a unit test for this change to verify that the filtermetada is set correctly. I will follow up with integration testing after the proxy changes. |
| @@ -294,6 +294,13 @@ func (cb *ClusterBuilder) applyDestinationRule(mc *MutableCluster, clusterMode C | |||
|
|
|||
| if destRule != nil { | |||
| mc.cluster.Metadata = util.AddConfigInfoMetadata(mc.cluster.Metadata, destRule.Meta) | |||
|
|
|||
| // ALPN header rewrite starts mTLS. Skip if TLS mode is SIMPLE. | |||
| trafficPolicy := destinationRule.GetTrafficPolicy() | |||
There was a problem hiding this comment.
I think we want to use opts.policy which is not the same as destinationRule. Actually I would do this inside of applyTrafficPolicy as well
There was a problem hiding this comment.
what is the difference between destinationRule.GetTrafficPolicy() and opts.policy?
There was a problem hiding this comment.
It is the result of MergeTrafficPolicy which does some merging logic
There was a problem hiding this comment.
for applyTrafficPolicy, would we want to modify the opts.mutable.cluster.Metadata. If so, then we need to modify the return type which could mean making changes wherever it is called in the case that opts is nil
There was a problem hiding this comment.
Why do we need to modify any return ttpes? Can't we just just set opts.mutable.cluster.metadata = util.AddALPNOverrideToMetadata(mc.cluster.Metadata, alpnOverride)?
| @@ -435,6 +435,30 @@ func AddSubsetToMetadata(md *core.Metadata, subset string) { | |||
| } | |||
| } | |||
|
|
|||
| // AddALPNOverrideToMetadata adds whether the the ALPN prefix should be added to the header | |||
| // to the given core.Metadata struct, if metadata is not initialized, build a new metadata. | |||
| func AddALPNOverrideToMetadata(metadata *core.Metadata, alpnOverride bool) *core.Metadata { | |||
There was a problem hiding this comment.
can we just only include the metadata if alpnOverride is true (or false, I am not sure which one means "do not set it")?
Its not free to add the metadata, actually surprisingly high cost
There was a problem hiding this comment.
Added return metadata if alpnOverride is true
There was a problem hiding this comment.
added logic to configureALPNOverride
|
MUTUAL aspect is a TLS message: ClientCertificateType
https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.4
It should not be tied to ALPN
…On Mon, Jun 5, 2023 at 10:13 AM Keith Mattix II ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In pilot/pkg/networking/core/v1alpha3/cluster_builder.go
<#44918 (comment)>:
> @@ -294,6 +294,13 @@ func (cb *ClusterBuilder) applyDestinationRule(mc *MutableCluster, clusterMode C
if destRule != nil {
mc.cluster.Metadata = util.AddConfigInfoMetadata(mc.cluster.Metadata, destRule.Meta)
+
+ // ALPN header rewrite starts mTLS. Skip if TLS mode is SIMPLE.
FWIW, the original design doc was scoped to SIMPLE. MUTUAL probably makes
sense semantically, but what's the existing mechanism for a tlsMode MUTUAL
to indicate that it expects a client cert (outside of ALPN)? My concern is
that it only works because we don't remove the alpn rewrite today
—
Reply to this email directly, view it on GitHub
<#44918 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXNDVSTGWIBPYCOVI7TXJYHVDANCNFSM6AAAAAAYCPFM44>
.
You are receiving this because your review was requested.Message ID:
***@***.***>
|
|
Hey @ksubrmnn, are you going to continue to work on this PR? I am interested in this change and I wonder if it will end up in master. |
|
@jewertow Yes I'm working on this PR. Had some delay with proxy changes, but you can find them at istio/proxy#4783 |
|
WIP tests will fail since still working on applyTrafficPolicy part |
| @@ -1432,3 +1441,14 @@ func (cb *ClusterBuilder) buildExternalSDSCluster(addr string) *cluster.Cluster | |||
| } | |||
| return c | |||
| } | |||
|
|
|||
| // configureALPNOverride determines whether alpn_override should be added to metadata | |||
| func configureALPNOverride(tlsMode networking.ClientTLSSettings_TLSmode, md *core.Metadata) *core.Metadata { | |||
There was a problem hiding this comment.
I think you added a comment somewhere on the issue, but do you even need to return anything here since you're passing a pointer to md? In fact AddALPNOverrideToMetadata probably doesn't need a return value either if you're manipulating a pointer value
There was a problem hiding this comment.
Yes you do because if the metadata is nil, we want to return a new metadata with the headers. That's the only reason. Empty metadata can be modified and set, but not nil.
There was a problem hiding this comment.
Then why pass a pointer in the first place?
There was a problem hiding this comment.
That's how it's stored in the mutable cluster.
|
@howardjohn I've removed the changes to apply traffic policy. The PR was getting to be a bit large and unwieldy for me. I prefer to add those changes in a followup |
Signed-off-by: Kalya Subramanian <kasubra@microsoft.com>
Signed-off-by: Kalya Subramanian <kasubra@microsoft.com>
* Set alpnOverride Signed-off-by: Kalya Subramanian <kasubra@microsoft.com> * remove test logs Signed-off-by: Kalya Subramanian <kasubra@microsoft.com> --------- Signed-off-by: Kalya Subramanian <kasubra@microsoft.com>
…e"` for SIMPLE and MUTUAL TLS (istio#833) * Set alpnOverride depending on TLS Mode (istio#44918) * Set alpnOverride Signed-off-by: Kalya Subramanian <kasubra@microsoft.com> * remove test logs Signed-off-by: Kalya Subramanian <kasubra@microsoft.com> --------- Signed-off-by: Kalya Subramanian <kasubra@microsoft.com> * pilot: set `istio.alpn_override: false` in subset clusters (istio#46496) (istio#46529) * Add tests for destination rules with port level settings * Add test cases for subsets * Refactor AddALPNOverrideToMetadata * Update comment for AddALPNOverrideToMetadata * Fix lint error * Add release note * Fix release note --------- Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> --------- Signed-off-by: Kalya Subramanian <kasubra@microsoft.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Kalya Subramanian <42158129+ksubrmnn@users.noreply.github.com>
Please provide a description of this PR:
By setting tls.mode SIMPLE, the user is signaling that they want to opt out of mTLS, Istio managed or otherwise. Since ALPN rewrite exists solely for the purpose of starting Istio mTLS, it violates the user’s intent to perform said rewrite.
This PR checks if the TLS mode is simple and then adds a field to the filter metadata to indicate whether the proxy should proceed with the alpn header rewrite.
Partially fixes #40680
Istio/proxy change: istio/proxy#4783