feat(*) expand Mesh resource to control passthrough #1058
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
October 8, 2020 18:08
Signed-off-by: Nikolay Nikolaev <[email protected]>
Signed-off-by: Nikolay Nikolaev <[email protected]>
|
Should it be “true” by default instead? |
|
This definitely should be true by default. Otherwise we will be breaking current deployments when we deploy Kuma |
jakubdyszkiewicz
requested changes
Oct 8, 2020
added 2 commits
October 8, 2020 19:58
Signed-off-by: Nikolay Nikolaev <[email protected]>
added 2 commits
October 9, 2020 19:04
Signed-off-by: Nikolay Nikolaev <[email protected]>
Signed-off-by: Nikolay Nikolaev <[email protected]>
nickolaev
force-pushed
the
feat/disable_passthrough
branch
from
d639809 to
b597704
Compare
api/mesh/v1alpha1/mesh_helpers.go
Outdated
| package v1alpha1 | ||
|
|
||
| func (m *Mesh) IsPassthrough() bool { | ||
| if m.GetNetworking() == nil || m.GetNetworking().GetOutbound() == nil || m.GetNetworking().GetOutbound().GetPassthrough() == nil { |
There was a problem hiding this comment.
nit: you can do just m.GetNetworking().GetOutbound().GetPassthrough() == nil, check implementation of those getters, they handle nulls
| _, stderr, err := cluster.ExecWithRetries(TestNamespace, clientPod.GetName(), "demo-client", | ||
| "curl", "-v", "-m", "3", "--fail", "http://externalservice-http-server.externalservice-namespace") | ||
| Expect(err).ToNot(HaveOccurred()) | ||
| Expect(stderr).To(ContainSubstring("HTTP/1.1 200 OK")) |
There was a problem hiding this comment.
give some description of steps in this test please, example:
// given Mesh with passthrough false communication is not established
_, err := retry.DoWithRetryE
Expect(err).To(HaveOccurred())
// when applied Mesh with passthrough true
err = YamlK8s(fmt.Sprintf(meshDefaulMtlsOn, "true"))(cluster)
// then communication outside of the Mesh works
_, stderr, err := cluster.ExecWithRetries
Expect(err).ToNot(HaveOccurred())
Expect(stderr).To(ContainSubstring("HTTP/1.1 200 OK"))
| }) | ||
| Expect(err).To(HaveOccurred()) | ||
|
|
||
| err = YamlK8s(fmt.Sprintf(meshDefaulMtlsOn, "true"))(cluster) |
There was a problem hiding this comment.
Just a note for whoever will take care of E2E tests eventually. We need proper builders for our entities. Something like this:
MeshBuilder().WithPassThrough(false).WithMTLS().KubeYAML()
Copy-pasting those YAMLs with parameters over many test is not the best idea IMHO.
added 2 commits
October 12, 2020 16:12
Signed-off-by: Nikolay Nikolaev <[email protected]>
nickolaev
force-pushed
the
feat/disable_passthrough
branch
from
240d8ff to
12985ef
Compare
added 2 commits
October 12, 2020 19:49
Signed-off-by: Nikolay Nikolaev <[email protected]>
jakubdyszkiewicz
approved these changes
Oct 13, 2020
api/mesh/v1alpha1/mesh.proto
Outdated
| google.protobuf.BoolValue passthrough = 1; | ||
| } | ||
|
|
||
| // Outbounf settings |
There was a problem hiding this comment.
Outbounf -> Outbound
api/mesh/v1alpha1/mesh.proto
Outdated
| @@ -70,6 +73,19 @@ message CertificateAuthorityBackend { | |||
| google.protobuf.Struct conf = 4; | |||
| } | |||
|
|
|||
| // Networking defines he networking configuration of the mesh | |||
| err = YamlK8s(fmt.Sprintf(meshDefaulMtlsOn, "false"))(cluster) | ||
| Expect(err).ToNot(HaveOccurred()) | ||
|
|
||
| // then accessing the external service is no logne possible |
added 2 commits
October 13, 2020 16:09
Signed-off-by: Nikolay Nikolaev <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Expanding the Mesh resource with pass-through control capabilities.
The setting defaults to
trueand needs to be explicitly set tofalseto disallow access to non-mesh resources.Documentation