Feature support connection info in route matching #8453
Conversation
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
There was a problem hiding this comment.
Some API comments to start things. Also, have you considered having a filter put this information in dynamic metadata and doing a more generic match on that in the route table? I'm not generally a fan of putting too much business logic for specific cases here unless it's widely interesting.
CC @PiotrSikora
@htuch My thought on this is consolidating with what RBAC has, we already have huge overlap with there and the properties from the TLS connection will be also interested there. This falls into the goal of consolidating all HttpMatcher in v4. |
|
@lizan yeah, RBAC unification makes sense. Is there an issue and/or roadmap somewhere to provide a north star? Is there anything actionable in this review on that front? |
source/common/router/config_impl.cc
Outdated
| if (criteria.presented()) { | ||
| const bool peerPresented = stream_info.downstreamSslConnection() && | ||
| stream_info.downstreamSslConnection()->expirationPeerCertificate(); | ||
| matches &= *criteria.presented() == peerPresented; |
There was a problem hiding this comment.
nits: I think has_value() and value() is preferred if it is optional<bool>
There was a problem hiding this comment.
modified to use has_value() & value()
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
include/envoy/router/router.h
Outdated
| @@ -502,6 +502,16 @@ class MetadataMatchCriteria { | |||
| mergeMatchCriteria(const ProtobufWkt::Struct& metadata_matches) const PURE; | |||
| }; | |||
|
|
|||
| class TlsContextMatchCriteria; | |||
| using TlsContextMatchCriteriaConstPtr = std::unique_ptr<const TlsContextMatchCriteria>; | |||
There was a problem hiding this comment.
Nit: move this after the class definition below, no need to forward declare for this simple class.
There was a problem hiding this comment.
I still see the forward declaration above..
There was a problem hiding this comment.
Sorry, thought it was referring to same comment as tls_context_match_criteria_impl.h below
Fixed now.
| @@ -53,7 +53,9 @@ class TestConfigImpl : public ConfigImpl { | |||
| bool validate_clusters_default) | |||
| : ConfigImpl(config, factory_context, validate_clusters_default), config_(config) {} | |||
|
|
|||
| RouteConstSharedPtr route(const Http::HeaderMap& headers, uint64_t random_value) const override { | |||
| RouteConstSharedPtr route(const Http::HeaderMap& headers, | |||
There was a problem hiding this comment.
I'm probably missing it, but could you point me to where the tests for the new behaviors are?
There was a problem hiding this comment.
I've just now pushed the unit-test for tls-context matching.
Signed-off-by: Michael Hargreaves <[email protected]>
…atching Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
| @@ -5780,6 +5787,95 @@ name: foo | |||
| } | |||
| } | |||
|
|
|||
| TEST_F(RouteMatcherTest, TlsContextMatching) { | |||
There was a problem hiding this comment.
Please add a brief comment above this test explaining what it does.
There was a problem hiding this comment.
I've added a comment - let me know if it needs more details. thanks
Signed-off-by: Michael Hargreaves <[email protected]>
Signed-off-by: Michael Hargreaves <[email protected]>
Description: Add the ability to route match based on client credentials.
This is an output of the changes requested for PR #8248 (#8248 (comment))
To more cleanly support #8248 , it would be better to be able to route based on downstream connection details, instead of hoisting more information into headers.
As an API example, route matching based on presented and/or expired client certificate is supported.
The end goal for #8248 is to route based on 'validated'.
By default the routing rules are unchanged.
Risk Level: Medium
Testing: Currently Manual tests
Docs Changes: API proto changes
Release Notes: N/A