New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial connection MDS implementation #802
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't envision connection manager being used in this way so we'll probably need to make more changes to ensure all outbound connections register and release correctly
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add desc of the usage
src/proxy/connection_manager.rs
Outdated
#[derive(Clone, Debug, Serialize)] | ||
pub struct ConnectionMetadata { | ||
#[serde(default)] | ||
identity: Option<Identity>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am confused about a connection's identity. Usually, we say the src identity or dest identity
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the implementation we've got it will be the source identity. I suppose keeping the type general would allow us to represent peer identity generically with the same type in the future though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I documented a bit more now
dd717d1
to
e54eb0b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is looking good. I have a few comments but nothing I suspect to be a show stopper for this direction.
src/proxy/connection_manager.rs
Outdated
#[derive(Clone, Debug, Serialize)] | ||
pub struct ConnectionMetadata { | ||
#[serde(default)] | ||
identity: Option<Identity>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the implementation we've got it will be the source identity. I suppose keeping the type general would allow us to represent peer identity generically with the same type in the future though.
src/proxy/metadata.rs
Outdated
serve_request(&ct, remote_addr, req).await.or_else(|e| { | ||
Ok(crate::hyper_util::plaintext_response( | ||
StatusCode::UNPROCESSABLE_ENTITY, | ||
e.to_string(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to be concerned about e
leaking something we shouldn't to the mds client?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think its ok? I documented that we expose errors which could help a bit
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can iterate if it becomes a problem later.
src/proxy/connection_manager.rs
Outdated
@@ -118,6 +133,19 @@ impl ConnectionManager { | |||
// potentially large copy under read lock, could require optomization | |||
self.drains.read().await.keys().cloned().collect() | |||
} | |||
|
|||
/// fetch looks up a tuple and returns the connection metadata | |||
// TODO: we should key on tuple so we can more efficiently lookup |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe another index instead of re-keying? I suppose we could see about keying on tuple and storing the full ProxyRbacContext
in the ConnectionDrain
struct. Otherwise we'll need to do work to re-construct the full context when we need to assert.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I would probably do the index if we do it
5f49bc1
to
c8c232c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@howardjohn: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Do we still want to merge this anytime soon? Sorry I missed it. |
IMO it's worth doing. also, I did not realize that my review would get retroactively upgraded... 😬 |
Also has an example Golang library implementation to add HTTP middleware that extracts the identity.
Istio tests: istio/istio#44536 (blocked by this PR, of course), which also show how to use it
Original PR in #504 got force deleted so cannot re-open