Initial connection MDS implementation #802
Conversation
howardjohn
added
the
release-notes-none
istio-testing
added
the
size/L
istio-testing
added
the
do-not-merge/work-in-progress
src/proxy/connection_manager.rs
Outdated
| #[derive(Clone, Debug, Serialize)] | ||
| pub struct ConnectionMetadata { | ||
| #[serde(default)] | ||
| identity: Option<Identity>, |
There was a problem hiding this comment.
I am confused about a connection's identity. Usually, we say the src identity or dest identity
There was a problem hiding this comment.
In the implementation we've got it will be the source identity. I suppose keeping the type general would allow us to represent peer identity generically with the same type in the future though.
There was a problem hiding this comment.
I documented a bit more now
istio-testing
added
the
needs-rebase
howardjohn
force-pushed
the
mds/initial
branch
from
dd717d1
to
e54eb0b
Compare
istio-testing
removed
the
needs-rebase
istio-testing
removed
the
do-not-merge/work-in-progress
src/proxy/connection_manager.rs
Outdated
| #[derive(Clone, Debug, Serialize)] | ||
| pub struct ConnectionMetadata { | ||
| #[serde(default)] | ||
| identity: Option<Identity>, |
There was a problem hiding this comment.
In the implementation we've got it will be the source identity. I suppose keeping the type general would allow us to represent peer identity generically with the same type in the future though.
src/proxy/metadata.rs
Outdated
| serve_request(&ct, remote_addr, req).await.or_else(|e| { | ||
| Ok(crate::hyper_util::plaintext_response( | ||
| StatusCode::UNPROCESSABLE_ENTITY, | ||
| e.to_string(), |
There was a problem hiding this comment.
Do we need to be concerned about e leaking something we shouldn't to the mds client?
There was a problem hiding this comment.
I think its ok? I documented that we expose errors which could help a bit
There was a problem hiding this comment.
We can iterate if it becomes a problem later.
src/proxy/connection_manager.rs
Outdated
| @@ -118,6 +133,19 @@ impl ConnectionManager { | |||
| // potentially large copy under read lock, could require optomization | |||
| self.drains.read().await.keys().cloned().collect() | |||
| } | |||
|
|
|||
| /// fetch looks up a tuple and returns the connection metadata | |||
| // TODO: we should key on tuple so we can more efficiently lookup | |||
There was a problem hiding this comment.
Maybe another index instead of re-keying? I suppose we could see about keying on tuple and storing the full ProxyRbacContext in the ConnectionDrain struct. Otherwise we'll need to do work to re-construct the full context when we need to assert.
There was a problem hiding this comment.
Yeah I would probably do the index if we do it
istio-testing
added
needs-rebase
howardjohn
force-pushed
the
mds/initial
branch
from
5f49bc1
to
c8c232c
Compare
istio-testing
removed
the
needs-rebase
istio-testing
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@howardjohn: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Do we still want to merge this anytime soon? Sorry I missed it. |
|
IMO it's worth doing. also, I did not realize that my review would get retroactively upgraded... 😬 |
Also has an example Golang library implementation to add HTTP middleware that extracts the identity.
Istio tests: istio/istio#44536 (blocked by this PR, of course), which also show how to use it
Original PR in #504 got force deleted so cannot re-open