ingress/model: Support multiple certs based on SNI #22671
b1a934e to d2fdc72
We're now running this commit ( Thanks @sayboras !
Thanks a lot for your issue, as well as the effort in testing the change. This got overlooked as part of another work item in #19698.
/test
I got assigned to review this on behalf of @cilium/operator. The change itself (and the package it touches) looks servicemesh-specific, so I've sent #22683 such that these kinds of changes get reviewed by @cilium/sig-servicemesh in the future as well.
d2fdc72 to 945ebc3
/test
Left a comment inline regarding the unit test.
Apart from that, LGTM 🚀
```go
sort.Slice(downStreamTLS.CommonTlsContext.TlsCertificateSdsSecretConfigs, func(i, j int) bool {
	return downStreamTLS.CommonTlsContext.TlsCertificateSdsSecretConfigs[i].Name < downStreamTLS.CommonTlsContext.TlsCertificateSdsSecretConfigs[j].Name
})
```
Since we have just one config at a time, we can avoid the sorting here and at line 63.
Good point, let me clean this up in a subsequent PR, just to avoid re-running all tests.
As per the [cert-selection] docs, only the first certificate listed is used, which causes the bug in which the wrong certs are used in either Ingress or Gateway API. This commit adds serverNames, whose values are the same as the host name, to the TLS filter chain.

[cert-selection]: https://github.com/envoyproxy/envoy/blob/main/docs/root/intro/arch_overview/security/ssl.rst#certificate-selection

Relates: cilium#22668
Reported-by: Nikhil Jha <hi@nikhiljha.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
945ebc3 to 210dd34
/test
Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed.
If it is a flake and a GitHub issue doesn't already exist to track it, comment
Codeowners for this PR seem to include @cilium/operator, but the code itself doesn't look very relevant to that code owner. Perhaps we could drop that codeowner from these files. For this particular PR, I'm OK to accept the change with just servicemesh review (which was already provided by Fabio above, thanks!)
/test-1.24-5.4
/test-1.26-net-next
/test-runtime
Per Slack, the previous failures were:
Tam, if you re-run tests, please provide an explanation like the above that demonstrates why the PR is not at cause for the failures. We have had too many cases recently where we've merged PRs that have blatant issues in them, because PR authors have not triaged the issues and we've ignored the CI in order to merge the PRs.
I've taken a stab at one step forward on #15455, at least some further investigation. It looks like #22750 has recent activity pushing the issue forwards, so I'm not as worried about that one. I'm not sure where to look to improve the reliability of the "provisioning error" cases, but if it comes up more frequently then we should spend some time looking deeper into it. Given that this is a bugfix and a release-blocker, I'll merge this now.
Description
As per the cert-selection docs, only the first certificate listed is used, which causes the bug in which the wrong certs are used in either Ingress or Gateway API.
This commit adds serverNames, whose values are the same as the host name, to the TLS filter chain.
Fixes: #22668
Reported-by: Nikhil Jha hi@nikhiljha.com
Signed-off-by: Tam Mach tam.mach@cilium.io
Testing
Testing was done before and after the changes with the manifest below.
Before
After
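To show why the serverNames matter, here is an added Go example (not Cilium's or Envoy's own code) that models Envoy's SNI-based filter chain selection from the cert-selection docs linked above: exact server name first, then wildcards, then a chain with no server_names. The `FilterChain` type and `selectChain` function are hypothetical, the chains are constructed, and the label-by-label wildcard lookup is an assumption about Envoy's matching.

```go
package main

import (
	"fmt"
	"strings"
)

// FilterChain is the part of an Envoy filter chain that matters for SNI-based
// certificate selection: its server_names criteria and the TLS secret it serves.
type FilterChain struct {
	ServerNames []string // empty: no SNI criterion, i.e. a catch-all chain
	Secret      string
}
// selectChain returns the secret Envoy would serve for a client SNI, in Envoy's
// documented order: exact server name, then wildcards such as *.example.com
// (dropping one leading label at a time, assumed), then a chain without server_names.
func selectChain(chains []FilterChain, sni string) string {
	sni = strings.ToLower(sni)
	byName, catchAll := map[string]string{}, ""
	for _, c := range chains {
		if len(c.ServerNames) == 0 && catchAll == "" {
			catchAll = c.Secret // first catch-all listed wins, as before the fix
		}
		for _, n := range c.ServerNames {
			byName[strings.ToLower(n)] = c.Secret
		}
	}
	if s, ok := byName[sni]; ok {
		return s
	}
	labels := strings.Split(sni, ".")
	for i := 1; i < len(labels); i++ {
		if s, ok := byName["*."+strings.Join(labels[i:], ".")]; ok {
			return s
		}
	}
	return catchAll // "" when no chain matches
}

func main() {
	// Constructed input: without server_names every host got the first cert (the bug).
	before := []FilterChain{{Secret: "tls-a"}, {Secret: "tls-b"}}
	after := []FilterChain{
		{ServerNames: []string{"a.example.com"}, Secret: "tls-a"},
		{ServerNames: []string{"b.example.com"}, Secret: "tls-b"},
	}
	for _, sni := range []string{"a.example.com", "b.example.com"} {
		fmt.Printf("%s: before=%s after=%s\n", sni, selectChain(before, sni), selectChain(after, sni))
	}
}
```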