policy: Add GetAuthTypes() #26116
@@ -219,6 +219,12 @@ func (a *PerSelectorPolicy) Equal(b *PerSelectorPolicy) bool { | |
// AuthType enumerates the supported authentication types in api. | ||
type AuthType uint8 | ||
|
||
// AuthTypes is a set of AuthTypes, usually nil if empty | ||
type AuthTypes map[AuthType]struct{} | ||
|
||
// Authmap maps remote selectors to their needed AuthTypes, if any | ||
type AuthMap map[CachedSelector]AuthTypes | ||
|
||
const ( | ||
// AuthTypeDisabled means no authentication required | ||
AuthTypeDisabled AuthType = iota | ||
|
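Review bot: the doc comment on the new `AuthMap` type misspells the identifier as `Authmap` (`// Authmap maps remote selectors to their needed AuthTypes, if any`); Go doc comments are expected to begin with the exact exported name, so this should read `// AuthMap maps remote selectors to their needed AuthTypes, if any`. The `AuthTypes` comment would also help callers if it said that the `struct{}` value only signals membership and that a nil map and an empty map both mean no authentication is required.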
@@ -835,7 +841,7 @@ func (l4 *L4Filter) detach(selectorCache *SelectorCache) { | |
} | ||
|
||
// attach signifies that the L4Filter is ready and reacheable for updates | ||
// from SelectorCache. L4Filter is read-only after this is called, | ||
// from SelectorCache. L4Filter (and L4Policy) is read-only after this is called, | ||
// multiple goroutines will be reading the fields from that point on. | ||
func (l4 *L4Filter) attach(ctx PolicyContext, l4Policy *L4Policy) { | ||
// All rules have been added to the L4Filter at this point. | ||
|
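Review bot: since this comment is already being edited, fix the typo in the unchanged first line, `// attach signifies that the L4Filter is ready and reacheable for updates`, to `reachable`. The added `(and L4Policy)` is the important part of the change and deserves one more sentence: `attach` now writes `l4Policy.AuthMap`, so the comment should state that `attach` is the last writer to the L4Policy before it becomes shared read-only across goroutines, otherwise a reader has to work out why a method on L4Filter mutates the policy.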
@@ -846,9 +852,23 @@ func (l4 *L4Filter) attach(ctx PolicyContext, l4Policy *L4Policy) { | |
|
||
// Compute Envoy policies when a policy is ready to be used | ||
if ctx != nil { | ||
for _, l7policy := range l4.PerSelectorPolicies { | ||
if l7policy != nil && len(l7policy.L7Rules.HTTP) > 0 { | ||
l7policy.EnvoyHTTPRules, l7policy.CanShortCircuit = ctx.GetEnvoyHTTPRules(&l7policy.L7Rules) | ||
for cs, l7policy := range l4.PerSelectorPolicies { | ||
if l7policy != nil { | ||
if len(l7policy.L7Rules.HTTP) > 0 { | ||
l7policy.EnvoyHTTPRules, l7policy.CanShortCircuit = ctx.GetEnvoyHTTPRules(&l7policy.L7Rules) | ||
} | ||
|
||
if authType := l7policy.GetAuthType(); authType != AuthTypeDisabled { | ||
if l4Policy.AuthMap == nil { | ||
l4Policy.AuthMap = make(AuthMap, 1) | ||
} | ||
authTypes := l4Policy.AuthMap[cs] | ||
if authTypes == nil { | ||
authTypes = make(AuthTypes, 1) | ||
Comment on lines +863 to +867

nit: Why

Background I'm thinking here is that maybe we are trying to set the default map size in order to micro-optimize for memory allocation, but we end up shooting ourselves in the foot because we force reallocations if there's more than one authenticated peer for the endpoint? I guess overall you might argue that overall "number of unique peers an app connects to" amortizes towards one peer identity and hence selected by one rule 🤔. A cursory search around Go default map capacity seems to suggest one bucket, eight entries... do we think there's a strong reason to be particular about this aspect here?

I'm thinking worst case we could end up recalculating new selectorPolicy on a regular basis, and every time we first allocate a map that's too small, then allocate again to a size that fits the policy. Mildly wasteful. Anyway this is not a big deal, just seems like it may be premature optimization.
||
} | ||
authTypes[authType] = struct{}{} | ||
l4Policy.AuthMap[cs] = authTypes | ||
} | ||
} | ||
} | ||
} | ||
|
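Review bot: the AuthMap population is nested inside `if ctx != nil {`, which is the existing guard for computing Envoy HTTP rules, but nothing in the `GetAuthType()` block uses `ctx`. If a policy is ever attached with a nil context (the guard suggests that path exists), `l4Policy.AuthMap` stays nil and no peer is recorded as requiring authentication, even though the rule asked for it; either move the auth-type block out of the `ctx != nil` branch or document why a nil context implies no authentication is needed. On the size hints discussed in the thread above, `make(AuthMap, 1)` and `make(AuthTypes, 1)` buy nothing over `make(AuthMap)` / `make(AuthTypes)`; if a hint is wanted for the outer map, `len(l4.PerSelectorPolicies)` is the natural upper bound since there is at most one entry per selector in this loop.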
@@ -1097,6 +1117,8 @@ type L4Policy struct { | |
Ingress L4PolicyMap | ||
Egress L4PolicyMap | ||
|
||
AuthMap AuthMap | ||
|
||
// Revision is the repository revision used to generate this policy. | ||
Revision uint64 | ||
|
||
|
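Review bot: the new exported field `AuthMap AuthMap` on `L4Policy` has no doc comment, while the neighbouring `Revision` field documents itself; add one along the lines of `// AuthMap maps each remote CachedSelector to the set of AuthTypes its traffic must satisfy; nil when no rule requires authentication`. The comment should also say which direction the entries apply to: the struct keeps separate `Ingress` and `Egress` maps but only a single `AuthMap` keyed by selector, and `attach` is called per L4Filter, so a selector that appears in both an ingress and an egress filter will have its auth types merged into one entry.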
nit: `ID` can end up ambiguous, it'd be nice to give the reader one less thing to be confused about - stating clearly that the inputs are expected to be security identities. If by any weird course we end up plugging the wrong id numbers in, it could help point out the mistake.