wasm abi: tls certificate information retrieval #476
Signed-off-by: shikugawa <Shikugawa@gmail.com>
@Shikugawa thanks for the PR, but could you send a PR with the ABI changes to https://github.com/proxy-wasm/spec, or just create an issue there to discuss this feature? Ultimately, I don't think that we need to have a separate function for each buffer/map, and this could be exposed either as a raw certificate via cc @jplevyak
Why do we need this if we can use
@kyessenov If we use this, we must build
@Shikugawa I don't follow. getValue lets you add more getters without bloating the API and we already added a bunch for TLS info for telemetry. There's no extra dependencies on rbac filter, it just uses the underlying code to match the property names.
@kyessenov Thanks. I'll try it with this. But, this functionality may be required in the future. So I think that continuing a discussion with this is useful.
Sure, please take a look and we can decide how to grow the set of the attributes. I just don't want two different ways to get the same things.
@kyessenov I tried it with
@Shikugawa See
@@ -80,9 +80,10 @@ Word set_effective_context(void* raw_context, Word context_id); | |||
Word done(void* raw_context); | |||
Word call_foreign_function(void* raw_context, Word function_name, Word function_name_size, | |||
Word arguments, Word warguments_size, Word results, Word results_size); | |||
Word get_peer_certificate_info(void* raw_context, Word value_ptr_ptr, Word value_size_ptr); |
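Review bot: The declaration of get_peer_certificate_info at the end of this hunk has no comment stating its contract, and for a call that the description says will feed an AuthN filter that contract matters. Please document next to the declaration what is written through value_ptr_ptr and value_size_ptr (the encoding of the certificate information, and whether the buffer lives in VM memory that the module must free), what the returned Word means, and what the caller sees when the connection is not TLS or the peer presented no certificate, so that a module cannot mistake an empty result for an authenticated peer. The description also mentions local certificate information, but only a peer getter is visible here; either add the local counterpart in the same place or note that it is out of scope.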
Instead of adding this as a core ABI, let's add it to getProperties.
Signed-off-by: shikugawa Shikugawa@gmail.com
For an explanation of how to fill out the fields, please see the relevant section
in PULL_REQUESTS.md
Description: This is only a proposal implementation. I added instructions to retrieve local/peer certificate information. It is required for retrieval in the AuthN filter wasm implementation. If there is no implementation to retrieve cert info via the wasm VM, we should link upstream Envoy connection info. This may add complexity to the dependencies of the AuthN wasm implementation.
istio/istio#15772
Risk Level: Low
Testing: N/A
Docs Changes: Required
Release Notes:
[Optional Fixes #Issue]
[Optional Deprecated:]