Skip to content

http_connection_manager: support multiple SAN URIs for XFCC #20724

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
htuch merged 3 commits into from
Apr 12, 2022
Merged

http_connection_manager: support multiple SAN URIs for XFCC #20724

htuch merged 3 commits into from
Apr 12, 2022

Conversation

@jacob-delgado
Copy link
Contributor

@jacob-delgado jacob-delgado commented Apr 7, 2022

Commit Message:

...when using APPEND_FORWARD and SANITIZE set.

Currently XFCC only keeps the first URI in a certificate or a header presented
to it.

This works fine for most use cases, however, not everyone uses a single
URI (typically spiffe:// only).

Add every URI present to the 'By=' portion as well as the 'URI=' portion of an
XFCC header.

Additional Description:
Risk Level: Low
Testing: Unit and integration tests
Docs Changes: Yes. The appropriate http_connection_managers configuration section.
Release Notes: Yes
Fixes #20723

@jacob-delgado
Copy link
Contributor Author

jacob-delgado commented Apr 8, 2022

The core requirement we are asked is to support is URI=. However, as I was reviewing the code I stumbled on By= also just looking at the code. I'm not sure if this was intentional or not.

I can put this behind a feature toggle if needed to get this merged. I would also like for this to be as a feature toggle in Envoy 1.19-1.21 as well, if possible. Thoughts?

@jacob-delgado
Support multiple SAN URIs for XFCC
f14ed31 
...when using APPEND_FORWARD and SANITIZE set.

Currently XFCC only keeps the first URI in a certificate or a header presented
to it.

This works fine for most use cases, however, not everyone uses a single
URI (typically spiffe:// only).

Add every URI present to the 'By=' portion as well as the 'URI=' portion of an
XFCC header.

Signed-off-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info>
@jacob-delgado
Run code formatting
6fa8095 
Signed-off-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info>
@jacob-delgado
Fix docs
dadca33 
Signed-off-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info>
@jacob-delgado
Copy link
Contributor Author

jacob-delgado commented Apr 8, 2022

/retest

@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Apr 8, 2022

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #20724 (comment) was created by @jacob-delgado.

see: more, trace.

lizan
lizan approved these changes Apr 11, 2022
View reviewed changes
Copy link
Member

@lizan lizan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good and I don't feel strongly we need a toggle for main branch.

Though I don't think we should backport either even with a toggle but backports are up to stable maintainer @pradeepcrao

@zuercher
Copy link
Member

zuercher commented Apr 11, 2022

/assign-from @envoyproxy/senior-maintainers

@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Apr 11, 2022

@envoyproxy/senior-maintainers assignee is @htuch

🐱

Caused by: a #20724 (comment) was created by @zuercher.

see: more, trace.

htuch
htuch reviewed Apr 12, 2022
View reviewed changes
Copy link
Member

@htuch htuch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lizan is senior maintainers, so will merge.

@htuch htuch merged commit b67a3fc into envoyproxy:main Apr 12, 2022
vehre-x41 pushed a commit to vehre-x41/envoy that referenced this pull request Apr 19, 2022
@jacob-delgado @vehre-x41
http_connection_manager: support multiple SAN URIs for XFCC (envoypro…
1a21b50 
…xy#20724)

...when using APPEND_FORWARD and SANITIZE set.

Currently XFCC only keeps the first URI in a certificate or a header presented
to it.

This works fine for most use cases, however, not everyone uses a single
URI (typically spiffe:// only).

Add every URI present to the 'By=' portion as well as the 'URI=' portion of an
XFCC header.

Additional Description:
Risk Level: Low
Testing: Unit and integration tests
Docs Changes: Yes. The appropriate http_connection_managers configuration section.
Release Notes: Yes
Fixes envoyproxy#20723

Signed-off-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info>
Signed-off-by: Andre Vehreschild <vehre@x41-dsec.de>
@jacob-delgado jacob-delgado deleted the xfcc-multiple-uri branch May 19, 2022 16:13
ravenblackx pushed a commit to ravenblackx/envoy that referenced this pull request Jun 8, 2022
@jacob-delgado @ravenblackx
http_connection_manager: support multiple SAN URIs for XFCC (envoypro…
f606ec2 
…xy#20724)

...when using APPEND_FORWARD and SANITIZE set.

Currently XFCC only keeps the first URI in a certificate or a header presented
to it.

This works fine for most use cases, however, not everyone uses a single
URI (typically spiffe:// only).

Add every URI present to the 'By=' portion as well as the 'URI=' portion of an
XFCC header.

Additional Description:
Risk Level: Low
Testing: Unit and integration tests
Docs Changes: Yes. The appropriate http_connection_managers configuration section.
Release Notes: Yes
Fixes envoyproxy#20723

Signed-off-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@htuch htuch htuch left review comments

@lizan lizan lizan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@htuch htuch

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

XFCC in APPEND_FORWARD or SANITIZE_SET only uses the first URI present

4 participants

@jacob-delgado @zuercher @lizan @htuch