Skip filter chain created by permissive mtls #20406
Conversation
We should update the permissive mode docs to list which functionality is not supported with permissive mode (e.g., rate limiting, all the Envoy extensions that can be invoked directly). That can happen in a separate PR if needed.
81ee5b8 to e9a628e
@@ -296,6 +296,27 @@ func (b *BasicEnvoyExtender) patchSupportedListenerFilterChains(config *RuntimeC | |||
func (b *BasicEnvoyExtender) patchListenerFilterChains(config *RuntimeConfig, l *envoy_listener_v3.Listener, nameOrSNI string) (*envoy_listener_v3.Listener, error) { | |||
var resultErr error | |||
|
|||
// Special case for Permissive mTLS, which adds a filter chain |
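Review bot: the comment opening this special case should state how the permissive mTLS filter chain is recognised and what the failure policy is, since the hunk adds 21 lines to patchListenerFilterChains behind a one-line comment and `resultErr` is the only visible signal of the outcome. Spell out that the chain cannot be identified by a sentinel name (v2 proxystate Routers carry no names, per the discussion) and that a failure to patch it is tolerated only when another chain was patched successfully; otherwise a future reader cannot distinguish a deliberate skip from a swallowed error. Consider also emitting a debug-level log when a chain is skipped, so operators can see that the extension was not applied to the permissive chain.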
I tried working with a sentinel name for the filter chain but ran into issues with v2 resource tests since v2 proxystate Routers don't have names.
Instead I added this special case code block to suppress errors as long as one filter chain gets patched successfully.
e9a628e to d002f4d
d002f4d to 4e54636
Backport failed @kisunji. Run: https://github.com/hashicorp/consul/actions/runs/7732725160
@kisunji, a backport is missing for this PR [20406] for versions [1.16,1.17] please perform the backport manually and add the following snippet to your backport PR description:
(cherry picked from commit b6f10bc)
Backports:
1.17.x
1.16.x
Description
Customers transitioning to service mesh using mTLS permissive mode and transparent proxy have run into an issue when using some envoy extensions like local rate-limiter, because permissive mode adds a new filter chain to the public_listener: https://github.com/hashicorp/consul/blob/v1.17.2/agent/xds/listeners.go#L1436-L1445. Most of our envoy extensions assume one filter chain containing an HTTPConnectionManager, but that assumption is broken in permissive mode.
We have yet to decide on how the permissive filter chain should interact with envoy extensions but until then, it is safer to explicitly skip it (meaning envoy extensions will not apply to insecure traffic to services) so that xDS does not error upon being unable to find an HTTPConnectionManager.
Testing & Reproduction steps
Manual testing was done on enterprise:
After this patch, the errors were suppressed and the ratelimit filter applied correctly to the non-permissive filter chain.
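The failure mode and the skip policy described above, as an added illustration in Go that is not Consul's xDS code: a simplified listener model where the permissive chain is assumed to carry only a TCP proxy (no HTTPConnectionManager), the extension's HTTP filter name is hypothetical, and patchListener shows the pre-fix behaviour beside the fix.

```go
package main

import "fmt"

// Simplified model of an Envoy listener (added illustration, not Consul's xDS code):
// only a chain with an HTTP connection manager (HCM) can host an HTTP-level extension.
const httpConnectionManager = "envoy.filters.network.http_connection_manager"

type FilterChain struct{ Filters []string }
type Listener struct{ Name string; FilterChains []*FilterChain }

// permissiveListener is a constructed sample: the usual HTTP chain plus the extra
// chain permissive mTLS adds, assumed here to carry only a TCP proxy and no HCM.
func permissiveListener() *Listener {
	return &Listener{Name: "public_listener", FilterChains: []*FilterChain{
		{Filters: []string{httpConnectionManager}},
		{Filters: []string{"envoy.filters.network.tcp_proxy"}},
	}}
}

// patchChain appends the extension's HTTP filter (a hypothetical name) to a chain with an HCM.
func patchChain(fc *FilterChain, httpFilter string) error {
	for _, f := range fc.Filters {
		if f == httpConnectionManager {
			fc.Filters = append(fc.Filters, httpFilter)
			return nil
		}
	}
	return fmt.Errorf("no %s in filter chain", httpConnectionManager)
}

// patchListener applies the extension to every chain it can. With skipUnsupported false
// (pre-fix) the first chain lacking an HCM fails the whole listener; with it true (the fix)
// such chains are skipped and an error is returned only if no chain at all could be patched.
func patchListener(l *Listener, httpFilter string, skipUnsupported bool) (int, error) {
	patched, lastErr := 0, error(nil)
	for i, fc := range l.FilterChains {
		if err := patchChain(fc, httpFilter); err == nil {
			patched++
		} else if !skipUnsupported {
			return patched, fmt.Errorf("listener %s, chain %d: %w", l.Name, i, err)
		} else {
			lastErr = err
		}
	}
	if patched == 0 && lastErr != nil {
		return 0, fmt.Errorf("listener %s: %w", l.Name, lastErr)
	}
	return patched, nil
}
```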