From 458afedf0f3d88c9df090b73400159d9e4bab1ea Mon Sep 17 00:00:00 2001
From: Andra Cismaru
Date: Tue, 5 Mar 2019 14:08:21 -0800
Subject: [PATCH 1/7] Hosts are not ignored in ServiceEntry for HTTPs
---
 networking/v1alpha3/service_entry.proto | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 8db08dff8f4..42fe9a1b76a 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -339,18 +339,21 @@ option go_package = "istio.io/api/networking/v1alpha3";
 message ServiceEntry {
 // REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
- // name with wildcard prefix (external services only). DNS names in hosts
- // will be ignored if the application accesses the service over non-HTTP
- // protocols such as mongo/opaque TCP/HTTPS. In such scenarios, the
+ // name with wildcard prefix (external services only). The destination will be
+ // identified based on the HTTP Host/Authority header for HTTP
+ // and Server Name Indication (SNI) for HTTPs. DNS names in hosts
+ // will be ignored if the application accesses the service over non-HTTP(s)
+ // protocols such as mongo/opaque TCP. In such scenarios, the
 // IP addresses specified in the Addresses field or the port will be used
 // to uniquely identify the destination.
 repeated string hosts = 1;
 // The virtual IP addresses associated with the service. Could be CIDR
- // prefix. For HTTP services, the addresses field will be ignored and
+ // prefix. For HTTP/HTTPs services, the addresses field will be ignored and
 // the destination will be identified based on the HTTP Host/Authority
- // header. For non-HTTP protocols such as mongo/opaque TCP/HTTPS,
- // the hosts will be ignored. If one or more IP addresses are specified,
+ // header and Server Name Indication (SNI). For non-HTTP protocols
+ // such as mongo/opaque TCP, the hosts will be ignored.
+ // If one or more IP addresses are specified,
 // the incoming traffic will be identified as belonging to this service
 // if the destination IP matches the IP/CIDRs specified in the addresses
 // field. If the Addresses field is empty, traffic will be identified
From cbf1c02b6c94acace1419ab95c3c11e585086fec Mon Sep 17 00:00:00 2001
From: Andra Cismaru
Date: Tue, 5 Mar 2019 14:13:01 -0800
Subject: [PATCH 2/7] Clarify
---
 networking/v1alpha3/service_entry.proto | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 42fe9a1b76a..62d83e95018 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -351,8 +351,8 @@ message ServiceEntry {
 // The virtual IP addresses associated with the service. Could be CIDR
 // prefix. For HTTP/HTTPs services, the addresses field will be ignored and
 // the destination will be identified based on the HTTP Host/Authority
- // header and Server Name Indication (SNI). For non-HTTP protocols
- // such as mongo/opaque TCP, the hosts will be ignored.
+ // header for HTTP and Server Name Indication (SNI) for HTTPs.
+ // For non-HTTP protocols such as mongo/opaque TCP, the hosts will be ignored.
 // If one or more IP addresses are specified,
 // the incoming traffic will be identified as belonging to this service
 // if the destination IP matches the IP/CIDRs specified in the addresses
From 82632f4ce938d43926938e1d558a84b8155e9728 Mon Sep 17 00:00:00 2001
From: Andra Cismaru
Date: Thu, 7 Mar 2019 15:01:33 -0800
Subject: [PATCH 3/7] Reword
---
 networking/v1alpha3/service_entry.proto | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 62d83e95018..25220caa6eb 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -339,20 +339,21 @@ option go_package = "istio.io/api/networking/v1alpha3";
 message ServiceEntry {
 // REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
- // name with wildcard prefix (external services only). The destination will be
- // identified based on the HTTP Host/Authority header for HTTP
- // and Server Name Indication (SNI) for HTTPs. DNS names in hosts
- // will be ignored if the application accesses the service over non-HTTP(s)
- // protocols such as mongo/opaque TCP. In such scenarios, the
- // IP addresses specified in the Addresses field or the port will be used
- // to uniquely identify the destination.
+ // name with wildcard prefix (external services only). For HTTP traffic
+ // the HTTP Host/Authority header will be matched against the hosts field.
+ // For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
+ // will be matched against the hosts field. For non-HTTP(s) protocols
+ // such as TCP/mongo the hosts will be ignored.
+ // In such scenarios, the IP addresses specified in
+ // the Addresses field or the port will be used to uniquely identify the destination.
 repeated string hosts = 1;
 // The virtual IP addresses associated with the service. Could be CIDR
- // prefix. For HTTP/HTTPs services, the addresses field will be ignored and
+ // prefix. For HTTP(s) and TLS services, the addresses field will be ignored and
 // the destination will be identified based on the HTTP Host/Authority
- // header for HTTP and Server Name Indication (SNI) for HTTPs.
- // For non-HTTP protocols such as mongo/opaque TCP, the hosts will be ignored.
+ // header or the Server Name Indication (SNI).
+ // For non-HTTP(s) protocols
+ // such as TCP/mongo the hosts will be ignored.
 // If one or more IP addresses are specified,
 // the incoming traffic will be identified as belonging to this service
 // if the destination IP matches the IP/CIDRs specified in the addresses
From b50f39e5e4bbaca9353bd8ed78038d0ebeb0cb64 Mon Sep 17 00:00:00 2001
From: Andra Cismaru
Date: Thu, 7 Mar 2019 19:16:03 -0800
Subject: [PATCH 4/7] Generate protos
---
 networking/v1alpha3/service_entry.pb.go | 20 ++++++++++++--------
 networking/v1alpha3/service_entry.pb.html | 20 ++++++++++++--------
 2 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index 97d37b99a75..ce4736a52de 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -426,17 +426,21 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) {
 type ServiceEntry struct {
 // REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
- // name with wildcard prefix (external services only). DNS names in hosts
- // will be ignored if the application accesses the service over non-HTTP
- // protocols such as mongo/opaque TCP/HTTPS. In such scenarios, the
- // IP addresses specified in the Addresses field or the port will be used
- // to uniquely identify the destination.
+ // name with wildcard prefix (external services only). For HTTP traffic
+ // the HTTP Host/Authority header will be matched against the hosts field.
+ // For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
+ // will be matched against the hosts field. For non-HTTP(s) protocols
+ // such as TCP/mongo the hosts will be ignored.
+ // In such scenarios, the IP addresses specified in
+ // the Addresses field or the port will be used to uniquely identify the destination.
 Hosts []string `protobuf:"bytes,1,rep,name=hosts,proto3" json:"hosts,omitempty"`
 // The virtual IP addresses associated with the service. Could be CIDR
- // prefix. For HTTP services, the addresses field will be ignored and
+ // prefix. For HTTP(s) and TLS services, the addresses field will be ignored and
 // the destination will be identified based on the HTTP Host/Authority
- // header. For non-HTTP protocols such as mongo/opaque TCP/HTTPS,
- // the hosts will be ignored. If one or more IP addresses are specified,
+ // header or the Server Name Indication (SNI).
+ // For non-HTTP(s) protocols
+ // such as TCP/mongo the hosts will be ignored.
+ // If one or more IP addresses are specified,
 // the incoming traffic will be identified as belonging to this service
 // if the destination IP matches the IP/CIDRs specified in the addresses
 // field. If the Addresses field is empty, traffic will be identified
diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html
index 8aaf60b847f..261b335356f 100644
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@@ -323,11 +323,13 @@

ServiceEntry

string[]

REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
-name with wildcard prefix (external services only). DNS names in hosts
-will be ignored if the application accesses the service over non-HTTP
-protocols such as mongo/opaque TCP/HTTPS. In such scenarios, the
-IP addresses specified in the Addresses field or the port will be used
-to uniquely identify the destination.

+name with wildcard prefix (external services only). For HTTP traffic
+the HTTP Host/Authority header will be matched against the hosts field.
+For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
+will be matched against the hosts field. For non-HTTP(s) protocols
+such as TCP/mongo the hosts will be ignored.
+In such scenarios, the IP addresses specified in
+the Addresses field or the port will be used to uniquely identify the destination.

@@ -336,10 +338,12 @@

ServiceEntry

string[]

The virtual IP addresses associated with the service. Could be CIDR
-prefix. For HTTP services, the addresses field will be ignored and
+prefix. For HTTP(s) and TLS services, the addresses field will be ignored and
the destination will be identified based on the HTTP Host/Authority
-header. For non-HTTP protocols such as mongo/opaque TCP/HTTPS,
-the hosts will be ignored. If one or more IP addresses are specified,
+header or the Server Name Indication (SNI).
+For non-HTTP(s) protocols
+such as TCP/mongo the hosts will be ignored.
+If one or more IP addresses are specified,
the incoming traffic will be identified as belonging to this service
if the destination IP matches the IP/CIDRs specified in the addresses
field. If the Addresses field is empty, traffic will be identified
From da82fd1cf3252fe9e494bab9c9c0b5cf933dccd6 Mon Sep 17 00:00:00 2001
From: Andra Cismaru
Date: Fri, 8 Mar 2019 13:33:49 -0800
Subject: [PATCH 5/7] Address code review comments
---
 networking/v1alpha3/service_entry.proto | 16 +++++++--------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 25220caa6eb..47cd0301498 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -342,19 +342,17 @@ message ServiceEntry {
 // name with wildcard prefix (external services only). For HTTP traffic
 // the HTTP Host/Authority header will be matched against the hosts field.
 // For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
- // will be matched against the hosts field. For non-HTTP(s) protocols
- // such as TCP/mongo the hosts will be ignored.
- // In such scenarios, the IP addresses specified in
- // the Addresses field or the port will be used to uniquely identify the destination.
+ // will be matched against the hosts field. For all other protocols
+ // the hosts will be ignored, and the port and addresses and ports fields
+ // will be used if present. Note that when resolution is set to type DNS
+ // and no endpoints are specified, the host field will be used as the DNS name
+ // of the endpoint to route traffic to.
 repeated string hosts = 1;
 // The virtual IP addresses associated with the service. Could be CIDR
- // prefix. For HTTP(s) and TLS services, the addresses field will be ignored and
+ // prefix. For HTTP traffic the addresses field will be ignored and
 // the destination will be identified based on the HTTP Host/Authority
- // header or the Server Name Indication (SNI).
- // For non-HTTP(s) protocols
- // such as TCP/mongo the hosts will be ignored.
- // If one or more IP addresses are specified,
+ // header. If one or more IP addresses are specified,
 // the incoming traffic will be identified as belonging to this service
 // if the destination IP matches the IP/CIDRs specified in the addresses
 // field. If the Addresses field is empty, traffic will be identified
From 4d8572d2881f5f8068ecc28369b04e13420c7a17 Mon Sep 17 00:00:00 2001
From: Andra Cismaru
Date: Fri, 8 Mar 2019 13:35:43 -0800
Subject: [PATCH 6/7] Fix typo
---
 networking/v1alpha3/service_entry.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
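Review bot: After this hunk the two field comments disagree about TLS: the `hosts` comment says HTTPS/TLS traffic is matched on SNI and that `addresses` is consulted only for "all other protocols", while the `addresses` comment now says the field is ignored only "For HTTP traffic", so a reader cannot tell whether a TLS destination is selected by SNI, by destination IP, or by either. If `addresses` is indeed ignored for SNI-bearing TLS, the second comment should say so, e.g. `// prefix. For HTTP traffic and for TLS traffic carrying SNI, the addresses field will be ignored and`; if TLS does consult `addresses`, the `hosts` comment is the one to amend — which is intended cannot be told from the hunk. The added sentence "the host field will be used as the DNS name of the endpoint" names a `host` field, but the field is the repeated `hosts`; write `the hosts field` and state how more than one entry is treated. The spelling `HTTPs` (also in the patch 1–3 hunks) reads as a plural; the conventional `HTTPS` avoids that.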
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 47cd0301498..7a61b47aaea 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -343,7 +343,7 @@ message ServiceEntry {
 // the HTTP Host/Authority header will be matched against the hosts field.
 // For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
 // will be matched against the hosts field. For all other protocols
- // the hosts will be ignored, and the port and addresses and ports fields
+ // the hosts will be ignored, and the port and addresses fields
 // will be used if present. Note that when resolution is set to type DNS
 // and no endpoints are specified, the host field will be used as the DNS name
 // of the endpoint to route traffic to.
From 2d49f1ca69b6368e5cda2ac98d476074f6e3e362 Mon Sep 17 00:00:00 2001
From: Andra Cismaru
Date: Fri, 8 Mar 2019 13:41:11 -0800
Subject: [PATCH 7/7] generate
---
 networking/v1alpha3/service_entry.pb.go | 16 +++++++--------
 networking/v1alpha3/service_entry.pb.html | 16 +++++++--------
 2 files changed, 14 insertions(+), 18 deletions(-)
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index ce4736a52de..6168b16ee64 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -429,18 +429,16 @@ type ServiceEntry struct {
 // name with wildcard prefix (external services only). For HTTP traffic
 // the HTTP Host/Authority header will be matched against the hosts field.
 // For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
- // will be matched against the hosts field. For non-HTTP(s) protocols
- // such as TCP/mongo the hosts will be ignored.
- // In such scenarios, the IP addresses specified in
- // the Addresses field or the port will be used to uniquely identify the destination.
+ // will be matched against the hosts field. For all other protocols
+ // the hosts will be ignored, and the port and addresses fields
+ // will be used if present. Note that when resolution is set to type DNS
+ // and no endpoints are specified, the host field will be used as the DNS name
+ // of the endpoint to route traffic to.
 Hosts []string `protobuf:"bytes,1,rep,name=hosts,proto3" json:"hosts,omitempty"`
 // The virtual IP addresses associated with the service. Could be CIDR
- // prefix. For HTTP(s) and TLS services, the addresses field will be ignored and
+ // prefix. For HTTP traffic the addresses field will be ignored and
 // the destination will be identified based on the HTTP Host/Authority
- // header or the Server Name Indication (SNI).
- // For non-HTTP(s) protocols
- // such as TCP/mongo the hosts will be ignored.
- // If one or more IP addresses are specified,
+ // header. If one or more IP addresses are specified,
 // the incoming traffic will be identified as belonging to this service
 // if the destination IP matches the IP/CIDRs specified in the addresses
 // field. If the Addresses field is empty, traffic will be identified
diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html
index 261b335356f..419590bd635 100644
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@@ -326,10 +326,11 @@

ServiceEntry

name with wildcard prefix (external services only). For HTTP traffic
the HTTP Host/Authority header will be matched against the hosts field.
For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
-will be matched against the hosts field. For non-HTTP(s) protocols
-such as TCP/mongo the hosts will be ignored.
-In such scenarios, the IP addresses specified in
-the Addresses field or the port will be used to uniquely identify the destination.

+will be matched against the hosts field. For all other protocols
+the hosts will be ignored, and the port and addresses fields
+will be used if present. Note that when resolution is set to type DNS
+and no endpoints are specified, the host field will be used as the DNS name
+of the endpoint to route traffic to.

@@ -338,12 +339,9 @@

ServiceEntry

string[]

The virtual IP addresses associated with the service. Could be CIDR
-prefix. For HTTP(s) and TLS services, the addresses field will be ignored and
+prefix. For HTTP traffic the addresses field will be ignored and
the destination will be identified based on the HTTP Host/Authority
-header or the Server Name Indication (SNI).
-For non-HTTP(s) protocols
-such as TCP/mongo the hosts will be ignored.
-If one or more IP addresses are specified,
+header. If one or more IP addresses are specified,
the incoming traffic will be identified as belonging to this service
if the destination IP matches the IP/CIDRs specified in the addresses
field. If the Addresses field is empty, traffic will be identified