[wip] dont apply client TLS filtering on gateways #39829
Conversation
pilot/pkg/xds/endpoint_builder.go
@@ -384,9 +386,12 @@ type mtlsChecker struct { | |||
subsetPolicyMode map[string]*networkingapi.ClientTLSSettings_TLSmode | |||
// the tlsMode of the root traffic policy if it's set | |||
rootPolicyMode *networkingapi.ClientTLSSettings_TLSmode | |||
|
|||
// Indicates the cluster we're checking settings for doesn't care about mTLS settings on the client (DestinationRule). | |||
passthroughMode bool |
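Review bot: the added `passthroughMode` field and its comment say the cluster "doesn't care about mTLS settings on the client (DestinationRule)" but do not say which clusters set it or why. Since the same checker also carries per-endpoint tlsMode state, name the field for the condition that triggers it (the discussion points at SNI-DNAT passthrough clusters used by the east-west gateway) and state in the comment that when it is set the DestinationRule's tlsMode is ignored, so it is not confused with the endpoint-side `security.istio.io/tlsMode` label.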
This is confusing, I think you mean for the east-west gateway, the TLS mode from the DR is ignored
cluster
as in xDS cluster. The srv passthrough clusters don't actually apply client TLS settings since they don't terminate/originate any TLS.
So I changed this a bit to allow the "workaround destinationrule" to work, even though it shouldn't be needed. In the egress case, it's the tlsMode causing the issue. We only have that label on sidecar pods. We could either:
The latter will fix things without users adding the label though..
@@ -16,6 +16,7 @@ gateways: | |||
labels: | |||
app: istio-egressgateway | |||
istio: egressgateway | |||
security.istio.io/tlsMode: istio |
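Review bot: adding `security.istio.io/tlsMode: istio` to the egressgateway pod labels changes how pilot classifies the gateway's endpoints, because `computeForEndpoint` treats endpoints without that label as not mTLS-capable; with the label present, auto-mTLS may begin originating mTLS to the gateway's listeners. Please state in the PR whether the egress gateway's listeners actually accept mTLS from sidecars, and if the label is only a workaround for the filtering bug, keep it out of the default values file and fix the classification in code instead.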
This doesn't seem safe? Won't we accidentally start doing autoMTLS to the gateway?
@@ -831,6 +832,12 @@ func (ep *IstioEndpoint) DeepCopy() *IstioEndpoint { | |||
return copyInternal(ep).(*IstioEndpoint) | |||
} | |||
|
|||
var gatewayNames = sets.New("ingressgateway", "egressgateway") |
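Review bot: `gatewayNames` hard-codes "ingressgateway" and "egressgateway", which are the default deployment names rather than a contract; gateways installed under other names will not match, and any unrelated workload that happens to use those strings will. Prefer an existing constant or a label-based signal on the endpoint, and if the set stays, document next to it that it only recognises the default installation.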
Do we have these as constants anywhere? Is this even truly a "standard"?
Seems not a standard naming
/retest
@@ -419,16 +425,21 @@ func (c *mtlsChecker) computeForEndpoint(ep *model.IstioEndpoint) { | |||
if drMode := c.mtlsModeForDestinationRule(ep); drMode != nil { | |||
switch *drMode { | |||
case networkingapi.ClientTLSSettings_DISABLE: | |||
c.mtlsDisabledHosts[lbEpKey(ep.EnvoyEndpoint)] = struct{}{} | |||
return | |||
if !c.sniDNAT { |
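Review bot: the new `if !c.sniDNAT {` inside the `ClientTLSSettings_DISABLE` case changes which endpoints are recorded in `mtlsDisabledHosts`. From this hunk it is not clear whether the endpoint is still added when `sniDNAT` is true; if it is not, an explicit DISABLE from the DestinationRule would be silently dropped for SNI-DNAT clusters. Add a comment stating the intended behaviour for each combination and a test that covers DISABLE with `sniDNAT` set.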
I am confused here, shouldn't we check sniDNAT first and set c.mtlsDisabledHosts[lbEpKey(ep.EnvoyEndpoint)] in any case?
// if endpoint has no sidecar or explicitly tls disabled by "security.istio.io/tlsMode" label. | ||
if ep.TLSMode != model.IstioMutualTLSModeLabel { | ||
// the endpoint must either be a part of istio or have the securty.istio.io/tlsMode: istio label | ||
if !ep.IsIstioGateway() && ep.TLSMode != model.IstioMutualTLSModeLabel { |
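Review bot: the added comment misspells "security" as "securty.istio.io/tlsMode". More importantly, `!ep.IsIstioGateway() &&` short-circuits the label check, so any endpoint classified as a gateway is treated as mTLS-capable regardless of its `security.istio.io/tlsMode` label; combined with a name-based gateway check this widens auto-mTLS to whatever matches those names. Document why gateways should bypass the label check, or drop the gateway condition and rely on the label as before.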
Why check IsGateway here? IIRC, tls mode is always set on gateways
I don't think that's true from my testing. I don't think checking "is gateway" is a good idea, more of an experiment so far.
11c50bd
to
0fdb665
Change-Id: Ie1448ef9d9c24bcd0869008357004e2995cf3856
@stevenctl: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Included #40243 + the "fix" for eastwest gateway being considered TLS-enabled and things look stable.
@stevenctl: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2022-08-05. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager.
No description provided.