OSSM-2187 Allow usage of spec.proxy.networking.protocol.autoDetect #1049
/retest
@dgn: The following test failed, say
I tested your change on OCP and I can confirm that it worked. After setting protocol auto detection, istiod had updated env vars:
```yaml
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
  value: 'true'
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
  value: 'true'
```
When I set autoDetect.timeout then istiod updated connected proxies.
There is only one thing that I would change.
```go
if autoDetect.Timeout != "" {
	if err := setHelmStringValue(proxyValues, "protocolDetectionTimeout", autoDetect.Timeout); err != nil {
		return err
	}
	if err := setHelmStringValue(meshConfigValues, "protocolDetectionTimeout", autoDetect.Timeout); err != nil {
		return err
	}
}
```
Setting `proxyValues` has no effect, because istiod respects only MeshConfig, so maybe we could remove it? It works anyway, so you can ignore this suggestion, but this PR is an opportunity to simplify this piece of code.
Good catch Jacek! Thank you. I removed that code
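An added sketch of the mapping discussed in the review above, not the operator's own code: the two sniffing flags rendered as istiod env vars, and the timeout written only to MeshConfig. The `AutoDetect` struct, the function names, the 'false' rendering of unset fields and the duration check are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// AutoDetect is a hypothetical stand-in for spec.proxy.networking.protocol.autoDetect.
type AutoDetect struct {
	Inbound, Outbound *bool  // nil means the field was not set
	Timeout           string // e.g. "500ms"; empty means not set
}

// EnvVar mirrors the name/value entries seen on the istiod deployment.
type EnvVar struct{ Name, Value string }

// SniffingEnv renders both istiod flags. Assumption: an unset field renders
// as 'false', matching the stated default of keeping detection disabled.
func SniffingEnv(a AutoDetect) []EnvVar {
	flag := func(b *bool) string { return strconv.FormatBool(b != nil && *b) }
	return []EnvVar{
		{"PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND", flag(a.Outbound)},
		{"PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND", flag(a.Inbound)},
	}
}

// ApplyTimeout writes the timeout to meshConfig only (the reviewer's point:
// istiod ignores the proxy-level copy). The duration check is an addition.
func ApplyTimeout(meshConfig map[string]string, a AutoDetect) error {
	if a.Timeout == "" {
		return nil
	}
	d, err := time.ParseDuration(a.Timeout)
	if err != nil || d < 0 {
		return fmt.Errorf("invalid autoDetect.timeout %q", a.Timeout)
	}
	meshConfig["protocolDetectionTimeout"] = a.Timeout
	return nil
}

func main() {
	on := true
	a := AutoDetect{Inbound: &on, Timeout: "500ms"} // constructed sample input
	mc := map[string]string{}
	fmt.Println(SniffingEnv(a), ApplyTimeout(mc, a), mc)
}
```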
This removes the 'validation' that was effectively removing support for protocol sniffing and allows usage of the fields in 2.2 and 2.3 control planes. We previously removed this feature from OSSM 2.0 because of security concerns; however, I cannot find any documentation of these concerns, and upstream has been enabling it by default since Istio 1.6, so I consider it safe enough to allow usage. Note that we will still default to disabling it in order not to change behavior in any existing deployments.
/retest
We might want to discuss enabling it by default in 2.4