gRPC Services get a configured authority
- so that cluster name, which may not be a valid host, is not used
- if SNI is set on ExtensionService, it is passed through as authority
- otherwise, / is replaced with . in extension cluster name to be used
as authority

Fixes: projectcontour#4278

Signed-off-by: Sunjay Bhatia <[email protected]>
sunjayBhatia committed Jun 21, 2022
1 parent 664742d commit 53c396b
Showing 11 changed files with 133 additions and 35 deletions.
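--- a/cmd/contour/serve.go
+++ b/cmd/contour/serve.go
@@ -609,8 +609,14 @@ func (s *Server) setupRateLimitService(contourConfiguration contour_api_v1alpha1
 }
 }
 
+var sni string
+if extensionSvc.Spec.UpstreamValidation != nil {
+sni = extensionSvc.Spec.UpstreamValidation.SubjectName
+}
+
 return &xdscache_v3.RateLimitConfig{
 ExtensionService: key,
+SNI: sni,
 Domain: contourConfiguration.RateLimitService.Domain,
 Timeout: responseTimeout,
 FailOpen: pointer.BoolDeref(contourConfiguration.RateLimitService.FailOpen, false),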
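Review bot: Nothing at the new `sni` assignment says that `UpstreamValidation.SubjectName`, by its name a certificate-validation setting, is now also what the rate limit service receives as its gRPC authority (per the commit description). A one-line comment above `var sni string` would make that explicit, for example `// SubjectName doubles as the gRPC authority; when unset the authority is derived from the extension cluster name.` An operator whose rate limit backend routes or authorizes on the authority value then knows which field controls it. setupRateLimitService starts before this hunk and the returned struct literal continues past it, so how `SNI` is consumed is not visible here.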
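--- a/internal/envoy/v3/bootstrap_test.go
+++ b/internal/envoy/v3/bootstrap_test.go
@@ -133,7 +133,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -147,7 +148,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -192,7 +194,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -310,7 +313,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -324,7 +328,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -369,7 +374,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -487,7 +493,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -501,7 +508,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -546,7 +554,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -665,7 +674,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -679,7 +689,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -724,7 +735,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -843,7 +855,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -857,7 +870,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -902,7 +916,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -1021,7 +1036,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -1035,7 +1051,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -1080,7 +1097,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -1201,7 +1219,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -1215,7 +1234,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -1260,7 +1280,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -1415,7 +1436,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -1429,7 +1451,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -1474,7 +1497,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -1627,7 +1651,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -1641,7 +1666,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]
@@ -1686,7 +1712,8 @@ func TestBootstrap(t *testing.T) {
 "grpc_services": [
 {
 "envoy_grpc": {
-"cluster_name": "contour"
+"cluster_name": "contour",
+"authority": "contour"
 }
 }
 ]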
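--- a/internal/envoy/v3/cluster.go
+++ b/internal/envoy/v3/cluster.go
@@ -231,7 +231,7 @@ func ConfigSource(cluster string) *envoy_core_v3.ConfigSource {
 ApiType: envoy_core_v3.ApiConfigSource_GRPC,
 TransportApiVersion: envoy_core_v3.ApiVersion_V3,
 GrpcServices: []*envoy_core_v3.GrpcService{
-GrpcService(cluster, timeout.DefaultSetting()),
+GrpcService(cluster, "", timeout.DefaultSetting()),
 },
 },
 },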
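Review bot: The bare `""` in `GrpcService(cluster, "", timeout.DefaultSetting())` gives no hint that an empty second argument means "no SNI, use the cluster name as the authority". A short comment on the line above, such as `// No SNI for the xDS config source: the authority falls back to the cluster name.`, would keep the call readable. ConfigSource begins and ends outside this hunk.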
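--- a/internal/envoy/v3/listener.go
+++ b/internal/envoy/v3/listener.go
@@ -677,10 +677,10 @@ end
 
 // FilterExternalAuthz returns an `ext_authz` filter configured with the
 // requested parameters.
-func FilterExternalAuthz(authzClusterName string, failOpen bool, timeout timeout.Setting, bufferSettings *dag.AuthorizationServerBufferSettings) *http.HttpFilter {
+func FilterExternalAuthz(authzClusterName, sni string, failOpen bool, timeout timeout.Setting, bufferSettings *dag.AuthorizationServerBufferSettings) *http.HttpFilter {
 authConfig := envoy_config_filter_http_ext_authz_v3.ExtAuthz{
 Services: &envoy_config_filter_http_ext_authz_v3.ExtAuthz_GrpcService{
-GrpcService: GrpcService(authzClusterName, timeout),
+GrpcService: GrpcService(authzClusterName, sni, timeout),
 },
 // Pretty sure we always want this. Why have an
 // external auth service if it is not going to affect
@@ -758,11 +758,16 @@ func FilterChainTLSFallback(downstream *envoy_tls_v3.DownstreamTlsContext, filte
 }
 
 // GRPCService returns a envoy_core_v3.GrpcService for the given parameters.
-func GrpcService(clusterName string, timeout timeout.Setting) *envoy_core_v3.GrpcService {
+func GrpcService(clusterName, sni string, timeout timeout.Setting) *envoy_core_v3.GrpcService {
+authority := strings.ReplaceAll(clusterName, "/", ".")
+if sni != "" {
+authority = sni
+}
 return &envoy_core_v3.GrpcService{
 TargetSpecifier: &envoy_core_v3.GrpcService_EnvoyGrpc_{
 EnvoyGrpc: &envoy_core_v3.GrpcService_EnvoyGrpc{
 ClusterName: clusterName,
+Authority: authority,
 },
 },
 Timeout: envoy.Timeout(timeout),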
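Review bot: In `GrpcService` the authority is either `sni` taken verbatim or `clusterName` with only `/` rewritten, so nothing in this function guarantees the value is a valid host. If cluster names or subject names can carry other characters that are not allowed in an authority (not visible here), the original problem would persist for them. At minimum the doc comment should state the rule, and it still names `GRPCService` rather than `GrpcService`: `// GrpcService returns an envoy_core_v3.GrpcService for clusterName. The authority is sni when non-empty, otherwise clusterName with "/" replaced by ".".` The parameter is called `sni` in both `FilterExternalAuthz` and `GrpcService` although the visible lines only use it as the gRPC authority, which deserves a word in the same comment. The struct literal in `GrpcService` continues past the end of the hunk.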