Skip to content

tls: move ssl connection info into SocketAddressProvider#17334

Merged
ggreenway merged 21 commits intoenvoyproxy:mainfrom
soulxu:move_ssl_info_2
Aug 4, 2021
Merged

tls: move ssl connection info into SocketAddressProvider#17334
ggreenway merged 21 commits intoenvoyproxy:mainfrom
soulxu:move_ssl_info_2

Conversation

@soulxu
Copy link
Member

@soulxu soulxu commented Jul 14, 2021

Commit Message: tls: move ssl connection info into SocketAddressProvider
Additional Description:
Moving the StreamInfo's SSL connection info into the SocketAddressProvider.
Risk Level: low
Testing: unittest
Docs Changes: n/a
Release Notes: n/a
Part of #17168

Signed-off-by: He Jie Xu hejie.xu@intel.com

soulxu added 5 commits July 12, 2021 06:22
@soulxu
Add ssl info interface to SocketAddressProvider
cad3fa0 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
Setting the downstream ssl connection inside the ConnectionImpl
288b40a 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
Setting the upstream ssl connection through socketaddressprovider
2dffc9f 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
remove the StreamInfo::upstreamSslConnection
f9881a3 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
fix format
3b56911 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu soulxu requested a review from lizan as a code owner July 14, 2021 07:56
@soulxu
Copy link
Member Author

soulxu commented Jul 14, 2021

cc @mattklein123

soulxu
soulxu commented Jul 14, 2021
View reviewed changes
envoy/network/connection.h Outdated
*/
virtual const SocketAddressProvider& addressProvider() const PURE;
virtual SocketAddressProviderSharedPtr addressProviderSharedPtr() const PURE;
virtual SocketAddressSetterSharedPtr addressProviderSharedPtr() const PURE;
Copy link
Member Author

@soulxu soulxu Jul 14, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: I have to change this due to allow the StreamInfo to set the upstream SSL connection into the AddressProvider.

soulxu
soulxu commented Jul 14, 2021
View reviewed changes
envoy/stream_info/stream_info.h
* @param connection_info sets the upstream ssl connection.
*/
virtual void
setUpstreamSslConnection(const Ssl::ConnectionInfoConstSharedPtr& ssl_connection_info) PURE;
Copy link
Member Author

@soulxu soulxu Jul 14, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was kept to avoid change the 'downstreamSslConnection()' interface as non const. I feel change the 'downstreamSslConnection' isn't right direction.

Also this is why I can change the place to set the upstream SSL connection

envoy/source/common/router/upstream_request.cc

Line 415 in 68fe53a

stream_info_.setUpstreamSslConnection(info.downstreamSslConnection());

soulxu added 3 commits July 15, 2021 05:37
@soulxu
silence the null pointer warning
d04acbd 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
Merge branch 'main' into move_ssl_info_2
f18d2af 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
fix format
2df315a 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
Copy link
Member Author

soulxu commented Jul 19, 2021

/retest

@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Jul 19, 2021

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17334 (comment) was created by @soulxu.

see: more, trace.

ggreenway
ggreenway requested changes Jul 21, 2021
View reviewed changes
Copy link
Member

@ggreenway ggreenway left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/wait

envoy/network/socket.h Outdated
* @return the upstream SSL connection. This will be nullptr if the upstream
* connection does not use SSL.
*/
virtual Ssl::ConnectionInfoConstSharedPtr upstreamSslConnection() const PURE;
Copy link
Member

@ggreenway ggreenway Jul 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this interface should only have the downstreamSslConnection(). All the other fields here are specific to the downstream connection, so including the upstream connection seems misleading.

Copy link
Member Author

@soulxu soulxu Jul 22, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I feel strange too. Although we can keep this in the StreamInfo also, but it still feel strange, since the StreamInfo is only mean to stream for one direction(upstream, or downstream). Also can see the downstream StreamInfo's upstream SSL info is copied from upstream StreamInfo. For example:

envoy/source/common/tcp_proxy/tcp_proxy.cc

Line 531 in a8033fa

getStreamInfo().setUpstreamSslConnection(ssl_info);

So in the end, the upstream SSL info is still mixed with downstream SSL info into downstream StreamInfo. Based on my guess the reason is the filter need the upstream StreamInfo, but other than tcpProxy or HttpRouter filter can't get the upstream StreamInfo, since the upstream StreamInfo is created the last filter (tcpProxy/http router filter).

Copy link
Member

@ggreenway ggreenway Jul 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The streaminfo is a bit odd, and has a mix of upstream/downstream. But SocketAddressProvider is only supposed to have information that should be copied to each request on the connection. The upstream ssl info should not be copied between requests, so I don't think it belongs here.

Copy link
Member Author

@soulxu soulxu Jul 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks, got it, let me revert the change to upstream SSL info.

soulxu added 5 commits July 24, 2021 12:18
@soulxu
Revert "fix format"
f4f5746 
This reverts commit 2df315a.

Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
Revert "silence the null pointer warning"
e4c648d 
This reverts commit d04acbd.

Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
Revert "fix format"
4801259 
This reverts commit 3b56911.

Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
Revert "remove the StreamInfo::upstreamSslConnection"
69c9244 
This reverts commit f9881a3.

Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
Revert "Setting the upstream ssl connection through socketaddressprov…
e05ab4e 
…ider"

This reverts commit 2dffc9f.

Signed-off-by: He Jie Xu <hejie.xu@intel.com>
soulxu added 5 commits July 25, 2021 00:22
@soulxu
fix format
03377f8 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
Merge branch 'main' into move_ssl_info_2
60b8ed5 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
rename downstreamSslConnection to sslConnection
7d1729c 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
fix format
93073ae 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
fix the lua test
27426b8 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
Copy link
Member Author

soulxu commented Jul 26, 2021

/retest

@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Jul 26, 2021

Retrying Azure Pipelines:
Check envoy-presubmit isn't fully completed, but will still attempt retrying.
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17334 (comment) was created by @soulxu.

see: more, trace.

@soulxu
Copy link
Member Author

soulxu commented Jul 26, 2021

/retest

@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Jul 26, 2021

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17334 (comment) was created by @soulxu.

see: more, trace.

@soulxu
Copy link
Member Author

soulxu commented Jul 26, 2021

emm...I can't reproduce the ci failure

@ggreenway
Copy link
Member

ggreenway commented Jul 27, 2021

Looks like the test timed out. Unsure why. Let's see if it's happier in CI today:

/retest

@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Jul 27, 2021

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17334 (comment) was created by @ggreenway.

see: more, trace.

@ggreenway
Copy link
Member

ggreenway commented Jul 27, 2021

The last two guarddog tests are taking over 1 minute each, so the test is timing out. Unsure why. Can you try merging main into the PR to see if that helps?

@soulxu
Copy link
Member Author

soulxu commented Jul 29, 2021

The last two guarddog tests are taking over 1 minute each, so the test is timing out. Unsure why. Can you try merging main into the PR to see if that helps?

got it, thanks

@soulxu
Merge branch 'main' into move_ssl_info_2
8238485 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@ggreenway
Copy link
Member

ggreenway commented Aug 2, 2021

@soulxu CI is fixed, but now's there a merge conflict; please resolve.

@ggreenway
Copy link
Member

ggreenway commented Aug 2, 2021

/wait

@soulxu
Merge branch 'main' into move_ssl_info_2
e996cc8 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
Copy link
Member Author

soulxu commented Aug 3, 2021

@soulxu CI is fixed, but now's there a merge conflict; please resolve.

resolved, thanks again!

@soulxu
Copy link
Member Author

soulxu commented Aug 3, 2021
edited
Loading

emm....

https://dev.azure.com/cncf/envoy/_build/results?buildId=84261&view=logs&j=bbe4b42d-86e6-5e9c-8a0b-fea01d818a24&t=e00c5a13-c6dc-5e9a-6104-69976170e881&l=17863

Per-extension coverage failed:
Code coverage for source/common is lower than limit of 96.6 (96.5)
Code coverage for source/common/quic is lower than limit of 91.3 (91.2)

I will take a look at this tomorrow.

@ggreenway do you have any suggestions on fixing the coverage test, just add more tests?

@ggreenway
Copy link
Member

ggreenway commented Aug 3, 2021

Looks like this should address the coverage issue. Merge from main to get it. Sorry for all the CI trouble on this PR. a066b5e

@soulxu
Merge branch 'main' into move_ssl_info_2
c14b661 
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
@soulxu
Copy link
Member Author

soulxu commented Aug 4, 2021

/retest

@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Aug 4, 2021

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17334 (comment) was created by @soulxu.

see: more, trace.

@ggreenway
Copy link
Member

ggreenway commented Aug 4, 2021

/retest

@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Aug 4, 2021

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17334 (comment) was created by @ggreenway.

see: more, trace.

@ggreenway
Copy link
Member

ggreenway commented Aug 4, 2021

/retest

@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Aug 4, 2021

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17334 (comment) was created by @ggreenway.

see: more, trace.

@ggreenway ggreenway merged commit 371099f into envoyproxy:main Aug 4, 2021
baojr added a commit to baojr/envoy that referenced this pull request Aug 4, 2021
@baojr
Merge remote-tracking branch 'upstream/main' into baojr/grpc-reverse-…
aef6031 
…bridge-stream

* upstream/main: (32 commits)
  tls: move ssl connection info into SocketAddressProvider (envoyproxy#17334)
  conn pool: default enable runtime feature `conn_pool_delete_when_idle` (envoyproxy#17577)
  api: LEDS api introduction (envoyproxy#17419)
  kafka: add support for api versions request in mesh-filter (envoyproxy#17475)
  ext_proc: Implement BUFFERED_PARTIAL processing mode (envoyproxy#17531)
  tooling: Async/pathlib/mypy cleanups and utils (envoyproxy#17505)
  xds: restructure CertificateProvider fields (envoyproxy#17201)
  Refactor OverloadIntegrationTest breaking out a test base, and the fake resource monitors. (envoyproxy#17530)
  listener: move active connection collection out of active tcp listener (envoyproxy#16947)
  tools: format checks for backticks (envoyproxy#17566)
  coverage: set lower limit for common/quic and common (envoyproxy#17573)
  v2: final source removal (envoyproxy#17565)
  test: bumping coverage (envoyproxy#17564)
  quic: enforcing header size and contents (envoyproxy#17520)
  Support for canonicalizing URI properly for AWS SigV4 signer (envoyproxy#17137)
  listener: add a stat for transport socket connect timeout (envoyproxy#17458)
  listener: add listen() error handling (envoyproxy#17427)
  http: return per route config when direct response is set (envoyproxy#17449)
  removing most v2 references from source/ (envoyproxy#17415)
  bug fix: return bootstrap when validating config (envoyproxy#17499)
  ...

Signed-off-by: Garrett Bourg <bourg@squareup.com>
@soulxu soulxu mentioned this pull request Aug 15, 2021
Closed
leyao-daily pushed a commit to leyao-daily/envoy that referenced this pull request Sep 30, 2021
@soulxu
tls: move ssl connection info into SocketAddressProvider (envoyproxy#…
18e7ce1 
…17334)

Part of envoyproxy#17168

Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ggreenway ggreenway ggreenway approved these changes

@lizan lizan Awaiting requested review from lizan

Assignees

@ggreenway ggreenway

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@soulxu @ggreenway