Feat: Extension server policy propagation to PostTranslateModify#5914
Conversation
raviverma-ai
changed the title
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5914 +/- ##
==========================================
- Coverage 70.52% 70.49% -0.04%
==========================================
Files 220 220
Lines 36621 36639 +18
==========================================
Hits 25828 25828
- Misses 9268 9285 +17
- Partials 1525 1526 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
guydc
left a comment
guydc
left a comment
There was a problem hiding this comment.
Can we avoid saving the extension policies twice per XDS? they are saved for both the entire XDS and the IR Listener now.
|
hey @raviverma-ai can you share your use case, curious why the other hooks aren't applicable |
|
cc @nareddyt |
|
this seems to be doing what I suggested in #5561, but it would be good to know what the specific use-case for the PR author is (as arko said here: #5914 (comment)) |
This enables users to perform actions which needs modifications to clusters (other hooks are not proving options to modify clusters). In our particular use case, we would like to enable sds based mtls certificate issuance and rotation instead of manually updating certificates. This requires clusters to have UpstreamTlsContext pointing to sds server and get certificates automatically. In our case, we are creating native integration with Istio and to avoid sidecar injection on EG. |
|
thanks @raviverma-ai, the use case makes sense, do you need access to Extension Resources for this case ? |
|
@arkodg, Yes, it would give more control to user to take actions on. For instance, we are using extension server policy CRD to enable this feature bound to specific gateway. i.e. If user wants to enable sds based mtls for specific gateway and not for all gateways. Furthermore, we are planning to provide even more control in future like user would be able to control this behaviour on httproute or backend/service basis (still under discussion for feasibility and use case). |
raviverma-ai
force-pushed
the
allow-extension-policy-in-post-translate-hook
branch
from
33ad861 to
c070bd2
Compare
raviverma-ai
force-pushed
the
allow-extension-policy-in-post-translate-hook
branch
3 times, most recently
from
cdcf7fc to
ec030bc
Compare
|
hi @raviverma-ai. Thoughts on this comment from earlier?
|
|
cc @liorokman |
@guydc thanks for reminding. Updated logic to store the pointer to original policies instead of creating another copy. |
I think that this should be reflected in the test files as well. Can you regenerate the test output files with Also, please add a few test cases for this new flow to
|
raviverma-ai
force-pushed
the
allow-extension-policy-in-post-translate-hook
branch
from
0d1d884 to
8d5f19b
Compare
@guydc added/updated test cases as requested. |
raviverma-ai
force-pushed
the
allow-extension-policy-in-post-translate-hook
branch
from
8d5f19b to
09d990a
Compare
…tually pass to PostTranslateModify() method Signed-off-by: Ravi Verma <ravi@imesh.ai>
Signed-off-by: Ravi Verma <ravi@imesh.ai>
…instead of creating another copy Signed-off-by: Ravi Verma <ravi@imesh.ai>
…r policy Signed-off-by: Ravi Verma <ravi@imesh.ai>
raviverma-ai
force-pushed
the
allow-extension-policy-in-post-translate-hook
branch
from
09d990a to
48d054b
Compare
|
@raviverma-ai - one question on my end. Right now, for gateway-attached policies, we save the relevant policy for the appropriate listener in the gateway and provide it as context in that listener's scope. Here, we seem to store all policies on the gateway level and send them as context for the post-translate hook. As a user, does that meet your requirements? Do you not need to know which specific clusters (originating from specific listeners) should be affected by the policy? |
|
@guydc As I had mentioned earlier as well. For this or any similar use case, where user only needs to know which Gateway, that specific Extension Server Policy is applicable to, i.e. all dynamic cluster can be modified/reviewed or even specific ones as well, those information can be specified in Custom Extension Server Policy defined by user. For now, we will be using this to enable mtls via sds server on all backend communications. However, there is plan for future to even further fine tune and target specific route/service etc. |
| FilterOrder []egv1a1.FilterPosition `json:"filterOrder,omitempty" yaml:"filterOrder,omitempty"` | ||
| // GlobalResources holds the global resources used by the Envoy, for example, the envoy client certificate and the OIDC HMAC secret | ||
| GlobalResources *GlobalResources `json:"globalResources,omitempty" yaml:"globalResources,omitempty"` | ||
| // ExtensionServerPolicies is the intermediate representation of the ExtensionServerPolicy resource |
There was a problem hiding this comment.
can we use the same naming used in other places like L264
// ExtensionRefs holds unstructured resources that were introduced by an extension policy
ExtensionRefs []*UnstructuredRef `json:"extensionRefs,omitempty" yaml:"extensionRefs,omitempty"`
arkodg
left a comment
arkodg
left a comment
There was a problem hiding this comment.
LGTM thanks
added one non blocker comment
Can you fix this in a follow-up PR please? |
Yes, sure. |
5 participants
What type of PR is this?
What this PR does / why we need it:
Add custom extension server policies to PostTranslateContext and eventually pass to PostTranslateModify() method so that extension server can take actions accordingly based on CRDs.
Release Notes: Yes