Double HBONE implementation for ambient multicluster

[Stevenjin8]

Initial double HBONE implementation

Right now, inner HBONE will only hold one connect tunnel. Once the inner tunnel terminates, so will the outer tunnel (but not the outer HBONE). So when ztunnel receives its first connection to a double HBONE host (E/W gateway), it will perform two TLS handshakes. Subsequent connections to the same host will perform one TLS handshake.

This behavior is not great, but if we put the inner HBONE in the connection pool, then we pin ourselves to a pod in the remote cluster since ztunnel performs connection pooling, but is not aware of the E/W gateway's routing decision.

That being said, I think this is a good place to stop and think about control plane implementation and get some feedback on how I'm approaching this.

Tasks:

• Implement double HBONE
• Fix TLS code (I don't think I can do this without more control plane info since SANs are set for services)
• metrics
• Implement proper inner HBONE connection pooling
• Tests

Some open questions:

• Do I need to make any changes to metrics?
• How do should we do inner HBONE pooling? My suggestion is to have up to N inner HBONE connections per E/W or per remote cluster.
• Good ways to test for race conditions in connection terminations? Right now, it seems that connections end gracefully without race conditions, but that's just on my machine.

References:

• Multi-network Ambient Protocol
• Multi-network Ambient: Control Plane and ServiceDiscovery

[istio-testing]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[Stevenjin8]

How did we get these numbers?

[bleggett]

by looking a the current size and adding a small amount of buffer.

[howardjohn]

I think we covered this live on the WG call, but just to close the loop here - this must not grow (beyond a trivial amount) else it meas every connection will use that much additional memory. Typically the fix here is to Box::pin the futures.

[Stevenjin8]

Anything here we can do higher up I think, but things might change if we decide to implement pooling in this PR

[bleggett]

Yeah if we want double-hbone conns to be unpooled and thus need ~none of this surrounding machinery, then I'd be inclined to just start proxy/double-hbone.rs and use that directly, rather than complicating the purpose of this file.

(Could also just have a common HboneConnMgr trait or something too)

[Stevenjin8]

Does anybody have any info on how to properly drop/terminate H2 connections over stream with nontrivial drops (e.g. shutting down TLS over HTTP2 CONNECT). Right now, I'm just dropping things/aborting tasks randomly until something works

[keithmattix]

Are you asking about how to cleanup after, for example, a RST_STREAM to the inner tunnel? Or something else

[Stevenjin8]

Kinda. I mostly mean the outer TLS stream because that's what I've looked at. It seems like if I drop conn_client before termination driver_task the TCP connection will close without sending close notifies. So yes, I'm asking if there is a way to explicitly do cleanup rather than relying on implicit drops.

[keithmattix]

I see the code changed; do you still need help figuring this out?

[Stevenjin8]

Im still not confident in it. It works (on my machine), but I couldn't find any docs on proper connection termination/dropping.

[Stevenjin8]

Seems like we ignore shutdown errors so I'm not going to worry about this

[Stevenjin8]

Git merge is getting confused here

[keithmattix]

I may have missed in the description, but why the change here?

[Stevenjin8]

I was hoping it would making debugging async rust easier (it didn't)

[bleggett]

(if you haven't already found it, tokio-console can be helpful)

[keithmattix]

Are you asking about how to cleanup after, for example, a RST_STREAM to the inner tunnel? Or something else

[Stevenjin8]

Will reorganize later.

[Stevenjin8]

My understanding from talking to @keithmattix is that Upstream.service_sans will be repurposed to contain the identities of remote pods/waypoints, so I should change the logic of the other protocols to only use us.workload.identity instead of us.workload_and_services_san.

[keithmattix]

Yes, I think this is correct; only the double hbone codepath needs to be added/changed because there are two sans being considered: the e/w gateway SAN and the SANs of the backends. So what you have looks right to me

[Stevenjin8]

fixme

[Stevenjin8]

I think metrics story is clear: only do metrics for inner hbone.

Also for RBAC, its only destination ztunnel that does RBAC, its not relevant here?

[Stevenjin8]

/test test

[Stevenjin8]

TODO write tests

[Stevenjin8]

tests are in poo.rs

[howardjohn]

Can you please revert this. We should NOT be sending an SNI.

rustls makes this kind of annoying, but if you just set an IP it will not send anything. We can put 0.0.0.0 if you want.

Putting a dummy IP != putting a dummy domain

[howardjohn]

nit: can we just put this all in state.rs like fetch_waypoint but fetch_network_gateway?

[howardjohn]

IIUC this means that if we find a workload in another network but it does NOT have a gateway, we will just send to the IP, which will not work (or worse, may go to some actual destination unrelated to the target). Do we have something protecting against this

[Stevenjin8]

I can add it, but I don't think we ever did this check

[howardjohn]

If we follow the above comment about following fetch_watchpoint this would probably end up calling find_hostname --> find_upstream_from_service

[howardjohn]

Overall looks good, mostly some minor comments, only blocker is the dummy SNI

[howardjohn]

The intent of these APIs is the address are not raw IPs we send to, but lookup keys into workloads/services. We should use the same logic as fetch_waypoint which calls find_upstream

[Stevenjin8]

ok, so I can assume that the address has a Workload object behind it

[zirain]

the PR title is terrible.

[keithmattix]

That's my fault; I removed the hold before he could change it