http: make credential injector filter a dual filter#38398
http: make credential injector filter a dual filter#38398mattklein123 merged 9 commits intoenvoyproxy:mainfrom
Conversation
jewertow
force-pushed
the
credential-injector-upstream-filter
branch
from
92bea00 to
17d1568
Compare
…actoryContext (#38399) Commit Message: factory context: extend ServerFactoryContext with getTransportSocketFactoryContext Additional Description: This change is necessary to allow upstream filters reading secrets from SDS. Risk Level: low Testing: - Docs Changes: Not needed as it is only an internal change. Release Notes: Not needed as it is only an internal change. Platform Specific Features: - This change is necessary to unblock: 1. injecting credentials to upstream requests #38398 2. reading image pull secret by upstream wasm filters #37635 --------- Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
jewertow
force-pushed
the
credential-injector-upstream-filter
branch
from
17d1568 to
3172ce6
Compare
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
jewertow
force-pushed
the
credential-injector-upstream-filter
branch
from
3172ce6 to
2f43d09
Compare
Signed-off-by: Jacek Ewertowski <[email protected]>
|
I don't know why the test 2 is not equal to 2 - what? Do you have any idea? Update: The counter did not reach the value of 2 within 1 second, and the |
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
|
@jewertow |
|
I've seen that PR, but this test was still failing in this PR. This check was failing immediately, and I think this is risky to assume that the initial request should not fail within 20 milliseconds, because the cluster manager returns nullptr immediately for a cluster, which does not exists. So I changed the logic of this test to wait at most 3 seconds for 2 retried requests. My understanding of this test is as follows: a filter is initialized during X milliseconds, and we have to observe a failure before the first retry, which should happen within 1 second, so it is 1s + X ms. We want to observe a retry, so we must wait for the second request, but it must happen before the third request (second retry), which means it must happen not later than 3 s + X ms. I know it's complicated, and I guess you don't want to debug this problem anymore. What do you think about merging it as is and see in the ongoing weeks if that will become flaky? If it will start failing again, I will take care of debugging and if I will not fix the problem, we will revert this change before the release? |
|
I will also mention here that this PR may cause flaky results, so I will be responsible for fixing issues. |
|
@mattklein123 I think this is ready for review. |
|
make sense @jewertow |
|
I could also investigate enabling |
- Update the ENVOY_COMMIT and ENVOY_SHA in bazel/repositories.bzl to the latest Envoy's commit. - Update .bazelrc with changes from envoyproxy/envoy#38477 - Update source/client/process_impl.cc with API changes to envoyproxy/envoy@a1cdaed - Update tools/code_format/config.yaml to envoyproxy/envoy#38460 and envoyproxy/envoy#38398 Signed-off-by: Tom Zhang <[email protected]>
fix: envoyproxy/gateway#5496 (comment) We should use the initManager in the DualInfo because the Credential Injector can be used for both HCM filter and upstream filter. Using the initManger from the ServerFactoryContext for HCM filter causes the secret to be added to the server initManager when it's already in the initialized state. Change log should not be required as this fixes a bug introduced in [a RP](#38398) that just merged after v1.33.0 . @yanavlasov --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]>
fix: envoyproxy/gateway#5496 (comment) We should use the initManager in the DualInfo because the Credential Injector can be used for both HCM filter and upstream filter. Using the initManger from the ServerFactoryContext for HCM filter causes the secret to be added to the server initManager when it's already in the initialized state. Change log should not be required as this fixes a bug introduced in [a RP](envoyproxy#38398) that just merged after v1.33.0 . @yanavlasov --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]>
…actoryContext (envoyproxy#38399) Commit Message: factory context: extend ServerFactoryContext with getTransportSocketFactoryContext Additional Description: This change is necessary to allow upstream filters reading secrets from SDS. Risk Level: low Testing: - Docs Changes: Not needed as it is only an internal change. Release Notes: Not needed as it is only an internal change. Platform Specific Features: - This change is necessary to unblock: 1. injecting credentials to upstream requests envoyproxy#38398 2. reading image pull secret by upstream wasm filters envoyproxy#37635 --------- Signed-off-by: Jacek Ewertowski <[email protected]>
Commit Message: http: make credential injector filter a dual filter Additional Description: This change allows users to inject credentials to HTTP CONNECT requests sent to the upstream tunnel proxy. Credentials can come from secrets (static and sds) for example for Basic auth, or from authorization servers in case of OAuth2. Risk Level: Testing: Integration test was implemented. Docs Changes: TODO Release Notes: done Fixes envoyproxy#13809 This approach to injecting Proxy-Authorization was suggested by @alyssawilk [here](envoyproxy#13809 (comment)) This PR must be merged first: envoyproxy#38399. [Here](https://github.com/jewertow/envoy-playground/blob/master/inject-proxy-authorization/envoy.filters.http.upstream.credential_injector/envoy.yaml) you can see example configuration for credential injector upstream filter. --------- Signed-off-by: Jacek Ewertowski <[email protected]>
fix: envoyproxy/gateway#5496 (comment) We should use the initManager in the DualInfo because the Credential Injector can be used for both HCM filter and upstream filter. Using the initManger from the ServerFactoryContext for HCM filter causes the secret to be added to the server initManager when it's already in the initialized state. Change log should not be required as this fixes a bug introduced in [a RP](envoyproxy#38398) that just merged after v1.33.0 . @yanavlasov --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]>
3 participants
Commit Message: http: make credential injector filter a dual filter
Additional Description: This change allows users to inject credentials to HTTP CONNECT requests sent to the upstream tunnel proxy. Credentials can come from secrets (static and sds) for example for Basic auth, or from authorization servers in case of OAuth2.
Risk Level:
Testing: Integration test was implemented.
Docs Changes: TODO
Release Notes: done
Fixes #13809
This approach to injecting Proxy-Authorization was suggested by @alyssawilk here
This PR must be merged first: #38399.
Here you can see example configuration for credential injector upstream filter.