fix: add unary interceptor and fix fail-open auth in GatewayNamespaceMode#8986
Conversation
✅ Deploy Preview for cerulean-figolla-1f9435 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
…Mode Signed-off-by: Karol Szwaj <[email protected]>
bf2f381 to
39585d7
Compare
Signed-off-by: Karol Szwaj <[email protected]>
|
Codex Review: Didn't find any major issues. Keep it up! ℹ️ About Codex in GitHubCodex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback". |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #8986 +/- ##
==========================================
+ Coverage 74.76% 74.79% +0.02%
==========================================
Files 251 251
Lines 40397 40417 +20
==========================================
+ Hits 30204 30229 +25
+ Misses 8128 8119 -9
- Partials 2065 2069 +4 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
zhaohuabing
left a comment
There was a problem hiding this comment.
LGTM. Thanks for the quick fix!
|
/retest |
…Mode (envoyproxy#8986) Signed-off-by: jukie <[email protected]>
…Mode (envoyproxy#8986) Signed-off-by: Rudrakh Panigrahi <[email protected]>
…Mode (envoyproxy#8986) Signed-off-by: nguyenptk <[email protected]>
…Mode (envoyproxy#8986) Signed-off-by: Karol Szwaj <[email protected]>
…atewayNamespaceMode (#8986) (#9116) fix: add unary interceptor and fix fail-open auth in GatewayNamespaceMode (#8986) Signed-off-by: Karol Szwaj <[email protected]>
…atewayNamespaceMode (#8986) (#9118) fix: add unary interceptor and fix fail-open auth in GatewayNamespaceMode (#8986) Signed-off-by: Karol Szwaj <[email protected]>
What type of PR is this?
What this PR does / why we need it:
The xDS gRPC server in GatewayNamespaceMode had no UnaryInterceptor, leaving all unary RPCs completely unauthenticated. The go-control-plane xDS server exposes both streaming and unary methods for all registered discovery services. Additionally, the stream interceptor only validated DeltaDiscoveryRequest messages.
This PR adds UnaryInterceptor, handles SotW requests as well and validates message types.
I have cleaned the code as well and added unit tests for interceptors.
Which issue(s) this PR fixes:
Fixes #
Release Notes: Yes