destination: add UriLikeIdentity and server_name #285
Merged
zaharidichev merged 4 commits into linkerd:main on Jan 5, 2024
Signed-off-by: Zahari Dichev <[email protected]>
mateiidavid
approved these changes
Dec 20, 2023
Member
mateiidavid
left a comment
Looks good to me after playing with this in the prototype. Should we also add a small comment in
linkerd2-proxy-api/proto/inbound.proto
Line 173 in eff6f41
olix0r
reviewed
Jan 3, 2024
| oneof strategy { DnsLikeIdentity dns_like_identity = 1; } | ||
| oneof strategy { | ||
| DnsLikeIdentity dns_like_identity = 1; | ||
| UriLikeIdentity uri_like_identity = 3; |
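Review bot: in the expanded `oneof strategy`, `uri_like_identity` takes field number 3 and nothing in these lines accounts for 2. If 2 is held back on purpose, a `reserved 2;` on the enclosing message or a one-line comment would make that explicit. Neither arm carries a doc comment; one on `uri_like_identity` stating the expected form of the value would help implementers of the API.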
Member
If I recall correctly, the name DnsLikeIdentity was chosen to indicate that this isn't actually a DNS name:
- We don't expect it to be resolvable via DNS.
- It doesn't actually support all DNS names (i.e., trailing dots are forbidden).
I think in this case, we can just call it UriIdentity.
proto/destination.proto
Outdated
| UriLikeIdentity uri_like_identity = 3; | ||
| } | ||
|
|
||
| ServerName server_name = 4; |
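Review bot: `server_name = 4` is added after the closing brace of the `oneof` with no comment on the field. It should state whether the field is required when `uri_like_identity` is set and what a consumer is expected to do when it is unset, so that existing clients and new ones agree on the fallback.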
Member
It seems appropriate to use DnsLikeIdentity for the server_name type to me. The server name has to be a DNS-like string.
Signed-off-by: Zahari Dichev <[email protected]>
olix0r
approved these changes
Jan 4, 2024
Signed-off-by: Zahari Dichev <[email protected]>
Member
Author
@olix0r renamed
Member
Author
Will merge that, we can do a follow up if needed.
zaharidichev
added a commit
to linkerd/linkerd2-proxy
that referenced
this pull request
Jan 15, 2024
This change is a follow-up to the work to split the concepts of `ServerId` and `ServerName`. To do that we consume the changes to the protobuf API introduced in: linkerd/linkerd2-proxy-api#285, while keeping things backward compatible.
Signed-off-by: Zahari Dichev <[email protected]>
This PR changes the `TlsIdentity` type in the destination API such that:
- `UriLikeIdentity` identity type that should contain identities that are in URI format (e.g. SPIFFE)
- `server_name` to the `TlsIdentity` type. This allows us to differentiate between an SNI value and a TLS Id value. This is mainly needed because in certain identity systems (SPIFFE/SPIRE) the TLS SAN can be in URI form. A URI cannot be used as a SNI extension in a `ClientHello`, so an alternative SNI value needs to be provided. This brings the need to distinguish between these two concepts.

For context:
linkerd/linkerd2-proxy#2506
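The split between identity and SNI that the description above argues for, as an added example that is not part of this pull request or of linkerd's code. The types, function names, the DNS-like validation rules and the fallback policy (an explicit server name wins, a DNS-like identity doubles as SNI, a URI identity alone is rejected) are assumptions made for illustration.

```rust
// Added illustration: type and function names are hypothetical, not linkerd's API.
#[derive(Debug, PartialEq)]
pub enum Identity {
    DnsLike(String), // DNS-like identity string
    Uri(String),     // URI-form identity, e.g. a SPIFFE ID
}

#[derive(Debug, PartialEq)]
pub enum SniError {
    InvalidServerName,  // candidate SNI is not a DNS-like name
    UriNeedsServerName, // URI identity supplied without a server_name
}

/// DNS-like check: dot-separated labels of ASCII letters, digits and '-',
/// each 1..=63 bytes, 253 bytes overall, and no trailing dot.
pub fn is_dns_like(name: &str) -> bool {
    name.len() <= 253
        && name.split('.').all(|l| {
            (1..=63).contains(&l.len())
                && !l.starts_with('-')
                && !l.ends_with('-')
                && l.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
        })
}

/// Chooses the SNI value for the ClientHello (assumed policy, see lead-in).
/// The identity itself is still what the peer certificate is checked against.
pub fn sni_for(id: &Identity, server_name: Option<&str>) -> Result<String, SniError> {
    match (server_name, id) {
        (Some(sn), _) if is_dns_like(sn) => Ok(sn.to_ascii_lowercase()),
        (Some(_), _) => Err(SniError::InvalidServerName),
        (None, Identity::DnsLike(n)) if is_dns_like(n) => Ok(n.to_ascii_lowercase()),
        (None, Identity::DnsLike(_)) => Err(SniError::InvalidServerName),
        (None, Identity::Uri(_)) => Err(SniError::UriNeedsServerName),
    }
}

fn main() {
    // Constructed sample values.
    let id = Identity::Uri("spiffe://example.org/ns/web".into());
    println!("{:?}", sni_for(&id, Some("web.example.org")));
    println!("{:?}", sni_for(&id, None));
}
```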