Add generic transport security context#189
Conversation
Signed-off-by: Lizan Zhou <zlizan@google.com>
api/sds.proto
Outdated
| import "api/transport_security.proto"; | ||
|
|
||
| import "google/api/annotations.proto"; | ||
| import "google/protobuf/wrappers.proto"; |
There was a problem hiding this comment.
I think google/protobuf/wrappers.proto can be removed now.
| ConfigSource sds_config = 2; | ||
| } | ||
|
|
||
| message TransportSecurityContext { |
There was a problem hiding this comment.
Nit: feel free to add this before SdsSecretConfig, so it's next to other context definition.
|
|
||
| // Implementation specific configuration which depends on the implementation being instantiated. | ||
| // See the supported transport security implementations for further documentation. | ||
| google.protobuf.Any config = 2; |
There was a problem hiding this comment.
As discussed in person, I'm fine with Any, but we use Struct in other places for opaque configs.
There was a problem hiding this comment.
Yes I am following discussion at envoyproxy/envoy#1680 . For this I feel Any is better since there won't be v1 compatibility issue with JSON.
My POC work actually does parsing Any from JSON without problem.
There was a problem hiding this comment.
I honestly don't fully grok all the history on Struct vs. Any so will defer to @htuch on this.
There was a problem hiding this comment.
I followed up at envoyproxy/envoy#168, but I think that if this is another opaque config that isn't going to always have the proto descriptor available for the inner messages at data-plane-api, then we should at least make the option of Struct, and TBH, I would just defer the Any handling until #1680 gets done as an orthogonal piece of work.
There was a problem hiding this comment.
Followed up on envoyproxy/envoy#1680 too.
Also note a Struct can be wrapped into Any. So it seems like for new opaque configs like this PR, can be defined with Any only, to avoid complexities and confusions between Struct and Any, while we provide both options, and gains from typed config.
There was a problem hiding this comment.
I rather not have inconsistency in how opaque configs are provided. Either we resolve envoyproxy/envoy#1680 and apply the solution across the API surface, or we stick with Struct here for now IMHO.
There was a problem hiding this comment.
OK, let's make this just an Any for now, but please document that the dynamically typed Struct equivalent for any proto that is supported by the Any will also be accepted as a value, and Envoy will do the work of attempting to parse this under the expected type for the transport security in question.
There was a problem hiding this comment.
I think we still need to sort out whether this is a transport security feature or not. Based on the implementation it seems like a full listener/connection swap? (Any/Struct is fine with me).
There was a problem hiding this comment.
Sorry for the delay, yes I'm still figuring out the split between transport security or full connection impl. Yet busy with other stuff...
The implementation what I want to hook up (TSI) is just shuffling bytes, so it does't have to be a full listener/connection, though the existing BoringSSL does operate on file descriptors directly.
| DownstreamTlsContext tls_context = 2; | ||
|
|
||
| oneof transport_security { | ||
| DownstreamTlsContext tls_context = 2; |
There was a problem hiding this comment.
While you're here, can you add comment here, similar to the one for UpstreamTlsContext?
Signed-off-by: Lizan Zhou <zlizan@google.com>
PiotrSikora
left a comment
There was a problem hiding this comment.
LGTM, pending Any vs Struct decision from @htuch and @mattklein123.
| @@ -0,0 +1,151 @@ | |||
| syntax = "proto3"; | |||
There was a problem hiding this comment.
this is all just moves, right? did anything actually change in here beyond the addition of the opaque config message?
There was a problem hiding this comment.
Right, just moved all contexts out of sds.proto to here, and added TransportSecurityContext.
|
Seems reasonable to me. @lizan can you add a small amount of detail in terms of how this will work? Where will the dividing line be? Will these be new listeners and new connection impls? Or will this all be baked into SslConnectionImpl somehow? |
|
@mattklein123 The plan is to add a factory via registry, which can instantiate listeners and connection impls. I'll make a POC branch in my envoy repo to show how this works. |
|
If that's the case, I'm not sure this is really related to security at all? It's basically about plugging in a new connection level stack (which is fine). Can we rename appropriately? Someone could come along and plug in QUIC or any other proprietary thing that can shuffle bytes around. |
|
Hmm, I see your point. Let me play around this a bit more, may be next week, I'm busy with other stuff the rest of this week. The internal PoC did have another listener / connection impls (they also inherits I'm not sure QUIC will fall into this or not (even we make it pluggable connection level stack). Will need to sync with @alyssawilk, since the new impls is still following TCP semantics. |
|
cc @jpinner-lyft ^ |
|
@lizan where are we with this PR? Do you have an update or should we close out for now? |
|
Closing this, I'll make another PR based on conversation in envoyproxy/envoy#1924 |
Context: envoyproxy/envoy#1840
Signed-off-by: Lizan Zhou zlizan@google.com