postgres: add ability to terminate SSL at Envoy#14634
lizan merged 25 commits into envoyproxy:main from
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Signed-off-by: Christoph Pakulski <christoph@tetrate.io> Co-authored-by: Fabrízio de Royes Mello <fabrizio@ongres.com>
api/envoy/extensions/filters/network/postgres_proxy/v3alpha/postgres_proxy.proto
@cpakulski As you already know, I did a lot of tests against this new implementation using the Postgres regression test suite. But I need to test more cases: replication and authentication using client certificates (testing it today).
dio
left a comment
Looks good. Observed bad merging in the version history.
* http: change frame flood and abuse checks to the upstream HTTP/2 codec to ON by default. It can be disabled by setting the `envoy.reloadable_features.upstream_http2_flood_checks` runtime key to false.
* overload: add support for scaling :ref:`transport connection timeouts<envoy_v3_api_enum_value_config.overload.v3.ScaleTimersOverloadActionConfig.TimerType.TRANSPORT_SOCKET_CONNECT>`. This can be used to reduce the TLS handshake timeout in response to overload.
* postgres: added ability to :ref:`terminate SSL<envoy_v3_api_field_extensions.filters.network.postgres_proxy.v3alpha.PostgresProxy.terminate_ssl>`.
* server: added :ref:`fips_mode <statistics>` statistic.
Corrected. Thanks for catching it!
test/extensions/filters/network/postgres_proxy/postgres_integration_test.cc
And all Postgres regression tests are OK with the last commits of this PR: https://github.com/fabriziomello/envoy-postgres-regression/runs/1810089899?check_suite_focus=true
@cpakulski sorry, another sync to main?
dio
left a comment
Thanks, awesome work! @fabriziomello I think we need to pull in the regression test to be part of the envoy test suite, as mentioned before, probably verify_examples is one of the possible places to do so.
Thanks @dio for reviewing and valuable comments!
Did you mean here? https://github.com/envoyproxy/envoy/tree/main/examples/postgres
@fabriziomello yes.
Commit Message:
Adds ability to use starttls transport socket to terminate SSL at Envoy and pass unencrypted traffic upstream to Postgres server.
Additional Description:
Risk Level: Low
Testing: Added unit and integration tests.
Docs Changes: Yes.
Release Notes: Yes.
Fixes #10942
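As an added illustration (not code from the PR or from the Envoy repository), the listener-side shape this feature enables: the `postgres_proxy` filter with `terminate_ssl` set, in front of a `starttls` transport socket so the connection begins in cleartext (the Postgres wire protocol starts unencrypted and the client asks for TLS with an `SSLRequest`) and is upgraded to TLS when the filter accepts that request. The type URLs follow the `v3alpha` proto path shown above and the `StartTlsConfig` naming of the starttls socket; the addresses, certificate paths, stat prefixes and cluster name are placeholders.

```yaml
# Added example, not from the PR. Addresses, paths and names are placeholders.
static_resources:
  listeners:
  - name: postgres_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 5432
    filter_chains:
    - filters:
      - name: envoy.filters.network.postgres_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.postgres_proxy.v3alpha.PostgresProxy
          stat_prefix: ingress_postgres
          enable_sql_parsing: false
          # Field added by this PR: Envoy answers the client's SSLRequest itself
          # and completes the TLS handshake on the downstream side.
          terminate_ssl: true
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp
          cluster: postgres_cluster
      # The starttls socket starts as a raw buffer and switches to TLS
      # once the postgres_proxy filter asks it to.
      transport_socket:
        name: starttls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.starttls.v3.StartTlsConfig
          cleartext_socket_config: {}
          tls_socket_config:
            common_tls_context:
              tls_certificates:
              - certificate_chain:
                  filename: /etc/envoy/certs/server.crt   # placeholder
                private_key:
                  filename: /etc/envoy/certs/server.key   # placeholder
  clusters:
  # No transport socket on the cluster: per the commit message, traffic
  # leaves Envoy for the Postgres server unencrypted.
  - name: postgres_cluster
    type: STRICT_DNS
    load_assignment:
      cluster_name: postgres_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: postgres.internal   # placeholder
                port_value: 5432
```

The practical consequence of `terminate_ssl: true` is that the client's TLS session ends at Envoy and the Envoy-to-server hop carries cleartext, so that segment needs to be a path you already trust (a local socket, a private network, or another protected hop), and the certificate Envoy presents must be one the Postgres clients are configured to verify (`sslmode=verify-full`) for the termination to give the client the same guarantee it had talking to the server directly.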