Skip to content

http_connection_manager: support multiple SAN URIs for XFCC#20724

Merged
htuch merged 3 commits intoenvoyproxy:mainfrom
jacob-delgado:xfcc-multiple-uri
Apr 12, 2022
Merged

http_connection_manager: support multiple SAN URIs for XFCC#20724
htuch merged 3 commits intoenvoyproxy:mainfrom
jacob-delgado:xfcc-multiple-uri

Conversation

@jacob-delgado
Copy link
Copy Markdown
Contributor

@jacob-delgado jacob-delgado commented Apr 7, 2022

Commit Message:

...when using APPEND_FORWARD and SANITIZE set.

Currently XFCC only keeps the first URI in a certificate or a header presented
to it.

This works fine for most use cases, however, not everyone uses a single
URI (typically spiffe:// only).

Add every URI present to the 'By=' portion as well as the 'URI=' portion of an
XFCC header.

Additional Description:
Risk Level: Low
Testing: Unit and integration tests
Docs Changes: Yes. The appropriate http_connection_managers configuration section.
Release Notes: Yes
Fixes #20723

@jacob-delgado
Copy link
Copy Markdown
Contributor Author

jacob-delgado commented Apr 8, 2022

The core requirement we are asked is to support is URI=. However, as I was reviewing the code I stumbled on By= also just looking at the code. I'm not sure if this was intentional or not.

I can put this behind a feature toggle if needed to get this merged. I would also like for this to be as a feature toggle in Envoy 1.19-1.21 as well, if possible. Thoughts?

@jacob-delgado
Support multiple SAN URIs for XFCC
f14ed31 
...when using APPEND_FORWARD and SANITIZE set.

Currently XFCC only keeps the first URI in a certificate or a header presented
to it.

This works fine for most use cases, however, not everyone uses a single
URI (typically spiffe:// only).

Add every URI present to the 'By=' portion as well as the 'URI=' portion of an
XFCC header.

Signed-off-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info>
@jacob-delgado
Run code formatting
6fa8095 
Signed-off-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info>
@jacob-delgado
Fix docs
dadca33 
Signed-off-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info>
@jacob-delgado
Copy link
Copy Markdown
Contributor Author

jacob-delgado commented Apr 8, 2022

/retest

@repokitteh-read-only
Copy link
Copy Markdown

repokitteh-read-only bot commented Apr 8, 2022

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #20724 (comment) was created by @jacob-delgado.

see: more, trace.

lizan
lizan approved these changes Apr 11, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@lizan lizan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good and I don't feel strongly we need a toggle for main branch.

Though I don't think we should backport either even with a toggle but backports are up to stable maintainer @pradeepcrao

@zuercher
Copy link
Copy Markdown
Member

zuercher commented Apr 11, 2022

/assign-from @envoyproxy/senior-maintainers

@repokitteh-read-only
Copy link
Copy Markdown

repokitteh-read-only bot commented Apr 11, 2022

@envoyproxy/senior-maintainers assignee is @htuch

🐱

Caused by: a #20724 (comment) was created by @zuercher.

see: more, trace.

htuch
htuch reviewed Apr 12, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@htuch htuch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lizan is senior maintainers, so will merge.

@htuch htuch merged commit b67a3fc into envoyproxy:main Apr 12, 2022
vehre-x41 pushed a commit to vehre-x41/envoy that referenced this pull request Apr 19, 2022
@jacob-delgado @vehre-x41
http_connection_manager: support multiple SAN URIs for XFCC (envoypro…
1a21b50 
…xy#20724)

...when using APPEND_FORWARD and SANITIZE set.

Currently XFCC only keeps the first URI in a certificate or a header presented
to it.

This works fine for most use cases, however, not everyone uses a single
URI (typically spiffe:// only).

Add every URI present to the 'By=' portion as well as the 'URI=' portion of an
XFCC header.

Additional Description:
Risk Level: Low
Testing: Unit and integration tests
Docs Changes: Yes. The appropriate http_connection_managers configuration section.
Release Notes: Yes
Fixes envoyproxy#20723

Signed-off-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info>
Signed-off-by: Andre Vehreschild <vehre@x41-dsec.de>
@jacob-delgado jacob-delgado deleted the xfcc-multiple-uri branch May 19, 2022 16:13
ravenblackx pushed a commit to ravenblackx/envoy that referenced this pull request Jun 8, 2022
@jacob-delgado @ravenblackx
http_connection_manager: support multiple SAN URIs for XFCC (envoypro…
f606ec2 
…xy#20724)

...when using APPEND_FORWARD and SANITIZE set.

Currently XFCC only keeps the first URI in a certificate or a header presented
to it.

This works fine for most use cases, however, not everyone uses a single
URI (typically spiffe:// only).

Add every URI present to the 'By=' portion as well as the 'URI=' portion of an
XFCC header.

Additional Description:
Risk Level: Low
Testing: Unit and integration tests
Docs Changes: Yes. The appropriate http_connection_managers configuration section.
Release Notes: Yes
Fixes envoyproxy#20723

Signed-off-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@htuch htuch htuch left review comments

@lizan lizan lizan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@htuch htuch

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

XFCC in APPEND_FORWARD or SANITIZE_SET only uses the first URI present

4 participants

@jacob-delgado @zuercher @lizan @htuch