hcm: add match_upstream to SchemeHeaderTransformation#34099
hcm: add match_upstream to SchemeHeaderTransformation#34099adisuissa merged 10 commits intoenvoyproxy:mainfrom
Conversation
|
Hi @wtzhang23, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already. |
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
bd0e1b2 to
90b1609
Compare
|
Small Qs:
|
Signed-off-by: William <wtzhang23@gmail.com>
90b1609 to
d419b59
Compare
|
/retest |
adisuissa
left a comment
There was a problem hiding this comment.
Thanks!
High-level API comment, but otherwise API LGTM.
Signed-off-by: William <wtzhang23@gmail.com>
adisuissa
left a comment
There was a problem hiding this comment.
Thanks!
Please also add a release note.
/assign-from @envoyproxy/senior-maintainers
| filter_callbacks_.connection_.raiseEvent(Network::ConnectionEvent::RemoteClose); | ||
| } | ||
|
|
||
| TEST_F(HttpConnectionManagerImplTest, PassMatchUpstreamSchemeHintToStreamInfo) { |
There was a problem hiding this comment.
High-level comment:
it seems that the relevant part of the test is essentially:
EXPECT_TRUE(filter->callbacks_->streamInfo().shouldSchemeMatchUpstream());
Can this test be refactored to minimize the non-relevant parts?
There was a problem hiding this comment.
Cut as much of the test as I'm familiar with. Will need to dive deeper to see if any other cuts can be made.
| HttpConnectionManagerProto::ServerHeaderTransformation server_transformation_{ | ||
| HttpConnectionManagerProto::OVERWRITE}; | ||
| absl::optional<std::string> scheme_; | ||
| bool scheme_match_upstream_{false}; |
There was a problem hiding this comment.
nit: If this is not being overwritten, consider converting to const.
There was a problem hiding this comment.
Need this to be non-const to override in the PassMatchUpstreamSchemeHintToStreamInfo test I wrote.
|
@envoyproxy/senior-maintainers assignee is @htuch |
…compat Signed-off-by: William <wtzhang23@gmail.com>
Signed-off-by: William <wtzhang23@gmail.com>
Signed-off-by: William <wtzhang23@gmail.com>
Signed-off-by: William <wtzhang23@gmail.com>
|
/retest |
|
Reassigning to @alyssawilk for data plane senior maintainer coverage. |
alyssawilk
left a comment
There was a problem hiding this comment.
I think this version is cleaner, thanks for being willing to move over to it!
/wait on comments
| stream_info_.dynamicMetadata().MergeFrom(options.metadata); | ||
| stream_info_.setIsShadow(options.is_shadow); | ||
| stream_info_.setUpstreamClusterInfo(parent_.cluster_); | ||
| stream_info_.setShouldSchemeMatchUpstream(false); |
There was a problem hiding this comment.
ooc isn't this just setting it to the default? Why not remove?
test/common/router/router_2_test.cc
Outdated
| .value()); | ||
| } | ||
|
|
||
| class RouterTestSchemeMatchUpstream : public RouterTestBase { |
There was a problem hiding this comment.
do you need to subclass? Can't you just put the expect_call in your test body?
There was a problem hiding this comment.
Removed new class and moved code to router.cc where all the tests that use RouterTest live.
source/common/router/router.cc
Outdated
| } | ||
|
|
||
| void FilterUtility::setUpstreamScheme(Http::RequestHeaderMap& headers, bool downstream_secure) { | ||
| void FilterUtility::setUpstreamScheme(Http::RequestHeaderMap& headers, bool downstream_secure, |
There was a problem hiding this comment.
so there's a difference in what we pass in here
I think we need to decide if we want to set scheme based on "is upstream ssl" or "is upstream secure"
e.g. ALTS is secure but not TLS
There was a problem hiding this comment.
Looking at the golang grpc and alts source code, it seems like this should only be set when the upstream is using TLS and not ATLS. The RFC also seems to couple it with TLS.
Given the number of transport sockets, I'm thinking of adding a new virtual method to the transport socket to allow each socket to select which scheme it would like to set. Let me know if you have any opinions.
There was a problem hiding this comment.
Decided to keep it simple and just check if it has an SSL context (TLS) to set the scheme to https, otherwise use http.
| } | ||
|
|
||
| // Set the Scheme header to match the upstream transport protocol. For example, should a | ||
| // request be sent to the upstream over TLS, the scheme header will be set to "https". Should the |
There was a problem hiding this comment.
comment doesn't match code as commented below. Do we want to set ssl over secure transports or only over TLS?
There was a problem hiding this comment.
Decided to set it only over TLS to be consistent with the downstream fallback, which also only sets it if ssl_connection is not null.
Signed-off-by: William <wtzhang23@gmail.com>
Signed-off-by: William <wtzhang23@gmail.com>
…tocol test Signed-off-by: William <wtzhang23@gmail.com>
Signed-off-by: William <wtzhang23@gmail.com>
1ea29f6 to
0a80882
Compare
|
/wait on CI |
|
/retest |
alyssawilk
left a comment
There was a problem hiding this comment.
apologies - this got tagged as waiting due to CI but fixing CI didn't untag.
LGTM. @adisuissa any final thoughts? if not no I'll merge tomorrow.
|
ah actually needs shephard LGTM |
Commit Message: add match_upstream to SchemeHeaderTransformation
Additional Description: Define a new variant that configures the hcm to override the scheme with the upstream transport protocol. The value is accessible by all downstream filters and is specifically used by the Router filter. Renamed variant from
use_upstream_schemeto be clear that the scheme matches the transport protocol.Risk Level: low
Testing: unit testing
Docs Changes: n/a
Release Notes: n/a
Platform Specific Features: n/a
Fixes #33020