Conversation
Istio now can handle HTTPS (originated by the application). The decision to use HTTP or HTTPS now is unrelated to the fact that the appliation runs with Istio or without it.
Codecov Report
@@ Coverage Diff @@
## master #6842 +/- ##
======================================
+ Coverage 71% 71% +1%
======================================
Files 369 369
Lines 31977 32017 +40
======================================
+ Hits 22461 22532 +71
+ Misses 8597 8558 -39
- Partials 919 927 +8
Continue to review full report at Codecov.
|
| - containerPort: 9080 | ||
| env: | ||
| - name: WITH_ISTIO | ||
| - name: DO_NOT_USE_TLS_FOR_EXTERNAL_SERVICE_CALLS |
There was a problem hiding this comment.
Shouldn’t we be setting this to false always to show SNI routing ?
Also this name is too big. I suggest use_https_googleapis which is short n sweet
There was a problem hiding this comment.
@rshriram I propose to use this example to demonstrate both HTTP with TLS origination and HTTPS, and to compare between them. The idea is to demonstrate an organization that requires monitoring of the content and requires not to use TLS (HTTP with TLS origination). The environment variable simulates some general policy variable to enforce the policy of the organization. Maybe a simpler name would be DO_NOT_USE_TLS or DO_NOT_ENCRYPT.
Then I will compare this approach with HTTPS - an organization that does not have strict monitoring requirements and is OK to perform monitoring by SNI.
| # WITH_ISTIO means that the details app runs with an Istio sidecar injected. | ||
| # DO_NOT_ENCRYPT means that the app must access external services without TLS, | ||
| # using unencrypted traffic protocols like HTTP. The TLS origination will be | ||
| # performed if needed, elsewhere, e.g. by a sidecar proxy. |
There was a problem hiding this comment.
This description seems too general and confusing. If I understand correctly, the flag is simply used to configure the code to use either HTTP or HTTPS when calling the external service, with HTTPS the default. I would suggest simply explaining what the flag does:
# DO_NOT_ENCRYPT is used to configure the details service to use either HTTP (true) or HTTPS (false, default)
# when calling the external service to retrieve the book information.
IMO, explaining that a sidecar may perform TLS origination is not helpful here, that belongs in the docs.
| # Without the Istio sidecar injected, the TLS origination must be performed by the `http` object, | ||
| # by setting `use_ssl` field to true. | ||
| unless ENV['WITH_ISTIO'] === 'true' then | ||
| # If this environment variable is false, the app must use TLS, e.g. HTTPS, to access |
There was a problem hiding this comment.
Unless this environment variable is set to true, the app will use TLS (HTTPS) to access
niaquinto/gradle has been removed from docker
* Switch back to standard ratings image * Remove unneeded file name * Update Writer flush in productpage.py * Allow services domain to be configurable * This is needed to run on CloudFoundry
|
So there's good news and bad news. 👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there. 😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request. Note to project maintainer: This is a terminal state, meaning the |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: frankbu, vadimeisenbergibm The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
New changes are detected. LGTM label has been removed. |
|
/test e2e-mixer-no_auth |
|
/test e2e-bookInfo-envoyv2-v1alpha3 |
|
/test e2e-mixer-no_auth |
|
@vadimeisenbergibm: The following test failed, say
DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@vadimeisenbergibm can we do this on release-1.0 branch? That will get merged periodically. |
|
@andraxylia yes, let me resubmit the PR to release-1.0 branch. |
|
Resubmitted as #6988 to release-1.0. |
Today, after TLS external services are supported without necessary TLS origination, https://istio.io/blog/2018/egress-https/ must be rewritten to show access with TLS origination and without it. The code of the details must be changed accordingly.