envoy icon indicating copy to clipboard operation
envoy copied to clipboard

Published 20 hours ago verified publisher icon envoyproxy

conn pool: use hostnames of endpoints as SNI values

Open dmitriyilin opened this issue 1 year ago • 11 comments

Commit Message: conn pool: use hostnames of endpoints as SNI values Additional Description: optional support for usage of upstream cluster endpoints' hostnames as SNI values. This PR is the successor of 34898 with expected improvement of test flakiness. Original PR was reverted by 35212. Risk Level: Low Testing: integration Docs Changes: added information about new mechanism of SNI derivation Release Notes: https://github.com/dmitriyilin/envoy/blob/0f70012a2383dd56cb070199664be44dbd8bbd93/changelogs/current.yaml#L16 Platform Specific Features: N/A Fixes https://github.com/envoyproxy/envoy/issues/15839

dmitriyilin avatar Jul 23 '24 15:07 dmitriyilin

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/). envoyproxy/api-shepherds assignee is @abeyad CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

:cat:

Caused by: https://github.com/envoyproxy/envoy/pull/35380 was opened by dmitriyilin.

see: more, trace.

repokitteh-read-only[bot] avatar Jul 23 '24 15:07 repokitteh-read-only[bot]

fyi, I took "ProxyFilterIntegrationTest, UpstreamTlsInvalidSAN" as basis for the test that was showing flaky behavior "AutoSniIntegrationTest, AutoSniFromUpstreamAndAutoSanValidationFailureTest".

dmitriyilin avatar Jul 23 '24 19:07 dmitriyilin

@adisuissa , could you "rereview" this change?

dmitriyilin avatar Jul 24 '24 15:07 dmitriyilin

Assigning Matt who also reviewed #34898. Can you provide more info about how the flaky test was fixed? /assign @mattklein123

adisuissa avatar Jul 24 '24 19:07 adisuissa

Assigning Matt who also reviewed #34898. Can you provide more info about how the flaky test was fixed? /assign @mattklein123

I had used ProxyFilterIntegrationTest. UpstreamTlsInvalidSAN test as the basis and added missed configuration: FakeUpstream.setReadDisableOnNewConnection(false)

As flaky test validates behaviour in case of failure, I've added explicit cleanup: HttpIntegrationTest.cleanupUpstreamAndDownstream()

dmitriyilin avatar Jul 25 '24 08:07 dmitriyilin

@yanavlasov, @adisuissa, @mattklein123, just a reminder

dmitriyilin avatar Jul 30 '24 06:07 dmitriyilin

Hey! This is exactly the feature I'm needing. Do you think it's possible to do the same using current Envoy's release configuration?

quantumsheep avatar Aug 23 '24 13:08 quantumsheep

Hey! This is exactly the feature I'm needing. Do you think it's possible to do the same using current Envoy's release configuration?

It's a new functionality, so new config is needed.

dmitriyilin avatar Sep 16 '24 14:09 dmitriyilin

@yanavlasov, @adisuissa, @mattklein123 up

dmitriyilin avatar Sep 16 '24 14:09 dmitriyilin

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

github-actions[bot] avatar Oct 16 '24 16:10 github-actions[bot]

@yanavlasov, @adisuissa, @mattklein123 do you see any issues with the changes?

dmitriyilin avatar Oct 17 '24 09:10 dmitriyilin

@mattklein123 @yanavlasov @adisuissa any feedback?

dmitriyilin avatar Nov 07 '24 08:11 dmitriyilin

I too would like this to be merged

quantumsheep avatar Nov 07 '24 18:11 quantumsheep

Can you please merge main and I can take a look?

/wait

mattklein123 avatar Nov 11 '24 16:11 mattklein123

@ggreenway , thanks for the info. I am closing this PR then

dmitriyilin avatar Nov 12 '24 07:11 dmitriyilin