feat: auto tls sni #1160

Merged
merged 1 commit into from
Apr 2, 2024

Contributor

@buroa buroa commented Jan 18, 2024

Closes #541

@buroa buroa force-pushed the master branch 2 times, most recently from c0b8c50 to baf9216 Compare January 18, 2024 17:41
Contributor Author

buroa commented Jan 18, 2024

@chungthuang, @sudarshan-reddy Can you check this out & if it makes sense? I have it working on my end, but I don't know if this is the best way to implement it.

buroa added a commit to buroa/k8s-gitops that referenced this pull request Jan 18, 2024
Ref: cloudflare/cloudflared#1160

Signed-off-by: Steven Kreitzer <skre@skre.me>
@buroa buroa changed the title feat: set auto sni feat: auto tls sni Jan 18, 2024
Contributor Author

buroa commented Jan 22, 2024

Maybe @joliveirinha?

Contributor Author

buroa commented Mar 19, 2024

@jcsf Can you help?

Contributor

jcsf commented Mar 19, 2024

> @jcsf Can you help?

Took a look, didn't see anything strange. Let me just discuss this with the team so that we can be sure that this can be merged. Will try to get back to you as soon as possible.

@jcsf jcsf self-requested a review March 21, 2024 15:54
Contributor

@jcsf jcsf left a comment

Removing the approval to avoid accidental merge

@jcsf jcsf self-requested a review March 21, 2024 15:56
Contributor Author

buroa commented Mar 21, 2024

Thanks @jcsf for taking a look here, greatly appreciate it! :-)

Contributor

jcsf commented Mar 21, 2024

@buroa Can you rename the configuration from autoOriginServerName to matchSNItoHost and remove the command line argument? We are no longer adding command line arguments for ingress rules, we are only allowing it in the configuration file.

Contributor Author

buroa commented Mar 21, 2024

> @buroa Can you rename the configuration from autoOriginServerName to matchSNItoHost and remove the command line argument? We are no longer adding command line arguments for ingress rules, we are only allowing it in the configuration file.

Done!

@owenhaynes

This would be handy to merge and cut a release for.

Contributor Author

buroa commented Apr 2, 2024

@jcsf Any update?

@DevinCarr
Contributor

@jcsf is currently busy, but we hope to be able to review this by the end of the week.

@DevinCarr
Contributor

Looks like you will need to make the following changes to this branch to correct the tests:

diff --git a/ingress/rule_test.go b/ingress/rule_test.go
index 1a46f155..a3d12e01 100644
--- a/ingress/rule_test.go
+++ b/ingress/rule_test.go
@@ -204,25 +204,25 @@ func TestMarshalJSON(t *testing.T) {
                {
                        name:     "Nil",
                        path:     nil,
-                       expected: `{"hostname":"example.com","path":null,"service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
+                       expected: `{"hostname":"example.com","path":null,"service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","matchSNItoHost":false,"caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
                        want:     true,
                },
                {
                        name:     "Nil regex",
                        path:     &Regexp{Regexp: nil},
-                       expected: `{"hostname":"example.com","path":null,"service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
+                       expected: `{"hostname":"example.com","path":null,"service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","matchSNItoHost":false,"caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
                        want:     true,
                },
                {
                        name:     "Empty",
                        path:     &Regexp{Regexp: regexp.MustCompile("")},
-                       expected: `{"hostname":"example.com","path":"","service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
+                       expected: `{"hostname":"example.com","path":"","service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","matchSNItoHost":false,"caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
                        want:     true,
                },
                {
                        name:     "Basic",
                        path:     &Regexp{Regexp: regexp.MustCompile("/echo")},
-                       expected: `{"hostname":"example.com","path":"/echo","service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
+                       expected: `{"hostname":"example.com","path":"/echo","service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","matchSNItoHost":false,"caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
                        want:     true,
                },
        }
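
Review bot: All four updated `expected` strings in TestMarshalJSON assert only the default `"matchSNItoHost":false`, so nothing in this hunk exercises the field when it is enabled. Consider adding a case whose rule turns the option on and expects `"matchSNItoHost":true`, so that a wrong JSON tag or a field dropped during marshalling fails the test instead of passing on the zero value.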

Signed-off-by: Steven Kreitzer <skre@skre.me>
Contributor Author

buroa commented Apr 2, 2024

> Looks like you will need to make the following changes to this branch to correct the tests:

diff --git a/ingress/rule_test.go b/ingress/rule_test.go
index 1a46f155..a3d12e01 100644
--- a/ingress/rule_test.go
+++ b/ingress/rule_test.go
@@ -204,25 +204,25 @@ func TestMarshalJSON(t *testing.T) {
                {
                        name:     "Nil",
                        path:     nil,
-                       expected: `{"hostname":"example.com","path":null,"service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
+                       expected: `{"hostname":"example.com","path":null,"service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","matchSNItoHost":false,"caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
                        want:     true,
                },
                {
                        name:     "Nil regex",
                        path:     &Regexp{Regexp: nil},
-                       expected: `{"hostname":"example.com","path":null,"service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
+                       expected: `{"hostname":"example.com","path":null,"service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","matchSNItoHost":false,"caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
                        want:     true,
                },
                {
                        name:     "Empty",
                        path:     &Regexp{Regexp: regexp.MustCompile("")},
-                       expected: `{"hostname":"example.com","path":"","service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
+                       expected: `{"hostname":"example.com","path":"","service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","matchSNItoHost":false,"caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
                        want:     true,
                },
                {
                        name:     "Basic",
                        path:     &Regexp{Regexp: regexp.MustCompile("/echo")},
-                       expected: `{"hostname":"example.com","path":"/echo","service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
+                       expected: `{"hostname":"example.com","path":"/echo","service":"https://localhost:8000","Handlers":null,"originRequest":{"connectTimeout":30,"tlsTimeout":10,"tcpKeepAlive":30,"noHappyEyeballs":false,"keepAliveTimeout":90,"keepAliveConnections":100,"httpHostHeader":"","originServerName":"","matchSNItoHost":false,"caPool":"","noTLSVerify":false,"disableChunkedEncoding":false,"bastionMode":false,"proxyAddress":"127.0.0.1","proxyPort":0,"proxyType":"","ipRules":null,"http2Origin":false,"access":{"teamName":"","audTag":null}}}`,
                        want:     true,
                },
        }
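
Review bot: The "Nil", "Nil regex", "Empty" and "Basic" cases each repeat the full default `originRequest` object inside `expected`, and only the `path` value differs between them, which is why one new option has to be edited on four lines here. Consider building the expected string from a single shared constant with the path substituted in, so the next added `originRequest` field is a one-line test change and the four literals cannot drift apart.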

Done :)

@DevinCarr DevinCarr merged commit b5be8a6 into cloudflare:master Apr 2, 2024
3 of 4 checks passed
Contributor Author

buroa commented Apr 3, 2024

Thanks for the merge @DevinCarr & @jcsf 🧡

@DevinCarr
Contributor

Thank you for the contribution!

Contributor

jcsf commented Apr 10, 2024

This has been released on version 2024.4.0

Successfully merging this pull request may close these issues.

Pass SNI to origin + Istio ingress gateway