NET-4774 - replace usage of deprecated Envoy field match_subject_alt_names #19954

Merged
merged 1 commit into from
Dec 22, 2023

jmurret
Member

@jmurret jmurret commented Dec 14, 2023

Description

match_subject_alt_names has been available since at least Envoy 1.20

Testing & Reproduction steps

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@jmurret jmurret added backport/1.15 This release series is no longer active on CE. Use backport/ent/1.15. backport/1.16 This release series is no longer active on CE. Use backport/ent/1.16. backport/1.17 This release series is no longer active on CE. Use backport/ent/1.17. labels Dec 14, 2023
@github-actions github-actions bot added the theme/envoy/xds Related to Envoy support label Dec 14, 2023
@jmurret jmurret force-pushed the jm/NET-4774 branch 4 times, most recently from b45a64c to b1e93af Compare December 15, 2023 21:56
@jmurret jmurret changed the title NET-4774 - replace usage of deprecated Envoy fields match_subject_alt_names and google_re2 NET-4774 - replace usage of deprecated Envoy field match_subject_alt_names Dec 15, 2023
@jmurret jmurret force-pushed the jm/NET-4774 branch 5 times, most recently from 0196da8 to 6f86e3d Compare December 22, 2023 16:55
@jmurret jmurret marked this pull request as ready for review December 22, 2023 17:55
Makefile Outdated
ENVOY_VERSION?='1.28.0'
ENVOY_VERSION?='1.25.4'
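Review bot: the Makefile hunk switches the `ENVOY_VERSION?=` default between '1.28.0' and '1.25.4', which is unrelated to replacing `match_subject_alt_names` as the PR title states. Drop it from this branch, or if the version change is intended, move it to its own PR so that the backports to 1.15, 1.16 and 1.17 do not pick up an Envoy version change unnoticed.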
Member

Guessing this is an accidental diff from your other recent PR?

Member Author

Thank you. Fixed this.

@jmurret jmurret force-pushed the jm/NET-4774 branch 2 times, most recently from 6b3fe3b to 6461f90 Compare December 22, 2023 18:12
jmurret added a commit that referenced this pull request Jan 2, 2024
…subject_alt_names into release/1.17.x (#20057)

NET-4774 - replace usage of deprecated Envoy field match_subject_alt_names (#19954)

Co-authored-by: John Murret <john.murret@hashicorp.com>
jmurret added a commit that referenced this pull request Jan 2, 2024
…subject_alt_names into release/1.16.x (#20056)

NET-4774 - replace usage of deprecated Envoy field match_subject_alt_names (#19954)

Co-authored-by: John Murret <john.murret@hashicorp.com>
jmurret added a commit that referenced this pull request Jan 2, 2024
…subject_alt_names into release/1.15.x (#20055)

* NET-4774 - replace usage of deprecated Envoy field match_subject_alt_names (#19954)

* Delete agent/xdsv2/listener_resources.go

* fix golden tests

---------

Co-authored-by: John Murret <john.murret@hashicorp.com>
hashi-derek added a commit that referenced this pull request Jan 31, 2024
Fixes issue: #20360

A regression was introduced in #19954 where the SAN validation
matching was reduced from 4 potential types down to just the URI.

Terminating gateways will need to match on many fields depending on user
configuration, since they make egress calls outside of the cluster. Having more
than one matcher behaves like an OR operation, where any match is sufficient to
pass the certificate validation. To maintain backwards compatibility with the
old untyped `match_subject_alt_names` Envoy behavior, we should match on all 4
enum types.

https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#enum-extensions-transport-sockets-tls-v3-subjectaltnamematcher-santype
hashi-derek added a commit that referenced this pull request Jan 31, 2024
…6.x (#20418)

Fix SAN matching on terminating gateways (#20417)

Fixes issue: #20360

A regression was introduced in #19954 where the SAN validation
matching was reduced from 4 potential types down to just the URI.

Terminating gateways will need to match on many fields depending on user
configuration, since they make egress calls outside of the cluster. Having more
than one matcher behaves like an OR operation, where any match is sufficient to
pass the certificate validation. To maintain backwards compatibility with the
old untyped `match_subject_alt_names` Envoy behavior, we should match on all 4
enum types.

https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#enum-extensions-transport-sockets-tls-v3-subjectaltnamematcher-santype

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
hashi-derek added a commit that referenced this pull request Jan 31, 2024
…7.x (#20419)

Fix SAN matching on terminating gateways (#20417)

Fixes issue: #20360

A regression was introduced in #19954 where the SAN validation
matching was reduced from 4 potential types down to just the URI.

Terminating gateways will need to match on many fields depending on user
configuration, since they make egress calls outside of the cluster. Having more
than one matcher behaves like an OR operation, where any match is sufficient to
pass the certificate validation. To maintain backwards compatibility with the
old untyped `match_subject_alt_names` Envoy behavior, we should match on all 4
enum types.

https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#enum-extensions-transport-sockets-tls-v3-subjectaltnamematcher-santype

Co-authored-by: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
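
The regression described in the commit messages above (typed SAN matching narrowed to URI only, then restored to all four types) can be reproduced with a small model. This is an added example, not code from Consul or Envoy: `Accepts`, `AllTypes`, `Sample` and the sample names are assumptions, and matching is simplified to exact string comparison.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net/url"
)

// sans groups a certificate's subject alternative names by SAN type.
func sans(c *x509.Certificate) map[string][]string {
	m := map[string][]string{"EMAIL": c.EmailAddresses, "DNS": c.DNSNames}
	for _, u := range c.URIs {
		m["URI"] = append(m["URI"], u.String())
	}
	for _, ip := range c.IPAddresses {
		m["IP_ADDRESS"] = append(m["IP_ADDRESS"], ip.String())
	}
	return m
}

// Accepts models validation when the control plane emits one exact matcher per
// listed SAN type for the configured name; matchers are ORed, so one hit passes.
func Accepts(c *x509.Certificate, name string, types ...string) bool {
	have := sans(c)
	for _, t := range types {
		for _, s := range have[t] {
			if s == name {
				return true
			}
		}
	}
	return false
}

// AllTypes lists the four SAN types the fix matches on.
var AllTypes = []string{"EMAIL", "DNS", "URI", "IP_ADDRESS"}

// Sample returns constructed certificates: an external DNS-only one and a mesh URI-only one.
func Sample() (dns, uri *x509.Certificate) {
	u, _ := url.Parse("spiffe://example.test/svc/web")
	return &x509.Certificate{DNSNames: []string{"api.example.com"}}, &x509.Certificate{URIs: []*url.URL{u}}
}

func main() {
	dns, _ := Sample()
	fmt.Println("URI matcher only:", Accepts(dns, "api.example.com", "URI"))
	fmt.Println("all four types: ", Accepts(dns, "api.example.com", AllTypes...))
}
```

A terminating gateway whose upstream presents only a DNS SAN fails validation under the URI-only matcher, which is why the symptom is rejected egress connections rather than a weakened check.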