Remove gRPC tap server listener from controller #3276
Conversation
Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
} | ||
) | ||
// GRPCTapServer describes the gRPC server implementing tap.Tap_TapByResourceServer | ||
type GRPCTapServer struct { |
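Review bot: the doc comment on GRPCTapServer names the wrong interface. tap.Tap_TapByResourceServer is the per-call stream interface, which this PR satisfies with serverStream/tapByResourceServer ("serverStream and tapByResourceServer provide functionality that satisfy the Tap_TapByResourceServer"), while the description says GRPCTapServer.TapByResource builds a grpcTapServer that "satisfies the tap.TapServer interface". Suggest `// GRPCTapServer describes the gRPC server implementing tap.TapServer` so the comment matches the handler this type actually is, and a second sentence noting that it is now invoked in-process by the tap APIServer rather than served on a listener.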
I decided to make this public because of lint warnings when the type is returned outside the package in main.go.
It does not need to be public, but if I should address the warning a different way I can make that change.
@@ -363,3 +343,38 @@ func renderJSONError(w http.ResponseWriter, err error, status int) { | |||
w.WriteHeader(status) | |||
w.Write(rsp) | |||
} | |||
|
|||
type serverStream struct { |
The implementation here reflects a previous revision of the tap server in stable-2.4.0
this part looks good. recommend putting a big comment above this line for context, and/or, moving everything from here below to another file.
// serverStream and tapByResourceServer provide functionality that satisfy the
// Tap_TapByResourceServer. This allows the Tap APIServer to call
// GRPCTapServer.TapByResource() directly, rather than make the request to an
// actual gRPC over the network.
// TODO: Share this code with streamServer and destinationServer in
// http_server.go.
Integration test results for f6362df: success 🎉
works well! a few housekeeping comments...
Integration test results for 923dbcb: fail 😕
Integration test results for 0bfebc0: success 🎉
lgtm! one comment fixup, shipit pending l5d-bot 👍 🚢
Depends on #3276 Signed-off-by: Andrew Seigner <siggy@buoyant.io>
🔪 💁♂
Integration test results for 0a1ac19: success 🎉
Summary

As an initial attempt to secure the connection from clients to the gRPC tap server on the tap Pod, the tap `addr` only listened on localhost. As @adleong pointed out in #3257, this was not actually secure because the inbound proxy would establish a connection to localhost anyways.

This change removes the gRPC tap server listener and changes `TapByResource` requests to interface with the server object directly. From this, we know that all `TapByResourceRequests` have gone through the tap APIServer and thus have been authorized by RBAC.

Details

`NewAPIServer` now takes a `GRPCTapServer` instead of a `pb.TapClient` so that `TapByResource` requests can interact directly with the `TapByResource` method. `GRPCTapServer.TapByResource` now makes a private `grpcTapServer` that satisfies the `tap.TapServer` interface. Because this interface is satisfied, we can interact with the tap server methods without spawning an additional listener.

Signed-off-by: Kevin Leimkuhler kleimkuhler@icloud.com
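The pattern the PR description outlines, shown as an added, self-contained example (this is not linkerd2's code and does not use its generated protobuf types): a `serverStream` that satisfies the server-streaming interface in-process, so the API server can call `GRPCTapServer.TapByResource` directly after its own authorization check, with no localhost listener for a proxy to reach. The message structs, the `allowed` map standing in for the Kubernetes RBAC check, `NewDemoAPIServer`, and the two sample tap events are all constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Constructed stand-ins for the generated protobuf messages (not linkerd2's types).
type TapByResourceRequest struct {
	Namespace string
	Resource  string
}

type TapEvent struct {
	Source string
	Path   string
}

// Tap_TapByResourceServer is the server side of a gRPC server-streaming call,
// reduced to the two methods the handler needs.
type Tap_TapByResourceServer interface {
	Send(*TapEvent) error
	Context() context.Context
}

// GRPCTapServer is the handler that previously sat behind a localhost gRPC listener.
type GRPCTapServer struct {
	events []TapEvent // constructed sample data
}

// TapByResource streams events until the source is exhausted or the caller's
// context is cancelled. It never looks at who the caller is: that is the API server's job.
func (s *GRPCTapServer) TapByResource(req *TapByResourceRequest, stream Tap_TapByResourceServer) error {
	for i := range s.events {
		if err := stream.Context().Err(); err != nil {
			return err
		}
		if err := stream.Send(&s.events[i]); err != nil {
			return err
		}
	}
	return nil
}

// serverStream satisfies Tap_TapByResourceServer with no network transport:
// Send hands each event to the in-process caller over a channel.
type serverStream struct {
	ctx context.Context
	ch  chan *TapEvent
}

func (s *serverStream) Send(ev *TapEvent) error {
	select {
	case s.ch <- ev:
		return nil
	case <-s.ctx.Done():
		return s.ctx.Err()
	}
}

func (s *serverStream) Context() context.Context { return s.ctx }

// ErrForbidden is returned when the (constructed) RBAC check fails.
var ErrForbidden = errors.New("forbidden: subject may not tap this namespace")

// APIServer is the only entry point. It holds the handler by pointer instead of
// a gRPC client, so there is no socket that the inbound proxy could dial.
type APIServer struct {
	tap     *GRPCTapServer
	allowed map[string]bool // "subject/namespace" -> permitted; stands in for a SubjectAccessReview
}

// TapByResource authorizes the caller, then invokes the handler directly through serverStream.
func (a *APIServer) TapByResource(ctx context.Context, subject string, req *TapByResourceRequest) ([]TapEvent, error) {
	if !a.allowed[subject+"/"+req.Namespace] {
		return nil, ErrForbidden
	}
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()

	stream := &serverStream{ctx: ctx, ch: make(chan *TapEvent)}
	errc := make(chan error, 1)
	go func() {
		errc <- a.tap.TapByResource(req, stream)
		close(stream.ch) // handler is done: unblock the drain loop below
	}()

	var out []TapEvent
	for ev := range stream.ch {
		out = append(out, *ev)
	}
	return out, <-errc
}

// NewDemoAPIServer wires constructed sample data: two tap events and one permitted subject.
func NewDemoAPIServer() *APIServer {
	return &APIServer{
		tap: &GRPCTapServer{events: []TapEvent{
			{Source: "10.0.0.7:41230", Path: "/api/list"},
			{Source: "10.0.0.9:55102", Path: "/api/vote"},
		}},
		allowed: map[string]bool{"alice/emojivoto": true},
	}
}

func main() {
	srv := NewDemoAPIServer()
	req := &TapByResourceRequest{Namespace: "emojivoto", Resource: "deploy/web"}
	for _, subject := range []string{"alice", "mallory"} {
		evs, err := srv.TapByResource(context.Background(), subject, req)
		fmt.Printf("%s: %d events, err=%v\n", subject, len(evs), err)
	}
}
```

The authorization check sits in front of the only call path into `TapByResource`; with the listener gone there is nothing else for the proxy to connect to. The drain loop waits for the handler goroutine to close the channel, so a cancelled context cannot leak a goroutine blocked in `Send`.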