[WiP] api: annotations for fields that should be set for untrusted en… #11058
Conversation
…vironments. This PR is an early prototype of a new flow for indicating that fields needs to be set in the presence of untrusted downstreams/upstreams. Based on the (yet to be merged) cncf/udpa#28, a worked example of a YAML example in bootstrap.proto for overload_manager is provided. The new security annotations are validated during docs build for correctness and used to generate inline docs where fields are defined. This is intended to supplement and eventually replace https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#best-practices-edge. Work still to be done: - Decide if this is the approach we want to take. - Fix protoformat toolchain to work with fields inside the annotations. - Annotate remaining fields from https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#best-practices-edge - Cleanup protodoc Python for style reasons and make error handling more robust. Risk level: Low Testing: Docs inspection Part of envoyproxy#9087 Signed-off-by: Harvey Tuch <htuch@google.com>
| configure_for_untrusted_upstream: true | ||
| example_configs { | ||
| example: | ||
| " refresh_interval: 0.25s\n" |
There was a problem hiding this comment.
Protobuf strings don't support multi-line, so you have this ugliness with "\n". The alternative is we have a text proto fragment here buried inside an Any, but when I tried that, it caused the protobuf compiler to hang, so we'd need to debug that. The other downside of text proto is that it's an unfamiliar syntax to most folks.
There was a problem hiding this comment.
@lizan @mattklein123 WDYT about the best approach to handling this? I'm almost starting to think that putting examples inline might not be the greatest idea, but in this prototype it does seem to work reasonably well, see the generated docs. From an end user UX, it's helpful to have these directly attached to the fields.
There was a problem hiding this comment.
I would start with annotations and possibly a comment to sec config docs. The issue is 1 size does not fit all limits and timeouts when operating with untrusted downstreams and upstreams. Typical example is H2 flow control windows; setting them too small will result in poor performance when the remote endpoint has high RTT as is typical for a downstream client somewhere in the internets (or a cruise ship).
There was a problem hiding this comment.
@antoniovicente what do you mean by annotations here? Does this example constitute an annotation from your view point?
There was a problem hiding this comment.
I was referring to things like configure_for_untrusted_upstream. Those are great. I think example config needs to be reconsidered; we can always introduce it later if we decide it is necessary.
There was a problem hiding this comment.
Yeah, I think we can drop the experiment here on inline examples due to size and poor proto representation capabilities. I'll switch to the simpler configure_foo annotations.
There was a problem hiding this comment.
sgtm. I do like the idea of baking in defaults for different "profiles" but maybe we can figure that out separately.
There was a problem hiding this comment.
I have an alternative idea on how to achieve the programmatic association of examples or defaults with API protos. We could use a similar approach to what I want to do for proxy-specific docs comments. We start with the normal protos as defined today. We then add a manifest file, which is a map from to comment or example, e.g.
envoy.config.listener.v3.Listener.foo_field: "foo isn't implemented yet in super-duper proxy.
envoy.config.listener.v3.Listener.bar: "bar is alpha in super-duper proxy.
Protodoc can then glue this manifest as it generates docs for each proto.
We can do a similar thing for these secure default examples, getting the same end results as in this PR, but without modifying any of the protos, and also by using natural YAML syntax.
WDYT? I'm hoping I can kill two birds with one stone and address @alyssawilk ask here.
There was a problem hiding this comment.
Yeah that looks neat and a great step in the right direction! As I said offline to @htuch I think also with this Python close we are very close to having a Python sphinx plugin that can check examples inline. It would be really awesome to be able to add those directly in the RST files and/or link out to include things in the manfiest.
Signed-off-by: Harvey Tuch <htuch@google.com>
|
For reference, see the |
|
/assign @antoniovicente |
|
|
||
| # Load the central repo's install function from its `//:requirements.bzl` file, | ||
| # and call it. | ||
| load("@protodoc_deps//:requirements.bzl", "pip_install") |
There was a problem hiding this comment.
@lizan I'm trying to roll this into envoy_dependency_imports() and envoy_dependencies(). Unfortunately, I think this requires a 3 stage load(..)/invoke function from load sequence. The core issue is that we can't do the pip3_import in envoy_dependencies(), since it needs @rules_protobuf, which itself is only loaded from repository_locations.bzl in repositories.bzl.
Any ideas on how to do this in 2 stages? If not, I think we need to add a envoy_dependencies_extra() stage to this flow.
|
Closing this out as it's replaced by #11151. |
This PR replaces envoyproxy#11058, taking a slightly different approach. We utilize field options to annotate fields that should be set for untrusted environments with [configure_for_untrusted_downstream, configure_for_untrusted_downstream]. Defaults are provided out-of-band, in a manifest files in docs/edge_defaults_manifest.yaml. Protodoc glues the manifest and options together when generating field documentation, providing an additional notice for sensitive fields. This PR depends on envoyproxy#11108 first merging to provide the pip3 build infrastructure. Risk level: Low (docs only). Testing: Inspection of generated docs. Signed-off-by: Harvey Tuch <htuch@google.com>
This PR replaces #11058, taking a slightly different approach. We utilize field options to annotate fields that should be set for untrusted environments with [configure_for_untrusted_downstream, configure_for_untrusted_downstream]. Defaults are provided out-of-band, in a manifest files in docs/edge_defaults_manifest.yaml. Protodoc glues the manifest and options together when generating field documentation, providing an additional notice for sensitive fields. This PR depends on #11108 first merging to provide the pip3 build infrastructure. Risk level: Low (docs only). Testing: Inspection of generated docs. Signed-off-by: Harvey Tuch <htuch@google.com>
…vironments.
This PR is an early prototype of a new flow for indicating that fields
needs to be set in the presence of untrusted downstreams/upstreams.
Based on the (yet to be merged)
cncf/udpa#28, a worked example of a YAML example
in bootstrap.proto for overload_manager is provided. The new security
annotations are validated during docs build for correctness and used to
generate inline docs where fields are defined.
This is intended to supplement and eventually replace
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#best-practices-edge.
Work still to be done:
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#best-practices-edge
Risk level: Low
Testing: Docs inspection
Part of #9087
Signed-off-by: Harvey Tuch htuch@google.com