-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
listener-filter: refactor tls_inspector so its logic could be shared with custom filters #4331
listener-filter: refactor tls_inspector so its logic could be shared with custom filters #4331
Conversation
Usage example can be found here: envoyproxy#4236 Signed-off-by: ronenschafferibm <ronen.schaffer@ibm.com>
Signed-off-by: ronenschafferibm <ronen.schaffer@ibm.com>
} | ||
|
||
void Filter::onServername(absl::string_view servername) { | ||
ENVOY_LOG(debug, "tls:onServerName(), requestedServerName: {}", servername); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we keep this similar debug log in tcp_proxy
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it can be useful for debug to track that the SNI in both filters
Given that you're now trying to share code with an out-of-tree filter (in istio), would it make more sense for you to just copy/paste the relevant bits of implementation? Then we don't have to deal with any problems around this code changing and breaking the out-of-tree filter. |
Yes, so the out-of-the-tree filter must duplicate the implementation of the Envoy's filter. Let me summarize the story until now:
Any advice is welcome. |
…or-extract-common
I think this would be a useful addition to envoy, but it doesn't exist right now. Perhaps we add a way to set and get key-value pairs on a connection or a request. Any other opinions on this from @envoyproxy/maintainers ? |
I'd talked to Matt previously about having an extensible per-connection object just as we have a per-stream object - I think it's a great thing for Envoy to have in the long run. I'd prefer we follow the same model we do per HTTP request, where you can add not just strings but arbitrary structured data as well, both for consistency and anticipated feature requirements on our part. |
I agree. I was envisioning string-->Any (for some implementation of Any) |
It would be somewhere between trivial and easy to adapt the existing (newly added) per-request state structure to also be per-connection. See #4219 and the design doc @ https://docs.google.com/document/d/1GNawM59Pp09WZ34zqJYiO_qmERjuGbOUeAqF1GG6v9Q/edit#heading=h.khcea34u1f8a (see Accessing Data Produced by One Filter from Another section). |
@curiouserrandy That looks like it should work. Are you interested in doing the work to adapt it to per-connection state? |
@ggreenway : My apologies, but I don't think I have the cycles at the moment. But it really shouldn't be a lot of work, especially for someone who understands the connection architecture better than I do :-}. Basically, you just need to find the structure that's equivalent to RequestInfo for connections and put a member variable/accessor on it for per-connection-state. That plus whatever tests you and your reviewer consider needed and you're done. Glancing at the source, that might be ConnectionImpl or ClientConnectionImpl, but I don't have enough confidence to throw together a trivial PR for it. |
@ggreenway I can spare a few cycles to work on this. Can you comment on if there is an eqivalent RequestInfo for connections? I'm unsure if @alyssawilk 's comment here indicates that this does not exist. |
@cmluciano Thanks! I think it is a very important functionality. |
@cmluciano No, there is no equivalent of RequestInfo for connections. The closest thing is that I think the common place for filters to get state would be So then the question is whether we should attach a We should probably move this discussion to a new issue, since this is larger than the scope of this PR. |
Let's move this discussion to #4100, in short I think we agreed there to add |
This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
This pull request has been automatically closed because it has not had activity in the last 14 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
Description:
This PR refactors tls_inspector listener filter so its logic could be shared with custom filters.
Usage example can be found here: #4236
This PR is related to issue #4076
Risk Level:
Low
Testing:
since it is refactoring - no new functionality was added, so no new tests are required
Docs Changes:
N/A
Release Notes:
N/A