Backport of ext-authz Envoy extension: support localhost as a valid target URI into release/1.16.0 #17838


@cthain cthain commented Jun 21, 2023

Backport

This PR is for backporting #17821 to release/1.16.0

The below text is copied from the body of the original PR.


Description

This PR fixes a bug in the builtin/ext-authz extension when using localhost as the target URI. When using an upstream on the localhost network we configure a STATIC cluster type that requires using an IP address. The extension was configuring the cluster with the localhost hostname, which caused Envoy to reject the xDS configuration update with an error similar to:

2023-06-20T16:27:39.907Z [ERROR] agent.envoy.xds: got error response from envoy proxy: service_id=default/default/api-5f54fbf97-vkpgr-api-sidecar-proxy typeUrl=type.googleapis.com/envoy.config.cluster.v3.Cluster xdsVersion=v3 nonce=00000006 error="rpc error: code = Internal desc = Error adding/updating cluster(s) local_ext_authz: malformed IP address: localhost. Consider setting resolver_name or setting cluster type to 'STRICT_DNS' or 'LOGICAL_DNS'"

Testing & Reproduction steps

  • I found this testing the ext_authz extension using Consul on k8s.
    • I tested the fix successfully in this same environment
  • I've updated the agent/xds golden tests to ensure that IP addresses result in a STATIC cluster type and that localhost results in a STRICT_DNS cluster type, when creating the cluster definition.
  • Added some additional unit tests to the ext-authz extension to cover some additional error cases.

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern
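
The cluster-type selection described in the PR above, as an added example that is not part of the original PR or of Consul's code. `ClusterTypeFor` is a hypothetical helper; rejecting every target that is not on the loopback network is this example's own assumption, and the sample targets are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strconv"
	"strings"
)

// ClusterTypeFor (hypothetical helper) parses a "host:port" target and picks
// the Envoy discovery type the way the PR's tests describe it: an IP literal
// gets STATIC, the localhost hostname gets STRICT_DNS. Assumption of this
// example: the target must be local, so anything else is rejected.
func ClusterTypeFor(uri string) (string, error) {
	host, portStr, err := net.SplitHostPort(uri)
	if err != nil {
		return "", fmt.Errorf("invalid target URI %q: %w", uri, err)
	}
	port, err := strconv.ParseUint(portStr, 10, 16)
	if err != nil || port == 0 {
		return "", fmt.Errorf("invalid port in target URI %q", uri)
	}
	if addr, err := netip.ParseAddr(host); err == nil {
		if !addr.IsLoopback() {
			return "", fmt.Errorf("%s is not a loopback address", host)
		}
		return "STATIC", nil // STATIC endpoints must be IP literals
	}
	if strings.EqualFold(host, "localhost") {
		return "STRICT_DNS", nil // a hostname needs a DNS-resolving type
	}
	return "", fmt.Errorf("%q is neither a loopback IP nor localhost", host)
}

func main() {
	// Constructed sample targets.
	samples := []string{"127.0.0.1:9191", "[::1]:9191", "localhost:9191", "10.0.0.5:9191"}
	for _, uri := range samples {
		clusterType, err := ClusterTypeFor(uri)
		fmt.Printf("%-16s type=%q err=%v\n", uri, clusterType, err)
	}
}
```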

@cthain cthain added type/docs Documentation needs to be created/updated/clarified theme/envoy/xds Related to Envoy support labels Jun 21, 2023
@cthain cthain self-assigned this Jun 21, 2023
@cthain cthain requested a review from a team as a code owner June 21, 2023 20:59
@github-actions github-actions bot added pr/dependencies PR specifically updates dependencies of project theme/api Relating to the HTTP API interface theme/cli Flags and documentation for the CLI interface theme/config Relating to Consul Agent configuration, including reloading theme/contributing Additions and enhancements to community contributing materials type/ci Relating to continuous integration (CI) tooling for testing or releases labels Jun 21, 2023
@cthain cthain changed the base branch from main to release/1.16.0 June 21, 2023 20:59

@NicoletaPopoviciu NicoletaPopoviciu left a comment


LGTM compared w the original PR

@cthain cthain merged commit bbcdef6 into release/1.16.0 Jun 22, 2023
@cthain cthain deleted the backport/cthain/manual/net-4631/translate-localhost-to-ip branch June 22, 2023 13:02