SNI-based dynamic forward proxy filter #10448
mattklein123 merged 22 commits into envoyproxy:master from
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
…rd_proxy Signed-off-by: Lizan Zhou <lizan@tetrate.io>
/wait
/lgtm api
junr03 left a comment:
mostly lgtm assigning to @mattklein123 so he can take a pass.
mattklein123 left a comment:
Thanks this is super cool. Just a few small comments.
/wait
| [(validate.rules).message = {required: true}]; | ||
|
|
||
| oneof port_specifier { | ||
| // The port number to connect to the upstream. |
Is this flexible enough? Might we need different ports for different hosts at some point? Is that why you did the oneof?
Yes that's the reason we have oneof here as pointed out by @htuch. SNI itself doesn't contain port number but we can support original dst port etc.
Please merge master to pick up #10672. We no longer accept changes to v2 (without explicit exception), so any API modifications should happen in v3. If this PR is adding a new proto, please follow the updated instructions in https://github.com/envoyproxy/envoy/blob/master/api/STYLE.md#adding-an-extension-configuration-to-the-api.
This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!
mattklein123 left a comment:
Thanks LGTM with 1 question. Can you also merge master?
/wait
| return Network::FilterStatus::Continue; | ||
| } | ||
|
|
||
| // TODO(lizan): implement circuit breaker in SNI dynamic forward proxy like it is in HTTP: |
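Review bot: the TODO on the last line of this snippet defers the circuit breaker and ends at a colon, so the reference it points to is not visible here. Because the filter resolves a name taken from the client's ClientHello, the TODO should name a tracking issue, and the filter's documentation should state that no circuit breaking applies until that lands.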
Is there a reason not to do this now since it's pretty easy? Or can this be done as an immediate follow up? This is going to get used and this is a pretty big potential issue I think?
Unlike HTTP, in network filters we don't have immediate access to cluster info through filter callbacks. There is plumbing that needs to happen there.
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Description:
Implement a network filter to do DNS resolution based on SNI. So a TCP connection can be routed to a dynamic_forward_proxy cluster based on that.
Risk Level: Low (extension only)
Testing: manual, unit test, integration test.
Docs Changes: protodoc
Release Notes: Added
Fixes #9916