-
Notifications
You must be signed in to change notification settings - Fork 690
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added support for upstream verification for TCPProxy #6079
Added support for upstream verification for TCPProxy #6079
Conversation
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #6079 +/- ##
==========================================
- Coverage 78.82% 78.81% -0.02%
==========================================
Files 138 138
Lines 19766 19790 +24
==========================================
+ Hits 15581 15597 +16
- Misses 3878 3884 +6
- Partials 307 309 +2
|
4420dca
to
1987eac
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @tsaarni, looks pretty good to me
1987eac
to
6308022
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, but GitHub is unhappy with the PR, may need a rebase or just a kick.
Signed-off-by: Tero Saarni <[email protected]>
6308022
to
6773a1a
Compare
|
||
c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{ | ||
Resources: resources(t, | ||
tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil, nil), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe a refactor for the future, but since we only really have one fixture for cert content, we end up asserting on the same value everywhere ([]byte(featuretests.CERTIFICATE)
), would be good to maybe at least use the field from caSecret
for readability? (looks like sec2
in the other test below?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 While adding the test I was reminded that I would have preferred to remove the hardcoded test certificates & private keys from the code. I'll check if I could simplify this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've updated the tests so that they use the field from CA secret, though this will be bit simpler if we merge #6100 as it will allow passing the secret itself.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now updated according to #6100
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just one nit on the featuretests, otherwise LGTM
Signed-off-by: Tero Saarni <[email protected]>
Signed-off-by: Tero Saarni <[email protected]>
This PR adds support for upstream verification for TCPProxy.
As discussed in #4373 (comment) the API has always allowed setting
httpproxy.spec.tcpproxy.services.validation
but it has been ignored by the implementation.Updates #4373