envoy: Add host identity (nphds) gRPC client #3407
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
houndci-bot
reviewed
Mar 30, 2018
| @@ -38,21 +41,33 @@ func (m *BpfMetadata) GetIsIngress() bool { | |||
| return false | |||
| } | |||
|
|
|||
| func (m *BpfMetadata) GetApiConfigSource() *envoy_api_v2_core2.ApiConfigSource { | |||
There was a problem hiding this comment.
exported method BpfMetadata.GetApiConfigSource should have comment or be unexported
func GetApiConfigSource should be GetAPIConfigSource
| @@ -17,6 +18,8 @@ type BpfMetadata struct { | |||
| BpfRoot string `protobuf:"bytes,1,opt,name=bpf_root,json=bpfRoot" json:"bpf_root,omitempty"` | |||
| // 'true' if the filter is on ingress listener, 'false' for egress listener. | |||
| IsIngress bool `protobuf:"varint,2,opt,name=is_ingress,json=isIngress" json:"is_ingress,omitempty"` | |||
| // gRPC API config source for policy host mapping | |||
| ApiConfigSource *envoy_api_v2_core2.ApiConfigSource `protobuf:"bytes,3,opt,name=api_config_source,json=apiConfigSource" json:"api_config_source,omitempty"` | |||
There was a problem hiding this comment.
struct field ApiConfigSource should be APIConfigSource
|
test-me-please |
90339e9 to
f5ef252
Compare
houndci-bot
reviewed
Mar 30, 2018
| @@ -107,11 +107,11 @@ func (m *PortNetworkPolicy) GetPort() uint32 { | |||
| return 0 | |||
| } | |||
|
|
|||
| func (m *PortNetworkPolicy) GetProtocol() envoy_api_v2_core3.SocketAddress_Protocol { | |||
| func (m *PortNetworkPolicy) GetProtocol() envoy_api_v2_core.SocketAddress_Protocol { | |||
There was a problem hiding this comment.
exported method PortNetworkPolicy.GetProtocol should have comment or be unexported
Refactor gRPC subscription code to share it for host IP - security ID mapping. We never supported using more than one "xdsCluster", hard code it so that we don't need to keep configuring it from all filter instances. Change "bpf_root" default to an empty string, and do not use bfp if "bpf_root" is not configured. Do not try to remove proxymap entries if we don't know the proxy_port (zero proxy_port implies no bpf). Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
No resources means we should delete all cached policies, rather than return without doing anything. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Running Envoy tests under gdb requires the sources to be available via 'external'. It should be created as a symlink to 'bazel-envoy/external' once bazel has fetched the dependencies. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
…dentity update for IP If the identity is updated for an endpoint, the XDS cache not only needs to have the new identity to list of IPs mapping updated, it needs to have the old identity to IP mapping updated as well to account that the IP for which a key-value store Create or Modify event no longer maps to its old identity. Delete the identity from the XDS cache if it no longer maps to any IPs in the IPIdentityCache, or update it with the list of IPs that it still maps to. Signed-off by: Ian Vernon <ian@cilium.io>
f5ef252 to
7226738
Compare
|
test-me-please |
tgraf
approved these changes
Mar 30, 2018
30 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adding the gRPC client for NPHDS makes the destination identity available for
L3-dependent egress policy enforcement.
Refactor gRPC subscription code to share it for host IP - security ID mapping.
We never supported using more than one "xdsCluster", hard code it so
that we don't need to keep configuring it from all filter instances.
Change "bpf_root" default to an empty string, and do not use bfp if
"bpf_root" is not configured.
Do not try to remove proxymap entries if we don't know the proxy_port
(zero proxy_port implies no bpf).
NOTE: Ian's xds cache fix (#3403) is cherry-picked here to be able to test this in CI.