fips: force stackdriver to use TLSv1.2 #5339

Merged
merged 1 commit into from
Feb 16, 2024

Conversation

kyessenov
Copy link
Contributor

Unconditional enforcement of istio/istio#49081 for GCP Stackdriver, since TLSv1.2 is sufficient.

Change-Id: Icd1cd577c039512bb90234642719a8b5d3523567
Signed-off-by: Kuat Yessenov <kuat@google.com>
@kyessenov kyessenov requested a review from a team as a code owner February 15, 2024 23:05
@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Feb 15, 2024
@@ -80,16 +81,19 @@ getStackdriverOptions(const Wasm::Common::FlatNode& local_node_info,
}
}

auto ssl_creds_options = grpc::SslCredentialsOptions();
grpc::experimental::TlsChannelCredentialsOptions tls_options;
tls_options.set_max_tls_version(grpc_tls_version::TLS1_2);
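Review bot: only the ceiling is pinned on the last added line (`tls_options.set_max_tls_version(grpc_tls_version::TLS1_2);`); the floor is left to gRPC's default, so the "TLS 1.2 only" behaviour the PR title promises depends on a library default rather than on this code. Add `tls_options.set_min_tls_version(grpc_tls_version::TLS1_2);` beside it, and a one-line comment saying the cap exists for FIPS (istio/istio#49081) so a later reader does not "fix" it by re-enabling TLS 1.3. The preceding context line still constructs `auto ssl_creds_options = grpc::SslCredentialsOptions();`; if the new TlsChannelCredentialsOptions path supersedes it, check that it does not remain unused in the lines outside this excerpt.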
Contributor

Is the intention to 1) only use TLS 1.2 or 2) avoid using TLS 1.3?
From the following code in the CL, the intention seems to be 2), but the title of the CL seems to indicate 1).

tls_options.set_max_tls_version(grpc_tls_version::TLS1_2);

Contributor Author

It's the same. gRPC sets TLS 1.2 as a minimum version.

@@ -80,16 +81,19 @@ getStackdriverOptions(const Wasm::Common::FlatNode& local_node_info,
}
}

auto ssl_creds_options = grpc::SslCredentialsOptions();
grpc::experimental::TlsChannelCredentialsOptions tls_options;
Contributor

Based on its name, "grpc::experimental::TlsChannelCredentialsOptions" seems to be an experimental feature. Do we have a more stable API to set the max TLS version? If this experimental feature becomes deprecated, we need to find a replacement for it.

Contributor Author

gRPC team specifically backported this experimental feature for us. A similar change in Envoy was approved envoyproxy/envoy#32315.

@istio-testing istio-testing merged commit dad212e into istio:master Feb 16, 2024
9 checks passed
@kyessenov kyessenov added cherrypick/release-1.19 Set this label on a PR to auto-merge it to the release-1.19 branch cherrypick/release-1.20 Set this label on a PR to auto-merge it to the release-1.20 branch cherrypick/release-1.21 Set this label on a PR to auto-merge it to the release-1.21 branch labels Feb 16, 2024
@istio-testing
Collaborator

In response to a cherrypick label: new pull request created: #5342

@istio-testing
Collaborator

In response to a cherrypick label: new pull request created: #5343

@istio-testing
Collaborator

In response to a cherrypick label: new pull request could not be created: failed to create pull request against istio/proxy#release-1.19 from head istio-testing:cherry-pick-5339-to-release-1.19: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for istio-testing:cherry-pick-5339-to-release-1.19."}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#create-a-pull-request"}

@istio-testing
Collaborator

In response to a cherrypick label: new pull request created: #5344

@istio-testing
Collaborator

In response to a cherrypick label: new pull request could not be created: failed to create pull request against istio/proxy#release-1.21 from head istio-testing:cherry-pick-5339-to-release-1.21: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for istio-testing:cherry-pick-5339-to-release-1.21."}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#create-a-pull-request"}

@istio-testing
Collaborator

In response to a cherrypick label: new pull request could not be created: failed to create pull request against istio/proxy#release-1.20 from head istio-testing:cherry-pick-5339-to-release-1.20: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for istio-testing:cherry-pick-5339-to-release-1.20."}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#create-a-pull-request"}
