Add a transport socket match in cluster.

[incfly]

Signed-off-by: Jianfei Hu jianfeih@google.com

API for #8016

Context

Customers adopting service mesh likes mTLS ability. However, rolling it out without breaking existing traffic is hard. This is because mTLS is configured on per cluster basis. In reality, a service consists of multiple endpoints, mixed with having Envoy sidecar and without-sidecar endpoints. Client envoy can't send mTLS traffic until all server migrated to having Envoy sidecar.

This API tries to solve the issue by allowing mTLS/transport socket to configured at finer granularity, e.g. endpoint level. The endpoint has metadata label information, which will be used to decide which transport socket configuration to use from a map specified in the cluster.

So the outcome is that, xDS management server is able to configure client envoy talks to endpoints with sidecar in mTLS and plain text to endpoints without sidecar, for a single cluster.

Description:
Risk Level: N/A (API change only)
Release Notes: Cluster API change to use different transport socket based on endpoint label.

[incfly]

/cc @lizan @rshriram @PiotrSikora

[htuch]

I'm generally opposed to using unstructured metadata for this purpose. If we are going to go down this path (see above comment about needing to understand design rationale and motivation), then we need to add an explicit label field to EDS endpoints.

[htuch]

@incfly FYI, for changes to Envoy's APIs, you should tag @envoyproxy/api-shepherds on any design review.

[rshriram]

So @htuch , how about this:

cluster:
  tlsContextMap:
    mtls: …, default
    plaintext: …
  endpoints:
    1.1.1.1, tlsContext-to-use: mtls
    2.2.2.2 tlsContext-to-use: plaintext

effectively, we ship a bunch of named TLS contexts to the cluster and then in the EDS, we can ship the TLS context to use for a given endpoint. This has the same effect of using label selectors in the TLS context.

[lizan]

@rshriram lets iterate on the doc a bit more, I like labels more for its flexibility, a tlscontextmap (or transport socket map) potentially explodes when you have multiple factor to select. (supports mTLS/TLS/cleartext)

[incfly]

@lizan not sure if I get it.

The value of the endpoint.transport_socket_selector (single hardcoded name) is used to retrieve entries from the map. So this is selection based on single factor, and deterministically, right?

By label do you refer to actual endpoint.metadata or it does not matter, can be a field in message Endpoint as well?

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #8100 was synchronize by incfly.

see: more, trace.

[incfly]

PR has been modified to match the proposal, using actual fields in endpoints plus match semantics for transport socket. @htuch @lizan
PTAL, thanks.

[lizan]

@htuch

[rshriram]

So @htuch / @lizan I have been giving this some thought. I think its better to have a named TLS context rather than a label selector because named TLS contexts refer to exactly one context to use. Label selectors could select multiple contexts and then we would have to define some first match wins semantics which gets clunky.

[lizan]

I'd like to this be first match wins (similar to FCM), the context map couples EDS with CDS too tightly, and the matcher semantics here is more flexible to match a subset has two labels etc.

[htuch]

Yeah, let's just have a string field here pointing at a specific TLS context. This will be the clearest I reckon.

[incfly]

I'm fine with that.

[incfly]

done.

[htuch]

Switching back into this review after some time out, it seems that we still have a label match scheme. If the consensus is heading towards this being necessary, there are two things I'd ask:

1. Document a clear use case of why we have this in endpoint_transport_socket_matchers comments.
2. Use the existing metadata; I originally pushed back on this as I felt we could just specify a transport socket name here, but now that we are going to a "label" scheme, we already have a source of this information, the endpoint metadata. There should be well-known key name for this, envoy.transport_socket.

[incfly]

Done. Added a use case in the end of this field comments. @lizan fyi.

I also renamed the field by removing "endpoint_", since as @rshriram points out, it's possible to add metadata for DNS based endpoint as well.

[rshriram]

ping. any updates? Its been two weeks.

[incfly]

/retest

[repokitteh-read-only]

🔨 rebuilding ci/circleci: release (failed build)

🐱

Caused by: a #8100 (comment) was created by @incfly.

see: more, trace.

[incfly]

/retest

[repokitteh-read-only]

🐴 hold your horses - no failures detected, yet.

🐱

Caused by: a #8100 (comment) was created by @incfly.

see: more, trace.

[incfly]

All tests passed now, PTAL, thanks.

[incfly]

@htuch @lizan

I'm reading well_known_names.h, and see we already have envoy.transport_sockets.xxx (alts) for socket name, this makes me think using envoy.transport_socket to extract endpoint info can cause confusion.
https://github.com/envoyproxy/envoy/blob/master/source/extensions/transport_sockets/well_known_names.h#L17

how about renaming this to envoy.transport_socket_match or envoy.transport_socket_selector?

wdty?

[mattklein123]

Thanks, generally LGTM with a few small comments.

/wait

[mattklein123]

Thanks this LGTM. I will defer to others for further review.

[incfly]

@htuch Could you take a look to see anything else we need to update before merging?

[htuch]

Thanks, the explanation is now more helpful. LGTM modulo nit and merging master.

[htuch]

Thanks!