service-mesh: implement secure ingress #186

Merged: 6 commits, Apr 12, 2024

3u13r (Member) commented Mar 1, 2024

Changes:

  • Set up iptables to re-route ingress traffic
  • Add default iptables+envoy config which requires clientAuth (on port 15006)
  • Add options to except traffic from (1) client auth (Envoy port 15007) or (2) TLS completely

TODOs:

@3u13r 3u13r force-pushed the feat/serive-mesh/ingress-first-implementation branch 4 times, most recently from bf7d780 to 2706aee Compare March 8, 2024 14:53
@katexochen katexochen changed the title service mesh ingress service-mesh: implement secure ingress Mar 12, 2024
@katexochen katexochen added the feature Shiny new feature for our users label Mar 12, 2024

burgerdev (Contributor) left a comment

lgtm overall

Review threads:

  • deployments/emojivoto-sm-ingress/emoji.yml (outdated, resolved)
  • service-mesh/config.go (outdated, resolved)
  • service-mesh/config.go (outdated, resolved)
  • service-mesh/iptables.go (outdated, resolved)
  • service-mesh/iptables.go (resolved)

@3u13r 3u13r force-pushed the feat/serive-mesh/ingress-first-implementation branch 2 times, most recently from 7187793 to f362879 Compare March 28, 2024 23:53
@3u13r 3u13r marked this pull request as ready for review March 28, 2024 23:57
@3u13r 3u13r requested a review from katexochen as a code owner March 28, 2024 23:57
@3u13r 3u13r requested a review from burgerdev April 2, 2024 11:46
@katexochen katexochen requested a review from malt3 April 2, 2024 13:14

Review threads:

  • packages/containers.nix (outdated, resolved)
  • service-mesh/iptables.go (outdated, resolved)
  • service-mesh/iptables.go (resolved)

malt3 (Contributor) commented Apr 3, 2024

I’m not sure if I’m overlooking something, but I believe we still need to add this as an e2e test, right?
That can also be a follow-up. I just believe that we need to ensure that the service mesh does not break. EDIT: Just saw #248. Ignore this :)

@3u13r 3u13r force-pushed the feat/serive-mesh/ingress-first-implementation branch 4 times, most recently from 1432932 to 10d67e1 Compare April 6, 2024 19:51
3u13r (Member, Author) commented Apr 6, 2024

cherry-picked the e2e test commit from Markus and updated it to fit the current e2e test requirements.

@3u13r 3u13r requested a review from malt3 April 6, 2024 20:07

Review threads:

  • service-mesh/iptables.go (outdated, resolved)
  • service-mesh/iptables.go (outdated, resolved)
  • service-mesh/iptables.go (resolved)

@3u13r 3u13r force-pushed the feat/serive-mesh/ingress-first-implementation branch from 10d67e1 to 2dc6427 Compare April 12, 2024 18:09
@3u13r 3u13r force-pushed the feat/serive-mesh/ingress-first-implementation branch from 2dc6427 to 56c606e Compare April 12, 2024 18:45
@3u13r 3u13r merged commit ef472e4 into main Apr 12, 2024
8 checks passed
@3u13r 3u13r deleted the feat/serive-mesh/ingress-first-implementation branch April 12, 2024 18:57