Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

quic: use sds for upstream http/3 #16462

Merged
merged 5 commits into from
May 19, 2021
Merged

quic: use sds for upstream http/3 #16462

merged 5 commits into from
May 19, 2021

Conversation

alyssawilk
Copy link
Contributor

Risk Level: Medium (some data plane refactors, mostly no-ops for !HTTP/3)
Testing: turned up HTTP/3 upstream SDS integration tests
Docs Changes: n/a
Release Notes: n/a
part of #14829

@alyssawilk
quic: use sds for upstream http/3
798a95d 
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
danzh2010
danzh2010 reviewed May 12, 2021
View reviewed changes
source/common/quic/client_connection_factory_impl.cc
return quic_socket_factory->sslCtx();
}

std::shared_ptr<quic::QuicCryptoClientConfig> PersistentQuicInfoImpl::cryptoConfig() {
Copy link
Contributor

@danzh2010 danzh2010 May 12, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is somewhat laid-back updating. If a client connection is created before the SSL context update, will its crypto config not be updated till another createQuicNetworkConnection() is called?
Could this be a problem?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think once a quic client is created we support reloading, so AFIK it'd only be applied when we created a new client anyway.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK.
Another question is if we need to copy over resumption tickets stored in EnvoyQuicSessionCache before replacing crypto config?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would think if we changed client certs we'd not want to keep resumption info? cc @RyanTheOptimist

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, that sounds right to me.

@alyssawilk
tidy
1d2a556 
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
@alyssawilk
coverage fix
272d27e 
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
ggreenway
ggreenway requested changes May 17, 2021
View reviewed changes
Copy link
Contributor

@ggreenway ggreenway left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

source/common/http/http3/conn_pool.cc Outdated
[](HttpConnPoolImplBase* pool) {
[](HttpConnPoolImplBase* pool) -> ::Envoy::ConnectionPool::ActiveClientPtr {
// If there's no ssl context, the secrets are not loaded. Fast-fail by returning null.
if (dynamic_cast<Quic::QuicClientTransportSocketFactory*>(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this cast guaranteed to succeed? Should it be a static_cast, and maybe an ASSERT that the dynamic_cast succeeds?

source/common/quic/quic_transport_socket_factory.h Outdated
// fallback_factory_ will update the stats.
// TODO(14829) Client transport socket factory may also need to update quic crypto.
}
// fallback factory will update the context.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: capitalize Fallback or change back to fallback_factory_

@alyssawilk
Merge branch 'main' into sds
93d09e1 
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
@alyssawilk
comments
9b9d975 
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
@alyssawilk alyssawilk merged commit 67bfb7c into envoyproxy:main May 19, 2021
This was referenced May 19, 2021
Merged
Merged
leyao-daily pushed a commit to leyao-daily/envoy that referenced this pull request Sep 30, 2021
@alyssawilk
quic: use sds for upstream http/3 (envoyproxy#16462)
32c6254 
Risk Level: Medium (some data plane refactors, mostly no-ops for !HTTP/3)
Testing: turned up HTTP/3 upstream SDS integration tests
Docs Changes: n/a
Release Notes: n/a
part of envoyproxy#14829

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
@alyssawilk alyssawilk deleted the sds branch February 28, 2022 21:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danzh2010 danzh2010 danzh2010 left review comments

@RyanTheOptimist RyanTheOptimist RyanTheOptimist left review comments

@ggreenway ggreenway ggreenway approved these changes

Assignees

@ggreenway ggreenway

@danzh2010 danzh2010

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@alyssawilk @ggreenway @danzh2010 @RyanTheOptimist