
postgres: support for upstream SSL #23990

Merged
merged 19 commits into from
Dec 7, 2022

Conversation

cpakulski
Contributor

Commit Message:
postgres: support for upstream SSL

Additional Description:
The Postgres filter can negotiate an upstream SSL connection with the Postgres server and enable upstream encryption.
Upon receiving the initial postgres request, the filter buffers the received packet (without sending it) and sends the upstream server a request to establish an SSL connection. When the server agrees, the postgres filter enables the upstream STARTTLS transport socket and sends the previously buffered initial packet. From then on, the connection to upstream is encrypted and the filter can read the postgres payloads in clear-text.

If the server does not agree to SSL, or converting the STARTTLS transport socket to secure mode fails, the filter may, depending on the configuration, continue in clear-text or tear down the connection.

Risk Level: Low
Testing: unit, integration and manual tests.
Docs Changes: yes.
Release Notes: yes
Platform Specific Features: No
Fixes #19527

Signed-off-by: Christoph Pakulski <[email protected]>
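The negotiation the description walks through, modelled as an added Python example (not the filter's own C++ code): the SSLRequest and StartupMessage layouts and the single-byte `S`/`N` server reply come from the Postgres wire protocol, while the `UpstreamSslNegotiator` class and its `terminate_on_failure` knob are assumptions standing in for the filter's configuration.

```python
import struct
from dataclasses import dataclass

# SSLRequest code from the Postgres wire protocol: (1234 << 16) | 5679
SSL_REQUEST_CODE = 80877103
# Int32 length (including itself) followed by Int32 code: 8 bytes on the wire
SSL_REQUEST = struct.pack("!ii", 8, SSL_REQUEST_CODE)
STARTUP_PROTOCOL_V3 = 196608  # protocol major 3, minor 0


def build_startup_message(params: dict) -> bytes:
    """Constructed downstream StartupMessage (clear-text, as the linked issue describes)."""
    body = struct.pack("!i", STARTUP_PROTOCOL_V3)
    for key, value in params.items():
        body += key.encode() + b"\0" + value.encode() + b"\0"
    body += b"\0"  # terminator after the last parameter
    return struct.pack("!i", len(body) + 4) + body


@dataclass
class UpstreamSslNegotiator:
    """Hypothetical model of the filter's state: buffer, ask upstream, then decide."""
    terminate_on_failure: bool  # assumed knob: tear down vs. continue in clear-text
    buffered: bytes = b""

    def on_initial_downstream_packet(self, packet: bytes) -> bytes:
        # Hold the startup packet instead of forwarding it; send SSLRequest upstream.
        self.buffered = packet
        return SSL_REQUEST

    def on_failure(self) -> tuple:
        # Shared path for 'N', an unexpected reply, or a failed TLS handshake.
        if self.terminate_on_failure:
            return ("close", b"")
        return ("cleartext", self.buffered)

    def on_upstream_reply(self, reply: bytes) -> tuple:
        """Return (action, bytes_to_send_upstream); action is tls, cleartext or close."""
        if reply == b"S":
            # Server agreed: switch the transport socket to TLS, then replay the
            # buffered packet as the first bytes over the encrypted channel.
            return ("tls", self.buffered)
        if reply.startswith(b"S"):
            # Bytes after 'S' before the handshake are not part of the protocol;
            # never fall back to clear-text on them, close instead.
            return ("close", b"")
        return self.on_failure()  # 'N', ErrorResponse from an old server, or junk
```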
@repokitteh-read-only

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #23990 was opened by cpakulski.


@cpakulski cpakulski marked this pull request as ready for review November 22, 2022 18:04
@cpakulski
Contributor Author

@lizan. Friendly ping 😊.

@cpakulski cpakulski requested a review from lizan December 2, 2022 02:55
@alyssawilk
Contributor

@lizan ping!

@lizan lizan merged commit 0ce6cf5 into envoyproxy:main Dec 7, 2022
@fabriziomello
Contributor

Will run Postgres regression tests over this commit to make sure we didn't break anything.

jpsim added a commit that referenced this pull request Dec 8, 2022
…-cpp-to-latest-version

* origin/main: (23 commits)
  Reduce Route memory utilization by avoiding RuntimeData instances when not needed (#24327)
  build: fix compile error for mac (#24429)
  postgres: support for upstream SSL (#23990)
  iOS: split `EnvoyEngine.h` into multiple header files (#24397)
  mobile: check for pending exceptions after JNI call (#24361)
  Remove uneccessary `this->` from mobile engine builder (#24389)
  Add setRequestDecoder to ResponseEncoder interface (#24368)
  downstream: refactoring code to remove listener hard deps (#24394)
  lb api: moving load balancing policy specific configuration to extension configuration (#23967)
  ci: Skip docker/examples verification for docs or mobile only changes (#24417)
  ci: run mobile GitHub Actions on every PR (#24407)
  mobile: remove `bump_lyft_support_rotation.sh` script (#24404)
  Add file size to DirectoryEntry (#24176)
  bazel: update to 6.0.0rc4 (#24235)
  bazel: update rules_rust (#24409)
  Ecds config dump recommit (#24384)
  bazel: add another config_setting incompatible flag (#24270)
  listeners: moving listeners to extension directory (#24248)
  mobile: build Swift with whole module optimization (#24396)
  ci: update `actions/setup-java` from v1 to v3.8 (#24393)
  ...

Signed-off-by: JP Simard <[email protected]>
@cpakulski
Contributor Author

Thanks @fabriziomello ! I hope it passed 😀.

Successfully merging this pull request may close these issues.

postgres: Support StartTLS upstream and plain-text downstream