Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support read header value from env variable #3474

Merged
merged 1 commit into from
Apr 9, 2025
Merged

support read header value from env variable #3474

merged 1 commit into from
Apr 9, 2025

Conversation

zirain
Copy link
Member

@zirain zirain commented Mar 26, 2025

this's a proposal for istio/istio#53408

With this patch, users will be able mount a secret into pilot discovery pod as env variable, then pilot will read from it and send to all proxies.

@zirain zirain requested a review from a team as a code owner March 26, 2025 13:16
@istio-testing istio-testing added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Mar 26, 2025
@zirain
Copy link
Member Author

zirain commented Mar 26, 2025

cc @joaopgrassi @keithmattix, looks like you're interesting in original issue.

@zirain zirain added the release-notes-none Indicates a PR that does not require release notes. label Mar 26, 2025
howardjohn
howardjohn reviewed Mar 27, 2025
View reviewed changes
Copy link
Member

@howardjohn howardjohn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does envoy just have a corresponding config we pass this through to?

@zirain
Copy link
Member Author

zirain commented Mar 28, 2025
edited
Loading

Not sure about I understand what you said:

  1. envoy didn't support read it direcetly from env or sds, see grpc and http
  2. we'd better do this on controlplane instread of, otherwise we need to spread the secret to all the namespaces where sidecars are.

@howardjohn
Copy link
Member

I see. This absolutely needs to specify it's the environment variable of the control plane, which is not intuitive.

This is a possible security risk, as someone can now trigger the control plane to send out arbitrary env vars down to proxies, which may include confidential information. Given this is in mesh config, not proxy config, that is likely ok as they are the same trust domain.

However we are still storing the credentials in envoy, accessible by config_dump,etc. We do similar for TLS, but that is all in the "secret" code paths which obfuscate the contents. I worry this doesn't really meet the goal of the original issue, as we don't actually have end to end security of the header

@zirain
Copy link
Member Author

zirain commented Mar 28, 2025
edited
Loading

However we are still storing the credentials in envoy, accessible by config_dump,etc. We do similar for TLS, but that is all in the "secret" code paths which obfuscate the contents. I worry this doesn't really meet the goal of the original issue, as we don't actually have end to end security of the header

you can not avoid this happen, users who can access config_dump will be able to read nearly everything.

In my experience, most people don't have direct access to the product environment (or need permission).
It still makes sense to decouple the mesh configuration(with argo or else) from the creation of secret(manually by ops team).

@howardjohn
Copy link
Member

Yeah good call. Maybe we just specify in the comments that:

  • Its istiod env var
  • Its not end to end secure

@zirain zirain force-pushed the read-header-from-env branch from 718b392 to acb1b52 Compare March 29, 2025 02:46
@istio-testing istio-testing added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 29, 2025
@zirain zirain requested a review from howardjohn March 29, 2025 02:48
@istio-testing istio-testing added the needs-rebase Indicates a PR needs to be rebased before being merged label Apr 1, 2025
@zirain zirain force-pushed the read-header-from-env branch from acb1b52 to 36692fd Compare April 1, 2025 05:59
@istio-testing istio-testing removed the needs-rebase Indicates a PR needs to be rebased before being merged label Apr 1, 2025
@istio-testing istio-testing merged commit 5e1d96e into istio:master Apr 9, 2025
5 checks passed
@zirain zirain deleted the read-header-from-env branch April 10, 2025 00:17
@zirain zirain mentioned this pull request Apr 10, 2025
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@howardjohn howardjohn howardjohn approved these changes

@keithmattix keithmattix keithmattix approved these changes

Assignees
No one assigned
Labels
release-notes-none Indicates a PR that does not require release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@zirain @howardjohn @keithmattix @istio-testing