OpenShift Service Mesh / OSSM-2187

Allow enabling Automatic protocol selection


    • Story
    • Resolution: Done
    • Normal
    • OSSM 2.3.0
    • OSSM 2.0.10, OSSM 2.1.1, OSSM 2.2.2
    • Maistra
    • Sprint 59, Sprint 60

      In MAISTRA-1972, we disabled protocol sniffing by default and even extended the validatingwebhook to not allow re-enabling it. This was due to security concerns about the implementation present in OSSM 2.0/Istio 1.5. I cannot find any more documentation about our concerns, but as upstream has been running with this feature enabled by default for ages, and customers are asking for it, we should at least allow enabling it. The default will stay disabled for now.

      The fields in SMCP look like this:

      spec: 
        proxy: 
          networking: 
            protocol: 
              autoDetect: 
                # maps to PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
                inbound: true
                # maps to PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
                outbound: true
                # maps to protocolDetectionTimeout in meshConfig
                timeout: 500ms
      

      Acceptance Criteria:

      • Remove the validation that blocks usage of the fields in spec.proxy.networking.protocol.autoDetect
      • Add documentation
      • Add a release note

      Original description:

      Since Istio 1.6, this feature has been enabled by default.

      https://istio.io/v1.6/docs/ops/configuration/traffic-management/protocol-selection/ 

      However, our OSSM still seems to be keeping the old config from Istio 1.4:

       

      $ oc get deployment istiod-basic -o yaml -n istio-system | grep SNIFF -A1
      - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
        value: "false"
      - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
        value: "false"

      And these two environment variables only exist in istiod's deployment.

      We should be able to configure them via SMCP.

       

      Related case - https://access.redhat.com/support/cases/#/case/03339815

       

              dgrimm@redhat.com Daniel Grimm
              rhn-support-jaliang Jace Liang
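
A drift check for the field-to-variable mapping described in this issue, as an added example (not code from the issue or from Maistra): it compares an SMCP's `autoDetect` settings with the sniffing variables on the istiod Deployment, both taken as JSON in the shape of `oc get ... -o json`. The sample objects and the container name are constructed, and treating a missing field as disabled is an assumption based on the issue's statement that the default stays disabled.

```python
import json

# Mapping stated in the issue: SMCP autoDetect field -> istiod environment variable.
ENV_FOR_FIELD = {
    "inbound": "PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND",
    "outbound": "PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND",
}

def requested(smcp):
    """Inbound/outbound autoDetect booleans the SMCP asks for.
    Assumption: a missing field means disabled (the default per the issue)."""
    node = smcp
    for key in ("spec", "proxy", "networking", "protocol", "autoDetect"):
        node = (node or {}).get(key)
    node = node or {}
    return {f: bool(node.get(f, False)) for f in ENV_FOR_FIELD}

def deployed(deployment):
    """Sniffing flags found in the Deployment's container env.
    None means the variable is not set on any container."""
    found = {f: None for f in ENV_FOR_FIELD}
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        for e in c.get("env", []):
            for f, name in ENV_FOR_FIELD.items():
                if e.get("name") == name:
                    found[f] = str(e.get("value", "")).lower() == "true"
    return found

def drift(smcp, deployment):
    """Directions where the running istiod differs from the SMCP.
    An unset variable is reported too: its effective value is not pinned."""
    want, have = requested(smcp), deployed(deployment)
    return sorted(f for f in ENV_FOR_FIELD if have[f] != want[f])

# Constructed sample input, not captured output; "discovery" is a placeholder name.
SMCP = json.loads('{"spec":{"proxy":{"networking":{"protocol":{"autoDetect":'
                  '{"inbound":true,"outbound":false,"timeout":"500ms"}}}}}}')
ISTIOD = json.loads(
    '{"spec":{"template":{"spec":{"containers":[{"name":"discovery","env":['
    '{"name":"PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND","value":"false"},'
    '{"name":"PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND","value":"false"}]}]}}}}')

if __name__ == "__main__":
    print("drift:", drift(SMCP, ISTIOD))
```

The `timeout` field is not checked here because, per the issue, it maps to `protocolDetectionTimeout` in meshConfig rather than to an istiod environment variable.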