Feature support connection info in route matching (#8453)

Add the ability to route match based on client credentials. This is an output of the changes requested for PR #8248 (#8248 (comment)) To more cleanly support #8248 , it would be better to be able to route based on downstream connection details, instead of hoisting more information into headers. As an API example, route matching based on presented and/or expired client certificate is supported. The end goal for #8248 is to route based on 'validated'. By default the routing rules are unchanged. Risk Level: Medium Testing: Currently Manual tests Docs Changes: API proto changes Release Notes: N/A Signed-off-by: Michael Hargreaves <mik.hargreaves@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 350e4ce17b8bcf3880fdd87ca41814261d6bffed
6 years ago · 3132b5c116
parent 1dd3555a28
commit 3132b5c116
2 changed files with 22 additions and 0 deletions
--- a/envoy/api/v2/route/route.proto
+++ b/envoy/api/v2/route/route.proto
@ -329,6 +329,11 @@ message RouteMatch {
  message GrpcRouteMatchOptions {
  }

+  message TlsContextMatchOptions {
+    // If specified, the route will match against whether or not a certificate is presented.
+    google.protobuf.BoolValue presented = 1;
+  }
+
  reserved 5;

  oneof path_specifier {
@ -415,6 +420,12 @@ message RouteMatch {
  // that the content-type header has a application/grpc or one of the various
  // application/grpc+ values.
  GrpcRouteMatchOptions grpc = 8;
+
+  // If specified, the client tls context will be matched against the defined
+  // match options.
+  //
+  // [#next-major-version: unify with RBAC]
+  TlsContextMatchOptions tls_context = 11;
 }

 // [#comment:next free field: 11]
--- a/envoy/api/v3alpha/route/route.proto
+++ b/envoy/api/v3alpha/route/route.proto
@ -330,6 +330,11 @@ message RouteMatch {
  message GrpcRouteMatchOptions {
  }

+  message TlsContextMatchOptions {
+    // If specified, the route will match against whether or not a certificate is presented.
+    google.protobuf.BoolValue presented = 1;
+  }
+
  reserved 5, 3;

  reserved "regex";
@ -400,6 +405,12 @@ message RouteMatch {
  // that the content-type header has a application/grpc or one of the various
  // application/grpc+ values.
  GrpcRouteMatchOptions grpc = 8;
+
+  // If specified, the client tls context will be matched against the defined
+  // match options.
+  //
+  // [#next-major-version: unify with RBAC]
+  TlsContextMatchOptions tls_context = 11;
 }

 // [#comment:next free field: 11]