tls: add per-upstream session key caching support #38479
Conversation
Signed-off-by: Ronak Jain <[email protected]>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
|
Assigning TLS extension codeowner for a first-pass. |
| // would be 200. | ||
| // | ||
| // Defaults to 0, which disables TLS session key caching per upstream host. | ||
| google.protobuf.UInt32Value max_session_cache_upstream_hosts = 8; |
There was a problem hiding this comment.
Is it possible that there will be other configurable parameters for per-upstream-host session caching in the future? If so, consider using a separate message as an alternative:
message TlsPerHostSessionCacheConfig {
uint32 max_session_cache_upstream_hosts = 1;
// ...can add more fields here in the future...
}
message UpstreamTlsContext {
// ...existing fields...
// If set, per-host session caching is enabled.
TlsPerHostSessionCacheConfig per_host_session_cache_config = 8;
}
There was a problem hiding this comment.
Yeah it could potentially carry other features in the future, updated with separate message. Thanks for the review!
| @@ -25,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; | |||
| // [#extension: envoy.transport_sockets.tls] | |||
| // The TLS contexts below provide the transport socket configuration for upstream/downstream TLS. | |||
|
|
|||
| // [#next-free-field: 8] | |||
| // [#next-free-field: 9] | |||
| message UpstreamTlsContext { | |||
There was a problem hiding this comment.
Is this something we might also need in DownstreamTlsContext for the server side?
There was a problem hiding this comment.
This feature is only needed on the client/upstream side. Servers/downstreams issue stateless session keys (tickets) for resumption, so they don't require per-host session caching.
|
/wait |
Signed-off-by: Ronak Jain <[email protected]>
Commit Message:
This pull request introduces a new configuration option,
max_session_cache_upstream_hosts, which allows TLS session keys to be cached and used on a per-upstream host basis. It addresses #33512 by ensuring that a session key generated for one upstream host isn’t mistakenly reused by another.Additional Description:
In a typical service mesh, upstream hosts serving the same destination might have unique TLS configurations (for example, different session ticket keys). As a result, a session key issued by one host shouldn’t be used with another. This pull request enables caching on a per-upstream host basis, ensuring that session keys are used only by the host that generated them, which in turn helps maintain correct and efficient TLS session resumption.
This option sets the maximum number of upstream hosts that can cache and use TLS session keys. It works together with the existing max_session_keys setting, which limits the number of session keys per host. For instance, if you set
max_session_keysto 10 andmax_session_cache_upstream_hoststo 20, you can cache up to 200 session keys overall.I'll follow up with another pull request to add support for the following improvements:
Risk Level: Low
Testing: Unit tests