
lei-tang/api 0

API, config definitions and standard vocabulary definitions for the Istio project

lei-tang/bazel-cmakelists 0

Convert Bazel C++ targets to CMakeLists for IDEs

lei-tang/data-plane-api 0

Envoy REST/proto API definitions

lei-tang/endpoints-tools 0

Tools for Google Cloud Endpoints Proxy

lei-tang/envoy 0

C++ front/service proxy

lei-tang/esp 0

Extensible Service Proxy


issue comment istio/istio

Concern over leaking sensitive information in headers X-Envoy-Peer-Metadata and X-Envoy-Peer-Metadata-Id

Thanks! Based on the comment, this issue was consolidated at #17635.

lei-tang

comment created time in a day

issue comment istio/istio

Strip internal mesh-machinery headers when sending requests/responses out of mesh

https://github.com/istio/istio/issues/35283 describes a concern over leaking sensitive information in headers X-Envoy-Peer-Metadata and X-Envoy-Peer-Metadata-Id. Based on the comment from @bianpengyuan, consolidate https://github.com/istio/istio/issues/35283 at this issue.

chadlwilson

comment created time in a day


issue comment istio/istio

Concern over leaking sensitive information in headers X-Envoy-Peer-Metadata and X-Envoy-Peer-Metadata-Id

https://github.com/istio/proxy/blob/e02cbbe2e3f390afd9711c5d5e9f4bb5462059ea/test/envoye2e/http_metadata_exchange/exchange_test.go#L77 refers to x-envoy-peer-metadata and x-envoy-peer-metadata-id.

@kyessenov Can you take a look at this issue?

lei-tang

comment created time in a day

issue opened istio/istio

Concern over leaking sensitive information in headers X-Envoy-Peer-Metadata and X-Envoy-Peer-Metadata-Id

(This is used to request new product features, please visit https://discuss.istio.io for questions on using Istio)

Describe the feature request

https://discuss.istio.io/t/istio-leaks-sensitive-information-in-http-headers/11263 describes the concern over leaking sensitive information in HTTP headers X-Envoy-Peer-Metadata and X-Envoy-Peer-Metadata-Id. This issue is created to discuss this concern.

Describe alternatives you've considered

Affected product area (please put an X in all that apply)

[ ] Docs [ ] Installation [X ] Networking [ ] Performance and Scalability [X ] Extensions and Telemetry [X ] Security [ ] Test and Release [ ] User Experience [ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[ ] Multi Cluster [ ] Virtual Machine [ ] Multi Control Plane

Additional context

created time in a day

push event lei-tang/anthos-service-mesh-packages

Lei Tang

commit sha 7acf388ab2b67bc53eda01ffb4b54cdf756e9770

ASM Zatar integration (install and config)


push time in 5 days


Pull request review comment GoogleCloudPlatform/anthos-service-mesh-packages

CAS: Fixing Project ID

 install_private_ca() {   local WORKLOAD_IDENTITY; WORKLOAD_IDENTITY="${WORKLOAD_POOL}:/allAuthenticatedUsers/"   local CA_LOCATION; CA_LOCATION=$(echo "${CA_NAME}" | cut -f4 -d/)   local CA_POOL; CA_POOL=$(echo "${CA_NAME}" | cut -f6 -d/)-  local PROJECT_ID; PROJECT_ID="$(context_get-option "PROJECT_ID")"+  local PROJECT_ID; PROJECT_ID=$(echo "${CA_NAME}" | cut -f2 -d/)

Ditto the comment above.

shankgan

comment created time in 5 days

Pull request review comment GoogleCloudPlatform/anthos-service-mesh-packages

CAS: Fixing Project ID

 install_private_ca() {   local WORKLOAD_IDENTITY; WORKLOAD_IDENTITY="${WORKLOAD_POOL}:/allAuthenticatedUsers/"   local CA_LOCATION; CA_LOCATION=$(echo "${CA_NAME}" | cut -f4 -d/)   local CA_POOL; CA_POOL=$(echo "${CA_NAME}" | cut -f6 -d/)-  local PROJECT_ID; PROJECT_ID="$(context_get-option "PROJECT_ID")"+  local PROJECT_ID; PROJECT_ID=$(echo "${CA_NAME}" | cut -f2 -d/)
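
Review bot: The new PROJECT_ID assignment takes field 2 of CA_NAME with "cut -f2 -d/", next to fields 4 and 6 for CA_LOCATION and CA_POOL, but nothing in the visible lines checks that CA_NAME has the expected slash-separated shape, so a malformed value produces empty or wrong strings without any error. Validate CA_NAME once at the top of install_private_ca() and fail if any of the three extracted fields is empty. It is also worth confirming that no longer reading PROJECT_ID from the context option is intended for the case where the CA pool lives in a different project than the one in the context.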

This PR changes how to obtain PROJECT_ID. Will this PR impact the integration test and user guide?

shankgan

comment created time in 5 days


push event lei-tang/istio

Lei Tang

commit sha 73cd5e7294cc7875a264eb4af08776bc4dbf93bf

Remove two variable declarations


push time in 6 days

Pull request review comment istio/istio

Improve the error handling of STS token manager

 func GetGCPProjectInfo() GCPProjectInfo {  // CreateTokenManager creates a token manager with specified type and returns // that token manager-func CreateTokenManager(tokenManagerType string, config Config) security.TokenManager {+func CreateTokenManager(tokenManagerType string, config Config) (security.TokenManager, error) { 	tm := &TokenManager{ 		plugin: nil, 	}+	var err error 	switch tokenManagerType { 	case GoogleTokenExchange: 		if projectInfo := GetGCPProjectInfo(); len(projectInfo.Number) > 0 { 			if p, err := google.CreateTokenManagerPlugin(config.CredFetcher, config.TrustDomain, 				projectInfo.Number, projectInfo.clusterURL, true); err == nil { 				tm.plugin = p 			}+			// When err != nil, the error will be returned at the end 		} else {-			log.Warnf("%v token manager specified but failed to ready GCP project information", GoogleTokenExchange)+			return nil, fmt.Errorf("%v token manager specified but failed to ready GCP project information", GoogleTokenExchange) 		} 	}-	return tm+	return tm, err
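
Review bot: In the GoogleTokenExchange case, "if p, err := google.CreateTokenManagerPlugin(...); err == nil" declares a new "err" scoped to that if statement, which shadows the outer "var err error", so the final "return tm, err" always returns a nil error and a plugin-creation failure is dropped while tm.plugin stays nil. Declare "p" beforehand and assign with "p, err = ...", or return the error directly inside the branch; as written, the added comment "When err != nil, the error will be returned at the end" does not hold. The message "failed to ready GCP project information" also looks like a typo for "read".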

I have refactored the code to return "tm, nil" here.

lei-tang

comment created time in 6 days


Pull request review comment istio/istio

Improve the error handling of STS token manager

 func GetGCPProjectInfo() GCPProjectInfo {  // CreateTokenManager creates a token manager with specified type and returns // that token manager-func CreateTokenManager(tokenManagerType string, config Config) security.TokenManager {+func CreateTokenManager(tokenManagerType string, config Config) (security.TokenManager, error) { 	tm := &TokenManager{ 		plugin: nil, 	}+	var err error
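
Review bot: The doc comment above CreateTokenManager still reads "creates a token manager with specified type and returns that token manager" although the signature now returns (security.TokenManager, error). Update it to say when a non-nil error is returned and whether the returned token manager may be used in that case, so callers know a failure must not be ignored.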

I have refactored the code to remove this variable.

lei-tang

comment created time in 6 days


push event lei-tang/istio

Lei Tang

commit sha 4317ba16c31fb59836691936f3b6558054293558

Refactor the if statement


push time in 6 days

push event lei-tang/istio

Lei Tang

commit sha 255295a57a78245448b5b520e2395edd90870cc2

Minor change


push time in 6 days

push event lei-tang/istio

Lei Tang

commit sha c0dff113542b21eb63ed2e155253257f1ee1af07

Fix the error to return


push time in 6 days

Pull request review comment istio/istio

Improve the error handling of STS token manager

 func GetGCPProjectInfo() GCPProjectInfo {  // CreateTokenManager creates a token manager with specified type and returns // that token manager-func CreateTokenManager(tokenManagerType string, config Config) security.TokenManager {+func CreateTokenManager(tokenManagerType string, config Config) (security.TokenManager, error) { 	tm := &TokenManager{ 		plugin: nil, 	}+	var err error 	switch tokenManagerType { 	case GoogleTokenExchange: 		if projectInfo := GetGCPProjectInfo(); len(projectInfo.Number) > 0 { 			if p, err := google.CreateTokenManagerPlugin(config.CredFetcher, config.TrustDomain, 				projectInfo.Number, projectInfo.clusterURL, true); err == nil { 				tm.plugin = p 			}+			// When err != nil, the error will be returned at the end 		} else {-			log.Warnf("%v token manager specified but failed to ready GCP project information", GoogleTokenExchange)+			return nil, fmt.Errorf("%v token manager specified but failed to ready GCP project information", GoogleTokenExchange) 		} 	}-	return tm+	return tm, err

Because "if p, err := google.CreateTokenManagerPlugin(...)" may return an error, this returns "tm, err" instead of "tm, nil".

lei-tang

comment created time in 6 days


Pull request review comment istio/istio

Improve the error handling of STS token manager

 func GetGCPProjectInfo() GCPProjectInfo {  // CreateTokenManager creates a token manager with specified type and returns // that token manager-func CreateTokenManager(tokenManagerType string, config Config) security.TokenManager {+func CreateTokenManager(tokenManagerType string, config Config) (security.TokenManager, error) { 	tm := &TokenManager{ 		plugin: nil, 	}+	var err error

This error variable is needed because "if p, err := google.CreateTokenManagerPlugin(...)" may return an error.

lei-tang

comment created time in 6 days


Pull request review comment istio/istio

Improve the error handling of STS token manager

 func NewSecurityOptions(proxyConfig *meshconfig.ProxyConfig, stsPort int, tokenM 	var tokenManager security.TokenManager 	if stsPort > 0 || xdsAuthProvider.Get() != "" { 		// tokenManager is gcp token manager when using the default token manager plugin.-		tokenManager = tokenmanager.CreateTokenManager(tokenManagerPlugin,+		tokenManager, err = tokenmanager.CreateTokenManager(tokenManagerPlugin, 			tokenmanager.Config{CredFetcher: o.CredFetcher, TrustDomain: o.TrustDomain})+		if err != nil {+			log.Errorf("failed to create token manager: %v", err)
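
Review bot: At "if err != nil", the visible lines only call log.Errorf and the hunk ends there; if the function carries on after logging, tokenManager can be nil while stsPort > 0 or an XDS auth provider is set. Return the error to the caller with added context instead of logging and continuing, and avoid both logging and returning the same error. Also, "tokenManager, err = ..." is a plain assignment, so "err" has to be declared earlier in the enclosing scope; that declaration is not part of this hunk and should be checked.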

The log here has been removed.

lei-tang

comment created time in 6 days


push event lei-tang/istio

Lei Tang

commit sha fb19d443bd835d5359937d5cb2899e687c674d5f

Remove the log statement


push time in 6 days