Skip to content

Add sni rewrite support #522

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Joey-Rose wants to merge 8 commits into
base: develop
Choose a base branch
from
Open

Add sni rewrite support #522

Joey-Rose wants to merge 8 commits into from
+371 −46

Conversation

@Joey-Rose
Copy link

@Joey-Rose Joey-Rose commented Jan 5, 2026
edited
Loading

Summary

  1. Updated routing-api submodule to point to latest commit in joey-add-sni-rewrite-support branch
  2. Added sni_rewrite_san field support in route-registrar config and routing-api integration
  3. Implemented HAProxy SNI rewrite functionality in TCP router config marshaller using sni str() directive
  4. Added unit tests for SNI rewrite functionality in route-registrar, routing-api, and TCP router
  5. Updated route registrar job spec to document sni_rewrite_san field
  6. Added validation logic in registrar_settings.json.erb template: required when type is sni and terminate_frontend_tls is enabled, cannot be provided when type is sni and terminate_frontend_tls is disabled
  7. Updated route registrar usage documentation with sni_rewrite_san field description and example
  8. Added comprehensive tests for sni_rewrite_san validation in route_registar_templates_spec.rb covering all validation scenarios

Backward Compatibility

Breaking Change?

No

@Joey-Rose Joey-Rose requested a review from a team as a code owner January 5, 2026 19:18
@Joey-Rose Joey-Rose marked this pull request as draft January 5, 2026 19:18
@Joey-Rose Joey-Rose force-pushed the joey-add-sni-rewrite-support branch from d169bcf to 61e468b Compare January 9, 2026 20:09
@Joey-Rose Joey-Rose changed the title DRAFT: Add sni rewrite support Add sni rewrite support Jan 11, 2026
@Joey-Rose Joey-Rose marked this pull request as ready for review January 11, 2026 03:20
ameowlia
ameowlia requested changes Jan 13, 2026
View reviewed changes
@ameowlia
Copy link
Member

ameowlia commented Jan 13, 2026
edited
Loading

You are also missing...

  • Updating the route registrar usage docs
  • Updating the route registrar job spec description
  • Adding any validations to the job template + tests for that validation

See this PR as an example for all of these items: 129e488

@Joey-Rose Joey-Rose force-pushed the joey-add-sni-rewrite-support branch from 61e468b to ce17e87 Compare January 13, 2026 19:57
@Joey-Rose
Copy link
Author

Joey-Rose commented Jan 13, 2026
edited
Loading

You are also missing...

  • Updating the route registrar usage docs
  • Updating the route registrar job spec description
  • Adding any validations to the job template + tests for that validation

See this PR as an example for all of these items: 129e488

Just pushed changes to address this feedback. Could you take another look? @ameowlia

neowulf
neowulf reviewed Jan 14, 2026
View reviewed changes
src/code.cloudfoundry.org/cf-tcp-router/configurer/haproxy/config_marshaller.go Outdated
output.WriteString(fmt.Sprintf(" verifyhost %s", server.InstanceID))
}

if server.SniRewriteHostname != "" {
Copy link
Contributor

@neowulf neowulf Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if server.SniRewriteHostname != "" {
if enableFrontendTLS && server.SniRewriteHostname != "" {

Copy link
Author

@Joey-Rose Joey-Rose Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just pushed a commit to address this

ameowlia
ameowlia requested changes Jan 15, 2026
View reviewed changes
jobs/route_registrar/templates/registrar_settings.json.erb Outdated
Comment on lines 98 to 100
if route['sni_rewrite_san'] == nil || route['sni_rewrite_san'] == ''
raise "route_registrar.routes[#{index}].route.sni_rewrite_san must be provided when type is sni and terminate_frontend_tls is enabled"
end
Copy link
Member

@ameowlia ameowlia Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is making a backwards incompatible change for all users who currently have...

type: sni
terminate_frontend_tls: true.

...because it is requiring them to include this new property. Is that intended? I thought that the following was supposed to be a valid config?

type: sni
terminate_frontend_tls: true. 
sni_routable_san: meow.com

^ In this case haproxy would keep the sni hostname the same when sending traffic to the backend.

Copy link
Author

@Joey-Rose Joey-Rose Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I talked with @neowulf about this and he said that the field should be required when type: sni and terminate_frontend_tls: true are present. It was completely optional before but I changed it to meet this requirement

@ameowlia
Copy link
Member

ameowlia commented Jan 15, 2026

I also get to template test failures...

Failures:

  1) route_registrar config/registrar_settings.json when type is sni and frontend_tls is enabled and sni_routable_san is provided should use the provided sni_routable_san
     Failure/Error: rendered_hash = JSON.parse(template.render(merged_manifest_properties, consumes: links))

     RuntimeError:
       route_registrar.routes[0].route.sni_rewrite_san must be provided when type is sni and terminate_frontend_tls is enabled
     # (erb):99:in `block in get_binding'
     # (erb):75:in `each'
     # (erb):75:in `each_with_index'
     # (erb):75:in `get_binding'
     # ./spec/route_registar_templates_spec.rb:703:in `block (4 levels) in <top (required)>'

  2) route_registrar config/registrar_settings.json when type is sni and frontend_tls is disabled and sni_rewrite_san is provided raises an error for invalid sni_rewrite_san
     Failure/Error:
       expect { template.render(merged_manifest_properties, consumes: links) }.to raise_error(
         RuntimeError, 'route_registrar.routes[0].route.sni_rewrite_san cannot be provided when type is sni and terminate_frontend_tls is disabled'
       )

       expected RuntimeError with "route_registrar.routes[0].route.sni_rewrite_san cannot be provided when type is sni and terminate_frontend_tls is disabled", got #<RuntimeError: route_registrar.routes[0].route.sni_routable_san cannot be provided when type is sni and terminate_frontend_tls is disabled> with backtrace:
         # (erb):105:in `block in get_binding'
         # (erb):75:in `each'
         # (erb):75:in `each_with_index'
         # (erb):75:in `get_binding'
         # ./spec/route_registar_templates_spec.rb:782:in `block (5 levels) in <top (required)>'
         # ./spec/route_registar_templates_spec.rb:782:in `block (4 levels) in <top (required)>'
     # ./spec/route_registar_templates_spec.rb:782:in `block (4 levels) in <top (required)>'

Finished in 1.17 seconds (files took 0.07684 seconds to load)
368 examples, 2 failures

Failed examples:

rspec ./spec/route_registar_templates_spec.rb:702 # route_registrar config/registrar_settings.json when type is sni and frontend_tls is enabled and sni_routable_san is provided should use the provided sni_routable_san
rspec ./spec/route_registar_templates_spec.rb:781 # route_registrar config/registrar_settings.json when type is sni and frontend_tls is disabled and sni_rewrite_san is provided raises an error for invalid sni_rewrite_san

@Joey-Rose Joey-Rose force-pushed the joey-add-sni-rewrite-support branch from 78ab0b4 to 62255df Compare January 15, 2026 22:39
@Joey-Rose
Update the route registrar sni_rewrite_san field validation logic + d…
e399a69 
…ocs to require type: sni and terminate_frontend_tls: true if sni_rewrite_san is set
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ameowlia ameowlia ameowlia requested changes

+1 more reviewer

@neowulf neowulf neowulf left review comments

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

Application Runtime Platform Working Group
Status: Inbox

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Joey-Rose @ameowlia @neowulf