Add envoy.filters.network.sni_to_metadata #41275
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Ben Plotnick <[email protected]>
Signed-off-by: Ben Plotnick <[email protected]>
Signed-off-by: Ben Plotnick <[email protected]>
Signed-off-by: Ben Plotnick <[email protected]>
Signed-off-by: Ben Plotnick <[email protected]>
Signed-off-by: Ben Plotnick <[email protected]>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
Signed-off-by: Ben Plotnick <[email protected]>
Signed-off-by: Ben Plotnick <[email protected]>
wbpcode
reviewed
Oct 5, 2025
Comment on lines
+20
to
+53
| message SniToMetadataFilter { | ||
| // MetadataTarget defines where to store extracted metadata. | ||
| message MetadataTarget { | ||
| // The metadata namespace to use when storing the result. | ||
| // If empty, defaults to ``envoy.filters.network.sni_to_metadata`` | ||
| string metadata_namespace = 1; | ||
|
|
||
| // The metadata key to use when storing the result. | ||
| string metadata_key = 2 [(validate.rules).string = {min_len: 1}]; | ||
|
|
||
| // The metadata value to store. If empty, the entire matched SNI value will be used. | ||
| // This field supports capture group substitution using numbered groups from the regex pattern. | ||
| // For example: ``app-\\1-\\2`` where ``\\1`` and ``\\2`` refer to the first and second capture groups (note escaped backslashes). | ||
| string metadata_value = 3; | ||
| } | ||
|
|
||
| // ConnectionRule defines a rule for extracting metadata from SNI. | ||
| message ConnectionRule { | ||
| // The regex pattern to match against the SNI value. | ||
| // Supports Google RE2 numbered capture groups. | ||
| // Example: ``^([^.]+)\.([^.]+)\.([^.]+)\.example\.com$`` | ||
| // If not specified, the rule will always match and use the entire SNI value. | ||
| type.matcher.v3.RegexMatcher pattern = 1; | ||
|
|
||
| // List of metadata targets to populate when this rule matches. | ||
| // Each target can use capture groups from the regex pattern in its metadata_value. | ||
| // If no pattern is specified, metadata_value will be used as-is or default to the full SNI. | ||
| repeated MetadataTarget metadata_targets = 2 [(validate.rules).repeated = {min_items: 1}]; | ||
| } | ||
|
|
||
| // List of connection rules to evaluate against the SNI. | ||
| // Rules are evaluated in order, and the first matching rule will be applied. | ||
| repeated ConnectionRule connection_rules = 1 [(validate.rules).repeated = {min_items: 1}]; | ||
| } |
There was a problem hiding this comment.
Could you take the HeaderToMetadata as a reference and use the similar API (like the same KeyValuePair)? So, it would be more friendly for new users.
| // Supports Google RE2 numbered capture groups. | ||
| // Example: ``^([^.]+)\.([^.]+)\.([^.]+)\.example\.com$`` | ||
| // If not specified, the rule will always match and use the entire SNI value. | ||
| type.matcher.v3.RegexMatcher pattern = 1; |
There was a problem hiding this comment.
We prefer StringMatcher rather than single regex matcher. :)
|
/wait |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This implements a new filter
envoy.filter.network.sni_to_metadata.Commit Message: Adds a new SNI-to-Metadata filter that extracts the SNI of the client connection and stores it in the connection dynamic metadata.
Additional Description: SNI-to-Metadata filter extracts the SNI of the client connection and stores it in the connection dynamic metadata. It is able to conditionally extract based on regex patters as well as extract fields and format the metadata using regex capture groups.
Risk Level: Low
Testing: unit testing
Docs Changes:
Release Notes:
Platform Specific Features:
Fixes: #41262