Merge pull request envoyproxy#4 from mangchiandjjoe/sds_dynamic_secret

Sds dynamic secret
JimmyCYJ · Jun 6, 2018 · fc5cbdc · fc5cbdc
2 parents c585dfe + 80042a0
commit fc5cbdc
Show file tree

Hide file tree

Showing 72 changed files with 1,701 additions and 137 deletions.
diff --git a/include/envoy/secret/BUILD b/include/envoy/secret/BUILD
@@ -0,0 +1,30 @@
+licenses(["notice"])  # Apache 2
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "secret_interface",
+    hdrs = ["secret.h"],
+)
+
+envoy_cc_library(
+    name = "secret_callbacks_interface",
+    hdrs = ["secret_callbacks.h"],
+)
+
+envoy_cc_library(
+    name = "secret_manager_interface",
+    hdrs = ["secret_manager.h"],
+    deps = [
+        ":secret_callbacks_interface",
+        ":secret_interface",
+        "@envoy_api//envoy/api/v2/auth:cert_cc",
+        "@envoy_api//envoy/api/v2/core:config_source_cc",
+    ],
+)
diff --git a/include/envoy/secret/secret.h b/include/envoy/secret/secret.h
@@ -0,0 +1,41 @@
+#pragma once
+
+#include <memory>
+#include <string>
+
+#include "envoy/common/pure.h"
+
+namespace Envoy {
+namespace Secret {
+
+class Secret;
+
+typedef std::shared_ptr<Secret> SecretSharedPtr;
+
+/**
+ * An instance of the secret.
+ */
+class Secret {
+public:
+  virtual ~Secret() {}
+
+  enum SecretType { TLS_CERTIFICATE };
+
+  /**
+   * @return a name of the secret.
+   */
+  virtual const std::string& name() const PURE;
+
+  /**
+   * @return a type of the secret instance.
+   */
+  virtual SecretType type() const PURE;
+
+  /**
+   * @return true if secret contains same values. Otherwise returns false.
+   */
+  virtual bool equalTo(const SecretSharedPtr& secret) const PURE;
+};
+
+} // namespace Secret
+} // namespace Envoy
diff --git a/include/envoy/secret/secret_callbacks.h b/include/envoy/secret/secret_callbacks.h
@@ -0,0 +1,22 @@
+#pragma once
+
+#include <memory>
+#include <string>
+
+#include "envoy/common/pure.h"
+
+namespace Envoy {
+namespace Secret {
+
+/**
+ * Callbacks invoked by a secret manager.
+ */
+class SecretCallbacks {
+public:
+  virtual ~SecretCallbacks() {}
+
+  virtual void onAddOrUpdateSecret() PURE;
+};
+
+} // namespace Secret
+} // namespace Envoy
diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h
@@ -0,0 +1,59 @@
+#pragma once
+
+#include "envoy/api/v2/auth/cert.pb.h"
+#include "envoy/api/v2/core/config_source.pb.h"
+#include "envoy/secret/secret.h"
+#include "envoy/secret/secret_callbacks.h"
+
+namespace Envoy {
+namespace Secret {
+
+/**
+ * A manager for all static secrets
+ */
+class SecretManager {
+public:
+  virtual ~SecretManager() {}
+
+  /**
+   * add or update secret grouped by type.
+   * @param sdsConfigSourceHash a hash string of normalized config source. If it is empty string,
+   *        find secret from the static secrets.
+   * @param secret a shared_ptr of an implementation of Secret.
+   */
+  virtual void addOrUpdateSecret(const std::string& sdsConfigSourceHash,
+                                 const envoy::api::v2::auth::Secret& secret) PURE;
+
+  /**const envoy::api::v2::auth::Secret& secret
+   * @param sdsConfigSourceHash hash string of normalized config source.
+   * @param name a name of the secret
+   * @return the secret in given type. Returns nullptr if the secret is not found.
+   */
+  virtual const SecretSharedPtr findSecret(Secret::SecretType type,
+                                           const std::string& sdsConfigSourceHash,
+                                           const std::string& name) const PURE;
+
+  /**
+   * Add or update SDS config source. SecretManager start downloading secrets from registered
+   * config source.
+   *
+   * @param sdsConfigSource a protobuf message object contains SDS config source.
+   * @return a hash string of normalized config source
+   */
+  virtual std::string
+  addOrUpdateSdsService(const envoy::api::v2::core::ConfigSource& sdsConfigSource) PURE;
+
+  /**
+   * Register callback function when on secret were updated.
+   *
+   * @param hash Hash code of ConfigSource
+   * @param secret updated SecretSharedPtr
+   * @param callback Callback function
+   */
+  virtual void registerSecretCallbacks(const std::string config_source_hash,
+                                       const std::string secret_name,
+                                       SecretCallbacks& callback) PURE;
+};
+
+} // namespace Secret
+} // namespace Envoy
diff --git a/include/envoy/server/BUILD b/include/envoy/server/BUILD
@@ -96,6 +96,7 @@ envoy_cc_library(
         "//include/envoy/local_info:local_info_interface",
         "//include/envoy/ratelimit:ratelimit_interface",
         "//include/envoy/runtime:runtime_interface",
+        "//include/envoy/secret:secret_manager_interface",
         "//include/envoy/ssl:context_manager_interface",
         "//include/envoy/thread_local:thread_local_interface",
         "//include/envoy/tracing:http_tracer_interface",
@@ -172,6 +173,7 @@ envoy_cc_library(
     hdrs = ["transport_socket_config.h"],
     deps = [
         "//include/envoy/network:transport_socket_interface",
+        "//include/envoy/secret:secret_manager_interface",
         "//include/envoy/ssl:context_manager_interface",
         "//source/common/protobuf",
     ],

diff --git a/include/envoy/server/instance.h b/include/envoy/server/instance.h
@@ -11,6 +11,7 @@
 #include "envoy/network/listen_socket.h"
 #include "envoy/ratelimit/ratelimit.h"
 #include "envoy/runtime/runtime.h"
+#include "envoy/secret/secret_manager.h"
 #include "envoy/server/admin.h"
 #include "envoy/server/drain_manager.h"
 #include "envoy/server/hot_restart.h"
@@ -113,6 +114,11 @@ class Instance {
    */
   virtual ListenerManager& listenerManager() PURE;
 
+  /**
+   * @return the server's secret manager.
+   */
+  virtual Secret::SecretManager& secretManager() PURE;
+
   /**
    * @return the server's CLI options.
    */

diff --git a/include/envoy/server/transport_socket_config.h b/include/envoy/server/transport_socket_config.h
@@ -3,6 +3,7 @@
 #include <string>
 
 #include "envoy/network/transport_socket.h"
+#include "envoy/secret/secret_manager.h"
 #include "envoy/ssl/context_manager.h"
 
 #include "common/protobuf/protobuf.h"

diff --git a/include/envoy/ssl/context_config.h b/include/envoy/ssl/context_config.h
@@ -106,6 +106,17 @@ class ContextConfig {
    * @return The maximum TLS protocol version to negotiate.
    */
   virtual unsigned maxProtocolVersion() const PURE;
+
+  /**
+   * @return The hash code of SdsSecretConfig in std::string. If the SdsSecretConfig is empty, then
+   *         returns empty string.
+   */
+  virtual const std::string& sdsConfigShourceHash() const PURE;
+
+  /**
+   * @return The secret name in SdsSecretConfig. SdsSecretConfig is empty, returns empty string.
+   */
+  virtual const std::string& sdsSecretName() const PURE;
 };
 
 class ClientContextConfig : public virtual ContextConfig {

diff --git a/include/envoy/ssl/context_manager.h b/include/envoy/ssl/context_manager.h
@@ -2,6 +2,7 @@
 
 #include <functional>
 
+#include "envoy/secret/secret_manager.h"
 #include "envoy/ssl/context.h"
 #include "envoy/ssl/context_config.h"
 #include "envoy/stats/stats.h"
@@ -22,13 +23,22 @@ class ContextManager {
   virtual ClientContextPtr createSslClientContext(Stats::Scope& scope,
                                                   const ClientContextConfig& config) PURE;
 
+  virtual ClientContextPtr updateSslClientContext(const ClientContextPtr& context,
+                                                  Stats::Scope& scope,
+                                                  const ClientContextConfig& config) PURE;
+
   /**
    * Builds a ServerContext from a ServerContextConfig.
    */
   virtual ServerContextPtr
   createSslServerContext(Stats::Scope& scope, const ServerContextConfig& config,
                          const std::vector<std::string>& server_names) PURE;
 
+  virtual ServerContextPtr
+  updateSslServerContext(const ServerContextPtr& context, Stats::Scope& scope,
+                         const ServerContextConfig& config,
+                         const std::vector<std::string>& server_names) PURE;
+
   /**
    * @return the number of days until the next certificate being managed will expire.
    */
@@ -38,6 +48,11 @@ class ContextManager {
    * Iterate through all currently allocated contexts.
    */
   virtual void iterateContexts(std::function<void(const Context&)> callback) PURE;
+
+  /**
+   * Return the secret manager
+   */
+  virtual Secret::SecretManager& secretManager() PURE;
 };
 
 } // namespace Ssl

diff --git a/source/common/config/BUILD b/source/common/config/BUILD
@@ -237,6 +237,7 @@ envoy_cc_library(
     hdrs = ["protobuf_link_hacks.h"],
     deps = [
         "@envoy_api//envoy/service/discovery/v2:ads_cc",
+        "@envoy_api//envoy/service/discovery/v2:sds_cc",
         "@envoy_api//envoy/service/ratelimit/v2:rls_cc",
     ],
 )

diff --git a/source/common/config/protobuf_link_hacks.h b/source/common/config/protobuf_link_hacks.h
@@ -1,12 +1,14 @@
 #pragma once
 
 #include "envoy/service/discovery/v2/ads.pb.h"
+#include "envoy/service/discovery/v2/sds.pb.h"
 #include "envoy/service/ratelimit/v2/rls.pb.h"
 
 namespace Envoy {
 
 // Hack to force linking of the service: https://github.com/google/protobuf/issues/4221.
 // This file should be included ONLY if this hack is required.
 const envoy::service::discovery::v2::AdsDummy _ads_dummy;
+const envoy::service::discovery::v2::SdsDummy _sds_dummy;
 const envoy::service::ratelimit::v2::RateLimitRequest _rls_dummy;
 } // namespace Envoy
diff --git a/source/common/config/resources.h b/source/common/config/resources.h
@@ -14,6 +14,7 @@ class TypeUrlValues {
 public:
   const std::string Listener{"type.googleapis.com/envoy.api.v2.Listener"};
   const std::string Cluster{"type.googleapis.com/envoy.api.v2.Cluster"};
+  const std::string Secret{"type.googleapis.com/envoy.api.v2.auth.Secret"};
   const std::string ClusterLoadAssignment{"type.googleapis.com/envoy.api.v2.ClusterLoadAssignment"};
   const std::string RouteConfiguration{"type.googleapis.com/envoy.api.v2.RouteConfiguration"};
 };

diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD
@@ -0,0 +1,61 @@
+licenses(["notice"])  # Apache 2
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "secret_manager_util",
+    hdrs = ["secret_manager_util.h"],
+    deps = [
+        "//source/common/json:json_loader_lib",
+        "@envoy_api//envoy/api/v2/core:config_source_cc",
+    ],
+)
+
+envoy_cc_library(
+    name = "secret_manager_impl_lib",
+    srcs = ["secret_manager_impl.cc"],
+    hdrs = ["secret_manager_impl.h"],
+    deps = [
+        ":sds_api_lib",
+        ":secret_manager_util",
+        "//include/envoy/secret:secret_manager_interface",
+        "//include/envoy/server:instance_interface",
+        "//source/common/ssl:tls_certificate_config_impl_lib",
+    ],
+)
+
+envoy_cc_library(
+    name = "sds_api_lib",
+    srcs = ["sds_api.cc"],
+    hdrs = ["sds_api.h"],
+    deps = [
+        ":sds_subscription_lib",
+        ":secret_manager_util",
+        "//include/envoy/config:subscription_interface",
+        "//include/envoy/secret:secret_interface",
+        "//include/envoy/secret:secret_manager_interface",
+        "//include/envoy/server:instance_interface",
+        "//source/common/config:resources_lib",
+        "//source/common/config:subscription_factory_lib",
+        "//source/common/ssl:tls_certificate_config_impl_lib",
+    ],
+)
+
+envoy_cc_library(
+    name = "sds_subscription_lib",
+    srcs = ["sds_subscription.cc"],
+    hdrs = ["sds_subscription.h"],
+    deps = [
+        "//include/envoy/config:subscription_interface",
+        "//source/common/config:lds_json_lib",
+        "//source/common/config:utility_lib",
+        "//source/common/http:rest_api_fetcher_lib",
+        "//source/common/json:json_validator_lib",
+    ],
+)