envoyproxy · snowp · Apr 20, 2021 · Apr 12, 2021 · Apr 12, 2021 · Apr 12, 2021
diff --git a/configs/envoy-tap-config.yaml b/configs/envoy-tap-config.yaml
@@ -0,0 +1,69 @@
+admin:
+  address:
+    socket_address:
+      protocol: TCP
+      address: 0.0.0.0
+      port_value: 9901
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address:
+        protocol: TCP
+        address: 0.0.0.0
+        port_value: 10000
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          stat_prefix: ingress_http
+          access_log:
+          - name: envoy.access_loggers.stdout
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains: ["*"]
+              routes:
+              - match:
+                  prefix: "/"
+                route:
+                  host_rewrite_literal: www.envoyproxy.io
+                  cluster: service_envoyproxy_io
+          http_filters:
+          - name: envoy.filters.http.router
+  clusters:
+  - name: service_envoyproxy_io
+    connect_timeout: 30s
+    type: LOGICAL_DNS
+    # Comment out the following line to test on v6 networks
+    dns_lookup_family: V4_ONLY
+    lb_policy: ROUND_ROBIN
+    load_assignment:
+      cluster_name: service_envoyproxy_io
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: www.envoyproxy.io
+                port_value: 443
+    transport_socket:
+      name: envoy.transport_sockets.tap
+      typed_config:
+        '@type': type.googleapis.com/envoy.extensions.transport_sockets.tap.v3.Tap
+        common_config:
+          admin_config:
+            config_id: api-gateway
+        transport_socket:
+          name: envoy.transport_sockets.tls
+          typed_config:
+            '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+            allow_renegotiation: true
+            common_tls_context:
+              tls_params:
+                tls_minimum_protocol_version: TLSv1_2
+            sni: "service"
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
@@ -19,6 +19,8 @@ Bug Fixes
 ---------
 *Changes expected to improve the state of the world and are unlikely to have negative effects*
 
+* validation: fix an issue that causes TAP sockets to panic during config validation mode.
+
 Removed Config or Runtime
 -------------------------
 *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`

diff --git a/source/server/config_validation/BUILD b/source/server/config_validation/BUILD
@@ -9,8 +9,10 @@ envoy_cc_library(
     srcs = ["admin.cc"],
     hdrs = ["admin.h"],
     deps = [
+        "//include/envoy/network:listen_socket_interface",
         "//include/envoy/server:admin_interface",
         "//source/common/common:assert_lib",
+        "//source/common/network:listen_socket_lib",
         "//source/server/admin:config_tracker_lib",
     ],
 )

diff --git a/source/server/config_validation/admin.cc b/source/server/config_validation/admin.cc
@@ -10,7 +10,7 @@ bool ValidationAdmin::addHandler(const std::string&, const std::string&, Handler
 
 bool ValidationAdmin::removeHandler(const std::string&) { return true; }
 
-const Network::Socket& ValidationAdmin::socket() { NOT_IMPLEMENTED_GCOVR_EXCL_LINE; }
+const Network::Socket& ValidationAdmin::socket() { return *socket_; }
 
 ConfigTracker& ValidationAdmin::getConfigTracker() { return config_tracker_; }
 

diff --git a/source/server/config_validation/admin.h b/source/server/config_validation/admin.h
@@ -1,8 +1,10 @@
 #pragma once
 
+#include "envoy/network/listen_socket.h"
 #include "envoy/server/admin.h"
 
 #include "common/common/assert.h"
+#include "common/network/listen_socket_impl.h"
 
 #include "server/admin/config_tracker_impl.h"
 
@@ -16,6 +18,12 @@ namespace Server {
  */
 class ValidationAdmin : public Admin {
 public:
+  // We want to implement the socket interface without implementing the http listener function.
+  // This is useful for TAP because it wants to emit warnings when the address type is UDS
+  explicit ValidationAdmin(Network::Address::InstanceConstSharedPtr address)
+      : socket_(address ? std::make_shared<Network::TcpListenSocket>(nullptr, std::move(address),
+                                                                     nullptr)
+                        : nullptr) {}
   bool addHandler(const std::string&, const std::string&, HandlerCb, bool, bool) override;
   bool removeHandler(const std::string&) override;
   const Network::Socket& socket() override;
@@ -32,6 +40,7 @@ class ValidationAdmin : public Admin {
 
 private:
   ConfigTrackerImpl config_tracker_;
+  Network::SocketSharedPtr socket_;
 };
 
 } // namespace Server

diff --git a/source/server/config_validation/server.cc b/source/server/config_validation/server.cc
@@ -92,8 +92,9 @@ void ValidationInstance::initialize(const Options& options,
   overload_manager_ = std::make_unique<OverloadManagerImpl>(
       dispatcher(), stats(), threadLocal(), bootstrap.overload_manager(),
       messageValidationContext().staticValidationVisitor(), *api_, options_);
-  listener_manager_ = std::make_unique<ListenerManagerImpl>(*this, *this, *this, false);
   Configuration::InitialImpl initial_config(bootstrap, options, *this);
+  admin_ = std::make_unique<Server::ValidationAdmin>(initial_config.admin().address());
+  listener_manager_ = std::make_unique<ListenerManagerImpl>(*this, *this, *this, false);
   thread_local_.registerThread(*dispatcher_, true);
   runtime_singleton_ = std::make_unique<Runtime::ScopedLoaderSingleton>(
       component_factory.createRuntime(*this, initial_config));

diff --git a/source/server/config_validation/server.h b/source/server/config_validation/server.h
@@ -69,7 +69,7 @@ class ValidationInstance final : Logger::Loggable<Logger::Id::main>,
                      Filesystem::Instance& file_system);
 
   // Server::Instance
-  Admin& admin() override { return admin_; }
+  Admin& admin() override { return *admin_; }
   Api::Api& api() override { return *api_; }
   Upstream::ClusterManager& clusterManager() override { return *config_.clusterManager(); }
   Ssl::ContextManager& sslContextManager() override { return *ssl_context_manager_; }
@@ -192,7 +192,7 @@ class ValidationInstance final : Logger::Loggable<Logger::Id::main>,
   ThreadLocal::InstanceImpl thread_local_;
   Api::ApiPtr api_;
   Event::DispatcherPtr dispatcher_;
-  Server::ValidationAdmin admin_;
+  std::unique_ptr<Server::ValidationAdmin> admin_;
   Singleton::ManagerPtr singleton_manager_;
   std::unique_ptr<Runtime::ScopedLoaderSingleton> runtime_singleton_;
   Random::RandomGeneratorImpl random_generator_;

diff --git a/test/mocks/server/admin.cc b/test/mocks/server/admin.cc
@@ -3,6 +3,7 @@
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 
+using testing::_;
 using testing::Return;
 using testing::ReturnRef;
 
@@ -13,6 +14,8 @@ MockAdmin::MockAdmin() {
   ON_CALL(*this, getConfigTracker()).WillByDefault(ReturnRef(config_tracker_));
   ON_CALL(*this, concurrency()).WillByDefault(Return(1));
   ON_CALL(*this, socket()).WillByDefault(ReturnRef(socket_));
+  ON_CALL(*this, addHandler(_, _, _, _, _)).WillByDefault(Return(true));
+  ON_CALL(*this, removeHandler(_)).WillByDefault(Return(true));
 }
 
 MockAdmin::~MockAdmin() = default;