Implementation of SDS

[JimmyCYJ]

Description: Implement SDS api that fetches secrets from remote SDS server. Secrets are stored in Secret Provider. Listeners and Clusters are updated when secrets are received.
Risk Level: Low
Testing: Unit tests and integration tests
Fixes #1194

Signed-off-by: Jimmy Chen jimmychen.0102@gmail.com

[JimmyCYJ]

cc @lizan @qiwzhang @PiotrSikora

[lizan]

nit: revert

[lizan]

why did this need to be a non static private function? I don't think it uses any member variable?

[qiwzhang]

setSecretUpdateCallback

[JimmyCYJ]

Changed.

[qiwzhang]

Can move subcription_ creation into the constructor so we don't need to store so many object references.

Only call start in the initialize() function

[JimmyCYJ]

We cannot move subcription_ into constructor. Envoy::Config::SubscriptionFactory::subscriptionFromConfigSourceenvoy::api::v2::auth::Secre will access members of those objects, which are not ready when SdsApi constructor is called. That causes segmentation fault in test runs.

[qiwzhang]

for easy to read, maybe create a member function removeDynamicSecretProvider() function, can the lambda function just call it.

[JimmyCYJ]

Done. Thanks.

[qiwzhang]

move it .cc file

[qiwzhang]

move it to .cc file

[qiwzhang]

only save the callback when provider is not null.

You can do

if (secret_callback_) {
if (secret_callback_) {
secret_callback_->remove
}
secret_callback_ = &callback;
secret_callback_->add
}

[JimmyCYJ]

Done.

[qiwzhang]

Please add comment for this class
// This SslSocket will be used when SSL secret is not fetched from SDS server.

[JimmyCYJ]

Done.

[qiwzhang]

You can call erase() directly, then check the return value. If 0, log an error.

[JimmyCYJ]

Nice advice. Thanks!

[qiwzhang]

may not need this variable, just use the lambda directly in the function argument. such

xxx(....,
[map_key, this] () { removeDynamicSecretProvider(map_key); }
);

[lizan]

Can you merge master and run clang-format on 6.0 per #4168?

[JimmyCYJ]

@lizan I have run clang-format on 6.0

[lizan]

nit: unused include

[lizan]

string is not used either...

[mattklein123]

Thanks for the hard work here and extra thanks for the integration tests. It gives me good confidence this change works. Nice! I have some high level comments to get started with. FYI, @htuch is going to take over senior maintainer review on this since I am out for a month starting tomorrow. Thank you!

[mattklein123]

nit: It would probably be better to just move this interface into the secret or SSL/TLS namespace but not a big deal.

[JimmyCYJ]

Thanks, I will keep this.

[mattklein123]

Do we need the forward declare here?

[JimmyCYJ]

I have removed this forward declaration and included secret_callbacks.h.

[mattklein123]

Can we add more information about what ready means?

[JimmyCYJ]

Comment is updated.

[mattklein123]

Can you add more information about when callbacks will be invoked? It's not clear at the interface level why/when this happens.

[JimmyCYJ]

More information is added into comment. Thanks.

[mattklein123]

It's not optimal that this interface has a setter and a getter for the init manager. Is there any way to simplify this so that the init manager is known ahead of time and we only need a getter?

[JimmyCYJ]

Ideally the init manager should exist when we create TransportSocketFactoryContext, so that we only need a getter. But we create TransportSocketFactoryContext at ClusterManagerFactory and then create init manager per cluster, we have to add it into factory context. @qiwzhang proposed #3831, I think once we are working on that, we can get rid of this setter.

[htuch]

Shouldn't the init manager then be part of the factory context?

[JimmyCYJ]

For now, init manager is per cluster. At the time of the construction of TransportSocketFactoryContext, per cluster init manager is not available. We have to set it when init manager is available.

[mattklein123]

Do we really need this? What causes us to require an instantiated connection? Can't we cause the control flow to return in such a way that there is no socket and we just fail whatever we are doing?

[qiwzhang]

Our first attempt was to return nullptr in socket creation when ssl_context is not ready (SDS client failed to get secret). This works for ListenerImpl, but did not work for ClusterImpl. After looked at the ClusterImpl codes, most of them do not expect nullptr socket nor nullptr connection. It will require a lot of code changes to make these code to handle null connection.

For less code change, we decided to return such dummy socket which would just reset the connect.

[mattklein123]

I don't have an opinion on whether this is the best course of action or not. @htuch hopefully can have a look. In general I would prefer that we don't do this but if it's the best way I can accept that.

[mattklein123]

Pretty positive this needs locking. I think you will be accessing ssl_ctx_ across threads to make transport sockets. Thus, you will need a R/W lock here and ultimately should move to using TLS but a R/W lock is OK for now? I think at a high level having a locking/threading analysis of this change would be useful. Can you add that to the description somewhere?

[JimmyCYJ]

Good point! Thanks! Will add R/W lock.

[JimmyCYJ]

I have added a lock to protect read/write to ssl_ctx_, and added comments.

[lizan]

I don't think you will need a lock beyond what shared_ptr already provide, it seems unnecessary. Though you might want to have a local variable of shared_ptr during create socket, so the access to the member variable is always atomic.

[JimmyCYJ]

@lizan Thanks for pointing this out. Yes the lock is not necessary as we already use shared_ptr. They are removed.

[mattklein123]

Locking. Is there a way to share this code in a base class somehow? Would prefer to not implement a bunch of this twice.

[JimmyCYJ]

Lock is added, thanks! ServerSslSocketFactory::onAddOrUpdateSecret() and ClientSslSocketFactory::onAddOrUpdateSecret() are different, one owns ServerContextSharedPtr ssl_ctx_ and the other owns ClientContextSharedPtr ssl_ctx_, and they are created by calling different methods at context manager. I would like to leave this method in separate class.

[mattklein123]

Please move init_manager_impl out of server/ and into a new subdirectory in source/ called init/. Feel free to do this in a followup but please add a TODO.

[JimmyCYJ]

Added TODO in init_manager_impl.h. Thanks.

[mattklein123]

Remove references to SDS or make it clear that SDS is one of the things that init manager is used for. We are likely to add other things in the future.

[JimmyCYJ]

Removed references to SDS from comment. Thanks.

[htuch]

Some comments to get started. This is a pretty huge PR; FWIW, I strongly encourage shorter PRs for reviewabilty and velocity.

[htuch]

Nit: s/contains/containing a/

[JimmyCYJ]

Done. Thanks.

[htuch]

Nit: full stop at end of sentence.

[JimmyCYJ]

Done. Thanks.

[htuch]

Nit: @return TlsCertificateConfigProviderSharedPtr the dynamic TLS secret provider.

[JimmyCYJ]

Done. Thanks.

[htuch]

Can you add some comments on thread safety? E.g. from which threads is it safe to call this, on which thread will the callback be invoked?

[JimmyCYJ]

Comments are added. Thanks.

[htuch]

Shouldn't the init manager then be part of the factory context?

[htuch]

Nit: !=

[JimmyCYJ]

Done.

[htuch]

This should be RELEASE_ASSERT; otherwise in opt builds, this entire line disappears.

[JimmyCYJ]

Thanks for pointing that out. Fixed.

[htuch]

Nit:const std::string

[JimmyCYJ]

Done.

[htuch]

Maybe add some lifetime comments here. @ambuc recently hit issues where these kinds of callbacks were invoked and the equivalent of SdsApi outlived the equivalent of SecreteManagerImpl (this was in ListenerManager).

[JimmyCYJ]

The lifetime issue has been captured by integration tests. We have adjusted the order of secret manager and other components to make sure SdsApi objects are destroyed before SecretManagerImpl. Comments are added. Thanks.

[htuch]

I haven't looked into this yet, but this is something I'd like to understand the necessity for better; usually in Envoy, needing to do shared memory concurrency is not needed, and other mechanisms like TLS posting are the right solution.

[JimmyCYJ]

lock is not necessary as @lizan points out here, I have removed them.

[htuch]

@JimmyCYJ also, personal plea to avoid force push; general GH etiquette avoids this to make reviewer lives easier (so they can just look a the delta between each PR).

[JimmyCYJ]

@htuch Thanks for reviewing this PR, I have created PR #4231 which has SDS api and dummy socket, and they are not in use.

[JimmyCYJ]

This PR didn't update correctly. I am going to close this one and create a new PR.

[JimmyCYJ]

I have created PR #4256, please take a look. Thanks!