Fetch certificate validation context using SDS service. #4355
htuch merged 18 commits into envoyproxy:master from
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
I am adding unit tests and integration tests to cover this change.
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
| Common::CallbackHandle* tls_certificate_update_callback_handle_; | ||
| Secret::CertificateValidationContextConfigProviderSharedPtr | ||
| certficate_validation_context_provider_; | ||
| Common::CallbackHandle* certificate_validation_context_update_callback_handle_; |
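Review bot: `certficate_validation_context_provider_` in the third line of this hunk is misspelled (`certficate` for `certificate`), while the handle declared right after it, `certificate_validation_context_update_callback_handle_`, spells the word correctly. Rename the member to `certificate_validation_context_provider_` so the two related names match and a search for one finds the other.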
…_api Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
| } | ||
|
|
||
| CertificateValidationContextConfigProviderSharedPtr | ||
| SecretManagerImpl::findOrCreateCertificateValidationContextProvider( |
The code is similar for this function and the other. Try to share them by creating a
SdsApiSharedPtr innerFindOrCreate(..., create_fn);
Then, each function will provide its creation_function to create the proper object,
| RepeatedPtrUtil::join(config.tls_params().ecdh_curves(), ":"), DEFAULT_ECDH_CURVES)), | ||
| tls_certficate_provider_(getTlsCertificateConfigProvider(config, factory_context)), | ||
| secret_update_callback_handle_(nullptr), | ||
| tls_certificate_update_callback_handle_(nullptr), |
Use {} to initialize the raw pointer.
| const std::string ecdh_curves_; | ||
| Secret::TlsCertificateConfigProviderSharedPtr tls_certficate_provider_; | ||
| Common::CallbackHandle* secret_update_callback_handle_; | ||
| Common::CallbackHandle* tls_certificate_update_callback_handle_; |
Just add {} next to the raw pointer to initialize it.
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
| TlsCertificateConfigProviderSharedPtr SecretManagerImpl::findOrCreateTlsCertificateProvider( | ||
| const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name, | ||
| Server::Configuration::TransportSocketFactoryContext& secret_provider_context) { | ||
| std::function<SdsApiSharedPtr(std::function<void()> unregister_secret_provider)> create_fn = |
Just use auto, as in
auto create_fn = [&]
In the capture, there is no need to list all used variables; just one & to tell the compiler that all used variables are using reference.
| std::function<SdsApiSharedPtr(std::function<void()> unregister_secret_provider)> create_fn = | ||
| [&sds_config_source, &config_name, &secret_provider_context]( | ||
| std::function<void()> unregister_secret_provider) -> SdsApiSharedPtr { | ||
| return std::make_shared<TlsCertificateSdsApi>( |
How about moving this make_shared code to a static create() function in the TlsCertificateSdsApi class?
source/common/secret/sds_api.cc
Outdated
| secret.type_case() == envoy::api::v2::auth::Secret::TypeCase::kValidationContext) { | ||
| secret_hash_ = new_hash; | ||
| secrets_ = | ||
| certificate_validation_context_secrets_ = |
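Review bot: `secret_hash_ = new_hash;` is assigned before the new object is stored in `certificate_validation_context_secrets_`. If constructing that object fails, the stored hash no longer matches the stored secret; set the hash only after the assignment has succeeded.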
These two updateConfigHelper are almost the same. Can we move them to the sds_api base class?
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
source/common/secret/sds_api.h
Outdated
| Stats::Store& stats, Upstream::ClusterManager& cluster_manager, | ||
| Init::Manager& init_manager, | ||
| const envoy::api::v2::core::ConfigSource& sds_config, | ||
| const std::string& sds_config_name, |
Can we use provider_context in the create() function so there are fewer arguments to pass?
test/common/secret/sds_api_test.cc
Outdated
| auto sds_api = std::static_pointer_cast<CertificateValidationContextSdsApi>( | ||
| CertificateValidationContextSdsApi::create( | ||
| server.localInfo(), server.dispatcher(), server.random(), server.stats(), | ||
| server.clusterManager(), init_manager, config_source, "abc.com", []() {})); |
You don't need to change this. It can still use the constructor.
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
source/common/secret/sds_api.h
Outdated
| : SdsApi(local_info, dispatcher, random, stats, cluster_manager, init_manager, sds_config, | ||
| sds_config_name, destructor_cb, | ||
| [this](const uint64_t new_hash, const envoy::api::v2::auth::Secret& secret) { | ||
| if (new_hash != secret_hash_ && |
This create_secret_fn is doing more than creating a secret. It is confusing.
My idea: the derived class overloads two virtual functions:
secret_type() and set_secret(). That is it. Most of the updateConfig() logic is in the sds_api class.
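The split proposed in the comment above, as an added sketch that is not Envoy's code or part of this PR: the base class owns the type check, the hash comparison and the update callbacks, and a derived class supplies only the secret type and the storage. `SdsApiSketch`, `Secret`, `SecretType` and the `std::hash` fingerprint are stand-ins assumed for illustration.

```cpp
#include <cstdint>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Stand-in for envoy::api::v2::auth::Secret (assumed shape): a type tag plus payload.
enum class SecretType { TlsCertificate, ValidationContext };
struct Secret { SecretType type; std::string name; std::string payload; };

// Base class: owns the type check, the hash comparison and callback dispatch.
class SdsApiSketch {
public:
  virtual ~SdsApiSketch() = default;
  void addUpdateCallback(std::function<void()> cb) { callbacks_.push_back(std::move(cb)); }
  // Returns true only when a new secret of the expected type was stored.
  bool onConfigUpdate(const Secret& secret) {
    if (secret.type != secretType()) return false; // wrong kind for this subscription
    const std::uint64_t new_hash =
        std::hash<std::string>{}(secret.name + '\0' + secret.payload);
    if (has_secret_ && new_hash == secret_hash_) return false; // unchanged, no reload
    setSecret(secret);       // store first ...
    secret_hash_ = new_hash; // ... then record the hash, so a throwing setSecret is retried
    has_secret_ = true;
    for (const auto& cb : callbacks_) cb(); // tell listeners to rebuild their contexts
    return true;
  }
protected:
  virtual SecretType secretType() const = 0;
  virtual void setSecret(const Secret& secret) = 0;
private:
  std::vector<std::function<void()>> callbacks_;
  std::uint64_t secret_hash_{0}; // private: derived classes never touch the hash
  bool has_secret_{false};
};

// Derived class: names its secret type and stores the payload, nothing else.
class ValidationContextSdsSketch : public SdsApiSketch {
public:
  const std::string& trustedCa() const { return trusted_ca_; }
protected:
  SecretType secretType() const override { return SecretType::ValidationContext; }
  void setSecret(const Secret& secret) override { trusted_ca_ = secret.payload; }
private:
  std::string trusted_ca_;
};
```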
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
LGTM
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
…_api Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
htuch left a comment
Looks good, should be shippable after this round of feedback.
source/common/secret/sds_api.h
Outdated
| } | ||
| protected: | ||
| // Creates new secrets. | ||
| virtual void set_secret(const envoy::api::v2::auth::Secret&) PURE; |
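Review bot: the comment `// Creates new secrets.` above `set_secret` does not match the name, which says the function stores a secret it is handed. Reword the comment to state what a derived class must do with the `Secret` argument, and consider `setSecret` to match the camelCase used for the other methods in this change, such as `findOrCreateTlsCertificateProvider`.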
source/common/secret/sds_api.h
Outdated
| // Creates new secrets. | ||
| virtual void set_secret(const envoy::api::v2::auth::Secret&) PURE; | ||
| Common::CallbackManager<> update_callback_manager_; | ||
| uint64_t secret_hash_; |
Why is secret_hash_ no longer private?
It should be private, thanks for catching this.
It was changed to be protected because it was assigned to a new hash in derived class. But then we simplified that part of code and moved hash calculation back to base class.
| * CertificateValidationContextSdsApi implementation maintains and updates dynamic certificate | ||
| * validation context secrets. | ||
| */ | ||
| class CertificateValidationContextSdsApi : public SdsApi, |
At first I thought templates might be a nice thing here to avoid the boilerplate, but then we have another problem, namely how to marry templates and virtual inheritance. Worth thinking about if you have any way to reduce this repetition.
We tried using templates at first (cd35a2c), and then we found that it causes many duplicated methods. We have to add more methods into the secret manager to create each type of provider, and the provider creation methods have duplicated code. We also need two maps for each type of provider in the secret manager. Besides, each type of provider also overrides some methods of the provider interface, and those methods have duplicated code, too. Then we decided to switch to this way and simplified the code a lot. We haven't found a better way for now.
| // Removes dynamic secret provider which has been deleted. | ||
| void removeDynamicSecretProvider(const std::string& map_key); | ||
| // Finds or creates SdsApi object. | ||
| SdsApiSharedPtr innerFindOrCreate( |
Can we rename innerFindOrCreate to something else? Even findOrCreate would be fine, I just find "inner" leads to more questions (e.g. "is this an inner class?", "inner of what?"), so this isn't as clear as it could be.
Good point. Changed to findOrCreate. Thanks.
|
|
||
| void SecretManagerImpl::removeDynamicSecretProvider(const std::string& map_key) { | ||
| ENVOY_LOG(debug, "Unregister secret provider. hash key: {}", map_key); | ||
| ENVOY_LOG(debug, "Unregister tls certificate provider. hash key: {}", map_key); |
Is this definitely TLS? It seems the general SdsApi type of dynamic_secret_providers_ might suggest otherwise?
Yes, this message is not correct. Changed to secret provider.
| TlsCertificateConfigProviderSharedPtr SecretManagerImpl::findOrCreateTlsCertificateProvider( | ||
| const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name, | ||
| Server::Configuration::TransportSocketFactoryContext& secret_provider_context) { | ||
| auto create_fn = [&](std::function<void()> unregister_secret_provider) -> SdsApiSharedPtr { |
Prefer to use explicit capture rather than & for lambdas (I think this is a style guide recommendation).
| if (secret_update_callback_handle_) { | ||
| secret_update_callback_handle_->remove(); | ||
| if (tc_update_callback_handle_) { | ||
| tc_update_callback_handle_->remove(); |
Fixed in context_impl_test.cc. Thanks.
| } | ||
| if (certficate_validation_context_provider_) { | ||
| if (cvc_update_callback_handle_) { | ||
| cvc_update_callback_handle_->remove(); |
Fixed in context_impl_test.cc. Thanks.
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
…_api Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
| }; | ||
| SdsApiSharedPtr secret_provider = findOrCreate(sds_config_source, config_name, create_fn); | ||
|
|
||
| return std::dynamic_pointer_cast<CertificateValidationContextConfigProvider>(secret_provider); |
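Review bot: the result of `std::dynamic_pointer_cast<CertificateValidationContextConfigProvider>(secret_provider)` is returned without a null check. `findOrCreate` returns the generic `SdsApiSharedPtr`, so if the object it hands back is not a certificate validation context provider the caller receives an empty pointer; assert on the cast result here, or fail with a clear error, so a type mismatch does not surface later as a null dereference.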
Can we templatize findOrCreate and avoid std::dynamic_pointer_cast here?
We are building the sidecar with the SDS feature from the istio:collab-gcp-identity branch, and @quanjielin is working on merging the istio:collab-gcp-identity branch into istio:master. This PR blocks the merge.
Maybe let's make this change in a follow-up PR. I would like to get this in soon.
According to comment in PR #4355, we want to avoid std::dynamic_pointer_cast in SecretManagerImpl. This PR creates a template class and moves findOrCreate method into the template class.
Risk Level: Low
Testing: Existing unit tests and integration tests.
Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>
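One way the templated findOrCreate described in the follow-up above can look, as an added sketch that is not the code from either PR: one registry per provider type returns the concrete type directly, so no `std::dynamic_pointer_cast` is needed. `DynamicSecretProviders`, `ProviderSketch`, `SecretManagerSketch` and the `weak_ptr` storage are assumptions made for illustration.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>

// One registry per provider type, so a lookup returns the right type without a cast.
template <class ProviderType> class DynamicSecretProviders {
public:
  using UnregisterFn = std::function<void()>;
  using CreateFn = std::function<std::shared_ptr<ProviderType>(UnregisterFn)>;

  // Returns the live provider for map_key, or builds one with create_fn.
  std::shared_ptr<ProviderType> findOrCreate(const std::string& map_key,
                                             const CreateFn& create_fn) {
    auto it = providers_.find(map_key);
    if (it != providers_.end()) {
      if (auto existing = it->second.lock()) {
        return existing;
      }
    }
    // The provider calls this from its destructor; the registry must outlive it.
    auto created = create_fn([this, map_key]() { providers_.erase(map_key); });
    providers_[map_key] = created;
    return created;
  }
  std::size_t size() const { return providers_.size(); }

private:
  // weak_ptr: the registry shares providers but does not keep them alive.
  std::unordered_map<std::string, std::weak_ptr<ProviderType>> providers_;
};

// Hypothetical provider; Tag only makes the two kinds distinct C++ types.
template <int Tag> struct ProviderSketch {
  ProviderSketch(std::string n, std::function<void()> u)
      : name(std::move(n)), unregister(std::move(u)) {}
  ~ProviderSketch() { unregister(); } // explicit capture keeps this callback self-contained
  std::string name;
  std::function<void()> unregister;
};
using TlsCertificateProviderSketch = ProviderSketch<0>;
using ValidationContextProviderSketch = ProviderSketch<1>;

struct SecretManagerSketch {
  DynamicSecretProviders<TlsCertificateProviderSketch> tls_certificate_providers;
  DynamicSecretProviders<ValidationContextProviderSketch> validation_context_providers;
};
```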
Description: Refactor SdsApi to support dynamic certificate validation context, and support Envoy to fetch certificate validation context from remote server via SDS API.
Risk Level: Low
Testing: Unit tests and integration tests.
Fixes #1194
Signed-off-by: Jimmy Chen <jimmychen.0102@gmail.com>