Config Dump for Secret Discovery Service.

api/envoy/admin/v2alpha/BUILD

@@ -11,6 +11,7 @@ api_proto_library_internal(
         "//envoy/api/v2:lds",
         "//envoy/api/v2:rds",
         "//envoy/api/v2:srds",
+        "//envoy/api/v2/auth:cert",
         "//envoy/config/bootstrap/v2:bootstrap",
     ],
 )

api/envoy/admin/v2alpha/config_dump.proto

@@ -6,6 +6,7 @@ option java_outer_classname = "ConfigDumpProto";
 option java_multiple_files = true;
 option java_package = "io.envoyproxy.envoy.admin.v2alpha";
 
+import "envoy/api/v2/auth/cert.proto";
 import "envoy/api/v2/cds.proto";
 import "envoy/api/v2/lds.proto";
 import "envoy/api/v2/rds.proto";
@@ -219,3 +220,25 @@ message ScopedRoutesConfigDump {
   repeated DynamicScopedRouteConfigs dynamic_scoped_route_configs = 2
       [(gogoproto.nullable) = false];
 }
+
+// Config dump for SDS.
+message SecretsConfigDump {
+  // DynamicSecret contains secret information fetched via SDS.
+  // The security sensitive information will trimmed, for example, private key.
+  message DynamicSecret {
+    // The name assigned to the secret.
+    string name = 1;
+
+    // Per resource version information.
+    string version_info = 2;
+
+    // The timestamp when the Cluster was last updated.
+    google.protobuf.Timestamp last_updated = 3;
+
+    // Security sensitive information should be stripped.
+    envoy.api.v2.auth.Secret secret = 4;
+  }
+
+  // List of all the secrets fetched via SDS.
+  repeated DynamicSecret dynamic_secrets = 1;
+}

source/common/secret/BUILD

@@ -19,6 +19,7 @@ envoy_cc_library(
         "//include/envoy/server:transport_socket_config_interface",
         "//source/common/common:assert_lib",
         "//source/common/common:minimal_logger_lib",
+        "@envoy_api//envoy/admin/v2alpha:config_dump_cc",
         "@envoy_api//envoy/api/v2/auth:cert_cc",
     ],
 )

source/common/secret/sds_api.cc

@@ -11,13 +11,15 @@ namespace Envoy {
 namespace Secret {
 
 SdsApi::SdsApi(envoy::api::v2::core::ConfigSource sds_config, absl::string_view sds_config_name,
-               Config::SubscriptionFactory& subscription_factory,
+               Config::SubscriptionFactory& subscription_factory, TimeSource& time_source,
                ProtobufMessage::ValidationVisitor& validation_visitor, Stats::Store& stats,
                Init::Manager& init_manager, std::function<void()> destructor_cb)
     : init_target_(fmt::format("SdsApi {}", sds_config_name), [this] { initialize(); }),
       stats_(stats), sds_config_(std::move(sds_config)), sds_config_name_(sds_config_name),
       secret_hash_(0), clean_up_(std::move(destructor_cb)), validation_visitor_(validation_visitor),
-      subscription_factory_(subscription_factory) {
+      subscription_factory_(subscription_factory),
+      time_source_(time_source), secret_data_{sds_config_name_, "uninitialized",
+                                              time_source_.systemTime()} {
   // TODO(JimmyCYJ): Implement chained_init_manager, so that multiple init_manager
   // can be chained together to behave as one init_manager. In that way, we let
   // two listeners which share same SdsApi to register at separate init managers, and
@@ -26,7 +28,7 @@ SdsApi::SdsApi(envoy::api::v2::core::ConfigSource sds_config, absl::string_view
 }
 
 void SdsApi::onConfigUpdate(const Protobuf::RepeatedPtrField<ProtobufWkt::Any>& resources,
-                            const std::string&) {
+                            const std::string& version_info) {
   validateUpdateSize(resources.size());
   auto secret =
       MessageUtil::anyConvert<envoy::api::v2::auth::Secret>(resources[0], validation_visitor_);
@@ -44,7 +46,8 @@ void SdsApi::onConfigUpdate(const Protobuf::RepeatedPtrField<ProtobufWkt::Any>&
     setSecret(secret);
     update_callback_manager_.runCallbacks();
   }
-
+  secret_data_.last_updated_ = time_source_.systemTime();
+  secret_data_.version_info_ = version_info;
   init_target_.ready();
 }
 
@@ -79,5 +82,7 @@ void SdsApi::initialize() {
   subscription_->start({sds_config_name_});
 }
 
+SdsApi::SecretData SdsApi::secretData() { return secret_data_; }
+
 } // namespace Secret
 } // namespace Envoy

source/common/secret/sds_api.h

@@ -32,11 +32,21 @@ namespace Secret {
  */
 class SdsApi : public Config::SubscriptionCallbacks {
 public:
+  struct SecretData {
+    const std::string resource_name;
+    std::string version_info_;
+    SystemTime last_updated_;
+  };
+
   SdsApi(envoy::api::v2::core::ConfigSource sds_config, absl::string_view sds_config_name,
-         Config::SubscriptionFactory& subscription_factory,
+         Config::SubscriptionFactory& subscription_factory, TimeSource& time_source,
          ProtobufMessage::ValidationVisitor& validation_visitor, Stats::Store& stats,
          Init::Manager& init_manager, std::function<void()> destructor_cb);
 
+  // TODO: what's the thread model of the admin::config_dump vs xDS config updates?
+  // any lock mechanism needed?
+  SecretData secretData();
+
 protected:
   // Creates new secrets.
   virtual void setSecret(const envoy::api::v2::auth::Secret&) PURE;
@@ -68,6 +78,8 @@ class SdsApi : public Config::SubscriptionCallbacks {
   Cleanup clean_up_;
   ProtobufMessage::ValidationVisitor& validation_visitor_;
   Config::SubscriptionFactory& subscription_factory_;
+  TimeSource& time_source_;
+  SecretData secret_data_;
 };
 
 class TlsCertificateSdsApi;
@@ -90,17 +102,18 @@ class TlsCertificateSdsApi : public SdsApi, public TlsCertificateConfigProvider
     Config::Utility::checkLocalInfo("TlsCertificateSdsApi", secret_provider_context.localInfo());
     return std::make_shared<TlsCertificateSdsApi>(
         sds_config, sds_config_name, secret_provider_context.clusterManager().subscriptionFactory(),
+        secret_provider_context.dispatcher().timeSource(),
         secret_provider_context.messageValidationVisitor(), secret_provider_context.stats(),
         *secret_provider_context.initManager(), destructor_cb);
   }
 
   TlsCertificateSdsApi(const envoy::api::v2::core::ConfigSource& sds_config,
                        const std::string& sds_config_name,
-                       Config::SubscriptionFactory& subscription_factory,
+                       Config::SubscriptionFactory& subscription_factory, TimeSource& time_source,
                        ProtobufMessage::ValidationVisitor& validation_visitor, Stats::Store& stats,
                        Init::Manager& init_manager, std::function<void()> destructor_cb)
-      : SdsApi(sds_config, sds_config_name, subscription_factory, validation_visitor, stats,
-               init_manager, std::move(destructor_cb)) {}
+      : SdsApi(sds_config, sds_config_name, subscription_factory, time_source, validation_visitor,
+               stats, init_manager, std::move(destructor_cb)) {}
 
   // SecretProvider
   const envoy::api::v2::auth::TlsCertificate* secret() const override {
@@ -138,17 +151,19 @@ class CertificateValidationContextSdsApi : public SdsApi,
                                     secret_provider_context.localInfo());
     return std::make_shared<CertificateValidationContextSdsApi>(
         sds_config, sds_config_name, secret_provider_context.clusterManager().subscriptionFactory(),
+        secret_provider_context.dispatcher().timeSource(),
         secret_provider_context.messageValidationVisitor(), secret_provider_context.stats(),
         *secret_provider_context.initManager(), destructor_cb);
   }
   CertificateValidationContextSdsApi(const envoy::api::v2::core::ConfigSource& sds_config,
                                      const std::string& sds_config_name,
                                      Config::SubscriptionFactory& subscription_factory,
+                                     TimeSource& time_source,
                                      ProtobufMessage::ValidationVisitor& validation_visitor,
                                      Stats::Store& stats, Init::Manager& init_manager,
                                      std::function<void()> destructor_cb)
-      : SdsApi(sds_config, sds_config_name, subscription_factory, validation_visitor, stats,
-               init_manager, std::move(destructor_cb)) {}
+      : SdsApi(sds_config, sds_config_name, subscription_factory, time_source, validation_visitor,
+               stats, init_manager, std::move(destructor_cb)) {}
 
   // SecretProvider
   const envoy::api::v2::auth::CertificateValidationContext* secret() const override {

source/common/secret/secret_manager_impl.cc

@@ -1,8 +1,10 @@
 #include "common/secret/secret_manager_impl.h"
 
+#include "envoy/admin/v2alpha/config_dump.pb.h"
 #include "envoy/common/exception.h"
 
 #include "common/common/assert.h"
+#include "common/common/logger.h"
 #include "common/secret/sds_api.h"
 #include "common/secret/secret_provider_impl.h"
 #include "common/ssl/certificate_validation_context_config_impl.h"
@@ -11,6 +13,9 @@
 namespace Envoy {
 namespace Secret {
 
+SecretManagerImpl::SecretManagerImpl(Server::ConfigTracker& config_tracker)
+    : config_tracker_entry_(config_tracker.add("secrets", [this] { return dumpSecretConfigs(); })) {
+}
 void SecretManagerImpl::addStaticSecret(const envoy::api::v2::auth::Secret& secret) {
   switch (secret.type_case()) {
   case envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate: {
@@ -79,5 +84,53 @@ SecretManagerImpl::findOrCreateCertificateValidationContextProvider(
                                                     secret_provider_context);
 }
 
+// TODO: question, what's the handling of static inlined stuff? they're just internal constructs
+// not needed to be exposed, maybe?
+ProtobufTypes::MessagePtr SecretManagerImpl::dumpSecretConfigs() {
+  auto config_dump = std::make_unique<envoy::admin::v2alpha::SecretsConfigDump>();
+  auto providers = certificate_providers_.allSecretProviders();
+  for (const auto& cert_secrets : providers) {
+    const auto& secret_data = cert_secrets->secretData();
+    const auto& tls_cert = cert_secrets->secret();
+    const auto& dynamic_secret = config_dump->mutable_dynamic_secrets()->Add();
+    const auto& secret = dynamic_secret->mutable_secret();
+
+    ProtobufWkt::Timestamp last_updated_ts;
+    TimestampUtil::systemClockToTimestamp(secret_data.last_updated_, last_updated_ts);
+    dynamic_secret->set_version_info(secret_data.version_info_);
+    *dynamic_secret->mutable_last_updated() = last_updated_ts;
+    secret->set_name(secret_data.resource_name);
+    // TODO(incfly): this means the config is registered but Envoy hasn't received a
+    // valid push from SDS server yet... should we still dump it somehow?
+    if (!tls_cert) {
+      continue;
+    }
+    auto tls_certificate = secret->mutable_tls_certificate();
+    tls_certificate->MergeFrom(*tls_cert);
+    tls_certificate->clear_private_key();
+    tls_certificate->clear_password();
+  }
+
+  // Handling validation Context provided via SDS.
+  auto context_secret_provider = validation_context_providers_.allSecretProviders();
+  for (const auto& validation_context_secret : context_secret_provider) {
+    auto secret_data = validation_context_secret->secretData();
+    auto validation_context = validation_context_secret->secret();
+    auto dynamic_secret = config_dump->mutable_dynamic_secrets()->Add();
+    auto secret = dynamic_secret->mutable_secret();
+    ProtobufWkt::Timestamp last_updated_ts;
+    TimestampUtil::systemClockToTimestamp(secret_data.last_updated_, last_updated_ts);
+    dynamic_secret->set_version_info(secret_data.version_info_);
+    *dynamic_secret->mutable_last_updated() = last_updated_ts;
+    secret->set_name(secret_data.resource_name);
+    if (!validation_context) {
+      continue;
+    }
+    auto dump_context = secret->mutable_validation_context();
+    dump_context->MergeFrom(*validation_context);
+  }
+  return config_dump;
+}
+
 } // namespace Secret
 } // namespace Envoy

source/common/secret/secret_manager_impl.h

@@ -14,8 +14,9 @@
 namespace Envoy {
 namespace Secret {
 
-class SecretManagerImpl : public SecretManager {
+class SecretManagerImpl : public SecretManager, public Logger::Loggable<Logger::Id::secret> {
 public:
+  SecretManagerImpl(Server::ConfigTracker& config_tracker);
   void addStaticSecret(const envoy::api::v2::auth::Secret& secret) override;
 
   TlsCertificateConfigProviderSharedPtr
@@ -42,6 +43,8 @@ class SecretManagerImpl : public SecretManager {
       Server::Configuration::TransportSocketFactoryContext& secret_provider_context) override;
 
 private:
+  ProtobufTypes::MessagePtr dumpSecretConfigs();
+
   template <class SecretType>
   class DynamicSecretProviders : public Logger::Loggable<Logger::Id::secret> {
   public:
@@ -68,6 +71,17 @@ class SecretManagerImpl : public SecretManager {
       return secret_provider;
     }
 
+    std::vector<std::shared_ptr<SecretType>> allSecretProviders() {
+      std::vector<std::shared_ptr<SecretType>> providers;
+      for (const auto& secret_entry : dynamic_secret_providers_) {
+        std::shared_ptr<SecretType> secret_provider = secret_entry.second.lock();
+        if (secret_provider) {
+          providers.push_back(std::move(secret_provider));
+        }
+      }
+      return providers;
+    }
+
   private:
     // Removes dynamic secret provider which has been deleted.
     void removeDynamicSecretProvider(const std::string& map_key) {
@@ -91,6 +105,8 @@ class SecretManagerImpl : public SecretManager {
   // map hash code of SDS config source and SdsApi object.
   DynamicSecretProviders<TlsCertificateSdsApi> certificate_providers_;
   DynamicSecretProviders<CertificateValidationContextSdsApi> validation_context_providers_;
+
+  Server::ConfigTracker::EntryOwnerPtr config_tracker_entry_;
 };
 
 } // namespace Secret

source/server/config_validation/server.cc

@@ -90,7 +90,7 @@ void ValidationInstance::initialize(const Options& options,
   listener_manager_ = std::make_unique<ListenerManagerImpl>(*this, *this, *this, false);
   thread_local_.registerThread(*dispatcher_, true);
   runtime_loader_ = component_factory.createRuntime(*this, initial_config);
-  secret_manager_ = std::make_unique<Secret::SecretManagerImpl>();
+  secret_manager_ = std::make_unique<Secret::SecretManagerImpl>(admin().getConfigTracker());
   ssl_context_manager_ =
       std::make_unique<Extensions::TransportSockets::Tls::ContextManagerImpl>(api_->timeSource());
   cluster_manager_factory_ = std::make_unique<Upstream::ValidationClusterManagerFactory>(

source/server/server.cc

@@ -55,8 +55,7 @@ InstanceImpl::InstanceImpl(const Options& options, Event::TimeSystem& time_syste
                            ThreadLocal::Instance& tls, Thread::ThreadFactory& thread_factory,
                            Filesystem::Instance& file_system,
                            std::unique_ptr<ProcessContext> process_context)
-    : secret_manager_(std::make_unique<Secret::SecretManagerImpl>()), shutdown_(false),
-      options_(options), time_source_(time_system), restarter_(restarter),
+    : shutdown_(false), options_(options), time_source_(time_system), restarter_(restarter),
       start_time_(time(nullptr)), original_start_time_(start_time_), stats_store_(store),
       thread_local_(tls), api_(new Api::Impl(thread_factory, store, time_system, file_system)),
       dispatcher_(api_->allocateDispatcher()),
@@ -309,6 +308,8 @@ void InstanceImpl::initialize(const Options& options,
 
   loadServerFlags(initial_config.flagsPath());
 
+  secret_manager_ = std::make_unique<Secret::SecretManagerImpl>(admin_->getConfigTracker());
+
   // Initialize the overload manager early so other modules can register for actions.
   overload_manager_ = std::make_unique<OverloadManagerImpl>(
       *dispatcher_, stats_store_, thread_local_, bootstrap_.overload_manager(),

test/common/secret/BUILD

@@ -22,6 +22,7 @@ envoy_cc_test(
         "//test/mocks/server:server_mocks",
         "//test/test_common:environment_lib",
         "//test/test_common:registry_lib",
+        "//test/test_common:simulated_time_system_lib",
         "//test/test_common:utility_lib",
     ],
 )