Config Dump for Secret Discovery Service. #7365
Changes from 14 commits
32f1d5d
c017b07
4269751
a8e2724
fabae9e
350e7c8
a24bcc8
d5e329b
9343b62
3e7bdb2
4bedd26
7082ff7
f72888b
d68b3f5
40f83ed
022db7b
da5d481
742fa01
6771fdd
ec6449e
51a64ad
f75d116
44ace74
031da5c
aef1787
67373f2
62b9635
9fb8f42
5130216
e0f12dd
52938d1
| @@ -1,8 +1,10 @@ | ||
| #include "common/secret/secret_manager_impl.h" | ||
|
|
||
| #include "envoy/admin/v2alpha/config_dump.pb.h" | ||
| #include "envoy/common/exception.h" | ||
|
|
||
| #include "common/common/assert.h" | ||
| #include "common/common/logger.h" | ||
| #include "common/secret/sds_api.h" | ||
| #include "common/secret/secret_provider_impl.h" | ||
| #include "common/ssl/certificate_validation_context_config_impl.h" | ||
|
|
@@ -11,6 +13,9 @@ | |
| namespace Envoy { | ||
| namespace Secret { | ||
|
|
||
| SecretManagerImpl::SecretManagerImpl(Server::ConfigTracker& config_tracker) | ||
| : config_tracker_entry_(config_tracker.add("secrets", [this] { return dumpSecretConfigs(); })) { | ||
| } | ||
| void SecretManagerImpl::addStaticSecret(const envoy::api::v2::auth::Secret& secret) { | ||
| switch (secret.type_case()) { | ||
| case envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate: { | ||
|
|
@@ -79,5 +84,61 @@ SecretManagerImpl::findOrCreateCertificateValidationContextProvider( | |
| secret_provider_context); | ||
| } | ||
|
|
||
| ProtobufTypes::MessagePtr SecretManagerImpl::dumpSecretConfigs() { | ||
| auto config_dump = std::make_unique<envoy::admin::v2alpha::SecretsConfigDump>(); | ||
| auto providers = certificate_providers_.allSecretProviders(); | ||
| for (const auto& cert_secrets : providers) { | ||
| const auto& secret_data = cert_secrets->secretData(); | ||
| const auto& tls_cert = cert_secrets->secret(); | ||
| ::envoy::admin::v2alpha::SecretsConfigDump_DynamicSecret* dump_secret; | ||
| bool secret_ready = tls_cert != nullptr; | ||
|
|
||
| if (secret_ready) { | ||
| dump_secret = config_dump->mutable_dynamic_active_secrets()->Add(); | ||
| } else { | ||
| dump_secret = config_dump->mutable_dynamic_warming_secrets()->Add(); | ||
| } | ||
| auto secret = dump_secret->mutable_secret(); | ||
|
|
||
| ProtobufWkt::Timestamp last_updated_ts; | ||
| TimestampUtil::systemClockToTimestamp(secret_data.last_updated_, last_updated_ts); | ||
| dump_secret->set_version_info(secret_data.version_info_); | ||
| *dump_secret->mutable_last_updated() = last_updated_ts; | ||
| secret->set_name(secret_data.resource_name); | ||
| if (secret_ready) { | ||
| auto tls_certificate = secret->mutable_tls_certificate(); | ||
| tls_certificate->MergeFrom(*tls_cert); | ||
| // We clear private key and password to avoid information leaking.j | ||
|
|
||
| // TODO(incfly): switch to more generic scrubbing mechanism once | ||
| // https://github.com/envoyproxy/envoy/issues/4757 is resolved. | ||
| tls_certificate->clear_private_key(); | ||
| tls_certificate->clear_password(); | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Perhaps set those to
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Also, while you're at it, could you make similar change to LDS and CDS config dumps? Separate PR is fine.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not sure what you mean? The inlined_string typed key/password from tls_certificate used in LDS/CDS dump? |
||
| } | ||
| } | ||
|
|
||
| // Handling validation Context provided via SDS. | ||
| auto context_secret_provider = validation_context_providers_.allSecretProviders(); | ||
|
|
||
| for (const auto& validation_context_secret : context_secret_provider) { | ||
| const auto& secret_data = validation_context_secret->secretData(); | ||
| const auto& validation_context = validation_context_secret->secret(); | ||
| ::envoy::admin::v2alpha::SecretsConfigDump_DynamicSecret* dump_secret; | ||
| bool secret_ready = validation_context != nullptr; | ||
| if (secret_ready) { | ||
| dump_secret = config_dump->mutable_dynamic_active_secrets()->Add(); | ||
| } else { | ||
| dump_secret = config_dump->mutable_dynamic_warming_secrets()->Add(); | ||
| } | ||
| auto secret = dump_secret->mutable_secret(); | ||
| ProtobufWkt::Timestamp last_updated_ts; | ||
| TimestampUtil::systemClockToTimestamp(secret_data.last_updated_, last_updated_ts); | ||
| dump_secret->set_version_info(secret_data.version_info_); | ||
| *dump_secret->mutable_last_updated() = last_updated_ts; | ||
| secret->set_name(secret_data.resource_name); | ||
| if (secret_ready) { | ||
| secret->mutable_validation_context()->MergeFrom(*validation_context); | ||
| } | ||
| } | ||
| return config_dump; | ||
| } | ||
|
|
||
| } // namespace Secret | ||
| } // namespace Envoy | ||
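Review bot: The two provider loops in dumpSecretConfigs (the one over certificate_providers_ and the one over validation_context_providers_) repeat the same active/warming list selection, version_info, last_updated and resource-name bookkeeping line for line, so a future fix to one of them is likely to miss the other. A generic lambda that takes the provider's secretData() and the readiness flag and returns the new DynamicSecret leaves each loop with only its type-specific merge, and needs no header change. The comment `// We clear private key and password to avoid information leaking.j` carries a stray trailing `j`. Clearing private_key and password after a full MergeFrom is a denylist, so any sensitive field added to TlsCertificate later would reach the admin dump by default; if the dump's consumers only need the chain, copying `certificate_chain` alone inverts that until the scrubbing mechanism named in the TODO exists.
```cpp
ProtobufTypes::MessagePtr SecretManagerImpl::dumpSecretConfigs() {
  auto config_dump = std::make_unique<envoy::admin::v2alpha::SecretsConfigDump>();
  // Bookkeeping shared by both provider kinds: choose the active or warming list, then
  // record version, update time and resource name. Returns the entry for the caller to fill.
  auto add_dynamic_secret = [&config_dump](const auto& secret_data, bool secret_ready) {
    auto* dump_secret = secret_ready ? config_dump->mutable_dynamic_active_secrets()->Add()
                                     : config_dump->mutable_dynamic_warming_secrets()->Add();
    ProtobufWkt::Timestamp last_updated_ts;
    TimestampUtil::systemClockToTimestamp(secret_data.last_updated_, last_updated_ts);
    dump_secret->set_version_info(secret_data.version_info_);
    *dump_secret->mutable_last_updated() = last_updated_ts;
    dump_secret->mutable_secret()->set_name(secret_data.resource_name);
    return dump_secret;
  };

  for (const auto& cert_secrets : certificate_providers_.allSecretProviders()) {
    const auto& tls_cert = cert_secrets->secret();
    auto* dump_secret = add_dynamic_secret(cert_secrets->secretData(), tls_cert != nullptr);
    if (tls_cert != nullptr) {
      auto* tls_certificate = dump_secret->mutable_secret()->mutable_tls_certificate();
      tls_certificate->MergeFrom(*tls_cert);
      // We clear private key and password to avoid information leaking.
      // TODO(incfly): switch to more generic scrubbing mechanism once
      // https://github.com/envoyproxy/envoy/issues/4757 is resolved.
      tls_certificate->clear_private_key();
      tls_certificate->clear_password();
    }
  }

  // … unchanged: validation context loop, now calling add_dynamic_secret and merging
  //     *validation_context into mutable_validation_context() when ready …
  return config_dump;
}
```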