envoy

package
v0.2.0
Published: Apr 27, 2022 License: MPL-2.0 Imports: 35 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var ErrInvalidSecretProtocol = errors.New("secret protocol is not registered")

Functions

func GatewayFromContext

func GatewayFromContext(ctx context.Context) core.GatewayID

GatewayFromContext retrieves info about a gateway from the context, or nil if there is none.

func NewRequestHandler

func NewRequestHandler(logger hclog.Logger, registry GatewaySecretRegistry, secretManager SecretManager) *server.CallbackFuncs

NewRequestHandler initializes a RequestHandler instance and wraps it in a github.com/envoyproxy/go-control-plane/pkg/server/v3.(*CallbackFuncs) so that it can be used by the stock go-control-plane server implementation.

func NewSecretManager

func NewSecretManager(client SecretClient, cache SecretCache, logger hclog.Logger) *secretManager

NewSecretManager returns a secret manager that manages the use of an underlying SecretClient and SecretCache to track and keep TLS secrets up-to-date.

func SPIFFEStreamMiddleware

func SPIFFEStreamMiddleware(logger hclog.Logger, fetcher CertificateFetcher, registry GatewaySecretRegistry) grpc.StreamServerInterceptor

SPIFFEStreamMiddleware verifies the SPIFFE entries for the certificate and sets the client identity on the request context. If no SPIFFE information is detected, or if the service is unknown, the request is rejected.

Types

type CertificateFetcher

type CertificateFetcher interface {
	SPIFFE() *url.URL
	RootPool() *x509.CertPool
	TLSCertificate() *tls.Certificate
}

CertificateFetcher is used to fetch the CA and server certificate that the server should use for TLS.

type GatewaySecretRegistry

type GatewaySecretRegistry interface {
	// GatewayExists is used to determine whether or not we know a particular gateway instance
	GatewayExists(ctx context.Context, info core.GatewayID) (bool, error)
	// CanFetchSecrets is used to determine whether a gateway should be able to fetch a set
	// of secrets it has requested
	CanFetchSecrets(ctx context.Context, info core.GatewayID, secrets []string) (bool, error)
}

GatewaySecretRegistry is used as the authority for determining which gateways the SDS server should actually respond to, because they're managed by consul-api-gateway.

type Manager

type Manager struct {
	ManagerConfig
	// contains filtered or unexported fields
}

Manager wraps and manages an envoy process and its bootstrap configuration

func NewManager

func NewManager(logger hclog.Logger, config ManagerConfig) *Manager

NewManager returns a new Manager instance.

func (*Manager) CommandArgs

func (m *Manager) CommandArgs() (string, []string)

CommandArgs returns the actual command for the manager to invoke

func (*Manager) RenderBootstrap

func (m *Manager) RenderBootstrap(sdsConfig string) error

RenderBootstrap persists a bootstrapped envoy template to disk

func (*Manager) Run

func (m *Manager) Run(ctx context.Context) error

Run spawns the envoy process

type ManagerConfig

type ManagerConfig struct {
	ID                string
	Namespace         string
	ConsulCA          string
	ConsulAddress     string
	ConsulXDSPort     int
	Token             string
	BootstrapFilePath string
	LogLevel          string
	EnvoyBinary       string
	ExtraArgs         []string
	Output            io.Writer
}

ManagerConfig configures a Manager

type MultiSecretClient

type MultiSecretClient struct {
	// contains filtered or unexported fields
}

MultiSecretClient implements a registry of secret clients that handle fetching secrets based off of the protocol they're given in the secret name.

func NewMultiSecretClient

func NewMultiSecretClient() *MultiSecretClient

func (*MultiSecretClient) FetchSecret

func (m *MultiSecretClient) FetchSecret(ctx context.Context, name string) (*tls.Secret, time.Time, error)

func (*MultiSecretClient) Register

func (m *MultiSecretClient) Register(protocol string, client SecretClient)

type RequestHandler

type RequestHandler struct {
	// contains filtered or unexported fields
}

RequestHandler implements the handlers for an SDS Delta server

func (*RequestHandler) OnStreamClosed

func (r *RequestHandler) OnStreamClosed(streamID int64)

OnStreamClosed is invoked when an envoy instance disconnects from the server

func (*RequestHandler) OnStreamOpen

func (r *RequestHandler) OnStreamOpen(ctx context.Context, streamID int64) error

OnStreamOpen is invoked when an envoy instance first connects to the server

func (*RequestHandler) OnStreamRequest

func (r *RequestHandler) OnStreamRequest(streamID int64, req *discovery.DiscoveryRequest) error

OnStreamRequest is invoked when a request for resources comes in from the envoy instance

type SDSServer

type SDSServer struct {
	// contains filtered or unexported fields
}

SDSServer wraps a gRPC-based SDS Delta server

func NewSDSServer

func NewSDSServer(logger hclog.Logger, fetcher CertificateFetcher, client SecretClient, registry GatewaySecretRegistry) *SDSServer

NewSDSServer initializes an SDSServer instance.

func (*SDSServer) Run

func (s *SDSServer) Run(ctx context.Context) error

Run starts the SDS server

func (*SDSServer) Shutdown

func (s *SDSServer) Shutdown()

Shutdown attempts to gracefully shut down the server; it is called automatically when the context passed into the Run function is canceled.

type SecretCache

type SecretCache interface {
	UpdateResource(name string, res types.Resource) error
	DeleteResource(name string) error
}

SecretCache is used as an intermediate cache for pushing TLS certificates into. In practice we're using github.com/envoyproxy/go-control-plane/pkg/cache.(*LinearCache) as the concrete struct that implements this; it handles notifying watched gRPC streams when we push newly requested resources into, or delete existing resources from, the cache.

type SecretClient

type SecretClient interface {
	FetchSecret(ctx context.Context, name string) (*tls.Secret, time.Time, error)
}

SecretClient is used to retrieve TLS secrets. When a gRPC stream attempts to watch a secret, we first check whether we've already pushed it into our intermediate SecretCache; if we have, we only increment a reference counter used to track the lifecycle of the watched secret. If we are not yet tracking the secret, we retrieve it remotely via the SecretClient.

type SecretManager

type SecretManager interface {
	// SetResourcesForNode sets the list of TLS certificates being tracked by the node
	SetResourcesForNode(ctx context.Context, names []string, node string) error
	// Watch is used for tracking an envoy node's TLS secrets of interest
	Watch(ctx context.Context, names []string, node string) error
	// Unwatch is used for removing a subset of an envoy node's TLS secrets
	// from the list of the node's secrets of interest
	Unwatch(ctx context.Context, names []string, node string) error
	// UnwatchAll is used to completely unwatch all of a node's secrets
	UnwatchAll(ctx context.Context, node string) error
	// Manage is used for re-fetching expiring TLS certificates and updating them
	Manage(ctx context.Context)
}

SecretManager handles the lifecycle of watched TLS secrets.
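As an added illustration (not code from consul-api-gateway), the reference-counted watch lifecycle that the SecretClient and SecretManager descriptions above lay out: the first Watch of a name fetches it remotely and pushes it into the cache, further Watches only bump a counter, and the last Unwatch evicts it. The SecretClient is reduced to a fetch function returning PEM bytes and the SecretCache to a map; both are assumptions made for brevity.

```go
package main

import (
	"context"
	"fmt"
)

// Fetcher stands in for the package's SecretClient.FetchSecret (assumption: PEM bytes, no expiry).
type Fetcher func(ctx context.Context, name string) ([]byte, error)

// RefManager follows the lifecycle the SecretClient doc describes: the first Watch of a name
// fetches it remotely and pushes it into the cache, later Watches only bump a reference count,
// and the last Unwatch deletes the cached entry so no unwatched certificate keeps being served.
// A server fed by many gRPC streams would guard both maps with a mutex (omitted for brevity).
type RefManager struct {
	fetch  Fetcher
	Cached map[string][]byte // stand-in for SecretCache (LinearCache in the real package)
	Refs   map[string]int    // watcher count per secret name
}

func NewRefManager(f Fetcher) *RefManager {
	return &RefManager{fetch: f, Cached: map[string][]byte{}, Refs: map[string]int{}}
}

// Watch registers interest in each name; a failed remote fetch leaves nothing half-tracked.
func (m *RefManager) Watch(ctx context.Context, names []string) error {
	for _, n := range names {
		if m.Refs[n] > 0 {
			m.Refs[n]++ // already cached: only the watcher count changes
		} else if pem, err := m.fetch(ctx, n); err != nil {
			return fmt.Errorf("fetch %q: %w", n, err)
		} else {
			m.Cached[n], m.Refs[n] = pem, 1
		}
	}
	return nil
}

// Unwatch releases interest; the cache entry goes away only with the last watcher.
func (m *RefManager) Unwatch(names []string) {
	for _, n := range names {
		if m.Refs[n] > 1 {
			m.Refs[n]--
		} else if m.Refs[n] == 1 {
			delete(m.Refs, n)
			delete(m.Cached, n)
		}
	}
}
```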

Directories

Path: mocks
Synopsis: Package mocks is a generated GoMock package.
