From 5b911e41c7266c033e2d117fb38f1c28238ddeb9 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Fri, 10 Feb 2023 20:50:48 +0000 Subject: [PATCH 1/9] backport of commit 8312d33f81e47599f8baebee9113acd485436697 --- agent/xds/resources.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/agent/xds/resources.go b/agent/xds/resources.go index 6bd6709343c1..cab494da4cad 100644 --- a/agent/xds/resources.go +++ b/agent/xds/resources.go @@ -35,8 +35,7 @@ func NewResourceGenerator( func (g *ResourceGenerator) AllResourcesFromSnapshot(cfgSnap *proxycfg.ConfigSnapshot) (map[string][]proto.Message, error) { all := make(map[string][]proto.Message) - // TODO Add xdscommon.SecretType - for _, typeUrl := range []string{xdscommon.ListenerType, xdscommon.RouteType, xdscommon.ClusterType, xdscommon.EndpointType} { + for _, typeUrl := range []string{xdscommon.ListenerType, xdscommon.RouteType, xdscommon.ClusterType, xdscommon.EndpointType, xdscommon.SecretType} { res, err := g.resourcesFromSnapshot(typeUrl, cfgSnap) if err != nil { return nil, fmt.Errorf("failed to generate xDS resources for %q: %v", typeUrl, err) From 8891db7e0c8660e0c934cb156ed2eeb732063ff4 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Fri, 10 Feb 2023 21:51:12 +0000 Subject: [PATCH 2/9] backport of commit d9a0b25b2554935426dc6579b0ef97acc87eaab4 --- agent/structs/config_entry_status.go | 5 ++++ agent/xds/secrets.go | 38 +++++++++++++++++++++++++--- 2 files changed, 40 insertions(+), 3 deletions(-) diff --git a/agent/structs/config_entry_status.go b/agent/structs/config_entry_status.go index faafd34d7b7a..5485a6ccaf95 100644 --- a/agent/structs/config_entry_status.go +++ b/agent/structs/config_entry_status.go @@ -1,6 +1,7 @@ package structs import ( + "fmt" "sort" "time" @@ -24,6 +25,10 @@ type ResourceReference struct { acl.EnterpriseMeta } +func (r *ResourceReference) String() string { + return fmt.Sprintf("%s:%s/%s/%s/%s", r.Kind, r.PartitionOrDefault(), r.NamespaceOrDefault(), r.Name, r.SectionName) +} + func (r *ResourceReference) IsSame(other *ResourceReference) bool { if r == nil && other == nil { return true diff --git a/agent/xds/secrets.go b/agent/xds/secrets.go index 5547b6d2037d..5eb2bcb3015a 100644 --- a/agent/xds/secrets.go +++ b/agent/xds/secrets.go @@ -4,10 +4,13 @@ import ( "errors" "fmt" + envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + envoy_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" "google.golang.org/protobuf/proto" "github.com/hashicorp/consul/agent/proxycfg" "github.com/hashicorp/consul/agent/structs" + "github.com/hashicorp/consul/lib" ) // secretsFromSnapshot returns the xDS API representation of the "secrets" @@ -32,7 +35,36 @@ func (s *ResourceGenerator) secretsFromSnapshot(cfgSnap *proxycfg.ConfigSnapshot } func (s *ResourceGenerator) secretsFromSnapshotAPIGateway(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error) { - var res []proto.Message - // TODO - return res, nil + resources := make([]proto.Message, 0, cfgSnap.APIGateway.Certificates.Len()) + + cfgSnap.APIGateway.Certificates.ForEachKey(func(ref structs.ResourceReference) bool { + cert, ok := cfgSnap.APIGateway.Certificates.Get(ref) + if !ok { + // inline-certificate not present in map for some reason, process others + return true + } + + secret := &envoy_tls_v3.Secret{ + Name: ref.String(), + Type: &envoy_tls_v3.Secret_TlsCertificate{ + TlsCertificate: &envoy_tls_v3.TlsCertificate{ + CertificateChain: &envoy_core_v3.DataSource{ + Specifier: &envoy_core_v3.DataSource_InlineString{ + InlineString: lib.EnsureTrailingNewline(cert.Certificate), + }, + }, + PrivateKey: &envoy_core_v3.DataSource{ + Specifier: &envoy_core_v3.DataSource_InlineString{ + InlineString: lib.EnsureTrailingNewline(cert.PrivateKey), + }, + }, + }, + }, + } + + resources = append(resources, secret) + return true + }) + + return resources, nil } From 712f423f1f87fbc3d6bbc875894f63b41be6929d Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Fri, 10 Feb 2023 21:58:41 +0000 Subject: [PATCH 3/9] backport of commit 23e57d66d77b61da922689a0f926604c4d67b87e --- agent/xds/delta.go | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/agent/xds/delta.go b/agent/xds/delta.go index 5a1ef17d2445..62a725b8f1b1 100644 --- a/agent/xds/delta.go +++ b/agent/xds/delta.go @@ -466,20 +466,21 @@ func (s *Server) applyEnvoyExtensions(resources *xdscommon.IndexedResources, cfg return nil } +// https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol#eventual-consistency-considerations var xDSUpdateOrder = []xDSUpdateOperation{ - // TODO Update comments + // 1. SDS updates (if any) can be pushed here with no harm. {TypeUrl: xdscommon.SecretType, Upsert: true}, - // 1. CDS updates (if any) must always be pushed first. + // 2. CDS updates (if any) must always be pushed before the following types. {TypeUrl: xdscommon.ClusterType, Upsert: true}, - // 2. EDS updates (if any) must arrive after CDS updates for the respective clusters. + // 3. EDS updates (if any) must arrive after CDS updates for the respective clusters. {TypeUrl: xdscommon.EndpointType, Upsert: true}, - // 3. LDS updates must arrive after corresponding CDS/EDS updates. + // 4. LDS updates must arrive after corresponding CDS/EDS updates. {TypeUrl: xdscommon.ListenerType, Upsert: true, Remove: true}, - // 4. RDS updates related to the newly added listeners must arrive after CDS/EDS/LDS updates. + // 5. RDS updates related to the newly added listeners must arrive after CDS/EDS/LDS updates. {TypeUrl: xdscommon.RouteType, Upsert: true, Remove: true}, - // 5. (NOT IMPLEMENTED YET IN CONSUL) VHDS updates (if any) related to the newly added RouteConfigurations must arrive after RDS updates. + // 6. (NOT IMPLEMENTED YET IN CONSUL) VHDS updates (if any) related to the newly added RouteConfigurations must arrive after RDS updates. // {}, - // 6. Stale CDS clusters, related EDS endpoints (ones no longer being referenced) and SDS secrets can then be removed. + // 7. Stale CDS clusters, related EDS endpoints (ones no longer being referenced) and SDS secrets can then be removed. {TypeUrl: xdscommon.ClusterType, Remove: true}, {TypeUrl: xdscommon.EndpointType, Remove: true}, {TypeUrl: xdscommon.SecretType, Remove: true}, From 8d4acc7ac9f86ee9d2d3db327ecab7576b033baf Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Fri, 10 Feb 2023 22:27:57 +0000 Subject: [PATCH 4/9] backport of commit 2b69d793a979a8ce5ea51f4dd0016c1bfcf265c4 --- agent/xds/resources_test.go | 8 +++++++- .../secrets/connect-proxy-exported-to-peers.latest.golden | 5 +++++ ...-with-chain-and-failover-to-cluster-peer.latest.golden | 5 +++++ ...-with-chain-and-redirect-to-cluster-peer.latest.golden | 5 +++++ .../connect-proxy-with-peered-upstreams.latest.golden | 5 +++++ agent/xds/testdata/secrets/defaults.latest.golden | 5 +++++ ...local-mesh-gateway-with-peered-upstreams.latest.golden | 5 +++++ .../mesh-gateway-peering-control-plane.latest.golden | 5 +++++ ...xported-peered-services-http-with-router.latest.golden | 5 +++++ ...teway-with-exported-peered-services-http.latest.golden | 5 +++++ ...sh-gateway-with-exported-peered-services.latest.golden | 5 +++++ ...sh-gateway-with-imported-peered-services.latest.golden | 5 +++++ ...y-with-peer-through-mesh-gateway-enabled.latest.golden | 5 +++++ .../transparent-proxy-destination-http.latest.golden | 5 +++++ .../secrets/transparent-proxy-destination.latest.golden | 5 +++++ ...xy-terminating-gateway-destinations-only.latest.golden | 5 +++++ .../transparent-proxy-with-peered-upstreams.latest.golden | 5 +++++ .../xds/testdata/secrets/transparent-proxy.latest.golden | 5 +++++ 18 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 agent/xds/testdata/secrets/connect-proxy-exported-to-peers.latest.golden create mode 100644 agent/xds/testdata/secrets/connect-proxy-with-chain-and-failover-to-cluster-peer.latest.golden create mode 100644 agent/xds/testdata/secrets/connect-proxy-with-chain-and-redirect-to-cluster-peer.latest.golden create mode 100644 agent/xds/testdata/secrets/connect-proxy-with-peered-upstreams.latest.golden create mode 100644 agent/xds/testdata/secrets/defaults.latest.golden create mode 100644 agent/xds/testdata/secrets/local-mesh-gateway-with-peered-upstreams.latest.golden create mode 100644 agent/xds/testdata/secrets/mesh-gateway-peering-control-plane.latest.golden create mode 100644 agent/xds/testdata/secrets/mesh-gateway-with-exported-peered-services-http-with-router.latest.golden create mode 100644 agent/xds/testdata/secrets/mesh-gateway-with-exported-peered-services-http.latest.golden create mode 100644 agent/xds/testdata/secrets/mesh-gateway-with-exported-peered-services.latest.golden create mode 100644 agent/xds/testdata/secrets/mesh-gateway-with-imported-peered-services.latest.golden create mode 100644 agent/xds/testdata/secrets/mesh-gateway-with-peer-through-mesh-gateway-enabled.latest.golden create mode 100644 agent/xds/testdata/secrets/transparent-proxy-destination-http.latest.golden create mode 100644 agent/xds/testdata/secrets/transparent-proxy-destination.latest.golden create mode 100644 agent/xds/testdata/secrets/transparent-proxy-terminating-gateway-destinations-only.latest.golden create mode 100644 agent/xds/testdata/secrets/transparent-proxy-with-peered-upstreams.latest.golden create mode 100644 agent/xds/testdata/secrets/transparent-proxy.latest.golden diff --git a/agent/xds/resources_test.go b/agent/xds/resources_test.go index ad3c1b396c2b..07e363f873cb 100644 --- a/agent/xds/resources_test.go +++ b/agent/xds/resources_test.go @@ -9,6 +9,8 @@ import ( envoy_endpoint_v3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3" envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" envoy_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" + envoy_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" + "github.com/hashicorp/consul/agent/xds/testcommon" "github.com/hashicorp/consul/envoyextensions/xdscommon" @@ -25,6 +27,7 @@ var testTypeUrlToPrettyName = map[string]string{ xdscommon.RouteType: "routes", xdscommon.ClusterType: "clusters", xdscommon.EndpointType: "endpoints", + xdscommon.SecretType: "secrets", } type goldenTestCase struct { @@ -60,7 +63,7 @@ func TestAllResourcesFromSnapshot(t *testing.T) { // We need to replace the TLS certs with deterministic ones to make golden // files workable. Note we don't update these otherwise they'd change - // golder files for every test case and so not be any use! + // golden files for every test case and so not be any use! testcommon.SetupTLSRootsAndLeaf(t, snap) if tt.setup != nil { @@ -82,6 +85,7 @@ func TestAllResourcesFromSnapshot(t *testing.T) { xdscommon.RouteType, xdscommon.ClusterType, xdscommon.EndpointType, + xdscommon.SecretType, } require.Len(t, resources, len(typeUrls)) @@ -101,6 +105,8 @@ func TestAllResourcesFromSnapshot(t *testing.T) { return items[i].(*envoy_cluster_v3.Cluster).Name < items[j].(*envoy_cluster_v3.Cluster).Name case xdscommon.EndpointType: return items[i].(*envoy_endpoint_v3.ClusterLoadAssignment).ClusterName < items[j].(*envoy_endpoint_v3.ClusterLoadAssignment).ClusterName + case xdscommon.SecretType: + return items[i].(*envoy_tls_v3.Secret).Name < items[j].(*envoy_tls_v3.Secret).Name default: panic("not possible") } diff --git a/agent/xds/testdata/secrets/connect-proxy-exported-to-peers.latest.golden b/agent/xds/testdata/secrets/connect-proxy-exported-to-peers.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/connect-proxy-exported-to-peers.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/connect-proxy-with-chain-and-failover-to-cluster-peer.latest.golden b/agent/xds/testdata/secrets/connect-proxy-with-chain-and-failover-to-cluster-peer.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/connect-proxy-with-chain-and-failover-to-cluster-peer.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/connect-proxy-with-chain-and-redirect-to-cluster-peer.latest.golden b/agent/xds/testdata/secrets/connect-proxy-with-chain-and-redirect-to-cluster-peer.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/connect-proxy-with-chain-and-redirect-to-cluster-peer.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/connect-proxy-with-peered-upstreams.latest.golden b/agent/xds/testdata/secrets/connect-proxy-with-peered-upstreams.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/connect-proxy-with-peered-upstreams.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/defaults.latest.golden b/agent/xds/testdata/secrets/defaults.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/defaults.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/local-mesh-gateway-with-peered-upstreams.latest.golden b/agent/xds/testdata/secrets/local-mesh-gateway-with-peered-upstreams.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/local-mesh-gateway-with-peered-upstreams.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/mesh-gateway-peering-control-plane.latest.golden b/agent/xds/testdata/secrets/mesh-gateway-peering-control-plane.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/mesh-gateway-peering-control-plane.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/mesh-gateway-with-exported-peered-services-http-with-router.latest.golden b/agent/xds/testdata/secrets/mesh-gateway-with-exported-peered-services-http-with-router.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/mesh-gateway-with-exported-peered-services-http-with-router.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/mesh-gateway-with-exported-peered-services-http.latest.golden b/agent/xds/testdata/secrets/mesh-gateway-with-exported-peered-services-http.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/mesh-gateway-with-exported-peered-services-http.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/mesh-gateway-with-exported-peered-services.latest.golden b/agent/xds/testdata/secrets/mesh-gateway-with-exported-peered-services.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/mesh-gateway-with-exported-peered-services.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/mesh-gateway-with-imported-peered-services.latest.golden b/agent/xds/testdata/secrets/mesh-gateway-with-imported-peered-services.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/mesh-gateway-with-imported-peered-services.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/mesh-gateway-with-peer-through-mesh-gateway-enabled.latest.golden b/agent/xds/testdata/secrets/mesh-gateway-with-peer-through-mesh-gateway-enabled.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/mesh-gateway-with-peer-through-mesh-gateway-enabled.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/transparent-proxy-destination-http.latest.golden b/agent/xds/testdata/secrets/transparent-proxy-destination-http.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/transparent-proxy-destination-http.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/transparent-proxy-destination.latest.golden b/agent/xds/testdata/secrets/transparent-proxy-destination.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/transparent-proxy-destination.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/transparent-proxy-terminating-gateway-destinations-only.latest.golden b/agent/xds/testdata/secrets/transparent-proxy-terminating-gateway-destinations-only.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/transparent-proxy-terminating-gateway-destinations-only.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/transparent-proxy-with-peered-upstreams.latest.golden b/agent/xds/testdata/secrets/transparent-proxy-with-peered-upstreams.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/transparent-proxy-with-peered-upstreams.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/transparent-proxy.latest.golden b/agent/xds/testdata/secrets/transparent-proxy.latest.golden new file mode 100644 index 000000000000..e6c25e165c65 --- /dev/null +++ b/agent/xds/testdata/secrets/transparent-proxy.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file From ecafd94c89c259b42a1e6041250129ed920c1476 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Mon, 13 Feb 2023 19:44:55 +0000 Subject: [PATCH 5/9] backport of commit e229b33af0d8dbf24165955081db35d84c877ed9 --- agent/proxycfg/testing_api_gateway.go | 135 ++++++++++++++++++++++++++ agent/xds/resources_test.go | 12 +++ 2 files changed, 147 insertions(+) create mode 100644 agent/proxycfg/testing_api_gateway.go diff --git a/agent/proxycfg/testing_api_gateway.go b/agent/proxycfg/testing_api_gateway.go new file mode 100644 index 000000000000..e9561ac4fe6b --- /dev/null +++ b/agent/proxycfg/testing_api_gateway.go @@ -0,0 +1,135 @@ +package proxycfg + +import ( + "fmt" + + "github.com/mitchellh/go-testing-interface" + + "github.com/hashicorp/consul/agent/connect" + "github.com/hashicorp/consul/agent/consul/discoverychain" + "github.com/hashicorp/consul/agent/structs" +) + +func TestConfigSnapshotAPIGateway(t testing.T) *ConfigSnapshot { + roots, placeholderLeaf := TestCerts(t) + + entries := []structs.ConfigEntry{ + &structs.ProxyConfigEntry{ + Kind: structs.ProxyDefaults, + Name: structs.ProxyConfigGlobal, + Config: map[string]interface{}{ + "protocol": "tcp", + }, + }, + &structs.ServiceResolverConfigEntry{ + Kind: structs.ServiceResolver, + Name: "api-gateway", + }, + } + + baseEvents := []UpdateEvent{ + { + CorrelationID: rootsWatchID, + Result: roots, + }, + { + CorrelationID: leafWatchID, + Result: placeholderLeaf, + }, + { + CorrelationID: gatewayConfigWatchID, + Result: &structs.ConfigEntryResponse{ + Entry: &structs.APIGatewayConfigEntry{ + Kind: structs.APIGateway, + Name: "api-gateway", + Listeners: []structs.APIGatewayListener{ + { + Name: "", + Hostname: "", + Port: 8080, + Protocol: structs.ListenerProtocolTCP, + TLS: structs.APIGatewayTLSConfiguration{ + Certificates: []structs.ResourceReference{ + { + Kind: structs.InlineCertificate, + Name: "my-inline-certificate", + }, + }, + }, + }, + }, + }, + }, + }, + { + CorrelationID: gatewayConfigWatchID, + Result: &structs.ConfigEntryResponse{ + Entry: &structs.BoundAPIGatewayConfigEntry{ + Kind: structs.BoundAPIGateway, + Name: "api-gateway", + Listeners: []structs.BoundAPIGatewayListener{ + { + Name: "", + Certificates: []structs.ResourceReference{ + { + Kind: structs.InlineCertificate, + Name: "my-inline-certificate", + }, + }, + Routes: []structs.ResourceReference{ + { + Kind: structs.TCPRoute, + Name: "my-tcp-route", + }, + }, + }, + }, + }, + }, + }, + { + CorrelationID: routeConfigWatchID, + Result: &structs.ConfigEntryResponse{ + Entry: &structs.TCPRouteConfigEntry{ + Kind: structs.TCPRoute, + Name: "my-tcp-route", + Parents: []structs.ResourceReference{ + { + Kind: structs.APIGateway, + Name: "api-gateway", + }, + }, + Services: []structs.TCPService{ + {Name: "my-tcp-service"}, + }, + }, + }, + }, + { + CorrelationID: inlineCertificateConfigWatchID, + Result: &structs.ConfigEntryResponse{ + Entry: &structs.InlineCertificateConfigEntry{ + Kind: structs.InlineCertificate, + Name: "my-inline-certificate", + Certificate: "certificate", + PrivateKey: "private key", + }, + }, + }, + { + CorrelationID: fmt.Sprintf("discovery-chain:%s", UpstreamIDString("","","my-tcp-service",nil, "")), + Result: &structs.DiscoveryChainResponse{ + Chain: discoverychain.TestCompileConfigEntries(t,"my-tcp-service","default","default","dc1", connect.TestClusterID+".consul",nil,entries...), + }, + }, + } + + return testConfigSnapshotFixture(t, &structs.NodeService{ + Kind: structs.ServiceKindAPIGateway, + Service: "api-gateway", + Port: 9999, + Address: "1.2.3.4", + Meta: nil, + TaggedAddresses: nil, + }, nil, nil, testSpliceEvents(baseEvents, nil)) +} diff --git a/agent/xds/resources_test.go b/agent/xds/resources_test.go index 07e363f873cb..3dd9db2ddc06 100644 --- a/agent/xds/resources_test.go +++ b/agent/xds/resources_test.go @@ -171,6 +171,7 @@ func TestAllResourcesFromSnapshot(t *testing.T) { tests = append(tests, getMeshGatewayPeeringGoldenTestCases()...) tests = append(tests, getTrafficControlPeeringGoldenTestCases()...) tests = append(tests, getEnterpriseGoldenTestCases()...) + tests = append(tests, getAPIGatewayGoldenTestCases()...) latestEnvoyVersion := xdscommon.EnvoyVersions[0] for _, envoyVersion := range xdscommon.EnvoyVersions { @@ -262,3 +263,14 @@ func getTrafficControlPeeringGoldenTestCases() []goldenTestCase { }, } } + +func getAPIGatewayGoldenTestCases() []goldenTestCase { + return []goldenTestCase{ + { + name:"api-gateway-with-tcp-route-and-inline-certificate", + create: func(t testinf.T) *proxycfg.ConfigSnapshot { + return proxycfg.TestConfigSnapshotAPIGateway(t) + }, + }, + } +} From 01bdb237dac92b6b39da662127512ea6d3c505d3 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Mon, 13 Feb 2023 20:00:05 +0000 Subject: [PATCH 6/9] backport of commit a837edb05aa16c64a87a05b029787d321af3fbdc --- ...and-inline-certificate.envoy-1-21-x.golden | 55 +++++++++++++++++++ ...and-inline-certificate.envoy-1-22-x.golden | 55 +++++++++++++++++++ ...and-inline-certificate.envoy-1-23-x.golden | 55 +++++++++++++++++++ ...route-and-inline-certificate.latest.golden | 55 +++++++++++++++++++ ...route-and-inline-certificate.latest.golden | 5 ++ ...route-and-inline-certificate.latest.golden | 32 +++++++++++ ...route-and-inline-certificate.latest.golden | 5 ++ ...route-and-inline-certificate.latest.golden | 19 +++++++ 8 files changed, 281 insertions(+) create mode 100644 agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.envoy-1-21-x.golden create mode 100644 agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.envoy-1-22-x.golden create mode 100644 agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.envoy-1-23-x.golden create mode 100644 agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.latest.golden create mode 100644 agent/xds/testdata/endpoints/api-gateway-with-tcp-route-and-inline-certificate.latest.golden create mode 100644 agent/xds/testdata/listeners/api-gateway-with-tcp-route-and-inline-certificate.latest.golden create mode 100644 agent/xds/testdata/routes/api-gateway-with-tcp-route-and-inline-certificate.latest.golden create mode 100644 agent/xds/testdata/secrets/api-gateway-with-tcp-route-and-inline-certificate.latest.golden diff --git a/agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.envoy-1-21-x.golden b/agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.envoy-1-21-x.golden new file mode 100644 index 000000000000..0f1acf258838 --- /dev/null +++ b/agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.envoy-1-21-x.golden @@ -0,0 +1,55 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "my-tcp-service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "altStatName": "my-tcp-service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "circuitBreakers": {}, + "outlierDetection": {}, + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICBTCCAaugAwIBAgIIDUmSJn0rk7IwCgYIKoZIzj0EAwIwFjEUMBIGA1UEAxML\nVGVzdCBDQSA5OTcwHhcNMjMwMjEzMTk1NzI2WhcNMzMwMjEwMTk1NzI2WjAAMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg0SW0HLUZjEG9lnmnVT8g/1i+zdPVrCq\nWIltXSdtS3xbwaiP+5Vnc4sr/MqLhIC46BfyjrQWlz8bH+AGmn6pqKOB+DCB9TAO\nBgNVHQ8BAf8EBAMCA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwG\nA1UdEwEB/wQCMAAwKQYDVR0OBCIEIJhaXpuR2wfoxMchnGF3jGjSlhq4ldWkWnbj\nTjqghzzBMCsGA1UdIwQkMCKAIPSY/nP8UYJ63YM3PU3r4pUr6PujDyRaz1fyqlsJ\njZOZMF4GA1UdEQEB/wRUMFKCAIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMz\nLTQ0NDQtNTU1NTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMv\nd2ViMAoGCCqGSM49BAMCA0gAMEUCIQCWa5SsdXjVOHrIymFBFDYaB63G37I7G4fS\nnwHSTUX4WgIgRSmlLlZyYAC7iVfxYawVF00jlJgiI9BR15jZKX7AbQY=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIAXRcUw9WfqWXNpB17uKREas/k4BEXmfTrHuMipy4cBYoAoGCCqGSM49\nAwEHoUQDQgAEg0SW0HLUZjEG9lnmnVT8g/1i+zdPVrCqWIltXSdtS3xbwaiP+5Vn\nc4sr/MqLhIC46BfyjrQWlz8bH+AGmn6pqA==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/my-tcp-service" + } + ] + } + }, + "sni": "my-tcp-service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.envoy-1-22-x.golden b/agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.envoy-1-22-x.golden new file mode 100644 index 000000000000..0b1056b40b1d --- /dev/null +++ b/agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.envoy-1-22-x.golden @@ -0,0 +1,55 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "my-tcp-service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "altStatName": "my-tcp-service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "circuitBreakers": {}, + "outlierDetection": {}, + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICBTCCAaugAwIBAgIIG2bvG5luNEYwCgYIKoZIzj0EAwIwFjEUMBIGA1UEAxML\nVGVzdCBDQSA5NzkwHhcNMjMwMjEzMTk1NzI2WhcNMzMwMjEwMTk1NzI2WjAAMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYSJyZ40B0yli1l9saCNXvLBLOW6rH6If\n8pSTLnpHGP0WJY4GMwO0v9F5jictCTmOkP49yhtk8ef2rdO1kMR0PKOB+DCB9TAO\nBgNVHQ8BAf8EBAMCA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwG\nA1UdEwEB/wQCMAAwKQYDVR0OBCIEIJOFXG6Pe2sqp1FkWQmR7flevS9uZs09aeEN\nNKEtMkI7MCsGA1UdIwQkMCKAIHom8J1J7r2qiBvE4u9kK5De4Q4nvvps5kv2c+fO\n0t7IMF4GA1UdEQEB/wRUMFKCAIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMz\nLTQ0NDQtNTU1NTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMv\nd2ViMAoGCCqGSM49BAMCA0gAMEUCIE5kA4PXhGzPILtP36RGYWn3aclQswsd/WWo\nDGIkVpmYAiEA5O0IkIfjyIfGOhNgFn0hG4ffL5VkWEKSVOjWGRkVotg=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIGxowbkhPhgEwmrllLTqOhaiUK0VXnVxs56qhrbZJoCaoAoGCCqGSM49\nAwEHoUQDQgAEYSJyZ40B0yli1l9saCNXvLBLOW6rH6If8pSTLnpHGP0WJY4GMwO0\nv9F5jictCTmOkP49yhtk8ef2rdO1kMR0PA==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/my-tcp-service" + } + ] + } + }, + "sni": "my-tcp-service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.envoy-1-23-x.golden b/agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.envoy-1-23-x.golden new file mode 100644 index 000000000000..c0673919bffa --- /dev/null +++ b/agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.envoy-1-23-x.golden @@ -0,0 +1,55 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "my-tcp-service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "altStatName": "my-tcp-service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "circuitBreakers": {}, + "outlierDetection": {}, + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICBDCCAaugAwIBAgIISt5wJ7l2J+0wCgYIKoZIzj0EAwIwFjEUMBIGA1UEAxML\nVGVzdCBDQSA5NjEwHhcNMjMwMjEzMTk1NzI2WhcNMzMwMjEwMTk1NzI2WjAAMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0yhnVU34nRMqaIbQd1E6osnv39ZfWgc2\nOjmE08SrHDthLI39QT19sQpDiMzPguqRmrUiOHdnv9JBUWuypOmzIKOB+DCB9TAO\nBgNVHQ8BAf8EBAMCA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwG\nA1UdEwEB/wQCMAAwKQYDVR0OBCIEIAjR+bDoPah/y1W0B4/Ej0r0cqCVNc0xabWv\nbQ6/Aj4fMCsGA1UdIwQkMCKAICFyBuVQj3g5XWEj6apjtTivKD6j4vgZjoQ8PPA3\nuPDAMF4GA1UdEQEB/wRUMFKCAIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMz\nLTQ0NDQtNTU1NTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMv\nd2ViMAoGCCqGSM49BAMCA0cAMEQCIEmVVGnGNE6kOOKXeKWQnvEN/zrmk4sBfk4q\n7War0PpKAiA3fHNbVGERIhYNFi3Hx7wwQFSvC0EYH3TCoFAr9BMIGg==\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIOnQ38u+a0B6y+YfqXuo5VTbcLq8gq1op9Tbhfp79pzHoAoGCCqGSM49\nAwEHoUQDQgAE0yhnVU34nRMqaIbQd1E6osnv39ZfWgc2OjmE08SrHDthLI39QT19\nsQpDiMzPguqRmrUiOHdnv9JBUWuypOmzIA==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/my-tcp-service" + } + ] + } + }, + "sni": "my-tcp-service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.latest.golden b/agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.latest.golden new file mode 100644 index 000000000000..6bc332e7be05 --- /dev/null +++ b/agent/xds/testdata/clusters/api-gateway-with-tcp-route-and-inline-certificate.latest.golden @@ -0,0 +1,55 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "name": "my-tcp-service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "altStatName": "my-tcp-service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "type": "EDS", + "edsClusterConfig": { + "edsConfig": { + "ads": {}, + "resourceApiVersion": "V3" + } + }, + "connectTimeout": "5s", + "circuitBreakers": {}, + "outlierDetection": {}, + "commonLbConfig": { + "healthyPanicThreshold": {} + }, + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", + "commonTlsContext": { + "tlsParams": {}, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICBjCCAaugAwIBAgIIHm2Ne79HM58wCgYIKoZIzj0EAwIwFjEUMBIGA1UEAxML\nVGVzdCBDQSA5NDMwHhcNMjMwMjEzMTk1NzI2WhcNMzMwMjEwMTk1NzI2WjAAMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAawh2wC9ZhCtUed7oCpIsAZkXimQhgrJ\nVo5sVUcnN2Q2qCb3oZxsGF5rtdgID5AP9llsCHQRCvxrRhfOoMApFqOB+DCB9TAO\nBgNVHQ8BAf8EBAMCA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwG\nA1UdEwEB/wQCMAAwKQYDVR0OBCIEIEsxvBvrDLKHFHlFm6HzaNgGYZ0lSRw085oL\n11VVN5r/MCsGA1UdIwQkMCKAIIz1Q3Mkg4ls2U5Ye4l0U0VrSh4TLjIixSIoCaKy\nyv3hMF4GA1UdEQEB/wRUMFKCAIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMz\nLTQ0NDQtNTU1NTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMv\nd2ViMAoGCCqGSM49BAMCA0kAMEYCIQC2DzWWs710/sCL9fz68JoAHBNof/t6Kzxy\nWQoVdSTNzAIhAMiEGoHeFJubTrA4ArrYfZetFTucN8bZQT7Kwd9y1BaL\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIAOQb7PQqvdj8o0x/mk5WN8gvM0QrWY6Da1JhpKMUEcpoAoGCCqGSM49\nAwEHoUQDQgAEAawh2wC9ZhCtUed7oCpIsAZkXimQhgrJVo5sVUcnN2Q2qCb3oZxs\nGF5rtdgID5AP9llsCHQRCvxrRhfOoMApFg==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + }, + "matchSubjectAltNames": [ + { + "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/my-tcp-service" + } + ] + } + }, + "sni": "my-tcp-service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/endpoints/api-gateway-with-tcp-route-and-inline-certificate.latest.golden b/agent/xds/testdata/endpoints/api-gateway-with-tcp-route-and-inline-certificate.latest.golden new file mode 100644 index 000000000000..8504dae2b840 --- /dev/null +++ b/agent/xds/testdata/endpoints/api-gateway-with-tcp-route-and-inline-certificate.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/api-gateway-with-tcp-route-and-inline-certificate.latest.golden b/agent/xds/testdata/listeners/api-gateway-with-tcp-route-and-inline-certificate.latest.golden new file mode 100644 index 000000000000..32b36b478ea9 --- /dev/null +++ b/agent/xds/testdata/listeners/api-gateway-with-tcp-route-and-inline-certificate.latest.golden @@ -0,0 +1,32 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "name": "my-tcp-service:1.2.3.4:8080", + "address": { + "socketAddress": { + "address": "1.2.3.4", + "portValue": 8080 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "statPrefix": "upstream.my-tcp-service.default.default.dc1", + "cluster": "my-tcp-service.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul" + } + } + ] + } + ], + "trafficDirection": "OUTBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/routes/api-gateway-with-tcp-route-and-inline-certificate.latest.golden b/agent/xds/testdata/routes/api-gateway-with-tcp-route-and-inline-certificate.latest.golden new file mode 100644 index 000000000000..9c050cbe6b4d --- /dev/null +++ b/agent/xds/testdata/routes/api-gateway-with-tcp-route-and-inline-certificate.latest.golden @@ -0,0 +1,5 @@ +{ + "versionInfo": "00000001", + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/api-gateway-with-tcp-route-and-inline-certificate.latest.golden b/agent/xds/testdata/secrets/api-gateway-with-tcp-route-and-inline-certificate.latest.golden new file mode 100644 index 000000000000..5088584d1f2c --- /dev/null +++ b/agent/xds/testdata/secrets/api-gateway-with-tcp-route-and-inline-certificate.latest.golden @@ -0,0 +1,19 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "name": "inline-certificate:default/default/my-inline-certificate/", + "tlsCertificate": { + "certificateChain": { + "inlineString": "certificate\n" + }, + "privateKey": { + "inlineString": "private key\n" + } + } + } + ], + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "nonce": "00000001" +} \ No newline at end of file From cc4a2f2271094d63c34da1d11824e3ad9eb20477 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 15 Feb 2023 23:08:57 +0000 Subject: [PATCH 7/9] backport of commit 023323c2432fc6f882796ae1048861ac198dbf58 --- agent/structs/config_entry_gateways.go | 2 ++ agent/xds/listeners_ingress.go | 28 +++++++++++++++++++++++++- 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/agent/structs/config_entry_gateways.go b/agent/structs/config_entry_gateways.go index 83bbcfb15959..0cef33b57659 100644 --- a/agent/structs/config_entry_gateways.go +++ b/agent/structs/config_entry_gateways.go @@ -123,6 +123,8 @@ type GatewayTLSConfig struct { // Indicates that TLS should be enabled for this gateway or listener Enabled bool + UseADS bool + // SDS allows configuring TLS certificate from an SDS service. SDS *GatewayTLSSDSConfig `json:",omitempty"` diff --git a/agent/xds/listeners_ingress.go b/agent/xds/listeners_ingress.go index 6083529849dc..0e4d21cfe7ac 100644 --- a/agent/xds/listeners_ingress.go +++ b/agent/xds/listeners_ingress.go @@ -226,6 +226,8 @@ func resolveListenerTLSConfig(gatewayTLSCfg *structs.GatewayTLSConfig, listenerC } if listenerCfg.TLS != nil { + mergedCfg.UseADS = listenerCfg.TLS.UseADS + if listenerCfg.TLS.TLSMinVersion != types.TLSVersionUnspecified { mergedCfg.TLSMinVersion = listenerCfg.TLS.TLSMinVersion } @@ -384,9 +386,17 @@ func makeTLSParametersFromGatewayTLSConfig(tlsCfg structs.GatewayTLSConfig) *env } func makeCommonTLSContextFromGatewayTLSConfig(tlsCfg structs.GatewayTLSConfig) *envoy_tls_v3.CommonTlsContext { + + var secretConfigs []*envoy_tls_v3.SdsSecretConfig + if tlsCfg.UseADS { + secretConfigs = makeTLSCertificateSdsSecretConfigsFromSDSUsingADS(*tlsCfg.SDS) + } else { + secretConfigs = makeTLSCertificateSdsSecretConfigsFromSDS(*tlsCfg.SDS) + } + return &envoy_tls_v3.CommonTlsContext{ TlsParams: makeTLSParametersFromGatewayTLSConfig(tlsCfg), - TlsCertificateSdsSecretConfigs: makeTLSCertificateSdsSecretConfigsFromSDS(*tlsCfg.SDS), + TlsCertificateSdsSecretConfigs: secretConfigs, } } @@ -396,6 +406,22 @@ func makeCommonTLSContextFromGatewayServiceTLSConfig(tlsCfg structs.GatewayServi TlsCertificateSdsSecretConfigs: makeTLSCertificateSdsSecretConfigsFromSDS(*tlsCfg.SDS), } } + +func makeTLSCertificateSdsSecretConfigsFromSDSUsingADS(sdsCfg structs.GatewayTLSSDSConfig) []*envoy_tls_v3.SdsSecretConfig { + return []*envoy_tls_v3.SdsSecretConfig{ + { + Name: sdsCfg.CertResource, + SdsConfig: &envoy_core_v3.ConfigSource{ + ConfigSourceSpecifier: &envoy_core_v3.ConfigSource_Ads{ + Ads: &envoy_core_v3.AggregatedConfigSource{}, + }, + ResourceApiVersion: envoy_core_v3.ApiVersion_V3, + }, + }, + } +} + + func makeTLSCertificateSdsSecretConfigsFromSDS(sdsCfg structs.GatewayTLSSDSConfig) []*envoy_tls_v3.SdsSecretConfig { return []*envoy_tls_v3.SdsSecretConfig{ { From 0da00f45a5b48d4a7a5349bd6abaf29e13b39b4e Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 15 Feb 2023 23:09:12 +0000 Subject: [PATCH 8/9] backport of commit e5afda58af1572384f73cc1b08a9f4d71a3a5353 --- agent/proxycfg/snapshot.go | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/agent/proxycfg/snapshot.go b/agent/proxycfg/snapshot.go index 13c854005621..6ea61be67a3a 100644 --- a/agent/proxycfg/snapshot.go +++ b/agent/proxycfg/snapshot.go @@ -803,7 +803,7 @@ func (c *configSnapshotAPIGateway) ToIngress(datacenter string) (configSnapshotI } // Configure TLS for the ingress listener - tls, err := c.toIngressTLS() + tls, err := c.toIngressTLS(listener) if err != nil { return configSnapshotIngressGateway{}, err } @@ -905,9 +905,24 @@ DOMAIN_LOOP: return services, upstreams, compiled, err } -func (c *configSnapshotAPIGateway) toIngressTLS() (*structs.GatewayTLSConfig, error) { - // TODO (t-eckert) this is dependent on future SDS work. - return &structs.GatewayTLSConfig{}, nil +func (c *configSnapshotAPIGateway) toIngressTLS(listener structs.APIGatewayListener) (*structs.GatewayTLSConfig, error) { + // TODO How do we handle multiple listener.TLS.Certificates? + var sds *structs.GatewayTLSSDSConfig + if len(listener.TLS.Certificates) > 0 { + sds = &structs.GatewayTLSSDSConfig{ + ClusterName: "local_agent", + CertResource: listener.TLS.Certificates[0].String(), + } + } + + return &structs.GatewayTLSConfig{ + Enabled: true, + UseADS: true, + SDS: sds, + TLSMinVersion: listener.TLS.MinVersion, + TLSMaxVersion: listener.TLS.MaxVersion, + CipherSuites: listener.TLS.CipherSuites, + }, nil } type configSnapshotIngressGateway struct { From 663bc25e06ba0734bb0dc5c5e0140b83ccd1d019 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Thu, 16 Feb 2023 20:36:02 +0000 Subject: [PATCH 9/9] backport of commit 37502d482670f3253f3e60d4160bf66c8d4ee7a4 --- agent/proxycfg/snapshot.go | 37 ++++++++++-------- agent/structs/config_entry_gateways.go | 2 - agent/xds/listeners_ingress.go | 52 ++++++++++++++++++-------- agent/xds/secrets.go | 44 +--------------------- 4 files changed, 61 insertions(+), 74 deletions(-) diff --git a/agent/proxycfg/snapshot.go b/agent/proxycfg/snapshot.go index 6ea61be67a3a..6ce5a30083eb 100644 --- a/agent/proxycfg/snapshot.go +++ b/agent/proxycfg/snapshot.go @@ -734,6 +734,8 @@ type configSnapshotAPIGateway struct { // Listeners is the original listener config from the api-gateway config // entry to save us trying to pass fields through Upstreams Listeners map[string]structs.APIGatewayListener + // this acts as an intermediary for inlining certificates + ListenerCertificates map[IngressListenerKey][]structs.InlineCertificateConfigEntry BoundListeners map[string]structs.BoundAPIGatewayListener } @@ -751,6 +753,9 @@ func (c *configSnapshotAPIGateway) ToIngress(datacenter string) (configSnapshotI watchedUpstreamEndpoints := make(map[UpstreamID]map[string]structs.CheckServiceNodes) watchedGatewayEndpoints := make(map[UpstreamID]map[string]structs.CheckServiceNodes) + // reset the cached certificates + c.ListenerCertificates = make(map[IngressListenerKey][]structs.InlineCertificateConfigEntry) + for name, listener := range c.Listeners { boundListener, ok := c.BoundListeners[name] if !ok { @@ -802,17 +807,18 @@ func (c *configSnapshotAPIGateway) ToIngress(datacenter string) (configSnapshotI watchedGatewayEndpoints[id] = gatewayEndpoints } + key := IngressListenerKey{ + Port: listener.Port, + Protocol: string(listener.Protocol), + } + // Configure TLS for the ingress listener - tls, err := c.toIngressTLS(listener) + tls, err := c.toIngressTLS(key, listener, boundListener) if err != nil { return configSnapshotIngressGateway{}, err } - ingressListener.TLS = tls - key := IngressListenerKey{ - Port: listener.Port, - Protocol: string(listener.Protocol), - } + ingressListener.TLS = tls ingressListeners[key] = ingressListener ingressUpstreams[key] = upstreams } @@ -905,20 +911,21 @@ DOMAIN_LOOP: return services, upstreams, compiled, err } -func (c *configSnapshotAPIGateway) toIngressTLS(listener structs.APIGatewayListener) (*structs.GatewayTLSConfig, error) { - // TODO How do we handle multiple listener.TLS.Certificates? - var sds *structs.GatewayTLSSDSConfig - if len(listener.TLS.Certificates) > 0 { - sds = &structs.GatewayTLSSDSConfig{ - ClusterName: "local_agent", - CertResource: listener.TLS.Certificates[0].String(), +func (c *configSnapshotAPIGateway) toIngressTLS(key IngressListenerKey, listener structs.APIGatewayListener, bound structs.BoundAPIGatewayListener) (*structs.GatewayTLSConfig, error) { + if len(listener.TLS.Certificates) == 0 { + return nil, nil + } + + for _, certRef := range bound.Certificates { + cert, ok := c.Certificates.Get(certRef) + if !ok { + continue } + c.ListenerCertificates[key] = append(c.ListenerCertificates[key], *cert) } return &structs.GatewayTLSConfig{ Enabled: true, - UseADS: true, - SDS: sds, TLSMinVersion: listener.TLS.MinVersion, TLSMaxVersion: listener.TLS.MaxVersion, CipherSuites: listener.TLS.CipherSuites, diff --git a/agent/structs/config_entry_gateways.go b/agent/structs/config_entry_gateways.go index 0cef33b57659..83bbcfb15959 100644 --- a/agent/structs/config_entry_gateways.go +++ b/agent/structs/config_entry_gateways.go @@ -123,8 +123,6 @@ type GatewayTLSConfig struct { // Indicates that TLS should be enabled for this gateway or listener Enabled bool - UseADS bool - // SDS allows configuring TLS certificate from an SDS service. SDS *GatewayTLSSDSConfig `json:",omitempty"` diff --git a/agent/xds/listeners_ingress.go b/agent/xds/listeners_ingress.go index 0e4d21cfe7ac..c408499ec78c 100644 --- a/agent/xds/listeners_ingress.go +++ b/agent/xds/listeners_ingress.go @@ -13,6 +13,7 @@ import ( "github.com/hashicorp/consul/agent/proxycfg" "github.com/hashicorp/consul/agent/structs" + "github.com/hashicorp/consul/lib" "github.com/hashicorp/consul/types" ) @@ -25,7 +26,12 @@ func (s *ResourceGenerator) makeIngressGatewayListeners(address string, cfgSnap return nil, fmt.Errorf("no listener config found for listener on proto/port %s/%d", listenerKey.Protocol, listenerKey.Port) } - tlsContext, err := makeDownstreamTLSContextFromSnapshotListenerConfig(cfgSnap, listenerCfg) + var certs []structs.InlineCertificateConfigEntry + if cfgSnap.APIGateway.ListenerCertificates != nil { + certs = cfgSnap.APIGateway.ListenerCertificates[listenerKey] + } + + tlsContext, err := makeDownstreamTLSContextFromSnapshotListenerConfig(cfgSnap, listenerCfg, certs) if err != nil { return nil, err } @@ -160,10 +166,10 @@ func (s *ResourceGenerator) makeIngressGatewayListeners(address string, cfgSnap return resources, nil } -func makeDownstreamTLSContextFromSnapshotListenerConfig(cfgSnap *proxycfg.ConfigSnapshot, listenerCfg structs.IngressListener) (*envoy_tls_v3.DownstreamTlsContext, error) { +func makeDownstreamTLSContextFromSnapshotListenerConfig(cfgSnap *proxycfg.ConfigSnapshot, listenerCfg structs.IngressListener, certs []structs.InlineCertificateConfigEntry) (*envoy_tls_v3.DownstreamTlsContext, error) { var downstreamContext *envoy_tls_v3.DownstreamTlsContext - tlsContext, err := makeCommonTLSContextFromSnapshotListenerConfig(cfgSnap, listenerCfg) + tlsContext, err := makeCommonTLSContextFromSnapshotListenerConfig(cfgSnap, listenerCfg, certs) if err != nil { return nil, err } @@ -181,7 +187,7 @@ func makeDownstreamTLSContextFromSnapshotListenerConfig(cfgSnap *proxycfg.Config return downstreamContext, nil } -func makeCommonTLSContextFromSnapshotListenerConfig(cfgSnap *proxycfg.ConfigSnapshot, listenerCfg structs.IngressListener) (*envoy_tls_v3.CommonTlsContext, error) { +func makeCommonTLSContextFromSnapshotListenerConfig(cfgSnap *proxycfg.ConfigSnapshot, listenerCfg structs.IngressListener, certs []structs.InlineCertificateConfigEntry) (*envoy_tls_v3.CommonTlsContext, error) { var tlsContext *envoy_tls_v3.CommonTlsContext // Enable connect TLS if it is enabled at the Gateway or specific listener @@ -199,6 +205,10 @@ func makeCommonTLSContextFromSnapshotListenerConfig(cfgSnap *proxycfg.ConfigSnap return nil, err } + if len(certs) != 0 { + return makeInlineTLSContextFromGatewayTLSConfig(*tlsCfg, certs), nil + } + if tlsCfg.SDS != nil { // Set up listener TLS from SDS tlsContext = makeCommonTLSContextFromGatewayTLSConfig(*tlsCfg) @@ -226,8 +236,6 @@ func resolveListenerTLSConfig(gatewayTLSCfg *structs.GatewayTLSConfig, listenerC } if listenerCfg.TLS != nil { - mergedCfg.UseADS = listenerCfg.TLS.UseADS - if listenerCfg.TLS.TLSMinVersion != types.TLSVersionUnspecified { mergedCfg.TLSMinVersion = listenerCfg.TLS.TLSMinVersion } @@ -385,18 +393,33 @@ func makeTLSParametersFromGatewayTLSConfig(tlsCfg structs.GatewayTLSConfig) *env return makeTLSParametersFromTLSConfig(tlsCfg.TLSMinVersion, tlsCfg.TLSMaxVersion, tlsCfg.CipherSuites) } -func makeCommonTLSContextFromGatewayTLSConfig(tlsCfg structs.GatewayTLSConfig) *envoy_tls_v3.CommonTlsContext { - - var secretConfigs []*envoy_tls_v3.SdsSecretConfig - if tlsCfg.UseADS { - secretConfigs = makeTLSCertificateSdsSecretConfigsFromSDSUsingADS(*tlsCfg.SDS) - } else { - secretConfigs = makeTLSCertificateSdsSecretConfigsFromSDS(*tlsCfg.SDS) +func makeInlineTLSContextFromGatewayTLSConfig(tlsCfg structs.GatewayTLSConfig, certs []structs.InlineCertificateConfigEntry) *envoy_tls_v3.CommonTlsContext { + tlsParams := makeTLSParametersFromGatewayTLSConfig(tlsCfg) + tlsCerts := []*envoy_tls_v3.TlsCertificate{} + for _, cert := range certs { + tlsCerts = append(tlsCerts, &envoy_tls_v3.TlsCertificate{ + CertificateChain: &envoy_core_v3.DataSource{ + Specifier: &envoy_core_v3.DataSource_InlineString{ + InlineString: lib.EnsureTrailingNewline(cert.Certificate), + }, + }, + PrivateKey: &envoy_core_v3.DataSource{ + Specifier: &envoy_core_v3.DataSource_InlineString{ + InlineString: lib.EnsureTrailingNewline(cert.PrivateKey), + }, + }, + }) + } + return &envoy_tls_v3.CommonTlsContext{ + TlsParams: tlsParams, + TlsCertificates: tlsCerts, } +} +func makeCommonTLSContextFromGatewayTLSConfig(tlsCfg structs.GatewayTLSConfig) *envoy_tls_v3.CommonTlsContext { return &envoy_tls_v3.CommonTlsContext{ TlsParams: makeTLSParametersFromGatewayTLSConfig(tlsCfg), - TlsCertificateSdsSecretConfigs: secretConfigs, + TlsCertificateSdsSecretConfigs: makeTLSCertificateSdsSecretConfigsFromSDS(*tlsCfg.SDS), } } @@ -421,7 +444,6 @@ func makeTLSCertificateSdsSecretConfigsFromSDSUsingADS(sdsCfg structs.GatewayTLS } } - func makeTLSCertificateSdsSecretConfigsFromSDS(sdsCfg structs.GatewayTLSSDSConfig) []*envoy_tls_v3.SdsSecretConfig { return []*envoy_tls_v3.SdsSecretConfig{ { diff --git a/agent/xds/secrets.go b/agent/xds/secrets.go index 5eb2bcb3015a..a1ef50e44caa 100644 --- a/agent/xds/secrets.go +++ b/agent/xds/secrets.go @@ -4,13 +4,10 @@ import ( "errors" "fmt" - envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" - envoy_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" "google.golang.org/protobuf/proto" "github.com/hashicorp/consul/agent/proxycfg" "github.com/hashicorp/consul/agent/structs" - "github.com/hashicorp/consul/lib" ) // secretsFromSnapshot returns the xDS API representation of the "secrets" @@ -24,47 +21,10 @@ func (s *ResourceGenerator) secretsFromSnapshot(cfgSnap *proxycfg.ConfigSnapshot case structs.ServiceKindConnectProxy, structs.ServiceKindTerminatingGateway, structs.ServiceKindMeshGateway, - structs.ServiceKindIngressGateway: + structs.ServiceKindIngressGateway, + structs.ServiceKindAPIGateway: return nil, nil - // Only API gateways utilize secrets - case structs.ServiceKindAPIGateway: - return s.secretsFromSnapshotAPIGateway(cfgSnap) default: return nil, fmt.Errorf("Invalid service kind: %v", cfgSnap.Kind) } } - -func (s *ResourceGenerator) secretsFromSnapshotAPIGateway(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error) { - resources := make([]proto.Message, 0, cfgSnap.APIGateway.Certificates.Len()) - - cfgSnap.APIGateway.Certificates.ForEachKey(func(ref structs.ResourceReference) bool { - cert, ok := cfgSnap.APIGateway.Certificates.Get(ref) - if !ok { - // inline-certificate not present in map for some reason, process others - return true - } - - secret := &envoy_tls_v3.Secret{ - Name: ref.String(), - Type: &envoy_tls_v3.Secret_TlsCertificate{ - TlsCertificate: &envoy_tls_v3.TlsCertificate{ - CertificateChain: &envoy_core_v3.DataSource{ - Specifier: &envoy_core_v3.DataSource_InlineString{ - InlineString: lib.EnsureTrailingNewline(cert.Certificate), - }, - }, - PrivateKey: &envoy_core_v3.DataSource{ - Specifier: &envoy_core_v3.DataSource_InlineString{ - InlineString: lib.EnsureTrailingNewline(cert.PrivateKey), - }, - }, - }, - }, - } - - resources = append(resources, secret) - return true - }) - - return resources, nil -}