envoyproxy · lizan · Aug 31, 2018 · Aug 15, 2018 · Aug 16, 2018 · Aug 16, 2018
diff --git a/include/envoy/secret/BUILD b/include/envoy/secret/BUILD
@@ -29,5 +29,6 @@ envoy_cc_library(
     deps = [
         ":secret_provider_interface",
         "@envoy_api//envoy/api/v2/auth:cert_cc",
+        "@envoy_api//envoy/api/v2/core:config_source_cc",
     ],
 )
diff --git a/include/envoy/secret/secret_callbacks.h b/include/envoy/secret/secret_callbacks.h
@@ -11,6 +11,7 @@ namespace Secret {
 class SecretCallbacks {
 public:
   virtual ~SecretCallbacks() {}
+
   virtual void onAddOrUpdateSecret() PURE;
 };
 

diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h
@@ -6,12 +6,17 @@
 #include "envoy/secret/secret_provider.h"
 
 namespace Envoy {
+
+namespace Server {
+namespace Configuration {
+class TransportSocketFactoryContext;
+} // namespace Configuration
+} // namespace Server
+
 namespace Secret {
 
 /**
- * A manager for static secrets.
- *
- * TODO(jaebong) Support dynamic secrets.
+ * A manager for static and dynamic secrets.
  */
 class SecretManager {
 public:
@@ -37,6 +42,20 @@ class SecretManager {
    */
   virtual TlsCertificateConfigProviderSharedPtr createInlineTlsCertificateProvider(
       const envoy::api::v2::auth::TlsCertificate& tls_certificate) PURE;
+
+  /**
+   * Finds and returns a dynamic secret provider associated to SDS config. Create
+   * a new one if such provider does not exist.
+   *
+   * @param config_source a protobuf message object containing a SDS config source.
+   * @param config_name a name that uniquely refers to the SDS config source.
+   * @param secret_provider_context context that provides components for creating and initializing
+   * secret provider.
+   * @return TlsCertificateConfigProviderSharedPtr the dynamic TLS secret provider.
+   */
+  virtual TlsCertificateConfigProviderSharedPtr findOrCreateDynamicSecretProvider(
+      const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name,
+      Server::Configuration::TransportSocketFactoryContext& secret_provider_context) PURE;
 };
 
 } // namespace Secret

diff --git a/include/envoy/secret/secret_provider.h b/include/envoy/secret/secret_provider.h
@@ -4,6 +4,7 @@
 
 #include "envoy/common/callback.h"
 #include "envoy/common/pure.h"
+#include "envoy/secret/secret_callbacks.h"
 #include "envoy/ssl/tls_certificate_config.h"
 
 namespace Envoy {
@@ -23,7 +24,7 @@ template <class SecretType> class SecretProvider {
 
   /**
    * Add secret update callback into secret provider.
-   * It is safe to call this method by main thread and is safe to be invoked
+   * It is safe to call this method by main thread and callback is safe to be invoked
    * on main thread.
    * @param callback callback that is executed by secret provider.
    * @return CallbackHandle the handle which can remove that update callback.

diff --git a/include/envoy/server/BUILD b/include/envoy/server/BUILD
@@ -177,6 +177,7 @@ envoy_cc_library(
     hdrs = ["transport_socket_config.h"],
     deps = [
         "//include/envoy/event:dispatcher_interface",
+        "//include/envoy/init:init_interface",
         "//include/envoy/local_info:local_info_interface",
         "//include/envoy/network:transport_socket_interface",
         "//include/envoy/runtime:runtime_interface",

diff --git a/include/envoy/server/transport_socket_config.h b/include/envoy/server/transport_socket_config.h
@@ -3,6 +3,7 @@
 #include <string>
 
 #include "envoy/event/dispatcher.h"
+#include "envoy/init/init.h"
 #include "envoy/local_info/local_info.h"
 #include "envoy/network/transport_socket.h"
 #include "envoy/runtime/runtime.h"
@@ -63,6 +64,18 @@ class TransportSocketFactoryContext {
    * @return the server-wide stats store.
    */
   virtual Stats::Store& stats() PURE;
+
+  /**
+   * Pass an init manager to register dynamic secret provider.
+   * @param init_manager instance of init manager.
+   */
+  virtual void setInitManager(Init::Manager& init_manager) PURE;
+
+  /**
+   * @return a pointer pointing to the instance of an init manager, or nullptr
+   * if not set.
+   */
+  virtual Init::Manager* initManager() PURE;
 };
 
 class TransportSocketConfigFactory {

diff --git a/include/envoy/ssl/BUILD b/include/envoy/ssl/BUILD
@@ -22,7 +22,7 @@ envoy_cc_library(
     name = "context_config_interface",
     hdrs = ["context_config.h"],
     deps = [
-        ":tls_certificate_config_interface",
+        "//include/envoy/secret:secret_provider_interface",
     ],
 )
 

diff --git a/include/envoy/ssl/context_config.h b/include/envoy/ssl/context_config.h
@@ -5,7 +5,8 @@
 #include <vector>
 
 #include "envoy/common/pure.h"
-#include "envoy/ssl/tls_certificate_config.h"
+#include "envoy/secret/secret_callbacks.h"
+#include "envoy/secret/secret_provider.h"
 
 namespace Envoy {
 namespace Ssl {
@@ -95,6 +96,19 @@ class ContextConfig {
    * @return The maximum TLS protocol version to negotiate.
    */
   virtual unsigned maxProtocolVersion() const PURE;
+
+  /**
+   * @return true if the ContextConfig is able to provide secrets to create SSL context,
+   * and false if dynamic secrets are expected but are not downloaded from SDS server yet.
+   */
+  virtual bool isReady() const PURE;
+
+  /**
+   * Add secret callback into context config. When dynamic secrets are in use and new secrets
+   * are downloaded from SDS server, this callback is invoked to update SSL context.
+   * @param callback callback that is executed by context config.
+   */
+  virtual void setSecretUpdateCallback(std::function<void()> callback) PURE;
 };
 
 class ClientContextConfig : public virtual ContextConfig {

diff --git a/source/common/common/logger.h b/source/common/common/logger.h
@@ -44,6 +44,7 @@ namespace Logger {
   FUNCTION(router)               \
   FUNCTION(runtime)              \
   FUNCTION(stats)                \
+  FUNCTION(secret)               \
   FUNCTION(testing)              \
   FUNCTION(thrift)               \
   FUNCTION(tracing)              \

diff --git a/source/common/config/BUILD b/source/common/config/BUILD
@@ -242,6 +242,7 @@ envoy_cc_library(
     hdrs = ["protobuf_link_hacks.h"],
     deps = [
         "@envoy_api//envoy/service/discovery/v2:ads_cc",
+        "@envoy_api//envoy/service/discovery/v2:sds_cc",
         "@envoy_api//envoy/service/ratelimit/v2:rls_cc",
     ],
 )

diff --git a/source/common/config/protobuf_link_hacks.h b/source/common/config/protobuf_link_hacks.h
@@ -1,6 +1,7 @@
 #pragma once
 
 #include "envoy/service/discovery/v2/ads.pb.h"
+#include "envoy/service/discovery/v2/sds.pb.h"
 #include "envoy/service/ratelimit/v2/rls.pb.h"
 
 namespace Envoy {
@@ -9,4 +10,5 @@ namespace Envoy {
 // This file should be included ONLY if this hack is required.
 const envoy::service::discovery::v2::AdsDummy _ads_dummy;
 const envoy::service::ratelimit::v2::RateLimitRequest _rls_dummy;
+const envoy::service::discovery::v2::SdsDummy _sds_dummy;
 } // namespace Envoy
diff --git a/source/common/config/resources.h b/source/common/config/resources.h
@@ -15,6 +15,7 @@ class TypeUrlValues {
   const std::string Listener{"type.googleapis.com/envoy.api.v2.Listener"};
   const std::string Cluster{"type.googleapis.com/envoy.api.v2.Cluster"};
   const std::string ClusterLoadAssignment{"type.googleapis.com/envoy.api.v2.ClusterLoadAssignment"};
+  const std::string Secret{"type.googleapis.com/envoy.api.v2.auth.Secret"};
   const std::string RouteConfiguration{"type.googleapis.com/envoy.api.v2.RouteConfiguration"};
 };
 

diff --git a/source/common/secret/BUILD b/source/common/secret/BUILD
@@ -13,8 +13,11 @@ envoy_cc_library(
     srcs = ["secret_manager_impl.cc"],
     hdrs = ["secret_manager_impl.h"],
     deps = [
+        ":sds_api_lib",
         ":secret_provider_impl_lib",
         "//include/envoy/secret:secret_manager_interface",
+        "//include/envoy/server:transport_socket_config_interface",
+        "//source/common/common:assert_lib",
         "//source/common/common:minimal_logger_lib",
         "@envoy_api//envoy/api/v2/auth:cert_cc",
     ],

diff --git a/source/common/secret/secret_manager_impl.cc b/source/common/secret/secret_manager_impl.cc
@@ -3,6 +3,7 @@
 #include "envoy/common/exception.h"
 
 #include "common/common/assert.h"
+#include "common/secret/sds_api.h"
 #include "common/secret/secret_provider_impl.h"
 #include "common/ssl/tls_certificate_config_impl.h"
 
@@ -37,5 +38,37 @@ TlsCertificateConfigProviderSharedPtr SecretManagerImpl::createInlineTlsCertific
   return std::make_shared<TlsCertificateConfigProviderImpl>(tls_certificate);
 }
 
+void SecretManagerImpl::removeDynamicSecretProvider(const std::string& map_key) {
+  ENVOY_LOG(debug, "Unregister secret provider. hash key: {}", map_key);
+
+  RELEASE_ASSERT(dynamic_secret_providers_.erase(map_key) == 1, "");
+}
+
+TlsCertificateConfigProviderSharedPtr SecretManagerImpl::findOrCreateDynamicSecretProvider(
+    const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name,
+    Server::Configuration::TransportSocketFactoryContext& secret_provider_context) {
+  const std::string map_key = std::to_string(MessageUtil::hash(sds_config_source)) + config_name;
+
+  auto secret_provider = dynamic_secret_providers_[map_key].lock();
+  if (!secret_provider) {
+    ASSERT(secret_provider_context.initManager() != nullptr);
+
+    // SdsApi is owned by ListenerImpl and ClusterInfo which are destroyed before
+    // SecretManagerImpl. It is safe to invoke this callback at the destructor of SdsApi.
+    std::function<void()> unregister_secret_provider = [map_key, this]() {
+      removeDynamicSecretProvider(map_key);
+    };
+
+    secret_provider = std::make_shared<SdsApi>(
+        secret_provider_context.localInfo(), secret_provider_context.dispatcher(),
+        secret_provider_context.random(), secret_provider_context.stats(),
+        secret_provider_context.clusterManager(), *secret_provider_context.initManager(),
+        sds_config_source, config_name, unregister_secret_provider);
+    dynamic_secret_providers_[map_key] = secret_provider;
+  }
+
+  return secret_provider;
+}
+
 } // namespace Secret
 } // namespace Envoy
diff --git a/source/common/secret/secret_manager_impl.h b/source/common/secret/secret_manager_impl.h
@@ -4,24 +4,39 @@
 
 #include "envoy/secret/secret_manager.h"
 #include "envoy/secret/secret_provider.h"
+#include "envoy/server/transport_socket_config.h"
 #include "envoy/ssl/tls_certificate_config.h"
 
 #include "common/common/logger.h"
 
 namespace Envoy {
 namespace Secret {
 
-class SecretManagerImpl : public SecretManager, Logger::Loggable<Logger::Id::upstream> {
+class SecretManagerImpl : public SecretManager, Logger::Loggable<Logger::Id::secret> {
 public:
   void addStaticSecret(const envoy::api::v2::auth::Secret& secret) override;
+
   TlsCertificateConfigProviderSharedPtr
   findStaticTlsCertificateProvider(const std::string& name) const override;
+
   TlsCertificateConfigProviderSharedPtr createInlineTlsCertificateProvider(
       const envoy::api::v2::auth::TlsCertificate& tls_certificate) override;
 
+  TlsCertificateConfigProviderSharedPtr findOrCreateDynamicSecretProvider(
+      const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name,
+      Server::Configuration::TransportSocketFactoryContext& secret_provider_context) override;
+
 private:
+  // Remove dynamic secret provider which has been deleted.
+  void removeDynamicSecretProvider(const std::string& map_key);
+
+  // Manages pairs of secret name and TlsCertificateConfigProviderSharedPtr.
   std::unordered_map<std::string, TlsCertificateConfigProviderSharedPtr>
       static_tls_certificate_providers_;
+
+  // map hash code of SDS config source and SdsApi object.
+  std::unordered_map<std::string, std::weak_ptr<TlsCertificateConfigProvider>>
+      dynamic_secret_providers_;
 };
 
 } // namespace Secret

diff --git a/source/common/ssl/BUILD b/source/common/ssl/BUILD
@@ -19,6 +19,7 @@ envoy_cc_library(
         ":utility_lib",
         "//include/envoy/network:connection_interface",
         "//include/envoy/network:transport_socket_interface",
+        "//include/envoy/stats:stats_macros",
         "//source/common/common:assert_lib",
         "//source/common/common:empty_string",
         "//source/common/common:minimal_logger_lib",
@@ -34,8 +35,9 @@ envoy_cc_library(
         "ssl",
     ],
     deps = [
-        "//include/envoy/secret:secret_manager_interface",
+        "//include/envoy/secret:secret_callbacks_interface",
         "//include/envoy/secret:secret_provider_interface",
+        "//include/envoy/server:transport_socket_config_interface",
         "//include/envoy/ssl:context_config_interface",
         "//source/common/common:assert_lib",
         "//source/common/common:empty_string",
-Original file line number
+Diff line change
@@ Expand Up / @@ -11,6 +11,7 @@ namespace Secret { @@
     class SecretCallbacks {
     public:
       virtual ~SecretCallbacks() {}
       virtual void onAddOrUpdateSecret() PURE;
     };
@@ Expand Down @@