feat(*) path file is passed by metadata

Makefile

@@ -441,11 +441,13 @@ run/example/envoy/k8s: run/example/envoy
 
 run/example/envoy/universal: run/example/envoy
 
-run/example/envoy: build/kuma-dp ## Dev: Run Envoy configured against local Control Plane
+run/example/envoy: build/kuma-dp build/kumactl ## Dev: Run Envoy configured against local Control Plane
+	${BUILD_ARTIFACTS_DIR}/kumactl/kumactl generate dataplane-token --name=$(EXAMPLE_DATAPLANE_NAME) --mesh=$(EXAMPLE_DATAPLANE_MESH) > /tmp/kuma-dp-$(EXAMPLE_DATAPLANE_NAME)-$(EXAMPLE_DATAPLANE_MESH)-token
 	KUMA_CONTROL_PLANE_BOOTSTRAP_SERVER_URL=http://localhost:5682 \
 	KUMA_DATAPLANE_MESH=$(EXAMPLE_DATAPLANE_MESH) \
 	KUMA_DATAPLANE_NAME=$(EXAMPLE_DATAPLANE_NAME) \
 	KUMA_DATAPLANE_ADMIN_PORT=$(ENVOY_ADMIN_PORT) \
+	KUMA_DATAPLANE_RUNTIME_TOKEN_PATH=/tmp/kuma-dp-$(EXAMPLE_DATAPLANE_NAME)-$(EXAMPLE_DATAPLANE_MESH)-token \
 	${BUILD_ARTIFACTS_DIR}/kuma-dp/kuma-dp run --log-level=debug
 
 config_dump/example/envoy: ## Dev: Dump effective configuration of example Envoy

app/kuma-dp/cmd/run.go

@@ -9,6 +9,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 
+	kumadp_config "github.com/Kong/kuma/app/kuma-dp/pkg/config"
 	"github.com/Kong/kuma/app/kuma-dp/pkg/dataplane/accesslogs"
 	"github.com/Kong/kuma/app/kuma-dp/pkg/dataplane/envoy"
 	"github.com/Kong/kuma/pkg/config"
@@ -41,6 +42,10 @@ func newRunCmd() *cobra.Command {
 				return err
 			}
 
+			if err := kumadp_config.ValidateTokenPath(cfg.DataplaneRuntime.TokenPath); err != nil {
+				return err
+			}
+
 			if cfg.DataplaneRuntime.ConfigDir == "" {
 				tmpDir, err := ioutil.TempDir("", "kuma-dp-")
 				if err != nil {
@@ -106,5 +111,6 @@ func newRunCmd() *cobra.Command {
 	cmd.PersistentFlags().StringVar(&cfg.ControlPlane.BootstrapServer.URL, "cp-address", cfg.ControlPlane.BootstrapServer.URL, "Mesh that Dataplane belongs to")
 	cmd.PersistentFlags().StringVar(&cfg.DataplaneRuntime.BinaryPath, "binary-path", cfg.DataplaneRuntime.BinaryPath, "Binary path of Envoy executable")
 	cmd.PersistentFlags().StringVar(&cfg.DataplaneRuntime.ConfigDir, "config-dir", cfg.DataplaneRuntime.ConfigDir, "Directory in which Envoy config will be generated")
+	cmd.PersistentFlags().StringVar(&cfg.DataplaneRuntime.TokenPath, "dataplane-token", cfg.DataplaneRuntime.TokenPath, "Path to a file with dataplane token (use 'kumactl generate dataplane-token' to get one)")
 	return cmd
 }

app/kuma-dp/pkg/config/config_suite_test.go

@@ -0,0 +1,13 @@
+package config_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestConfig(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Kuma DP Config Suite")
+}

app/kuma-dp/pkg/config/validate.go

@@ -0,0 +1,20 @@
+package config
+
+import (
+	util_files "github.com/Kong/kuma/pkg/util/files"
+	"github.com/pkg/errors"
+)
+
+func ValidateTokenPath(path string) error {
+	if path == "" {
+		return nil
+	}
+	empty, err := util_files.FileEmpty(path)
+	if err != nil {
+		return errors.Wrap(err, "could not read file")
+	}
+	if empty {
+		return errors.Errorf("token under file %s is empty", path)
+	}
+	return nil
+}

app/kuma-dp/pkg/config/validate_test.go

@@ -0,0 +1,57 @@
+package config_test
+
+import (
+	"fmt"
+	"github.com/Kong/kuma/app/kuma-dp/pkg/config"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"io/ioutil"
+	"os"
+)
+
+var _ = Describe("ValidateTokenPath", func() {
+
+	var tokenFile *os.File
+
+	BeforeEach(func() {
+		tf, err := ioutil.TempFile("", "")
+		Expect(err).ToNot(HaveOccurred())
+		tokenFile = tf
+	})
+
+	It("should pass validation for empty path", func() {
+		// when
+		err := config.ValidateTokenPath("")
+
+		// then
+		Expect(err).ToNot(HaveOccurred())
+	})
+
+	It("should pass validation for empty path", func() {
+		// given
+		_, err := tokenFile.WriteString("sampletoken")
+		Expect(err).ToNot(HaveOccurred())
+
+		// when
+		err = config.ValidateTokenPath("")
+
+		// then
+		Expect(err).ToNot(HaveOccurred())
+	})
+
+	It("should fail for non existing file", func() {
+		// when
+		err := config.ValidateTokenPath("nonexistingfile")
+
+		// then
+		Expect(err).To(MatchError("could not read file: stat nonexistingfile: no such file or directory"))
+	})
+
+	It("should fail for empty file", func() {
+		// when
+		err := config.ValidateTokenPath(tokenFile.Name())
+
+		// then
+		Expect(err).To(MatchError(fmt.Sprintf("token under file %s is empty", tokenFile.Name())))
+	})
+})

app/kuma-dp/pkg/dataplane/envoy/remote_bootstrap.go

@@ -30,7 +30,8 @@ func (b *remoteBootstrap) Generate(cfg kuma_dp.Config) (proto.Message, error) {
 		Name: cfg.Dataplane.Name,
 		// if not set in config, the 0 will be sent which will result in providing default admin port
 		// that is set in the control plane bootstrap params
-		AdminPort: cfg.Dataplane.AdminPort,
+		AdminPort:          cfg.Dataplane.AdminPort,
+		DataplaneTokenPath: cfg.DataplaneRuntime.TokenPath,
 	}
 	jsonBytes, err := json.Marshal(request)
 	if err != nil {

app/kuma-dp/pkg/dataplane/envoy/remote_bootstrap_test.go

@@ -28,7 +28,8 @@ var _ = Describe("Remote Bootstrap", func() {
 			{
 				"mesh": "demo",
 				"name": "sample",
-				"adminPort": 4321
+				"adminPort": 4321,
+				"dataplaneTokenPath": "/tmp/token"
 			}
 			`))
 
@@ -47,6 +48,7 @@ var _ = Describe("Remote Bootstrap", func() {
 		cfg.Dataplane.Mesh = "demo"
 		cfg.Dataplane.Name = "sample"
 		cfg.Dataplane.AdminPort = 4321
+		cfg.DataplaneRuntime.TokenPath = "/tmp/token"
 		cfg.ControlPlane.BootstrapServer.URL = fmt.Sprintf("http://localhost:%d", port)
 
 		// when

app/kuma-injector/pkg/injector/injector.go

@@ -113,6 +113,10 @@ func (i *KumaInjector) NewSidecarContainer(pod *kube_core.Pod) kube_core.Contain
 				Name:  "KUMA_DATAPLANE_DRAIN_TIME",
 				Value: fmt.Sprintf("%s", i.cfg.SidecarContainer.DrainTime),
 			},
+			{
+				Name:  "KUMA_DATAPLANE_RUNTIME_TOKEN_PATH",
+				Value: "/var/run/secrets/kubernetes.io/serviceaccount/token",
+			},
 		},
 		SecurityContext: &kube_core.SecurityContext{
 			RunAsUser:  &i.cfg.SidecarContainer.UID,

app/kuma-injector/pkg/injector/testdata/inject.01.golden.yaml

@@ -48,6 +48,8 @@ spec:
       value: "9901"
     - name: KUMA_DATAPLANE_DRAIN_TIME
       value: 31s
+    - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH
+      value: /var/run/secrets/kubernetes.io/serviceaccount/token
     image: kuma/kuma-sidecar:latest
     imagePullPolicy: IfNotPresent
     livenessProbe:

app/kuma-injector/pkg/injector/testdata/inject.02.golden.yaml

@@ -49,6 +49,8 @@ spec:
       value: "9901"
     - name: KUMA_DATAPLANE_DRAIN_TIME
       value: 31s
+    - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH
+      value: /var/run/secrets/kubernetes.io/serviceaccount/token
     image: kuma/kuma-sidecar:latest
     imagePullPolicy: IfNotPresent
     livenessProbe:

app/kuma-injector/pkg/injector/testdata/inject.03.golden.yaml

@@ -108,6 +108,8 @@ spec:
       value: "9901"
     - name: KUMA_DATAPLANE_DRAIN_TIME
       value: 31s
+    - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH
+      value: /var/run/secrets/kubernetes.io/serviceaccount/token
     image: kuma/kuma-sidecar:latest
     imagePullPolicy: IfNotPresent
     livenessProbe:

app/kuma-injector/pkg/injector/testdata/inject.04.golden.yaml

@@ -48,6 +48,8 @@ spec:
       value: "9901"
     - name: KUMA_DATAPLANE_DRAIN_TIME
       value: 31s
+    - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH
+      value: /var/run/secrets/kubernetes.io/serviceaccount/token
     image: kuma/kuma-sidecar:latest
     imagePullPolicy: IfNotPresent
     livenessProbe:

app/kumactl/pkg/cmd/root_context.go

@@ -11,6 +11,7 @@ import (
 	config_proto "github.com/Kong/kuma/pkg/config/app/kumactl/v1alpha1"
 	core_model "github.com/Kong/kuma/pkg/core/resources/model"
 	core_store "github.com/Kong/kuma/pkg/core/resources/store"
+	util_files "github.com/Kong/kuma/pkg/util/files"
 	"github.com/pkg/errors"
 
 	kumactl_resources "github.com/Kong/kuma/app/kumactl/pkg/resources"
@@ -130,5 +131,5 @@ func (rc *RootContext) CurrentDataplaneTokenClient() (tokens.DataplaneTokenClien
 }
 
 func (rc *RootContext) IsFirstTimeUsage() bool {
-	return rc.Args.ConfigFile == "" && !config.FileExists(config.DefaultConfigFile)
+	return rc.Args.ConfigFile == "" && !util_files.FileExists(config.DefaultConfigFile)
 }

app/kumactl/pkg/config/io.go

@@ -6,6 +6,7 @@ import (
 	"path/filepath"
 
 	config_proto "github.com/Kong/kuma/pkg/config/app/kumactl/v1alpha1"
+	util_files "github.com/Kong/kuma/pkg/util/files"
 	util_proto "github.com/Kong/kuma/pkg/util/proto"
 	"github.com/pkg/errors"
 )
@@ -15,13 +16,13 @@ var DefaultConfigFile = filepath.Join(os.Getenv("HOME"), ".kumactl", "config")
 func Load(file string, cfg *config_proto.Configuration) error {
 	configFile := DefaultConfigFile
 	if file != "" {
-		if FileExists(file) {
+		if util_files.FileExists(file) {
 			configFile = file
 		} else {
 			return errors.Errorf("Failed to access configuration file %q", file)
 		}
 	}
-	if FileExists(configFile) {
+	if util_files.FileExists(configFile) {
 		if contents, err := ioutil.ReadFile(configFile); err != nil {
 			return errors.Wrapf(err, "Failed to read configuration from file %q", configFile)
 		} else if err := util_proto.FromYAML(contents, cfg); err != nil {
@@ -57,8 +58,3 @@ func Save(file string, cfg *config_proto.Configuration) error {
 	}
 	return nil
 }
-
-func FileExists(path string) bool {
-	_, err := os.Stat(path)
-	return err == nil
-}

pkg/config/app/kuma-dp/config.go

@@ -5,7 +5,6 @@ import (
 	"time"
 
 	"github.com/Kong/kuma/pkg/config"
-
 	"github.com/pkg/errors"
 	"go.uber.org/multierr"
 )
@@ -69,6 +68,8 @@ type DataplaneRuntime struct {
 	BinaryPath string `yaml:"binaryPath,omitempty" envconfig:"kuma_dataplane_runtime_binary_path"`
 	// Dir to store auto-generated Envoy bootstrap config in.
 	ConfigDir string `yaml:"configDir,omitempty" envconfig:"kuma_dataplane_runtime_config_dir"`
+	// Path to a file with dataplane token (use 'kumactl generate dataplane-token' to get one)
+	TokenPath string `yaml:"dataplaneTokenPath,omitempty" envconfig:"kuma_dataplane_runtime_token_path"`
 }
 
 var _ config.Config = &Config{}

pkg/config/app/kuma-dp/config_test.go

@@ -57,6 +57,7 @@ var _ = Describe("Config", func() {
 				"KUMA_DATAPLANE_DRAIN_TIME":               "60s",
 				"KUMA_DATAPLANE_RUNTIME_BINARY_PATH":      "envoy.sh",
 				"KUMA_DATAPLANE_RUNTIME_CONFIG_DIR":       "/var/run/envoy",
+				"KUMA_DATAPLANE_RUNTIME_TOKEN_PATH":       "/tmp/token",
 			}
 			for key, value := range env {
 				os.Setenv(key, value)
@@ -79,6 +80,7 @@ var _ = Describe("Config", func() {
 			Expect(cfg.Dataplane.DrainTime).To(Equal(60 * time.Second))
 			Expect(cfg.DataplaneRuntime.BinaryPath).To(Equal("envoy.sh"))
 			Expect(cfg.DataplaneRuntime.ConfigDir).To(Equal("/var/run/envoy"))
+			Expect(cfg.DataplaneRuntime.TokenPath).To(Equal("/tmp/token"))
 		})
 	})
 

pkg/core/xds/metadata.go

@@ -0,0 +1,18 @@
+package xds
+
+import "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
+
+type DataplaneMetadata struct {
+	DataplaneTokenPath string
+}
+
+func DataplaneMetadataFromNode(node *core.Node) *DataplaneMetadata {
+	metadata := DataplaneMetadata{}
+	if node.Metadata == nil {
+		return &metadata
+	}
+	if field := node.Metadata.Fields["dataplaneTokenPath"]; field != nil {
+		metadata.DataplaneTokenPath = field.GetStringValue()
+	}
+	return &metadata
+}

pkg/core/xds/metadata_test.go

@@ -0,0 +1,44 @@
+package xds_test
+
+import (
+	"github.com/Kong/kuma/pkg/core/xds"
+	"github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
+	"github.com/gogo/protobuf/types"
+	. "github.com/onsi/ginkgo/extensions/table"
+	. "github.com/onsi/gomega"
+)
+
+type testCase struct {
+	node     core.Node
+	expected xds.DataplaneMetadata
+}
+
+var _ = DescribeTable("DataplaneMetadataFromNode",
+	func(given testCase) {
+		// when
+		metadata := xds.DataplaneMetadataFromNode(&given.node)
+
+		// then
+		Expect(*metadata).To(Equal(given.expected))
+	},
+	Entry("should parse metadata from empty node", testCase{
+		node:     core.Node{},
+		expected: xds.DataplaneMetadata{},
+	}),
+	Entry("should parse metadata", testCase{
+		node: core.Node{
+			Metadata: &types.Struct{
+				Fields: map[string]*types.Value{
+					"dataplaneTokenPath": &types.Value{
+						Kind: &types.Value_StringValue{
+							StringValue: "/tmp/token",
+						},
+					},
+				},
+			},
+		},
+		expected: xds.DataplaneMetadata{
+			DataplaneTokenPath: "/tmp/token",
+		},
+	}),
+)

pkg/core/xds/types.go

@@ -31,6 +31,7 @@ type Proxy struct {
 	TrafficPermissions permissions.MatchedPermissions
 	Logs               *logs.MatchedLogs
 	OutboundTargets    map[string][]net.SRV
+	Metadata           *DataplaneMetadata
 }
 
 func BuildProxyId(mesh, name string, more ...string) (*ProxyId, error) {

pkg/util/files/files.go

@@ -0,0 +1,16 @@
+package files
+
+import "os"
+
+func FileExists(path string) bool {
+	_, err := os.Stat(path)
+	return err == nil
+}
+
+func FileEmpty(path string) (bool, error) {
+	file, err := os.Stat(path)
+	if err != nil {
+		return true, err
+	}
+	return file.Size() == 0, nil
+}

pkg/xds/bootstrap/generator.go

@@ -67,6 +67,7 @@ func (b *bootstrapGenerator) GenerateFor(proxyId xds.ProxyId, dataplane *mesh.Da
 		XdsPort:            b.config.XdsPort,
 		XdsConnectTimeout:  b.config.XdsConnectTimeout,
 		AccessLogPipe:      accessLogPipe,
+		DataplaneTokenPath: request.DataplaneTokenPath,
 	}
 	log.WithValues("params", params).Info("Generating bootstrap config")
 	return b.ConfigForParameters(params)