chore(*) ExternalServices add CA and Client certificate support

api/mesh/v1alpha1/externalservice.proto

@@ -6,6 +6,8 @@ option go_package = "v1alpha1";
 
 import "validate/validate.proto";
 
+import "system/v1alpha1/datasource.proto";
+
 // ExternalService defines configuration of the externaly accessible service
 message ExternalService {
 
@@ -18,6 +20,15 @@ message ExternalService {
     message TLS {
       // denotes that the external service uses TLS
       bool enabled = 1;
+
+      // Data source for the certificate of CA
+      kuma.system.v1alpha1.DataSource ca_cert = 2;
+
+      // Data source for the authentication
+      kuma.system.v1alpha1.DataSource client_cert = 3;
+
+      // Data source for the authentication
+      kuma.system.v1alpha1.DataSource client_key = 4;
     }
 
     TLS tls = 2;
@@ -27,5 +38,5 @@ message ExternalService {
 
   // Tags associated with the external service,
   // e.g. kuma.io/service=web, kuma.io/protocol, version=1.0.
-  map<string, string> tags = 3 [ (validate.rules).map.min_pairs = 1 ];
+  map<string, string> tags = 2 [ (validate.rules).map.min_pairs = 1 ];
 }

go.sum

@@ -106,8 +106,10 @@ github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/
 github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c=
 github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4 h1:Hs82Z41s6SdL1CELW+XaDYmOH4hkBN4/N9og/AsOv7E=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 h1:MzBOUgng9orim59UnfUTLRjMpd09C5uEVQ6RPGeCaVI=
 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129/go.mod h1:rFgpPQZYZ8vdbc+48xibu8ALc3yeyd64IhHS+PU6Yyg=
@@ -1202,6 +1204,7 @@ google.golang.org/grpc v1.30.0 h1:M5a8xTlYTxwMn5ZFkwhRabsygDY5G8TYLyQDBxJNAxE=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0/go.mod h1:OdE7CF6DbADk7lN8LIKRzRJTTZXIjtWgA5THM5lhBAw=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

pkg/core/runtime/builder.go

@@ -200,6 +200,7 @@ func (b *Builder) Build() (Runtime, error) {
 			ss:       b.ss,
 			cam:      b.cam,
 			xds:      b.xds,
+			dsl:      b.dsl,
 			ext:      b.ext,
 			dns:      b.dns,
 			configm:  b.configm,

pkg/core/runtime/runtime.go

@@ -3,6 +3,8 @@ package runtime
 import (
 	"context"
 
+	"github.com/kumahq/kuma/pkg/core/datasource"
+
 	"github.com/kumahq/kuma/pkg/core/dns/lookup"
 	"github.com/kumahq/kuma/pkg/core/secrets/store"
 	"github.com/kumahq/kuma/pkg/metrics"
@@ -36,6 +38,7 @@ type RuntimeInfo interface {
 type RuntimeContext interface {
 	Config() kuma_cp.Config
 	XDS() core_xds.XdsContext
+	DataSourceLoader() datasource.Loader
 	ResourceManager() core_manager.ResourceManager
 	ResourceStore() core_store.ResourceStore
 	ReadOnlyResourceManager() core_manager.ReadOnlyResourceManager
@@ -88,6 +91,7 @@ type runtimeContext struct {
 	rom      core_manager.ReadOnlyResourceManager
 	cam      ca.Managers
 	xds      core_xds.XdsContext
+	dsl      datasource.Loader
 	ext      context.Context
 	dns      dns.DNSResolver
 	configm  config_manager.ConfigManager
@@ -109,6 +113,9 @@ func (rc *runtimeContext) Config() kuma_cp.Config {
 func (rc *runtimeContext) XDS() core_xds.XdsContext {
 	return rc.xds
 }
+func (rc *runtimeContext) DataSourceLoader() datasource.Loader {
+	return rc.dsl
+}
 func (rc *runtimeContext) ResourceManager() core_manager.ResourceManager {
 	return rc.rm
 }

pkg/core/xds/types.go

@@ -44,6 +44,9 @@ type DestinationMap map[ServiceName]TagSelectorSet
 
 type ExternalService struct {
 	TLSEnabled bool
+	CaCert     []byte
+	ClientCert []byte
+	ClientKey  []byte
 }
 
 // Endpoint holds routing-related information about a single endpoint.

pkg/xds/cache/cla/cache.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/kumahq/kuma/pkg/core/datasource"
+
 	"github.com/prometheus/client_golang/prometheus"
 
 	"github.com/kumahq/kuma/pkg/metrics"
@@ -32,6 +34,7 @@ var (
 type Cache struct {
 	cache   *cache.Cache
 	rm      manager.ReadOnlyResourceManager
+	dsl     datasource.Loader
 	ipFunc  lookup.LookupIPFunc
 	zone    string
 	onceMap *once.Map
@@ -40,6 +43,7 @@ type Cache struct {
 
 func NewCache(
 	rm manager.ReadOnlyResourceManager,
+	dsl datasource.Loader,
 	zone string, expirationTime time.Duration,
 	ipFunc lookup.LookupIPFunc,
 	metrics metrics.Metrics,
@@ -54,6 +58,7 @@ func NewCache(
 	return &Cache{
 		cache:   cache.New(expirationTime, time.Duration(int64(float64(expirationTime)*0.9))),
 		rm:      rm,
+		dsl:     dsl,
 		zone:    zone,
 		ipFunc:  ipFunc,
 		onceMap: once.NewMap(),
@@ -85,7 +90,7 @@ func (c *Cache) GetCLA(ctx context.Context, meshName, service string) (*envoy_ap
 		if err := c.rm.List(ctx, externalServices, core_store.ListByMesh(meshName)); err != nil {
 			return nil, err
 		}
-		endpointMap := topology.BuildEndpointMap(dataplanes.Items, c.zone, mesh, externalServices.Items)
+		endpointMap := topology.BuildEndpointMap(mesh, c.zone, dataplanes.Items, externalServices.Items, c.dsl)
 		cla := endpoints.CreateClusterLoadAssignment(service, endpointMap[service])
 		c.cache.SetDefault(key, cla)
 		c.onceMap.Delete(key)

pkg/xds/cache/cla/cache_test.go

@@ -9,6 +9,11 @@ import (
 	"sync"
 	"time"
 
+	"github.com/kumahq/kuma/pkg/core/datasource"
+	"github.com/kumahq/kuma/pkg/core/secrets/cipher"
+	secret_manager "github.com/kumahq/kuma/pkg/core/secrets/manager"
+	secret_store "github.com/kumahq/kuma/pkg/core/secrets/store"
+
 	core_metrics "github.com/kumahq/kuma/pkg/metrics"
 	test_metrics "github.com/kumahq/kuma/pkg/test/metrics"
 
@@ -51,16 +56,21 @@ var _ = Describe("ClusterLoadAssignment Cache", func() {
 	expiration := 500 * time.Millisecond
 
 	BeforeEach(func() {
+		dataSourceLoader := datasource.NewDataSourceLoader(
+			secret_manager.NewSecretManager(
+				secret_store.NewSecretStore(memory.NewStore()), cipher.None(), nil))
+
 		s = memory.NewStore()
 		countingManager = &countingResourcesManager{store: s}
 		var err error
 
 		metrics, err = core_metrics.NewMetrics("Standalone")
 		Expect(err).ToNot(HaveOccurred())
 
-		claCache, err = cla.NewCache(countingManager, "", expiration, func(s string) ([]net.IP, error) {
-			return []net.IP{net.ParseIP(s)}, nil
-		}, metrics)
+		claCache, err = cla.NewCache(countingManager, dataSourceLoader, "", expiration,
+			func(s string) ([]net.IP, error) {
+				return []net.IP{net.ParseIP(s)}, nil
+			}, metrics)
 		Expect(err).ToNot(HaveOccurred())
 	})
 

pkg/xds/envoy/clusters/client_side_tls_configurer.go

@@ -26,14 +26,17 @@ type clientSideTLSConfigurer struct {
 func (c *clientSideTLSConfigurer) Configure(cluster *envoy_api.Cluster) error {
 	for _, ep := range c.endpoints {
 		if ep.ExternalService.TLSEnabled {
-			tlsContext, err := envoy.CreateUpstreamTlsContextNoMetadata(ep.Target)
+			ca, cert, key := externalServiceTlsCerts(ep.ExternalService)
+			tlsContext, err := envoy.CreateUpstreamTlsContextNoMetadata(ca, cert, key, ep.Target)
 			if err != nil {
 				return err
 			}
+
 			pbst, err := proto.MarshalAnyDeterministic(tlsContext)
 			if err != nil {
 				return err
 			}
+
 			transportSocket := &envoy_core.TransportSocket{
 				Name: envoy_wellknown.TransportSocketTls,
 				ConfigType: &envoy_core.TransportSocket_TypedConfig{
@@ -53,3 +56,28 @@ func (c *clientSideTLSConfigurer) Configure(cluster *envoy_api.Cluster) error {
 
 	return nil
 }
+
+func externalServiceTlsCerts(es *xds.ExternalService) (ca, cert, key *envoy_core.DataSource) {
+	if es.CaCert != nil {
+		ca = &envoy_core.DataSource{
+			Specifier: &envoy_core.DataSource_InlineBytes{
+				InlineBytes: es.CaCert,
+			},
+		}
+	}
+	if es.ClientCert != nil {
+		cert = &envoy_core.DataSource{
+			Specifier: &envoy_core.DataSource_InlineBytes{
+				InlineBytes: es.ClientCert,
+			},
+		}
+	}
+	if es.ClientKey != nil {
+		key = &envoy_core.DataSource{
+			Specifier: &envoy_core.DataSource_InlineBytes{
+				InlineBytes: es.ClientKey,
+			},
+		}
+	}
+	return
+}