chore(*) ExternalServices add CA and Client certificate support

go.sum

@@ -106,10 +106,8 @@ github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/
 github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c=
 github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4 h1:Hs82Z41s6SdL1CELW+XaDYmOH4hkBN4/N9og/AsOv7E=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 h1:MzBOUgng9orim59UnfUTLRjMpd09C5uEVQ6RPGeCaVI=
 github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129/go.mod h1:rFgpPQZYZ8vdbc+48xibu8ALc3yeyd64IhHS+PU6Yyg=
@@ -1204,7 +1202,6 @@ google.golang.org/grpc v1.30.0 h1:M5a8xTlYTxwMn5ZFkwhRabsygDY5G8TYLyQDBxJNAxE=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0/go.mod h1:OdE7CF6DbADk7lN8LIKRzRJTTZXIjtWgA5THM5lhBAw=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

pkg/core/bootstrap/bootstrap.go

@@ -70,7 +70,7 @@ func buildRuntime(cfg kuma_cp.Config) (core_runtime.Runtime, error) {
 		return nil, err
 	}
 
-	builder.WithDataSourceLoader(datasource.NewDataSourceLoader(builder.ResourceManager()))
+	builder.WithDataSourceLoader(datasource.NewDataSourceLoader(builder.ReadOnlyResourceManager()))
 
 	if err := initializeCaManagers(builder); err != nil {
 		return nil, err

pkg/core/datasource/loader.go

@@ -18,12 +18,12 @@ type Loader interface {
 }
 
 type loader struct {
-	secretManager manager.ResourceManager
+	secretManager manager.ReadOnlyResourceManager
 }
 
 var _ Loader = &loader{}
 
-func NewDataSourceLoader(secretManager manager.ResourceManager) Loader {
+func NewDataSourceLoader(secretManager manager.ReadOnlyResourceManager) Loader {
 	return &loader{
 		secretManager: secretManager,
 	}

pkg/xds/envoy/clusters/client_side_tls_configurer.go

@@ -27,7 +27,7 @@ func (c *clientSideTLSConfigurer) Configure(cluster *envoy_api.Cluster) error {
 	for _, ep := range c.endpoints {
 		if ep.ExternalService.TLSEnabled {
 			ca, cert, key := externalServiceTlsCerts(ep.ExternalService)
-			tlsContext, err := envoy.CreateUpstreamTlsContextNoMetadata(ca, cert, key, ep.Target)
+			tlsContext, err := envoy.UpstreamTlsContextOutsideMesh(ca, cert, key, ep.Target)
 			if err != nil {
 				return err
 			}

pkg/xds/envoy/clusters/client_side_tls_configurer_test.go

@@ -61,7 +61,10 @@ var _ = Describe("ClientSideTLSConfigurer", func() {
             name: envoy.transport_sockets.tls
             typedConfig:
               '@type': type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext
-              sni: httpbin.org
+              commonTlsContext:
+                validationContext:
+                  matchSubjectAltNames:
+                  - exact: httpbin.org
         type: EDS
 `}),
 	)

pkg/xds/envoy/tls.go

@@ -183,12 +183,19 @@ func ServiceSpiffeIDMatcher(mesh string, service string) *envoy_type_matcher.Str
 	}
 }
 
-func CreateUpstreamTlsContextNoMetadata(ca, cert, key *envoy_core.DataSource, sni string) (*envoy_auth.UpstreamTlsContext, error) {
+func UpstreamTlsContextOutsideMesh(ca, cert, key *envoy_core.DataSource, hostname string) (*envoy_auth.UpstreamTlsContext, error) {
 	var validationContextType *envoy_auth.CommonTlsContext_ValidationContext
-	if ca != nil {
+	if ca != nil || len(hostname) > 0 {
 		validationContextType = &envoy_auth.CommonTlsContext_ValidationContext{
 			ValidationContext: &envoy_auth.CertificateValidationContext{
 				TrustedCa: ca,
+				MatchSubjectAltNames: []*envoy_type_matcher.StringMatcher{
+					{
+						MatchPattern: &envoy_type_matcher.StringMatcher_Exact{
+							Exact: hostname,
+						},
+					},
+				},
 			},
 		}
 	}
@@ -210,8 +217,8 @@ func CreateUpstreamTlsContextNoMetadata(ca, cert, key *envoy_core.DataSource, sn
 			ValidationContextType: validationContextType,
 		}
 	}
+
 	return &envoy_auth.UpstreamTlsContext{
 		CommonTlsContext: commonTlsContext,
-		Sni:              sni,
 	}, nil
 }

pkg/xds/topology/outbound.go

@@ -3,8 +3,9 @@ package topology
 import (
 	"context"
 
+	"github.com/kumahq/kuma/pkg/core"
+
 	"github.com/pkg/errors"
-	"github.com/prometheus/common/log"
 
 	mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1"
 	"github.com/kumahq/kuma/pkg/core/datasource"
@@ -58,7 +59,7 @@ func BuildEndpointMap(
 
 		externalServiceEndpoint, err := buildExternalServiceEndpoint(externalService, mesh.Meta.GetMesh(), loader)
 		if err != nil {
-			log.Info("Unable to create ExternalService endpoint", err)
+			core.Log.Error(err, "unable to create ExternalService endpoint. Endpoint won't be included in the XDS.", "name", externalService.Meta.GetName(), "mesh", externalService.Meta.GetMesh())
 			continue
 		}
 		outbound[service] = append(outbound[service], *externalServiceEndpoint)