cache/server: implement sds (#77)

Implements SecretDiscoveryService

Fixes #76

Signed-off-by: Snow Pettersen <[email protected]>

Author: snowp

cache/src/main/java/io/envoyproxy/controlplane/cache/Resources.java

@@ -17,6 +17,7 @@
 import envoy.api.v2.Eds.ClusterLoadAssignment;
 import envoy.api.v2.Lds.Listener;
 import envoy.api.v2.Rds.RouteConfiguration;
+import envoy.api.v2.auth.Cert.Secret;
 import envoy.api.v2.listener.Listener.Filter;
 import envoy.api.v2.listener.Listener.FilterChain;
 import envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManagerOuterClass.HttpConnectionManager;
@@ -40,18 +41,21 @@ public class Resources {
   public static final String ENDPOINT_TYPE_URL = TYPE_URL_PREFIX + "ClusterLoadAssignment";
   public static final String LISTENER_TYPE_URL = TYPE_URL_PREFIX + "Listener";
   public static final String ROUTE_TYPE_URL = TYPE_URL_PREFIX + "RouteConfiguration";
+  public static final String SECRET_TYPE_URL = TYPE_URL_PREFIX + "auth.Secret";
 
   public static final List<String> TYPE_URLS = ImmutableList.of(
       CLUSTER_TYPE_URL,
       ENDPOINT_TYPE_URL,
       LISTENER_TYPE_URL,
-      ROUTE_TYPE_URL);
+      ROUTE_TYPE_URL,
+      SECRET_TYPE_URL);
 
   public static final Map<String, Class<? extends Message>> RESOURCE_TYPE_BY_URL = ImmutableMap.of(
       CLUSTER_TYPE_URL, Cluster.class,
       ENDPOINT_TYPE_URL, ClusterLoadAssignment.class,
       LISTENER_TYPE_URL, Listener.class,
-      ROUTE_TYPE_URL, RouteConfiguration.class
+      ROUTE_TYPE_URL, RouteConfiguration.class,
+      SECRET_TYPE_URL, Secret.class
       );
 
   /**
@@ -76,6 +80,10 @@ public static String getResourceName(Message resource) {
       return ((RouteConfiguration) resource).getName();
     }
 
+    if (resource instanceof Secret) {
+      return ((Secret) resource).getName();
+    }
+
     return "";
   }
 

cache/src/main/java/io/envoyproxy/controlplane/cache/Snapshot.java

@@ -4,6 +4,7 @@
 import static io.envoyproxy.controlplane.cache.Resources.ENDPOINT_TYPE_URL;
 import static io.envoyproxy.controlplane.cache.Resources.LISTENER_TYPE_URL;
 import static io.envoyproxy.controlplane.cache.Resources.ROUTE_TYPE_URL;
+import static io.envoyproxy.controlplane.cache.Resources.SECRET_TYPE_URL;
 
 import com.google.auto.value.AutoValue;
 import com.google.common.base.Strings;
@@ -13,6 +14,7 @@
 import envoy.api.v2.Eds.ClusterLoadAssignment;
 import envoy.api.v2.Lds.Listener;
 import envoy.api.v2.Rds.RouteConfiguration;
+import envoy.api.v2.auth.Cert.Secret;
 import java.util.Map;
 import java.util.Set;
 
@@ -37,13 +39,15 @@ public static Snapshot create(
       Iterable<ClusterLoadAssignment> endpoints,
       Iterable<Listener> listeners,
       Iterable<RouteConfiguration> routes,
+      Iterable<Secret> secrets,
       String version) {
 
     return new AutoValue_Snapshot(
         SnapshotResources.create(clusters, version),
         SnapshotResources.create(endpoints, version),
         SnapshotResources.create(listeners, version),
-        SnapshotResources.create(routes, version));
+        SnapshotResources.create(routes, version),
+        SnapshotResources.create(secrets, version));
   }
 
   /**
@@ -66,13 +70,17 @@ public static Snapshot create(
       Iterable<Listener> listeners,
       String listenersVersion,
       Iterable<RouteConfiguration> routes,
-      String routesVersion) {
+      String routesVersion,
+      Iterable<Secret> secrets,
+      String secretsVersion) {
 
+    // TODO(snowp): add a builder alternative
     return new AutoValue_Snapshot(
         SnapshotResources.create(clusters, clustersVersion),
         SnapshotResources.create(endpoints, endpointsVersion),
         SnapshotResources.create(listeners, listenersVersion),
-        SnapshotResources.create(routes, routesVersion));
+        SnapshotResources.create(routes, routesVersion),
+        SnapshotResources.create(secrets, secretsVersion));
   }
 
   /**
@@ -95,6 +103,11 @@ public static Snapshot create(
    */
   public abstract SnapshotResources<RouteConfiguration> routes();
 
+  /**
+   * Returns all secret items in the SDS payload.
+   */
+  public abstract SnapshotResources<Secret> secrets();
+
   /**
    * Asserts that all dependent resources are included in the snapshot. All EDS resources are listed by name in CDS
    * resources, and all RDS resources are listed by name in LDS resources.
@@ -133,6 +146,8 @@ public void ensureConsistent() throws SnapshotConsistencyException {
         return listeners().resources();
       case ROUTE_TYPE_URL:
         return routes().resources();
+      case SECRET_TYPE_URL:
+        return secrets().resources();
       default:
         return ImmutableMap.of();
     }
@@ -157,6 +172,8 @@ public String version(String typeUrl) {
         return listeners().version();
       case ROUTE_TYPE_URL:
         return routes().version();
+      case SECRET_TYPE_URL:
+        return secrets().version();
       default:
         return "";
     }

cache/src/main/java/io/envoyproxy/controlplane/cache/TestResources.java

@@ -12,9 +12,12 @@
 import envoy.api.v2.Eds.ClusterLoadAssignment;
 import envoy.api.v2.Lds.Listener;
 import envoy.api.v2.Rds.RouteConfiguration;
+import envoy.api.v2.auth.Cert;
+import envoy.api.v2.auth.Cert.TlsCertificate;
 import envoy.api.v2.core.AddressOuterClass.Address;
 import envoy.api.v2.core.AddressOuterClass.SocketAddress;
 import envoy.api.v2.core.AddressOuterClass.SocketAddress.Protocol;
+import envoy.api.v2.core.Base.DataSource;
 import envoy.api.v2.core.ConfigSourceOuterClass.AggregatedConfigSource;
 import envoy.api.v2.core.ConfigSourceOuterClass.ApiConfigSource;
 import envoy.api.v2.core.ConfigSourceOuterClass.ApiConfigSource.ApiType;
@@ -171,6 +174,20 @@ public static RouteConfiguration createRoute(String routeName, String clusterNam
         .build();
   }
 
+  /**
+   * Returns a new test secret.
+   *
+   * @param secretName name of the new secret
+   */
+  public static Cert.Secret createSecret(String secretName) {
+    return Cert.Secret.newBuilder()
+        .setName(secretName)
+        .setTlsCertificate(TlsCertificate.newBuilder()
+            .setPrivateKey(DataSource.newBuilder()
+                .setInlineString("secret!")))
+        .build();
+  }
+
   private static Struct messageAsStruct(MessageOrBuilder message) {
     try {
       String json = JsonFormat.printer()

cache/src/test/java/io/envoyproxy/controlplane/cache/SimpleCacheTest.java

@@ -9,6 +9,7 @@
 import envoy.api.v2.Eds.ClusterLoadAssignment;
 import envoy.api.v2.Lds.Listener;
 import envoy.api.v2.Rds.RouteConfiguration;
+import envoy.api.v2.auth.Cert.Secret;
 import envoy.api.v2.core.Base.Node;
 import java.util.Collections;
 import java.util.LinkedList;
@@ -26,6 +27,7 @@ public class SimpleCacheTest {
   private static final String SECONDARY_CLUSTER_NAME = "cluster1";
   private static final String LISTENER_NAME = "listener0";
   private static final String ROUTE_NAME = "route0";
+  private static final String SECRET_NAME = "secret0";
 
   private static final String VERSION1 = UUID.randomUUID().toString();
   private static final String VERSION2 = UUID.randomUUID().toString();
@@ -35,13 +37,15 @@ public class SimpleCacheTest {
       ImmutableList.of(ClusterLoadAssignment.getDefaultInstance()),
       ImmutableList.of(Listener.newBuilder().setName(LISTENER_NAME).build()),
       ImmutableList.of(RouteConfiguration.newBuilder().setName(ROUTE_NAME).build()),
+      ImmutableList.of(Secret.newBuilder().setName(ROUTE_NAME).build()),
       VERSION1);
 
   private static final Snapshot SNAPSHOT2 = Snapshot.create(
       ImmutableList.of(Cluster.newBuilder().setName(CLUSTER_NAME).build()),
       ImmutableList.of(ClusterLoadAssignment.getDefaultInstance()),
       ImmutableList.of(Listener.newBuilder().setName(LISTENER_NAME).build()),
       ImmutableList.of(RouteConfiguration.newBuilder().setName(ROUTE_NAME).build()),
+      ImmutableList.of(Secret.newBuilder().setName(ROUTE_NAME).build()),
       VERSION2);
 
   private static final Snapshot MULTIPLE_RESOURCES_SNAPSHOT2 = Snapshot.create(
@@ -51,6 +55,7 @@ public class SimpleCacheTest {
           ClusterLoadAssignment.newBuilder().setClusterName(SECONDARY_CLUSTER_NAME).build()),
       ImmutableList.of(Listener.newBuilder().setName(LISTENER_NAME).build()),
       ImmutableList.of(RouteConfiguration.newBuilder().setName(ROUTE_NAME).build()),
+      ImmutableList.of(Secret.newBuilder().setName(ROUTE_NAME).build()),
       VERSION2);
 
   @Test

cache/src/test/java/io/envoyproxy/controlplane/cache/SnapshotTest.java

@@ -14,6 +14,7 @@
 import envoy.api.v2.Eds.ClusterLoadAssignment;
 import envoy.api.v2.Lds.Listener;
 import envoy.api.v2.Rds.RouteConfiguration;
+import envoy.api.v2.auth.Cert.Secret;
 import java.util.Map;
 import java.util.UUID;
 import java.util.concurrent.ThreadLocalRandom;
@@ -25,6 +26,7 @@ public class SnapshotTest {
   private static final String CLUSTER_NAME = "cluster0";
   private static final String LISTENER_NAME = "listener0";
   private static final String ROUTE_NAME = "route0";
+  private static final String SECRET_NAME = "secret0";
 
   private static final int ENDPOINT_PORT = ThreadLocalRandom.current().nextInt(10000, 20000);
   private static final int LISTENER_PORT = ThreadLocalRandom.current().nextInt(20000, 30000);
@@ -33,6 +35,7 @@ public class SnapshotTest {
   private static final ClusterLoadAssignment ENDPOINT = TestResources.createEndpoint(CLUSTER_NAME, ENDPOINT_PORT);
   private static final Listener LISTENER = TestResources.createListener(ADS, LISTENER_NAME, LISTENER_PORT, ROUTE_NAME);
   private static final RouteConfiguration ROUTE = TestResources.createRoute(ROUTE_NAME, CLUSTER_NAME);
+  private static final Secret SECRET = TestResources.createSecret(SECRET_NAME);
 
   @Test
   public void createSingleVersionSetsResourcesCorrectly() {
@@ -43,6 +46,7 @@ public void createSingleVersionSetsResourcesCorrectly() {
         ImmutableList.of(ENDPOINT),
         ImmutableList.of(LISTENER),
         ImmutableList.of(ROUTE),
+        ImmutableList.of(SECRET),
         version);
 
     assertThat(snapshot.clusters().resources())
@@ -73,12 +77,15 @@ public void createSeparateVersionsSetsResourcesCorrectly() {
     final String endpointsVersion = UUID.randomUUID().toString();
     final String listenersVersion = UUID.randomUUID().toString();
     final String routesVersion = UUID.randomUUID().toString();
+    final String secretsVersion = UUID.randomUUID().toString();
 
     Snapshot snapshot = Snapshot.create(
         ImmutableList.of(CLUSTER), clustersVersion,
         ImmutableList.of(ENDPOINT), endpointsVersion,
         ImmutableList.of(LISTENER), listenersVersion,
-        ImmutableList.of(ROUTE), routesVersion);
+        ImmutableList.of(ROUTE), routesVersion,
+        ImmutableList.of(SECRET), secretsVersion
+        );
 
     assertThat(snapshot.clusters().resources())
         .containsEntry(CLUSTER_NAME, CLUSTER)
@@ -110,6 +117,7 @@ public void resourcesReturnsExpectedResources() {
         ImmutableList.of(ENDPOINT),
         ImmutableList.of(LISTENER),
         ImmutableList.of(ROUTE),
+        ImmutableList.of(SECRET),
         UUID.randomUUID().toString());
 
     // We have to do some lame casting to appease java's compiler, otherwise it fails to compile due to limitations with
@@ -145,6 +153,7 @@ public void versionReturnsExpectedVersion() {
         ImmutableList.of(ENDPOINT),
         ImmutableList.of(LISTENER),
         ImmutableList.of(ROUTE),
+        ImmutableList.of(SECRET),
         version);
 
     assertThat(snapshot.version(CLUSTER_TYPE_URL)).isEqualTo(version);
@@ -164,6 +173,7 @@ public void ensureConsistentReturnsWithoutExceptionForConsistentSnapshot() throw
         ImmutableList.of(ENDPOINT),
         ImmutableList.of(LISTENER),
         ImmutableList.of(ROUTE),
+        ImmutableList.of(SECRET),
         UUID.randomUUID().toString());
 
     snapshot.ensureConsistent();
@@ -176,6 +186,7 @@ public void ensureConsistentThrowsIfEndpointOrRouteRefCountMismatch() {
         ImmutableList.of(),
         ImmutableList.of(LISTENER),
         ImmutableList.of(ROUTE),
+        ImmutableList.of(SECRET),
         UUID.randomUUID().toString());
 
     assertThatThrownBy(snapshot1::ensureConsistent)
@@ -191,6 +202,7 @@ public void ensureConsistentThrowsIfEndpointOrRouteRefCountMismatch() {
         ImmutableList.of(ENDPOINT),
         ImmutableList.of(LISTENER),
         ImmutableList.of(),
+        ImmutableList.of(SECRET),
         UUID.randomUUID().toString());
 
     assertThatThrownBy(snapshot2::ensureConsistent)
@@ -212,6 +224,7 @@ public void ensureConsistentThrowsIfEndpointOrRouteNamesMismatch() {
         ImmutableList.of(TestResources.createEndpoint(otherClusterName, ENDPOINT_PORT)),
         ImmutableList.of(LISTENER),
         ImmutableList.of(ROUTE),
+        ImmutableList.of(SECRET),
         UUID.randomUUID().toString());
 
     assertThatThrownBy(snapshot1::ensureConsistent)
@@ -228,6 +241,7 @@ public void ensureConsistentThrowsIfEndpointOrRouteNamesMismatch() {
         ImmutableList.of(ENDPOINT),
         ImmutableList.of(LISTENER),
         ImmutableList.of(TestResources.createRoute(otherRouteName, CLUSTER_NAME)),
+        ImmutableList.of(SECRET),
         UUID.randomUUID().toString());
 
     assertThatThrownBy(snapshot2::ensureConsistent)

server/src/main/java/io/envoyproxy/controlplane/server/DiscoveryServer.java

@@ -10,6 +10,7 @@
 import envoy.api.v2.ListenerDiscoveryServiceGrpc.ListenerDiscoveryServiceImplBase;
 import envoy.api.v2.RouteDiscoveryServiceGrpc.RouteDiscoveryServiceImplBase;
 import envoy.service.discovery.v2.AggregatedDiscoveryServiceGrpc.AggregatedDiscoveryServiceImplBase;
+import envoy.service.discovery.v2.SecretDiscoveryServiceGrpc;
 import io.envoyproxy.controlplane.cache.ConfigWatcher;
 import io.envoyproxy.controlplane.cache.Resources;
 import io.envoyproxy.controlplane.cache.Response;
@@ -115,6 +116,18 @@ public StreamObserver<DiscoveryRequest> streamRoutes(
     };
   }
 
+  /**
+   * Returns a SDS implementation that uses this server's {@link ConfigWatcher}.
+   */
+  public SecretDiscoveryServiceGrpc.SecretDiscoveryServiceImplBase getSecretDiscoveryServiceImpl() {
+    return new SecretDiscoveryServiceGrpc.SecretDiscoveryServiceImplBase() {
+      @Override public StreamObserver<DiscoveryRequest> streamSecrets(
+          StreamObserver<DiscoveryResponse> responseObserver) {
+        return createRequestHandler(responseObserver, false, Resources.SECRET_TYPE_URL);
+      }
+    };
+  }
+
   private StreamObserver<DiscoveryRequest> createRequestHandler(
       StreamObserver<DiscoveryResponse> responseObserver,
       boolean ads,