Only allow local xds bind address

Author: jshahriddhi

pkg/consuldp/bootstrap.go

@@ -68,14 +68,12 @@ func (cdp *ConsulDataplane) bootstrapConfig(ctx context.Context) ([]byte, error)
 		Datacenter:            rsp.Datacenter,
 	}
 
-	if cdp.localXDSServer != nil && cdp.localXDSServer.enabled {
-		if cdp.localXDSServer.listenerNetwork == "unix" {
-			args.GRPC.AgentSocket = cdp.localXDSServer.listenerAddress
-		} else {
-			xdsServerFullAddr := strings.Split(cdp.localXDSServer.listenerAddress, ":")
-			args.GRPC.AgentAddress = xdsServerFullAddr[0]
-			args.GRPC.AgentPort = xdsServerFullAddr[1]
-		}
+	if cdp.xdsServer.listenerNetwork == "unix" {
+		args.GRPC.AgentSocket = cdp.xdsServer.listenerAddress
+	} else {
+		xdsServerFullAddr := strings.Split(cdp.xdsServer.listenerAddress, ":")
+		args.GRPC.AgentAddress = xdsServerFullAddr[0]
+		args.GRPC.AgentPort = xdsServerFullAddr[1]
 	}
 
 	var bootstrapConfig bootstrap.BootstrapConfig

pkg/consuldp/bootstrap_test.go

@@ -56,7 +56,7 @@ func TestBootstrapConfig(t *testing.T) {
 				Telemetry: &TelemetryConfig{
 					UseCentralConfig: false,
 				},
-				XDSServer: &XDSServer{BindAddress: "1.2.3.4", BindPort: xdsBindPort},
+				XDSServer: &XDSServer{BindAddress: "127.0.0.1", BindPort: xdsBindPort},
 			},
 			&pbdataplane.GetEnvoyBootstrapParamsResponse{
 				Service:  "web",
@@ -82,7 +82,7 @@ func TestBootstrapConfig(t *testing.T) {
 				Telemetry: &TelemetryConfig{
 					UseCentralConfig: true,
 				},
-				XDSServer: &XDSServer{BindAddress: "1.2.3.4", BindPort: xdsBindPort},
+				XDSServer: &XDSServer{BindAddress: "127.0.0.1", BindPort: xdsBindPort},
 			},
 			&pbdataplane.GetEnvoyBootstrapParamsResponse{
 				Service:  "web",
@@ -110,40 +110,14 @@ func TestBootstrapConfig(t *testing.T) {
 				Telemetry: &TelemetryConfig{
 					UseCentralConfig: false,
 				},
-				XDSServer: &XDSServer{BindAddress: "1.2.3.4", BindPort: xdsBindPort},
-			},
-			&pbdataplane.GetEnvoyBootstrapParamsResponse{
-				Service:  "web",
-				NodeName: nodeName,
-			},
-		},
-		"local-xds-server": {
-			&Config{
-				Consul: &ConsulConfig{
-					GRPCPort: 1234,
-				},
-				Service: &ServiceConfig{
-					ServiceID: "web-proxy",
-					NodeName:  nodeName,
-				},
-				Envoy: &EnvoyConfig{
-					AdminBindAddress: "127.0.0.1",
-					AdminBindPort:    19000,
-				},
-				Telemetry: &TelemetryConfig{
-					UseCentralConfig: false,
-				},
 				XDSServer: &XDSServer{BindAddress: "127.0.0.1", BindPort: xdsBindPort},
 			},
 			&pbdataplane.GetEnvoyBootstrapParamsResponse{
 				Service:  "web",
 				NodeName: nodeName,
-				Config: makeStruct(map[string]any{
-					"envoy_dogstatsd_url": "this-should-not-appear-in-generated-config",
-				}),
 			},
 		},
-		"local-unix-socket-xds-server": {
+		"unix-socket-xds-server": {
 			&Config{
 				Consul: &ConsulConfig{
 					GRPCPort: 1234,
@@ -188,12 +162,10 @@ func TestBootstrapConfig(t *testing.T) {
 				dpServiceClient: client,
 			}
 
-			if checkLocalXDSServer(tc.cfg.XDSServer.BindAddress) {
-				if strings.HasPrefix(tc.cfg.XDSServer.BindAddress, "unix://") {
-					dp.localXDSServer = &localXDSServer{enabled: true, listenerAddress: socketPath, listenerNetwork: "unix"}
-				} else {
-					dp.localXDSServer = &localXDSServer{enabled: true, listenerAddress: fmt.Sprintf("127.0.0.1:%d", xdsBindPort)}
-				}
+			if strings.HasPrefix(tc.cfg.XDSServer.BindAddress, "unix://") {
+				dp.xdsServer = &xdsServer{listenerAddress: socketPath, listenerNetwork: "unix"}
+			} else {
+				dp.xdsServer = &xdsServer{listenerAddress: fmt.Sprintf("127.0.0.1:%d", xdsBindPort)}
 			}
 
 			bsCfg, err := dp.bootstrapConfig(ctx)

pkg/consuldp/consul_dataplane.go

@@ -30,8 +30,7 @@ type consulServer struct {
 	grpcClientConn *grpc.ClientConn
 }
 
-type localXDSServer struct {
-	enabled         bool
+type xdsServer struct {
 	listener        net.Listener
 	listenerAddress string
 	listenerNetwork string
@@ -45,7 +44,7 @@ type ConsulDataplane struct {
 	cfg             *Config
 	consulServer    *consulServer
 	dpServiceClient pbdataplane.DataplaneServiceClient
-	localXDSServer  *localXDSServer
+	xdsServer       *xdsServer
 }
 
 // NewConsulDP creates a new instance of ConsulDataplane
@@ -65,9 +64,8 @@ func NewConsulDP(cfg *Config) (*ConsulDataplane, error) {
 	})
 
 	return &ConsulDataplane{
-		logger:         logger,
-		cfg:            cfg,
-		localXDSServer: &localXDSServer{enabled: false},
+		logger: logger,
+		cfg:    cfg,
 	}, nil
 }
 
@@ -93,8 +91,8 @@ func validateConfig(cfg *Config) error {
 		return errors.New("logging settings not specified")
 	case cfg.XDSServer.BindAddress == "":
 		return errors.New("envoy xDS bind address not specified")
-	case cfg.XDSServer.BindPort == 0 && !checkLocalXDSServer(cfg.XDSServer.BindAddress):
-		return errors.New("envoy xDS bind port not specified")
+	case !strings.HasPrefix(cfg.XDSServer.BindAddress, "unix://") && cfg.XDSServer.BindAddress != "127.0.0.1" && cfg.XDSServer.BindAddress != "localhost":
+		return errors.New("non-local xDS bind address not allowed")
 	}
 	return nil
 }
@@ -133,28 +131,6 @@ func (cdp *ConsulDataplane) setConsulServerSupportedFeatures(ctx context.Context
 	return nil
 }
 
-// checkLocalXDSServer checks if the specified xds bind address is local.
-func checkLocalXDSServer(xdsBindAddr string) bool {
-	if strings.HasPrefix(xdsBindAddr, "unix://") || xdsBindAddr == "127.0.0.1" || xdsBindAddr == "localhost" {
-		return true
-	}
-	return false
-}
-
-// checkAndEnableLocalXDSServer checks if the specified xds bind address is local.
-// If local, it enables the flag to configure consul-dataplane (later on in the setup process)
-// with a gRPC server to serve envoy xDS requests.
-// If not local, the flag remains turned off and it is assumed the xDS requests will be served
-// by a remote gRPC server.
-// Potential TODO: Explicitly allow specifying an option (xds.disable?) to disable configuring
-// consul-dataplane as the xDS server in case xDS requests can be served on another port locally
-// (example: consul server process on localhost).
-func (cdp *ConsulDataplane) checkAndEnableLocalXDSServer() {
-	if checkLocalXDSServer(cdp.cfg.XDSServer.BindAddress) {
-		cdp.localXDSServer.enabled = true
-	}
-}
-
 func (cdp *ConsulDataplane) Run(ctx context.Context) error {
 	cdp.logger.Info("started consul-dataplane process")
 
@@ -187,16 +163,12 @@ func (cdp *ConsulDataplane) Run(ctx context.Context) error {
 		return fmt.Errorf("failed to set supported features: %w", err)
 	}
 
-	cdp.checkAndEnableLocalXDSServer()
-
-	if cdp.localXDSServer.enabled {
-		err = cdp.setupXDSServer()
-		if err != nil {
-			return err
-		}
-		go cdp.startXDSServer()
-		defer cdp.stopXDSServer()
+	err = cdp.setupXDSServer()
+	if err != nil {
+		return err
 	}
+	go cdp.startXDSServer()
+	defer cdp.stopXDSServer()
 
 	cfg, err := cdp.bootstrapConfig(ctx)
 	if err != nil {

pkg/consuldp/consul_dataplane_test.go

@@ -126,12 +126,11 @@ func TestNewConsulDPError(t *testing.T) {
 			expectErr: "envoy xDS bind address not specified",
 		},
 		{
-			name: "missing xds bind port when address not local",
+			name: "non-local xds bind address",
 			modFn: func(c *Config) {
-				c.XDSServer.BindPort = 0
 				c.XDSServer.BindAddress = "1.2.3.4"
 			},
-			expectErr: "envoy xDS bind port not specified",
+			expectErr: "non-local xDS bind address not allowed",
 		},
 	}
 	for _, tc := range testCases {
@@ -214,47 +213,3 @@ func TestSetConsulServerSupportedFeaturesError(t *testing.T) {
 	require.ErrorContains(t, consulDP.setConsulServerSupportedFeatures(context.Background()), "failure getting supported consul-dataplane features")
 	require.Empty(t, consulDP.consulServer.supportedFeatures)
 }
-
-func TestCheckAndEnableLocalXDSServer(t *testing.T) {
-	type testCase struct {
-		name                 string
-		modFn                func(*Config)
-		expectLocalXDSServer bool
-	}
-
-	testCases := []testCase{
-		{
-			name:                 "localhost ip",
-			modFn:                func(c *Config) { c.XDSServer.BindAddress = "127.0.0.1" },
-			expectLocalXDSServer: true,
-		},
-		{
-			name:                 "localhost name",
-			modFn:                func(c *Config) { c.XDSServer.BindAddress = "localhost" },
-			expectLocalXDSServer: true,
-		},
-		{
-			name:                 "unix socket",
-			modFn:                func(c *Config) { c.XDSServer.BindAddress = "unix:///var/run/xds.sock" },
-			expectLocalXDSServer: true,
-		},
-		{
-			name: "remote ip",
-			modFn: func(c *Config) {
-				c.XDSServer.BindAddress = "1.2.3.4"
-				c.XDSServer.BindPort = 1234
-			},
-			expectLocalXDSServer: false,
-		},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			cfg := validConfig()
-			tc.modFn(cfg)
-			cdp, err := NewConsulDP(cfg)
-			require.NoError(t, err)
-			cdp.checkAndEnableLocalXDSServer()
-			require.Equal(t, tc.expectLocalXDSServer, cdp.localXDSServer.enabled)
-		})
-	}
-}

pkg/consuldp/testdata/TestBootstrapConfig/basic.golden

@@ -44,7 +44,7 @@
                   "endpoint": {
                     "address": {
                       "socket_address": {
-                        "address": "1.2.3.4",
+                        "address": "127.0.0.1",
                         "port_value": 1234
                       }
                     }

pkg/consuldp/testdata/TestBootstrapConfig/central-telemetry-config.golden

@@ -44,7 +44,7 @@
                   "endpoint": {
                     "address": {
                       "socket_address": {
-                        "address": "1.2.3.4",
+                        "address": "127.0.0.1",
                         "port_value": 1234
                       }
                     }