feat(outbound): Configure TLS routes from the policy API (#3341)

Until now, the TLS routing stack was not wire with the API responses. This PR adds mappings from the protobuf API representation to the correct internal types. This enables the proxy to build the correct sidecar type when it receives a TLS protocol response from the discovery.

In addition to that, in a separate commit the TLS rule matching logic has been simplified for our internal types. This can be done because for TLS routes we do not do any real route matching. Furthermore the validation logic in the controller ensures that a TLSRoute has exactly on rule.

Signed-off-by: Zahari Dichev <[email protected]>

Author: zaharidichev

Cargo.lock

@@ -2416,6 +2416,7 @@ version = "0.1.0"
 dependencies = [
  "linkerd-dns",
  "linkerd-tls",
+ "linkerd2-proxy-api",
  "rand",
  "regex",
  "thiserror",

linkerd/app/outbound/src/tls/logical/router.rs

@@ -148,15 +148,7 @@ where
             .iter()
             .map(|route| tls_route::Route {
                 snis: route.snis.clone(),
-                rules: route
-                    .rules
-                    .iter()
-                    .cloned()
-                    .map(|tls_route::Rule { matches, policy }| tls_route::Rule {
-                        matches,
-                        policy: mk_policy(policy),
-                    })
-                    .collect(),
+                policy: mk_policy(route.policy.clone()),
             })
             .collect();
 

linkerd/app/outbound/src/tls/logical/tests.rs

@@ -147,26 +147,22 @@ fn default_backend(addr: SocketAddr) -> client_policy::Backend {
 
 fn sni_route(backend: client_policy::Backend, sni: sni::MatchSni) -> client_policy::tls::Route {
     use client_policy::{
-        tls::{Filter, Policy, Route, Rule},
+        tls::{Filter, Policy, Route},
         Meta, RouteBackend, RouteDistribution,
     };
-    use linkerd_tls_route::r#match::MatchSession;
     use once_cell::sync::Lazy;
     static NO_FILTERS: Lazy<Arc<[Filter]>> = Lazy::new(|| Arc::new([]));
     Route {
         snis: vec![sni],
-        rules: vec![Rule {
-            matches: vec![MatchSession::default()],
-            policy: Policy {
-                meta: Meta::new_default("test_route"),
+        policy: Policy {
+            meta: Meta::new_default("test_route"),
+            filters: NO_FILTERS.clone(),
+            params: (),
+            distribution: RouteDistribution::FirstAvailable(Arc::new([RouteBackend {
                 filters: NO_FILTERS.clone(),
-                params: (),
-                distribution: RouteDistribution::FirstAvailable(Arc::new([RouteBackend {
-                    filters: NO_FILTERS.clone(),
-                    backend,
-                }])),
-            },
-        }],
+                backend,
+            }])),
+        },
     }
 }
 

linkerd/proxy/client-policy/Cargo.toml

@@ -9,6 +9,7 @@ publish = false
 [features]
 proto = [
     "linkerd-http-route/proto",
+    "linkerd-tls-route/proto",
     "linkerd2-proxy-api",
     "prost-types",
     "thiserror",

linkerd/proxy/client-policy/src/lib.rs

@@ -333,6 +333,9 @@ pub mod proto {
         #[error("invalid opaque route: {0}")]
         OpaqueRoute(#[from] opaq::proto::InvalidOpaqueRoute),
 
+        #[error("invalid TLS route: {0}")]
+        TlsRoute(#[from] tls::proto::InvalidTlsRoute),
+
         #[error("invalid backend: {0}")]
         Backend(#[from] InvalidBackend),
 
@@ -479,10 +482,7 @@ pub mod proto {
                 proxy_protocol::Kind::Http2(http) => Protocol::Http2(http.try_into()?),
                 proxy_protocol::Kind::Opaque(opaque) => Protocol::Opaque(opaque.try_into()?),
                 proxy_protocol::Kind::Grpc(grpc) => Protocol::Grpc(grpc.try_into()?),
-                proxy_protocol::Kind::Tls(_tls) => {
-                    // TODO(ver): impl TryFrom<proxy_protocol::Tls> for `tls::Tls`
-                    return Err(InvalidPolicy::Protocol("TLS not supported yet"));
-                }
+                proxy_protocol::Kind::Tls(tls) => Protocol::Tls(tls.try_into()?),
             };
 
             let mut backends = BackendSet::default();

linkerd/proxy/client-policy/src/tls.rs

@@ -5,7 +5,6 @@ pub use linkerd_tls_route::{find, sni, RouteMatch};
 
 pub type Policy = crate::RoutePolicy<Filter, ()>;
 pub type Route = tls::Route<Policy>;
-pub type Rule = tls::Rule<Policy>;
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct Tls {
@@ -18,15 +17,12 @@ pub enum Filter {}
 pub fn default(distribution: crate::RouteDistribution<Filter>) -> Route {
     Route {
         snis: vec![],
-        rules: vec![Rule {
-            matches: vec![],
-            policy: Policy {
-                meta: crate::Meta::new_default("default"),
-                filters: Arc::new([]),
-                params: (),
-                distribution,
-            },
-        }],
+        policy: Policy {
+            meta: crate::Meta::new_default("default"),
+            filters: Arc::new([]),
+            params: (),
+            distribution,
+        },
     }
 }
 
@@ -39,17 +35,175 @@ impl Default for Tls {
 }
 
 #[cfg(feature = "proto")]
-pub mod proto {
+pub(crate) mod proto {
     use super::*;
-    use crate::proto::BackendSet;
+    use crate::{
+        proto::{BackendSet, InvalidBackend, InvalidDistribution, InvalidMeta},
+        Meta, RouteBackend, RouteDistribution,
+    };
+    use linkerd2_proxy_api::outbound::{self, tls_route};
+    use linkerd_tls_route::sni::proto::InvalidSniMatch;
+
+    use once_cell::sync::Lazy;
+    use std::sync::Arc;
+
+    pub(crate) static NO_FILTERS: Lazy<Arc<[Filter]>> = Lazy::new(|| Arc::new([]));
+
+    #[derive(Debug, thiserror::Error)]
+    pub enum InvalidTlsRoute {
+        #[error("invalid sni match: {0}")]
+        SniMatch(#[from] InvalidSniMatch),
+
+        #[error("invalid route metadata: {0}")]
+        Meta(#[from] InvalidMeta),
+
+        #[error("invalid distribution: {0}")]
+        Distribution(#[from] InvalidDistribution),
+
+        /// Note: this restriction may be removed in the future, if a way of
+        /// actually matching rules for TLS routes is added.
+        #[error("a TLS route must have exactly one rule, but {0} were provided")]
+        OnlyOneRule(usize),
+
+        #[error("no filters can be configured on opaque routes yet")]
+        NoFilters,
+
+        #[error("missing {0}")]
+        Missing(&'static str),
+    }
+
+    impl TryFrom<outbound::proxy_protocol::Tls> for Tls {
+        type Error = InvalidTlsRoute;
+        fn try_from(proto: outbound::proxy_protocol::Tls) -> Result<Self, Self::Error> {
+            let routes = proto
+                .routes
+                .into_iter()
+                .map(try_route)
+                .collect::<Result<Arc<[_]>, _>>()?;
+
+            Ok(Self { routes })
+        }
+    }
 
     impl Tls {
         pub fn fill_backends(&self, set: &mut BackendSet) {
-            for Route { ref rules, .. } in &*self.routes {
-                for Rule { ref policy, .. } in rules {
-                    policy.distribution.fill_backends(set);
-                }
+            for Route { ref policy, .. } in &*self.routes {
+                policy.distribution.fill_backends(set);
             }
         }
     }
+
+    fn try_route(proto: outbound::TlsRoute) -> Result<Route, InvalidTlsRoute> {
+        let outbound::TlsRoute {
+            rules,
+            snis,
+            metadata,
+            ..
+        } = proto;
+        let meta = Arc::new(
+            metadata
+                .ok_or(InvalidMeta("missing metadata"))?
+                .try_into()?,
+        );
+
+        let snis = snis
+            .into_iter()
+            .map(sni::MatchSni::try_from)
+            .collect::<Result<Vec<_>, _>>()?;
+
+        if rules.len() != 1 {
+            // Currently, TLS rules have no match expressions, so if there's
+            // more than one rule, we have no way of determining which one to
+            // use. Therefore, require that there's exactly one rule.
+            return Err(InvalidTlsRoute::OnlyOneRule(rules.len()));
+        }
+
+        let policy = rules
+            .into_iter()
+            .map(|rule| try_rule(&meta, rule))
+            .next()
+            .ok_or(InvalidTlsRoute::OnlyOneRule(0))??;
+
+        Ok(Route { snis, policy })
+    }
+
+    fn try_rule(
+        meta: &Arc<Meta>,
+        tls_route::Rule { backends }: tls_route::Rule,
+    ) -> Result<Policy, InvalidTlsRoute> {
+        let distribution = backends
+            .ok_or(InvalidTlsRoute::Missing("distribution"))?
+            .try_into()?;
+
+        Ok(Policy {
+            meta: meta.clone(),
+            filters: NO_FILTERS.clone(),
+            params: (),
+            distribution,
+        })
+    }
+
+    impl TryFrom<tls_route::Distribution> for RouteDistribution<Filter> {
+        type Error = InvalidDistribution;
+        fn try_from(distribution: tls_route::Distribution) -> Result<Self, Self::Error> {
+            use tls_route::{distribution, WeightedRouteBackend};
+
+            Ok(
+                match distribution.kind.ok_or(InvalidDistribution::Missing)? {
+                    distribution::Kind::Empty(_) => RouteDistribution::Empty,
+                    distribution::Kind::RandomAvailable(distribution::RandomAvailable {
+                        backends,
+                    }) => {
+                        let backends = backends
+                            .into_iter()
+                            .map(|WeightedRouteBackend { weight, backend }| {
+                                let backend = backend
+                                    .ok_or(InvalidDistribution::MissingBackend)?
+                                    .try_into()?;
+                                Ok((backend, weight))
+                            })
+                            .collect::<Result<Arc<[_]>, InvalidDistribution>>()?;
+                        if backends.is_empty() {
+                            return Err(InvalidDistribution::Empty("RandomAvailable"));
+                        }
+                        RouteDistribution::RandomAvailable(backends)
+                    }
+                    distribution::Kind::FirstAvailable(distribution::FirstAvailable {
+                        backends,
+                    }) => {
+                        let backends = backends
+                            .into_iter()
+                            .map(RouteBackend::try_from)
+                            .collect::<Result<Arc<[_]>, InvalidBackend>>()?;
+                        if backends.is_empty() {
+                            return Err(InvalidDistribution::Empty("FirstAvailable"));
+                        }
+                        RouteDistribution::FirstAvailable(backends)
+                    }
+                },
+            )
+        }
+    }
+
+    impl TryFrom<tls_route::RouteBackend> for RouteBackend<Filter> {
+        type Error = InvalidBackend;
+        fn try_from(
+            tls_route::RouteBackend {
+                backend,
+                invalid: _, // TODO
+            }: tls_route::RouteBackend,
+        ) -> Result<Self, Self::Error> {
+            let backend = backend.ok_or(InvalidBackend::Missing("backend"))?;
+            RouteBackend::try_from_proto(backend, std::iter::empty::<()>())
+        }
+    }
+
+    // Necessary to satisfy `RouteBackend::try_from_proto` type constraints.
+    // TODO(eliza): if filters are added to opaque routes, change this to a
+    // proper `TryFrom` impl...
+    impl From<()> for Filter {
+        fn from(_: ()) -> Self {
+            unreachable!("no filters can be configured on opaque routes yet")
+        }
+    }
 }

linkerd/tls/route/Cargo.toml

@@ -5,10 +5,18 @@ license = "Apache-2.0"
 edition = "2021"
 publish = false
 
+[features]
+proto = ["linkerd2-proxy-api"]
+
 [dependencies]
 regex = "1"
 rand = "0.8"
 thiserror = "1"
 tracing = "0.1"
 linkerd-tls = { path = "../" }
 linkerd-dns = { path = "../../dns" }
+
+[dependencies.linkerd2-proxy-api]
+workspace = true
+optional = true
+features = ["outbound"]

linkerd/tls/route/src/lib.rs

@@ -5,10 +5,8 @@
 #![forbid(unsafe_code)]
 
 use linkerd_tls::ServerName;
-use r#match::SessionMatch;
 use tracing::trace;
 
-pub mod r#match;
 pub mod sni;
 #[cfg(test)]
 mod tests;
@@ -24,19 +22,6 @@ pub struct Route<P> {
     /// When no SNI matches are present, all SNIs match.
     pub snis: Vec<MatchSni>,
 
-    /// Must not be empty.
-    pub rules: Vec<Rule<P>>,
-}
-
-/// Policies for a given set of route matches.
-#[derive(Clone, Debug, Default, Hash, PartialEq, Eq)]
-pub struct Rule<P> {
-    /// A list of session matchers, *any* of which may apply.
-    ///
-    /// The "best" match is used when comparing rules.
-    pub matches: Vec<r#match::MatchSession>,
-
-    /// The policy to apply to sessions matched by this rule.
     pub policy: P,
 }
 
@@ -45,7 +30,6 @@ pub struct Rule<P> {
 #[derive(Clone, Debug, Hash, PartialEq, Eq, PartialOrd, Ord, Default)]
 pub struct RouteMatch {
     sni: Option<SniMatch>,
-    route: r#match::SessionMatch,
 }
 
 /// Provides metadata information about a TLS session. For now this contains
@@ -74,27 +58,7 @@ pub fn find<P>(routes: &[Route<P>], session_info: SessionInfo) -> Option<(RouteM
             Some(sni_match)
         };
 
-        trace!(rules = %rt.rules.len());
-        let (route, policy) = best(rt.rules.iter().filter_map(|rule| {
-            // If there are no matches in the list, then the rule has an
-            // implicit default match.
-            if rule.matches.is_empty() {
-                trace!("implicit match");
-                return Some((SessionMatch::default(), &rule.policy));
-            }
-            // Find the best match to compare against other rules/routes
-            // (if any apply). The order/precedence of matches is not
-            // relevant.
-            let summary = rule
-                .matches
-                .iter()
-                .filter_map(|m| m.match_session(&session_info))
-                .max()?;
-            trace!("matches!");
-            Some((summary, &rule.policy))
-        }))?;
-
-        Some((RouteMatch { sni, route }, policy))
+        Some((RouteMatch { sni }, &rt.policy))
     }))
 }