reorg: Decouple TLS implementation from proxy client (#1349)

Currently the TLS implementation in `proxy-identity-default` depends on
`proxy-identity`, which depends on the proxy API to implement its
refreshing identity client.

This change updates these crates so that the TLS implementation only
depends on the core identity crate as follows:

* Move `proxy_identity::Credentials` to `identity::Credentials`;
* Move `proxy/identity/default` to `identity/default`;
* Rename `proxy/identity` to `proxy/identity-client` to help
  disambiguate it from the core identity crate.

Author: olix0r

Cargo.lock

@@ -674,6 +674,7 @@ dependencies = [
  "linkerd-http-classify",
  "linkerd-http-metrics",
  "linkerd-http-retry",
+ "linkerd-identity-default",
  "linkerd-io",
  "linkerd-metrics",
  "linkerd-opencensus",
@@ -682,7 +683,7 @@ dependencies = [
  "linkerd-proxy-discover",
  "linkerd-proxy-dns-resolve",
  "linkerd-proxy-http",
- "linkerd-proxy-identity-default",
+ "linkerd-proxy-identity-client",
  "linkerd-proxy-resolve",
  "linkerd-proxy-tap",
  "linkerd-proxy-tcp",
@@ -742,8 +743,8 @@ dependencies = [
  "libfuzzer-sys",
  "linkerd-app-core",
  "linkerd-app-test",
+ "linkerd-identity-default",
  "linkerd-io",
- "linkerd-proxy-identity-default",
  "linkerd-server-policy",
  "linkerd-tonic-watch",
  "linkerd-tracing",
@@ -798,8 +799,8 @@ dependencies = [
  "linkerd-app-test",
  "linkerd-http-retry",
  "linkerd-identity",
+ "linkerd-identity-default",
  "linkerd-io",
- "linkerd-proxy-identity-default",
  "linkerd-tracing",
  "parking_lot",
  "pin-project",
@@ -995,6 +996,30 @@ name = "linkerd-identity"
 version = "0.1.0"
 dependencies = [
  "linkerd-dns-name",
+ "linkerd-error",
+]
+
+[[package]]
+name = "linkerd-identity-default"
+version = "0.1.0"
+dependencies = [
+ "futures",
+ "linkerd-conditional",
+ "linkerd-error",
+ "linkerd-identity",
+ "linkerd-io",
+ "linkerd-proxy-transport",
+ "linkerd-stack",
+ "linkerd-tls",
+ "linkerd-tls-test-util",
+ "linkerd-tracing",
+ "ring",
+ "thiserror",
+ "tokio",
+ "tokio-rustls",
+ "tower",
+ "tracing",
+ "webpki",
 ]
 
 [[package]]
@@ -1136,7 +1161,7 @@ dependencies = [
 ]
 
 [[package]]
-name = "linkerd-proxy-identity"
+name = "linkerd-proxy-identity-client"
 version = "0.1.0"
 dependencies = [
  "futures",
@@ -1154,29 +1179,6 @@ dependencies = [
  "tracing",
 ]
 
-[[package]]
-name = "linkerd-proxy-identity-default"
-version = "0.1.0"
-dependencies = [
- "futures",
- "linkerd-conditional",
- "linkerd-error",
- "linkerd-io",
- "linkerd-proxy-identity",
- "linkerd-proxy-transport",
- "linkerd-stack",
- "linkerd-tls",
- "linkerd-tls-test-util",
- "linkerd-tracing",
- "ring",
- "thiserror",
- "tokio",
- "tokio-rustls",
- "tower",
- "tracing",
- "webpki",
-]
-
 [[package]]
 name = "linkerd-proxy-resolve"
 version = "0.1.0"
@@ -1200,10 +1202,9 @@ dependencies = [
  "ipnet",
  "linkerd-conditional",
  "linkerd-error",
- "linkerd-identity",
+ "linkerd-identity-default",
  "linkerd-io",
  "linkerd-proxy-http",
- "linkerd-proxy-identity-default",
  "linkerd-stack",
  "linkerd-tls",
  "linkerd2-proxy-api",

Cargo.toml

@@ -29,6 +29,7 @@ members = [
     "linkerd/http-metrics",
     "linkerd/http-retry",
     "linkerd/identity",
+    "linkerd/identity/default",
     "linkerd/io",
     "linkerd/metrics",
     "linkerd/opencensus",
@@ -37,8 +38,7 @@ members = [
     "linkerd/proxy/core",
     "linkerd/proxy/discover",
     "linkerd/proxy/http",
-    "linkerd/proxy/identity",
-    "linkerd/proxy/identity/default",
+    "linkerd/proxy/identity-client",
     "linkerd/proxy/resolve",
     "linkerd/proxy/tap",
     "linkerd/proxy/tcp",

linkerd/app/core/Cargo.toml

@@ -33,13 +33,14 @@ linkerd-exp-backoff = { path = "../../exp-backoff" }
 linkerd-http-classify = { path = "../../http-classify" }
 linkerd-http-metrics = { path = "../../http-metrics" }
 linkerd-http-retry = { path = "../../http-retry" }
+linkerd-identity-default = { path = "../../identity/default" }
 linkerd-io = { path = "../../io" }
 linkerd-metrics = { path = "../../metrics", features = ["linkerd-stack"] }
 linkerd-opencensus = { path = "../../opencensus" }
 linkerd-proxy-core = { path = "../../proxy/core" }
 linkerd-proxy-api-resolve = { path = "../../proxy/api-resolve" }
 linkerd-proxy-discover = { path = "../../proxy/discover" }
-linkerd-proxy-identity-default = { path = "../../proxy/identity/default" }
+linkerd-proxy-identity-client = { path = "../../proxy/identity-client" }
 linkerd-proxy-http = { path = "../../proxy/http" }
 linkerd-proxy-resolve = { path = "../../proxy/resolve" }
 linkerd-proxy-dns-resolve = { path = "../../proxy/dns-resolve" }

linkerd/app/core/src/lib.rs

@@ -20,9 +20,10 @@ pub use linkerd_dns;
 pub use linkerd_error::{is_error, Error, Infallible, Recover, Result};
 pub use linkerd_exp_backoff as exp_backoff;
 pub use linkerd_http_metrics as http_metrics;
+pub use linkerd_identity_default as identity;
 pub use linkerd_io as io;
 pub use linkerd_opencensus as opencensus;
-pub use linkerd_proxy_identity_default as identity;
+pub use linkerd_proxy_identity_client as identity_client;
 pub use linkerd_service_profiles as profiles;
 pub use linkerd_stack_metrics as stack_metrics;
 pub use linkerd_stack_tracing as stack_tracing;

linkerd/app/inbound/Cargo.toml

@@ -34,7 +34,7 @@ libfuzzer-sys = { version = "0.4.2", features = ["arbitrary-derive"] }
 hyper = { version = "0.14.14", features = ["http1", "http2"] }
 linkerd-app-test = { path = "../test" }
 linkerd-io = { path = "../../io", features = ["tokio-test"] }
-linkerd-proxy-identity-default = { path = "../../proxy/identity/default", features = ["test-util"] }
+linkerd-identity-default = { path = "../../identity/default", features = ["test-util"] }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
 tokio = { version = "1", features = ["full", "macros"] }
 tokio-test = "0.4"

linkerd/app/inbound/fuzz/Cargo.toml

@@ -17,7 +17,7 @@ libfuzzer-sys = { version = "0.4.2", features = ["arbitrary-derive"] }
 linkerd-app-core = { path = "../../core" }
 linkerd-app-inbound = { path = ".." }
 linkerd-app-test = { path = "../../test" }
-linkerd-proxy-identity-default = { path = "../../../proxy/identity/default", features = ["test-util"] }
+linkerd-identity-default = { path = "../../../identity/default", features = ["test-util"] }
 linkerd-tracing = { path = "../../../tracing", features = ["ansi"] }
 tokio = { version = "1", features = ["full"] }
 tracing = "0.1"

linkerd/app/outbound/Cargo.toml

@@ -32,7 +32,7 @@ pin-project = "1"
 hyper = { version = "0.14.14", features = ["http1", "http2"] }
 linkerd-app-test = { path = "../test" }
 linkerd-io = { path = "../../io", features = ["tokio-test"] }
-linkerd-proxy-identity-default = { path = "../../proxy/identity/default", features = ["test-util"] }
+linkerd-identity-default = { path = "../../identity/default", features = ["test-util"] }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
 parking_lot = "0.11"
 tokio = { version = "1", features = ["time", "macros"] }

linkerd/app/src/env.rs

@@ -2,6 +2,7 @@ use crate::core::{
     addr,
     config::*,
     control::{Config as ControlConfig, ControlAddr},
+    identity_client,
     proxy::http::{h1, h2},
     tls,
     transport::{Keepalive, ListenAddr},
@@ -1101,7 +1102,14 @@ pub fn parse_control_addr<S: Strings>(
 
 pub fn parse_identity_config<S: Strings>(
     strings: &S,
-) -> Result<(ControlAddr, identity::certify::Config, identity::Documents), EnvError> {
+) -> Result<
+    (
+        ControlAddr,
+        identity_client::certify::Config,
+        identity::Documents,
+    ),
+    EnvError,
+> {
     let control = parse_control_addr(strings, ENV_IDENTITY_SVC_BASE);
     let ta = parse(strings, ENV_IDENTITY_TRUST_ANCHORS, |s| {
         if s.is_empty() {

linkerd/app/src/identity.rs

@@ -1,11 +1,15 @@
-pub use linkerd_app_core::identity::*;
 use linkerd_app_core::{
     control, dns,
     exp_backoff::{ExponentialBackoff, ExponentialBackoffStream},
-    identity,
-    metrics::ControlHttp as Metrics,
+    identity::{creds, Credentials, DerX509},
+    identity_client::{Certify, Metrics as IdentityMetrics},
+    metrics::ControlHttp as ClientMetrics,
     Error, Result,
 };
+pub use linkerd_app_core::{
+    identity::{InvalidName, LocalId, Name},
+    identity_client::{certify, TokenSource},
+};
 use std::{future::Future, pin::Pin};
 use tokio::sync::watch;
 use tracing::Instrument;
@@ -27,9 +31,9 @@ pub struct Documents {
 
 pub struct Identity {
     addr: control::ControlAddr,
-    receiver: identity::creds::Receiver,
+    receiver: creds::Receiver,
     ready: watch::Receiver<bool>,
-    metrics: identity::Metrics,
+    metrics: IdentityMetrics,
     task: Task,
 }
 
@@ -41,22 +45,22 @@ struct Recover(ExponentialBackoff);
 /// Wraps a credential with a watch sender that notifies receivers when the store has been updated
 /// at least once.
 struct NotifyReady {
-    store: identity::creds::Store,
+    store: creds::Store,
     tx: watch::Sender<bool>,
 }
 
 // === impl Config ===
 
 impl Config {
-    pub fn build(self, dns: dns::Resolver, client_metrics: Metrics) -> Result<Identity> {
-        let (store, receiver) = identity::creds::watch(
+    pub fn build(self, dns: dns::Resolver, client_metrics: ClientMetrics) -> Result<Identity> {
+        let (store, receiver) = creds::watch(
             (*self.documents.id).clone(),
             &self.documents.trust_anchors_pem,
             &self.documents.key_pkcs8,
             &self.documents.csr_der,
         )?;
 
-        let certify = identity::Certify::from(self.certify);
+        let certify = Certify::from(self.certify);
         let metrics = certify.metrics();
 
         let addr = self.control.addr.clone();
@@ -85,21 +89,21 @@ impl Config {
     }
 }
 
-impl identity::Credentials for NotifyReady {
+impl Credentials for NotifyReady {
     #[inline]
     fn dns_name(&self) -> &Name {
         self.store.dns_name()
     }
 
     #[inline]
-    fn gen_certificate_signing_request(&mut self) -> identity::DerX509 {
+    fn gen_certificate_signing_request(&mut self) -> DerX509 {
         self.store.gen_certificate_signing_request()
     }
 
     fn set_certificate(
         &mut self,
-        leaf: identity::DerX509,
-        chain: Vec<identity::DerX509>,
+        leaf: DerX509,
+        chain: Vec<DerX509>,
         expiry: std::time::SystemTime,
     ) -> Result<()> {
         self.store.set_certificate(leaf, chain, expiry)?;
@@ -136,11 +140,11 @@ impl Identity {
         })
     }
 
-    pub fn receiver(&self) -> identity::creds::Receiver {
+    pub fn receiver(&self) -> creds::Receiver {
         self.receiver.clone()
     }
 
-    pub fn metrics(&self) -> identity::Metrics {
+    pub fn metrics(&self) -> IdentityMetrics {
         self.metrics.clone()
     }
 

linkerd/identity/Cargo.toml

@@ -8,3 +8,4 @@ publish = false
 
 [dependencies]
 linkerd-dns-name = { path = "../dns/name" }
+linkerd-error = { path = "../error" }