Introduce meshtls facade to hide rustls crate (#1353)

In #1351, we add an alternate identity/mtls implementation that uses
`boring`. To setup for that, this change introduces a new `meshtls`
crate that serves as a facade for application crates to depend on,
independently of the actual crypto implementation.

This change does not change any runtime logic and sets up for #1351 to
enable an alternate TLS implementation as a build-time configuration.

Author: olix0r

Cargo.lock

@@ -674,8 +674,9 @@ dependencies = [
  "linkerd-http-classify",
  "linkerd-http-metrics",
  "linkerd-http-retry",
- "linkerd-identity-default",
+ "linkerd-identity",
  "linkerd-io",
+ "linkerd-meshtls",
  "linkerd-metrics",
  "linkerd-opencensus",
  "linkerd-proxy-api-resolve",
@@ -743,8 +744,8 @@ dependencies = [
  "libfuzzer-sys",
  "linkerd-app-core",
  "linkerd-app-test",
- "linkerd-identity-default",
  "linkerd-io",
+ "linkerd-meshtls-rustls",
  "linkerd-server-policy",
  "linkerd-tonic-watch",
  "linkerd-tracing",
@@ -799,8 +800,8 @@ dependencies = [
  "linkerd-app-test",
  "linkerd-http-retry",
  "linkerd-identity",
- "linkerd-identity-default",
  "linkerd-io",
+ "linkerd-meshtls-rustls",
  "linkerd-tracing",
  "parking_lot",
  "pin-project",
@@ -1000,7 +1001,35 @@ dependencies = [
 ]
 
 [[package]]
-name = "linkerd-identity-default"
+name = "linkerd-io"
+version = "0.1.0"
+dependencies = [
+ "async-trait",
+ "bytes",
+ "futures",
+ "linkerd-errno",
+ "pin-project",
+ "tokio",
+ "tokio-test",
+ "tokio-util",
+]
+
+[[package]]
+name = "linkerd-meshtls"
+version = "0.1.0"
+dependencies = [
+ "futures",
+ "linkerd-error",
+ "linkerd-identity",
+ "linkerd-io",
+ "linkerd-meshtls-rustls",
+ "linkerd-stack",
+ "linkerd-tls",
+ "pin-project",
+]
+
+[[package]]
+name = "linkerd-meshtls-rustls"
 version = "0.1.0"
 dependencies = [
  "futures",
@@ -1022,20 +1051,6 @@ dependencies = [
  "webpki",
 ]
 
-[[package]]
-name = "linkerd-io"
-version = "0.1.0"
-dependencies = [
- "async-trait",
- "bytes",
- "futures",
- "linkerd-errno",
- "pin-project",
- "tokio",
- "tokio-test",
- "tokio-util",
-]
-
 [[package]]
 name = "linkerd-metrics"
 version = "0.1.0"
@@ -1202,8 +1217,8 @@ dependencies = [
  "ipnet",
  "linkerd-conditional",
  "linkerd-error",
- "linkerd-identity-default",
  "linkerd-io",
+ "linkerd-meshtls",
  "linkerd-proxy-http",
  "linkerd-stack",
  "linkerd-tls",

Cargo.toml

@@ -29,8 +29,9 @@ members = [
     "linkerd/http-metrics",
     "linkerd/http-retry",
     "linkerd/identity",
-    "linkerd/identity/default",
     "linkerd/io",
+    "linkerd/meshtls",
+    "linkerd/meshtls/rustls",
     "linkerd/metrics",
     "linkerd/opencensus",
     "linkerd/proxy/api-resolve",

linkerd/app/core/Cargo.toml

@@ -12,6 +12,10 @@ This crate conglomerates proxy configuration, runtime administration, etc,
 independently of the inbound and outbound proxy logic.
 """
 
+[features]
+default = ["meshtls-rustls"]
+meshtls-rustls = ["linkerd-meshtls/rustls"]
+
 [dependencies]
 bytes = "1"
 drain = { version = "0.1.0", features = ["retain"] }
@@ -33,8 +37,9 @@ linkerd-exp-backoff = { path = "../../exp-backoff" }
 linkerd-http-classify = { path = "../../http-classify" }
 linkerd-http-metrics = { path = "../../http-metrics" }
 linkerd-http-retry = { path = "../../http-retry" }
-linkerd-identity-default = { path = "../../identity/default" }
+linkerd-identity = { path = "../../identity" }
 linkerd-io = { path = "../../io" }
+linkerd-meshtls = { path = "../../meshtls", default-features = false }
 linkerd-metrics = { path = "../../metrics", features = ["linkerd-stack"] }
 linkerd-opencensus = { path = "../../opencensus" }
 linkerd-proxy-core = { path = "../../proxy/core" }

linkerd/app/core/src/lib.rs

@@ -20,10 +20,8 @@ pub use linkerd_dns;
 pub use linkerd_error::{is_error, Error, Infallible, Recover, Result};
 pub use linkerd_exp_backoff as exp_backoff;
 pub use linkerd_http_metrics as http_metrics;
-pub use linkerd_identity_default as identity;
 pub use linkerd_io as io;
 pub use linkerd_opencensus as opencensus;
-pub use linkerd_proxy_identity_client as identity_client;
 pub use linkerd_service_profiles as profiles;
 pub use linkerd_stack_metrics as stack_metrics;
 pub use linkerd_stack_tracing as stack_tracing;
@@ -51,6 +49,12 @@ pub mod transport;
 
 pub use self::addr_match::{AddrMatch, IpMatch, NameMatch};
 
+pub mod identity {
+    pub use linkerd_identity::*;
+    pub use linkerd_meshtls::*;
+    pub use linkerd_proxy_identity_client as client;
+}
+
 pub const CANONICAL_DST_HEADER: &str = "l5d-dst-canonical";
 
 const DEFAULT_PORT: u16 = 80;

linkerd/app/inbound/Cargo.toml

@@ -34,7 +34,7 @@ libfuzzer-sys = { version = "0.4.2", features = ["arbitrary-derive"] }
 hyper = { version = "0.14.14", features = ["http1", "http2"] }
 linkerd-app-test = { path = "../test" }
 linkerd-io = { path = "../../io", features = ["tokio-test"] }
-linkerd-identity-default = { path = "../../identity/default", features = ["test-util"] }
+linkerd-meshtls-rustls = { path = "../../meshtls/rustls", features = ["test-util"] }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
 tokio = { version = "1", features = ["full", "macros"] }
 tokio-test = "0.4"

linkerd/app/inbound/fuzz/Cargo.toml

@@ -17,7 +17,7 @@ libfuzzer-sys = { version = "0.4.2", features = ["arbitrary-derive"] }
 linkerd-app-core = { path = "../../core" }
 linkerd-app-inbound = { path = ".." }
 linkerd-app-test = { path = "../../test" }
-linkerd-identity-default = { path = "../../../identity/default", features = ["test-util"] }
+linkerd-meshtls-rustls = { path = "../../../meshtls/rustls", features = ["test-util"] }
 linkerd-tracing = { path = "../../../tracing", features = ["ansi"] }
 tokio = { version = "1", features = ["full"] }
 tracing = "0.1"

linkerd/app/inbound/src/test_util.rs

@@ -3,7 +3,9 @@ pub use futures::prelude::*;
 use linkerd_app_core::{
     config,
     dns::Suffix,
-    drain, exp_backoff, identity, metrics,
+    drain, exp_backoff,
+    identity::rustls,
+    metrics,
     proxy::{
         http::{h1, h2},
         tap,
@@ -73,7 +75,7 @@ pub fn runtime() -> (ProxyRuntime, drain::Signal) {
     let (tap, _) = tap::new();
     let (metrics, _) = metrics::Metrics::new(std::time::Duration::from_secs(10));
     let runtime = ProxyRuntime {
-        identity: identity::creds::default_for_test().1,
+        identity: rustls::creds::default_for_test().1.into(),
         metrics: metrics.proxy,
         tap,
         span_sink: None,

linkerd/app/outbound/Cargo.toml

@@ -32,7 +32,7 @@ pin-project = "1"
 hyper = { version = "0.14.14", features = ["http1", "http2"] }
 linkerd-app-test = { path = "../test" }
 linkerd-io = { path = "../../io", features = ["tokio-test"] }
-linkerd-identity-default = { path = "../../identity/default", features = ["test-util"] }
+linkerd-meshtls-rustls = { path = "../../meshtls/rustls", features = ["test-util"] }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
 parking_lot = "0.11"
 tokio = { version = "1", features = ["time", "macros"] }

linkerd/app/outbound/src/test_util.rs

@@ -1,7 +1,7 @@
 use crate::Config;
 pub use futures::prelude::*;
 use linkerd_app_core::{
-    config, drain, exp_backoff, identity, metrics,
+    config, drain, exp_backoff, metrics,
     proxy::{
         http::{h1, h2},
         tap,
@@ -53,7 +53,7 @@ pub(crate) fn runtime() -> (ProxyRuntime, drain::Signal) {
     let (tap, _) = tap::new();
     let (metrics, _) = metrics::Metrics::new(std::time::Duration::from_secs(10));
     let runtime = ProxyRuntime {
-        identity: identity::creds::default_for_test().1,
+        identity: linkerd_meshtls_rustls::creds::default_for_test().1.into(),
         metrics: metrics.proxy,
         tap,
         span_sink: None,

linkerd/app/src/env.rs

@@ -2,7 +2,6 @@ use crate::core::{
     addr,
     config::*,
     control::{Config as ControlConfig, ControlAddr},
-    identity_client,
     proxy::http::{h1, h2},
     tls,
     transport::{Keepalive, ListenAddr},
@@ -1102,14 +1101,7 @@ pub fn parse_control_addr<S: Strings>(
 
 pub fn parse_identity_config<S: Strings>(
     strings: &S,
-) -> Result<
-    (
-        ControlAddr,
-        identity_client::certify::Config,
-        identity::Documents,
-    ),
-    EnvError,
-> {
+) -> Result<(ControlAddr, identity::certify::Config, identity::Documents), EnvError> {
     let control = parse_control_addr(strings, ENV_IDENTITY_SVC_BASE);
     let ta = parse(strings, ENV_IDENTITY_TRUST_ANCHORS, |s| {
         if s.is_empty() {