diff --git a/DESIGN.md b/DESIGN.md index 810a09b6b9..2cb500335d 100644 --- a/DESIGN.md +++ b/DESIGN.md @@ -289,7 +289,7 @@ would require: In the previous section, we proposed implementation of the `StreamAggregatedResources` method. This provides connected Envoy proxies with a list of clusters, mapping of service name to list of routable IP addresses, list of permitted routes, listeners and secrets for CDS, EDS, RDS, LDS and SDS respectively. -The `ListEndpointsForService`, `ListTrafficPolicies` and `GetCertificateForService` methods will be provided by the OSM component, which we refer to +The `ListEndpointsForService`, `ListTrafficPolicies` methods will be provided by the OSM component, which we refer to as the **Mesh Catalog** in this document. The Mesh Catalog will have access to the `MeshSpec`, `CertificateManager`, and the list of `EndpointsProvider`s. @@ -315,10 +315,6 @@ type MeshCataloger interface { // ListEndpointsForService returns the list of provider endpoints corresponding to a service ListEndpointsForService(service.MeshService) ([]endpoint.Endpoint, error) - // GetCertificateForService returns the SSL Certificate for the given service. - // This certificate will be used for service-to-service mTLS. - GetCertificateForService(service.MeshService) (certificate.Certificater, error) - // ExpectProxy catalogs the fact that a certificate was issued for an Envoy proxy and this is expected to connect to XDS. ExpectProxy(certificate.CommonName) diff --git a/cmd/osm-controller/osm-controller.go b/cmd/osm-controller/osm-controller.go index ebd5a6745f..4d6db70b73 100644 --- a/cmd/osm-controller/osm-controller.go +++ b/cmd/osm-controller/osm-controller.go @@ -209,7 +209,7 @@ func main() { } // Create and start the ADS gRPC service - xdsServer := ads.NewADSServer(meshCatalog, cfg.IsDebugServerEnabled(), osmNamespace, cfg) + xdsServer := ads.NewADSServer(meshCatalog, cfg.IsDebugServerEnabled(), osmNamespace, cfg, certManager) if err := xdsServer.Start(ctx, cancel, *port, adsCert); err != nil { events.GenericEventRecorder().FatalEvent(err, events.InitializationError, "Error initializing ADS server") } diff --git a/go.sum b/go.sum index eb0b9a7b3e..90c12952f4 100644 --- a/go.sum +++ b/go.sum @@ -392,6 +392,7 @@ github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfb github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.3.1 h1:qGJ6qTW+x6xX/my+8YUVl4WNpX9B7+/l2tRsHGZ7f2s= github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc= github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.0.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= diff --git a/pkg/catalog/certificates.go b/pkg/catalog/certificates.go deleted file mode 100644 index 6c6609c367..0000000000 --- a/pkg/catalog/certificates.go +++ /dev/null @@ -1,23 +0,0 @@ -package catalog - -import ( - "github.com/openservicemesh/osm/pkg/certificate" - "github.com/openservicemesh/osm/pkg/service" -) - -// GetCertificateForService returns the certificate the given proxy uses for mTLS to the XDS server. -func (mc *MeshCatalog) GetCertificateForService(meshService service.MeshService) (certificate.Certificater, error) { - cn := meshService.GetCommonName() - - cert, err := mc.certManager.GetCertificate(cn) - if err != nil { - // Certificate was not found in CertManager's cache, issue one - newCert, err := mc.certManager.IssueCertificate(cn, mc.configurator.GetServiceCertValidityPeriod()) - if err != nil { - log.Error().Err(err).Msgf("Error issuing a new certificate for service:%s, CN: %s", meshService, cn) - return nil, err - } - return newCert, nil - } - return cert, nil -} diff --git a/pkg/catalog/certificates_test.go b/pkg/catalog/certificates_test.go deleted file mode 100644 index 751bea419e..0000000000 --- a/pkg/catalog/certificates_test.go +++ /dev/null @@ -1,57 +0,0 @@ -package catalog - -import ( - "time" - - testclient "k8s.io/client-go/kubernetes/fake" - - . "github.com/onsi/ginkgo" - . "github.com/onsi/gomega" - - "github.com/openservicemesh/osm/pkg/certificate" - "github.com/openservicemesh/osm/pkg/service" -) - -var _ = Describe("Test certificate tooling", func() { - namespacedService := service.MeshService{ - Namespace: "namespace-here", - Name: "service-name-here", - } - mc := NewFakeMeshCatalog(testclient.NewSimpleClientset()) - - Context("Testing DecodePEMCertificate along with GetCommonName and IssueCertificate", func() { - It("issues a PEM certificate with the correct CN", func() { - cert, err := mc.GetCertificateForService(namespacedService) - Expect(err).ToNot(HaveOccurred()) - - actual := cert.GetCertificateChain() - expected := "-----BEGIN CERTIFICATE-----\nMII" - Expect(string(actual[:len(expected)])).To(Equal(expected)) - - x509Cert, err := certificate.DecodePEMCertificate(cert.GetCertificateChain()) - Expect(err).ToNot(HaveOccurred()) - - expectedCN := "service-name-here.namespace-here.svc.cluster.local" - Expect(x509Cert.Subject.CommonName).To(Equal(expectedCN)) - - Expect(x509Cert.NotAfter.After(time.Now())).To(BeTrue()) - Expect(x509Cert.NotAfter.Before(time.Now().Add(24 * time.Hour))).To(BeTrue()) - }) - }) - - Context("Testing GetCertificateForService for issuance and retrieval of cached certificates", func() { - namespacedService := service.MeshService{ - Namespace: "namespace-here", - Name: "service-name-here", - } - It("issues a PEM certificate with the correct CN", func() { - cert, err := mc.GetCertificateForService(namespacedService) - Expect(err).ToNot(HaveOccurred()) - - cachedCert, err := mc.GetCertificateForService(namespacedService) - Expect(err).ToNot(HaveOccurred()) - - Expect(cert).To(Equal(cachedCert)) - }) - }) -}) diff --git a/pkg/catalog/mock_catalog.go b/pkg/catalog/mock_catalog.go index 0e1de75e09..4753c55e6f 100644 --- a/pkg/catalog/mock_catalog.go +++ b/pkg/catalog/mock_catalog.go @@ -54,21 +54,6 @@ func (mr *MockMeshCatalogerMockRecorder) ExpectProxy(arg0 interface{}) *gomock.C return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExpectProxy", reflect.TypeOf((*MockMeshCataloger)(nil).ExpectProxy), arg0) } -// GetCertificateForService mocks base method -func (m *MockMeshCataloger) GetCertificateForService(arg0 service.MeshService) (certificate.Certificater, error) { - m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "GetCertificateForService", arg0) - ret0, _ := ret[0].(certificate.Certificater) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetCertificateForService indicates an expected call of GetCertificateForService -func (mr *MockMeshCatalogerMockRecorder) GetCertificateForService(arg0 interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificateForService", reflect.TypeOf((*MockMeshCataloger)(nil).GetCertificateForService), arg0) -} - // GetIngressRoutesPerHost mocks base method func (m *MockMeshCataloger) GetIngressRoutesPerHost(arg0 service.MeshService) (map[string][]trafficpolicy.HTTPRoute, error) { m.ctrl.T.Helper() diff --git a/pkg/catalog/types.go b/pkg/catalog/types.go index e4735dad6c..f3964db779 100644 --- a/pkg/catalog/types.go +++ b/pkg/catalog/types.go @@ -79,10 +79,6 @@ type MeshCataloger interface { // If no LB/virtual IPs are assigned to the service, GetResolvableServiceEndpoints will return ListEndpointsForService GetResolvableServiceEndpoints(service.MeshService) ([]endpoint.Endpoint, error) - // GetCertificateForService returns the SSL Certificate for the given service. - // This certificate will be used for service-to-service mTLS. - GetCertificateForService(service.MeshService) (certificate.Certificater, error) - // ExpectProxy catalogs the fact that a certificate was issued for an Envoy proxy and this is expected to connect to XDS. ExpectProxy(certificate.CommonName) diff --git a/pkg/certificate/mock_certificate.go b/pkg/certificate/mock_certificate.go new file mode 100644 index 0000000000..0c33a80bc0 --- /dev/null +++ b/pkg/certificate/mock_certificate.go @@ -0,0 +1,217 @@ +// Code generated by MockGen. DO NOT EDIT. +// Source: types.go + +// Package certificate is a generated GoMock package. +package certificate + +import ( + reflect "reflect" + time "time" + + gomock "github.com/golang/mock/gomock" +) + +// MockCertificater is a mock of Certificater interface +type MockCertificater struct { + ctrl *gomock.Controller + recorder *MockCertificaterMockRecorder +} + +// MockCertificaterMockRecorder is the mock recorder for MockCertificater +type MockCertificaterMockRecorder struct { + mock *MockCertificater +} + +// NewMockCertificater creates a new mock instance +func NewMockCertificater(ctrl *gomock.Controller) *MockCertificater { + mock := &MockCertificater{ctrl: ctrl} + mock.recorder = &MockCertificaterMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use +func (m *MockCertificater) EXPECT() *MockCertificaterMockRecorder { + return m.recorder +} + +// GetCommonName mocks base method +func (m *MockCertificater) GetCommonName() CommonName { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetCommonName") + ret0, _ := ret[0].(CommonName) + return ret0 +} + +// GetCommonName indicates an expected call of GetCommonName +func (mr *MockCertificaterMockRecorder) GetCommonName() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCommonName", reflect.TypeOf((*MockCertificater)(nil).GetCommonName)) +} + +// GetCertificateChain mocks base method +func (m *MockCertificater) GetCertificateChain() []byte { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetCertificateChain") + ret0, _ := ret[0].([]byte) + return ret0 +} + +// GetCertificateChain indicates an expected call of GetCertificateChain +func (mr *MockCertificaterMockRecorder) GetCertificateChain() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificateChain", reflect.TypeOf((*MockCertificater)(nil).GetCertificateChain)) +} + +// GetPrivateKey mocks base method +func (m *MockCertificater) GetPrivateKey() []byte { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetPrivateKey") + ret0, _ := ret[0].([]byte) + return ret0 +} + +// GetPrivateKey indicates an expected call of GetPrivateKey +func (mr *MockCertificaterMockRecorder) GetPrivateKey() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPrivateKey", reflect.TypeOf((*MockCertificater)(nil).GetPrivateKey)) +} + +// GetIssuingCA mocks base method +func (m *MockCertificater) GetIssuingCA() []byte { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetIssuingCA") + ret0, _ := ret[0].([]byte) + return ret0 +} + +// GetIssuingCA indicates an expected call of GetIssuingCA +func (mr *MockCertificaterMockRecorder) GetIssuingCA() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetIssuingCA", reflect.TypeOf((*MockCertificater)(nil).GetIssuingCA)) +} + +// GetExpiration mocks base method +func (m *MockCertificater) GetExpiration() time.Time { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetExpiration") + ret0, _ := ret[0].(time.Time) + return ret0 +} + +// GetExpiration indicates an expected call of GetExpiration +func (mr *MockCertificaterMockRecorder) GetExpiration() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetExpiration", reflect.TypeOf((*MockCertificater)(nil).GetExpiration)) +} + +// MockManager is a mock of Manager interface +type MockManager struct { + ctrl *gomock.Controller + recorder *MockManagerMockRecorder +} + +// MockManagerMockRecorder is the mock recorder for MockManager +type MockManagerMockRecorder struct { + mock *MockManager +} + +// NewMockManager creates a new mock instance +func NewMockManager(ctrl *gomock.Controller) *MockManager { + mock := &MockManager{ctrl: ctrl} + mock.recorder = &MockManagerMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use +func (m *MockManager) EXPECT() *MockManagerMockRecorder { + return m.recorder +} + +// IssueCertificate mocks base method +func (m *MockManager) IssueCertificate(arg0 CommonName, arg1 time.Duration) (Certificater, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "IssueCertificate", arg0, arg1) + ret0, _ := ret[0].(Certificater) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// IssueCertificate indicates an expected call of IssueCertificate +func (mr *MockManagerMockRecorder) IssueCertificate(arg0, arg1 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IssueCertificate", reflect.TypeOf((*MockManager)(nil).IssueCertificate), arg0, arg1) +} + +// GetCertificate mocks base method +func (m *MockManager) GetCertificate(arg0 CommonName) (Certificater, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetCertificate", arg0) + ret0, _ := ret[0].(Certificater) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// GetCertificate indicates an expected call of GetCertificate +func (mr *MockManagerMockRecorder) GetCertificate(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificate", reflect.TypeOf((*MockManager)(nil).GetCertificate), arg0) +} + +// RotateCertificate mocks base method +func (m *MockManager) RotateCertificate(arg0 CommonName) (Certificater, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "RotateCertificate", arg0) + ret0, _ := ret[0].(Certificater) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// RotateCertificate indicates an expected call of RotateCertificate +func (mr *MockManagerMockRecorder) RotateCertificate(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RotateCertificate", reflect.TypeOf((*MockManager)(nil).RotateCertificate), arg0) +} + +// GetRootCertificate mocks base method +func (m *MockManager) GetRootCertificate() (Certificater, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetRootCertificate") + ret0, _ := ret[0].(Certificater) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// GetRootCertificate indicates an expected call of GetRootCertificate +func (mr *MockManagerMockRecorder) GetRootCertificate() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetRootCertificate", reflect.TypeOf((*MockManager)(nil).GetRootCertificate)) +} + +// ListCertificates mocks base method +func (m *MockManager) ListCertificates() ([]Certificater, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "ListCertificates") + ret0, _ := ret[0].([]Certificater) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// ListCertificates indicates an expected call of ListCertificates +func (mr *MockManagerMockRecorder) ListCertificates() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListCertificates", reflect.TypeOf((*MockManager)(nil).ListCertificates)) +} + +// GetAnnouncementsChannel mocks base method +func (m *MockManager) GetAnnouncementsChannel() <-chan interface{} { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetAnnouncementsChannel") + ret0, _ := ret[0].(<-chan interface{}) + return ret0 +} + +// GetAnnouncementsChannel indicates an expected call of GetAnnouncementsChannel +func (mr *MockManagerMockRecorder) GetAnnouncementsChannel() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAnnouncementsChannel", reflect.TypeOf((*MockManager)(nil).GetAnnouncementsChannel)) +} diff --git a/pkg/envoy/ads/response.go b/pkg/envoy/ads/response.go index e18ea810cd..cd2e47f40b 100644 --- a/pkg/envoy/ads/response.go +++ b/pkg/envoy/ads/response.go @@ -104,7 +104,7 @@ func (s *Server) newAggregatedDiscoveryResponse(proxy *envoy.Proxy, request *xds } log.Trace().Msgf("Invoking handler for %s with request: %+v", typeURL, request) - response, err := handler(s.catalog, proxy, request, cfg) + response, err := handler(s.catalog, proxy, request, cfg, s.certManager) if err != nil { log.Error().Msgf("Responder for TypeUrl %s is not implemented", request.TypeUrl) return nil, errCreatingResponse diff --git a/pkg/envoy/ads/response_test.go b/pkg/envoy/ads/response_test.go index df91a25c03..319fc42989 100644 --- a/pkg/envoy/ads/response_test.go +++ b/pkg/envoy/ads/response_test.go @@ -32,10 +32,12 @@ var _ = Describe("Test ADS response functions", func() { var ( mockCtrl *gomock.Controller mockConfigurator *configurator.MockConfigurator + mockCertManager *certificate.MockManager ) mockCtrl = gomock.NewController(GinkgoT()) mockConfigurator = configurator.NewMockConfigurator(mockCtrl) + mockCertManager = certificate.NewMockManager(mockCtrl) // --- setup kubeClient := testclient.NewSimpleClientset() @@ -111,7 +113,8 @@ var _ = Describe("Test ADS response functions", func() { cache := make(map[certificate.CommonName]certificate.Certificater) certManager := tresor.NewFakeCertManager(&cache, mockConfigurator) cn := certificate.CommonName(fmt.Sprintf("%s.%s.%s", uuid.New(), serviceAccountName, tests.Namespace)) - certPEM, _ := certManager.IssueCertificate(cn, 1*time.Hour) + certDuration := 1 * time.Hour + certPEM, _ := certManager.IssueCertificate(cn, certDuration) cert, _ := certificate.DecodePEMCertificate(certPEM.GetCertificateChain()) server, actualResponses := tests.NewFakeXDSServer(cert, nil, nil) @@ -119,12 +122,14 @@ var _ = Describe("Test ADS response functions", func() { mockConfigurator.EXPECT().IsPrometheusScrapingEnabled().Return(false).AnyTimes() mockConfigurator.EXPECT().IsTracingEnabled().Return(false).AnyTimes() mockConfigurator.EXPECT().IsPermissiveTrafficPolicyMode().Return(false).AnyTimes() + mockConfigurator.EXPECT().GetServiceCertValidityPeriod().Return(certDuration).AnyTimes() It("returns Aggregated Discovery Service response", func() { - s := NewADSServer(mc, true, tests.Namespace, mockConfigurator) + s := NewADSServer(mc, true, tests.Namespace, mockConfigurator, mockCertManager) Expect(s).ToNot(BeNil()) + mockCertManager.EXPECT().IssueCertificate(gomock.Any(), certDuration).Return(certPEM, nil).Times(1) s.sendAllResponses(proxy, &server, mockConfigurator) Expect(actualResponses).ToNot(BeNil()) diff --git a/pkg/envoy/ads/server.go b/pkg/envoy/ads/server.go index 06615a7790..1a5627b0ff 100644 --- a/pkg/envoy/ads/server.go +++ b/pkg/envoy/ads/server.go @@ -22,10 +22,10 @@ import ( const ServerType = "ADS" // NewADSServer creates a new Aggregated Discovery Service server -func NewADSServer(meshCatalog catalog.MeshCataloger, enableDebug bool, osmNamespace string, cfg configurator.Configurator) *Server { +func NewADSServer(meshCatalog catalog.MeshCataloger, enableDebug bool, osmNamespace string, cfg configurator.Configurator, certManager certificate.Manager) *Server { server := Server{ catalog: meshCatalog, - xdsHandlers: map[envoy.TypeURI]func(catalog.MeshCataloger, *envoy.Proxy, *xds_discovery.DiscoveryRequest, configurator.Configurator) (*xds_discovery.DiscoveryResponse, error){ + xdsHandlers: map[envoy.TypeURI]func(catalog.MeshCataloger, *envoy.Proxy, *xds_discovery.DiscoveryRequest, configurator.Configurator, certificate.Manager) (*xds_discovery.DiscoveryResponse, error){ envoy.TypeEDS: eds.NewResponse, envoy.TypeCDS: cds.NewResponse, envoy.TypeRDS: rds.NewResponse, @@ -35,6 +35,7 @@ func NewADSServer(meshCatalog catalog.MeshCataloger, enableDebug bool, osmNamesp enableDebug: enableDebug, osmNamespace: osmNamespace, cfg: cfg, + certManager: certManager, } if enableDebug { diff --git a/pkg/envoy/ads/types.go b/pkg/envoy/ads/types.go index 178f805b3f..352a5b0057 100644 --- a/pkg/envoy/ads/types.go +++ b/pkg/envoy/ads/types.go @@ -19,10 +19,11 @@ var ( // Server implements the Envoy xDS Aggregate Discovery Services type Server struct { catalog catalog.MeshCataloger - xdsHandlers map[envoy.TypeURI]func(catalog.MeshCataloger, *envoy.Proxy, *xds_discovery.DiscoveryRequest, configurator.Configurator) (*xds_discovery.DiscoveryResponse, error) + xdsHandlers map[envoy.TypeURI]func(catalog.MeshCataloger, *envoy.Proxy, *xds_discovery.DiscoveryRequest, configurator.Configurator, certificate.Manager) (*xds_discovery.DiscoveryResponse, error) xdsLog map[certificate.CommonName]map[envoy.TypeURI][]time.Time enableDebug bool osmNamespace string cfg configurator.Configurator + certManager certificate.Manager ready bool } diff --git a/pkg/envoy/cds/response.go b/pkg/envoy/cds/response.go index e0909c3163..c05c6cf74a 100644 --- a/pkg/envoy/cds/response.go +++ b/pkg/envoy/cds/response.go @@ -8,6 +8,7 @@ import ( "github.com/golang/protobuf/ptypes" "github.com/openservicemesh/osm/pkg/catalog" + "github.com/openservicemesh/osm/pkg/certificate" "github.com/openservicemesh/osm/pkg/configurator" "github.com/openservicemesh/osm/pkg/envoy" "github.com/openservicemesh/osm/pkg/featureflags" @@ -15,7 +16,7 @@ import ( ) // NewResponse creates a new Cluster Discovery Response. -func NewResponse(catalog catalog.MeshCataloger, proxy *envoy.Proxy, _ *xds_discovery.DiscoveryRequest, cfg configurator.Configurator) (*xds_discovery.DiscoveryResponse, error) { +func NewResponse(catalog catalog.MeshCataloger, proxy *envoy.Proxy, _ *xds_discovery.DiscoveryRequest, cfg configurator.Configurator, _ certificate.Manager) (*xds_discovery.DiscoveryResponse, error) { svcList, err := catalog.GetServicesFromEnvoyCertificate(proxy.GetCommonName()) if err != nil { log.Error().Err(err).Msgf("Error looking up MeshService for Envoy with CN=%q", proxy.GetCommonName()) diff --git a/pkg/envoy/cds/response_test.go b/pkg/envoy/cds/response_test.go index f2c918e89c..5c1c4e32ff 100644 --- a/pkg/envoy/cds/response_test.go +++ b/pkg/envoy/cds/response_test.go @@ -81,7 +81,7 @@ var _ = Describe("CDS Response", func() { mockConfigurator.EXPECT().GetTracingHost().Return(constants.DefaultTracingHost).AnyTimes() mockConfigurator.EXPECT().GetTracingPort().Return(constants.DefaultTracingPort).AnyTimes() - resp, err := NewResponse(catalog, proxy, nil, mockConfigurator) + resp, err := NewResponse(catalog, proxy, nil, mockConfigurator, nil) Expect(err).ToNot(HaveOccurred()) // There are to any.Any resources in the ClusterDiscoveryStruct (Clusters) diff --git a/pkg/envoy/eds/response.go b/pkg/envoy/eds/response.go index 5419edc759..2a592cff16 100644 --- a/pkg/envoy/eds/response.go +++ b/pkg/envoy/eds/response.go @@ -7,6 +7,7 @@ import ( "github.com/golang/protobuf/ptypes/any" "github.com/openservicemesh/osm/pkg/catalog" + "github.com/openservicemesh/osm/pkg/certificate" "github.com/openservicemesh/osm/pkg/configurator" "github.com/openservicemesh/osm/pkg/endpoint" "github.com/openservicemesh/osm/pkg/envoy" @@ -15,7 +16,7 @@ import ( ) // NewResponse creates a new Endpoint Discovery Response. -func NewResponse(catalog catalog.MeshCataloger, proxy *envoy.Proxy, _ *xds_discovery.DiscoveryRequest, _ configurator.Configurator) (*xds_discovery.DiscoveryResponse, error) { +func NewResponse(catalog catalog.MeshCataloger, proxy *envoy.Proxy, _ *xds_discovery.DiscoveryRequest, _ configurator.Configurator, _ certificate.Manager) (*xds_discovery.DiscoveryResponse, error) { svcList, err := catalog.GetServicesFromEnvoyCertificate(proxy.GetCommonName()) if err != nil { log.Error().Err(err).Msgf("Error looking up MeshService for Envoy with CN=%q", proxy.GetCommonName()) diff --git a/pkg/envoy/eds/response_test.go b/pkg/envoy/eds/response_test.go index 8bdd93b35f..5c92fc7ad1 100644 --- a/pkg/envoy/eds/response_test.go +++ b/pkg/envoy/eds/response_test.go @@ -65,7 +65,7 @@ var _ = Describe("Test EDS response", func() { Expect(err).ToNot(HaveOccurred()) } - _, err := NewResponse(catalog, proxy, nil, mockConfigurator) + _, err := NewResponse(catalog, proxy, nil, mockConfigurator, nil) Expect(err).ToNot(HaveOccurred()) }) @@ -81,7 +81,7 @@ var _ = Describe("Test EDS response", func() { // Don't create a pod/service for this proxy, this should result in an error when the // service is being looked up based on the proxy's certificate - _, err := NewResponse(catalog, proxy, nil, mockConfigurator) + _, err := NewResponse(catalog, proxy, nil, mockConfigurator, nil) Expect(err).To(HaveOccurred()) }) }) diff --git a/pkg/envoy/lds/response.go b/pkg/envoy/lds/response.go index 8cc9ac989b..0ab70ed5b2 100644 --- a/pkg/envoy/lds/response.go +++ b/pkg/envoy/lds/response.go @@ -2,10 +2,10 @@ package lds import ( xds_discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3" - "github.com/golang/protobuf/ptypes" "github.com/openservicemesh/osm/pkg/catalog" + "github.com/openservicemesh/osm/pkg/certificate" "github.com/openservicemesh/osm/pkg/configurator" "github.com/openservicemesh/osm/pkg/constants" "github.com/openservicemesh/osm/pkg/envoy" @@ -22,7 +22,7 @@ const ( // 1. Inbound listener to handle incoming traffic // 2. Outbound listener to handle outgoing traffic // 3. Prometheus listener for metrics -func NewResponse(catalog catalog.MeshCataloger, proxy *envoy.Proxy, _ *xds_discovery.DiscoveryRequest, cfg configurator.Configurator) (*xds_discovery.DiscoveryResponse, error) { +func NewResponse(catalog catalog.MeshCataloger, proxy *envoy.Proxy, _ *xds_discovery.DiscoveryRequest, cfg configurator.Configurator, _ certificate.Manager) (*xds_discovery.DiscoveryResponse, error) { svcList, err := catalog.GetServicesFromEnvoyCertificate(proxy.GetCommonName()) if err != nil { log.Error().Err(err).Msgf("Error looking up MeshService for Envoy with CN=%q", proxy.GetCommonName()) diff --git a/pkg/envoy/rds/response.go b/pkg/envoy/rds/response.go index 9748c8ef59..258dd9ad4e 100644 --- a/pkg/envoy/rds/response.go +++ b/pkg/envoy/rds/response.go @@ -7,6 +7,7 @@ import ( "github.com/golang/protobuf/ptypes" "github.com/openservicemesh/osm/pkg/catalog" + "github.com/openservicemesh/osm/pkg/certificate" "github.com/openservicemesh/osm/pkg/configurator" "github.com/openservicemesh/osm/pkg/envoy" "github.com/openservicemesh/osm/pkg/envoy/route" @@ -16,7 +17,7 @@ import ( ) // NewResponse creates a new Route Discovery Response. -func NewResponse(catalog catalog.MeshCataloger, proxy *envoy.Proxy, _ *xds_discovery.DiscoveryRequest, _ configurator.Configurator) (*xds_discovery.DiscoveryResponse, error) { +func NewResponse(catalog catalog.MeshCataloger, proxy *envoy.Proxy, _ *xds_discovery.DiscoveryRequest, _ configurator.Configurator, _ certificate.Manager) (*xds_discovery.DiscoveryResponse, error) { svcList, err := catalog.GetServicesFromEnvoyCertificate(proxy.GetCommonName()) if err != nil { log.Error().Err(err).Msgf("Error looking up MeshService for Envoy with CN=%q", proxy.GetCommonName()) diff --git a/pkg/envoy/sds/response.go b/pkg/envoy/sds/response.go index b55e442d52..2bf991285e 100644 --- a/pkg/envoy/sds/response.go +++ b/pkg/envoy/sds/response.go @@ -23,7 +23,7 @@ var directionMap = map[envoy.SDSCertType]string{ } // NewResponse creates a new Secrets Discovery Response. -func NewResponse(catalog catalog.MeshCataloger, proxy *envoy.Proxy, request *xds_discovery.DiscoveryRequest, _ configurator.Configurator) (*xds_discovery.DiscoveryResponse, error) { +func NewResponse(catalog catalog.MeshCataloger, proxy *envoy.Proxy, request *xds_discovery.DiscoveryRequest, cfg configurator.Configurator, certManager certificate.Manager) (*xds_discovery.DiscoveryResponse, error) { log.Info().Msgf("Composing SDS Discovery Response for proxy: %s", proxy.GetCommonName()) svcList, err := catalog.GetServicesFromEnvoyCertificate(proxy.GetCommonName()) @@ -34,9 +34,9 @@ func NewResponse(catalog catalog.MeshCataloger, proxy *envoy.Proxy, request *xds return nil, err } - cert, err := catalog.GetCertificateForService(serviceForProxy) + cert, err := certManager.IssueCertificate(serviceForProxy.GetCommonName(), cfg.GetServiceCertValidityPeriod()) if err != nil { - log.Error().Err(err).Msgf("Error obtaining a certificate for client %s", proxy.GetCommonName()) + log.Error().Err(err).Msgf("Error issuing a certificate for proxy service %s", serviceForProxy) return nil, err }