Introduce meshtls facade to hide rustls crate (#1353)

In #1351, we add an alternate identity/mtls implementation that uses
`boring`. To setup for that, this change introduces a new `meshtls`
crate that serves as a facade for application crates to depend on,
independently of the actual crypto implementation.

This change does not change any runtime logic and sets up for #1351 to
enable an alternate TLS implementation as a build-time configuration.

Cargo.lock

@@ -674,8 +674,9 @@ dependencies = [
  "linkerd-http-classify",
  "linkerd-http-metrics",
  "linkerd-http-retry",
- "linkerd-identity-default",
+ "linkerd-identity",
  "linkerd-io",
+ "linkerd-meshtls",
  "linkerd-metrics",
  "linkerd-opencensus",
  "linkerd-proxy-api-resolve",
@@ -743,8 +744,8 @@ dependencies = [
  "libfuzzer-sys",
  "linkerd-app-core",
  "linkerd-app-test",
- "linkerd-identity-default",
  "linkerd-io",
+ "linkerd-meshtls-rustls",
  "linkerd-server-policy",
  "linkerd-tonic-watch",
  "linkerd-tracing",
@@ -799,8 +800,8 @@ dependencies = [
  "linkerd-app-test",
  "linkerd-http-retry",
  "linkerd-identity",
- "linkerd-identity-default",
  "linkerd-io",
+ "linkerd-meshtls-rustls",
  "linkerd-tracing",
  "parking_lot",
  "pin-project",
@@ -1000,7 +1001,35 @@ dependencies = [
 ]
 
 [[package]]
-name = "linkerd-identity-default"
+name = "linkerd-io"
+version = "0.1.0"
+dependencies = [
+ "async-trait",
+ "bytes",
+ "futures",
+ "linkerd-errno",
+ "pin-project",
+ "tokio",
+ "tokio-test",
+ "tokio-util",
+]
+
+[[package]]
+name = "linkerd-meshtls"
+version = "0.1.0"
+dependencies = [
+ "futures",
+ "linkerd-error",
+ "linkerd-identity",
+ "linkerd-io",
+ "linkerd-meshtls-rustls",
+ "linkerd-stack",
+ "linkerd-tls",
+ "pin-project",
+]
+
+[[package]]
+name = "linkerd-meshtls-rustls"
 version = "0.1.0"
 dependencies = [
  "futures",
@@ -1022,20 +1051,6 @@ dependencies = [
  "webpki",
 ]
 
-[[package]]
-name = "linkerd-io"
-version = "0.1.0"
-dependencies = [
- "async-trait",
- "bytes",
- "futures",
- "linkerd-errno",
- "pin-project",
- "tokio",
- "tokio-test",
- "tokio-util",
-]
-
 [[package]]
 name = "linkerd-metrics"
 version = "0.1.0"
@@ -1202,8 +1217,8 @@ dependencies = [
  "ipnet",
  "linkerd-conditional",
  "linkerd-error",
- "linkerd-identity-default",
  "linkerd-io",
+ "linkerd-meshtls",
  "linkerd-proxy-http",
  "linkerd-stack",
  "linkerd-tls",

Cargo.toml

@@ -29,8 +29,9 @@ members = [
     "linkerd/http-metrics",
     "linkerd/http-retry",
     "linkerd/identity",
-    "linkerd/identity/default",
     "linkerd/io",
+    "linkerd/meshtls",
+    "linkerd/meshtls/rustls",
     "linkerd/metrics",
     "linkerd/opencensus",
     "linkerd/proxy/api-resolve",

linkerd/app/core/Cargo.toml

@@ -12,6 +12,10 @@ This crate conglomerates proxy configuration, runtime administration, etc,
 independently of the inbound and outbound proxy logic.
 """
 
+[features]
+default = ["meshtls-rustls"]
+meshtls-rustls = ["linkerd-meshtls/rustls"]
+
 [dependencies]
 bytes = "1"
 drain = { version = "0.1.0", features = ["retain"] }
@@ -33,8 +37,9 @@ linkerd-exp-backoff = { path = "../../exp-backoff" }
 linkerd-http-classify = { path = "../../http-classify" }
 linkerd-http-metrics = { path = "../../http-metrics" }
 linkerd-http-retry = { path = "../../http-retry" }
-linkerd-identity-default = { path = "../../identity/default" }
+linkerd-identity = { path = "../../identity" }
 linkerd-io = { path = "../../io" }
+linkerd-meshtls = { path = "../../meshtls", default-features = false }
 linkerd-metrics = { path = "../../metrics", features = ["linkerd-stack"] }
 linkerd-opencensus = { path = "../../opencensus" }
 linkerd-proxy-core = { path = "../../proxy/core" }

linkerd/app/core/src/lib.rs

@@ -20,10 +20,8 @@ pub use linkerd_dns;
 pub use linkerd_error::{is_error, Error, Infallible, Recover, Result};
 pub use linkerd_exp_backoff as exp_backoff;
 pub use linkerd_http_metrics as http_metrics;
-pub use linkerd_identity_default as identity;
 pub use linkerd_io as io;
 pub use linkerd_opencensus as opencensus;
-pub use linkerd_proxy_identity_client as identity_client;
 pub use linkerd_service_profiles as profiles;
 pub use linkerd_stack_metrics as stack_metrics;
 pub use linkerd_stack_tracing as stack_tracing;
@@ -51,6 +49,12 @@ pub mod transport;
 
 pub use self::addr_match::{AddrMatch, IpMatch, NameMatch};
 
+pub mod identity {
+    pub use linkerd_identity::*;
+    pub use linkerd_meshtls::*;
+    pub use linkerd_proxy_identity_client as client;
+}
+
 pub const CANONICAL_DST_HEADER: &str = "l5d-dst-canonical";
 
 const DEFAULT_PORT: u16 = 80;

linkerd/app/inbound/Cargo.toml

@@ -34,7 +34,7 @@ libfuzzer-sys = { version = "0.4.2", features = ["arbitrary-derive"] }
 hyper = { version = "0.14.14", features = ["http1", "http2"] }
 linkerd-app-test = { path = "../test" }
 linkerd-io = { path = "../../io", features = ["tokio-test"] }
-linkerd-identity-default = { path = "../../identity/default", features = ["test-util"] }
+linkerd-meshtls-rustls = { path = "../../meshtls/rustls", features = ["test-util"] }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
 tokio = { version = "1", features = ["full", "macros"] }
 tokio-test = "0.4"

linkerd/app/inbound/fuzz/Cargo.toml

@@ -17,7 +17,7 @@ libfuzzer-sys = { version = "0.4.2", features = ["arbitrary-derive"] }
 linkerd-app-core = { path = "../../core" }
 linkerd-app-inbound = { path = ".." }
 linkerd-app-test = { path = "../../test" }
-linkerd-identity-default = { path = "../../../identity/default", features = ["test-util"] }
+linkerd-meshtls-rustls = { path = "../../../meshtls/rustls", features = ["test-util"] }
 linkerd-tracing = { path = "../../../tracing", features = ["ansi"] }
 tokio = { version = "1", features = ["full"] }
 tracing = "0.1"

linkerd/app/inbound/src/test_util.rs

@@ -3,7 +3,9 @@ pub use futures::prelude::*;
 use linkerd_app_core::{
     config,
     dns::Suffix,
-    drain, exp_backoff, identity, metrics,
+    drain, exp_backoff,
+    identity::rustls,
+    metrics,
     proxy::{
         http::{h1, h2},
         tap,
@@ -73,7 +75,7 @@ pub fn runtime() -> (ProxyRuntime, drain::Signal) {
     let (tap, _) = tap::new();
     let (metrics, _) = metrics::Metrics::new(std::time::Duration::from_secs(10));
     let runtime = ProxyRuntime {
-        identity: identity::creds::default_for_test().1,
+        identity: rustls::creds::default_for_test().1.into(),
         metrics: metrics.proxy,
         tap,
         span_sink: None,

linkerd/app/outbound/Cargo.toml

@@ -32,7 +32,7 @@ pin-project = "1"
 hyper = { version = "0.14.14", features = ["http1", "http2"] }
 linkerd-app-test = { path = "../test" }
 linkerd-io = { path = "../../io", features = ["tokio-test"] }
-linkerd-identity-default = { path = "../../identity/default", features = ["test-util"] }
+linkerd-meshtls-rustls = { path = "../../meshtls/rustls", features = ["test-util"] }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
 parking_lot = "0.11"
 tokio = { version = "1", features = ["time", "macros"] }

linkerd/app/outbound/src/test_util.rs

@@ -1,7 +1,7 @@
 use crate::Config;
 pub use futures::prelude::*;
 use linkerd_app_core::{
-    config, drain, exp_backoff, identity, metrics,
+    config, drain, exp_backoff, metrics,
     proxy::{
         http::{h1, h2},
         tap,
@@ -53,7 +53,7 @@ pub(crate) fn runtime() -> (ProxyRuntime, drain::Signal) {
     let (tap, _) = tap::new();
     let (metrics, _) = metrics::Metrics::new(std::time::Duration::from_secs(10));
     let runtime = ProxyRuntime {
-        identity: identity::creds::default_for_test().1,
+        identity: linkerd_meshtls_rustls::creds::default_for_test().1.into(),
         metrics: metrics.proxy,
         tap,
         span_sink: None,

linkerd/app/src/env.rs

@@ -2,7 +2,6 @@ use crate::core::{
     addr,
     config::*,
     control::{Config as ControlConfig, ControlAddr},
-    identity_client,
     proxy::http::{h1, h2},
     tls,
     transport::{Keepalive, ListenAddr},
@@ -1102,14 +1101,7 @@ pub fn parse_control_addr<S: Strings>(
 
 pub fn parse_identity_config<S: Strings>(
     strings: &S,
-) -> Result<
-    (
-        ControlAddr,
-        identity_client::certify::Config,
-        identity::Documents,
-    ),
-    EnvError,
-> {
+) -> Result<(ControlAddr, identity::certify::Config, identity::Documents), EnvError> {
     let control = parse_control_addr(strings, ENV_IDENTITY_SVC_BASE);
     let ta = parse(strings, ENV_IDENTITY_TRUST_ANCHORS, |s| {
         if s.is_empty() {

linkerd/app/src/identity.rs

@@ -1,15 +1,17 @@
+pub use linkerd_app_core::identity::{
+    client::{certify, TokenSource},
+    InvalidName, LocalId, Name,
+};
 use linkerd_app_core::{
     control, dns,
     exp_backoff::{ExponentialBackoff, ExponentialBackoffStream},
-    identity::{creds, Credentials, DerX509},
-    identity_client::{Certify, Metrics as IdentityMetrics},
+    identity::{
+        client::{Certify, Metrics as IdentityMetrics},
+        creds, Credentials, DerX509, Mode,
+    },
     metrics::ControlHttp as ClientMetrics,
     Error, Result,
 };
-pub use linkerd_app_core::{
-    identity::{InvalidName, LocalId, Name},
-    identity_client::{certify, TokenSource},
-};
 use std::{future::Future, pin::Pin};
 use tokio::sync::watch;
 use tracing::Instrument;
@@ -53,7 +55,7 @@ struct NotifyReady {
 
 impl Config {
     pub fn build(self, dns: dns::Resolver, client_metrics: ClientMetrics) -> Result<Identity> {
-        let (store, receiver) = creds::watch(
+        let (store, receiver) = Mode::default().watch(
             (*self.documents.id).clone(),
             &self.documents.trust_anchors_pem,
             &self.documents.key_pkcs8,

linkerd/meshtls/Cargo.toml

@@ -0,0 +1,22 @@
+[package]
+name = "linkerd-meshtls"
+version = "0.1.0"
+authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
+license = "Apache-2.0"
+edition = "2018"
+publish = false
+
+[features]
+default = ["rustls"]
+rustls = ["linkerd-meshtls-rustls"]
+
+
+[dependencies]
+futures = { version = "0.3", default-features = false }
+linkerd-error = { path = "../error" }
+linkerd-identity = { path = "../identity" }
+linkerd-io = { path = "../io" }
+linkerd-meshtls-rustls = { path = "rustls", optional = true }
+linkerd-stack = { path = "../stack" }
+linkerd-tls = { path = "../tls" }
+pin-project = "1"

linkerd/meshtls/build.rs

@@ -0,0 +1,16 @@
+fn main() -> Result<(), Box<dyn std::error::Error>> {
+    // Ensure that at least one TLS implementation feature is enabled.
+    static TLS_FEATURES: &[&str] = &["rustls"];
+    if !TLS_FEATURES
+        .iter()
+        .any(|f| std::env::var_os(&*format!("CARGO_FEATURE_{}", f.to_ascii_uppercase())).is_some())
+    {
+        return Err(format!(
+            "at least one of the following TLS implementations must be enabled: '{}'",
+            TLS_FEATURES.join("', '"),
+        )
+        .into());
+    }
+
+    Ok(())
+}

linkerd/identity/default/Cargo.toml → linkerd/meshtls/rustls/Cargo.toml

@@ -1,5 +1,5 @@
 [package]
-name = "linkerd-identity-default"
+name = "linkerd-meshtls-rustls"
 version = "0.1.0"
 authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
 license = "Apache-2.0"
@@ -19,7 +19,7 @@ linkerd-tls = { path = "../../tls" }
 linkerd-tls-test-util = { path = "../../tls/test-util", optional = true }
 ring = { version = "0.16.19", features = ["std"] }
 thiserror = "1"
-tokio = { version = "1", features = ["macros", "sync"] }
+tokio = { version = "1", features = ["macros", "rt", "sync"] }
 tokio-rustls = "0.22"
 tracing = "0.1"
 webpki = "0.21"

linkerd/identity/default/src/lib.rs → linkerd/meshtls/rustls/src/lib.rs

@@ -9,4 +9,3 @@ pub use self::{
     client::{ClientIo, Connect, ConnectFuture, NewClient},
     server::{Server, ServerIo, TerminateFuture},
 };
-pub use linkerd_identity::*;