diff --git a/pkg/catalog/service.go b/pkg/catalog/service.go index 92c2d73acc..f50aa39c9d 100644 --- a/pkg/catalog/service.go +++ b/pkg/catalog/service.go @@ -8,6 +8,7 @@ import ( "github.com/pkg/errors" "github.com/openservicemesh/osm/pkg/constants" + "github.com/openservicemesh/osm/pkg/errcode" "github.com/openservicemesh/osm/pkg/identity" "github.com/openservicemesh/osm/pkg/k8s" "github.com/openservicemesh/osm/pkg/service" @@ -105,7 +106,8 @@ func (mc *MeshCatalog) ListServiceIdentitiesForService(svc service.MeshService) for _, provider := range mc.serviceProviders { serviceIDs, err := provider.ListServiceIdentitiesForService(svc) if err != nil { - log.Err(err).Msgf("Error getting ServiceIdentities for Service %s", svc) + log.Err(err).Str(errcode.Kind, errcode.ErrGettingServiceIdentitiesForService.String()). + Msgf("Error getting ServiceIdentities for Service %s", svc) return nil, err } diff --git a/pkg/catalog/traffictarget.go b/pkg/catalog/traffictarget.go index 022be1b201..151ecbf49b 100644 --- a/pkg/catalog/traffictarget.go +++ b/pkg/catalog/traffictarget.go @@ -6,6 +6,7 @@ import ( mapset "github.com/deckarep/golang-set" smiAccess "github.com/servicemeshinterface/smi-sdk-go/pkg/apis/access/v1alpha3" + "github.com/openservicemesh/osm/pkg/errcode" "github.com/openservicemesh/osm/pkg/identity" "github.com/openservicemesh/osm/pkg/trafficpolicy" ) @@ -92,7 +93,8 @@ func (mc *MeshCatalog) getAllowedDirectionalServiceAccounts(svcIdentity identity if spec.Destination.Kind != serviceAccountKind { // Destination kind is not valid - log.Error().Msgf("Applied TrafficTarget policy %s has invalid Destination kind: %s", trafficTarget.Name, spec.Destination.Kind) + log.Error().Str(errcode.Kind, errcode.ErrInvalidDestinationKind.String()). + Msgf("Applied TrafficTarget policy %s has invalid Destination kind: %s", trafficTarget.Name, spec.Destination.Kind) continue } 
@@ -105,7 +107,8 @@ func (mc *MeshCatalog) getAllowedDirectionalServiceAccounts(svcIdentity identity for _, source := range spec.Sources { if source.Kind != serviceAccountKind { // Destination kind is not valid - log.Error().Msgf("Applied TrafficTarget policy %s has invalid Source kind: %s", trafficTarget.Name, spec.Destination.Kind) + log.Error().Str(errcode.Kind, errcode.ErrInvalidSourceKind.String()). + Msgf("Applied TrafficTarget policy %s has invalid Source kind: %s", trafficTarget.Name, spec.Destination.Kind) continue } @@ -118,7 +121,8 @@ func (mc *MeshCatalog) getAllowedDirectionalServiceAccounts(svcIdentity identity for _, source := range spec.Sources { if source.Kind != serviceAccountKind { // Destination kind is not valid - log.Error().Msgf("Applied TrafficTarget policy %s has invalid Source kind: %s", trafficTarget.Name, spec.Destination.Kind) + log.Error().Str(errcode.Kind, errcode.ErrInvalidSourceKind.String()). + Msgf("Applied TrafficTarget policy %s has invalid Source kind: %s", trafficTarget.Name, spec.Destination.Kind) continue } diff --git a/pkg/envoy/rds/response.go b/pkg/envoy/rds/response.go index 96f4945895..8e5e072195 100644 --- a/pkg/envoy/rds/response.go +++ b/pkg/envoy/rds/response.go @@ -12,6 +12,7 @@ import ( "github.com/openservicemesh/osm/pkg/envoy" "github.com/openservicemesh/osm/pkg/envoy/rds/route" "github.com/openservicemesh/osm/pkg/envoy/registry" + "github.com/openservicemesh/osm/pkg/errcode" "github.com/openservicemesh/osm/pkg/trafficpolicy" ) 
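Review bot: The invalid-source log in both `for _, source := range spec.Sources` loops (this hunk and the `@@ -118,7 +121,8 @@` hunk) still formats `spec.Destination.Kind`, so the record reports the destination's kind rather than the source kind that failed the check. Since the line is being rewritten anyway, pass the value that was tested: `Msgf("Applied TrafficTarget policy %s has invalid Source kind: %s", trafficTarget.Name, source.Kind)`. The context comment above it, `// Destination kind is not valid`, should likewise read `// Source kind is not valid`. As written, an operator reading an ErrInvalidSourceKind record sees a kind that may be perfectly valid and cannot tell which source in the access policy was skipped. getAllowedDirectionalServiceAccounts starts and ends outside these hunks.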
@@ -23,13 +24,15 @@ func NewResponse(cataloger catalog.MeshCataloger, proxy *envoy.Proxy, discoveryR proxyIdentity, err := envoy.GetServiceIdentityFromProxyCertificate(proxy.GetCertificateCommonName()) if err != nil { - log.Error().Err(err).Msgf("Error looking up Service Account for Envoy with serial number=%q", proxy.GetCertificateSerialNumber()) + log.Error().Err(err).Str(errcode.Kind, errcode.ErrGettingServiceIdentity.String()). + Msgf("Error looking up Service Account for Envoy with serial number=%q", proxy.GetCertificateSerialNumber()) return nil, err } services, err := proxyRegistry.ListProxyServices(proxy) if err != nil { - log.Error().Err(err).Msgf("Error looking up services for Envoy with serial number=%q", proxy.GetCertificateSerialNumber()) + log.Error().Err(err).Str(errcode.Kind, errcode.ErrFetchingServiceList.String()). + Msgf("Error looking up services for Envoy with serial number=%q", proxy.GetCertificateSerialNumber()) return nil, err } diff --git a/pkg/envoy/rds/route/route_config.go b/pkg/envoy/rds/route/route_config.go index f008c63044..8b26f95ca5 100644 --- a/pkg/envoy/rds/route/route_config.go +++ b/pkg/envoy/rds/route/route_config.go @@ -13,6 +13,7 @@ import ( "github.com/openservicemesh/osm/pkg/configurator" "github.com/openservicemesh/osm/pkg/constants" "github.com/openservicemesh/osm/pkg/envoy" + "github.com/openservicemesh/osm/pkg/errcode" "github.com/openservicemesh/osm/pkg/service" "github.com/openservicemesh/osm/pkg/trafficpolicy" ) @@ -182,7 +183,8 @@ func buildInboundRoutes(rules []*trafficpolicy.Rule) []*xds_route.Route { // Each route is associated with an RBAC policy rbacPolicyForRoute, err := buildInboundRBACFilterForRule(rule) if err != nil { - log.Error().Err(err).Msgf("Error building RBAC policy for rule [%v], skipping route addition", rule) + log.Error().Err(err).Str(errcode.Kind, errcode.ErrBuildingRBACPolicyForRoute.String()). + Msgf("Error building RBAC policy for rule [%v], skipping route addition", rule) continue } 
diff --git a/pkg/envoy/sds/response.go b/pkg/envoy/sds/response.go index c105cad92b..fc3d994046 100644 --- a/pkg/envoy/sds/response.go +++ b/pkg/envoy/sds/response.go @@ -13,6 +13,7 @@ import ( "github.com/openservicemesh/osm/pkg/envoy" "github.com/openservicemesh/osm/pkg/envoy/registry" "github.com/openservicemesh/osm/pkg/envoy/secrets" + "github.com/openservicemesh/osm/pkg/errcode" "github.com/openservicemesh/osm/pkg/identity" ) @@ -23,7 +24,8 @@ func NewResponse(meshCatalog catalog.MeshCataloger, proxy *envoy.Proxy, request // OSM currently relies on kubernetes ServiceAccount for service identity proxyIdentity, err := envoy.GetServiceIdentityFromProxyCertificate(proxy.GetCertificateCommonName()) if err != nil { - log.Error().Err(err).Msgf("Error retrieving ServiceAccount for proxy %s", proxy.String()) + log.Error().Err(err).Str(errcode.Kind, errcode.ErrGettingServiceIdentity.String()). + Msgf("Error retrieving ServiceAccount for proxy %s", proxy.String()) return nil, err } @@ -67,7 +69,8 @@ func (s *sdsImpl) getSDSSecrets(cert certificate.Certificater, requestedCerts [] for _, requestedCertificate := range requestedCerts { sdsCert, err := secrets.UnmarshalSDSCert(requestedCertificate) if err != nil { - log.Error().Err(err).Msgf("Invalid resource kind requested: %q", requestedCertificate) + log.Error().Err(err).Str(errcode.Kind, errcode.ErrUnmarshallingSDSCert.String()). + Msgf("Invalid resource kind requested: %q", requestedCertificate) continue } 
@@ -78,7 +81,8 @@ func (s *sdsImpl) getSDSSecrets(cert certificate.Certificater, requestedCerts [] case secrets.ServiceCertType: envoySecret, err := getServiceCertSecret(cert, requestedCertificate) if err != nil { - log.Error().Err(err).Msgf("Error creating cert %s for proxy %s", requestedCertificate, proxy.String()) + log.Error().Err(err).Str(errcode.Kind, errcode.ErrGettingServiceCertSecret.String()). + Msgf("Error creating cert %s for proxy %s", requestedCertificate, proxy.String()) continue } certs = append(certs, envoySecret) @@ -170,7 +174,8 @@ func getServiceIdentitiesFromCert(sdscert secrets.SDSCert, serviceIdentity ident // the SANs for this certificate should correspond to the service identities of 'X'. meshSvc, err := sdscert.GetMeshService() if err != nil { - log.Error().Err(err).Msgf("Error unmarshalling upstream service for outbound cert %s", sdscert) + log.Error().Err(err).Str(errcode.Kind, errcode.ErrGettingMeshService.String()). + Msgf("Error unmarshalling upstream service for outbound cert %s", sdscert) return nil, err } svcIdentities, err := meshCatalog.ListServiceIdentitiesForService(*meshSvc) 
@@ -185,12 +190,14 @@ func getServiceIdentitiesFromCert(sdscert secrets.SDSCert, serviceIdentity ident // of this proxy. If it doesn't, then something is wrong in the system. svcAccountInRequest, err := sdscert.GetK8sServiceAccount() if err != nil { - log.Error().Err(err).Msgf("Error unmarshalling service account for inbound mTLS validation cert %s", sdscert) + log.Error().Err(err).Str(errcode.Kind, errcode.ErrGettingK8sServiceAccount.String()). + Msgf("Error unmarshalling service account for inbound mTLS validation cert %s", sdscert) return nil, err } if svcAccountInRequest.ToServiceIdentity() != serviceIdentity { - log.Error().Err(errCertMismatch).Msgf("Request for SDS cert %s does not belong to proxy with identity %s", sdscert.Name, serviceIdentity) + log.Error().Err(errCertMismatch).Str(errcode.Kind, errcode.ErrSDSCertMismatch.String()). + Msgf("Request for SDS cert %s does not belong to proxy with identity %s", sdscert.Name, serviceIdentity) return nil, errCertMismatch } diff --git a/pkg/errcode/errcode.go b/pkg/errcode/errcode.go index b0e79a1dd8..ad7e0fa180 100644 --- a/pkg/errcode/errcode.go +++ b/pkg/errcode/errcode.go @@ -75,6 +75,12 @@ const ( // ErrGettingInboundTrafficTargets indicates the inbound traffic targets composed of its routes for a given // desitination ServiceIdentity could not be obtained ErrGettingInboundTrafficTargets + + // ErrInvalidDestinationKind indicates an applied SMI TrafficTarget policy has an invalid destination kind + ErrInvalidDestinationKind + + // ErrInvalidSourceKind indicated an applied SMI TrafficTarget policy has an invalid source kind + ErrInvalidSourceKind ) // Range 3000-3500 is reserved for errors related to k8s constructs (service accounts, namespaces, etc.) 
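Review bot: The ErrSDSCertMismatch record in the `svcAccountInRequest.ToServiceIdentity() != serviceIdentity` branch logs `sdscert.Name` and the proxy's identity, but not the identity derived from the request, which is the value that failed the comparison. A mismatch here means a proxy asked for a certificate resource tied to an identity other than its own, so the record should be self-contained for whoever triages it: `Msgf("Request for SDS cert %s (identity %s) does not belong to proxy with identity %s", sdscert.Name, svcAccountInRequest.ToServiceIdentity(), serviceIdentity)`. If `sdscert.Name` already encodes the service account this is redundant, which the hunk does not show. getServiceIdentitiesFromCert begins and ends outside the hunk.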
@@ -93,6 +99,9 @@ const ( // ErrGettingServicePorts indicates the mapping of a service's ports to their corresponding application protocol could not be obtained ErrGettingServicePorts + + // ErrGettingServiceIdentitiesForService indicates the ServiceIdentities associated with a specified MeshService could not be listed + ErrGettingServiceIdentitiesForService ) // Range 4000-4100 reserved for errors related to certificate providers @@ -258,6 +267,30 @@ const ( // ErrIngressFilterChain indicates there an error related to an ingress filter chain ErrIngressFilterChain + + // ErrGettingLuaFilter indicates the Lua XDS HttpFilter could not be configured + ErrGettingLuaFilter + + // ErrGettingWASMFilter indicates the WASM XDS HttpFilter could not be configured + ErrGettingWASMFilter + + // ErrBuildingRBACPolicyForRoute indicates a traffic policy rule could not be configured as an RBAC rule on a proxy + ErrBuildingRBACPolicyForRoute + + // ErrUnmarshallingSDSCert indicates the SDS certificate resource could not be unmarshalled + ErrUnmarshallingSDSCert + + // ErrGettingServiceCertSecret indicates a XDS secret containing a TLS certificate could not be retrieved + ErrGettingServiceCertSecret + + // ErrGettingMeshService indicates a SDS secret does not correspond to a MeshService + ErrGettingMeshService + + // ErrGettingK8sServiceAccount indicates a SDS secret does not correspond to a ServiceAccount + ErrGettingK8sServiceAccount + + // ErrSDSCertMismatch indicates the indentity obtained from the SDSCert request does not match the identity of the proxy + ErrSDSCertMismatch ) // String returns the error code as a string, ex. E1000 
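Review bot: `ErrGettingLuaFilter` and `ErrGettingWASMFilter` are declared in the `@@ -258,6 +267,30 @@` hunk and given descriptions further down, but none of the log calls in the part of the diff shown here attach them, so unless they are wired up elsewhere the Lua and WASM filter failures stay untagged. Either add the `Str(errcode.Kind, ...)` call at those sites in this change or hold the two codes back until they are used. Two doc-comment typos in the new constants are also worth fixing: `indentity` in the ErrSDSCertMismatch comment should be `identity`, and `ErrInvalidSourceKind indicated` in the preceding errcode.go hunk should be `indicates`.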
@@ -374,6 +407,14 @@ The associated route was ignored by the system. The system was unable to lookup the services associated with the destination specified in the SMI TrafficTarget policy. The associated SMI TrafficTarget policy was ignored by the system. +`, + + ErrInvalidDestinationKind: ` +An applied SMI TrafficTarget policy has an invalid destination kind. +`, + + ErrInvalidSourceKind: ` +An applied SMI TrafficTarget policy has an invalid source kind. `, ErrGettingInboundTrafficTargets: ` @@ -405,10 +446,14 @@ The mapping of ports the application is exposing a service on to their correspon application protocol could not be obtained for a specified service. `, - // ErrEndpointsNotFound indicates resolvable service endpoints could not be found ErrEndpointsNotFound: ` The system found 0 endpoints to be reached when the service's FQDN was resolved. `, + + ErrGettingServiceIdentitiesForService: ` +The ServiceIdentities associated with a specified MeshService could not be listed. +`, + // // Range 4000-4100 // 
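Review bot: The descriptions added for `ErrInvalidDestinationKind` and `ErrInvalidSourceKind` state the condition but not what the system did about it, unlike the neighbouring entries that close with a sentence such as `The associated SMI TrafficTarget policy was ignored by the system.` The call sites in traffictarget.go `continue` past the offending entry, and for the source case the `continue` sits inside the loop over `spec.Sources`, so only that source is dropped. The source description could end with `The source was ignored by the system.` and the destination one with `The associated SMI TrafficTarget policy was ignored by the system.` (assuming the enclosing loop, which is outside the hunk, iterates over policies). The `ErrGettingMeshService` and `ErrGettingK8sServiceAccount` entries in the last hunk have the same gap; their call sites return the error.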
@@ -577,20 +622,20 @@ server could not be initialized. ErrMismatchedServiceAccount: ` The ServiceAccount referenced in the NodeID does not match the ServiceAccount -specified in the proxy certificate. In this case, the proxy is not allowed to be a -part of the mesh. +specified in the proxy certificate. +The proxy was not allowed to be a part of the mesh. `, ErrGRPCStreamClosedByProxy: ` -The gRPC stream is closed by the proxy and no DiscoveryRequests can be received. -The Stream Agreggated Resource server is terminated for the specified proxy +The gRPC stream was closed by the proxy and no DiscoveryRequests can be received. +The Stream Agreggated Resource server was terminated for the specified proxy. `, ErrUnexpectedXDSRequest: ` The envoy proxy has not completed the initialization phase and it is not ready to receive broadcast updates from control plane related changes. New versions should not be pushed if the first request has not be received. -The broadcast update is ignored for that proxy. +The broadcast update was ignored for that proxy. `, ErrInvalidXDSTypeURI: ` @@ -632,7 +677,7 @@ will not be sent to the Envoy proxy in a ClusterDiscovery response. ErrUnsupportedProtocolForService: ` The application protocol specified for a port is not supported for ingress -traffic. The XDS filter chain for ingress traffic to the port is not created. +traffic. The XDS filter chain for ingress traffic to the port was not created. `, ErrBuildingRBACPolicy: ` 
@@ -642,5 +687,42 @@ policy. ErrIngressFilterChain: ` An XDS filter chain could not be constructed for ingress. +`, + + ErrGettingLuaFilter: ` +The Lua XDS HttpFilter could not be configured. +`, + + ErrGettingWASMFilter: ` +The WASM XDS HttpFilter could not be configured. +`, + + ErrBuildingRBACPolicyForRoute: ` +A traffic policy rule could not be configured as an RBAC rule on the proxy. +The corresponding rule was ignored by the system. +`, + + ErrUnmarshallingSDSCert: ` +The SDS certificate resource could not be unmarshalled. +The corresponding certificate resource was ignored by the system. +`, + + ErrGettingServiceCertSecret: ` +An XDS secret containing a TLS certificate could not be retrieved. +The corresponding secret request was ignored by the system. +`, + + ErrGettingMeshService: ` +The SDS secret does not correspond to a MeshService. +`, + + ErrGettingK8sServiceAccount: ` +The SDS secret does not correspond to a ServiceAccount. +`, + + ErrSDSCertMismatch: ` +The identity obtained from the SDS certificate request does not match the +identity of the proxy. +The corresponding certificate request was ignored by the system. `, }