openservicemesh · jaellio · Jul 26, 2021 · Jul 11, 2021
@@ -8,6 +8,7 @@ import (
 	"github.com/pkg/errors"
 
 	"github.com/openservicemesh/osm/pkg/constants"
+	"github.com/openservicemesh/osm/pkg/errcode"
 	"github.com/openservicemesh/osm/pkg/identity"
 	"github.com/openservicemesh/osm/pkg/k8s"
 	"github.com/openservicemesh/osm/pkg/service"
@@ -105,7 +106,8 @@ func (mc *MeshCatalog) ListServiceIdentitiesForService(svc service.MeshService)
 	for _, provider := range mc.serviceProviders {
 		serviceIDs, err := provider.ListServiceIdentitiesForService(svc)
 		if err != nil {
-			log.Err(err).Msgf("Error getting ServiceIdentities for Service %s", svc)
+			log.Err(err).Str(errcode.Kind, errcode.ErrGettingServiceIdentitiesForService.String()).
+				Msgf("Error getting ServiceIdentities for Service %s", svc)
 			return nil, err
 		}
 

@@ -6,6 +6,7 @@ import (
 	mapset "github.com/deckarep/golang-set"
 	smiAccess "github.com/servicemeshinterface/smi-sdk-go/pkg/apis/access/v1alpha3"
 
+	"github.com/openservicemesh/osm/pkg/errcode"
 	"github.com/openservicemesh/osm/pkg/identity"
 	"github.com/openservicemesh/osm/pkg/trafficpolicy"
 )
@@ -92,7 +93,8 @@ func (mc *MeshCatalog) getAllowedDirectionalServiceAccounts(svcIdentity identity
 
 		if spec.Destination.Kind != serviceAccountKind {
 			// Destination kind is not valid
-			log.Error().Msgf("Applied TrafficTarget policy %s has invalid Destination kind: %s", trafficTarget.Name, spec.Destination.Kind)
+			log.Error().Str(errcode.Kind, errcode.ErrInvalidDestinationKind.String()).
+				Msgf("Applied TrafficTarget policy %s has invalid Destination kind: %s", trafficTarget.Name, spec.Destination.Kind)
 			continue
 		}
 
@@ -105,7 +107,8 @@ func (mc *MeshCatalog) getAllowedDirectionalServiceAccounts(svcIdentity identity
 			for _, source := range spec.Sources {
 				if source.Kind != serviceAccountKind {
 					// Destination kind is not valid
-					log.Error().Msgf("Applied TrafficTarget policy %s has invalid Source kind: %s", trafficTarget.Name, spec.Destination.Kind)
+					log.Error().Str(errcode.Kind, errcode.ErrInvalidSourceKind.String()).
+						Msgf("Applied TrafficTarget policy %s has invalid Source kind: %s", trafficTarget.Name, spec.Destination.Kind)
 					continue
 				}
 
@@ -118,7 +121,8 @@ func (mc *MeshCatalog) getAllowedDirectionalServiceAccounts(svcIdentity identity
 			for _, source := range spec.Sources {
 				if source.Kind != serviceAccountKind {
 					// Destination kind is not valid
-					log.Error().Msgf("Applied TrafficTarget policy %s has invalid Source kind: %s", trafficTarget.Name, spec.Destination.Kind)
+					log.Error().Str(errcode.Kind, errcode.ErrInvalidSourceKind.String()).
+						Msgf("Applied TrafficTarget policy %s has invalid Source kind: %s", trafficTarget.Name, spec.Destination.Kind)
 					continue
 				}
 

@@ -12,6 +12,7 @@ import (
 	"github.com/openservicemesh/osm/pkg/envoy"
 	"github.com/openservicemesh/osm/pkg/envoy/rds/route"
 	"github.com/openservicemesh/osm/pkg/envoy/registry"
+	"github.com/openservicemesh/osm/pkg/errcode"
 	"github.com/openservicemesh/osm/pkg/trafficpolicy"
 )
 
@@ -23,13 +24,15 @@ func NewResponse(cataloger catalog.MeshCataloger, proxy *envoy.Proxy, discoveryR
 
 	proxyIdentity, err := envoy.GetServiceIdentityFromProxyCertificate(proxy.GetCertificateCommonName())
 	if err != nil {
-		log.Error().Err(err).Msgf("Error looking up Service Account for Envoy with serial number=%q", proxy.GetCertificateSerialNumber())
+		log.Error().Err(err).Str(errcode.Kind, errcode.ErrGettingServiceIdentity.String()).
+			Msgf("Error looking up Service Account for Envoy with serial number=%q", proxy.GetCertificateSerialNumber())
 		return nil, err
 	}
 
 	services, err := proxyRegistry.ListProxyServices(proxy)
 	if err != nil {
-		log.Error().Err(err).Msgf("Error looking up services for Envoy with serial number=%q", proxy.GetCertificateSerialNumber())
+		log.Error().Err(err).Str(errcode.Kind, errcode.ErrFetchingServiceList.String()).
+			Msgf("Error looking up services for Envoy with serial number=%q", proxy.GetCertificateSerialNumber())
 		return nil, err
 	}
 

@@ -13,6 +13,7 @@ import (
 	"github.com/openservicemesh/osm/pkg/configurator"
 	"github.com/openservicemesh/osm/pkg/constants"
 	"github.com/openservicemesh/osm/pkg/envoy"
+	"github.com/openservicemesh/osm/pkg/errcode"
 	"github.com/openservicemesh/osm/pkg/service"
 	"github.com/openservicemesh/osm/pkg/trafficpolicy"
 )
@@ -182,7 +183,8 @@ func buildInboundRoutes(rules []*trafficpolicy.Rule) []*xds_route.Route {
 		// Each route is associated with an RBAC policy
 		rbacPolicyForRoute, err := buildInboundRBACFilterForRule(rule)
 		if err != nil {
-			log.Error().Err(err).Msgf("Error building RBAC policy for rule [%v], skipping route addition", rule)
+			log.Error().Err(err).Str(errcode.Kind, errcode.ErrBuildingRBACPolicyForRoute.String()).
+				Msgf("Error building RBAC policy for rule [%v], skipping route addition", rule)
 			continue
 		}
 

@@ -13,6 +13,7 @@ import (
 	"github.com/openservicemesh/osm/pkg/envoy"
 	"github.com/openservicemesh/osm/pkg/envoy/registry"
 	"github.com/openservicemesh/osm/pkg/envoy/secrets"
+	"github.com/openservicemesh/osm/pkg/errcode"
 	"github.com/openservicemesh/osm/pkg/identity"
 )
 
@@ -23,7 +24,8 @@ func NewResponse(meshCatalog catalog.MeshCataloger, proxy *envoy.Proxy, request
 	// OSM currently relies on kubernetes ServiceAccount for service identity
 	proxyIdentity, err := envoy.GetServiceIdentityFromProxyCertificate(proxy.GetCertificateCommonName())
 	if err != nil {
-		log.Error().Err(err).Msgf("Error retrieving ServiceAccount for proxy %s", proxy.String())
+		log.Error().Err(err).Str(errcode.Kind, errcode.ErrGettingServiceIdentity.String()).
+			Msgf("Error retrieving ServiceAccount for proxy %s", proxy.String())
 		return nil, err
 	}
 
@@ -67,7 +69,8 @@ func (s *sdsImpl) getSDSSecrets(cert certificate.Certificater, requestedCerts []
 	for _, requestedCertificate := range requestedCerts {
 		sdsCert, err := secrets.UnmarshalSDSCert(requestedCertificate)
 		if err != nil {
-			log.Error().Err(err).Msgf("Invalid resource kind requested: %q", requestedCertificate)
+			log.Error().Err(err).Str(errcode.Kind, errcode.ErrUnmarshallingSDSCert.String()).
+				Msgf("Invalid resource kind requested: %q", requestedCertificate)
 			continue
 		}
 
@@ -78,7 +81,8 @@ func (s *sdsImpl) getSDSSecrets(cert certificate.Certificater, requestedCerts []
 		case secrets.ServiceCertType:
 			envoySecret, err := getServiceCertSecret(cert, requestedCertificate)
 			if err != nil {
-				log.Error().Err(err).Msgf("Error creating cert %s for proxy %s", requestedCertificate, proxy.String())
+				log.Error().Err(err).Str(errcode.Kind, errcode.ErrGettingServiceCertSecret.String()).
+					Msgf("Error creating cert %s for proxy %s", requestedCertificate, proxy.String())
 				continue
 			}
 			certs = append(certs, envoySecret)
@@ -170,7 +174,8 @@ func getServiceIdentitiesFromCert(sdscert secrets.SDSCert, serviceIdentity ident
 		// the SANs for this certificate should correspond to the service identities of 'X'.
 		meshSvc, err := sdscert.GetMeshService()
 		if err != nil {
-			log.Error().Err(err).Msgf("Error unmarshalling upstream service for outbound cert %s", sdscert)
+			log.Error().Err(err).Str(errcode.Kind, errcode.ErrGettingMeshService.String()).
+				Msgf("Error unmarshalling upstream service for outbound cert %s", sdscert)
 			return nil, err
 		}
 		svcIdentities, err := meshCatalog.ListServiceIdentitiesForService(*meshSvc)
@@ -185,12 +190,14 @@ func getServiceIdentitiesFromCert(sdscert secrets.SDSCert, serviceIdentity ident
 		// of this proxy. If it doesn't, then something is wrong in the system.
 		svcAccountInRequest, err := sdscert.GetK8sServiceAccount()
 		if err != nil {
-			log.Error().Err(err).Msgf("Error unmarshalling service account for inbound mTLS validation cert %s", sdscert)
+			log.Error().Err(err).Str(errcode.Kind, errcode.ErrGettingK8sServiceAccount.String()).
+				Msgf("Error unmarshalling service account for inbound mTLS validation cert %s", sdscert)
 			return nil, err
 		}
 
 		if svcAccountInRequest.ToServiceIdentity() != serviceIdentity {
-			log.Error().Err(errCertMismatch).Msgf("Request for SDS cert %s does not belong to proxy with identity %s", sdscert.Name, serviceIdentity)
+			log.Error().Err(errCertMismatch).Str(errcode.Kind, errcode.ErrSDSCertMismatch.String()).
+				Msgf("Request for SDS cert %s does not belong to proxy with identity %s", sdscert.Name, serviceIdentity)
 			return nil, errCertMismatch
 		}
 

@@ -75,6 +75,12 @@ const (
 	// ErrGettingInboundTrafficTargets indicates the inbound traffic targets composed of its routes for a given
 	// desitination ServiceIdentity could not be obtained
 	ErrGettingInboundTrafficTargets
+
+	// ErrInvalidDestinationKind indicates an applied SMI TrafficTarget policy has an invalid destination kind
+	ErrInvalidDestinationKind
+
+	// ErrInvalidSourceKind	indicated an applied SMI TrafficTarget policy has an invalid source kind
+	ErrInvalidSourceKind
 )
 
 // Range 3000-3500 is reserved for errors related to k8s constructs (service accounts, namespaces, etc.)
@@ -93,6 +99,9 @@ const (
 
 	// ErrGettingServicePorts indicates the mapping of a service's ports to their corresponding application protocol could not be obtained
 	ErrGettingServicePorts
+
+	// ErrGettingServiceIdentitiesForService indicates the ServiceIdentities associated with a specified MeshService could not be listed
+	ErrGettingServiceIdentitiesForService
 )
 
 // Range 4000-4100 reserved for errors related to certificate providers
@@ -258,6 +267,30 @@ const (
 
 	// ErrIngressFilterChain indicates there an error related to an ingress filter chain
 	ErrIngressFilterChain
+
+	// ErrGettingLuaFilter indicates the Lua XDS HttpFilter could not be configured
+	ErrGettingLuaFilter
+
+	// ErrGettingWASMFilter indicates the WASM XDS HttpFilter could not be configured
+	ErrGettingWASMFilter
+
+	// ErrBuildingRBACPolicyForRoute indicates a traffic policy rule could not be configured as an RBAC rule on a proxy
+	ErrBuildingRBACPolicyForRoute
+
+	// ErrUnmarshallingSDSCert indicates the SDS certificate resource could not be unmarshalled
+	ErrUnmarshallingSDSCert
+
+	// ErrGettingServiceCertSecret indicates a XDS secret containing a TLS certificate could not be retrieved
+	ErrGettingServiceCertSecret
+
+	// ErrGettingMeshService indicates a SDS secret does not correspond to a MeshService
+	ErrGettingMeshService
+
+	// ErrGettingK8sServiceAccount indicates a SDS secret does not correspond to a ServiceAccount
+	ErrGettingK8sServiceAccount
+
+	// ErrSDSCertMismatch indicates the indentity obtained from the SDSCert request does not match the identity of the proxy
+	ErrSDSCertMismatch
 )
 
 // String returns the error code as a string, ex. E1000
@@ -374,6 +407,14 @@ The associated route was ignored by the system.
 The system was unable to lookup the services associated with the destination specified
 in the SMI TrafficTarget policy.
 The associated SMI TrafficTarget policy was ignored by the system.
+`,
+
+	ErrInvalidDestinationKind: `
+An applied SMI TrafficTarget policy has an invalid destination kind.
+`,
+
+	ErrInvalidSourceKind: `
+An applied SMI TrafficTarget policy has an invalid source kind.
 `,
 
 	ErrGettingInboundTrafficTargets: `
@@ -405,10 +446,14 @@ The mapping of ports the application is exposing a service on to their correspon
 application protocol could not be obtained for a specified service.
 `,
 
-	// ErrEndpointsNotFound indicates resolvable service endpoints could not be found
 	ErrEndpointsNotFound: `
 The system found 0 endpoints to be reached when the service's FQDN was resolved.
 `,
+
+	ErrGettingServiceIdentitiesForService: `
+The ServiceIdentities associated with a specified MeshService could not be listed.
+`,
+
 	//
 	// Range 4000-4100
 	//
@@ -577,20 +622,20 @@ server could not be initialized.
 
 	ErrMismatchedServiceAccount: `
 The ServiceAccount referenced in the NodeID does not match the ServiceAccount
-specified in the proxy certificate. In this case, the proxy is not allowed to be a
-part of the mesh.
+specified in the proxy certificate.
+The proxy was not allowed to be a part of the mesh.
 `,
 
 	ErrGRPCStreamClosedByProxy: `
-The gRPC stream is closed by the proxy and no DiscoveryRequests can be received.
-The Stream Agreggated Resource server is terminated for the specified proxy
+The gRPC stream was closed by the proxy and no DiscoveryRequests can be received. 
+The Stream Agreggated Resource server was terminated for the specified proxy.
 `,
 
 	ErrUnexpectedXDSRequest: `
 The envoy proxy has not completed the initialization phase and it is not ready
 to receive broadcast updates from control plane related changes. New versions
 should not be pushed if the first request has not be received.
-The broadcast update is ignored for that proxy.
+The broadcast update was ignored for that proxy.
 `,
 
 	ErrInvalidXDSTypeURI: `
@@ -632,7 +677,7 @@ will not be sent to the Envoy proxy in a ClusterDiscovery response.
 
 	ErrUnsupportedProtocolForService: `
 The application protocol specified for a port is not supported for ingress
-traffic. The XDS filter chain for ingress traffic to the port is not created.
+traffic. The XDS filter chain for ingress traffic to the port was not created.
 `,
 
 	ErrBuildingRBACPolicy: `
@@ -642,5 +687,42 @@ policy.
 
 	ErrIngressFilterChain: `
 An XDS filter chain could not be constructed for ingress.
+`,
+
+	ErrGettingLuaFilter: `
+The Lua XDS HttpFilter could not be configured.
+`,
+
+	ErrGettingWASMFilter: `
+The WASM XDS HttpFilter could not be configured.
+`,
+
+	ErrBuildingRBACPolicyForRoute: `
+A traffic policy rule could not be configured as an RBAC rule on the proxy.
+The corresponding rule was ignored by the system.
+`,
+
+	ErrUnmarshallingSDSCert: `
+The SDS certificate resource could not be unmarshalled.
+The corresponding certificate resource was ignored by the system.
+`,
+
+	ErrGettingServiceCertSecret: `
+An XDS secret containing a TLS certificate could not be retrieved. 
+The corresponding secret request was ignored by the system.
+`,
+
+	ErrGettingMeshService: `
+The SDS secret does not correspond to a MeshService.
+`,
+
+	ErrGettingK8sServiceAccount: `
+The SDS secret does not correspond to a ServiceAccount.
+`,
+
+	ErrSDSCertMismatch: `
+The identity obtained from the SDS certificate request does not match the
+identity of the proxy.
+The corresponding certificate request was ignored by the system.
 `,
 }