consul/agent/grpc-external/services/dataplane/get_envoy_bootstrap_params.go

232 lines
7.4 KiB
Go
Raw Normal View History

// Copyright (c) HashiCorp, Inc.
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2023-08-11 13:12:13 +00:00
// SPDX-License-Identifier: BUSL-1.1
package dataplane
import (
"context"
"errors"
"strings"
"github.com/hashicorp/go-hclog"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/known/structpb"
"github.com/hashicorp/consul/internal/catalog"
"github.com/hashicorp/consul/internal/mesh"
pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1"
pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1"
"github.com/hashicorp/consul/proto-public/pbresource"
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/configentry"
"github.com/hashicorp/consul/agent/consul/state"
external "github.com/hashicorp/consul/agent/grpc-external"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/agent/xds/accesslogs"
"github.com/hashicorp/consul/proto-public/pbdataplane"
)
func (s *Server) GetEnvoyBootstrapParams(ctx context.Context, req *pbdataplane.GetEnvoyBootstrapParamsRequest) (*pbdataplane.GetEnvoyBootstrapParamsResponse, error) {
proxyID := req.ProxyId
if req.GetServiceId() != "" {
proxyID = req.GetServiceId()
}
logger := s.Logger.Named("get-envoy-bootstrap-params").With("proxy_id", proxyID, "request_id", external.TraceID())
logger.Trace("Started processing request")
defer logger.Trace("Finished processing request")
options, err := external.QueryOptionsFromContext(ctx)
if err != nil {
return nil, err
}
var authzContext acl.AuthorizerContext
entMeta := acl.NewEnterpriseMetaWithPartition(req.GetPartition(), req.GetNamespace())
authz, err := s.ACLResolver.ResolveTokenAndDefaultMeta(options.Token, &entMeta, &authzContext)
if err != nil {
return nil, status.Error(codes.Unauthenticated, err.Error())
}
if s.EnableV2 {
// Get the workload.
workloadId := &pbresource.ID{
Name: proxyID,
Tenancy: &pbresource.Tenancy{
Namespace: req.Namespace,
Partition: req.Partition,
PeerName: "local",
},
Type: catalog.WorkloadType,
}
workloadRsp, err := s.ResourceAPIClient.Read(ctx, &pbresource.ReadRequest{
Id: workloadId,
})
if err != nil {
// This error should already include the gRPC status code and so we don't need to wrap it
// in status.Error.
return nil, err
}
var workload pbcatalog.Workload
err = workloadRsp.Resource.Data.UnmarshalTo(&workload)
if err != nil {
return nil, status.Error(codes.Internal, "failed to parse workload data")
}
// Only workloads that have an associated identity can ask for proxy bootstrap parameters.
if workload.Identity == "" {
return nil, status.Errorf(codes.InvalidArgument, "workload %q doesn't have identity associated with it", req.ProxyId)
}
// todo (ishustava): ACL enforcement ensuring there's identity:write permissions.
// Get all proxy configurations for this workload. Currently we're only looking
// for proxy configurations in the same tenancy as the workload.
// todo (ishustava): we need to support wildcard proxy configurations as well.
proxyCfgList, err := s.ResourceAPIClient.List(ctx, &pbresource.ListRequest{
Tenancy: workloadRsp.Resource.Id.GetTenancy(),
Type: mesh.ProxyConfigurationType,
})
if err != nil {
return nil, err
}
// Collect and merge proxy configs.
// todo (ishustava): sorting and conflict resolution.
bootstrapCfg := &pbmesh.BootstrapConfig{}
dynamicCfg := &pbmesh.DynamicConfig{}
for _, cfgResource := range proxyCfgList.Resources {
var proxyCfg pbmesh.ProxyConfiguration
err = cfgResource.Data.UnmarshalTo(&proxyCfg)
if err != nil {
return nil, status.Errorf(codes.Internal, "failed to parse proxy configuration data: %q", cfgResource.Id.Name)
}
if isWorkloadSelected(req.ProxyId, proxyCfg.Workloads) {
proto.Merge(bootstrapCfg, proxyCfg.BootstrapConfig)
proto.Merge(dynamicCfg, proxyCfg.DynamicConfig)
}
}
accessLogs := makeAccessLogs(dynamicCfg.GetAccessLogs(), logger)
return &pbdataplane.GetEnvoyBootstrapParamsResponse{
Identity: workload.Identity,
Partition: workloadRsp.Resource.Id.Tenancy.Partition,
Namespace: workloadRsp.Resource.Id.Tenancy.Namespace,
BootstrapConfig: bootstrapCfg,
Datacenter: s.Datacenter,
NodeName: workload.NodeName,
AccessLogs: accessLogs,
}, nil
}
// The remainder of this file focuses on v1 implementation of this endpoint.
store := s.GetStore()
_, svc, err := store.ServiceNode(req.GetNodeId(), req.GetNodeName(), proxyID, &entMeta, structs.DefaultPeerKeyword)
if err != nil {
logger.Error("Error looking up service", "error", err)
if errors.Is(err, state.ErrNodeNotFound) {
return nil, status.Error(codes.NotFound, err.Error())
} else if strings.Contains(err.Error(), "Node ID or name required") {
return nil, status.Error(codes.InvalidArgument, err.Error())
} else {
return nil, status.Error(codes.Internal, "Failure looking up service")
}
}
if svc == nil {
return nil, status.Error(codes.NotFound, "Service not found")
}
if err := authz.ToAllowAuthorizer().ServiceReadAllowed(svc.ServiceName, &authzContext); err != nil {
return nil, status.Error(codes.PermissionDenied, err.Error())
}
_, ns, err := configentry.MergeNodeServiceWithCentralConfig(
nil,
store,
svc.ToNodeService(),
logger,
)
if err != nil {
logger.Error("Error merging with central config", "error", err)
return nil, status.Errorf(codes.Unknown, "Error merging central config: %v", err)
}
bootstrapConfig, err := structpb.NewStruct(ns.Proxy.Config)
if err != nil {
logger.Error("Error creating the envoy boostrap params config", "error", err)
return nil, status.Error(codes.Unknown, "Error creating the envoy boostrap params config")
}
// Inspect access logging
// This is non-essential, and don't want to return an error unless there is a more serious issue
var accessLogs []string
if ns != nil {
accessLogs = makeAccessLogs(&ns.Proxy.AccessLogs, logger)
}
// Build out the response
var serviceName string
if svc.ServiceKind == structs.ServiceKindConnectProxy {
serviceName = svc.ServiceProxy.DestinationServiceName
} else {
serviceName = svc.ServiceName
}
return &pbdataplane.GetEnvoyBootstrapParamsResponse{
Identity: serviceName,
Service: serviceName,
Partition: svc.EnterpriseMeta.PartitionOrDefault(),
Namespace: svc.EnterpriseMeta.NamespaceOrDefault(),
Config: bootstrapConfig,
Datacenter: s.Datacenter,
NodeName: svc.Node,
AccessLogs: accessLogs,
}, nil
}
func makeAccessLogs(logs structs.AccessLogs, logger hclog.Logger) []string {
var accessLogs []string
if logs.GetEnabled() {
envoyLoggers, err := accesslogs.MakeAccessLogs(logs, false)
if err != nil {
logger.Warn("Error creating the envoy access log config", "error", err)
}
accessLogs = make([]string, 0, len(envoyLoggers))
for _, msg := range envoyLoggers {
logConfig, err := protojson.Marshal(msg)
if err != nil {
logger.Warn("Error marshaling the envoy access log config", "error", err)
}
accessLogs = append(accessLogs, string(logConfig))
}
}
return accessLogs
}
func isWorkloadSelected(name string, selector *pbcatalog.WorkloadSelector) bool {
for _, prefix := range selector.Prefixes {
if strings.Contains(name, prefix) {
return true
}
}
for _, selectorName := range selector.Names {
if name == selectorName {
return true
}
}
return false
}