2023-03-28 18:39:22 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
2023-08-11 13:12:13 +00:00
|
|
|
// SPDX-License-Identifier: BUSL-1.1
|
2023-03-28 18:39:22 +00:00
|
|
|
|
2023-02-08 21:52:12 +00:00
|
|
|
package xds
|
|
|
|
|
|
|
|
import (
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
|
2024-04-15 20:45:05 +00:00
|
|
|
envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
|
|
|
|
envoy_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
|
2023-02-08 21:52:12 +00:00
|
|
|
"google.golang.org/protobuf/proto"
|
|
|
|
|
|
|
|
"github.com/hashicorp/consul/agent/proxycfg"
|
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
|
|
)
|
|
|
|
|
|
|
|
// secretsFromSnapshot returns the xDS API representation of the "secrets"
|
|
|
|
// in the snapshot
|
|
|
|
func (s *ResourceGenerator) secretsFromSnapshot(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error) {
|
|
|
|
if cfgSnap == nil {
|
|
|
|
return nil, errors.New("nil config given")
|
|
|
|
}
|
|
|
|
|
|
|
|
switch cfgSnap.Kind {
|
2024-04-15 20:45:05 +00:00
|
|
|
case structs.ServiceKindAPIGateway:
|
|
|
|
return s.secretsFromSnapshotAPIGateway(cfgSnap), nil // return any attached certs
|
2023-02-08 21:52:12 +00:00
|
|
|
case structs.ServiceKindConnectProxy,
|
|
|
|
structs.ServiceKindTerminatingGateway,
|
|
|
|
structs.ServiceKindMeshGateway,
|
2024-04-15 20:45:05 +00:00
|
|
|
structs.ServiceKindIngressGateway:
|
2023-02-08 21:52:12 +00:00
|
|
|
return nil, nil
|
|
|
|
default:
|
|
|
|
return nil, fmt.Errorf("Invalid service kind: %v", cfgSnap.Kind)
|
|
|
|
}
|
|
|
|
}
|
2024-04-15 20:45:05 +00:00
|
|
|
|
|
|
|
// secretsFromSnapshotAPIGateway returns the "secrets" for an api-gateway service
|
|
|
|
func (s *ResourceGenerator) secretsFromSnapshotAPIGateway(cfgSnap *proxycfg.ConfigSnapshot) []proto.Message {
|
|
|
|
var resources []proto.Message
|
|
|
|
|
|
|
|
cfgSnap.APIGateway.FileSystemCertificates.ForEachKey(func(ref structs.ResourceReference) bool {
|
|
|
|
cert, ok := cfgSnap.APIGateway.FileSystemCertificates.Get(ref)
|
|
|
|
if !ok || cert == nil {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
resources = append(resources, &envoy_tls_v3.Secret{
|
|
|
|
Name: ref.Name,
|
|
|
|
Type: &envoy_tls_v3.Secret_TlsCertificate{
|
|
|
|
TlsCertificate: &envoy_tls_v3.TlsCertificate{
|
|
|
|
CertificateChain: &envoy_core_v3.DataSource{
|
|
|
|
Specifier: &envoy_core_v3.DataSource_Filename{
|
|
|
|
Filename: cert.Certificate,
|
|
|
|
}},
|
|
|
|
PrivateKey: &envoy_core_v3.DataSource{
|
|
|
|
Specifier: &envoy_core_v3.DataSource_Filename{
|
|
|
|
Filename: cert.PrivateKey,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
})
|
|
|
|
return true
|
|
|
|
})
|
|
|
|
|
|
|
|
return resources
|
|
|
|
}
|