consul/connect/proxy/proxy.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package proxy

import (
	"crypto/x509"

	"github.com/hashicorp/go-hclog"

	"github.com/hashicorp/consul/api"
	"github.com/hashicorp/consul/connect"
	"github.com/hashicorp/consul/lib"
)

// Proxy implements the built-in connect proxy.
type Proxy struct {
	client     *api.Client
	cfgWatcher ConfigWatcher
	stopChan   chan struct{}
	logger     hclog.Logger
	service    *connect.Service
}

// New returns a proxy with the given configuration source.
//
// The ConfigWatcher can be used to update the configuration of the proxy.
// Whenever a new configuration is detected, the proxy will reconfigure itself.
func New(client *api.Client, cw ConfigWatcher, logger hclog.Logger) (*Proxy, error) {
	return &Proxy{
		client:     client,
		cfgWatcher: cw,
		stopChan:   make(chan struct{}),
		logger:     logger,
	}, nil
}

// Serve the proxy instance until a fatal error occurs or proxy is closed.
func (p *Proxy) Serve() error {
	var cfg *Config

	// failCh is used to stop Serve and return an error from another goroutine we
	// spawn.
	failCh := make(chan error, 1)

	// Watch for config changes (initial setup happens on first "change")
	for {
		select {
		case err := <-failCh:
			// don't log here, we can log with better context at the point where we
			// write the err to the chan
			return err

		case newCfg := <-p.cfgWatcher.Watch():
			p.logger.Debug("got new config")

			if cfg == nil {
				// Initial setup

				// Setup telemetry if configured
				// NOTE(kit): As far as I can tell, all of the metrics in the proxy are generated at runtime, so we
				//  don't have any static metrics we initialize at start.
				_, err := lib.InitTelemetry(newCfg.Telemetry, p.logger)
				if err != nil {
					p.logger.Error("proxy telemetry config error", "error", err)
				}

				// Setup Service instance now we know target ID etc
				service, err := newCfg.Service(p.client, p.logger)
				if err != nil {
					return err
				}
				p.service = service

				go func() {
					<-service.ReadyWait()
					p.logger.Info("Proxy loaded config and ready to serve")
					tcfg := service.ServerTLSConfig()
					cert, _ := tcfg.GetCertificate(nil)
					leaf, _ := x509.ParseCertificate(cert.Certificate[0])
					p.logger.Info("Parsed TLS identity", "uri", leaf.URIs[0])

					// Only start a listener if we have a port set. This allows
					// the configuration to disable our public listener.
					if newCfg.PublicListener.BindPort != 0 {
						newCfg.PublicListener.applyDefaults()
						l := NewPublicListener(p.service, newCfg.PublicListener, p.logger)
						err = p.startListener("public listener", l)
						if err != nil {
							// This should probably be fatal.
							p.logger.Error("failed to start public listener", "error", err)
							failCh <- err
						}

					}
				}()
			}

			// TODO(banks) update/remove upstreams properly based on a diff with current. Can
			// store a map of uc.String() to Listener here and then use it to only
			// start one of each and stop/modify if changes occur.
			for _, uc := range newCfg.Upstreams {
				uc.applyDefaults()

				if uc.LocalBindSocketPath != "" {
					p.logger.Error("local_bind_socket_path is not supported with this proxy implementation. "+
						"Can't start upstream.", "upstream", uc.String())
					continue
				}

				if uc.LocalBindPort < 1 {
					p.logger.Error("upstream has no local_bind_port. "+
						"Can't start upstream.", "upstream", uc.String())
					continue
				}

				l := NewUpstreamListener(p.service, p.client, uc, p.logger)
				err := p.startListener(uc.String(), l)
				if err != nil {
					p.logger.Error("failed to start upstream",
						"upstream", uc.String(),
						"error", err,
					)
				}
			}
			cfg = newCfg

		case <-p.stopChan:
			if p.service != nil {
				p.service.Close()
			}
			return nil
		}
	}
}

// startPublicListener is run from the internal state machine loop
func (p *Proxy) startListener(name string, l *Listener) error {
	p.logger.Info("Starting listener", "listener", name, "bind_addr", l.BindAddr())
	go func() {
		err := l.Serve()
		if err != nil {
			p.logger.Error("listener stopped with error", "listener", name, "error", err)
			return
		}
		p.logger.Info("listener stopped", "listener", name)
	}()

	go func() {
		<-p.stopChan
		l.Close()

	}()

	return nil
}

// Close stops the proxy and terminates all active connections. It must be
// called only once.
func (p *Proxy) Close() {
	close(p.stopChan)
}
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2023-03-28 22:48:58 +00:00			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 2023-08-11 13:12:13 +00:00			`// SPDX-License-Identifier: BUSL-1.1`
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2023-03-28 22:48:58 +00:00
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`package proxy`

			`import (`
TLS watching integrated into Service with some basic tests. There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code. 2018-04-26 13:01:20 +00:00			`"crypto/x509"`
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00
connect/proxy: fixes logic bug preventing builtin/native proxy from starting upstream listeners (#10486) Fixes #10480 Also fixed a data race in the `connect/proxy` package that was unearthed by the tests changed for this bugfix. 2021-06-24 20:02:34 +00:00			`"github.com/hashicorp/go-hclog"`

Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`"github.com/hashicorp/consul/api"`
			`"github.com/hashicorp/consul/connect"`
Basic proxy telemetry working; not sure if it's too ugly; need to instrument things we care about 2018-06-08 15:18:58 +00:00			`"github.com/hashicorp/consul/lib"`
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`)`

			`// Proxy implements the built-in connect proxy.`
			`type Proxy struct {`
			`client *api.Client`
			`cfgWatcher ConfigWatcher`
			`stopChan chan struct{}`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`logger hclog.Logger`
TLS watching integrated into Service with some basic tests. There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code. 2018-04-26 13:01:20 +00:00			`service *connect.Service`
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`}`

connect/proxy: don't require proxy ID 2018-05-19 07:11:51 +00:00			`// New returns a proxy with the given configuration source.`
			`//`
			`// The ConfigWatcher can be used to update the configuration of the proxy.`
			`// Whenever a new configuration is detected, the proxy will reconfigure itself.`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`func New(client api.Client, cw ConfigWatcher, logger hclog.Logger) (Proxy, error) {`
connect/proxy: don't require proxy ID 2018-05-19 07:11:51 +00:00			`return &Proxy{`
TLS watching integrated into Service with some basic tests. There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code. 2018-04-26 13:01:20 +00:00			`client: client,`
			`cfgWatcher: cw,`
			`stopChan: make(chan struct{}),`
			`logger: logger,`
connect/proxy: don't require proxy ID 2018-05-19 07:11:51 +00:00			`}, nil`
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`}`

			`// Serve the proxy instance until a fatal error occurs or proxy is closed.`
			`func (p *Proxy) Serve() error {`
			`var cfg *Config`

Make proxy only listen after initial certs are fetched 2018-06-15 20:04:04 +00:00			`// failCh is used to stop Serve and return an error from another goroutine we`
			`// spawn.`
			`failCh := make(chan error, 1)`

Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`// Watch for config changes (initial setup happens on first "change")`
			`for {`
			`select {`
Make proxy only listen after initial certs are fetched 2018-06-15 20:04:04 +00:00			`case err := <-failCh:`
			`// don't log here, we can log with better context at the point where we`
			`// write the err to the chan`
			`return err`

Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`case newCfg := <-p.cfgWatcher.Watch():`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`p.logger.Debug("got new config")`
TLS watching integrated into Service with some basic tests. There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code. 2018-04-26 13:01:20 +00:00
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`if cfg == nil {`
			`// Initial setup`

Basic proxy telemetry working; not sure if it's too ugly; need to instrument things we care about 2018-06-08 15:18:58 +00:00			`// Setup telemetry if configured`
first pass on agent-configured prometheusDefs and adding defs for every consul metric 2020-11-13 02:12:12 +00:00			`// NOTE(kit): As far as I can tell, all of the metrics in the proxy are generated at runtime, so we`
			`// don't have any static metrics we initialize at start.`
Retry on bad dogstatsd connection (#13091) - Introduce a new telemetry configurable parameter retry_failed_connection. User can set the value to true to let consul agent continue its start process on failed connection to datadog server. When set to false, agent will stop on failed start. The default behavior is true. Co-authored-by: Dan Upton <daniel@floppy.co> Co-authored-by: Evan Culver <eculver@users.noreply.github.com> 2022-05-19 20:03:46 +00:00			`_, err := lib.InitTelemetry(newCfg.Telemetry, p.logger)`
Refactor to use embedded struct. 2018-06-14 12:52:48 +00:00			`if err != nil {`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`p.logger.Error("proxy telemetry config error", "error", err)`
Basic proxy telemetry working; not sure if it's too ugly; need to instrument things we care about 2018-06-08 15:18:58 +00:00			`}`

TLS watching integrated into Service with some basic tests. There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code. 2018-04-26 13:01:20 +00:00			`// Setup Service instance now we know target ID etc`
connect/proxy: use the right variable for loading the new service 2018-05-19 07:20:43 +00:00			`service, err := newCfg.Service(p.client, p.logger)`
TLS watching integrated into Service with some basic tests. There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code. 2018-04-26 13:01:20 +00:00			`if err != nil {`
			`return err`
			`}`
			`p.service = service`

			`go func() {`
			`<-service.ReadyWait()`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`p.logger.Info("Proxy loaded config and ready to serve")`
TLS watching integrated into Service with some basic tests. There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code. 2018-04-26 13:01:20 +00:00			`tcfg := service.ServerTLSConfig()`
			`cert, _ := tcfg.GetCertificate(nil)`
			`leaf, _ := x509.ParseCertificate(cert.Certificate[0])`
Update go version to 1.18.1 2022-04-14 20:55:10 +00:00			`p.logger.Info("Parsed TLS identity", "uri", leaf.URIs[0])`
TLS watching integrated into Service with some basic tests. There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code. 2018-04-26 13:01:20 +00:00
Make proxy only listen after initial certs are fetched 2018-06-15 20:04:04 +00:00			`// Only start a listener if we have a port set. This allows`
			`// the configuration to disable our public listener.`
			`if newCfg.PublicListener.BindPort != 0 {`
			`newCfg.PublicListener.applyDefaults()`
			`l := NewPublicListener(p.service, newCfg.PublicListener, p.logger)`
			`err = p.startListener("public listener", l)`
			`if err != nil {`
			`// This should probably be fatal.`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`p.logger.Error("failed to start public listener", "error", err)`
Make proxy only listen after initial certs are fetched 2018-06-15 20:04:04 +00:00			`failCh <- err`
			`}`
Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) - A new endpoint `/v1/agent/service/:service_id` which is a generic way to look up the service for a single instance. The primary value here is that it: - supports hash-based blocking and so; - replaces `/agent/connect/proxy/:proxy_id` as the mechanism the built-in proxy uses to read its config. - It's not proxy specific and so works for any service. - It has a temporary shim to call through to the existing endpoint to preserve current managed proxy config defaulting behaviour until that is removed entirely (tested). - The built-in proxy now uses the new endpoint exclusively for it's config - The built-in proxy now has a `-sidecar-for` flag that allows the service ID of the _target_ service to be specified, on the condition that there is exactly one "sidecar" proxy (that is one that has `Proxy.DestinationServiceID` set) for the service registered. - Several fixes for edge cases for SidecarService - A fix for `Alias` checks - when running locally they didn't update their state until some external thing updated the target. If the target service has no checks registered as below, then the alias never made it past critical. 2018-09-27 14:00:51 +00:00
connect/proxy: don't start public listener if 0 port 2018-05-19 07:46:06 +00:00			`}`
Make proxy only listen after initial certs are fetched 2018-06-15 20:04:04 +00:00			`}()`
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`}`

			`// TODO(banks) update/remove upstreams properly based on a diff with current. Can`
			`// store a map of uc.String() to Listener here and then use it to only`
			`// start one of each and stop/modify if changes occur.`
			`for _, uc := range newCfg.Upstreams {`
			`uc.applyDefaults()`

connect/proxy: fixes logic bug preventing builtin/native proxy from starting upstream listeners (#10486) Fixes #10480 Also fixed a data race in the `connect/proxy` package that was unearthed by the tests changed for this bugfix. 2021-06-24 20:02:34 +00:00			`if uc.LocalBindSocketPath != "" {`
			`p.logger.Error("local_bind_socket_path is not supported with this proxy implementation. "+`
			`"Can't start upstream.", "upstream", uc.String())`
			`continue`
			`}`

			`if uc.LocalBindPort < 1 {`
			`p.logger.Error("upstream has no local_bind_port. "+`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`"Can't start upstream.", "upstream", uc.String())`
TLS watching integrated into Service with some basic tests. There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code. 2018-04-26 13:01:20 +00:00			`continue`
			`}`

Add Proxy Upstreams to Service Definition (#4639) * Refactor Service Definition ProxyDestination. This includes: - Refactoring all internal structs used - Updated tests for both deprecated and new input for: - Agent Services endpoint response - Agent Service endpoint response - Agent Register endpoint - Unmanaged deprecated field - Unmanaged new fields - Managed deprecated upstreams - Managed new - Catalog Register - Unmanaged deprecated field - Unmanaged new fields - Managed deprecated upstreams - Managed new - Catalog Services endpoint response - Catalog Node endpoint response - Catalog Service endpoint response - Updated API tests for all of the above too (both deprecated and new forms of register) TODO: - config package changes for on-disk service definitions - proxy config endpoint - built-in proxy support for new fields * Agent proxy config endpoint updated with upstreams * Config file changes for upstreams. * Add upstream opaque config and update all tests to ensure it works everywhere. * Built in proxy working with new Upstreams config * Command fixes and deprecations * Fix key translation, upstream type defaults and a spate of other subtele bugs found with ned to end test scripts... TODO: tests still failing on one case that needs a fix. I think it's key translation for upstreams nested in Managed proxy struct. * Fix translated keys in API registration. ≈ * Fixes from docs - omit some empty undocumented fields in API - Bring back ServiceProxyDestination in Catalog responses to not break backwards compat - this was removed assuming it was only used internally. * Documentation updates for Upstreams in service definition * Fixes for tests broken by many refactors. * Enable travis on f-connect branch in this branch too. * Add consistent Deprecation comments to ProxyDestination uses * Update version number on deprecation notices, and correct upstream datacenter field with explanation in docs 2018-09-12 16:07:47 +00:00			`l := NewUpstreamListener(p.service, p.client, uc, p.logger)`
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`err := p.startListener(uc.String(), l)`
			`if err != nil {`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`p.logger.Error("failed to start upstream",`
			`"upstream", uc.String(),`
			`"error", err,`
			`)`
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`}`
			`}`
			`cfg = newCfg`

			`case <-p.stopChan:`
Fix race during proxy closing (#13283) p.service is written to within the Serve method. The Serve method also waits for the stopChan to be closed. The race was between Close being called on the proxy causing Close on the service which was written to around the same time in the Serve method. The fix is to have Serve be responsible for closing p.service. 2022-05-27 20:52:03 +00:00			`if p.service != nil {`
			`p.service.Close()`
			`}`
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`return nil`
			`}`
			`}`
			`}`

			`// startPublicListener is run from the internal state machine loop`
			`func (p Proxy) startListener(name string, l Listener) error {`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`p.logger.Info("Starting listener", "listener", name, "bind_addr", l.BindAddr())`
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`go func() {`
			`err := l.Serve()`
			`if err != nil {`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`p.logger.Error("listener stopped with error", "listener", name, "error", err)`
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`return`
			`}`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 2020-01-28 23:50:41 +00:00			`p.logger.Info("listener stopped", "listener", name)`
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`}()`

			`go func() {`
			`<-p.stopChan`
			`l.Close()`
TLS watching integrated into Service with some basic tests. There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code. 2018-04-26 13:01:20 +00:00
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-04-03 18:10:59 +00:00			`}()`

			`return nil`
			`}`

			`// Close stops the proxy and terminates all active connections. It must be`
			`// called only once.`
			`func (p *Proxy) Close() {`
			`close(p.stopChan)`
			`}`