Include virtual services from discovery chain in intention topology (#16862)

This commit is contained in:
Kyle Havlovitz 2023-04-21 09:58:13 -07:00 committed by GitHub
parent d5277af70d
commit 6d01d07cf8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 124 additions and 6 deletions

View File

@ -3039,6 +3039,30 @@ func (s *Store) VirtualIPForService(psn structs.PeeredServiceName) (string, erro
return result.String(), nil
}
func (s *Store) ServiceVirtualIPs() (uint64, []ServiceVirtualIP, error) {
tx := s.db.Txn(false)
defer tx.Abort()
return servicesVirtualIPsTxn(tx)
}
func servicesVirtualIPsTxn(tx ReadTxn) (uint64, []ServiceVirtualIP, error) {
iter, err := tx.Get(tableServiceVirtualIPs, indexID)
if err != nil {
return 0, nil, err
}
var vips []ServiceVirtualIP
for raw := iter.Next(); raw != nil; raw = iter.Next() {
vip := raw.(ServiceVirtualIP)
vips = append(vips, vip)
}
idx := maxIndexWatchTxn(tx, nil, tableServiceVirtualIPs)
return idx, vips, nil
}
func (s *Store) ServiceManualVIPs(psn structs.PeeredServiceName) (*ServiceVirtualIP, error) {
tx := s.db.Txn(false)
defer tx.Abort()

View File

@ -1063,12 +1063,40 @@ func (s *Store) intentionTopologyTxn(
// Ideally those should be excluded as well, since they can't be upstreams/downstreams without a proxy.
// Maybe narrow serviceNamesOfKindTxn to services represented by proxies? (ingress, sidecar-
wildcardMeta := structs.WildcardEnterpriseMetaInPartition(structs.WildcardSpecifier)
var services []*KindServiceName
services := make(map[structs.ServiceName]struct{})
addSvcs := func(svcs []*KindServiceName) {
for _, s := range svcs {
services[s.Service] = struct{}{}
}
}
var tempServices []*KindServiceName
if intentionTarget == structs.IntentionTargetService {
index, services, err = serviceNamesOfKindTxn(tx, ws, structs.ServiceKindTypical, *wildcardMeta)
index, tempServices, err = serviceNamesOfKindTxn(tx, ws, structs.ServiceKindTypical, *wildcardMeta)
if err != nil {
return index, nil, fmt.Errorf("failed to list service names: %v", err)
}
addSvcs(tempServices)
// Query the virtual ip table as well to include virtual services that don't have a registered instance yet.
vipIndex, vipServices, err := servicesVirtualIPsTxn(tx)
if err != nil {
return index, nil, fmt.Errorf("failed to list service virtual IPs: %v", err)
}
for _, svc := range vipServices {
services[svc.Service.ServiceName] = struct{}{}
}
if vipIndex > index {
index = vipIndex
}
} else {
// destinations can only ever be upstream, since they are only allowed as intention destination.
index, services, err = serviceNamesOfKindTxn(tx, ws, structs.ServiceKindDestination, *wildcardMeta)
index, tempServices, err = serviceNamesOfKindTxn(tx, ws, structs.ServiceKindDestination, *wildcardMeta)
if err != nil {
return index, nil, fmt.Errorf("failed to list destination service names: %v", err)
}
addSvcs(tempServices)
}
if err != nil {
return index, nil, fmt.Errorf("failed to list ingress service names: %v", err)
@ -1086,7 +1114,7 @@ func (s *Store) intentionTopologyTxn(
if index > maxIdx {
maxIdx = index
}
services = append(services, ingress...)
addSvcs(ingress)
}
// When checking authorization to upstreams, the match type for the decision is `destination` because we are deciding
@ -1097,8 +1125,7 @@ func (s *Store) intentionTopologyTxn(
decisionMatchType = structs.IntentionMatchSource
}
result := make([]ServiceWithDecision, 0, len(services))
for _, svc := range services {
candidate := svc.Service
for candidate := range services {
if candidate.Name == structs.ConsulServiceName {
continue
}

View File

@ -2161,6 +2161,7 @@ func TestStore_IntentionTopology(t *testing.T) {
name string
defaultDecision acl.EnforcementDecision
intentions []structs.ServiceIntentionsConfigEntry
discoveryChains []structs.ConfigEntry
target structs.ServiceName
downstreams bool
expect expect
@ -2192,6 +2193,68 @@ func TestStore_IntentionTopology(t *testing.T) {
},
},
},
{
name: "(upstream) acl allow includes virtual service",
defaultDecision: acl.Allow,
discoveryChains: []structs.ConfigEntry{
&structs.ServiceResolverConfigEntry{
Kind: structs.ServiceResolver,
Name: "backend",
},
},
target: structs.NewServiceName("web", nil),
downstreams: false,
expect: expect{
idx: 10,
services: structs.ServiceList{
{
Name: "api",
EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
},
{
Name: "backend",
EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
},
{
Name: "mysql",
EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
},
},
},
},
{
name: "(upstream) acl deny all intentions allow virtual service",
defaultDecision: acl.Deny,
discoveryChains: []structs.ConfigEntry{
&structs.ServiceResolverConfigEntry{
Kind: structs.ServiceResolver,
Name: "backend",
},
},
intentions: []structs.ServiceIntentionsConfigEntry{
{
Kind: structs.ServiceIntentions,
Name: "backend",
Sources: []*structs.SourceIntention{
{
Name: "web",
Action: structs.IntentionActionAllow,
},
},
},
},
target: structs.NewServiceName("web", nil),
downstreams: false,
expect: expect{
idx: 11,
services: structs.ServiceList{
{
Name: "backend",
EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
},
},
},
},
{
name: "(upstream) acl deny all intentions allow one",
defaultDecision: acl.Deny,
@ -2378,6 +2441,10 @@ func TestStore_IntentionTopology(t *testing.T) {
require.NoError(t, s.EnsureConfigEntry(idx, &ixn))
idx++
}
for _, entry := range tt.discoveryChains {
require.NoError(t, s.EnsureConfigEntry(idx, entry))
idx++
}
idx, got, err := s.IntentionTopology(nil, tt.target, tt.downstreams, tt.defaultDecision, structs.IntentionTargetService)
require.NoError(t, err)