Remove intermediate representation of SPIFFE IDs

xDS only ever uses the string representation, so we can avoid passing
around connect.SpiffeIDService objects around.
This commit is contained in:
freddygv 2022-05-26 19:24:55 -06:00 committed by Freddy
parent 870e7c72d7
commit c8edec0ab6
2 changed files with 24 additions and 33 deletions

View File

@ -180,7 +180,6 @@ func makePassthroughClusters(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message,
} }
for targetID := range targetMap { for targetID := range targetMap {
uid := proxycfg.NewUpstreamIDFromTargetID(targetID) uid := proxycfg.NewUpstreamIDFromTargetID(targetID)
sni := connect.ServiceSNI( sni := connect.ServiceSNI(
@ -216,7 +215,7 @@ func makePassthroughClusters(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message,
cfgSnap.Leaf(), cfgSnap.Leaf(),
makeTLSParametersFromProxyTLSConfig(cfgSnap.MeshConfigTLSOutgoing()), makeTLSParametersFromProxyTLSConfig(cfgSnap.MeshConfigTLSOutgoing()),
) )
err := injectSANMatcher(commonTLSContext, spiffeID) err := injectSANMatcher(commonTLSContext, spiffeID.URI().String())
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to inject SAN matcher rules for cluster %q: %v", sni, err) return nil, fmt.Errorf("failed to inject SAN matcher rules for cluster %q: %v", sni, err)
} }
@ -399,7 +398,7 @@ func (s *ResourceGenerator) injectGatewayServiceAddons(cfgSnap *proxycfg.ConfigS
} }
if mapping.SNI != "" { if mapping.SNI != "" {
tlsContext.Sni = mapping.SNI tlsContext.Sni = mapping.SNI
if err := injectRawSANMatcher(tlsContext.CommonTlsContext, []string{mapping.SNI}); err != nil { if err := injectSANMatcher(tlsContext.CommonTlsContext, mapping.SNI); err != nil {
return fmt.Errorf("failed to inject SNI matcher into TLS context: %v", err) return fmt.Errorf("failed to inject SNI matcher into TLS context: %v", err)
} }
} }
@ -574,7 +573,7 @@ func (s *ResourceGenerator) makeUpstreamClusterForPreparedQuery(upstream structs
endpoints := cfgSnap.ConnectProxy.PreparedQueryEndpoints[uid] endpoints := cfgSnap.ConnectProxy.PreparedQueryEndpoints[uid]
var ( var (
spiffeIDs = make([]connect.SpiffeIDService, 0) spiffeIDs = make([]string, 0)
seen = make(map[string]struct{}) seen = make(map[string]struct{})
) )
for _, e := range endpoints { for _, e := range endpoints {
@ -588,13 +587,14 @@ func (s *ResourceGenerator) makeUpstreamClusterForPreparedQuery(upstream structs
if e.Service.Connect.Native { if e.Service.Connect.Native {
name = e.Service.Service name = e.Service.Service
} }
spiffeIDs = append(spiffeIDs, connect.SpiffeIDService{ spiffeIDs = append(spiffeIDs, connect.SpiffeIDService{
Host: cfgSnap.Roots.TrustDomain, Host: cfgSnap.Roots.TrustDomain,
Namespace: e.Service.NamespaceOrDefault(), Namespace: e.Service.NamespaceOrDefault(),
Partition: e.Service.PartitionOrDefault(), Partition: e.Service.PartitionOrDefault(),
Datacenter: e.Node.Datacenter, Datacenter: e.Node.Datacenter,
Service: name, Service: name,
}) }.URI().String())
} }
// Enable TLS upstream with the configured client certificate. // Enable TLS upstream with the configured client certificate.
@ -683,7 +683,7 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
Partition: target.Partition, Partition: target.Partition,
Datacenter: target.Datacenter, Datacenter: target.Datacenter,
Service: target.Service, Service: target.Service,
} }.URI().String()
if failoverThroughMeshGateway { if failoverThroughMeshGateway {
actualTargetID := firstHealthyTarget( actualTargetID := firstHealthyTarget(
@ -699,9 +699,9 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
} }
} }
spiffeIDs := []connect.SpiffeIDService{targetSpiffeID} spiffeIDs := []string{targetSpiffeID}
seenIDs := map[string]struct{}{ seenIDs := map[string]struct{}{
targetSpiffeID.URI().String(): {}, targetSpiffeID: {},
} }
if failover != nil { if failover != nil {
@ -719,19 +719,19 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
Partition: target.Partition, Partition: target.Partition,
Datacenter: target.Datacenter, Datacenter: target.Datacenter,
Service: target.Service, Service: target.Service,
} }.URI().String()
// Failover targets might be subsets of the same service, so these are deduplicated. // Failover targets might be subsets of the same service, so these are deduplicated.
if _, ok := seenIDs[id.URI().String()]; ok { if _, ok := seenIDs[id]; ok {
continue continue
} }
seenIDs[id.URI().String()] = struct{}{} seenIDs[id] = struct{}{}
spiffeIDs = append(spiffeIDs, id) spiffeIDs = append(spiffeIDs, id)
} }
} }
sort.Slice(spiffeIDs, func(i, j int) bool { sort.Slice(spiffeIDs, func(i, j int) bool {
return spiffeIDs[i].URI().String() < spiffeIDs[j].URI().String() return spiffeIDs[i] < spiffeIDs[j]
}) })
s.Logger.Debug("generating cluster for", "cluster", clusterName) s.Logger.Debug("generating cluster for", "cluster", clusterName)
@ -823,16 +823,7 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
} }
// injectSANMatcher updates a TLS context so that it verifies the upstream SAN. // injectSANMatcher updates a TLS context so that it verifies the upstream SAN.
func injectSANMatcher(tlsContext *envoy_tls_v3.CommonTlsContext, spiffeIDs ...connect.SpiffeIDService) error { func injectSANMatcher(tlsContext *envoy_tls_v3.CommonTlsContext, matchStrings ...string) error {
var matchStrings []string
for _, id := range spiffeIDs {
matchStrings = append(matchStrings, id.URI().String())
}
return injectRawSANMatcher(tlsContext, matchStrings)
}
func injectRawSANMatcher(tlsContext *envoy_tls_v3.CommonTlsContext, matchStrings []string) error {
validationCtx, ok := tlsContext.ValidationContextType.(*envoy_tls_v3.CommonTlsContext_ValidationContext) validationCtx, ok := tlsContext.ValidationContextType.(*envoy_tls_v3.CommonTlsContext_ValidationContext)
if !ok { if !ok {
return fmt.Errorf("invalid type: expected CommonTlsContext_ValidationContext, got %T", return fmt.Errorf("invalid type: expected CommonTlsContext_ValidationContext, got %T",

View File

@ -234,9 +234,9 @@ func xdsNewUpstreamTransportSocket(
t *testing.T, t *testing.T,
snap *proxycfg.ConfigSnapshot, snap *proxycfg.ConfigSnapshot,
sni string, sni string,
uri ...connect.SpiffeIDService, spiffeID ...string,
) *envoy_core_v3.TransportSocket { ) *envoy_core_v3.TransportSocket {
return xdsNewTransportSocket(t, snap, false, false, sni, uri...) return xdsNewTransportSocket(t, snap, false, false, sni, spiffeID...)
} }
func xdsNewTransportSocket( func xdsNewTransportSocket(
@ -245,7 +245,7 @@ func xdsNewTransportSocket(
downstream bool, downstream bool,
requireClientCert bool, requireClientCert bool,
sni string, sni string,
uri ...connect.SpiffeIDService, spiffeID ...string,
) *envoy_core_v3.TransportSocket { ) *envoy_core_v3.TransportSocket {
// Assume just one root for now, can get fancier later if needed. // Assume just one root for now, can get fancier later if needed.
caPEM := snap.Roots.Roots[0].RootCert caPEM := snap.Roots.Roots[0].RootCert
@ -262,8 +262,8 @@ func xdsNewTransportSocket(
}, },
}, },
} }
if len(uri) > 0 { if len(spiffeID) > 0 {
require.NoError(t, injectSANMatcher(commonTLSContext, uri...)) require.NoError(t, injectSANMatcher(commonTLSContext, spiffeID...))
} }
var tlsContext proto.Message var tlsContext proto.Message
@ -365,22 +365,22 @@ func makeTestCluster(t *testing.T, snap *proxycfg.ConfigSnapshot, fixtureName st
Namespace: "default", Namespace: "default",
Datacenter: "dc1", Datacenter: "dc1",
Service: "db", Service: "db",
} }.URI().String()
geocacheSNI = "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul" geocacheSNI = "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
geocacheURIs = []connect.SpiffeIDService{ geocacheURIs = []string{
{ connect.SpiffeIDService{
Host: "11111111-2222-3333-4444-555555555555.consul", Host: "11111111-2222-3333-4444-555555555555.consul",
Namespace: "default", Namespace: "default",
Datacenter: "dc1", Datacenter: "dc1",
Service: "geo-cache-target", Service: "geo-cache-target",
}, }.URI().String(),
{ connect.SpiffeIDService{
Host: "11111111-2222-3333-4444-555555555555.consul", Host: "11111111-2222-3333-4444-555555555555.consul",
Namespace: "default", Namespace: "default",
Datacenter: "dc2", Datacenter: "dc2",
Service: "geo-cache-target", Service: "geo-cache-target",
}, }.URI().String(),
} }
) )