consul/agent/configentry/merge_service_config.go
Derek Menteer af3439b53d
Ensure that upstream configuration is properly normalized. (#19076)
This PR fixes an issue where upstreams did not correctly inherit the proper
namespace / partition from the parent service when attempting to fetch the
upstream protocol due to inconsistent normalization.

Some of the merge-service-configuration logic would normalize to default, while
some of the proxycfg logic would normalize to match the parent service. Due to
this mismatch in logic, an incorrect service-defaults configuration entry would
be fetched and have its protocol applied to the upstream.
2023-10-06 13:59:47 -05:00

259 lines
8.9 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package configentry
import (
"fmt"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-memdb"
"github.com/imdario/mergo"
"github.com/mitchellh/copystructure"
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/structs"
)
type StateStore interface {
ReadResolvedServiceConfigEntries(memdb.WatchSet, string, *acl.EnterpriseMeta, []structs.ServiceID, structs.ProxyMode) (uint64, *ResolvedServiceConfigSet, error)
}
// MergeNodeServiceWithCentralConfig merges a service instance (NodeService) with the
// proxy-defaults/global and service-defaults/:service config entries.
// This common helper is used by the blocking query function of different RPC endpoints
// that need to return a fully resolved service defintion.
func MergeNodeServiceWithCentralConfig(
ws memdb.WatchSet,
state StateStore,
unmergedNS *structs.NodeService,
logger hclog.Logger) (uint64, *structs.NodeService, error) {
ns := unmergedNS.WithNormalizedUpstreams()
serviceName := ns.Service
if ns.IsSidecarProxy() {
// This is a sidecar proxy, ignore the proxy service's config since we are
// managed by the target service config.
serviceName = ns.Proxy.DestinationServiceName
}
var upstreams []structs.PeeredServiceName
for _, us := range ns.Proxy.Upstreams {
if us.DestinationType == "" || us.DestinationType == structs.UpstreamDestTypeService {
upstreams = append(upstreams, us.DestinationID())
}
}
configReq := &structs.ServiceConfigRequest{
Name: serviceName,
MeshGateway: ns.Proxy.MeshGateway,
Mode: ns.Proxy.Mode,
UpstreamServiceNames: upstreams,
EnterpriseMeta: ns.EnterpriseMeta,
}
// prefer using this vs directly calling the ConfigEntry.ResolveServiceConfig RPC
// so as to pass down the same watch set to also watch on changes to
// proxy-defaults/global and service-defaults.
cfgIndex, configEntries, err := state.ReadResolvedServiceConfigEntries(
ws,
configReq.Name,
&configReq.EnterpriseMeta,
configReq.GetLocalUpstreamIDs(),
configReq.Mode,
)
if err != nil {
return 0, nil, fmt.Errorf("Failure looking up service config entries for %s: %v",
ns.ID, err)
}
defaults, err := ComputeResolvedServiceConfig(
configReq,
configEntries,
logger,
)
if err != nil {
return 0, nil, fmt.Errorf("Failure computing service defaults for %s: %v",
ns.ID, err)
}
mergedns, err := MergeServiceConfig(defaults, ns)
if err != nil {
return 0, nil, fmt.Errorf("Failure merging service definition with config entry defaults for %s: %v",
ns.ID, err)
}
return cfgIndex, mergedns, nil
}
// MergeServiceConfig merges the service into defaults to produce the final effective
// config for the specified service.
func MergeServiceConfig(defaults *structs.ServiceConfigResponse, service *structs.NodeService) (*structs.NodeService, error) {
if defaults == nil {
return service, nil
}
// We don't want to change s.registration in place since it is our source of
// truth about what was actually registered before defaults applied. So copy
// it first.
nsRaw, err := copystructure.Copy(service)
if err != nil {
return nil, err
}
// Merge proxy defaults
ns := nsRaw.(*structs.NodeService)
if err := mergo.Merge(&ns.Proxy.Config, defaults.ProxyConfig); err != nil {
return nil, err
}
if err := mergo.Merge(&ns.Proxy.Expose, defaults.Expose); err != nil {
return nil, err
}
if err := mergo.Merge(&ns.Proxy.AccessLogs, defaults.AccessLogs); err != nil {
return nil, err
}
// defaults.EnvoyExtensions contains the extensions from the proxy defaults config entry followed by extensions from
// the service defaults config entry. This adds the extensions to structs.NodeService.Proxy which in turn is copied
// into the proxycfg snapshot to ensure the local service's extensions are accessible from the snapshot.
//
// This will replace any existing extensions in the NodeService but that is ok because defaults.EnvoyExtensions
// should have the latest extensions computed from service defaults and proxy defaults.
ns.Proxy.EnvoyExtensions = nil
if len(defaults.EnvoyExtensions) > 0 {
nsExtensions := make([]structs.EnvoyExtension, len(defaults.EnvoyExtensions))
for i, ext := range defaults.EnvoyExtensions {
nsExtensions[i] = structs.EnvoyExtension{
Name: ext.Name,
Required: ext.Required,
Arguments: ext.Arguments,
}
}
ns.Proxy.EnvoyExtensions = nsExtensions
}
if ratelimit := defaults.RateLimits.ToEnvoyExtension(); ratelimit != nil {
ns.Proxy.EnvoyExtensions = append(ns.Proxy.EnvoyExtensions, *ratelimit)
}
if ns.Proxy.MeshGateway.Mode == structs.MeshGatewayModeDefault {
ns.Proxy.MeshGateway.Mode = defaults.MeshGateway.Mode
}
if ns.Proxy.Mode == structs.ProxyModeDefault {
ns.Proxy.Mode = defaults.Mode
}
if ns.Proxy.TransparentProxy.OutboundListenerPort == 0 {
ns.Proxy.TransparentProxy.OutboundListenerPort = defaults.TransparentProxy.OutboundListenerPort
}
if !ns.Proxy.TransparentProxy.DialedDirectly {
ns.Proxy.TransparentProxy.DialedDirectly = defaults.TransparentProxy.DialedDirectly
}
if ns.Proxy.MutualTLSMode == structs.MutualTLSModeDefault {
ns.Proxy.MutualTLSMode = defaults.MutualTLSMode
}
// remoteUpstreams contains synthetic Upstreams generated from central config (service-defaults.UpstreamConfigs).
remoteUpstreams := make(map[structs.PeeredServiceName]structs.Upstream)
// If the arguments did not fully normalize tenancy stuff, take care of that now.
entMeta := ns.EnterpriseMeta
entMeta.Normalize()
for _, us := range defaults.UpstreamConfigs {
parsed, err := structs.ParseUpstreamConfigNoDefaults(us.Config)
if err != nil {
return nil, fmt.Errorf("failed to parse upstream config map for %s: %v", us.Upstream.String(), err)
}
// If the defaults did not fully normalize tenancy stuff, take care of
// that now too.
psn := us.Upstream // only normalize the copy
psn.ServiceName.EnterpriseMeta.Normalize()
// Normalize the partition field specially.
if psn.Peer != "" {
psn.ServiceName.OverridePartition(entMeta.PartitionOrDefault())
}
remoteUpstreams[psn] = structs.Upstream{
DestinationNamespace: psn.ServiceName.NamespaceOrDefault(),
DestinationPartition: psn.ServiceName.PartitionOrDefault(),
DestinationName: psn.ServiceName.Name,
DestinationPeer: psn.Peer,
Config: us.Config,
MeshGateway: parsed.MeshGateway,
CentrallyConfigured: true,
}
}
// localUpstreams stores the upstreams seen from the local registration so that we can merge in the synthetic entries.
// In transparent proxy mode ns.Proxy.Upstreams will likely be empty because users do not need to define upstreams explicitly.
// So to store upstream-specific flags from central config, we add entries to ns.Proxy.Upstreams with those values.
localUpstreams := make(map[structs.PeeredServiceName]struct{})
// Merge upstream defaults into the local registration
for i := range ns.Proxy.Upstreams {
// Get a pointer not a value copy of the upstream struct
us := &ns.Proxy.Upstreams[i]
if us.DestinationType != "" && us.DestinationType != structs.UpstreamDestTypeService {
continue
}
uid := us.DestinationID()
// Normalize the partition field specially.
if uid.Peer != "" {
uid.ServiceName.OverridePartition(entMeta.PartitionOrDefault())
}
localUpstreams[uid] = struct{}{}
remoteCfg, ok := remoteUpstreams[uid]
if !ok {
// No config defaults to merge
continue
}
// The local upstream config mode has the highest precedence, so only overwrite when it's set to the default
if us.MeshGateway.Mode == structs.MeshGatewayModeDefault {
us.MeshGateway.Mode = remoteCfg.MeshGateway.Mode
}
preMergeProtocol, found := us.Config["protocol"]
// Merge in everything else that is read from the map
if err := mergo.Merge(&us.Config, remoteCfg.Config); err != nil {
return nil, err
}
// Reset the protocol to its pre-merged version for peering upstreams.
if us.DestinationPeer != "" {
if found {
us.Config["protocol"] = preMergeProtocol
} else {
delete(us.Config, "protocol")
}
}
// Delete the mesh gateway key from opaque config since this is the value that was resolved from
// the servers and NOT the final merged value for this upstream.
// Note that we use the "mesh_gateway" key and not other variants like "MeshGateway" because
// UpstreamConfig.MergeInto and ResolveServiceConfig only use "mesh_gateway".
delete(us.Config, "mesh_gateway")
}
// Ensure upstreams present in central config are represented in the local configuration.
// This does not apply outside of transparent mode because in that situation every possible upstream already exists
// inside of ns.Proxy.Upstreams.
if ns.Proxy.Mode == structs.ProxyModeTransparent {
for id, remote := range remoteUpstreams {
if _, ok := localUpstreams[id]; ok {
// Remote upstream is already present locally
continue
}
ns.Proxy.Upstreams = append(ns.Proxy.Upstreams, remote)
}
}
return ns, err
}