sds: additional support for symlink-based key rotation.

[htuch]

There are a few limitations in our existing support for symlink-based
key rotation:

• We don't atomically resolve symlinks, so a single snapshot might have
  inconsistent symlink resolutions for different watched files.
• Watches are on parent directories, e.g. for /foo/bar/baz on /foo/bar,
  which doesn't support common key rotation schemes were /foo/new/baz
  is rotated via a mv -Tf /foo/new /foo/bar.

The solution is to provide a structured WatchedDirectory for Secrets to
opt into when monitoring DataSources. SDS will used WatchedDirectory
to setup the inotify watch instead of the DataSource path. On update, it will
read key/cert twice, verifying file content hash consistency.

Risk level: Low (opt-in feature)
Testing: Unit and integration tests added.

Fixes #13663
Fixes #10979
Fixes #13370

Signed-off-by: Harvey Tuch [email protected]

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.

🐱

Caused by: #13721 was opened by htuch.

see: more, trace.

[htuch]

@mattklein123 @lizan @tsaarni can you take a look? This will address #13663, #10979 and #13370, I'd like to obtain consensus on the API before adding implementation and tests.

[tsaarni]

Regardless of working with only a subset of all DataSource use cases, I like this API.

This will work nicely with Kubernetes symlink swap as well, by leaving subdirectory optional 👍

[mattklein123]

At a high level LGTM with a few comments.

[htuch]

I've updated the API to avoid modifying DataSource, introducing a new concept of an opt-in WatchedDirectory. I've also added a draft implementation and a very basis integration test. I'd like to achieve agreement on API and design, at which point I can clean up the implementation and fill out the rest of the tests. @lizan @mattklein123 @tsaarni PTAL.

[htuch]

This now uses hash-based comparison of files after reading twice and validated consistency. This is similar to what gRPC is doing.

[tsaarni]

Looks good to me after the unbound loop in SdsApi::onWatchUpdate() is resolved.

[mattklein123]

Thanks agreed this seems like a better direction. Flushing out a few API questions/comments.

/wait

[htuch]

PTAL, if this makes sense now in terms of API and hash-based comparison implementation then I can fill in the missing tests/docs and move this out of draft.

[mattklein123]

From an API perspective this LGTM with one question. LMK when ready for review and I can take a look.

/wait

[mattklein123]

LGTM with some API comments, thank you!

/wait

[htuch]

@mattklein123 to deal with failure scenarios I had to add some stats, which then forced me to fix SDS stats more generally, since they were broken before (they all ended up anonymously in the root namespace). PTAL and LMK if there's anything else needed around stats here.

[mattklein123]

Thanks LGTM with small questions.

/wait-any

[mattklein123]

I still don't understand how this does anything if there is only a single file above? What's the utility?

[htuch]

Let's say you have a trusted CA files /foo/bar/baz/ca.pem. By default, envoy watches /foo/bar/baz. If you want to reload when baz is atomically moved, you need to set the watch on /foo/bar. This is what this field allows.

[mattklein123]

OK I think having a concrete example might help for this stuff (or ref link back to the docs where you have the example) as it was pretty hard for me to understand the difference.

[mattklein123]

LGTM. Feel free to do any doc updates as a follow up.

[htuch]

Sure, will merge as some folks are depending on this, but I'll take an AI to do the docs followups next week. Thanks.