Implementation of SDS

include/envoy/secret/BUILD

@@ -8,10 +8,16 @@ load(
 
 envoy_package()
 
+envoy_cc_library(
+    name = "secret_callbacks_interface",
+    hdrs = ["secret_callbacks.h"],
+)
+
 envoy_cc_library(
     name = "secret_provider_interface",
     hdrs = ["secret_provider.h"],
     deps = [
+        ":secret_callbacks_interface",
         "//include/envoy/ssl:tls_certificate_config_interface",
     ],
 )
@@ -22,5 +28,6 @@ envoy_cc_library(
     deps = [
         ":secret_provider_interface",
         "@envoy_api//envoy/api/v2/auth:cert_cc",
+        "@envoy_api//envoy/api/v2/core:config_source_cc",
     ],
 )

include/envoy/secret/secret_callbacks.h

@@ -0,0 +1,19 @@
+#pragma once
+
+#include "envoy/common/pure.h"
+
+namespace Envoy {
+namespace Secret {
+
+/**
+ * Callbacks invoked by a dynamic secret provider.
+ */
+class SecretCallbacks {
+public:
+  virtual ~SecretCallbacks() {}
+
+  virtual void onAddOrUpdateSecret() PURE;
+};
+
+} // namespace Secret
+} // namespace Envoy

include/envoy/secret/secret_manager.h

@@ -6,12 +6,17 @@
 #include "envoy/secret/secret_provider.h"
 
 namespace Envoy {
+
+namespace Server {
+namespace Configuration {
+class TransportSocketFactoryContext;
+} // namespace Configuration
+} // namespace Server
+
 namespace Secret {
 
 /**
- * A manager for static secrets.
- *
- * TODO(jaebong) Support dynamic secrets.
+ * A manager for static and dynamic secrets.
  */
 class SecretManager {
 public:
@@ -37,6 +42,20 @@ class SecretManager {
    */
   virtual TlsCertificateConfigProviderSharedPtr createInlineTlsCertificateProvider(
       const envoy::api::v2::auth::TlsCertificate& tls_certificate) PURE;
+
+  /**
+   * Finds and returns a dynamic secret provider associated to SDS config. Create
+   * a new one if such provider does not exist.
+   *
+   * @param config_source a protobuf message object contains SDS config source.
+   * @param config_name a name that uniquely refers to the SDS config source
+   * @param secret_provider_context context that provides components for creating and initializing
+   * secret provider.
+   * @return the dynamic TLS secret provider.
+   */
+  virtual TlsCertificateConfigProviderSharedPtr findOrCreateDynamicSecretProvider(
+      const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name,
+      Server::Configuration::TransportSocketFactoryContext& secret_provider_context) PURE;
 };
 
 } // namespace Secret

include/envoy/secret/secret_provider.h

@@ -1,6 +1,7 @@
 #pragma once
 
 #include "envoy/common/pure.h"
+#include "envoy/secret/secret_callbacks.h"
 #include "envoy/ssl/tls_certificate_config.h"
 
 namespace Envoy {
@@ -18,7 +19,17 @@ template <class SecretType> class SecretProvider {
    */
   virtual const SecretType* secret() const PURE;
 
-  // TODO(lizan): Add more methods for dynamic secret provider.
+  /**
+   * Add secret callback into secret provider.
+   * @param callback callback that is executed by secret provider.
+   */
+  virtual void addUpdateCallback(SecretCallbacks& callback) PURE;
+
+  /**
+   * Remove secret callback from secret provider.
+   * @param callback callback that is executed by secret provider.
+   */
+  virtual void removeUpdateCallback(SecretCallbacks& callback) PURE;
 };
 
 typedef SecretProvider<Ssl::TlsCertificateConfig> TlsCertificateConfigProvider;

include/envoy/server/BUILD

@@ -177,6 +177,7 @@ envoy_cc_library(
     hdrs = ["transport_socket_config.h"],
     deps = [
         "//include/envoy/event:dispatcher_interface",
+        "//include/envoy/init:init_interface",
         "//include/envoy/local_info:local_info_interface",
         "//include/envoy/network:transport_socket_interface",
         "//include/envoy/runtime:runtime_interface",

include/envoy/server/transport_socket_config.h

@@ -3,6 +3,7 @@
 #include <string>
 
 #include "envoy/event/dispatcher.h"
+#include "envoy/init/init.h"
 #include "envoy/local_info/local_info.h"
 #include "envoy/network/transport_socket.h"
 #include "envoy/runtime/runtime.h"
@@ -63,6 +64,18 @@ class TransportSocketFactoryContext {
    * @return the server-wide stats store.
    */
   virtual Stats::Store& stats() PURE;
+
+  /**
+   * Pass an init manager to register dynamic secret provider.
+   * @param init_manager instance of init manager.
+   */
+  virtual void setInitManager(Init::Manager& init_manager) PURE;
+
+  /**
+   * @return a pointer pointing to the instance of an init manager, or nullptr
+   * if not set.
+   */
+  virtual Init::Manager* initManager() PURE;
 };
 
 class TransportSocketConfigFactory {

include/envoy/ssl/BUILD

@@ -22,7 +22,7 @@ envoy_cc_library(
     name = "context_config_interface",
     hdrs = ["context_config.h"],
     deps = [
-        ":tls_certificate_config_interface",
+        "//include/envoy/secret:secret_provider_interface",
     ],
 )
 

include/envoy/ssl/context_config.h

@@ -5,7 +5,8 @@
 #include <vector>
 
 #include "envoy/common/pure.h"
-#include "envoy/ssl/tls_certificate_config.h"
+#include "envoy/secret/secret_callbacks.h"
+#include "envoy/secret/secret_provider.h"
 
 namespace Envoy {
 namespace Ssl {
@@ -95,6 +96,19 @@ class ContextConfig {
    * @return The maximum TLS protocol version to negotiate.
    */
   virtual unsigned maxProtocolVersion() const PURE;
+
+  /**
+   * @return true if the ContextConfig is able to provide secrets to create SSL context,
+   * and false if dynamic secrets are expected but are not downloaded from SDS server yet.
+   */
+  virtual bool isReady() const PURE;
+
+  /**
+   * Add secret callback into context config. When dynamic secrets are in use and new secrets
+   * are downloaded from SDS server, this callback is invoked to update SSL context.
+   * @param callback callback that is executed by context config.
+   */
+  virtual void setSecretUpdateCallback(Secret::SecretCallbacks& callback) PURE;
 };
 
 class ClientContextConfig : public virtual ContextConfig {

source/common/common/logger.h

@@ -44,6 +44,7 @@ namespace Logger {
   FUNCTION(router)               \
   FUNCTION(runtime)              \
   FUNCTION(stats)                \
+  FUNCTION(secret)               \
   FUNCTION(testing)              \
   FUNCTION(thrift)               \
   FUNCTION(tracing)              \

source/common/config/BUILD

@@ -242,6 +242,7 @@ envoy_cc_library(
     hdrs = ["protobuf_link_hacks.h"],
     deps = [
         "@envoy_api//envoy/service/discovery/v2:ads_cc",
+        "@envoy_api//envoy/service/discovery/v2:sds_cc",
         "@envoy_api//envoy/service/ratelimit/v2:rls_cc",
     ],
 )

source/common/config/protobuf_link_hacks.h

@@ -1,6 +1,7 @@
 #pragma once
 
 #include "envoy/service/discovery/v2/ads.pb.h"
+#include "envoy/service/discovery/v2/sds.pb.h"
 #include "envoy/service/ratelimit/v2/rls.pb.h"
 
 namespace Envoy {
@@ -9,4 +10,5 @@ namespace Envoy {
 // This file should be included ONLY if this hack is required.
 const envoy::service::discovery::v2::AdsDummy _ads_dummy;
 const envoy::service::ratelimit::v2::RateLimitRequest _rls_dummy;
+const envoy::service::discovery::v2::SdsDummy _sds_dummy;
 } // namespace Envoy

source/common/config/resources.h

@@ -15,6 +15,7 @@ class TypeUrlValues {
   const std::string Listener{"type.googleapis.com/envoy.api.v2.Listener"};
   const std::string Cluster{"type.googleapis.com/envoy.api.v2.Cluster"};
   const std::string ClusterLoadAssignment{"type.googleapis.com/envoy.api.v2.ClusterLoadAssignment"};
+  const std::string Secret{"type.googleapis.com/envoy.api.v2.auth.Secret"};
   const std::string RouteConfiguration{"type.googleapis.com/envoy.api.v2.RouteConfiguration"};
 };
 

source/common/secret/BUILD

@@ -13,8 +13,11 @@ envoy_cc_library(
     srcs = ["secret_manager_impl.cc"],
     hdrs = ["secret_manager_impl.h"],
     deps = [
+        ":sds_api_lib",
         ":secret_provider_impl_lib",
         "//include/envoy/secret:secret_manager_interface",
+        "//include/envoy/server:transport_socket_config_interface",
+        "//source/common/common:assert_lib",
         "//source/common/common:minimal_logger_lib",
         "@envoy_api//envoy/api/v2/auth:cert_cc",
     ],
@@ -30,3 +33,22 @@ envoy_cc_library(
         "@envoy_api//envoy/api/v2/auth:cert_cc",
     ],
 )
+
+envoy_cc_library(
+    name = "sds_api_lib",
+    srcs = ["sds_api.cc"],
+    hdrs = ["sds_api.h"],
+    deps = [
+        "//include/envoy/config:subscription_interface",
+        "//include/envoy/event:dispatcher_interface",
+        "//include/envoy/init:init_interface",
+        "//include/envoy/local_info:local_info_interface",
+        "//include/envoy/runtime:runtime_interface",
+        "//include/envoy/secret:secret_provider_interface",
+        "//include/envoy/stats:stats_interface",
+        "//source/common/config:resources_lib",
+        "//source/common/config:subscription_factory_lib",
+        "//source/common/protobuf:utility_lib",
+        "//source/common/ssl:tls_certificate_config_impl_lib",
+    ],
+)

source/common/secret/sds_api.cc

@@ -0,0 +1,89 @@
+#include "common/secret/sds_api.h"
+
+#include <unordered_map>
+
+#include "envoy/api/v2/auth/cert.pb.validate.h"
+
+#include "common/config/resources.h"
+#include "common/config/subscription_factory.h"
+#include "common/protobuf/utility.h"
+#include "common/ssl/tls_certificate_config_impl.h"
+
+namespace Envoy {
+namespace Secret {
+
+SdsApi::SdsApi(const LocalInfo::LocalInfo& local_info, Event::Dispatcher& dispatcher,
+               Runtime::RandomGenerator& random, Stats::Store& stats,
+               Upstream::ClusterManager& cluster_manager, Init::Manager& init_manager,
+               const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name,
+               std::function<void()> unregister_secret_provider)
+    : local_info_(local_info), dispatcher_(dispatcher), random_(random), stats_(stats),
+      cluster_manager_(cluster_manager), sds_config_(sds_config), sds_config_name_(sds_config_name),
+      secret_hash_(0), unregister_secret_provider_cb_(unregister_secret_provider) {
+  // TODO(JimmyCYJ): Implement chained_init_manager, so that multiple init_manager
+  // can be chained together to behave as one init_manager. In that way, we let
+  // two listeners which share same SdsApi to register at separate init managers, and
+  // each init manager has a chance to initialize its targets.
+  init_manager.registerTarget(*this);
+}
+
+SdsApi::~SdsApi() { unregister_secret_provider_cb_(); }
+
+void SdsApi::initialize(std::function<void()> callback) {
+  initialize_callback_ = callback;
+
+  subscription_ = Envoy::Config::SubscriptionFactory::subscriptionFromConfigSource<
+      envoy::api::v2::auth::Secret>(
+      sds_config_, local_info_, dispatcher_, cluster_manager_, random_, stats_,
+      /* rest_legacy_constructor */ nullptr,
+      "envoy.service.discovery.v2.SecretDiscoveryService.FetchSecrets",
+      "envoy.service.discovery.v2.SecretDiscoveryService.StreamSecrets");
+  Config::Utility::checkLocalInfo("sds", local_info_);
+
+  subscription_->start({sds_config_name_}, *this);
+}
+
+void SdsApi::onConfigUpdate(const ResourceVector& resources, const std::string&) {
+  if (resources.empty()) {
+    throw EnvoyException(
+        fmt::format("Missing SDS resources for {} in onConfigUpdate()", sds_config_name_));
+  }
+  if (resources.size() != 1) {
+    throw EnvoyException(fmt::format("Unexpected SDS secrets length: {}", resources.size()));
+  }
+  const auto& secret = resources[0];
+  MessageUtil::validate(secret);
+  if (!(secret.name() == sds_config_name_)) {
+    throw EnvoyException(
+        fmt::format("Unexpected SDS secret (expecting {}): {}", sds_config_name_, secret.name()));
+  }
+
+  const uint64_t new_hash = MessageUtil::hash(secret);
+  if (new_hash != secret_hash_ &&
+      secret.type_case() == envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate) {
+    secret_hash_ = new_hash;
+    tls_certificate_secrets_ =
+        std::make_unique<Ssl::TlsCertificateConfigImpl>(secret.tls_certificate());
+
+    for (auto cb : update_callbacks_) {
+      cb->onAddOrUpdateSecret();
+    }
+  }
+
+  runInitializeCallbackIfAny();
+}
+
+void SdsApi::onConfigUpdateFailed(const EnvoyException*) {
+  // We need to allow server startup to continue, even if we have a bad config.
+  runInitializeCallbackIfAny();
+}
+
+void SdsApi::runInitializeCallbackIfAny() {
+  if (initialize_callback_) {
+    initialize_callback_();
+    initialize_callback_ = nullptr;
+  }
+}
+
+} // namespace Secret
+} // namespace Envoy