From d1a49bc6aac5dc6712a1ce4e53dc62e6a18b11df Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Fri, 26 Jan 2024 15:24:06 -0800 Subject: [PATCH 1/2] bug: fix printable for ir xds Signed-off-by: Arko Dasgupta --- internal/gatewayapi/runner/runner.go | 8 ++------ internal/ir/infra.go | 6 ++++++ internal/ir/xds.go | 18 ++++++++++++++---- 3 files changed, 22 insertions(+), 10 deletions(-) diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index 835ce10fd05..f0c6a4743ff 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go @@ -10,7 +10,6 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" v1 "sigs.k8s.io/gateway-api/apis/v1" - "sigs.k8s.io/yaml" "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway/config" @@ -77,11 +76,6 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { // Translate to IR result := t.Translate(val) - yamlXdsIR, _ := yaml.Marshal(&result.XdsIR) - r.Logger.WithValues("output", "xds-ir").Info(string(yamlXdsIR)) - yamlInfraIR, _ := yaml.Marshal(&result.InfraIR) - r.Logger.WithValues("output", "infra-ir").Info(string(yamlInfraIR)) - var curKeys, newKeys []string // Get current IR keys for key := range r.InfraIR.LoadAll() { @@ -91,6 +85,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { // Publish the IRs. // Also validate the ir before sending it. for key, val := range result.InfraIR { + r.Logger.WithValues("infra-ir", key).Info(val.YAMLString()) if err := val.Validate(); err != nil { r.Logger.Error(err, "unable to validate infra ir, skipped sending it") errChan <- err @@ -101,6 +96,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { } for key, val := range result.XdsIR { + r.Logger.WithValues("xds-ir", key).Info(val.YAMLString()) if err := val.Validate(); err != nil { r.Logger.Error(err, "unable to validate xds ir, skipped sending it") errChan <- err 
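Review bot: The new `r.Logger.WithValues("infra-ir", key).Info(val.YAMLString())` line in the InfraIR loop dumps the whole Infra object unredacted, while the parallel XdsIR line goes through `Printable()` because `Xds.YAMLString` calls it; `Infra.YAMLString` in this patch marshals `&i` directly. ProxyInfra's fields are not visible here, so this is only safe as long as the infra IR never carries credentials, which deserves a comment at the call site such as `// infra IR is logged unredacted; keep secrets out of ProxyInfra or add a Printable() pass` or an `Infra.Printable()` mirroring the xDS one. Both new log calls also run before `Validate()`, so a malformed IR is still dumped in full at Info on every reconcile; `r.Logger.V(1)` would be the usual knob if that proves noisy. subscribeAndTranslate's body starts and ends outside these hunks.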
diff --git a/internal/ir/infra.go b/internal/ir/infra.go index 27813573648..fd9e02d4fbe 100644 --- a/internal/ir/infra.go +++ b/internal/ir/infra.go @@ -13,6 +13,7 @@ import ( "golang.org/x/exp/slices" utilerrors "k8s.io/apimachinery/pkg/util/errors" + "sigs.k8s.io/yaml" "github.com/envoyproxy/gateway/api/v1alpha1" ) @@ -28,6 +29,11 @@ type Infra struct { Proxy *ProxyInfra `json:"proxy" yaml:"proxy"` } +func (i Infra) YAMLString() string { + y, _ := yaml.Marshal(&i) + return string(y) +} + // ProxyInfra defines managed proxy infrastructure. // +k8s:deepcopy-gen=true type ProxyInfra struct { diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 54283111099..af848def83e 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -13,11 +13,11 @@ import ( "reflect" "golang.org/x/exp/slices" - apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/util/validation" + "sigs.k8s.io/yaml" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" egv1a1validation "github.com/envoyproxy/gateway/api/v1alpha1/validation" @@ -155,20 +155,30 @@ func (x Xds) GetUDPListener(name string) *UDPListener { return nil } +func (x Xds) YAMLString() string { + y, _ := yaml.Marshal(x.Printable()) + return string(y) +} + // Printable returns a deep copy of the resource that can be safely logged. func (x Xds) Printable() *Xds { + redacted := []byte("[redacted]") out := x.DeepCopy() for _, listener := range out.HTTP { // Omit field - listener.TLS = nil + if listener.TLS != nil { + for i := range listener.TLS.Certificates { + listener.TLS.Certificates[i].PrivateKey = redacted + } + } for _, route := range listener.Routes { // Omit field if route.OIDC != nil { - route.OIDC.ClientSecret = []byte{} + route.OIDC.ClientSecret = redacted } if route.BasicAuth != nil { - route.BasicAuth.Users = []byte{} + route.BasicAuth.Users = redacted } } } 
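Review bot: `Infra.YAMLString` drops the `yaml.Marshal` error with `y, _ :=`, so a marshal failure produces an empty log line with no hint why. Since the method exists only to feed a logger, surfacing the error inline is enough: `if err != nil { return "marshal error: " + err.Error() }` before `return string(y)`. The exported method also lacks a doc comment; something like `// YAMLString renders the infra IR as YAML for logging. Nothing is redacted.` makes the no-redaction contract explicit for callers who reach for it on a type that may later hold secrets.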
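Review bot: The `// Omit field` comment above the TLS block in `Printable` is now wrong — the field is retained and only `PrivateKey` is blanked — and every other `TLSConfig` field is now logged where previously the whole struct was dropped; suggest `// Keep TLS for debugging but blank out key material; ServerCertificate is public`. Only `out.HTTP` listeners are walked, so if TCP listeners can carry a `TLSConfig` (their struct is not in this hunk) their keys would reach the log unredacted — worth a check or a comment stating they never hold certificates. `Xds.YAMLString` also swallows the `yaml.Marshal` error with `y, _ :=`; returning `err.Error()` on failure is a one-line improvement. Printable's body continues past the hunk.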
From d0088060185386d43acd6919d6759cbdc719dd10 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Fri, 26 Jan 2024 16:23:57 -0800 Subject: [PATCH 2/2] fix test Signed-off-by: Arko Dasgupta --- internal/ir/xds.go | 3 ++- internal/ir/xds_test.go | 16 +++++++++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/internal/ir/xds.go b/internal/ir/xds.go index af848def83e..fa03a6aef15 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -57,6 +57,8 @@ var ( ErrHCHTTPExpectedStatusesInvalid = errors.New("field HTTPHealthChecker.ExpectedStatuses should be specified") ErrHealthCheckPayloadInvalid = errors.New("one of Text, Binary fields must be set in payload") ErrHTTPStatusInvalid = errors.New("HTTPStatus should be in [200,600)") + + redacted = []byte("[redacted]") ) // Xds holds the intermediate representation of a Gateway and is @@ -162,7 +164,6 @@ func (x Xds) YAMLString() string { // Printable returns a deep copy of the resource that can be safely logged. func (x Xds) Printable() *Xds { - redacted := []byte("[redacted]") out := x.DeepCopy() for _, listener := range out.HTTP { // Omit field diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go index 6145fd1e93a..c2a55a4ea2e 100644 --- a/internal/ir/xds_test.go +++ b/internal/ir/xds_test.go @@ -42,6 +42,20 @@ var ( }}}, Routes: []*HTTPRoute{&happyHTTPRoute}, } + redactedHappyHTTPSListener = HTTPListener{ + Name: "happy", + Address: "0.0.0.0", + Port: 80, + Hostnames: []string{"example.com"}, + TLS: &TLSConfig{ + Certificates: []TLSCertificate{{ + + Name: "happy", + ServerCertificate: []byte{1, 2, 3}, + PrivateKey: redacted, + }}}, + Routes: []*HTTPRoute{&happyHTTPRoute}, + } invalidAddrHTTPListener = HTTPListener{ Name: "invalid-addr", Address: "1.0.0", @@ -1217,7 +1231,7 @@ func TestPrintable(t *testing.T) { HTTP: []*HTTPListener{&happyHTTPSListener}, }, want: &Xds{ - HTTP: []*HTTPListener{&happyHTTPListener}, + HTTP: []*HTTPListener{&redactedHappyHTTPSListener}, }, }, }
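Review bot: Hoisting `redacted` to a package-level `[]byte` makes it mutable shared state that every `Printable()` copy aliases through its `PrivateKey`, `ClientSecret` and `Users` fields, so a caller that writes into one of those slices (an index assignment or `copy`) would corrupt the marker for every subsequent log line. A string constant avoids the shared backing array: `const redactedMarker = "[redacted]"` at package level and `redacted := []byte(redactedMarker)` at the top of `Printable`, with the test comparing against `[]byte(redactedMarker)`. It is also placed inside the `Err…` sentinel block without a comment; `// redacted replaces secret bytes in Printable() output` would keep it from being read as an error value.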
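Review bot: The updated `want` in TestPrintable checks only the returned copy; the property that actually protects secrets — `Printable()` must not modify the caller's `Xds` — is untested, and the `for _, listener := range out.HTTP` loop would silently mutate the input if `DeepCopy` ever became shallow over `[]*HTTPListener`. After the call, assert that `happyHTTPSListener.TLS.Certificates[0].PrivateKey` still equals its original bytes (and likewise for any OIDC `ClientSecret` / BasicAuth `Users` fixtures the test table uses). The new `redactedHappyHTTPSListener` literal has a stray blank line after `[]TLSCertificate{{`; gofmt preserves it, so it needs removing by hand. TestPrintable's body starts outside this hunk.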