Update proxycfg to hold more ingress config state

3 years ago · ccbda0c285
4 changed files with 37 additions and 18 deletions
--- a/agent/proxycfg/ingress_gateway.go
+++ b/agent/proxycfg/ingress_gateway.go
@ -80,13 +80,13 @@ func (s *handlerIngressGateway) handleUpdate(ctx context.Context, u cache.Update
 			return fmt.Errorf("invalid type for config entry: %T", resp.Entry)
 		}

-		snap.IngressGateway.TLSEnabled = gatewayConf.TLS.Enabled
-		snap.IngressGateway.TLSSet = true
+		snap.IngressGateway.GatewayConfigLoaded = true
+		snap.IngressGateway.TLSConfig = gatewayConf.TLS

 		// Load each listener's config from the config entry so we don't have to
 		// pass listener config through "upstreams" types as that grows.
 		for _, l := range gatewayConf.Listeners {
-			key := IngressListenerKey{Protocol: l.Protocol, Port: l.Port}
+			key := IngressListenerKeyFromListener(l)
 			snap.IngressGateway.Listeners[key] = l
 		}

@ -123,7 +123,7 @@ func (s *handlerIngressGateway) handleUpdate(ctx context.Context, u cache.Update

 			hosts = append(hosts, service.Hosts...)

-			id := IngressListenerKey{Protocol: service.Protocol, Port: service.Port}
+			id := IngressListenerKeyFromGWService(*service)
 			upstreamsMap[id] = append(upstreamsMap[id], u)
 		}

@ -169,7 +169,9 @@ func makeUpstream(g *structs.GatewayService) structs.Upstream {
 }

 func (s *handlerIngressGateway) watchIngressLeafCert(ctx context.Context, snap *ConfigSnapshot) error {
-	if !snap.IngressGateway.TLSSet || !snap.IngressGateway.HostsSet {
+	// Note that we DON'T test for TLS.Enabled because we need a leaf cert for the
+	// gateway even without TLS to use as a client cert.
+	if !snap.IngressGateway.GatewayConfigLoaded || !snap.IngressGateway.HostsSet {
 		return nil
 	}

@ -197,7 +199,7 @@ func (s *handlerIngressGateway) watchIngressLeafCert(ctx context.Context, snap *
 func (s *handlerIngressGateway) generateIngressDNSSANs(snap *ConfigSnapshot) []string {
 	// Update our leaf cert watch with wildcard entries for our DNS domains as well as any
 	// configured custom hostnames from the service.
-	if !snap.IngressGateway.TLSEnabled {
+	if !snap.IngressGateway.TLSConfig.Enabled {
 		return nil
 	}

--- a/agent/proxycfg/snapshot.go
+++ b/agent/proxycfg/snapshot.go
@ -306,13 +306,13 @@ func (c *configSnapshotMeshGateway) IsEmpty() bool {
 type configSnapshotIngressGateway struct {
 	ConfigSnapshotUpstreams

-	// TLSEnabled is whether this gateway's listeners should have TLS configured.
-	TLSEnabled bool
+	// SDSConfig is the gateway-level SDS configuration. Listener/service level
+	// config is preserved in the Listeners map below.
+	TLSConfig structs.GatewayTLSConfig

-	// TODO(banks): rename to "ConfigLoaded" or something or just remove it since
-	// only usages seem to be places that really should be checking TLSEnabled ==
-	// true anyway?
-	TLSSet bool
+	// GatewayConfigLoaded is used to determine if we have received the initial
+	// ingress-gateway config entry yet.
+	GatewayConfigLoaded bool

 	// Hosts is the list of extra host entries to add to our leaf cert's DNS SANs.
 	Hosts    []string
@ -351,6 +351,14 @@ func (k *IngressListenerKey) RouteName() string {
 	return fmt.Sprintf("%d", k.Port)
 }

+func IngressListenerKeyFromGWService(s structs.GatewayService) IngressListenerKey {
+	return IngressListenerKey{Protocol: s.Protocol, Port: s.Port}
+}
+
+func IngressListenerKeyFromListener(l structs.IngressListener) IngressListenerKey {
+	return IngressListenerKey{Protocol: l.Protocol, Port: l.Port}
+}
+
 // ConfigSnapshot captures all the resulting config needed for a proxy instance.
 // It is meant to be point-in-time coherent and is used to deliver the current
 // config state to observers who need it to be pushed in (e.g. XDS server).
@ -408,7 +416,7 @@ func (s *ConfigSnapshot) Valid() bool {
 	case structs.ServiceKindIngressGateway:
 		return s.Roots != nil &&
 			s.IngressGateway.Leaf != nil &&
-			s.IngressGateway.TLSSet &&
+			s.IngressGateway.GatewayConfigLoaded &&
 			s.IngressGateway.HostsSet
 	default:
 		return false
--- a/agent/proxycfg/state_test.go
+++ b/agent/proxycfg/state_test.go
@ -942,8 +942,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
 						require.False(t, snap.Valid(), "gateway without hosts set is not valid")
-						require.True(t, snap.IngressGateway.TLSSet)
-						require.False(t, snap.IngressGateway.TLSEnabled)
+						require.True(t, snap.IngressGateway.GatewayConfigLoaded)
+						require.False(t, snap.IngressGateway.TLSConfig.Enabled)
 					},
 				},
 				{
@ -1111,8 +1111,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
 						require.True(t, snap.Valid())
-						require.True(t, snap.IngressGateway.TLSSet)
-						require.True(t, snap.IngressGateway.TLSEnabled)
+						require.True(t, snap.IngressGateway.GatewayConfigLoaded)
+						require.True(t, snap.IngressGateway.TLSConfig.Enabled)
 						require.True(t, snap.IngressGateway.HostsSet)
 						require.Len(t, snap.IngressGateway.Hosts, 1)
 						require.Len(t, snap.IngressGateway.Upstreams, 1)
--- a/agent/proxycfg/testing.go
+++ b/agent/proxycfg/testing.go
@ -1622,7 +1622,16 @@ func TestConfigSnapshotIngress(t testing.T) *ConfigSnapshot {

 func TestConfigSnapshotIngressWithTLSListener(t testing.T) *ConfigSnapshot {
 	snap := testConfigSnapshotIngressGateway(t, true, "tcp", "default")
-	snap.IngressGateway.TLSEnabled = true
+	snap.IngressGateway.TLSConfig.Enabled = true
+	return snap
+}
+
+func TestConfigSnapshotIngressWithGatewaySDS(t testing.T) *ConfigSnapshot {
+	snap := testConfigSnapshotIngressGateway(t, true, "tcp", "default")
+	snap.IngressGateway.TLSConfig.SDS = &structs.GatewayTLSSDSConfig{
+		ClusterName:  "sds-cluster",
+		CertResource: "cert-resource",
+	}
 	return snap
 }