Update proxycfg to hold more ingress config state

pull/10903/head
Paul Banks 3 years ago
parent 4e39f03d5b
commit ccbda0c285

@ -80,13 +80,13 @@ func (s *handlerIngressGateway) handleUpdate(ctx context.Context, u cache.Update
return fmt.Errorf("invalid type for config entry: %T", resp.Entry) return fmt.Errorf("invalid type for config entry: %T", resp.Entry)
} }
snap.IngressGateway.TLSEnabled = gatewayConf.TLS.Enabled snap.IngressGateway.GatewayConfigLoaded = true
snap.IngressGateway.TLSSet = true snap.IngressGateway.TLSConfig = gatewayConf.TLS
// Load each listener's config from the config entry so we don't have to // Load each listener's config from the config entry so we don't have to
// pass listener config through "upstreams" types as that grows. // pass listener config through "upstreams" types as that grows.
for _, l := range gatewayConf.Listeners { for _, l := range gatewayConf.Listeners {
key := IngressListenerKey{Protocol: l.Protocol, Port: l.Port} key := IngressListenerKeyFromListener(l)
snap.IngressGateway.Listeners[key] = l snap.IngressGateway.Listeners[key] = l
} }
@ -123,7 +123,7 @@ func (s *handlerIngressGateway) handleUpdate(ctx context.Context, u cache.Update
hosts = append(hosts, service.Hosts...) hosts = append(hosts, service.Hosts...)
id := IngressListenerKey{Protocol: service.Protocol, Port: service.Port} id := IngressListenerKeyFromGWService(*service)
upstreamsMap[id] = append(upstreamsMap[id], u) upstreamsMap[id] = append(upstreamsMap[id], u)
} }
@ -169,7 +169,9 @@ func makeUpstream(g *structs.GatewayService) structs.Upstream {
} }
func (s *handlerIngressGateway) watchIngressLeafCert(ctx context.Context, snap *ConfigSnapshot) error { func (s *handlerIngressGateway) watchIngressLeafCert(ctx context.Context, snap *ConfigSnapshot) error {
if !snap.IngressGateway.TLSSet || !snap.IngressGateway.HostsSet { // Note that we DON'T test for TLS.Enabled because we need a leaf cert for the
// gateway even without TLS to use as a client cert.
if !snap.IngressGateway.GatewayConfigLoaded || !snap.IngressGateway.HostsSet {
return nil return nil
} }
@ -197,7 +199,7 @@ func (s *handlerIngressGateway) watchIngressLeafCert(ctx context.Context, snap *
func (s *handlerIngressGateway) generateIngressDNSSANs(snap *ConfigSnapshot) []string { func (s *handlerIngressGateway) generateIngressDNSSANs(snap *ConfigSnapshot) []string {
// Update our leaf cert watch with wildcard entries for our DNS domains as well as any // Update our leaf cert watch with wildcard entries for our DNS domains as well as any
// configured custom hostnames from the service. // configured custom hostnames from the service.
if !snap.IngressGateway.TLSEnabled { if !snap.IngressGateway.TLSConfig.Enabled {
return nil return nil
} }
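Review bot: `snap.IngressGateway.TLSConfig = gatewayConf.TLS` copies the struct by value, but the testing.go hunk further down shows `TLSConfig.SDS` is a pointer (`&structs.GatewayTLSSDSConfig{...}`), so the snapshot still aliases the SDS block of the cached config entry instead of owning it. If that entry can be mutated after this update, or if ConfigSnapshot cloning does not deep-copy the pointer, the snapshot is no longer the point-in-time coherent view its doc comment promises; worth confirming, or copying the SDS struct explicitly here. The enclosing handleUpdate starts before the hunk. Separately, `IngressListenerKeyFromGWService(*service)` copies the whole GatewayService to read two fields; taking `*structs.GatewayService` would avoid the copy and match the pointer the caller already holds.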

@ -306,13 +306,13 @@ func (c *configSnapshotMeshGateway) IsEmpty() bool {
type configSnapshotIngressGateway struct { type configSnapshotIngressGateway struct {
ConfigSnapshotUpstreams ConfigSnapshotUpstreams
// TLSEnabled is whether this gateway's listeners should have TLS configured. // SDSConfig is the gateway-level SDS configuration. Listener/service level
TLSEnabled bool // config is preserved in the Listeners map below.
TLSConfig structs.GatewayTLSConfig
// TODO(banks): rename to "ConfigLoaded" or something or just remove it since // GatewayConfigLoaded is used to determine if we have received the initial
// only usages seem to be places that really should be checking TLSEnabled == // ingress-gateway config entry yet.
// true anyway? GatewayConfigLoaded bool
TLSSet bool
// Hosts is the list of extra host entries to add to our leaf cert's DNS SANs. // Hosts is the list of extra host entries to add to our leaf cert's DNS SANs.
Hosts []string Hosts []string
@ -351,6 +351,14 @@ func (k *IngressListenerKey) RouteName() string {
return fmt.Sprintf("%d", k.Port) return fmt.Sprintf("%d", k.Port)
} }
func IngressListenerKeyFromGWService(s structs.GatewayService) IngressListenerKey {
return IngressListenerKey{Protocol: s.Protocol, Port: s.Port}
}
func IngressListenerKeyFromListener(l structs.IngressListener) IngressListenerKey {
return IngressListenerKey{Protocol: l.Protocol, Port: l.Port}
}
// ConfigSnapshot captures all the resulting config needed for a proxy instance. // ConfigSnapshot captures all the resulting config needed for a proxy instance.
// It is meant to be point-in-time coherent and is used to deliver the current // It is meant to be point-in-time coherent and is used to deliver the current
// config state to observers who need it to be pushed in (e.g. XDS server). // config state to observers who need it to be pushed in (e.g. XDS server).
@ -408,7 +416,7 @@ func (s *ConfigSnapshot) Valid() bool {
case structs.ServiceKindIngressGateway: case structs.ServiceKindIngressGateway:
return s.Roots != nil && return s.Roots != nil &&
s.IngressGateway.Leaf != nil && s.IngressGateway.Leaf != nil &&
s.IngressGateway.TLSSet && s.IngressGateway.GatewayConfigLoaded &&
s.IngressGateway.HostsSet s.IngressGateway.HostsSet
default: default:
return false return false
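Review bot: The new doc comment on the TLSConfig field calls it `SDSConfig`, which does not match the declaration `TLSConfig structs.GatewayTLSConfig`; it should read `// TLSConfig is the gateway-level TLS configuration, including any SDS settings. Listener/service level config is preserved in the Listeners map below.` The exported constructors `IngressListenerKeyFromGWService` and `IngressListenerKeyFromListener` have no doc comments; e.g. `// IngressListenerKeyFromListener returns the Listeners map key for the listener l.` and `// IngressListenerKeyFromGWService returns the Listeners map key for the listener that serves s.` Since the Valid() hunk in this section now gates on GatewayConfigLoaded, its comment could also say it is set only after a well-typed ingress-gateway entry has been received, so readers know the TLSConfig below is meaningless until then.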

@ -942,8 +942,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
}, },
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) { verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.False(t, snap.Valid(), "gateway without hosts set is not valid") require.False(t, snap.Valid(), "gateway without hosts set is not valid")
require.True(t, snap.IngressGateway.TLSSet) require.True(t, snap.IngressGateway.GatewayConfigLoaded)
require.False(t, snap.IngressGateway.TLSEnabled) require.False(t, snap.IngressGateway.TLSConfig.Enabled)
}, },
}, },
{ {
@ -1111,8 +1111,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
}, },
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) { verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.True(t, snap.Valid()) require.True(t, snap.Valid())
require.True(t, snap.IngressGateway.TLSSet) require.True(t, snap.IngressGateway.GatewayConfigLoaded)
require.True(t, snap.IngressGateway.TLSEnabled) require.True(t, snap.IngressGateway.TLSConfig.Enabled)
require.True(t, snap.IngressGateway.HostsSet) require.True(t, snap.IngressGateway.HostsSet)
require.Len(t, snap.IngressGateway.Hosts, 1) require.Len(t, snap.IngressGateway.Hosts, 1)
require.Len(t, snap.IngressGateway.Upstreams, 1) require.Len(t, snap.IngressGateway.Upstreams, 1)

@ -1622,7 +1622,16 @@ func TestConfigSnapshotIngress(t testing.T) *ConfigSnapshot {
func TestConfigSnapshotIngressWithTLSListener(t testing.T) *ConfigSnapshot { func TestConfigSnapshotIngressWithTLSListener(t testing.T) *ConfigSnapshot {
snap := testConfigSnapshotIngressGateway(t, true, "tcp", "default") snap := testConfigSnapshotIngressGateway(t, true, "tcp", "default")
snap.IngressGateway.TLSEnabled = true snap.IngressGateway.TLSConfig.Enabled = true
return snap
}
func TestConfigSnapshotIngressWithGatewaySDS(t testing.T) *ConfigSnapshot {
snap := testConfigSnapshotIngressGateway(t, true, "tcp", "default")
snap.IngressGateway.TLSConfig.SDS = &structs.GatewayTLSSDSConfig{
ClusterName: "sds-cluster",
CertResource: "cert-resource",
}
return snap return snap
} }
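Review bot: TestConfigSnapshotIngressWithGatewaySDS populates `TLSConfig.SDS` but leaves `TLSConfig.Enabled` at its zero value, whereas the sibling fixture TestConfigSnapshotIngressWithTLSListener sets it explicitly. Whether gateway-level SDS is meant to take effect with TLS disabled is not visible here, so a one-line comment on the fixture stating the intent, e.g. `// TLS.Enabled is deliberately left false to exercise SDS config on its own.`, would keep later readers from "fixing" it either way. If Enabled is in fact required for SDS to be honoured, the fixture should set it too.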
