diff --git a/go.mod b/go.mod
index a81968f..4863a56 100644
--- a/go.mod
+++ b/go.mod
@@ -4,15 +4,15 @@ go 1.12
 
 require (
 github.com/aws/aws-sdk-go v1.20.5
-github.com/envoyproxy/go-control-plane v0.8.4
+github.com/envoyproxy/go-control-plane v0.9.2
 github.com/ghodss/yaml v1.0.0
 github.com/gogo/protobuf v1.2.2-0.20190730201129-28a6bbf47e48
-github.com/golang/protobuf v1.3.2-0.20190517061210-b285ee9cfc6c
+github.com/golang/protobuf v1.3.2
 github.com/google/go-cmp v0.2.0
 github.com/google/uuid v1.1.1
 github.com/hashicorp/golang-lru v0.5.1 // indirect
 github.com/juju/loggo v0.0.0-20190526231331-6e530bcce5d8
 golang.org/x/crypto v0.0.0-20190618222545-ea8f1a30c443
-google.golang.org/grpc v1.21.1
+google.golang.org/grpc v1.25.1
 gopkg.in/yaml.v2 v2.2.2
 )
diff --git a/go.sum b/go.sum
index 982ee4c..3ec4897 100644
--- a/go.sum
+++ b/go.sum
@@ -2,15 +2,23 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/aws/aws-sdk-go v1.20.5 h1:Ytq5AxpA2pr4vRJM9onvgAjjVRZKKO63WStbG/jLHw0= github.com/aws/aws-sdk-go v1.20.5/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f h1:WBZRG4aNOuI15bLRrCgN8fCq8E5Xuty6jGbmSNEvSsU= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/envoyproxy/go-control-plane v0.8.0 h1:uE6Fp4fOcAJdc1wTQXLJ+SYistkbG1dNoi6Zs1+Ybvk= github.com/envoyproxy/go-control-plane v0.8.0/go.mod h1:GSSbY9P1neVhdY7G4wu+IK1rk/dqhiCC/4ExuWJZVuk= github.com/envoyproxy/go-control-plane v0.8.4 h1:moNlmfa71yZkzDxAb4Fz5qwaW1giZmTtwn6P/gYIK6E= github.com/envoyproxy/go-control-plane v0.8.4/go.mod h1:XB9+ce7x+IrsjgIVnRnql0O61gj/np0/bGDfhJI3sCU= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.2 h1:GJ5MKABRjz+QuET1GHm0KD9HC/mAzb3g2FznLQ0aThc= +github.com/envoyproxy/go-control-plane v0.9.2/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/protoc-gen-validate v0.0.0-20190405222122-d6164de49109 h1:FNgqGzbOm637YKRbYGKb9cqGo8i50++w/LWvMau7jrw= github.com/envoyproxy/protoc-gen-validate v0.0.0-20190405222122-d6164de49109/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.0.14 h1:YBW6/cKy9prEGRYLnaGa4IDhzxZhRCtKsax8srGKDnM= github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/envoyproxy/protoc-gen-validate v0.1.0 
h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/gogo/googleapis v1.1.0 h1:kFkMAZBNAn4j7K0GiZr8cRYzejq68VbheufiV3YuyFI= @@ -25,6 +33,8 @@ github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfb github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2-0.20190517061210-b285ee9cfc6c h1:zqAKixg3cTcIasAMJV+EcfVbWwLpOZ7LeoWJvcuD/5Q= github.com/golang/protobuf v1.3.2-0.20190517061210-b285ee9cfc6c/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= 
@@ -37,24 +47,32 @@ github.com/juju/loggo v0.0.0-20190526231331-6e530bcce5d8/go.mod h1:vgyd7OREkbtVE github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190618222545-ea8f1a30c443 h1:IcSOAf4PyMp3U3XbIEj1/xJ2BjNN2jWv7JoyOsMxXUU= golang.org/x/crypto v0.0.0-20190618222545-ea8f1a30c443/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c h1:uOCk1iQW6Vc18bnC13MfzScl+wdKBmM9Y9kU7Z83/lw= 
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190508220229-2d0786266e9c h1:hDn6jm7snBX2O7+EeTk6Q4WXJfKt7MWgtiCCRi1rBoY= golang.org/x/sys v0.0.0-20190508220229-2d0786266e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= 
@@ -62,18 +80,28 @@ golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8 h1:Nw54tB0rB7hY/N0NQvRW8DG4Yk3Q6T9cu9RcFQDu1tc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 h1:gSJIx1SDwno+2ElGhA4+qG2zF97qiUzTM+rQ0klBOcE= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.21.1 h1:j6XxA85m/6txkUCHvzlV5f+HBNl/1r5cZ2A/3IEFOO8= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1 h1:wdKvqQk7IttEw92GoRyKG2IDrUIpgpj6H6m81yfeMW0= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= 
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= istio.io/gogo-genproto v0.0.0-20190124151557-6d926a6e6feb/go.mod h1:eIDJ6jNk/IeJz6ODSksHl5Aiczy5JUq6vFhJWI5OtiI= istio.io/gogo-genproto v0.0.0-20190731221249-06e20ada0df2 h1:AZ+aTgKSBmBc6KtZU+P+Wr2dOdPriJu09cU8wGMG+/M= istio.io/gogo-genproto v0.0.0-20190731221249-06e20ada0df2/go.mod h1:IjvrbUlRbbw4JCpsgvgihcz9USUwEoNTL/uwMtyV5yk= diff --git a/pkg/envoy/authzfilter.go b/pkg/envoy/authzfilter.go index 09f6bbc..7bb9807 100644 --- a/pkg/envoy/authzfilter.go +++ b/pkg/envoy/authzfilter.go @@ -4,10 +4,11 @@ import ( "time" api "github.com/envoyproxy/go-control-plane/envoy/api/v2" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" + core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" + listener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" extAuthz "github.com/envoyproxy/go-control-plane/envoy/config/filter/http/ext_authz/v2" - "github.com/gogo/protobuf/types" + "github.com/golang/protobuf/ptypes" + any "github.com/golang/protobuf/ptypes/any" ) type AuthzFilter struct{} @@ -38,7 +39,7 @@ func (a *AuthzFilter) updateListenersWithAuthzFilter(cache *WorkQueueCache, para updateHTTPFilterWithConfig(&manager.HttpFilters, "envoy.ext_authz", authzConfigEncoded) // update manager in cache - pbst, err := types.MarshalAny(&manager) + pbst, err := ptypes.MarshalAny(&manager) if err != nil { return err } 
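Review bot: The new import alias `any` for `github.com/golang/protobuf/ptypes/any` in the authzfilter.go import hunk will shadow the predeclared `any` identifier as soon as this module's `go` directive moves to 1.18 or later (go.mod currently says 1.12), and the same alias is introduced in the listener.go import hunk. Aliasing the package as `anypb` now avoids that collision and reads the same at every use site; the signature on the next hunk would become `func (a *AuthzFilter) getAuthzFilterEncoded(params ListenerParams) (*anypb.Any, error)`. The rest of the import block is only alias bookkeeping for the renamed generated packages.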
@@ -54,12 +55,12 @@ func (a *AuthzFilter) updateListenersWithAuthzFilter(cache *WorkQueueCache, para return nil } -func (a *AuthzFilter) getAuthzFilterEncoded(params ListenerParams) (*types.Any, error) { +func (a *AuthzFilter) getAuthzFilterEncoded(params ListenerParams) (*any.Any, error) { authzConfig, err := a.getAuthzFilter(params) if err != nil { return nil, err } - authzConfigEncoded, err := types.MarshalAny(authzConfig) + authzConfigEncoded, err := ptypes.MarshalAny(authzConfig) if err != nil { return nil, err } @@ -75,7 +76,7 @@ func (a *AuthzFilter) getAuthzFilter(params ListenerParams) (*extAuthz.ExtAuthz, FailureModeAllow: params.Authz.FailureModeAllow, Services: &extAuthz.ExtAuthz_GrpcService{ GrpcService: &core.GrpcService{ - Timeout: types.DurationProto(timeout), + Timeout: ptypes.DurationProto(timeout), TargetSpecifier: &core.GrpcService_EnvoyGrpc_{ EnvoyGrpc: &core.GrpcService_EnvoyGrpc{ ClusterName: params.Name, diff --git a/pkg/envoy/callback.go b/pkg/envoy/callback.go index b64a52b..4994cf3 100644 --- a/pkg/envoy/callback.go +++ b/pkg/envoy/callback.go @@ -4,7 +4,7 @@ import ( "context" v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" + core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" ) type Callback struct { diff --git a/pkg/envoy/cluster.go b/pkg/envoy/cluster.go index b04b51f..4c238d5 100644 --- a/pkg/envoy/cluster.go +++ b/pkg/envoy/cluster.go 
@@ -5,10 +5,11 @@ import ( "time" api "github.com/envoyproxy/go-control-plane/envoy/api/v2" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/endpoint" - "github.com/envoyproxy/go-control-plane/pkg/cache" + auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" + core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" + endpoint "github.com/envoyproxy/go-control-plane/envoy/api/v2/endpoint" + cache "github.com/envoyproxy/go-control-plane/pkg/cache" + "github.com/golang/protobuf/ptypes" ) type Cluster struct{} @@ -42,10 +43,19 @@ func (c *Cluster) getAllClusterNames(clusters []cache.Resource) []string { } func (c *Cluster) createCluster(params ClusterParams) *api.Cluster { - var tlsContext *auth.UpstreamTlsContext + var transportSocket *core.TransportSocket if params.Port == 443 { - tlsContext = &auth.UpstreamTlsContext{ + tlsContext, err := ptypes.MarshalAny(&auth.UpstreamTlsContext{ Sni: params.TargetHostname, + }) + if err != nil { + panic(err) + } + transportSocket = &core.TransportSocket{ + Name: "tls", + ConfigType: &core.TransportSocket_TypedConfig{ + TypedConfig: tlsContext, + }, } } @@ -54,7 +64,7 @@ func (c *Cluster) createCluster(params ClusterParams) *api.Cluster { address := &core.Address{Address: &core.Address_SocketAddress{ SocketAddress: &core.SocketAddress{ Address: params.TargetHostname, - Protocol: core.TCP, + Protocol: core.SocketAddress_TCP, PortSpecifier: &core.SocketAddress_PortValue{ PortValue: uint32(params.Port), }, 
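Review bot: The `UpstreamTlsContext` that `createCluster` now marshals into the transport socket still carries only `Sni`, with no `CommonTlsContext.ValidationContext`, so Envoy will not verify the upstream's certificate for clusters on port 443; the commit carries that over from the old `TlsContext` field rather than addressing it, and it deserves at least a comment such as `// NOTE: no ValidationContext is set, so the upstream certificate is not verified against any trust bundle`. Separately, the transport socket is named with the literal `"tls"` here and again in listener.go's `newTLSFilterChain` and `createListener` hunks, while the same commit moves filter names to the `wellknown` constants; `Name: wellknown.TransportSocketTls,` keeps the three sites consistent if the vendored go-control-plane exports it. The `panic(err)` after `MarshalAny` follows the file's existing style, but it turns a marshalling error inside a function returning `*api.Cluster` into a crash of the control plane, so a returned error would be preferable if the call chain allows it. `createCluster` continues outside this hunk.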
@@ -68,10 +78,10 @@ func (c *Cluster) createCluster(params ClusterParams) *api.Cluster { ClusterDiscoveryType: &api.Cluster_Type{ Type: api.Cluster_STRICT_DNS, }, - ConnectTimeout: &connectTimeout, + ConnectTimeout: ptypes.DurationProto(connectTimeout), DnsLookupFamily: api.Cluster_V4_ONLY, LbPolicy: api.Cluster_ROUND_ROBIN, - TlsContext: tlsContext, + TransportSocket: transportSocket, LoadAssignment: &api.ClusterLoadAssignment{ ClusterName: params.Name, Endpoints: []*endpoint.LocalityLbEndpoints{ diff --git a/pkg/envoy/hasher.go b/pkg/envoy/hasher.go index 9733735..1dc4180 100644 --- a/pkg/envoy/hasher.go +++ b/pkg/envoy/hasher.go @@ -1,7 +1,7 @@ package envoy import ( - "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" + core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" ) // Hasher returns node ID as an ID diff --git a/pkg/envoy/jwtprovider.go b/pkg/envoy/jwtprovider.go index eda44dd..21a20d2 100644 --- a/pkg/envoy/jwtprovider.go +++ b/pkg/envoy/jwtprovider.go @@ -3,14 +3,16 @@ package envoy import ( "fmt" "sort" + "time" api "github.com/envoyproxy/go-control-plane/envoy/api/v2" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/route" + core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" + listener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" + route "github.com/envoyproxy/go-control-plane/envoy/api/v2/route" jwtAuth "github.com/envoyproxy/go-control-plane/envoy/config/filter/http/jwt_authn/v2alpha" hcm "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2" - "github.com/gogo/protobuf/types" + matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher" + "github.com/golang/protobuf/ptypes" ) type JwtProvider struct{} 
@@ -105,8 +107,11 @@ func (j *JwtProvider) getJwtRule(conditions Conditions, clusterName string, jwtP if len(methodHeaders) == 0 { rules = append(rules, &jwtAuth.RequirementRule{ Match: &route.RouteMatch{ - PathSpecifier: &route.RouteMatch_Regex{ - Regex: conditions.Regex, + PathSpecifier: &route.RouteMatch_SafeRegex{ + SafeRegex: &matcher.RegexMatcher{ + Regex: conditions.Regex, + EngineType: &matcher.RegexMatcher_GoogleRe2{GoogleRe2: &matcher.RegexMatcher_GoogleRE2{}}, + }, }, Headers: hostnameHeaders, }, @@ -116,8 +121,11 @@ func (j *JwtProvider) getJwtRule(conditions Conditions, clusterName string, jwtP for _, methodHeader := range methodHeaders { rules = append(rules, &jwtAuth.RequirementRule{ Match: &route.RouteMatch{ - PathSpecifier: &route.RouteMatch_Regex{ - Regex: conditions.Regex, + PathSpecifier: &route.RouteMatch_SafeRegex{ + SafeRegex: &matcher.RegexMatcher{ + Regex: conditions.Regex, + EngineType: &matcher.RegexMatcher_GoogleRe2{GoogleRe2: &matcher.RegexMatcher_GoogleRE2{}}, + }, }, Headers: append(hostnameHeaders, methodHeader), }, @@ -133,7 +141,7 @@ func (j *JwtProvider) getJwtRule(conditions Conditions, clusterName string, jwtP func (j *JwtProvider) jwtRuleExist(rules []*jwtAuth.RequirementRule, rule *jwtAuth.RequirementRule) bool { ruleFound := false for _, v := range rules { - if v.Match.Equal(rule.Match) && v.Requires.RequiresType.(*jwtAuth.JwtRequirement_ProviderName).ProviderName == rule.Requires.RequiresType.(*jwtAuth.JwtRequirement_ProviderName).ProviderName { + if routeMatchEqual(v.Match, rule.Match) && v.Requires.RequiresType.(*jwtAuth.JwtRequirement_ProviderName).ProviderName == rule.Requires.RequiresType.(*jwtAuth.JwtRequirement_ProviderName).ProviderName { ruleFound = true } } 
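Review bot: The `RouteMatch_SafeRegex` literal with its `RegexMatcher_GoogleRe2` engine is spelled out verbatim twice in `getJwtRule` and twice more in listener.go's `getVirtualHost` hunks; a small constructor would keep the four sites in step and give one place to document the RE2 choice. The GoogleRE2 engine is left at its defaults, which is reasonable for operator-supplied patterns but worth a one-line comment, since `conditions.Regex` is now evaluated by a different engine than the deprecated `Regex` field used. Both enclosing functions start outside these hunks.
```go
// newSafeRegexMatch builds a RouteMatch path specifier backed by Envoy's RE2 engine.
func newSafeRegexMatch(regex string) *route.RouteMatch_SafeRegex {
	return &route.RouteMatch_SafeRegex{
		SafeRegex: &matcher.RegexMatcher{
			Regex:      regex,
			EngineType: &matcher.RegexMatcher_GoogleRe2{GoogleRe2: &matcher.RegexMatcher_GoogleRE2{}},
		},
	}
}
// … at each call site: PathSpecifier: newSafeRegexMatch(conditions.Regex), …
```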
@@ -153,7 +161,8 @@ func (j *JwtProvider) getJwtConfig(auth Auth) *jwtAuth.JwtAuthentication { JwksSourceSpecifier: &jwtAuth.JwtProvider_RemoteJwks{ RemoteJwks: &jwtAuth.RemoteJwks{ HttpUri: &core.HttpUri{ - Uri: auth.RemoteJwks, + Uri: auth.RemoteJwks, + Timeout: ptypes.DurationProto(30 * time.Second), HttpUpstreamType: &core.HttpUri_Cluster{ Cluster: "jwtProvider_" + auth.JwtProvider, }, @@ -186,14 +195,14 @@ func (j *JwtProvider) updateListenerWithJwtProvider(cache *WorkQueueCache, param jwtConfig.Providers[params.Auth.JwtProvider] = jwtNewConfig.Providers[params.Auth.JwtProvider] logger.Debugf("Adding/updating %s to jwt config", params.Auth.JwtProvider) - jwtConfigEncoded, err := types.MarshalAny(&jwtConfig) + jwtConfigEncoded, err := ptypes.MarshalAny(&jwtConfig) if err != nil { panic(err) } updateHTTPFilterWithConfig(&manager.HttpFilters, "envoy.filters.http.jwt_authn", jwtConfigEncoded) - pbst, err := types.MarshalAny(&manager) + pbst, err := ptypes.MarshalAny(&manager) if err != nil { panic(err) } @@ -274,14 +283,14 @@ func (j *JwtProvider) UpdateJwtRule(cache *WorkQueueCache, params ListenerParams jwtConfig.Rules = append(jwtConfig.Rules, newJwtRule) } } - jwtConfigEncoded, err := types.MarshalAny(&jwtConfig) + jwtConfigEncoded, err := ptypes.MarshalAny(&jwtConfig) if err != nil { panic(err) } updateHTTPFilterWithConfig(&manager.HttpFilters, "envoy.filters.http.jwt_authn", jwtConfigEncoded) - pbst, err := types.MarshalAny(&manager) + pbst, err := ptypes.MarshalAny(&manager) if err != nil { panic(err) } @@ -351,7 +360,7 @@ func (j *JwtProvider) DeleteJwtRule(cache *WorkQueueCache, params ListenerParams index := j.requirementRuleIndex(jwtConfig.Rules, rule) jwtConfig.Rules = append(jwtConfig.Rules[:index], jwtConfig.Rules[index+1:]...) } - jwtConfigEncoded, err := types.MarshalAny(&jwtConfig) + jwtConfigEncoded, err := ptypes.MarshalAny(&jwtConfig) if err != nil { panic(err) } 
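Review bot: The JWKS fetch timeout added in `getJwtConfig` is a bare `30 * time.Second` inline in the `HttpUri` literal; hoisting it to a named package-level constant documents the intent and keeps it alongside any other timeouts in the package: `const remoteJwksTimeout = 30 * time.Second` and `Timeout: ptypes.DurationProto(remoteJwksTimeout),`. A short comment noting that the v2 `HttpUri.Timeout` is mandatory for remote JWKS would also explain why the field appears in this change. `getJwtConfig` starts and ends outside the hunk.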
@@ -361,7 +370,7 @@ func (j *JwtProvider) DeleteJwtRule(cache *WorkQueueCache, params ListenerParams logger.Debugf("Couldn't find jwt provider %s during deleteRoute", params.Auth.JwtProvider) } - pbst, err := types.MarshalAny(&manager) + pbst, err := ptypes.MarshalAny(&manager) if err != nil { panic(err) } diff --git a/pkg/envoy/listener.go b/pkg/envoy/listener.go index 8777926..dc4ffab 100644 --- a/pkg/envoy/listener.go +++ b/pkg/envoy/listener.go @@ -7,15 +7,17 @@ import ( "strings" api "github.com/envoyproxy/go-control-plane/envoy/api/v2" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/route" + auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" + core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" + listener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" + route "github.com/envoyproxy/go-control-plane/envoy/api/v2/route" hcm "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2" envoyType "github.com/envoyproxy/go-control-plane/envoy/type" + matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher" "github.com/envoyproxy/go-control-plane/pkg/cache" - "github.com/envoyproxy/go-control-plane/pkg/util" - "github.com/gogo/protobuf/types" + "github.com/envoyproxy/go-control-plane/pkg/wellknown" + "github.com/golang/protobuf/ptypes" + any "github.com/golang/protobuf/ptypes/any" ) const Error_NoFilterChainFound = "NoFilterChainFound" 
@@ -30,35 +32,44 @@ func newListener() *Listener { listener := &Listener{} listener.httpFilter = []*hcm.HttpFilter{ { - Name: util.Router, + Name: wellknown.Router, }, } return listener } func (l *Listener) newTLSFilterChain(params TLSParams) *listener.FilterChain { - return &listener.FilterChain{ - FilterChainMatch: &listener.FilterChainMatch{ - ServerNames: []string{params.Domain}, - }, - TlsContext: &auth.DownstreamTlsContext{ - CommonTlsContext: &auth.CommonTlsContext{ - TlsCertificates: []*auth.TlsCertificate{ - { - CertificateChain: &core.DataSource{ - Specifier: &core.DataSource_InlineString{ - InlineString: params.CertBundle, - }, + tlsContext, err := ptypes.MarshalAny(&auth.DownstreamTlsContext{ + CommonTlsContext: &auth.CommonTlsContext{ + TlsCertificates: []*auth.TlsCertificate{ + { + CertificateChain: &core.DataSource{ + Specifier: &core.DataSource_InlineString{ + InlineString: params.CertBundle, }, - PrivateKey: &core.DataSource{ - Specifier: &core.DataSource_InlineString{ - InlineString: params.PrivateKey, - }, + }, + PrivateKey: &core.DataSource{ + Specifier: &core.DataSource_InlineString{ + InlineString: params.PrivateKey, }, }, }, }, }, + }) + if err != nil { + panic(err) + } + return &listener.FilterChain{ + FilterChainMatch: &listener.FilterChainMatch{ + ServerNames: []string{params.Domain}, + }, + TransportSocket: &core.TransportSocket{ + Name: "tls", + ConfigType: &core.TransportSocket_TypedConfig{ + TypedConfig: tlsContext, + }, + }, } } func (l *Listener) updateListenerWithNewCert(cache *WorkQueueCache, params TLSParams) error { @@ -74,7 +85,7 @@ func (l *Listener) updateListenerWithNewCert(cache *WorkQueueCache, params TLSPa } else { logger.Debugf("Updating existing filterchain in %s with certificate for domain %s", ll.Name, params.Domain) filterChain := l.newTLSFilterChain(params) - ll.FilterChains[filterId].TlsContext = filterChain.TlsContext + ll.FilterChains[filterId].TransportSocket = filterChain.TransportSocket } } } 
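Review bot: `newTLSFilterChain` now calls `panic(err)` when `ptypes.MarshalAny` fails, although the caller visible in the next hunk, `updateListenerWithNewCert`, already returns an `error` and could propagate it. Changing the signature to `func (l *Listener) newTLSFilterChain(params TLSParams) (*listener.FilterChain, error)` with `return nil, err` on failure and `return &listener.FilterChain{...}, nil` on success, then `filterChain, err := l.newTLSFilterChain(params)` followed by `if err != nil { return err }` at the call site, keeps a single bad certificate update from taking down the whole control plane. The body of `updateListenerWithNewCert` continues outside the second hunk, so other callers of `newTLSFilterChain` cannot be checked from here.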
@@ -134,7 +145,7 @@ func (l *Listener) updateListenerWithChallenge(cache *WorkQueueCache, challenge }) } manager.RouteSpecifier = routeSpecifier - pbst, err := types.MarshalAny(&manager) + pbst, err := ptypes.MarshalAny(&manager) if err != nil { panic(err) } @@ -239,8 +250,11 @@ func (l *Listener) getVirtualHost(hostname, targetHostname, targetPrefix, cluste if len(headers) == 0 { routes = append(routes, &route.Route{ Match: &route.RouteMatch{ - PathSpecifier: &route.RouteMatch_Regex{ - Regex: targetPrefix, + PathSpecifier: &route.RouteMatch_SafeRegex{ + SafeRegex: &matcher.RegexMatcher{ + Regex: targetPrefix, + EngineType: &matcher.RegexMatcher_GoogleRe2{GoogleRe2: &matcher.RegexMatcher_GoogleRE2{}}, + }, }, }, Action: routeAction, @@ -249,8 +263,11 @@ func (l *Listener) getVirtualHost(hostname, targetHostname, targetPrefix, cluste for _, header := range headers { routes = append(routes, &route.Route{ Match: &route.RouteMatch{ - PathSpecifier: &route.RouteMatch_Regex{ - Regex: targetPrefix, + PathSpecifier: &route.RouteMatch_SafeRegex{ + SafeRegex: &matcher.RegexMatcher{ + Regex: targetPrefix, + EngineType: &matcher.RegexMatcher_GoogleRe2{GoogleRe2: &matcher.RegexMatcher_GoogleRE2{}}, + }, }, Headers: []*route.HeaderMatcher{header}, }, @@ -292,12 +309,12 @@ func (l *Listener) newTLSFilter(params ListenerParams, paramsTLS TLSParams, list Routes: []*route.Route{}, } manager := l.newManager(strings.Replace(listenerName, "l_", "r_", 1), []*route.VirtualHost{newEmptyVirtualHost}, httpFilters) - pbst, err := types.MarshalAny(manager) + pbst, err := ptypes.MarshalAny(manager) if err != nil { panic(err) } return []*listener.Filter{{ - Name: util.HTTPConnectionManager, + Name: wellknown.HTTPConnectionManager, ConfigType: &listener.Filter_TypedConfig{ TypedConfig: pbst, }, 
@@ -386,7 +403,7 @@ func (l *Listener) updateListener(cache *WorkQueueCache, params ListenerParams, } manager.RouteSpecifier = routeSpecifier - pbst, err := types.MarshalAny(&manager) + pbst, err := ptypes.MarshalAny(&manager) if err != nil { panic(err) } @@ -413,7 +430,7 @@ func (l *Listener) updateListener(cache *WorkQueueCache, params ListenerParams, func (l *Listener) routeExist(routes []*route.Route, route *route.Route) bool { routeFound := false for _, v := range routes { - if cmpMatch(v.Match, route.Match) && v.Action.Equal(route.Action) { + if cmpMatch(v.Match, route.Match) && routeActionEqual(v, route) { routeFound = true } } @@ -421,7 +438,7 @@ func (l *Listener) routeExist(routes []*route.Route, route *route.Route) bool { } func (l *Listener) routeIndex(routes []*route.Route, route *route.Route) int { for index, v := range routes { - if cmpMatch(v.Match, route.Match) && v.Action.Equal(route.Action) { + if cmpMatch(v.Match, route.Match) && routeActionEqual(v, route) { return index } } @@ -430,7 +447,7 @@ func (l *Listener) routeIndex(routes []*route.Route, route *route.Route) int { func (l *Listener) newManager(routeName string, virtualHosts []*route.VirtualHost, httpFilters []*hcm.HttpFilter) *hcm.HttpConnectionManager { httpConnectionManager := &hcm.HttpConnectionManager{ - CodecType: hcm.AUTO, + CodecType: hcm.HttpConnectionManager_AUTO, StatPrefix: "ingress_http", RouteSpecifier: &hcm.HttpConnectionManager_RouteConfig{ RouteConfig: &api.RouteConfiguration{ @@ -456,7 +473,7 @@ func (l *Listener) createListener(params ListenerParams, paramsTLS TLSParams) *a httpFilters := l.newHTTPRouterFilter() manager := l.newManager(strings.Replace(listenerName, "l_", "r_", 1), []*route.VirtualHost{}, httpFilters) - pbst, err := types.MarshalAny(manager) + pbst, err := ptypes.MarshalAny(manager) if err != nil { panic(err) } 
@@ -466,7 +483,7 @@ func (l *Listener) createListener(params ListenerParams, paramsTLS TLSParams) *a Address: &core.Address{ Address: &core.Address_SocketAddress{ SocketAddress: &core.SocketAddress{ - Protocol: core.TCP, + Protocol: core.SocketAddress_TCP, Address: "0.0.0.0", PortSpecifier: &core.SocketAddress_PortValue{ PortValue: listenerPort, @@ -476,7 +493,7 @@ func (l *Listener) createListener(params ListenerParams, paramsTLS TLSParams) *a }, FilterChains: []*listener.FilterChain{{ Filters: []*listener.Filter{{ - Name: util.HTTPConnectionManager, + Name: wellknown.HTTPConnectionManager, ConfigType: &listener.Filter_TypedConfig{ TypedConfig: pbst, }, @@ -497,7 +514,7 @@ func (l *Listener) createListener(params ListenerParams, paramsTLS TLSParams) *a ServerNames: []string{params.Conditions.Hostname}, } // add cert and key to tls listener - newListener.FilterChains[0].TlsContext = &auth.DownstreamTlsContext{ + tlsContext, err := ptypes.MarshalAny(&auth.DownstreamTlsContext{ CommonTlsContext: &auth.CommonTlsContext{ TlsCertificates: []*auth.TlsCertificate{ { @@ -514,6 +531,15 @@ func (l *Listener) createListener(params ListenerParams, paramsTLS TLSParams) *a }, }, }, + }) + if err != nil { + panic(err) + } + newListener.FilterChains[0].TransportSocket = &core.TransportSocket{ + Name: "tls", + ConfigType: &core.TransportSocket_TypedConfig{ + TypedConfig: tlsContext, + }, } } return newListener @@ -590,7 +616,7 @@ func (l *Listener) DeleteRoute(cache *WorkQueueCache, params ListenerParams, par } manager.RouteSpecifier = routeSpecifier - pbst, err := types.MarshalAny(&manager) + pbst, err := ptypes.MarshalAny(&manager) if err != nil { panic(err) } 
@@ -626,7 +652,7 @@ func (l *Listener) validateListeners(listeners []cache.Resource, clusterNames [] for _, virtualHostRoute := range virtualHost.Routes { if virtualHostRoute.Action != nil { switch reflect.TypeOf(virtualHostRoute.Action).String() { - case "*route.Route_Route": + case "*envoy_api_v2_route.Route_Route": clusterFound := false virtualHostRouteClusterName := virtualHostRoute.Action.(*route.Route_Route).Route.ClusterSpecifier.(*route.RouteAction_Cluster).Cluster for _, clusterName := range clusterNames { @@ -637,7 +663,7 @@ func (l *Listener) validateListeners(listeners []cache.Resource, clusterNames [] if !clusterFound { return false, fmt.Errorf("Cluster not found: %s", virtualHostRouteClusterName) } - case "*route.Route_DirectResponse": + case "*envoy_api_v2_route.Route_DirectResponse": logger.Debugf("Validation: DirectResponse, no cluster validation necessary") // no validation necessary default: @@ -652,7 +678,7 @@ func (l *Listener) validateListeners(listeners []cache.Resource, clusterNames [] return true, nil } -func (l *Listener) updateDefaultHTTPRouterFilter(filterName string, filterConfig *types.Any) { +func (l *Listener) updateDefaultHTTPRouterFilter(filterName string, filterConfig *any.Any) { updateHTTPFilterWithConfig(&l.httpFilter, filterName, filterConfig) } 
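Review bot: The `switch reflect.TypeOf(virtualHostRoute.Action).String()` in `validateListeners` dispatches on the generated package's name, which is exactly why this commit has to rewrite the case strings to `"*envoy_api_v2_route.Route_Route"`; a type switch on the interface value is immune to the next rename and also removes the unchecked `.(*route.Route_Route)` assertion that follows. The same string switch is patched in `printListener` and in listener_test.go's `validateAttributes` (both the path-specifier and the action switch) and would benefit from the same rewrite. The remaining `ClusterSpecifier.(*route.RouteAction_Cluster)` assertion still panics for a route carrying any other cluster specifier, so a checked `, ok` form or a `default` branch returning an error would be safer there too. `validateListeners` starts and ends outside these hunks.
```go
switch action := virtualHostRoute.Action.(type) {
case *route.Route_Route:
	clusterFound := false
	virtualHostRouteClusterName := action.Route.ClusterSpecifier.(*route.RouteAction_Cluster).Cluster
	// … unchanged: cluster lookup loop and "Cluster not found" error …
case *route.Route_DirectResponse:
	logger.Debugf("Validation: DirectResponse, no cluster validation necessary")
	// … unchanged: default branch …
```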
@@ -691,15 +717,15 @@ func (l *Listener) printListener(cache *WorkQueueCache) (string, error) { if virtualHostRoute.Match.GetPrefix() != "" { res += "Match prefix: " + virtualHostRoute.Match.GetPrefix() + "\n" } - if virtualHostRoute.Match.GetRegex() != "" { - res += "Match regex: " + virtualHostRoute.Match.GetRegex() + "\n" + if virtualHostRoute.Match.GetSafeRegex().GetRegex() != "" { + res += "Match regex: " + virtualHostRoute.Match.GetSafeRegex().GetRegex() + "\n" } } if virtualHostRoute.Action != nil { switch reflect.TypeOf(virtualHostRoute.Action).String() { - case "*route.Route_Route": + case "*envoy_api_v2_route.Route_Route": res += "Route action (cluster): " + virtualHostRoute.Action.(*route.Route_Route).Route.ClusterSpecifier.(*route.RouteAction_Cluster).Cluster + "\n" - case "*route.Route_DirectResponse": + case "*envoy_api_v2_route.Route_DirectResponse": res += "Route action (directResponse): " res += fmt.Sprint(virtualHostRoute.Action.(*route.Route_DirectResponse).DirectResponse.GetStatus()) + " " res += virtualHostRoute.Action.(*route.Route_DirectResponse).DirectResponse.Body.GetInlineString() + "\n" diff --git a/pkg/envoy/listener_test.go b/pkg/envoy/listener_test.go index 2f7c47d..61b6ead 100644 --- a/pkg/envoy/listener_test.go +++ b/pkg/envoy/listener_test.go 
@@ -9,12 +9,13 @@ import ( "time" api "github.com/envoyproxy/go-control-plane/envoy/api/v2" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" - "github.com/envoyproxy/go-control-plane/envoy/api/v2/route" + core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" + listener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" + route "github.com/envoyproxy/go-control-plane/envoy/api/v2/route" extAuthz "github.com/envoyproxy/go-control-plane/envoy/config/filter/http/ext_authz/v2" jwtAuth "github.com/envoyproxy/go-control-plane/envoy/config/filter/http/jwt_authn/v2alpha" hcm "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2" + matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher" "github.com/envoyproxy/go-control-plane/pkg/cache" "github.com/gogo/protobuf/types" "github.com/juju/loggo" 
@@ -637,12 +638,15 @@ func validateDomainTLS(listeners []cache.Resource, params ListenerParams, tlsPar
 if filterId == -1 {
 return fmt.Errorf("Filter not found for domain %s", params.Conditions.Hostname)
 }
-
- if len(cachedListener.FilterChains[filterId].TlsContext.CommonTlsContext.TlsCertificates) == 0 {
+ tlsContext, err := getTransportSocketDownStreamTlsSocket(cachedListener.FilterChains[filterId].GetTransportSocket().GetConfigType().(*core.TransportSocket_TypedConfig))
+ if err != nil {
+ panic(err)
+ }
+ if len(tlsContext.GetCommonTlsContext().GetTlsCertificates()) == 0 {
 return fmt.Errorf("No certificates found in filter chain for domain %s", params.Conditions.Hostname)
 }
- tlsBundle := cachedListener.FilterChains[filterId].TlsContext.CommonTlsContext.TlsCertificates[0].CertificateChain.Specifier.(*core.DataSource_InlineString).InlineString
- privateKey := cachedListener.FilterChains[filterId].TlsContext.CommonTlsContext.TlsCertificates[0].PrivateKey.Specifier.(*core.DataSource_InlineString).InlineString
+ tlsBundle := tlsContext.GetCommonTlsContext().TlsCertificates[0].CertificateChain.Specifier.(*core.DataSource_InlineString).InlineString
+ privateKey := tlsContext.GetCommonTlsContext().TlsCertificates[0].PrivateKey.Specifier.(*core.DataSource_InlineString).InlineString
 if tlsBundle != tlsParams.CertBundle {
 return fmt.Errorf("TLS bundle not found. Got: %s, Expected: %s", tlsBundle, tlsParams.CertBundle)
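Review bot: `panic(err)` after the getTransportSocketDownStreamTlsSocket call aborts the whole test binary on a malformed typed config, while every other failure in validateDomainTLS is reported through the returned error; `return fmt.Errorf("decoding TLS context for domain %s: %v", params.Conditions.Hostname, err)` keeps the helper consistent with the lines around it (the module is still on go 1.12, so `%v` rather than `%w`). The `GetConfigType().(*core.TransportSocket_TypedConfig)` assertion on the same line is unchecked as well and panics when the filter chain has no transport socket or carries a different config_type, which turns a validation failure into a crash; use the two-value form and return an error. validateDomainTLS begins and ends outside this hunk.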
@@ -699,16 +703,16 @@ func validateAttributes(manager hcm.HttpConnectionManager, params ListenerParams
 domainFound = true
 for _, r := range virtualhost.Routes {
 switch reflect.TypeOf(r.Match.PathSpecifier).String() {
- case "*route.RouteMatch_Prefix":
+ case "*envoy_api_v2_route.RouteMatch_Prefix":
 if r.Match.PathSpecifier.(*route.RouteMatch_Prefix).Prefix == params.Conditions.Prefix {
 prefixFound = true
 }
- case "*route.RouteMatch_Path":
+ case "*envoy_api_v2_route.RouteMatch_Path":
 if r.Match.PathSpecifier.(*route.RouteMatch_Path).Path == params.Conditions.Path {
 pathFound = true
 }
- case "*route.RouteMatch_Regex":
- if r.Match.PathSpecifier.(*route.RouteMatch_Regex).Regex == params.Conditions.Regex {
+ case "*envoy_api_v2_route.RouteMatch_SafeRegex":
+ if r.Match.PathSpecifier.(*route.RouteMatch_SafeRegex).SafeRegex.GetRegex() == params.Conditions.Regex {
 regexFound = true
 }
 default:
@@ -724,9 +728,9 @@ func validateAttributes(manager hcm.HttpConnectionManager, params ListenerParams
 }
 }
 switch reflect.TypeOf(r.Action).String() {
- case "*route.Route_Route":
+ case "*envoy_api_v2_route.Route_Route":
 // do nothing here
- case "*route.Route_DirectResponse":
+ case "*envoy_api_v2_route.Route_DirectResponse":
 d := r.Action.(*route.Route_DirectResponse).DirectResponse
 if params.DirectResponse.Status == d.GetStatus() && params.DirectResponse.Body == d.GetBody().GetInlineString() {
 directResponseFound = true
@@ -885,16 +889,16 @@ func validateJWT(manager hcm.HttpConnectionManager, params ListenerParams) error
 matchedEntries := 0
 for _, rule := range jwtConfig.Rules {
 switch reflect.TypeOf(rule.Match.PathSpecifier).String() {
- case "*route.RouteMatch_Prefix":
+ case "*envoy_api_v2_route.RouteMatch_Prefix":
 if rule.Match.PathSpecifier.(*route.RouteMatch_Prefix).Prefix == params.Conditions.Prefix {
 prefixFound = true
 }
- case "*route.RouteMatch_Path":
+ case "*envoy_api_v2_route.RouteMatch_Path":
 if rule.Match.PathSpecifier.(*route.RouteMatch_Path).Path == params.Conditions.Path {
 pathFound = true
 }
- case "*route.RouteMatch_Regex":
- if rule.Match.PathSpecifier.(*route.RouteMatch_Regex).Regex == params.Conditions.Regex {
+ case "*envoy_api_v2_route.RouteMatch_SafeRegex":
+ if rule.Match.PathSpecifier.(*route.RouteMatch_SafeRegex).SafeRegex.GetRegex() == params.Conditions.Regex {
 regexFound = true
 }
 default:
@@ -1037,3 +1041,25 @@ func validateAuthzConfig(authzConfig extAuthz.ExtAuthz, params ListenerParams, l
 return nil
 }
+
+func TestRegexMatcher(t *testing.T) {
+ a := &matcher.RegexMatcher{
+ Regex: "/a.*/",
+ }
+ b := &matcher.RegexMatcher{
+ Regex: "/a.*/",
+ }
+ c := &matcher.RegexMatcher{
+ Regex: "",
+ }
+ if !regexMatchEqual(a, b) {
+ t.Error("regex didn't match but should (a, b)")
+ return
+ }
+ if regexMatchEqual(b, c) {
+ t.Error("regex match but should (b, c)")
+ return
+ }
+
+ return
+}
diff --git a/pkg/envoy/listener_utils.go b/pkg/envoy/listener_utils.go
index 2de6824..7a77ab8 100644
--- a/pkg/envoy/listener_utils.go
+++ b/pkg/envoy/listener_utils.go
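Review bot: The failure message in the `(b, c)` branch of TestRegexMatcher says the opposite of what the branch checks — it fires when two different matchers compare equal — so it should read `t.Error("regex matched but should not (b, c)")`. The test never reaches the nil branches of regexMatchEqual, which hold most of its logic; add `if !regexMatchEqual(nil, nil) { t.Error("nil matchers should be equal") }` and `if regexMatchEqual(a, nil) { t.Error("nil and non-nil should differ") }`. The `t.Error` + `return` pairs can be `t.Fatal`, and the trailing bare `return` in a test function is unnecessary.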
@@ -2,14 +2,19 @@ package envoy
 import (
 "fmt"
+ "reflect"
 api "github.com/envoyproxy/go-control-plane/envoy/api/v2"
- "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener"
- "github.com/envoyproxy/go-control-plane/envoy/api/v2/route"
+ auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth"
+ core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
+ listener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener"
+ route "github.com/envoyproxy/go-control-plane/envoy/api/v2/route"
 extAuthz "github.com/envoyproxy/go-control-plane/envoy/config/filter/http/ext_authz/v2"
 jwtAuth "github.com/envoyproxy/go-control-plane/envoy/config/filter/http/jwt_authn/v2alpha"
 hcm "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2"
- "github.com/gogo/protobuf/types"
+ matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher"
+ "github.com/golang/protobuf/ptypes"
+ "github.com/golang/protobuf/ptypes/any"
 )
 // static listener functions
@@ -31,13 +36,25 @@ func getListenerHTTPConnectionManager(ll *api.Listener) (hcm.HttpConnectionManag
 func getManager(typedConfig *listener.Filter_TypedConfig) (hcm.HttpConnectionManager, error) {
 var manager hcm.HttpConnectionManager
- err := types.UnmarshalAny(typedConfig.TypedConfig, &manager)
+ err := ptypes.UnmarshalAny(typedConfig.TypedConfig, &manager)
 if err != nil {
 return manager, err
 }
 return manager, nil
 }
+
+func getTransportSocketDownStreamTlsSocket(typedConfig *core.TransportSocket_TypedConfig) (auth.DownstreamTlsContext, error) {
+ var tlsContext auth.DownstreamTlsContext
+
+ err := ptypes.UnmarshalAny(typedConfig.TypedConfig, &tlsContext)
+ if err != nil {
+ return tlsContext, err
+ }
+
+ return tlsContext, nil
+}
+
 func getListenerHTTPConnectionManagerTLS(ll *api.Listener, hostname string) (hcm.HttpConnectionManager, error) {
 var err error
 var manager hcm.HttpConnectionManager
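Review bot: getTransportSocketDownStreamTlsSocket dereferences `typedConfig.TypedConfig` without checking `typedConfig` for nil, and its only caller in this diff obtains the argument through an unchecked type assertion, so a filter chain without a typed transport socket ends in a panic rather than an error; add `if typedConfig == nil { return tlsContext, fmt.Errorf("transport socket has no typed config") }` before the unmarshal. The function also has no doc comment; something like `// getTransportSocketDownStreamTlsSocket decodes the DownstreamTlsContext carried in a filter chain's typed transport-socket config; ptypes.UnmarshalAny rejects an Any whose type_url is not that message.` states the contract and why the unmarshal is safe against a wrongly typed payload. The name's `DownStreamTls` would be `DownstreamTLS` under Go's initialism convention, matching the `DownstreamTlsContext` type it returns as closely as that allows.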
@@ -86,7 +103,7 @@ func getListenerHTTPFilterJwtAuth(httpFilter []*hcm.HttpFilter) (jwtAuth.JwtAuth
 if httpFilterPos == -1 {
 return jwtConfig, fmt.Errorf("HttpFilter for jwt missing")
 }
- err := types.UnmarshalAny(httpFilter[httpFilterPos].GetTypedConfig(), &jwtConfig)
+ err := ptypes.UnmarshalAny(httpFilter[httpFilterPos].GetTypedConfig(), &jwtConfig)
 if err != nil {
 return jwtConfig, err
 }
@@ -98,7 +115,7 @@ func getListenerHTTPFilterAuthz(httpFilter []*hcm.HttpFilter) (extAuthz.ExtAuthz
 if httpFilterPos == -1 {
 return authzConfig, fmt.Errorf("HttpFilter for authz missing")
 }
- err := types.UnmarshalAny(httpFilter[httpFilterPos].GetTypedConfig(), &authzConfig)
+ err := ptypes.UnmarshalAny(httpFilter[httpFilterPos].GetTypedConfig(), &authzConfig)
 if err != nil {
 return authzConfig, err
 }
@@ -154,7 +171,7 @@ func getListenerAttributes(params ListenerParams, paramsTLS TLSParams) (bool, st
 }
 return tls, targetPrefix, virtualHostName, listenerName, listenerPort, matchType
 }
-func updateHTTPFilterWithConfig(httpFilter *[]*hcm.HttpFilter, filterName string, filterConfig *types.Any) {
+func updateHTTPFilterWithConfig(httpFilter *[]*hcm.HttpFilter, filterName string, filterConfig *any.Any) {
 // check whether filter exists
 httpFilterPos := getListenerHTTPFilterIndex(filterName, *httpFilter)
@@ -204,7 +221,106 @@ func cmpMatch(a *route.RouteMatch, b *route.RouteMatch) bool {
 }
 }
- if !a.Equal(b) {
+ if !routeMatchEqual(a, b) {
+ return false
+ }
+
+ return true
+}
+
+func headerMatchEqual(a, b *route.HeaderMatcher) bool {
+ if a.GetName() != b.GetName() {
+ return false
+ }
+ if a.GetExactMatch() != b.GetExactMatch() {
+ return false
+ }
+ if a.GetInvertMatch() != b.GetInvertMatch() {
+ return false
+ }
+ if a.GetPrefixMatch() != b.GetPrefixMatch() {
+ return false
+ }
+ if a.GetRangeMatch() != b.GetRangeMatch() {
+ return false
+ }
+ if a.GetSafeRegexMatch().GetRegex() != b.GetSafeRegexMatch().GetRegex() {
+ return false
+ }
+ if a.GetPresentMatch() != b.GetPresentMatch() {
+ return false
+ }
+ if a.GetSafeRegexMatch() != b.GetSafeRegexMatch() {
+ return false
+ }
+ if a.GetSuffixMatch() != b.GetSuffixMatch() {
+ return false
+ }
+ return true
+}
+
+func regexMatchEqual(a, b *matcher.RegexMatcher) bool {
+ if a != nil {
+ if b == nil {
+ return false
+ }
+ if a.Regex != b.Regex {
+ return false
+ }
+ }
+ if b != nil {
+ if a == nil {
+ return false
+ }
+ if a.Regex != b.Regex {
+ return false
+ }
+ }
+ return true
+}
+
+func routeMatchEqual(a, b *route.RouteMatch) bool {
+ if a.GetPrefix() != b.GetPrefix() {
+ return false
+ }
+ if a.GetPath() != b.GetPath() {
+ return false
+ }
+ if !regexMatchEqual(a.GetSafeRegex(), b.GetSafeRegex()) {
+ return false
+ }
+
+ for _, v1 := range a.GetHeaders() {
+ isMatch := false
+ for _, v2 := range b.GetHeaders() {
+ if headerMatchEqual(v1, v2) {
+ isMatch = true
+ }
+ }
+ if !isMatch {
+ return false
+ }
+ }
+ return true
+}
+func routeActionEqual(a, b *route.Route) bool {
+ if reflect.TypeOf(a.Action).String() != reflect.TypeOf(b.Action).String() {
+ return false
+ }
+ switch reflect.TypeOf(a.Action).String() {
+ case "*envoy_api_v2_route.Route_Route":
+ cluster1 := a.Action.(*route.Route_Route).Route.ClusterSpecifier.(*route.RouteAction_Cluster).Cluster
+ cluster2 :=
b.Action.(*route.Route_Route).Route.ClusterSpecifier.(*route.RouteAction_Cluster).Cluster
+ if cluster1 != cluster2 {
+ return false
+ }
+ case "*envoy_api_v2_route.Route_DirectResponse":
+ status1 := a.Action.(*route.Route_DirectResponse).DirectResponse.GetStatus()
+ status2 := b.Action.(*route.Route_DirectResponse).DirectResponse.GetStatus()
+ if status1 != status2 {
+ return false
+ }
+ default:
 return false
 }
diff --git a/pkg/envoy/tracing.go b/pkg/envoy/tracing.go
index e05acab..b25f655 100644
--- a/pkg/envoy/tracing.go
+++ b/pkg/envoy/tracing.go
@@ -2,10 +2,10 @@ package envoy
 import (
 api "github.com/envoyproxy/go-control-plane/envoy/api/v2"
- "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener"
+ listener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener"
 hcm "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2"
 envoyType "github.com/envoyproxy/go-control-plane/envoy/type"
- "github.com/gogo/protobuf/types"
+ "github.com/golang/protobuf/ptypes"
 )
 type Tracing struct{}
@@ -33,7 +33,7 @@ func (t *Tracing) updateListenersWithTracing(cache *WorkQueueCache, tracing Trac
 }
 // update manager in cache
- pbst, err := types.MarshalAny(&manager)
+ pbst, err := ptypes.MarshalAny(&manager)
 if err != nil {
 return err
 }
diff --git a/pkg/envoy/workqueue.go b/pkg/envoy/workqueue.go
index 6cd615d..0cc0318 100644
--- a/pkg/envoy/workqueue.go
+++ b/pkg/envoy/workqueue.go
@@ -56,7 +56,7 @@ func NewWorkQueue(s storage.Storage, acmeContact string) (*WorkQueue, error) {
 return w, nil
 }
 func (w *WorkQueue) InitCache() cache.SnapshotCache {
- w.cache.snapshotCache = cache.NewSnapshotCache(false, Hasher{}, logger)
+ w.cache.snapshotCache = cache.NewSnapshotCache(false, Hasher{}, nil)
 return w.cache.snapshotCache
 }
 func (w *WorkQueue) InitCallback() *Callback {
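Review bot: headerMatchEqual compares `a.GetRangeMatch() != b.GetRangeMatch()` and `a.GetSafeRegexMatch() != b.GetSafeRegexMatch()` as pointers, so two separately built header matchers with the same range or regex are reported unequal unless they are the very same object, and the string comparison of `GetSafeRegexMatch().GetRegex()` a few lines earlier is made dead by the later pointer check; drop the pointer comparison of the regex matcher and compare the range by value, `if a.GetRangeMatch().GetStart() != b.GetRangeMatch().GetStart() || a.GetRangeMatch().GetEnd() != b.GetRangeMatch().GetEnd() { return false }`. routeMatchEqual only checks that every header of `a` has a counterpart in `b`, so a match with extra header constraints on the `b` side compares equal to one without them, which matters if cmpMatch decides whether a route with stricter conditions already exists; `if len(a.GetHeaders()) != len(b.GetHeaders()) { return false }` before the loop closes that. regexMatchEqual ignores the matcher's engine type, which may be intended but deserves a comment. cmpMatch starts before this hunk and routeActionEqual ends after it.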
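Review bot: Passing `nil` as the logger to `cache.NewSnapshotCache` in InitCache silences the snapshot cache's own diagnostics, which previously went to `logger`, so cache-side problems with node snapshots will no longer show up in roxprox's log; the cache appears to tolerate a nil logger, but the loss is silent. If the loggo logger no longer satisfies the `log.Logger` interface of go-control-plane v0.9.2, a small adapter such as `type cacheLogger struct{}` with `func (cacheLogger) Infof(f string, a ...interface{}) { logger.Infof(f, a...) }` plus whichever other methods that interface requires keeps the output while satisfying the new signature. If dropping the logger is deliberate, a one-line comment on the call, `// nil logger: cache diagnostics intentionally discarded`, records the decision.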
@@ -329,7 +329,7 @@ func InArray(a []string, v string) (ret bool, i int) {
 func (w *WorkQueue) updateXds() {
 now := time.Now().UnixNano()
 atomic.AddInt64(&w.cache.version, 1)
- w.latestSnapshot = cache.NewSnapshot(fmt.Sprint(now)+"-"+fmt.Sprint(w.cache.version), nil, w.cache.clusters, nil, w.cache.listeners)
+ w.latestSnapshot = cache.NewSnapshot(fmt.Sprint(now)+"-"+fmt.Sprint(w.cache.version), nil, w.cache.clusters, nil, w.cache.listeners, nil)
 var nodeUpdated []string
 for _, v := range w.callback.connections {
 if ret, _ := InArray(nodeUpdated, v.Id); !ret {
diff --git a/pkg/envoy/xds.go b/pkg/envoy/xds.go
index d03c81b..4bef0ef 100644
--- a/pkg/envoy/xds.go
+++ b/pkg/envoy/xds.go
@@ -1,6 +1,7 @@ package envoy
 import (
+ "context"
 "crypto/x509"
 "encoding/pem"
 "fmt"
@@ -42,7 +43,7 @@ func NewXDS(s storage.Storage, acmeContact, port string) *XDS {
 acmeContact: acmeContact,
 }
- server := xds.NewServer(x.workQueue.InitCache(), x.workQueue.InitCallback())
+ server := xds.NewServer(context.Background(), x.workQueue.InitCache(), x.workQueue.InitCallback())
 if port != "" {
 grpcServer := grpc.NewServer()
 lis, _ := net.Listen("tcp", ":"+port)
diff --git a/pkg/envoy/xds_test.go b/pkg/envoy/xds_test.go
index feb15bd..0d9922b 100644
--- a/pkg/envoy/xds_test.go
+++ b/pkg/envoy/xds_test.go
@@ -5,7 +5,7 @@ import (
 "strings"
 "testing"
- "github.com/envoyproxy/go-control-plane/envoy/api/v2/route"
+ route "github.com/envoyproxy/go-control-plane/envoy/api/v2/route"
 "github.com/in4it/roxprox/pkg/storage"
 localStorage "github.com/in4it/roxprox/pkg/storage/local"
 "github.com/juju/loggo"
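Review bot: The rewritten `cache.NewSnapshot(...)` line reads `w.cache.version` with a plain load right after `atomic.AddInt64(&w.cache.version, 1)`, mixing atomic and non-atomic access to the same word; if updateXds can run on more than one goroutine the race detector flags this and the version string can carry a stale or torn value. Use the increment's result instead: `version := atomic.AddInt64(&w.cache.version, 1)` and `fmt.Sprint(now)+"-"+fmt.Sprint(version)` in the NewSnapshot call. The new trailing `nil` argument (the runtimes resource list, going by the v0.9 signature) deserves a short comment such as `// no runtime resources`, since a bare nil at the end of a six-argument call says nothing to the reader. updateXds continues past the end of this hunk.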
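Review bot: `context.Background()` handed to `xds.NewServer` is never cancelled, so the xDS server and the per-stream goroutines it starts have no shutdown signal at all; derive it with `ctx, cancel := context.WithCancel(context.Background())`, pass `ctx`, and keep `cancel` on the XDS value (the struct is defined outside this hunk) so a later stop path can end the streams. Two context lines below, `lis, _ := net.Listen("tcp", ":"+port)` still discards the listen error, and a nil listener reaching Serve will panic; since this constructor is being touched, `if err != nil { return nil, err }` or a logged fatal is worth adding. The `grpc.NewServer()` on that port carries no transport credentials while the streams it serves deliver the listeners' inline TLS private keys (validateDomainTLS in this diff reads them as `InlineString`), so whether the port is bound to a trusted network or needs TLS/mTLS credentials should be stated in a comment or enforced here. NewXDS continues past the end of this hunk.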