
Commit bf9a1ae

sayborasmichi-covalent
authored andcommitted
bugtool: Add post-processing masking function for Envoy
[upstream commit 48a9976] This commit explicitly masks the following fields in the Envoy config dump: - api_key (used in the Kafka L7 policy) - TLSContext (used in Cilium NetworkPolicy) One round of scanning of the existing Cilium protobuf definitions was done. Related docs: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--config_dump Signed-off-by: Tam Mach <tam.mach@cilium.io>
1 parent 958d7b7 commit bf9a1ae


1 file changed

+45
-4
lines changed


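--- a/bugtool/cmd/root.go
+++ b/bugtool/cmd/root.go
@@ -174,6 +174,18 @@ func isValidArchiveType(archiveType string) bool {
 
 type postProcessFunc func(output []byte) ([]byte, error)
 
+var envoySecretMask = jsonFieldMaskPostProcess([]string{
+// Cilium LogEntry -> KafkaLogEntry{l7} -> KafkaLogEntry{api_key}
+"api_key",
+// This could be from one of the following:
+// - Cilium NetworkPolicy -> PortNetworkPolicy{ingress_per_port_policies, egress_per_port_policies}
+// -> PortNetworkPolicyRule{rules} -> TLSContext{downstream_tls_context, upstream_tls_context}
+// - Upstream Envoy tls_certificate
+"trusted_ca",
+"certificate_chain",
+"private_key",
+})
+
 func runTool() {
 // Validate archive type
 if !isValidArchiveType(archiveType) {
@@ -220,13 +232,13 @@ func runTool() {
 }
 } else {
 if envoyDump {
-if err := dumpEnvoy(cmdDir, "http://admin/config_dump?include_eds", "envoy-config.json"); err != nil {
+if err := dumpEnvoy(cmdDir, "http://admin/config_dump?include_eds", "envoy-config.json", envoySecretMask); err != nil {
 fmt.Fprintf(os.Stderr, "Unable to dump envoy config: %s\n", err)
 }
 }
 
 if envoyMetrics {
-if err := dumpEnvoy(cmdDir, "http://admin/stats/prometheus", "envoy-metrics.txt"); err != nil {
+if err := dumpEnvoy(cmdDir, "http://admin/stats/prometheus", "envoy-metrics.txt", nil); err != nil {
 fmt.Fprintf(os.Stderr, "Unable to retrieve envoy prometheus metrics: %s\n", err)
 }
 }
@@ -520,7 +532,7 @@ func dumpHubbleMetrics(rootDir string) error {
 return downloadToFile(httpClient, url, filepath.Join(rootDir, "hubble-metrics.txt"))
 }
 
-func dumpEnvoy(rootDir string, resource string, fileName string) error {
+func dumpEnvoy(rootDir string, resource string, fileName string, postProcess postProcessFunc) error {
 // curl --unix-socket /var/run/cilium/envoy-admin.sock http:/admin/config_dump\?include_eds > dump.json
 c := &http.Client{
 Transport: &http.Transport{
@@ -529,7 +541,11 @@ func dumpEnvoy(rootDir string, resource string, fileName string) error {
 },
 },
 }
-return downloadToFile(c, resource, filepath.Join(rootDir, fileName))
+
+if postProcess == nil {
+return downloadToFile(c, resource, filepath.Join(rootDir, fileName))
+}
+return downloadToFileWithPostProcess(c, resource, filepath.Join(rootDir, fileName), postProcess)
 }
 
 func pprofTraces(rootDir string, pprofDebug int) error {
@@ -593,3 +609,28 @@ func downloadToFile(client *http.Client, url, file string) error {
 _, err = io.Copy(out, resp.Body)
 return err
 }
+
+// downloadToFileWithPostProcess downloads the content from the given URL and writes it to the given file.
+// The content is then post-processed using the given postProcess function before being written to the file.
+// Note: Please use downloadToFile instead of this function if no post-processing is required.
+func downloadToFileWithPostProcess(client *http.Client, url, file string, postProcess postProcessFunc) error {
+resp, err := client.Get(url)
+if err != nil {
+return err
+}
+defer resp.Body.Close()
+if resp.StatusCode != http.StatusOK {
+return fmt.Errorf("bad status: %s", resp.Status)
+}
+
+b, err := io.ReadAll(resp.Body)
+if err != nil {
+return err
+}
+
+b, err = postProcess(b)
+if err != nil {
+return err
+}
+return os.WriteFile(file, b, 0644)
+}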
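Review bot: `return os.WriteFile(file, b, 0644)` at the end of downloadToFileWithPostProcess creates the masked dump world-readable, which sits oddly with this path existing precisely because the content may carry TLS private keys that a name-based mask does not catch; `return os.WriteFile(file, b, 0600)` is the safer default (downloadToFile's own file mode is outside this hunk, so whether the two paths now differ cannot be seen here). envoySecretMask is a denylist keyed on JSON field names, so a secret stored under any other key — a future Cilium proto field, or a DataSource spelled differently by upstream Envoy — passes through unchanged; a cheap belt-and-braces check specific to the Envoy dump is to wrap the mask so it refuses output that still carries PEM markers, e.g. `if bytes.Contains(out, []byte("-----BEGIN")) { return nil, fmt.Errorf("masked envoy dump still contains PEM material") }` (bytes may need importing; jsonFieldMaskPostProcess itself is not in view). Separately, in the Kafka wire protocol api_key is the numeric request type (Produce, Fetch, …) rather than a credential, so masking it per the comment on new line 178 presumably drops diagnostic value without protecting a secret — worth confirming against the KafkaLogEntry proto before this ships. Finally, `io.ReadAll` buffers the entire config_dump?include_eds response in memory where downloadToFile streams it; acceptable for a diagnostic tool, but the doc comment should say so, e.g. `// The whole response is buffered in memory so it can be masked before it touches disk.`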
