tls: splitting config into downstream and upstream

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
envoyproxy · May 9, 2024 · d901731 · d901731
1 parent 7b7ab06
commit d901731
Show file tree

Hide file tree

Showing 13 changed files with 141 additions and 53 deletions.
diff --git a/mobile/envoy_build_config/BUILD b/mobile/envoy_build_config/BUILD
@@ -43,7 +43,7 @@ envoy_cc_library(
         "@envoy//source/extensions/request_id/uuid:config",
         "@envoy//source/extensions/transport_sockets/http_11_proxy:upstream_config",
         "@envoy//source/extensions/transport_sockets/raw_buffer:config",
-        "@envoy//source/extensions/transport_sockets/tls:config",
+        "@envoy//source/extensions/transport_sockets/tls:upstream_config",
         "@envoy//source/extensions/upstreams/http/generic:config",
         "@envoy_mobile//library/common/extensions/cert_validator/platform_bridge:config",
         "@envoy_mobile//library/common/extensions/filters/http/local_error:config",

diff --git a/mobile/envoy_build_config/extension_registry.cc b/mobile/envoy_build_config/extension_registry.cc
@@ -28,7 +28,7 @@
 #include "source/extensions/request_id/uuid/config.h"
 #include "source/extensions/transport_sockets/http_11_proxy/config.h"
 #include "source/extensions/transport_sockets/raw_buffer/config.h"
-#include "source/extensions/transport_sockets/tls/config.h"
+#include "source/extensions/transport_sockets/tls/upstream_config.h"
 #include "source/extensions/upstreams/http/generic/config.h"
 
 #ifdef ENVOY_MOBILE_ENABLE_LISTENER

diff --git a/mobile/envoy_build_config/extensions_build_config.bzl b/mobile/envoy_build_config/extensions_build_config.bzl
@@ -24,7 +24,7 @@ EXTENSIONS = {
     "envoy.retry.options.network_configuration":           "@envoy_mobile//library/common/extensions/retry/options/network_configuration:config",
     "envoy.transport_sockets.http_11_proxy":               "//source/extensions/transport_sockets/http_11_proxy:upstream_config",
     "envoy.transport_sockets.raw_buffer":                  "//source/extensions/transport_sockets/raw_buffer:config",
-    "envoy.transport_sockets.tls":                         "//source/extensions/transport_sockets/tls:config",
+    "envoy.transport_sockets.tls":                         "//source/extensions/transport_sockets/tls:upstream_config",
     "envoy.http.stateful_header_formatters.preserve_case": "//source/extensions/http/header_formatters/preserve_case:config",
     "envoy_mobile.cert_validator.platform_bridge_cert_validator": "@envoy_mobile//library/common/extensions/cert_validator/platform_bridge:config",
     "envoy.listener_manager_impl.api":                     "@envoy_mobile//library/common/extensions/listener_managers/api_listener_manager:api_listener_manager_lib",

diff --git a/mobile/test/performance/files_em_does_not_use b/mobile/test/performance/files_em_does_not_use
@@ -10,3 +10,4 @@ source/server/options_impl.cc
 source/extensions/access_loggers/common/file_access_log_impl.h
 source/common/router/scoped_rds.h
 source/extensions/load_balancing_policies/subset/subset_lb.h
+source/extensions/transport_sockets/tls/upstream_config.h
diff --git a/source/exe/BUILD b/source/exe/BUILD
@@ -158,6 +158,7 @@ envoy_cc_library(
         ":main_common_with_all_extensions_lib",
         # These are compiled as extensions so Envoy Mobile doesn't have to link them in.
         # Envoy requires them.
+        "//source/extensions/transport_sockets/tls:config",
         "//source/common/listener_manager:listener_manager_lib",
         "//source/extensions/listener_managers/validation_listener_manager:validation_listener_manager_lib",
         "//source/common/version:version_linkstamp",

diff --git a/source/extensions/all_extensions.bzl b/source/extensions/all_extensions.bzl
@@ -6,7 +6,6 @@ load("@envoy_build_config//:extensions_build_config.bzl", "EXTENSIONS")
 _required_extensions = {
     "envoy.http.original_ip_detection.xff": "//source/extensions/http/original_ip_detection/xff:config",
     "envoy.request_id.uuid": "//source/extensions/request_id/uuid:config",
-    "envoy.transport_sockets.tls": "//source/extensions/transport_sockets/tls:config",
     # To provide default round robin load balancer.
     "envoy.load_balancing_policies.round_robin": "//source/extensions/load_balancing_policies/round_robin:config",
 }

diff --git a/source/extensions/transport_sockets/tls/BUILD b/source/extensions/transport_sockets/tls/BUILD
@@ -1,6 +1,7 @@
 load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_extension",
+    "envoy_cc_library",
     "envoy_extension_package",
 )
 
@@ -10,17 +11,52 @@ licenses(["notice"])  # Apache 2
 
 envoy_extension_package()
 
-envoy_cc_extension(
-    name = "config",
-    srcs = ["config.cc"],
+envoy_cc_library(
+    name = "base_config",
     hdrs = ["config.h"],
-    # TLS is core functionality.
-    visibility = ["//visibility:public"],
     deps = [
         "//envoy/network:transport_socket_interface",
         "//envoy/registry",
         "//envoy/server:transport_socket_config_interface",
         "//source/common/tls:ssl_socket_lib",
+    ],
+)
+
+envoy_cc_library(
+    name = "downstream_config",
+    srcs = ["downstream_config.cc"],
+    hdrs = ["downstream_config.h"],
+    deps = [
+        ":base_config",
+        "//envoy/network:transport_socket_interface",
+        "//envoy/registry",
+        "//envoy/server:transport_socket_config_interface",
+        "//source/common/tls:ssl_socket_lib",
         "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
     ],
+    alwayslink = True,
+)
+
+envoy_cc_library(
+    name = "upstream_config",
+    srcs = ["upstream_config.cc"],
+    hdrs = ["upstream_config.h"],
+    deps = [
+        ":base_config",
+        "//envoy/network:transport_socket_interface",
+        "//envoy/registry",
+        "//envoy/server:transport_socket_config_interface",
+        "//source/common/tls:ssl_socket_lib",
+        "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
+    ],
+    alwayslink = True,
+)
+
+envoy_cc_extension(
+    name = "config",
+    visibility = ["//visibility:public"],
+    deps = [
+        ":downstream_config",
+        ":upstream_config",
+    ],
 )
diff --git a/source/extensions/transport_sockets/tls/config.h b/source/extensions/transport_sockets/tls/config.h
@@ -18,30 +18,6 @@ class SslSocketConfigFactory : public virtual Server::Configuration::TransportSo
   std::string name() const override { return "envoy.transport_sockets.tls"; }
 };
 
-class UpstreamSslSocketFactory : public Server::Configuration::UpstreamTransportSocketConfigFactory,
-                                 public SslSocketConfigFactory {
-public:
-  Network::UpstreamTransportSocketFactoryPtr createTransportSocketFactory(
-      const Protobuf::Message& config,
-      Server::Configuration::TransportSocketFactoryContext& context) override;
-  ProtobufTypes::MessagePtr createEmptyConfigProto() override;
-};
-
-DECLARE_FACTORY(UpstreamSslSocketFactory);
-
-class DownstreamSslSocketFactory
-    : public Server::Configuration::DownstreamTransportSocketConfigFactory,
-      public SslSocketConfigFactory {
-public:
-  Network::DownstreamTransportSocketFactoryPtr
-  createTransportSocketFactory(const Protobuf::Message& config,
-                               Server::Configuration::TransportSocketFactoryContext& context,
-                               const std::vector<std::string>& server_names) override;
-  ProtobufTypes::MessagePtr createEmptyConfigProto() override;
-};
-
-DECLARE_FACTORY(DownstreamSslSocketFactory);
-
 } // namespace Tls
 } // namespace TransportSockets
 } // namespace Extensions

diff --git a/...xtensions/transport_sockets/tls/config.cc → ...ransport_sockets/tls/downstream_config.cc b/...xtensions/transport_sockets/tls/config.cc → ...ransport_sockets/tls/downstream_config.cc
@@ -1,4 +1,4 @@
-#include "source/extensions/transport_sockets/tls/config.h"
+#include "source/extensions/transport_sockets/tls/downstream_config.h"
 
 #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
 #include "envoy/extensions/transport_sockets/tls/v3/tls.pb.validate.h"
@@ -12,25 +12,6 @@ namespace Extensions {
 namespace TransportSockets {
 namespace Tls {
 
-Network::UpstreamTransportSocketFactoryPtr UpstreamSslSocketFactory::createTransportSocketFactory(
-    const Protobuf::Message& message,
-    Server::Configuration::TransportSocketFactoryContext& context) {
-  auto client_config = std::make_unique<ClientContextConfigImpl>(
-      MessageUtil::downcastAndValidate<
-          const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext&>(
-          message, context.messageValidationVisitor()),
-      context);
-  return std::make_unique<ClientSslSocketFactory>(
-      std::move(client_config), context.sslContextManager(), context.statsScope());
-}
-
-ProtobufTypes::MessagePtr UpstreamSslSocketFactory::createEmptyConfigProto() {
-  return std::make_unique<envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext>();
-}
-
-LEGACY_REGISTER_FACTORY(UpstreamSslSocketFactory,
-                        Server::Configuration::UpstreamTransportSocketConfigFactory, "tls");
-
 Network::DownstreamTransportSocketFactoryPtr
 DownstreamSslSocketFactory::createTransportSocketFactory(
     const Protobuf::Message& message, Server::Configuration::TransportSocketFactoryContext& context,

diff --git a/source/extensions/transport_sockets/tls/downstream_config.h b/source/extensions/transport_sockets/tls/downstream_config.h
@@ -0,0 +1,29 @@
+#pragma once
+
+#include "envoy/registry/registry.h"
+#include "envoy/server/transport_socket_config.h"
+
+#include "source/extensions/transport_sockets/tls/config.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+class DownstreamSslSocketFactory
+    : public Server::Configuration::DownstreamTransportSocketConfigFactory,
+      public SslSocketConfigFactory {
+public:
+  Network::DownstreamTransportSocketFactoryPtr
+  createTransportSocketFactory(const Protobuf::Message& config,
+                               Server::Configuration::TransportSocketFactoryContext& context,
+                               const std::vector<std::string>& server_names) override;
+  ProtobufTypes::MessagePtr createEmptyConfigProto() override;
+};
+
+DECLARE_FACTORY(DownstreamSslSocketFactory);
+
+} // namespace Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy
diff --git a/source/extensions/transport_sockets/tls/upstream_config.cc b/source/extensions/transport_sockets/tls/upstream_config.cc
@@ -0,0 +1,37 @@
+#include "source/extensions/transport_sockets/tls/upstream_config.h"
+
+#include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
+#include "envoy/extensions/transport_sockets/tls/v3/tls.pb.validate.h"
+
+#include "source/common/protobuf/utility.h"
+#include "source/common/tls/context_config_impl.h"
+#include "source/common/tls/ssl_socket.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+Network::UpstreamTransportSocketFactoryPtr UpstreamSslSocketFactory::createTransportSocketFactory(
+    const Protobuf::Message& message,
+    Server::Configuration::TransportSocketFactoryContext& context) {
+  auto client_config = std::make_unique<ClientContextConfigImpl>(
+      MessageUtil::downcastAndValidate<
+          const envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext&>(
+          message, context.messageValidationVisitor()),
+      context);
+  return std::make_unique<ClientSslSocketFactory>(
+      std::move(client_config), context.sslContextManager(), context.statsScope());
+}
+
+ProtobufTypes::MessagePtr UpstreamSslSocketFactory::createEmptyConfigProto() {
+  return std::make_unique<envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext>();
+}
+
+LEGACY_REGISTER_FACTORY(UpstreamSslSocketFactory,
+                        Server::Configuration::UpstreamTransportSocketConfigFactory, "tls");
+
+} // namespace Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy
diff --git a/source/extensions/transport_sockets/tls/upstream_config.h b/source/extensions/transport_sockets/tls/upstream_config.h
@@ -0,0 +1,27 @@
+#pragma once
+
+#include "envoy/registry/registry.h"
+#include "envoy/server/transport_socket_config.h"
+
+#include "source/extensions/transport_sockets/tls/config.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+class UpstreamSslSocketFactory : public Server::Configuration::UpstreamTransportSocketConfigFactory,
+                                 public SslSocketConfigFactory {
+public:
+  Network::UpstreamTransportSocketFactoryPtr createTransportSocketFactory(
+      const Protobuf::Message& config,
+      Server::Configuration::TransportSocketFactoryContext& context) override;
+  ProtobufTypes::MessagePtr createEmptyConfigProto() override;
+};
+
+DECLARE_FACTORY(UpstreamSslSocketFactory);
+
+} // namespace Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy
diff --git a/tools/code_format/config.yaml b/tools/code_format/config.yaml
@@ -414,3 +414,4 @@ visibility_excludes:
 - source/extensions/load_balancing_policies/random/
 - source/extensions/load_balancing_policies/cluster_provided/
 - source/extensions/filters/http/match_delegate/
+- source/extensions/transport_sockets/tls/