Sds api: implement SDS api

[JimmyCYJ]

Implement SDS api which fetches dynamic secrets.

Description:
Implement SDS api that fetches secrets from remote SDS server. Secrets are stored in Secret Manager.
Updating secrets at listener and cluster will follow.

From the high level design PR: #3748,
or a smaller PR (istio#4) which has removed the changes from this PR and #3754.

Here is the lifetime and ownership of DynamicSecretProvider.

1. Same config_source shares same DynamicSecretProvider object.
2. Each ContextConfigImpl owns a ref_count to the DynamicSecretProvider object.
3. ContextConfigImpl is owned by SslSocketFactory which is owned by ListenImpl.

When all ListenImpl instances are going away, DynamicSecretProvider object will be deleted.

Here is the relationship between SecretCallback and DynamicSecretProvider.

1. Multiple ContextConfigImpl instances may share same DynamicSecretProvider If they have same config_source.
2. SslSocketFactory owns ContextConfigImpl and Context. It implements SecretCallback interface to wait for dynamic secret update. The callback is registered to DynamicSecretProvider. When the secret is updated, the callback will be called. SslSocketFactory will create a new Context, the new connections will start to use the new Context.
3. Context is shared_ptr. The ssl_socket is holding a ref_count of Context to keep the Context it is using alive.

Risk Level: Low

Fixes #1194

Signed-off-by: Jimmy Chen jimmychen.0102@gmail.com

[lizan]

use {{ test_rundir }} and substitute, same for readFileToStringForTest below

[JimmyCYJ]

Done. Thanks!

[lizan]

I think you can just use StreamSecrets here, no?

[JimmyCYJ]

Changed to StreamSecrets and removed TODO.

[lizan]

@JimmyCYJ can you take a look on test failures?

@PiotrSikora @mattklein123 PTAL once test passes.

[mattklein123]

Please ping me when ready.

[JimmyCYJ]

@lizan both coverage and ipv6_tests show that some directories do not exist. I am not clear how to fix them. Have you seen that before?
"bazel-out/k8-dbg/genfiles/external/com_lyft_protoc_gen_validate: warning: directory does not exist.
bazel-out/k8-dbg/genfiles/external/com_google_protobuf/src: warning: directory does not exist.
bazel-out/k8-dbg/genfiles/external/googleapis: warning: directory does not exist."

[lizan]

@JimmyCYJ you can ignore those warnings, download full log. The coverage failure is due to the test coverage is 97.9%, which is below envoy threshold 98.0%.

See https://67413-65214191-gh.circle-artifacts.com/0/build/envoy/generated/coverage/coverage.html for detail reports.

[qiwzhang]

not need for this destructor. or just change SecretManagerUtil to namespace

[qiwzhang]

it seems that it is only used in one place, so not need to have it as a separate file. call in inside the findOrCreateDynamicSecretProvider.

[qiwzhang]

Rename it to readCertChainConfig

[qiwzhang]

Where is this function defined?

[qiwzhang]

can we combine this static secret config with overall config defined in line 307? I think it will be easier to read.

[JimmyCYJ]

Per offline discussion, I am going to keep it this way.

[qiwzhang]

Wrap it with NiceMock<> to eliminate these warnings:

Uninteresting mock function call - taking default action specified at:
test/mocks/server/mocks.cc:124:
Function call: random()
Returns: @0x7ffff7fc3ff8 8-byte object <F8-F5 C6-04 00-00 00-00>
unknown file: Failure

[JimmyCYJ]

@mattklein123, would you mind to take a look? Thanks!

[mattklein123]

Thanks for working on this. Some comments to get started. I didn't review tests yet. Please make sure you have 100% test coverage for all the code you added. Thank you!

[mattklein123]

Is the plan here to add other secret types? Otherwise should this be named DynamicTlsCertificateSecretProvider or similar?

[JimmyCYJ]

Yes, we plan to support other secret types, https://github.com/envoyproxy/data-plane-api/blob/master/envoy/api/v2/auth/cert.proto#L320. Is it okay to add TODO here and keep the name?

[mattklein123]

This is a bit different from the static secret API, so I would match what we did there and make these typed, or change static to be similar.

[JimmyCYJ]

I see. Then I will rename it to DynamicTlsCertificateSecretProvider. Thanks!

[mattklein123]

per comment above should this be specific to TlsCertificates for now like the static versions?

[mattklein123]

why is this needed?

[JimmyCYJ]

This method is going to be used in next PR. Please refer to our high level design PR(https://github.com/envoyproxy/envoy/pull/3748/files). For example, ContextManagerImpl::createSslClientContext() needs this method to decide whether to create ssl client context.
I find it is convenient to use this method in tests when I add tests into context_impl_test.cc.

[mattklein123]

Sorry I don't have time to go through the other change. It seems a bit odd to have an isValid() on this. The context should always be valid or it should throw an exception, so I would change the logic and remove this. Is there something I'm missing here?

[JimmyCYJ]

Maybe isValid() is not accurate. It returns true if we have static secrets to create context, or we have created a dynamic secret provider and the provider has downloaded secrets already. We are going to check if secrets are ready or not before creating any context objects. If we have created a secret provider but that provider has not downloaded any secret, then we should not create context. Does that make sense? Is it better to rename it to isSecretAvailable()?

[mattklein123]

What will you do if the secrets aren't ready? Can this ever happen with warming? I don't think it should ever happen...

[JimmyCYJ]

We are considering that if the gRPC connection breaks when envoy is waiting for secrets, then maybe we need isValid() before creating context. I am going to remove isValid() from this PR, and come up with a better idea in the next PR.

[mattklein123]

can this return a const pointer?

[JimmyCYJ]

According to high level design PR(https://github.com/envoyproxy/envoy/pull/3748/files), this method is needed for adding and removing callbacks. Perhaps I can remove it from this PR.

[mattklein123]

Please remove code that is not used in this PR. It's hard to review without context.

[mattklein123]

Should this be moved into https://github.com/envoyproxy/envoy/blob/master/source/common/config/utility.h or some other common location? Also, can we just use https://github.com/envoyproxy/envoy/blob/master/source/common/protobuf/utility.h#L141 here?

[JimmyCYJ]

Thanks for the advice! I will use MessageUtil::hash() to replace this hash function.

[mattklein123]

don't we need to throw some type of config error here if neither of the above cases are true?

[JimmyCYJ]

I think it is okay to do nothing here. Without this change, the readConfig() returns empty string.
https://github.com/envoyproxy/envoy/blob/master/source/common/ssl/context_config_impl.cc#L19
In that case cert_chain_ and private_key_ are empty. I am trying to make this readCertChainConfig() consistent with existing behavior.

[mattklein123]

const

[mattklein123]

Why is this lock needed? AFAICT all processing in this area should happen on the main thread.

[JimmyCYJ]

This lock will be removed.

[mattklein123]

Why is this lock needed?

[JimmyCYJ]

It is not needed. I will remove this lock and the one above.

[mattklein123]

Where do you handle removal? If there is no removal do we need a weak pointer here? Though it seems like we should handle removal?

[JimmyCYJ]

I have updated the PR description, that covers the lifetime and ownership of DynamicTlsCertificateSecretProvider. This DynamicTlsCertificateSecretProvider object will be removed if nobody is using it. The weak_ptr entry will remain in this map.

[JimmyCYJ]

Both SdsApi and SecretManager are covered 100%
https://68858-65214191-gh.circle-artifacts.com/0/build/envoy/generated/coverage/coverage.source_common_secret_sds_api.cc.html,
https://68858-65214191-gh.circle-artifacts.com/0/build/envoy/generated/coverage/coverage.source_common_secret_secret_manager_impl.cc.html

[JimmyCYJ]

@mattklein123 PTAL, thanks!

[mattklein123]

Few more comments to work through, then will take another pass.

[mattklein123]

const std::string& config_name

[mattklein123]

is this needed?

[mattklein123]

del

[mattklein123]

I don't believe this is correct in all cases. For listener secrets, you are going to need to use the listener init manager, not the server manager. Likewise for cluster secrets you need to use the cluster init manager (which might be the server during startup). You should remove all references to server in these files are pass the init manager directly.

[JimmyCYJ]

Thanks for pointing this out.

I think we can add this method into SdsApi,

void SdsApi::registerInitTarget(Init::Manager& init_manager) {
  init_manager.registerTarget(*this);
}

and add secret_provider_->registerInitTarget(init_manager) into ContextConfigImpl::readCertChainConfig().

We can add accessor virtual Init::Manager&initManager() PURE into Configuration::TransportSocketFactoryContext.

1. Pass listener init manager to ContextConfigImpl.
   As ListenerImpl inherits TransportSocketFactoryContext and provides initManager(), we can modify ServerContextConfigImpl(), and pass context.initManager() into ServerContextConfigImpl() via DownstreamSslSocketFactory::createTransportSocketFactory(), and then pass initManager to ContextConfigImpl().

2. Pass cluster init manager to ContextConfigImpl.
   To pass cluster init manager to ClientContextConfigImpl, we can implement ClusterInfoImpl::initManager(), as ClusterInfoImpl inherits Server::Configuration::TransportSocketFactoryContext(). Then pass initManager to ClientContextConfigImpl() via UpstreamSslSocketFactory::createTransportSocketFactory().

Does this make sense? I haven't figured out an convenient way to pass initManager to ClusterInfoImpl. Not sure if it is okay to just let ClusterInfoImpl::initManager() return secret_manager_.Server() (assume that we expose SecretManager::server_). Do you have any suggestions? Thanks!

[mattklein123]

No, we definitely cannot add any concept of InitManager to ClusterInfo. The init manager stuff must happen on the main thread only and cluster info is a multi-threaded concept. I would need to sit down with the code in detail to figure out the right way to handle this, but it's possible that the overall design will need rethinking. In the mean time I would consult with @lizan and @PiotrSikora and see if they can help you.

[JimmyCYJ]

@mattklein123 @lizan and @PiotrSikora I have added a new member sds_init_manager_ into ClusterImplBase, and register SdsApi target at sds_init_manager_. sds_init_manager_ initializes registered targets when ClusterImplBase::onPreInitComplete() is called.

Both cluster init manager and listener manager are passed to TransportSocketFactoryContext, so that ContextConfigImpl could use init manager to create SdsApi objects.

[qiwzhang]

If context_config object is holding a reference to init_manager, need to make sure its life time is longer than context_config. For LDS, its initManager is the whole ListenerImpl, which is fine. Not sure about ClusterManagerImpl initManager, what is its lifetime?

[JimmyCYJ]

Per offline discussion, this init_manager_ is now removed from ContextConfigImpl. Only the ClusterInfoImpl owns a reference to ClusterImplBase::sds_init_manager_.

We registered SDS api at this init manager within the constructor of ClusterInfoImpl, and ClusterInfoImpl is created by the constructor of ClusterImplBase.

This ClusterImplBase::sds_init_manager_ is only called to initialize SDS api within ClusterImplBase::onPreInitComplete(). Nobody is using it once ClusterImplBase is destructed. I think it is safe.

[qiwzhang]

please add comment to state that this init_manager is only used by SDS api.

[qiwzhang]

This is wrong.

How about split the ClusterImplBase::onPreInitComplete into following two functions:

ClusterImplBase::onPreInitComplete() {
   sds_init_manager_.initialize( [this]() { onSdsInitDone(); });
}

ClusterImplBase::onSdsInitDone() {
// exact same code as onPreInitComplete
}

[mattklein123]

I'm going to look at this change in detail later today. Something about all of this does not sound right to me, but until I look in detail I don't have a lot to say about it.

[qiwzhang]

update the comment as:
At this point, shared init starts sds_init_manager_ initialization and determines if there is an initial health check pass needed, etc.

[mattklein123]

@JimmyCYJ @lizan @PiotrSikora I went through the code. Largely, I think we are in good shape, but there is something I think we need to change to not confuse things in the future. I don't think it's a super fundamental design change so I think it shouldn't be too hard to do. I'm going to describe my concerns and the solutions below.

Primarily, the cluster init manager has be owned by the cluster manager, and not the cluster info. The cluster manager is actually where init happens and in the future we might add other things that require init at this level. So we we want to add an init manager concept within the cluster manager, and pass that through as needed.

Concretely, there are two changes I would like to make:

1. Instead of creating an SDS specific init manager within cluster info, I would like you to handle it at the cluster manager level. Fundamentally, you are going to have to plumb an InitManager into the loadCluster calls (e.g., https://github.com/envoyproxy/envoy/blob/master/source/common/upstream/cluster_manager_impl.cc#L383). Take a look at listener_manager_impl in terms of how we sometimes use the server/global init manager and sometimes we use a dynamic/local init manager. You will need to do the same thing here with almost identical logic. Right now in the cluster manager we just use the cluster init callback to move things forward, so I would take a look at the logic and see what makes the most sense in terms of how to manage the flow here (does cluster manager own it all, is it split a bit between CM and the cluster, etc.). There are other additional things to think about here. For example, should we allow SDS configuration for clusters in phase 1 init (static, etc.) since then we can get into a deadlock situation and never initialize? Because of how tricky this is, I would like you to start a new PR that just adds init manager support to cluster manager and plumbs it through, with tests. Then we can sort this out. Once that part is in place I think the rest of this PR is pretty straightforward.

2. This is pre-existing code, but I would prefer it if we change ClusterInfoImpl to not derive from Server::Configuration::TransportSocketFactoryContext. I think it's a little confusing. AFAICT, there is only needed in the constructor where we call createTransportSocketFactory. Can we instead stack allocate a factory context for the transport socket and just call it with constructor args? I think this will simplify things and avoid storing extra state that we don't need and might be abused later.

Thank you for working on this and please LMK if this makes sense or if you need additional clarification before proceeding. Hopefully, @lizan can also help you more directly with this set of changes.

[lizan]

extract this part to a function, use weak_ptr::expired and std::remove_if.

[JimmyCYJ]

I have extracted this part into SecretManagerImpl::removeDeletedSecretProvider(), and use weak_ptr::expired() instead of lock(). Thanks!

[qiwzhang]

Not need to be a member function. It can be a global function in the annoymous namespace.

[qiwzhang]

can be a global function inside annoymous namespace

[qiwzhang]

Is stats_scope_ needed in this class?

[lizan]

You'll need this to own the scope, it is passed by rvalue-ref.

[qiwzhang]

You need following in the ClusterImplBase constuctor

 ClusterImplBase:: ClusterImplBase(...) {
    auto stat_scope = generateStatsScope(cluster, stats);
    auto socket_factory = createTransportSocketFactory(cluster, *stat_scope, ...);
    info_ = std::make_unique<ClusterInfoImpl>(...,  socket_factory,  std::move(stat_scope), ...);
...
}

[qiwzhang]

@lizan @PiotrSikora This PR is ready for review. Could you help to review it? Thanks

[lizan]

Would isReady be better name for this?

[mattklein123]

+1

[lizan]

removeExpiredSecretProvider?

[lizan]

@qiwzhang @JimmyCYJ Sorry I might miss some context for this PR during vacation, what is the reason to refactor this and create TransportSocketFactoryContextImpl?

[mattklein123]

@lizan sorry for the missing context. I had them do this. Before we were passing a bunch of stuff into ClusterInfo and also exposing accessors, which IMO was pretty confusing as Info is multi-threaded where is the cluster base is only for the main thread. IMO what is done now is clearer and easier to understand.

[lizan]

Thanks for explanation. I'm OK with this, just was curious why :)

[lizan]

You'll need this to own the scope, it is passed by rvalue-ref.

[mattklein123]

Thanks @JimmyCYJ @qiwzhang for your hard work. This is close. Just some more questions and minor comments.

[mattklein123]

Where does this function actually end up getting called. Is it always on the main thread? Or will it be called from multiple threads? I'm not sure this is thread safe. Can you explain the full flow? This ends up being quite confusing.

[qiwzhang]

It is called from the main thread. It is called in the ContextManagerImpl::createClientContext() and createServerContext(), if pass-in ContextConfig is not valid, return nullptr for SocketFactory.

In the next PR, SocketFactory will register a UpdateCallback to SDS_api, if SDS secret is fetched, it will call the onUpdate(), SocketFactory will call ContextManagerImpl::createClientContext() again to create a valid Context if ContextConfig is valid. This is called in the main thread too since SDS_api onConfigUpdate will be called in the main thread.

[mattklein123]

OK thanks. I think we will need proper locking around the shared_ptr swaps and we might want to use TLS at a later time, but this should work for now and we can figure it out in the follow up PR.

[mattklein123]

@lizan sorry for the missing context. I had them do this. Before we were passing a bunch of stuff into ClusterInfo and also exposing accessors, which IMO was pretty confusing as Info is multi-threaded where is the cluster base is only for the main thread. IMO what is done now is clearer and easier to understand.

[mattklein123]

Remove SDS from comments, this is generic for the future.

[mattklein123]

How is this going to work on the future? Can you take me through the logic that is coming in the follow up update PRs so I understand? Right now, this will return a null context which is fine, things will fail (and we can have integration tests in this PR just proving things fail). But in the future, how is the context going to get updated inside the transport factory?

[qiwzhang]

I copied this from my other comment.

In the next PR, SocketFactory will register a UpdateCallback to SDS_api, if SDS secret is fetched or updated, it will call the SocketFactory::onUpdate(), SocketFactory will call ContextManagerImpl::createClientContext() to create a valid Context if ContextConfig is valid. This is called in the main thread too since SDS_api::onConfigUpdate will be called in the main thread.

[mattklein123]

@JimmyCYJ @qiwzhang @lizan two other things that we need (can be done as follow up PRs):

• SDS API specific stats (secrets added, secrets updated, secrets removed, secrets total, etc.)
• The block we discussed so that if a cluster type other than EDS tries to use SDS it will fail for now.

Can you please add some TODOs to this PR for ^ and we can do both of these in follow ups? Thank you.

[JimmyCYJ]

@mattklein123 Thanks for the advice, will add TODO in this PR.

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[qiwzhang]

Just updated this PR with all changes needed to support dynamic SDS.

This PR only serves as a reference PR for complete implementation. Its changes will be split into smaller PR to actual code review.

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[mattklein123]

@JimmyCYJ @lizan can we close this now? I think we have the last PR up and this doesn't serve much purpose anymore?

[JimmyCYJ]

@mattklein123 Yes, I am closing it. Thanks!