-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(kuma-cp) refactor SDS to go-control-plane building blocks #721
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some minor comments
|
||
parts := strings.Split(currentSnapshot.GetVersion(envoy_resource.SecretType), "-") | ||
if len(parts) != 2 { | ||
return false, errors.New(`invalid snapshot version format. Format should be "UnixNano-NameOfTheCA"`) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any way cache contains snapshots with invalid version format? From what I see we generate it ourselves in generateSnapshot
. That might simplify signature of shouldGenerateSnapshot
and get rid of error in return values
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not really, unless someone connects to the control plane and explicitly set the version. Or we change it in the future and it won't be compatible with current format.
But let's say it should not happen. What is the alternative? Panic or ignore the error?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we want to protect ourselves from our future changes in the format, then it feels more like panic
. But that's really minor comment, so up to you :)
02dd9ef
to
ed50690
Compare
Summary
This PR refactors SDS to use the same patterns as our XDS implementation.
Until now, SDS was custom implementation operating on raw Envoy protos.
The problem with this implementation is that
DP has 1000 outbound listeners. Since it is mTLS, we have to configure every outbound listener with DP cert and CA cert. Every DP will open 2000 streams (one for CA, one for DP cert) and send a request on every stream. This will generate 1000 certs for one DP instead of one.
Given that there can be thousands of such dataplanes and CA can be external system, we can overload the system with generating millions of certs.
In this implementation we use SnapshotCache from go-control-plane which will store the same cert for subsequent requests, so we only generate 1 certificate per Dataplane.
This will also helps us to solve #719