xds

package
v1.8.9-beta1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 11, 2021 License: MPL-2.0 Imports: 57 Imported by: 32

Documentation

Overview

Package xds provides an implementation of a gRPC service that exports Envoy's xDS API for config discovery. Specifically we support the Aggregated Discovery Service (ADS) only as we control all config.

A full description of the XDS protocol can be found at https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol

xds.Server also support ext_authz network filter API to authorize incoming connections to Envoy.

Index

Constants

View Source 
const (

	// EndpointType is the TypeURL for Endpoint discovery responses.
	EndpointType = typePrefix + "ClusterLoadAssignment"

	// ClusterType is the TypeURL for Cluster discovery responses.
	ClusterType = typePrefix + "Cluster"

	// RouteType is the TypeURL for Route discovery responses.
	RouteType = typePrefix + "RouteConfiguration"

	// ListenerType is the TypeURL for Listener discovery responses.
	ListenerType = typePrefix + "Listener"

	// PublicListenerName is the name we give the public listener in Envoy config.
	PublicListenerName = "public_listener"

	// LocalAppClusterName is the name we give the local application "cluster" in
	// Envoy config. Note that all cluster names may collide with service names
	// since we want cluster names and service names to match to enable nice
	// metrics correlation without massaging prefixes on cluster names.
	//
	// We should probably make this more unlikely to collide however changing it
	// potentially breaks upgrade compatibility without restarting all Envoy's as
	// it will no longer match their existing cluster name. Changing this will
	// affect metrics output so could break dashboards (for local app traffic).
	//
	// We should probably just make it configurable if anyone actually has
	// services named "local_app" in the future.
	LocalAppClusterName = "local_app"

	// LocalAgentClusterName is the name we give the local agent "cluster" in
	// Envoy config. Note that all cluster names may collide with service names
	// since we want cluster names and service names to match to enable nice
	// metrics correlation without massaging prefixes on cluster names.
	//
	// We should probably make this more unlikely to collied however changing it
	// potentially breaks upgrade compatibility without restarting all Envoy's as
	// it will no longer match their existing cluster name. Changing this will
	// affect metrics output so could break dashboards (for local agent traffic).
	//
	// We should probably just make it configurable if anyone actually has
	// services named "local_agent" in the future.
	LocalAgentClusterName = "local_agent"

	// DefaultAuthCheckFrequency is the default value for
	// Server.AuthCheckFrequency to use when the zero value is provided.
	DefaultAuthCheckFrequency = 5 * time.Minute
)
View Source 
const (
	UnnamedSubset = ""
)

Variables

This section is empty.

Functions

func CustomizeClusterName added in v1.6.0 

func CustomizeClusterName(clusterName string, chain *structs.CompiledDiscoveryChain) string

func TestCheckRequest 

func TestCheckRequest(t testing.T, source, dest string) *envoyauth.CheckRequest

TestCheckRequest creates an envoyauth.CheckRequest with the source and destination service names.

Types

type ACLResolverFunc 

type ACLResolverFunc func(id string) (acl.Authorizer, error)

ACLResolverFunc is a shim to resolve ACLs. Since ACL enforcement is so far entirely agent-local and all uses private methods this allows a simple shim to be written in the agent package to allow resolving without tightly coupling this to the agent.

type ADSStream 

type ADSStream = envoydisco.AggregatedDiscoveryService_StreamAggregatedResourcesServer

ADSStream is a shorter way of referring to this thing...

type ConfigFetcher added in v1.6.2 

type ConfigFetcher interface {
	AdvertiseAddrLAN() string
}

ConfigFetcher is the interface the agent needs to expose for the xDS server to fetch agent config, currently only one field is fetched

type ConfigManager 

type ConfigManager interface {
	Watch(proxyID structs.ServiceID) (<-chan *proxycfg.ConfigSnapshot, proxycfg.CancelFunc)
}

ConfigManager is the interface xds.Server requires to consume proxy config updates. It's satisfied normally by the agent's proxycfg.Manager, but allows easier testing without several layers of mocked cache, local state and proxycfg.Manager.

type ConnectAuthz 

type ConnectAuthz interface {
	// ConnectAuthorize is implemented by Agent.ConnectAuthorize
	ConnectAuthorize(token string, req *structs.ConnectAuthorizeRequest) (authz bool, reason string, m *cache.ResultMeta, err error)
}

ConnectAuthz is the interface the agent needs to expose to be able to re-use the authorization logic between both APIs.

type GatewayConfig added in v1.8.0 

type GatewayConfig struct {
	// BindTaggedAddresses when set will cause all of the services tagged
	// addresses to have listeners bound to them in addition to the main service
	// address listener. This is only suitable when the tagged addresses are IP
	// addresses of network interfaces Envoy can see. i.e. When using DNS names
	// for those addresses or where an external entity maps that IP to the Envoy
	// (like AWS EC2 mapping a public IP to the private interface) then this
	// cannot be used. See the BindAddresses config instead
	BindTaggedAddresses bool `mapstructure:"envoy_gateway_bind_tagged_addresses" alias:"envoy_mesh_gateway_bind_tagged_addresses"`

	// BindAddresses additional bind addresses to configure listeners for
	BindAddresses map[string]structs.ServiceAddress `mapstructure:"envoy_gateway_bind_addresses" alias:"envoy_mesh_gateway_bind_addresses"`

	// NoDefaultBind indicates that we should not bind to the default address of the
	// gateway service
	NoDefaultBind bool `mapstructure:"envoy_gateway_no_default_bind" alias:"envoy_mesh_gateway_no_default_bind"`

	// DNSDiscoveryType indicates the DNS service discovery type.
	// See: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/service_discovery#arch-overview-service-discovery-types
	DNSDiscoveryType string `mapstructure:"envoy_dns_discovery_type"`

	// ConnectTimeoutMs is the number of milliseconds to timeout making a new
	// connection to this upstream. Defaults to 5000 (5 seconds) if not set.
	ConnectTimeoutMs int `mapstructure:"connect_timeout_ms"`
}

func ParseGatewayConfig added in v1.8.0 

func ParseGatewayConfig(m map[string]interface{}) (GatewayConfig, error)

ParseGatewayConfig returns the GatewayConfig parsed from an opaque map. If an error occurs during parsing, it is returned along with the default config. This allows the caller to choose whether and how to report the error

type HTTPCheckFetcher added in v1.6.2 

type HTTPCheckFetcher interface {
	ServiceHTTPBasedChecks(serviceID structs.ServiceID) []structs.CheckType
}

ServiceChecks is the interface the agent needs to expose for the xDS server to fetch a service's HTTP check definitions

type PassiveHealthCheck added in v1.8.0 

type PassiveHealthCheck struct {
	// Interval between health check analysis sweeps. Each sweep may remove
	// hosts or return hosts to the pool.
	Interval time.Duration
	// MaxFailures is the count of consecutive failures that results in a host
	// being removed from the pool.
	MaxFailures uint32 `mapstructure:"max_failures"`
}

func (PassiveHealthCheck) AsOutlierDetection added in v1.8.0 

func (p PassiveHealthCheck) AsOutlierDetection() *envoycluster.OutlierDetection

Return an envoy.OutlierDetection populated by the values from this struct. If all values are zero a default empty OutlierDetection will be returned to enable outlier detection with default values.

type ProxyConfig added in v1.5.0 

type ProxyConfig struct {
	// PublicListenerJSON is a complete override ("escape hatch") for the
	// upstream's public listener. The Connect server TLS certificate and
	// validation context will be injected overriding any TLS settings present. An
	// AuthZ filter will also be prepended to each filterChain provided to enforce
	// Connect's access control.
	//
	// Note: This escape hatch is compatible with the discovery chain.
	PublicListenerJSON string `mapstructure:"envoy_public_listener_json"`

	// LocalClusterJSON is a complete override ("escape hatch") for the
	// local application cluster.
	//
	// Note: This escape hatch is compatible with the discovery chain.
	LocalClusterJSON string `mapstructure:"envoy_local_cluster_json"`

	// LocalConnectTimeoutMs is the number of milliseconds to timeout making a new
	// connection to the local app instance. Defaults to 5000 (5 seconds) if not
	// set.
	LocalConnectTimeoutMs int `mapstructure:"local_connect_timeout_ms"`

	// Protocol describes the service's protocol. Valid values are "tcp",
	// "http" and "grpc". Anything else is treated as tcp. This enables
	// protocol aware features like per-request metrics and connection
	// pooling, tracing, routing etc.
	Protocol string `mapstructure:"protocol"`

	// BindAddress overrides the address the proxy's listener binds to. This
	// enables proxies in network namespaces to bind to a different address
	// than the host address.
	BindAddress string `mapstructure:"bind_address"`

	// BindPort overrides the port the proxy's listener binds to. This
	// enable proxies in network namespaces to bind to a different port
	// than the host port being advertised.
	BindPort int `mapstructure:"bind_port"`
}

ProxyConfig describes the keys we understand from Connect.Proxy.Config. Note that this only includes config keys that affects runtime config delivered by xDS. For Envoy config keys that affect bootstrap generation see command/connect/envoy/bootstrap_config.go.

func ParseProxyConfig added in v1.5.0 

func ParseProxyConfig(m map[string]interface{}) (ProxyConfig, error)

ParseProxyConfig returns the ProxyConfig parsed from the an opaque map. If an error occurs during parsing it is returned along with the default config this allows caller to choose whether and how to report the error.

type Server 

type Server struct {
	Logger       hclog.Logger
	CfgMgr       ConfigManager
	Authz        ConnectAuthz
	ResolveToken ACLResolverFunc
	// AuthCheckFrequency is how often we should re-check the credentials used
	// during a long-lived gRPC Stream after it has been initially established.
	// This is only used during idle periods of stream interactions (i.e. when
	// there has been no recent DiscoveryRequest).
	AuthCheckFrequency time.Duration
	CheckFetcher       HTTPCheckFetcher
	CfgFetcher         ConfigFetcher
}

Server represents a gRPC server that can handle both XDS and ext_authz requests from Envoy. All of it's public members must be set before the gRPC server is started.

A full description of the XDS protocol can be found at https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol

func (*Server) Check 

func (s *Server) Check(ctx context.Context, r *envoyauthz.CheckRequest) (*envoyauthz.CheckResponse, error)

Check implements envoyauthz.AuthorizationServer.

func (*Server) DeltaAggregatedResources added in v1.5.2 

func (s *Server) DeltaAggregatedResources(_ envoydisco.AggregatedDiscoveryService_DeltaAggregatedResourcesServer) error

DeltaAggregatedResources implements envoydisco.AggregatedDiscoveryServiceServer

func (*Server) GRPCServer 

func (s *Server) GRPCServer(tlsConfigurator *tlsutil.Configurator) (*grpc.Server, error)

GRPCServer returns a server instance that can handle XDS and ext_authz requests.

func (*Server) Initialize added in v1.4.3 

func (s *Server) Initialize()

Initialize will finish configuring the Server for first use.

func (*Server) StreamAggregatedResources 

func (s *Server) StreamAggregatedResources(stream ADSStream) error

StreamAggregatedResources implements envoydisco.AggregatedDiscoveryServiceServer. This is the ADS endpoint which is the only xDS API we directly support for now.

type TestADSStream 

type TestADSStream struct {
	// contains filtered or unexported fields
}

TestADSStream mocks discovery.AggregatedDiscoveryService_StreamAggregatedResourcesServer to allow testing ADS handler.

func NewTestADSStream 

func NewTestADSStream(t testing.T, ctx context.Context) *TestADSStream

NewTestADSStream makes a new TestADSStream

func (*TestADSStream) Context 

func (s *TestADSStream) Context() context.Context

Context implements ADSStream

func (*TestADSStream) Recv 

func (s *TestADSStream) Recv() (*envoy.DiscoveryRequest, error)

Recv implements ADSStream

func (*TestADSStream) RecvMsg 

func (s *TestADSStream) RecvMsg(m interface{}) error

RecvMsg implements ADSStream

func (*TestADSStream) Send 

func (s *TestADSStream) Send(r *envoy.DiscoveryResponse) error

Send implements ADSStream

func (*TestADSStream) SendHeader 

func (s *TestADSStream) SendHeader(metadata.MD) error

SendHeader implements ADSStream

func (*TestADSStream) SendMsg 

func (s *TestADSStream) SendMsg(m interface{}) error

SendMsg implements ADSStream

func (*TestADSStream) SetHeader 

func (s *TestADSStream) SetHeader(metadata.MD) error

SetHeader implements ADSStream

func (*TestADSStream) SetTrailer 

func (s *TestADSStream) SetTrailer(metadata.MD)

SetTrailer implements ADSStream

type TestEnvoy 

type TestEnvoy struct {
	sync.Mutex
	// contains filtered or unexported fields
}

TestEnvoy is a helper to simulate Envoy ADS requests.

func NewTestEnvoy 

func NewTestEnvoy(t testing.T, proxyID, token string) *TestEnvoy

NewTestEnvoy creates a TestEnvoy instance.

func (*TestEnvoy) Close 

func (e *TestEnvoy) Close() error

Close closes the client and cancels it's request context.

func (*TestEnvoy) SendReq 

func (e *TestEnvoy) SendReq(t testing.T, typeURL string, version, nonce uint64)

SendReq sends a request from the test server.

type UpstreamConfig added in v1.5.0 

type UpstreamConfig struct {
	// ListenerJSON is a complete override ("escape hatch") for the upstream's
	// listener.
	//
	// Note: This escape hatch is NOT compatible with the discovery chain and
	// will be ignored if a discovery chain is active.
	ListenerJSON string `mapstructure:"envoy_listener_json"`

	// ClusterJSON is a complete override ("escape hatch") for the upstream's
	// cluster. The Connect client TLS certificate and context will be injected
	// overriding any TLS settings present.
	//
	// Note: This escape hatch is NOT compatible with the discovery chain and
	// will be ignored if a discovery chain is active.
	ClusterJSON string `mapstructure:"envoy_cluster_json"`

	// Protocol describes the upstream's service protocol. Valid values are "tcp",
	// "http" and "grpc". Anything else is treated as tcp. The enables protocol
	// aware features like per-request metrics and connection pooling, tracing,
	// routing etc.
	Protocol string `mapstructure:"protocol"`

	// ConnectTimeoutMs is the number of milliseconds to timeout making a new
	// connection to this upstream. Defaults to 5000 (5 seconds) if not set.
	ConnectTimeoutMs int `mapstructure:"connect_timeout_ms"`

	// Limits are the set of limits that are applied to the proxy for a specific upstream of a
	// service instance.
	Limits UpstreamLimits `mapstructure:"limits"`

	// PassiveHealthCheck configuration
	PassiveHealthCheck PassiveHealthCheck `mapstructure:"passive_health_check"`
}

UpstreamConfig describes the keys we understand from Connect.Proxy.Upstream[*].Config.

func ParseUpstreamConfig added in v1.5.0 

func ParseUpstreamConfig(m map[string]interface{}) (UpstreamConfig, error)

ParseUpstreamConfig returns the UpstreamConfig parsed from an opaque map. If an error occurs during parsing it is returned along with the default config this allows caller to choose whether and how to report the error.

func ParseUpstreamConfigNoDefaults added in v1.6.0 

func ParseUpstreamConfigNoDefaults(m map[string]interface{}) (UpstreamConfig, error)

type UpstreamLimits added in v1.7.0 

type UpstreamLimits struct {
	// MaxConnections is the maximum number of connections the local proxy can
	// make to the upstream service.
	MaxConnections *int `mapstructure:"max_connections"`

	// MaxPendingRequests is the maximum number of requests that will be queued
	// waiting for an available connection. This is mostly applicable to HTTP/1.1
	// clusters since all HTTP/2 requests are streamed over a single
	// connection.
	MaxPendingRequests *int `mapstructure:"max_pending_requests"`

	// MaxConcurrentRequests is the maximum number of in-flight requests that will be allowed
	// to the upstream cluster at a point in time. This is mostly applicable to HTTP/2
	// clusters since all HTTP/1.1 requests are limited by MaxConnections.
	MaxConcurrentRequests *int `mapstructure:"max_concurrent_requests"`
}

UpstreamLimits describes the limits that are associated with a specific upstream of a service instance.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.