Version: v1.10.1 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Jul 15, 2021 License: MPL-2.0 Imports: 27 Imported by: 30



Package proxycfg provides a component that monitors local agent state for Connect proxy service registrations and maintains the necessary cache state for those proxies locally. Local cache state keeps pull based proxies (e.g. the built in one) performant even on first request/startup, and allows for push-based proxy APIs (e.g. xDS for Envoy) to be notified of updates to the proxy configuration.

The relationship with other agent components looks like this:

   | AGENT                                    |
   |                                          |
   | +--------+  1.  +----------+             |
   | | local  |<-----+ proxycfg |<--------+   |
   | | state  +----->| Manager  |<---+    |   |
   | +--------+  2.  +^---+-----+    |    |   |
   |                5.|   |          |    |   |
   |       +----------+   |  +-------+--+ |4. |
   |       |              +->| proxycfg | |   |
   |       |            3.|  |  State   | |   |
   |       |              |  +----------+ |   |
   |       |              |               |   |
   |       |              |  +----------+ |   |
   |       |              +->| proxycfg +-+   |
   |       |                 |  State   |     |
   |       |                 +----------+     |
   |       |6.                                |
   |  +----v---+                              |
   |  |   xDS  |                              |
   |  | Server |                              |
   |  +--------+                              |
   |                                          |

1. Manager watches local state for changes.
2. On local state change manager is notified and iterates through state
   looking for proxy service registrations.
3. For each proxy service registered, the manager maintains a State
   instance, recreating on change, removing when deregistered.
4. State instance copies the parts of the the proxy service registration
   needed to configure proxy, and sets up blocking watches on the local
   agent cache for all remote state needed: root and leaf certs, intentions,
   and service discovery results for the specified upstreams. This ensures
   these results are always in local cache for "pull" based proxies like the
   built-in one.
5. If needed, pull-based proxy config APIs like the xDS server can Watch the
   config for a given proxy service.
6. Watchers get notified every time something changes the current snapshot
   of config for the proxy. That might be changes to the registration,
   certificate rotations, changes to the upstreams required (needing
   different listener config), or changes to the service discovery results
   for any upstream (e.g. new instance of upstream service came up).



This section is empty.


View Source
var (
	// ErrStopped is returned from Run if the manager instance has already been
	// stopped.
	ErrStopped = errors.New("manager stopped")

	// ErrStarted is returned from Run if the manager instance has already run.
	ErrStarted = errors.New("manager was already run")


func TestCacheWithTypes

func TestCacheWithTypes(t testing.T, types *TestCacheTypes) *cache.Cache

TestCacheWithTypes registers ControllableCacheTypes for all types that proxycfg will watch suitable for testing a proxycfg.State or Manager.

func TestCerts

func TestCerts(t testing.T) (*structs.IndexedCARoots, *structs.IssuedCert)

TestCerts generates a CA and Leaf suitable for returning as mock CA root/leaf cache requests.

func TestGatewayNodesDC1 added in v1.6.0

func TestGatewayNodesDC1(t testing.T) structs.CheckServiceNodes

func TestGatewayNodesDC2 added in v1.6.0

func TestGatewayNodesDC2(t testing.T) structs.CheckServiceNodes

func TestGatewayNodesDC3 added in v1.6.0

func TestGatewayNodesDC3(t testing.T) structs.CheckServiceNodes

func TestGatewayNodesDC4Hostname added in v1.8.0

func TestGatewayNodesDC4Hostname(t testing.T) structs.CheckServiceNodes

func TestGatewayNodesDC5Hostname added in v1.8.0

func TestGatewayNodesDC5Hostname(t testing.T) structs.CheckServiceNodes

func TestGatewayNodesDC6Hostname added in v1.8.1

func TestGatewayNodesDC6Hostname(t testing.T) structs.CheckServiceNodes

func TestGatewayServiceGroupBarDC1 added in v1.6.0

func TestGatewayServiceGroupBarDC1(t testing.T) structs.CheckServiceNodes

func TestGatewayServiceGroupFooDC1 added in v1.6.0

func TestGatewayServiceGroupFooDC1(t testing.T) structs.CheckServiceNodes

func TestIntentions

func TestIntentions() *structs.IndexedIntentionMatches

TestIntentions returns a sample intentions match result useful to mocking service discovery cache results.

func TestLeafForCA

func TestLeafForCA(t testing.T, ca *structs.CARoot) *structs.IssuedCert

TestLeafForCA generates new Leaf suitable for returning as mock CA leaf cache response, signed by an existing CA.

func TestUpstreamNodes

func TestUpstreamNodes(t testing.T) structs.CheckServiceNodes

TestUpstreamNodes returns a sample service discovery result useful to mocking service discovery cache results.

func TestUpstreamNodesAlternate added in v1.6.0

func TestUpstreamNodesAlternate(t testing.T) structs.CheckServiceNodes

func TestUpstreamNodesDC2 added in v1.6.0

func TestUpstreamNodesDC2(t testing.T) structs.CheckServiceNodes

func TestUpstreamNodesDC3 added in v1.6.0

func TestUpstreamNodesDC3(t testing.T) structs.CheckServiceNodes

func TestUpstreamNodesInStatus added in v1.6.0

func TestUpstreamNodesInStatus(t testing.T, status string) structs.CheckServiceNodes

func TestUpstreamNodesInStatusDC2 added in v1.6.0

func TestUpstreamNodesInStatusDC2(t testing.T, status string) structs.CheckServiceNodes


type CacheNotifier added in v1.6.0

type CacheNotifier interface {
	Notify(ctx context.Context, t string, r cache.Request,
		correlationID string, ch chan<- cache.UpdateEvent) error

type CancelFunc

type CancelFunc func()

CancelFunc is a type for a returned function that can be called to cancel a watch.

type ConfigSnapshot

type ConfigSnapshot struct {
	Kind                  structs.ServiceKind
	Service               string
	ProxyID               structs.ServiceID
	Address               string
	Port                  int
	ServiceMeta           map[string]string
	TaggedAddresses       map[string]structs.ServiceAddress
	Proxy                 structs.ConnectProxyConfig
	Datacenter            string
	IntentionDefaultAllow bool

	ServerSNIFn ServerSNIFunc
	Roots       *structs.IndexedCARoots

	// connect-proxy specific
	ConnectProxy configSnapshotConnectProxy

	// terminating-gateway specific
	TerminatingGateway configSnapshotTerminatingGateway

	// mesh-gateway specific
	MeshGateway configSnapshotMeshGateway

	// ingress-gateway specific
	IngressGateway configSnapshotIngressGateway

ConfigSnapshot captures all the resulting config needed for a proxy instance. It is meant to be point-in-time coherent and is used to deliver the current config state to observers who need it to be pushed in (e.g. XDS server).

func TestConfigSnapshot

func TestConfigSnapshot(t testing.T) *ConfigSnapshot

TestConfigSnapshot returns a fully populated snapshot

func TestConfigSnapshotDiscoveryChain added in v1.6.0

func TestConfigSnapshotDiscoveryChain(t testing.T) *ConfigSnapshot

TestConfigSnapshotDiscoveryChain returns a fully populated snapshot using a discovery chain

func TestConfigSnapshotDiscoveryChainDefault added in v1.6.0

func TestConfigSnapshotDiscoveryChainDefault(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainDefaultWithEntries added in v1.10.0

func TestConfigSnapshotDiscoveryChainDefaultWithEntries(t testing.T, additionalEntries ...structs.ConfigEntry) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainExternalSNI added in v1.6.0

func TestConfigSnapshotDiscoveryChainExternalSNI(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithDoubleFailoverThroughLocalGateway added in v1.6.0

func TestConfigSnapshotDiscoveryChainWithDoubleFailoverThroughLocalGateway(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithDoubleFailoverThroughLocalGatewayTriggered added in v1.6.0

func TestConfigSnapshotDiscoveryChainWithDoubleFailoverThroughLocalGatewayTriggered(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithDoubleFailoverThroughRemoteGateway added in v1.6.0

func TestConfigSnapshotDiscoveryChainWithDoubleFailoverThroughRemoteGateway(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithDoubleFailoverThroughRemoteGatewayTriggered added in v1.6.0

func TestConfigSnapshotDiscoveryChainWithDoubleFailoverThroughRemoteGatewayTriggered(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithEntries added in v1.6.0

func TestConfigSnapshotDiscoveryChainWithEntries(t testing.T, additionalEntries ...structs.ConfigEntry) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithFailover added in v1.6.0

func TestConfigSnapshotDiscoveryChainWithFailover(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithFailoverThroughLocalGateway added in v1.6.0

func TestConfigSnapshotDiscoveryChainWithFailoverThroughLocalGateway(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithFailoverThroughLocalGatewayTriggered added in v1.6.0

func TestConfigSnapshotDiscoveryChainWithFailoverThroughLocalGatewayTriggered(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithFailoverThroughRemoteGateway added in v1.6.0

func TestConfigSnapshotDiscoveryChainWithFailoverThroughRemoteGateway(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithFailoverThroughRemoteGatewayTriggered added in v1.6.0

func TestConfigSnapshotDiscoveryChainWithFailoverThroughRemoteGatewayTriggered(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithGRPCRouter added in v1.8.0

func TestConfigSnapshotDiscoveryChainWithGRPCRouter(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithLB added in v1.9.0

func TestConfigSnapshotDiscoveryChainWithLB(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithOverrides added in v1.6.0

func TestConfigSnapshotDiscoveryChainWithOverrides(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithRouter added in v1.8.0

func TestConfigSnapshotDiscoveryChainWithRouter(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChainWithSplitter added in v1.8.0

func TestConfigSnapshotDiscoveryChainWithSplitter(t testing.T) *ConfigSnapshot

func TestConfigSnapshotDiscoveryChain_SplitterWithResolverRedirectMultiDC added in v1.6.0

func TestConfigSnapshotDiscoveryChain_SplitterWithResolverRedirectMultiDC(t testing.T) *ConfigSnapshot

func TestConfigSnapshotExposeConfig added in v1.6.2

func TestConfigSnapshotExposeConfig(t testing.T) *ConfigSnapshot

func TestConfigSnapshotGRPCExposeHTTP1 added in v1.8.0

func TestConfigSnapshotGRPCExposeHTTP1(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngress added in v1.8.0

func TestConfigSnapshotIngress(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressDiscoveryChainWithEntries added in v1.8.0

func TestConfigSnapshotIngressDiscoveryChainWithEntries(t testing.T, additionalEntries ...structs.ConfigEntry) *ConfigSnapshot

func TestConfigSnapshotIngressExternalSNI added in v1.8.0

func TestConfigSnapshotIngressExternalSNI(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressGateway added in v1.8.0

func TestConfigSnapshotIngressGateway(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressGatewayNoServices added in v1.8.0

func TestConfigSnapshotIngressGatewayNoServices(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithDoubleFailoverThroughLocalGateway added in v1.8.0

func TestConfigSnapshotIngressWithDoubleFailoverThroughLocalGateway(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithDoubleFailoverThroughLocalGatewayTriggered added in v1.8.0

func TestConfigSnapshotIngressWithDoubleFailoverThroughLocalGatewayTriggered(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithDoubleFailoverThroughRemoteGateway added in v1.8.0

func TestConfigSnapshotIngressWithDoubleFailoverThroughRemoteGateway(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithDoubleFailoverThroughRemoteGatewayTriggered added in v1.8.0

func TestConfigSnapshotIngressWithDoubleFailoverThroughRemoteGatewayTriggered(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithFailover added in v1.8.0

func TestConfigSnapshotIngressWithFailover(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithFailoverThroughLocalGateway added in v1.8.0

func TestConfigSnapshotIngressWithFailoverThroughLocalGateway(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithFailoverThroughLocalGatewayTriggered added in v1.8.0

func TestConfigSnapshotIngressWithFailoverThroughLocalGatewayTriggered(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithFailoverThroughRemoteGateway added in v1.8.0

func TestConfigSnapshotIngressWithFailoverThroughRemoteGateway(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithFailoverThroughRemoteGatewayTriggered added in v1.8.0

func TestConfigSnapshotIngressWithFailoverThroughRemoteGatewayTriggered(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithGRPCRouter added in v1.8.0

func TestConfigSnapshotIngressWithGRPCRouter(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithLB added in v1.9.0

func TestConfigSnapshotIngressWithLB(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithOverrides added in v1.8.0

func TestConfigSnapshotIngressWithOverrides(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithRouter added in v1.8.0

func TestConfigSnapshotIngressWithRouter(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithSplitter added in v1.8.0

func TestConfigSnapshotIngressWithSplitter(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngressWithTLSListener added in v1.8.0

func TestConfigSnapshotIngressWithTLSListener(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngress_HTTPMultipleServices added in v1.8.0

func TestConfigSnapshotIngress_HTTPMultipleServices(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngress_MultipleListenersDuplicateService added in v1.8.0

func TestConfigSnapshotIngress_MultipleListenersDuplicateService(t testing.T) *ConfigSnapshot

func TestConfigSnapshotIngress_SplitterWithResolverRedirectMultiDC added in v1.8.0

func TestConfigSnapshotIngress_SplitterWithResolverRedirectMultiDC(t testing.T) *ConfigSnapshot

func TestConfigSnapshotMeshGateway added in v1.6.0

func TestConfigSnapshotMeshGateway(t testing.T) *ConfigSnapshot

func TestConfigSnapshotMeshGatewayNoServices added in v1.6.2

func TestConfigSnapshotMeshGatewayNoServices(t testing.T) *ConfigSnapshot

func TestConfigSnapshotMeshGatewayUsingFederationStates added in v1.8.0

func TestConfigSnapshotMeshGatewayUsingFederationStates(t testing.T) *ConfigSnapshot

func TestConfigSnapshotTerminatingGateway added in v1.8.0

func TestConfigSnapshotTerminatingGateway(t testing.T) *ConfigSnapshot

func TestConfigSnapshotTerminatingGatewayNoServices added in v1.8.0

func TestConfigSnapshotTerminatingGatewayNoServices(t testing.T) *ConfigSnapshot

func (*ConfigSnapshot) Clone

func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error)

Clone makes a deep copy of the snapshot we can send to other goroutines without worrying that they will racily read or mutate shared maps etc.

func (*ConfigSnapshot) Leaf

func (s *ConfigSnapshot) Leaf() *structs.IssuedCert

func (*ConfigSnapshot) Valid

func (s *ConfigSnapshot) Valid() bool

Valid returns whether or not the snapshot has all required fields filled yet.

type ConfigSnapshotUpstreams added in v1.8.0

type ConfigSnapshotUpstreams struct {
	Leaf *structs.IssuedCert
	// DiscoveryChain is a map of upstream.Identifier() ->
	// CompiledDiscoveryChain's, and is used to determine what services could be
	// targeted by this upstream. We then instantiate watches for those targets.
	DiscoveryChain map[string]*structs.CompiledDiscoveryChain

	// WatchedDiscoveryChains is a map of upstream.Identifier() -> CancelFunc's
	// in order to cancel any watches when the proxy's configuration is
	// changed. Ingress gateways and transparent proxies need this because
	// discovery chain watches are added and removed through the lifecycle
	// of a single proxycfg state instance.
	WatchedDiscoveryChains map[string]context.CancelFunc

	// WatchedUpstreams is a map of upstream.Identifier() -> (map of TargetID ->
	// CancelFunc's) in order to cancel any watches when the configuration is
	// changed.
	WatchedUpstreams map[string]map[string]context.CancelFunc

	// WatchedUpstreamEndpoints is a map of upstream.Identifier() -> (map of
	// TargetID -> CheckServiceNodes) and is used to determine the backing
	// endpoints of an upstream.
	WatchedUpstreamEndpoints map[string]map[string]structs.CheckServiceNodes

	// WatchedGateways is a map of upstream.Identifier() -> (map of
	// TargetID -> CancelFunc) in order to cancel watches for mesh gateways
	WatchedGateways map[string]map[string]context.CancelFunc

	// WatchedGatewayEndpoints is a map of upstream.Identifier() -> (map of
	// TargetID -> CheckServiceNodes) and is used to determine the backing
	// endpoints of a mesh gateway.
	WatchedGatewayEndpoints map[string]map[string]structs.CheckServiceNodes

	// UpstreamConfig is a map to an upstream's configuration.
	UpstreamConfig map[string]*structs.Upstream

	// PassthroughEndpoints is a map of: ServiceName -> ServicePassthroughAddrs.
	PassthroughUpstreams map[string]ServicePassthroughAddrs

TODO(ingress): Can we think of a better for this bag of data? A shared data structure that contains information about discovered upstreams

type ControllableCacheType

type ControllableCacheType struct {
	// contains filtered or unexported fields

ControllableCacheType is a cache.Type that simulates a typical blocking RPC but lets us control the responses and when they are delivered easily.

func NewControllableCacheType

func NewControllableCacheType(t testing.T) *ControllableCacheType

NewControllableCacheType returns a cache.Type that can be controlled for testing.

func (*ControllableCacheType) Fetch

Fetch implements cache.Type. It simulates blocking or non-blocking queries.

func (*ControllableCacheType) RegisterOptions added in v1.8.0

func (ct *ControllableCacheType) RegisterOptions() cache.RegisterOptions

func (*ControllableCacheType) Set

func (ct *ControllableCacheType) Set(key string, value interface{})

Set sets the response value to be returned from subsequent cache gets for the type.

type DNSConfig added in v1.8.0

type DNSConfig struct {
	Domain    string
	AltDomain string

type Health added in v1.10.0

type Health interface {
	Notify(ctx context.Context, req structs.ServiceSpecificRequest, correlationID string, ch chan<- cache.UpdateEvent) error

type IngressListenerKey added in v1.8.0

type IngressListenerKey struct {
	Protocol string
	Port     int

func (*IngressListenerKey) RouteName added in v1.8.0

func (k *IngressListenerKey) RouteName() string

type Manager

type Manager struct {
	// contains filtered or unexported fields

Manager is a component that integrates into the agent and manages Connect proxy configuration state. This should not be confused with the deprecated "managed proxy" concept where the agent supervises the actual proxy process. proxycfg.Manager is oblivious to the distinction and manages state for any service registered with Kind == connect-proxy.

The Manager ensures that any Connect proxy registered on the agent has all the state it needs cached locally via the agent cache. State includes certificates, intentions, and service discovery results for any declared upstreams. See package docs for more detail.

func NewManager

func NewManager(cfg ManagerConfig) (*Manager, error)

NewManager constructs a manager from the provided agent cache.

func (*Manager) Close

func (m *Manager) Close() error

Close removes all state and stops all running goroutines.

func (*Manager) Run

func (m *Manager) Run() error

Run is the long-running method that handles state syncing. It should be run in it's own goroutine and will continue until a fatal error is hit or Close is called. Run will return an error if it is called more than once, or called after Close.

func (*Manager) Watch

func (m *Manager) Watch(proxyID structs.ServiceID) (<-chan *ConfigSnapshot, CancelFunc)

Watch registers a watch on a proxy. It might not exist yet in which case this will not fail, but no updates will be delivered until the proxy is registered. If there is already a valid snapshot in memory, it will be delivered immediately.

type ManagerConfig

type ManagerConfig struct {
	// Cache is the agent's cache instance that can be used to retrieve, store and
	// monitor state for the proxies.
	Cache *cache.Cache
	// Health provides service health updates on a notification channel.
	Health Health
	// state is the agent's local state to be watched for new proxy registrations.
	State *local.State
	// source describes the current agent's identity, it's used directly for
	// prepared query discovery but also indirectly as a way to pass current
	// Datacenter name into other request types that need it. This is sufficient
	// for now and cleaner than passing the entire RuntimeConfig.
	Source *structs.QuerySource
	// DNSConfig is the agent's relevant DNS config for any proxies.
	DNSConfig DNSConfig
	// logger is the agent's logger to be used for logging logs.
	Logger          hclog.Logger
	TLSConfigurator *tlsutil.Configurator

	// IntentionDefaultAllow is set by the agent so that we can pass this
	// information to proxies that need to make intention decisions on their
	// own.
	IntentionDefaultAllow bool

ManagerConfig holds the required external dependencies for a Manager instance. All fields must be set to something valid or the manager will panic. The ManagerConfig is passed by value to NewManager so the passed value can be mutated safely.

type ServerSNIFunc added in v1.8.0

type ServerSNIFunc func(dc, nodeName string) string

type ServicePassthroughAddrs added in v1.10.0

type ServicePassthroughAddrs struct {
	// SNI is the Service SNI of the upstream.
	SNI string

	// SpiffeID is the SPIFFE ID to use for upstream SAN validation.
	SpiffeID connect.SpiffeIDService

	// Addrs is a set of the best LAN addresses for the instances of the upstream.
	Addrs map[string]struct{}

ServicePassthroughAddrs contains the LAN addrs

type TestCacheTypes

type TestCacheTypes struct {
	// contains filtered or unexported fields

TestCacheTypes encapsulates all the different cache types proxycfg.State will watch/request for controlling one during testing.

func NewTestCacheTypes

func NewTestCacheTypes(t testing.T) *TestCacheTypes

NewTestCacheTypes creates a set of ControllableCacheTypes for all types that proxycfg will watch suitable for testing a proxycfg.State or Manager.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL