From 31aa1a5c486fdb85b414def18b81d1578b52ceca Mon Sep 17 00:00:00 2001 From: Easwar Swaminathan Date: Thu, 25 Mar 2021 14:44:00 -0700 Subject: [PATCH] xds: add env var protection for client-side security (#4247) (#4296) --- xds/internal/client/cds_test.go | 58 +++++++++++++++++++++++++++++++++ xds/internal/client/xds.go | 12 +++++-- xds/internal/env/env.go | 18 ++++++++-- 3 files changed, 82 insertions(+), 6 deletions(-) diff --git a/xds/internal/client/cds_test.go b/xds/internal/client/cds_test.go index 5d2366d6488..56fa679db01 100644 --- a/xds/internal/client/cds_test.go +++ b/xds/internal/client/cds_test.go @@ -223,7 +223,65 @@ func (s) TestValidateCluster_Success(t *testing.T) { } } +func (s) TestValidateClusterWithSecurityConfig_EnvVarOff(t *testing.T) { + // Turn off the env var protection for client-side security. + origClientSideSecurityEnvVar := env.ClientSideSecuritySupport + env.ClientSideSecuritySupport = false + defer func() { env.ClientSideSecuritySupport = origClientSideSecurityEnvVar }() + + cluster := &v3clusterpb.Cluster{ + ClusterDiscoveryType: &v3clusterpb.Cluster_Type{Type: v3clusterpb.Cluster_EDS}, + EdsClusterConfig: &v3clusterpb.Cluster_EdsClusterConfig{ + EdsConfig: &v3corepb.ConfigSource{ + ConfigSourceSpecifier: &v3corepb.ConfigSource_Ads{ + Ads: &v3corepb.AggregatedConfigSource{}, + }, + }, + ServiceName: serviceName, + }, + LbPolicy: v3clusterpb.Cluster_ROUND_ROBIN, + TransportSocket: &v3corepb.TransportSocket{ + Name: "envoy.transport_sockets.tls", + ConfigType: &v3corepb.TransportSocket_TypedConfig{ + TypedConfig: &anypb.Any{ + TypeUrl: version.V3UpstreamTLSContextURL, + Value: func() []byte { + tls := &v3tlspb.UpstreamTlsContext{ + CommonTlsContext: &v3tlspb.CommonTlsContext{ + ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContextCertificateProviderInstance{ + ValidationContextCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{ + InstanceName: "rootInstance", + CertificateName: "rootCert", + }, + }, + }, + } + mtls, _ := proto.Marshal(tls) + return mtls + }(), + }, + }, + }, + } + wantUpdate := ClusterUpdate{ + ServiceName: serviceName, + EnableLRS: false, + } + gotUpdate, err := validateCluster(cluster) + if err != nil { + t.Errorf("validateCluster() failed: %v", err) + } + if diff := cmp.Diff(wantUpdate, gotUpdate); diff != "" { + t.Errorf("validateCluster() returned unexpected diff (-want, got):\n%s", diff) + } +} + func (s) TestValidateClusterWithSecurityConfig(t *testing.T) { + // Turn on the env var protection for client-side security. + origClientSideSecurityEnvVar := env.ClientSideSecuritySupport + env.ClientSideSecuritySupport = true + defer func() { env.ClientSideSecuritySupport = origClientSideSecurityEnvVar }() + const ( identityPluginInstance = "identityPluginInstance" identityCertName = "identityCert" diff --git a/xds/internal/client/xds.go b/xds/internal/client/xds.go index e2a008200a6..a292442a0a1 100644 --- a/xds/internal/client/xds.go +++ b/xds/internal/client/xds.go @@ -410,10 +410,16 @@ func validateCluster(cluster *v3clusterpb.Cluster) (ClusterUpdate, error) { return emptyUpdate, fmt.Errorf("xds: unexpected lbPolicy %v in response: %+v", cluster.GetLbPolicy(), cluster) } - sc, err := securityConfigFromCluster(cluster) - if err != nil { - return emptyUpdate, err + // Process security configuration received from the control plane iff the + // corresponding environment variable is set. + var sc *SecurityConfig + if env.ClientSideSecuritySupport { + var err error + if sc, err = securityConfigFromCluster(cluster); err != nil { + return emptyUpdate, err + } } + return ClusterUpdate{ ServiceName: cluster.GetEdsClusterConfig().GetServiceName(), EnableLRS: cluster.GetLrsServer().GetSelf() != nil, diff --git a/xds/internal/env/env.go b/xds/internal/env/env.go index 3d75bc3e86f..a28d741f356 100644 --- a/xds/internal/env/env.go +++ b/xds/internal/env/env.go @@ -37,9 +37,11 @@ const ( // and kept in variable BootstrapFileName. // // When both bootstrap FileName and FileContent are set, FileName is used. - BootstrapFileContentEnv = "GRPC_XDS_BOOTSTRAP_CONFIG" - circuitBreakingSupportEnv = "GRPC_XDS_EXPERIMENTAL_CIRCUIT_BREAKING" - timeoutSupportEnv = "GRPC_XDS_EXPERIMENTAL_ENABLE_TIMEOUT" + BootstrapFileContentEnv = "GRPC_XDS_BOOTSTRAP_CONFIG" + circuitBreakingSupportEnv = "GRPC_XDS_EXPERIMENTAL_CIRCUIT_BREAKING" + timeoutSupportEnv = "GRPC_XDS_EXPERIMENTAL_ENABLE_TIMEOUT" + faultInjectionSupportEnv = "GRPC_XDS_EXPERIMENTAL_FAULT_INJECTION" + clientSideSecuritySupportEnv = "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" ) var ( @@ -63,4 +65,14 @@ var ( // route actions is enabled. This can be enabled by setting the // environment variable "GRPC_XDS_EXPERIMENTAL_ENABLE_TIMEOUT" to "true". TimeoutSupport = strings.EqualFold(os.Getenv(timeoutSupportEnv), "true") + // FaultInjectionSupport is used to control both fault injection and HTTP + // filter support. + FaultInjectionSupport = strings.EqualFold(os.Getenv(faultInjectionSupportEnv), "true") + // ClientSideSecuritySupport is used to control processing of security + // configuration on the client-side. + // + // Note that there is no env var protection for the server-side because we + // have a brand new API on the server-side and users explicitly need to use + // the new API to get security integration on the server. + ClientSideSecuritySupport = strings.EqualFold(os.Getenv(clientSideSecuritySupportEnv), "true") )