xds: add env var protection for client-side security (#4247) (#4296)
easwars authored Mar 25, 2021
1 parent b96b7d4 commit 31aa1a5
Showing 3 changed files with 82 additions and 6 deletions.
58 changes: 58 additions & 0 deletions xds/internal/client/cds_test.go
Expand Up @@ -223,7 +223,65 @@ func (s) TestValidateCluster_Success(t *testing.T) {
}
}

func (s) TestValidateClusterWithSecurityConfig_EnvVarOff(t *testing.T) {
// Turn off the env var protection for client-side security.
origClientSideSecurityEnvVar := env.ClientSideSecuritySupport
env.ClientSideSecuritySupport = false
defer func() { env.ClientSideSecuritySupport = origClientSideSecurityEnvVar }()

cluster := &v3clusterpb.Cluster{
ClusterDiscoveryType: &v3clusterpb.Cluster_Type{Type: v3clusterpb.Cluster_EDS},
EdsClusterConfig: &v3clusterpb.Cluster_EdsClusterConfig{
EdsConfig: &v3corepb.ConfigSource{
ConfigSourceSpecifier: &v3corepb.ConfigSource_Ads{
Ads: &v3corepb.AggregatedConfigSource{},
},
},
ServiceName: serviceName,
},
LbPolicy: v3clusterpb.Cluster_ROUND_ROBIN,
TransportSocket: &v3corepb.TransportSocket{
Name: "envoy.transport_sockets.tls",
ConfigType: &v3corepb.TransportSocket_TypedConfig{
TypedConfig: &anypb.Any{
TypeUrl: version.V3UpstreamTLSContextURL,
Value: func() []byte {
tls := &v3tlspb.UpstreamTlsContext{
CommonTlsContext: &v3tlspb.CommonTlsContext{
ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContextCertificateProviderInstance{
ValidationContextCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{
InstanceName: "rootInstance",
CertificateName: "rootCert",
},
},
},
}
mtls, _ := proto.Marshal(tls)
return mtls
}(),
},
},
},
}
wantUpdate := ClusterUpdate{
ServiceName: serviceName,
EnableLRS: false,
}
gotUpdate, err := validateCluster(cluster)
if err != nil {
t.Errorf("validateCluster() failed: %v", err)
}
if diff := cmp.Diff(wantUpdate, gotUpdate); diff != "" {
t.Errorf("validateCluster() returned unexpected diff (-want, got):\n%s", diff)
}
}

func (s) TestValidateClusterWithSecurityConfig(t *testing.T) {
// Turn on the env var protection for client-side security.
origClientSideSecurityEnvVar := env.ClientSideSecuritySupport
env.ClientSideSecuritySupport = true
defer func() { env.ClientSideSecuritySupport = origClientSideSecurityEnvVar }()

const (
identityPluginInstance = "identityPluginInstance"
identityCertName = "identityCert"
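Review bot: The marshal error at `mtls, _ := proto.Marshal(tls)` in TestValidateClusterWithSecurityConfig_EnvVarOff is discarded, and because the env var is off nothing downstream ever parses those bytes, so a broken fixture would still pass and the test would no longer demonstrate that a well-formed TLS config is the thing being ignored. Prefer failing the test there: `mtls, err := proto.Marshal(tls); if err != nil { t.Fatalf("proto.Marshal(%+v) failed: %v", tls, err) }`. Both tests write the package-level `env.ClientSideSecuritySupport` and restore it in a defer, so neither may be marked `t.Parallel()` (presumably they are not, but the rest of the file is outside the hunk). The body of TestValidateClusterWithSecurityConfig continues past the end of the hunk.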
12 changes: 9 additions & 3 deletions xds/internal/client/xds.go
Expand Up @@ -410,10 +410,16 @@ func validateCluster(cluster *v3clusterpb.Cluster) (ClusterUpdate, error) {
return emptyUpdate, fmt.Errorf("xds: unexpected lbPolicy %v in response: %+v", cluster.GetLbPolicy(), cluster)
}

sc, err := securityConfigFromCluster(cluster)
if err != nil {
return emptyUpdate, err
// Process security configuration received from the control plane iff the
// corresponding environment variable is set.
var sc *SecurityConfig
if env.ClientSideSecuritySupport {
var err error
if sc, err = securityConfigFromCluster(cluster); err != nil {
return emptyUpdate, err
}
}

return ClusterUpdate{
ServiceName: cluster.GetEdsClusterConfig().GetServiceName(),
EnableLRS: cluster.GetLrsServer().GetSelf() != nil,
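Review bot: When `env.ClientSideSecuritySupport` is false, a cluster that carries a transport_socket is accepted with `sc` left nil, so the new block makes such a cluster usable without the security configuration the control plane advertised rather than rejecting it, and the new comment does not say so; that is the behaviour an operator needs to know before leaving the flag unset. Suggest extending the comment to `// Process security configuration received from the control plane iff the` / `// corresponding environment variable is set. When it is not set, any` / `// transport_socket on the cluster is ignored rather than rejected.` The explicit `var err error` avoids shadowing `sc` inside the `if`, which is correct, though `sc, err = securityConfigFromCluster(cluster)` on its own line followed by `if err != nil {` would read like the surrounding code. validateCluster starts and ends outside the hunk, and the return below the hunk presumably carries `sc` into the ClusterUpdate.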
18 changes: 15 additions & 3 deletions xds/internal/env/env.go
Expand Up @@ -37,9 +37,11 @@ const (
// and kept in variable BootstrapFileName.
//
// When both bootstrap FileName and FileContent are set, FileName is used.
BootstrapFileContentEnv = "GRPC_XDS_BOOTSTRAP_CONFIG"
circuitBreakingSupportEnv = "GRPC_XDS_EXPERIMENTAL_CIRCUIT_BREAKING"
timeoutSupportEnv = "GRPC_XDS_EXPERIMENTAL_ENABLE_TIMEOUT"
BootstrapFileContentEnv = "GRPC_XDS_BOOTSTRAP_CONFIG"
circuitBreakingSupportEnv = "GRPC_XDS_EXPERIMENTAL_CIRCUIT_BREAKING"
timeoutSupportEnv = "GRPC_XDS_EXPERIMENTAL_ENABLE_TIMEOUT"
faultInjectionSupportEnv = "GRPC_XDS_EXPERIMENTAL_FAULT_INJECTION"
clientSideSecuritySupportEnv = "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
)

var (
Expand All @@ -63,4 +65,14 @@ var (
// route actions is enabled. This can be enabled by setting the
// environment variable "GRPC_XDS_EXPERIMENTAL_ENABLE_TIMEOUT" to "true".
TimeoutSupport = strings.EqualFold(os.Getenv(timeoutSupportEnv), "true")
// FaultInjectionSupport is used to control both fault injection and HTTP
// filter support.
FaultInjectionSupport = strings.EqualFold(os.Getenv(faultInjectionSupportEnv), "true")
// ClientSideSecuritySupport is used to control processing of security
// configuration on the client-side.
//
// Note that there is no env var protection for the server-side because we
// have a brand new API on the server-side and users explicitly need to use
// the new API to get security integration on the server.
ClientSideSecuritySupport = strings.EqualFold(os.Getenv(clientSideSecuritySupportEnv), "true")
)
