2023-03-28 18:39:22 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
|
2022-10-10 17:40:27 +00:00
|
|
|
package configentry
|
2022-05-25 20:20:17 +00:00
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
|
|
"github.com/hashicorp/go-hclog"
|
|
|
|
|
memdb "github.com/hashicorp/go-memdb"
|
|
|
|
|
"github.com/imdario/mergo"
|
|
|
|
|
"github.com/mitchellh/copystructure"
|
2022-09-01 14:45:07 +00:00
|
|
|
|
2022-10-10 17:40:27 +00:00
|
|
|
"github.com/hashicorp/consul/acl"
|
2022-09-01 14:45:07 +00:00
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
2022-05-25 20:20:17 +00:00
|
|
|
)
|
|
|
|
|
|
2022-10-10 17:40:27 +00:00
|
|
|
type StateStore interface {
|
|
|
|
|
ReadResolvedServiceConfigEntries(memdb.WatchSet, string, *acl.EnterpriseMeta, []structs.ServiceID, structs.ProxyMode) (uint64, *ResolvedServiceConfigSet, error)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// MergeNodeServiceWithCentralConfig merges a service instance (NodeService) with the
|
2022-05-25 20:20:17 +00:00
|
|
|
// proxy-defaults/global and service-defaults/:service config entries.
|
|
|
|
|
// This common helper is used by the blocking query function of different RPC endpoints
|
|
|
|
|
// that need to return a fully resolved service defintion.
|
2022-10-10 17:40:27 +00:00
|
|
|
func MergeNodeServiceWithCentralConfig(
|
2022-05-25 20:20:17 +00:00
|
|
|
ws memdb.WatchSet,
|
2022-10-10 17:40:27 +00:00
|
|
|
state StateStore,
|
2022-05-25 20:20:17 +00:00
|
|
|
ns *structs.NodeService,
|
|
|
|
|
logger hclog.Logger) (uint64, *structs.NodeService, error) {
|
|
|
|
|
|
|
|
|
|
serviceName := ns.Service
|
2023-02-03 15:51:53 +00:00
|
|
|
var upstreams []structs.PeeredServiceName
|
2022-05-25 20:20:17 +00:00
|
|
|
if ns.IsSidecarProxy() {
|
|
|
|
|
// This is a sidecar proxy, ignore the proxy service's config since we are
|
|
|
|
|
// managed by the target service config.
|
|
|
|
|
serviceName = ns.Proxy.DestinationServiceName
|
|
|
|
|
|
|
|
|
|
// Also if we have any upstreams defined, add them to the defaults lookup request
|
|
|
|
|
// so we can learn about their configs.
|
|
|
|
|
for _, us := range ns.Proxy.Upstreams {
|
|
|
|
|
if us.DestinationType == "" || us.DestinationType == structs.UpstreamDestTypeService {
|
2023-02-03 15:51:53 +00:00
|
|
|
psn := us.DestinationID()
|
|
|
|
|
if psn.Peer == "" {
|
|
|
|
|
psn.ServiceName.EnterpriseMeta.Merge(&ns.EnterpriseMeta)
|
|
|
|
|
} else {
|
|
|
|
|
// Peer services should not have their namespace overwritten.
|
|
|
|
|
psn.ServiceName.EnterpriseMeta.OverridePartition(ns.EnterpriseMeta.PartitionOrDefault())
|
|
|
|
|
}
|
|
|
|
|
upstreams = append(upstreams, psn)
|
2022-05-25 20:20:17 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
configReq := &structs.ServiceConfigRequest{
|
2023-02-03 15:51:53 +00:00
|
|
|
Name: serviceName,
|
|
|
|
|
MeshGateway: ns.Proxy.MeshGateway,
|
|
|
|
|
Mode: ns.Proxy.Mode,
|
|
|
|
|
UpstreamServiceNames: upstreams,
|
|
|
|
|
EnterpriseMeta: ns.EnterpriseMeta,
|
2022-05-25 20:20:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// prefer using this vs directly calling the ConfigEntry.ResolveServiceConfig RPC
|
|
|
|
|
// so as to pass down the same watch set to also watch on changes to
|
|
|
|
|
// proxy-defaults/global and service-defaults.
|
|
|
|
|
cfgIndex, configEntries, err := state.ReadResolvedServiceConfigEntries(
|
|
|
|
|
ws,
|
|
|
|
|
configReq.Name,
|
|
|
|
|
&configReq.EnterpriseMeta,
|
2023-02-03 15:51:53 +00:00
|
|
|
configReq.GetLocalUpstreamIDs(),
|
2022-05-25 20:20:17 +00:00
|
|
|
configReq.Mode,
|
|
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return 0, nil, fmt.Errorf("Failure looking up service config entries for %s: %v",
|
|
|
|
|
ns.ID, err)
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-10 17:40:27 +00:00
|
|
|
defaults, err := ComputeResolvedServiceConfig(
|
2022-05-25 20:20:17 +00:00
|
|
|
configReq,
|
|
|
|
|
configEntries,
|
|
|
|
|
logger,
|
|
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return 0, nil, fmt.Errorf("Failure computing service defaults for %s: %v",
|
|
|
|
|
ns.ID, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mergedns, err := MergeServiceConfig(defaults, ns)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return 0, nil, fmt.Errorf("Failure merging service definition with config entry defaults for %s: %v",
|
|
|
|
|
ns.ID, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return cfgIndex, mergedns, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// MergeServiceConfig merges the service into defaults to produce the final effective
|
|
|
|
|
// config for the specified service.
|
|
|
|
|
func MergeServiceConfig(defaults *structs.ServiceConfigResponse, service *structs.NodeService) (*structs.NodeService, error) {
|
|
|
|
|
if defaults == nil {
|
|
|
|
|
return service, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// We don't want to change s.registration in place since it is our source of
|
|
|
|
|
// truth about what was actually registered before defaults applied. So copy
|
|
|
|
|
// it first.
|
|
|
|
|
nsRaw, err := copystructure.Copy(service)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Merge proxy defaults
|
|
|
|
|
ns := nsRaw.(*structs.NodeService)
|
|
|
|
|
|
|
|
|
|
if err := mergo.Merge(&ns.Proxy.Config, defaults.ProxyConfig); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if err := mergo.Merge(&ns.Proxy.Expose, defaults.Expose); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-12-22 20:18:15 +00:00
|
|
|
if err := mergo.Merge(&ns.Proxy.AccessLogs, defaults.AccessLogs); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-05-25 20:20:17 +00:00
|
|
|
|
2022-12-22 18:03:33 +00:00
|
|
|
// defaults.EnvoyExtensions contains the extensions from the proxy defaults config entry followed by extensions from
|
|
|
|
|
// the service defaults config entry. This adds the extensions to structs.NodeService.Proxy which in turn is copied
|
|
|
|
|
// into the proxycfg snapshot to ensure the local service's extensions are accessible from the snapshot.
|
|
|
|
|
//
|
|
|
|
|
// This will replace any existing extensions in the NodeService but that is ok because defaults.EnvoyExtensions
|
|
|
|
|
// should have the latest extensions computed from service defaults and proxy defaults.
|
|
|
|
|
ns.Proxy.EnvoyExtensions = nil
|
|
|
|
|
if len(defaults.EnvoyExtensions) > 0 {
|
|
|
|
|
nsExtensions := make([]structs.EnvoyExtension, len(defaults.EnvoyExtensions))
|
|
|
|
|
for i, ext := range defaults.EnvoyExtensions {
|
|
|
|
|
nsExtensions[i] = structs.EnvoyExtension{
|
|
|
|
|
Name: ext.Name,
|
|
|
|
|
Required: ext.Required,
|
|
|
|
|
Arguments: ext.Arguments,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
ns.Proxy.EnvoyExtensions = nsExtensions
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-25 20:20:17 +00:00
|
|
|
if ns.Proxy.MeshGateway.Mode == structs.MeshGatewayModeDefault {
|
|
|
|
|
ns.Proxy.MeshGateway.Mode = defaults.MeshGateway.Mode
|
|
|
|
|
}
|
|
|
|
|
if ns.Proxy.Mode == structs.ProxyModeDefault {
|
|
|
|
|
ns.Proxy.Mode = defaults.Mode
|
|
|
|
|
}
|
|
|
|
|
if ns.Proxy.TransparentProxy.OutboundListenerPort == 0 {
|
|
|
|
|
ns.Proxy.TransparentProxy.OutboundListenerPort = defaults.TransparentProxy.OutboundListenerPort
|
|
|
|
|
}
|
|
|
|
|
if !ns.Proxy.TransparentProxy.DialedDirectly {
|
|
|
|
|
ns.Proxy.TransparentProxy.DialedDirectly = defaults.TransparentProxy.DialedDirectly
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-19 19:45:00 +00:00
|
|
|
if ns.Proxy.MutualTLSMode == structs.MutualTLSModeDefault {
|
|
|
|
|
ns.Proxy.MutualTLSMode = defaults.MutualTLSMode
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-25 20:20:17 +00:00
|
|
|
// remoteUpstreams contains synthetic Upstreams generated from central config (service-defaults.UpstreamConfigs).
|
2023-02-03 15:51:53 +00:00
|
|
|
remoteUpstreams := make(map[structs.PeeredServiceName]structs.Upstream)
|
|
|
|
|
|
2023-04-28 17:36:08 +00:00
|
|
|
// If the arguments did not fully normalize tenancy stuff, take care of that now.
|
|
|
|
|
entMeta := ns.EnterpriseMeta
|
|
|
|
|
entMeta.Normalize()
|
|
|
|
|
|
2023-04-11 15:20:33 +00:00
|
|
|
for _, us := range defaults.UpstreamConfigs {
|
|
|
|
|
parsed, err := structs.ParseUpstreamConfigNoDefaults(us.Config)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("failed to parse upstream config map for %s: %v", us.Upstream.String(), err)
|
2022-05-25 20:20:17 +00:00
|
|
|
}
|
|
|
|
|
|
2023-04-28 17:36:08 +00:00
|
|
|
// If the defaults did not fully normalize tenancy stuff, take care of
|
|
|
|
|
// that now too.
|
|
|
|
|
psn := us.Upstream // only normalize the copy
|
|
|
|
|
psn.ServiceName.EnterpriseMeta.Normalize()
|
|
|
|
|
|
|
|
|
|
// Normalize the partition field specially.
|
|
|
|
|
if psn.Peer != "" {
|
|
|
|
|
psn.ServiceName.OverridePartition(entMeta.PartitionOrDefault())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
remoteUpstreams[psn] = structs.Upstream{
|
|
|
|
|
DestinationNamespace: psn.ServiceName.NamespaceOrDefault(),
|
|
|
|
|
DestinationPartition: psn.ServiceName.PartitionOrDefault(),
|
|
|
|
|
DestinationName: psn.ServiceName.Name,
|
|
|
|
|
DestinationPeer: psn.Peer,
|
2023-04-11 15:20:33 +00:00
|
|
|
Config: us.Config,
|
|
|
|
|
MeshGateway: parsed.MeshGateway,
|
|
|
|
|
CentrallyConfigured: true,
|
2022-05-25 20:20:17 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// localUpstreams stores the upstreams seen from the local registration so that we can merge in the synthetic entries.
|
|
|
|
|
// In transparent proxy mode ns.Proxy.Upstreams will likely be empty because users do not need to define upstreams explicitly.
|
Fix mesh gateway configuration with proxy-defaults (#15186)
* Fix mesh gateway proxy-defaults not affecting upstreams.
* Clarify distinction with upstream settings
Top-level mesh gateway mode in proxy-defaults and service-defaults gets
merged into NodeService.Proxy.MeshGateway, and only gets merged with
the mode attached to an an upstream in proxycfg/xds.
* Fix mgw mode usage for peered upstreams
There were a couple issues with how mgw mode was being handled for
peered upstreams.
For starters, mesh gateway mode from proxy-defaults
and the top-level of service-defaults gets stored in
NodeService.Proxy.MeshGateway, but the upstream watch for peered data
was only considering the mesh gateway config attached in
NodeService.Proxy.Upstreams[i]. This means that applying a mesh gateway
mode via global proxy-defaults or service-defaults on the downstream
would not have an effect.
Separately, transparent proxy watches for peered upstreams didn't
consider mesh gateway mode at all.
This commit addresses the first issue by ensuring that we overlay the
upstream config for peered upstreams as we do for non-peered. The second
issue is addressed by re-using setupWatchesForPeeredUpstream when
handling transparent proxy updates.
Note that for transparent proxies we do not yet support mesh gateway
mode per upstream, so the NodeService.Proxy.MeshGateway mode is used.
* Fix upstream mesh gateway mode handling in xds
This commit ensures that when determining the mesh gateway mode for
peered upstreams we consider the NodeService.Proxy.MeshGateway config as
a baseline.
In absense of this change, setting a mesh gateway mode via
proxy-defaults or the top-level of service-defaults will not have an
effect for peered upstreams.
* Merge service/proxy defaults in cfg resolver
Previously the mesh gateway mode for connect proxies would be
merged at three points:
1. On servers, in ComputeResolvedServiceConfig.
2. On clients, in MergeServiceConfig.
3. On clients, in proxycfg/xds.
The first merge returns a ServiceConfigResponse where there is a
top-level MeshGateway config from proxy/service-defaults, along with
per-upstream config.
The second merge combines per-upstream config specified at the service
instance with per-upstream config specified centrally.
The third merge combines the NodeService.Proxy.MeshGateway
config containing proxy/service-defaults data with the per-upstream
mode. This third merge is easy to miss, which led to peered upstreams
not considering the mesh gateway mode from proxy-defaults.
This commit removes the third merge, and ensures that all mesh gateway
config is available at the upstream. This way proxycfg/xds do not need
to do additional overlays.
* Ensure that proxy-defaults is considered in wc
Upstream defaults become a synthetic Upstream definition under a
wildcard key "*". Now that proxycfg/xds expect Upstream definitions to
have the final MeshGateway values, this commit ensures that values from
proxy-defaults/service-defaults are the default for this synthetic
upstream.
* Add changelog.
Co-authored-by: freddygv <freddy@hashicorp.com>
2022-11-09 16:14:29 +00:00
|
|
|
// So to store upstream-specific flags from central config, we add entries to ns.Proxy.Upstreams with those values.
|
2023-02-03 15:51:53 +00:00
|
|
|
localUpstreams := make(map[structs.PeeredServiceName]struct{})
|
2022-05-25 20:20:17 +00:00
|
|
|
|
|
|
|
|
// Merge upstream defaults into the local registration
|
|
|
|
|
for i := range ns.Proxy.Upstreams {
|
|
|
|
|
// Get a pointer not a value copy of the upstream struct
|
|
|
|
|
us := &ns.Proxy.Upstreams[i]
|
|
|
|
|
if us.DestinationType != "" && us.DestinationType != structs.UpstreamDestTypeService {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-03 15:51:53 +00:00
|
|
|
uid := us.DestinationID()
|
2023-04-28 17:36:08 +00:00
|
|
|
|
|
|
|
|
// Normalize the partition field specially.
|
|
|
|
|
if uid.Peer != "" {
|
|
|
|
|
uid.ServiceName.OverridePartition(entMeta.PartitionOrDefault())
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-03 15:51:53 +00:00
|
|
|
localUpstreams[uid] = struct{}{}
|
|
|
|
|
remoteCfg, ok := remoteUpstreams[uid]
|
2022-05-25 20:20:17 +00:00
|
|
|
if !ok {
|
|
|
|
|
// No config defaults to merge
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The local upstream config mode has the highest precedence, so only overwrite when it's set to the default
|
|
|
|
|
if us.MeshGateway.Mode == structs.MeshGatewayModeDefault {
|
|
|
|
|
us.MeshGateway.Mode = remoteCfg.MeshGateway.Mode
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-27 19:27:07 +00:00
|
|
|
preMergeProtocol, found := us.Config["protocol"]
|
2022-05-25 20:20:17 +00:00
|
|
|
// Merge in everything else that is read from the map
|
|
|
|
|
if err := mergo.Merge(&us.Config, remoteCfg.Config); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-27 19:27:07 +00:00
|
|
|
// Reset the protocol to its pre-merged version for peering upstreams.
|
|
|
|
|
if us.DestinationPeer != "" {
|
|
|
|
|
if found {
|
|
|
|
|
us.Config["protocol"] = preMergeProtocol
|
|
|
|
|
} else {
|
|
|
|
|
delete(us.Config, "protocol")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-25 20:20:17 +00:00
|
|
|
// Delete the mesh gateway key from opaque config since this is the value that was resolved from
|
|
|
|
|
// the servers and NOT the final merged value for this upstream.
|
|
|
|
|
// Note that we use the "mesh_gateway" key and not other variants like "MeshGateway" because
|
|
|
|
|
// UpstreamConfig.MergeInto and ResolveServiceConfig only use "mesh_gateway".
|
|
|
|
|
delete(us.Config, "mesh_gateway")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Ensure upstreams present in central config are represented in the local configuration.
|
|
|
|
|
// This does not apply outside of transparent mode because in that situation every possible upstream already exists
|
|
|
|
|
// inside of ns.Proxy.Upstreams.
|
|
|
|
|
if ns.Proxy.Mode == structs.ProxyModeTransparent {
|
|
|
|
|
for id, remote := range remoteUpstreams {
|
|
|
|
|
if _, ok := localUpstreams[id]; ok {
|
|
|
|
|
// Remote upstream is already present locally
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ns.Proxy.Upstreams = append(ns.Proxy.Upstreams, remote)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ns, err
|
|
|
|
|
}
|