open-consul/agent/pool/conn.go

package pool

type RPCType byte

func (t RPCType) ALPNString() string {
	switch t {
	case RPCConsul:
		return ALPN_RPCConsul
	case RPCRaft:
		return ALPN_RPCRaft
	case RPCMultiplex:
		return "" // unsupported
	case RPCTLS:
		return "" // unsupported
	case RPCMultiplexV2:
		return ALPN_RPCMultiplexV2
	case RPCSnapshot:
		return ALPN_RPCSnapshot
	case RPCGossip:
		return ALPN_RPCGossip
	case RPCTLSInsecure:
		return "" // unsupported
	default:
		return "" // unsupported
	}
}

const (
	// keep numbers unique.
	RPCConsul      RPCType = 0
	RPCRaft                = 1
	RPCMultiplex           = 2 // Old Muxado byte, no longer supported.
	RPCTLS                 = 3
	RPCMultiplexV2         = 4
	RPCSnapshot            = 5
	RPCGossip              = 6
	// RPCTLSInsecure is used to flag RPC calls that require verify
	// incoming to be disabled, even when it is turned on in the
	// configuration. At the time of writing there is only AutoEncrypt.Sign
	// that is supported and it might be the only one there
	// ever is.
	RPCTLSInsecure = 7

	// RPCMaxTypeValue is the maximum rpc type byte value currently used for
	// the various protocols riding over our "rpc" port.
	//
	// Currently our 0-7 values are mutually exclusive with any valid first
	// byte of a TLS header.  The first TLS header byte will begin with a TLS
	// content type and the values 0-19 are all explicitly unassigned and
	// marked as requiring coordination. RFC 7983 does the marking and goes
	// into some details about multiplexing connections and identifying TLS.
	//
	// We use this value to determine if the incoming request is actual real
	// native TLS (where we can demultiplex based on ALPN protocol) or our
	// older type-byte system when new connections are established.
	//
	// NOTE: if you add new RPCTypes beyond this value, you must similarly bump
	// this value.
	RPCMaxTypeValue = 7
)

const (
	// regular old rpc (note there is no equivalent of RPCMultiplex, RPCTLS, or RPCTLSInsecure)
	ALPN_RPCConsul      = "consul/rpc-single"   // RPCConsul
	ALPN_RPCRaft        = "consul/raft"         // RPCRaft
	ALPN_RPCMultiplexV2 = "consul/rpc-multi"    // RPCMultiplexV2
	ALPN_RPCSnapshot    = "consul/rpc-snapshot" // RPCSnapshot
	ALPN_RPCGossip      = "consul/rpc-gossip"   // RPCGossip
	// wan federation additions
	ALPN_WANGossipPacket = "consul/wan-gossip/packet"
	ALPN_WANGossipStream = "consul/wan-gossip/stream"
)

var RPCNextProtos = []string{
	ALPN_RPCConsul,
	ALPN_RPCRaft,
	ALPN_RPCMultiplexV2,
	ALPN_RPCSnapshot,
	ALPN_RPCGossip,
	ALPN_WANGossipPacket,
	ALPN_WANGossipStream,
}
agent: move conn pool for muxed connections into separate pkg 2017-06-15 13:16:16 +00:00			`package pool`

			`type RPCType byte`

wan federation via mesh gateways (#6884) This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch: There are several distinct chunks of code that are affected: * new flags and config options for the server * retry join WAN is slightly different * retry join code is shared to discover primary mesh gateways from secondary datacenters * because retry join logic runs in the agent and the results of that operation for primary mesh gateways are needed in the server there are some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur at multiple layers of abstraction just to pass the data down to the right layer. * new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers * the function signature for RPC dialing picked up a new required field (the node name of the destination) * several new RPCs for manipulating a FederationState object: `FederationState:{Apply,Get,List,ListMeshGateways}` * 3 read-only internal APIs for debugging use to invoke those RPCs from curl * raft and fsm changes to persist these FederationStates * replication for FederationStates as they are canonically stored in the Primary and replicated to the Secondaries. * a special derivative of anti-entropy that runs in secondaries to snapshot their local mesh gateway `CheckServiceNodes` and sync them into their upstream FederationState in the primary (this works in conjunction with the replication to distribute addresses for all mesh gateways in all DCs to all other DCs) * a "gateway locator" convenience object to make use of this data to choose the addresses of gateways to use for any given RPC or gossip operation to a remote DC. This gets data from the "retry join" logic in the agent and also directly calls into the FSM. * RPC (`:8300`) on the server sniffs the first byte of a new connection to determine if it's actually doing native TLS. If so it checks the ALPN header for protocol determination (just like how the existing system uses the type-byte marker). * 2 new kinds of protocols are exclusively decoded via this native TLS mechanism: one for ferrying "packet" operations (udp-like) from the gossip layer and one for "stream" operations (tcp-like). The packet operations re-use sockets (using length-prefixing) to cut down on TLS re-negotiation overhead. * the server instances specially wrap the `memberlist.NetTransport` when running with gateway federation enabled (in a `wanfed.Transport`). The general gist is that if it tries to dial a node in the SAME datacenter (deduced by looking at the suffix of the node name) there is no change. If dialing a DIFFERENT datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh gateways to eventually end up in a server's :8300 port. * a new flag when launching a mesh gateway via `consul connect envoy` to indicate that the servers are to be exposed. This sets a special service meta when registering the gateway into the catalog. * `proxycfg/xds` notice this metadata blob to activate additional watches for the FederationState objects as well as the location of all of the consul servers in that datacenter. * `xds:` if the extra metadata is in place additional clusters are defined in a DC to bulk sink all traffic to another DC's gateways. For the current datacenter we listen on a wildcard name (`server.<dc>.consul`) that load balances all servers as well as one mini-cluster per node (`<node>.server.<dc>.consul`) * the `consul tls cert create` command got a new flag (`-node`) to help create an additional SAN in certs that can be used with this flavor of federation. 2020-03-09 20:59:02 +00:00			`func (t RPCType) ALPNString() string {`
			`switch t {`
			`case RPCConsul:`
			`return ALPN_RPCConsul`
			`case RPCRaft:`
			`return ALPN_RPCRaft`
			`case RPCMultiplex:`
			`return "" // unsupported`
			`case RPCTLS:`
			`return "" // unsupported`
			`case RPCMultiplexV2:`
			`return ALPN_RPCMultiplexV2`
			`case RPCSnapshot:`
			`return ALPN_RPCSnapshot`
			`case RPCGossip:`
			`return ALPN_RPCGossip`
			`case RPCTLSInsecure:`
			`return "" // unsupported`
			`default:`
			`return "" // unsupported`
			`}`
			`}`

agent: move conn pool for muxed connections into separate pkg 2017-06-15 13:16:16 +00:00			`const (`
			`// keep numbers unique.`
			`RPCConsul RPCType = 0`
			`RPCRaft = 1`
			`RPCMultiplex = 2 // Old Muxado byte, no longer supported.`
			`RPCTLS = 3`
			`RPCMultiplexV2 = 4`
			`RPCSnapshot = 5`
			`RPCGossip = 6`
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`// RPCTLSInsecure is used to flag RPC calls that require verify`
			`// incoming to be disabled, even when it is turned on in the`
wan federation via mesh gateways (#6884) This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch: There are several distinct chunks of code that are affected: * new flags and config options for the server * retry join WAN is slightly different * retry join code is shared to discover primary mesh gateways from secondary datacenters * because retry join logic runs in the agent and the results of that operation for primary mesh gateways are needed in the server there are some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur at multiple layers of abstraction just to pass the data down to the right layer. * new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers * the function signature for RPC dialing picked up a new required field (the node name of the destination) * several new RPCs for manipulating a FederationState object: `FederationState:{Apply,Get,List,ListMeshGateways}` * 3 read-only internal APIs for debugging use to invoke those RPCs from curl * raft and fsm changes to persist these FederationStates * replication for FederationStates as they are canonically stored in the Primary and replicated to the Secondaries. * a special derivative of anti-entropy that runs in secondaries to snapshot their local mesh gateway `CheckServiceNodes` and sync them into their upstream FederationState in the primary (this works in conjunction with the replication to distribute addresses for all mesh gateways in all DCs to all other DCs) * a "gateway locator" convenience object to make use of this data to choose the addresses of gateways to use for any given RPC or gossip operation to a remote DC. This gets data from the "retry join" logic in the agent and also directly calls into the FSM. * RPC (`:8300`) on the server sniffs the first byte of a new connection to determine if it's actually doing native TLS. If so it checks the ALPN header for protocol determination (just like how the existing system uses the type-byte marker). * 2 new kinds of protocols are exclusively decoded via this native TLS mechanism: one for ferrying "packet" operations (udp-like) from the gossip layer and one for "stream" operations (tcp-like). The packet operations re-use sockets (using length-prefixing) to cut down on TLS re-negotiation overhead. * the server instances specially wrap the `memberlist.NetTransport` when running with gateway federation enabled (in a `wanfed.Transport`). The general gist is that if it tries to dial a node in the SAME datacenter (deduced by looking at the suffix of the node name) there is no change. If dialing a DIFFERENT datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh gateways to eventually end up in a server's :8300 port. * a new flag when launching a mesh gateway via `consul connect envoy` to indicate that the servers are to be exposed. This sets a special service meta when registering the gateway into the catalog. * `proxycfg/xds` notice this metadata blob to activate additional watches for the FederationState objects as well as the location of all of the consul servers in that datacenter. * `xds:` if the extra metadata is in place additional clusters are defined in a DC to bulk sink all traffic to another DC's gateways. For the current datacenter we listen on a wildcard name (`server.<dc>.consul`) that load balances all servers as well as one mini-cluster per node (`<node>.server.<dc>.consul`) * the `consul tls cert create` command got a new flag (`-node`) to help create an additional SAN in certs that can be used with this flavor of federation. 2020-03-09 20:59:02 +00:00			`// configuration. At the time of writing there is only AutoEncrypt.Sign`
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`// that is supported and it might be the only one there`
			`// ever is.`
			`RPCTLSInsecure = 7`
Add note about RPC multiplexing and TLS content type mutual exc… (#6698) 2019-10-30 13:24:30 +00:00
wan federation via mesh gateways (#6884) This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch: There are several distinct chunks of code that are affected: * new flags and config options for the server * retry join WAN is slightly different * retry join code is shared to discover primary mesh gateways from secondary datacenters * because retry join logic runs in the agent and the results of that operation for primary mesh gateways are needed in the server there are some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur at multiple layers of abstraction just to pass the data down to the right layer. * new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers * the function signature for RPC dialing picked up a new required field (the node name of the destination) * several new RPCs for manipulating a FederationState object: `FederationState:{Apply,Get,List,ListMeshGateways}` * 3 read-only internal APIs for debugging use to invoke those RPCs from curl * raft and fsm changes to persist these FederationStates * replication for FederationStates as they are canonically stored in the Primary and replicated to the Secondaries. * a special derivative of anti-entropy that runs in secondaries to snapshot their local mesh gateway `CheckServiceNodes` and sync them into their upstream FederationState in the primary (this works in conjunction with the replication to distribute addresses for all mesh gateways in all DCs to all other DCs) * a "gateway locator" convenience object to make use of this data to choose the addresses of gateways to use for any given RPC or gossip operation to a remote DC. This gets data from the "retry join" logic in the agent and also directly calls into the FSM. * RPC (`:8300`) on the server sniffs the first byte of a new connection to determine if it's actually doing native TLS. If so it checks the ALPN header for protocol determination (just like how the existing system uses the type-byte marker). * 2 new kinds of protocols are exclusively decoded via this native TLS mechanism: one for ferrying "packet" operations (udp-like) from the gossip layer and one for "stream" operations (tcp-like). The packet operations re-use sockets (using length-prefixing) to cut down on TLS re-negotiation overhead. * the server instances specially wrap the `memberlist.NetTransport` when running with gateway federation enabled (in a `wanfed.Transport`). The general gist is that if it tries to dial a node in the SAME datacenter (deduced by looking at the suffix of the node name) there is no change. If dialing a DIFFERENT datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh gateways to eventually end up in a server's :8300 port. * a new flag when launching a mesh gateway via `consul connect envoy` to indicate that the servers are to be exposed. This sets a special service meta when registering the gateway into the catalog. * `proxycfg/xds` notice this metadata blob to activate additional watches for the FederationState objects as well as the location of all of the consul servers in that datacenter. * `xds:` if the extra metadata is in place additional clusters are defined in a DC to bulk sink all traffic to another DC's gateways. For the current datacenter we listen on a wildcard name (`server.<dc>.consul`) that load balances all servers as well as one mini-cluster per node (`<node>.server.<dc>.consul`) * the `consul tls cert create` command got a new flag (`-node`) to help create an additional SAN in certs that can be used with this flavor of federation. 2020-03-09 20:59:02 +00:00			`// RPCMaxTypeValue is the maximum rpc type byte value currently used for`
			`// the various protocols riding over our "rpc" port.`
			`//`
			`// Currently our 0-7 values are mutually exclusive with any valid first`
			`// byte of a TLS header. The first TLS header byte will begin with a TLS`
			`// content type and the values 0-19 are all explicitly unassigned and`
			`// marked as requiring coordination. RFC 7983 does the marking and goes`
			`// into some details about multiplexing connections and identifying TLS.`
			`//`
			`// We use this value to determine if the incoming request is actual real`
			`// native TLS (where we can demultiplex based on ALPN protocol) or our`
			`// older type-byte system when new connections are established.`
			`//`
			`// NOTE: if you add new RPCTypes beyond this value, you must similarly bump`
			`// this value.`
			`RPCMaxTypeValue = 7`
agent: move conn pool for muxed connections into separate pkg 2017-06-15 13:16:16 +00:00			`)`
wan federation via mesh gateways (#6884) This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch: There are several distinct chunks of code that are affected: * new flags and config options for the server * retry join WAN is slightly different * retry join code is shared to discover primary mesh gateways from secondary datacenters * because retry join logic runs in the agent and the results of that operation for primary mesh gateways are needed in the server there are some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur at multiple layers of abstraction just to pass the data down to the right layer. * new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers * the function signature for RPC dialing picked up a new required field (the node name of the destination) * several new RPCs for manipulating a FederationState object: `FederationState:{Apply,Get,List,ListMeshGateways}` * 3 read-only internal APIs for debugging use to invoke those RPCs from curl * raft and fsm changes to persist these FederationStates * replication for FederationStates as they are canonically stored in the Primary and replicated to the Secondaries. * a special derivative of anti-entropy that runs in secondaries to snapshot their local mesh gateway `CheckServiceNodes` and sync them into their upstream FederationState in the primary (this works in conjunction with the replication to distribute addresses for all mesh gateways in all DCs to all other DCs) * a "gateway locator" convenience object to make use of this data to choose the addresses of gateways to use for any given RPC or gossip operation to a remote DC. This gets data from the "retry join" logic in the agent and also directly calls into the FSM. * RPC (`:8300`) on the server sniffs the first byte of a new connection to determine if it's actually doing native TLS. If so it checks the ALPN header for protocol determination (just like how the existing system uses the type-byte marker). * 2 new kinds of protocols are exclusively decoded via this native TLS mechanism: one for ferrying "packet" operations (udp-like) from the gossip layer and one for "stream" operations (tcp-like). The packet operations re-use sockets (using length-prefixing) to cut down on TLS re-negotiation overhead. * the server instances specially wrap the `memberlist.NetTransport` when running with gateway federation enabled (in a `wanfed.Transport`). The general gist is that if it tries to dial a node in the SAME datacenter (deduced by looking at the suffix of the node name) there is no change. If dialing a DIFFERENT datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh gateways to eventually end up in a server's :8300 port. * a new flag when launching a mesh gateway via `consul connect envoy` to indicate that the servers are to be exposed. This sets a special service meta when registering the gateway into the catalog. * `proxycfg/xds` notice this metadata blob to activate additional watches for the FederationState objects as well as the location of all of the consul servers in that datacenter. * `xds:` if the extra metadata is in place additional clusters are defined in a DC to bulk sink all traffic to another DC's gateways. For the current datacenter we listen on a wildcard name (`server.<dc>.consul`) that load balances all servers as well as one mini-cluster per node (`<node>.server.<dc>.consul`) * the `consul tls cert create` command got a new flag (`-node`) to help create an additional SAN in certs that can be used with this flavor of federation. 2020-03-09 20:59:02 +00:00
			`const (`
			`// regular old rpc (note there is no equivalent of RPCMultiplex, RPCTLS, or RPCTLSInsecure)`
			`ALPN_RPCConsul = "consul/rpc-single" // RPCConsul`
			`ALPN_RPCRaft = "consul/raft" // RPCRaft`
			`ALPN_RPCMultiplexV2 = "consul/rpc-multi" // RPCMultiplexV2`
			`ALPN_RPCSnapshot = "consul/rpc-snapshot" // RPCSnapshot`
			`ALPN_RPCGossip = "consul/rpc-gossip" // RPCGossip`
			`// wan federation additions`
			`ALPN_WANGossipPacket = "consul/wan-gossip/packet"`
			`ALPN_WANGossipStream = "consul/wan-gossip/stream"`
			`)`

			`var RPCNextProtos = []string{`
			`ALPN_RPCConsul,`
			`ALPN_RPCRaft,`
			`ALPN_RPCMultiplexV2,`
			`ALPN_RPCSnapshot,`
			`ALPN_RPCGossip,`
			`ALPN_WANGossipPacket,`
			`ALPN_WANGossipStream,`
			`}`