3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-06 02:09:15 +02:00
Code Issues Projects Releases Packages Wiki Activity

support loading route configuration via rds

Browse source
This commit is contained in:
Caleb Doxsey 2023-04-04 13:45:19 -06:00
parent 850a903341
commit d23a110e6e
3 changed files with 131 additions and 64 deletions
Download patch file Download diff file Expand all files Collapse all files

72
config/envoyconfig/listeners.go
View file

@ -257,61 +257,6 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
options *config.Options, options *config.Options,
certs ...tls.Certificate, certs ...tls.Certificate,
) (*envoy_config_listener_v3.Filter, error) { ) (*envoy_config_listener_v3.Filter, error) {
authorizeURLs, err := options.GetInternalAuthorizeURLs()
if err != nil {
return nil, err
}
dataBrokerURLs, err := options.GetInternalDataBrokerURLs()
if err != nil {
return nil, err
}
allHosts, err := getAllRouteableHosts(options, options.Addr)
if err != nil {
return nil, err
}
var virtualHosts []*envoy_config_route_v3.VirtualHost
for _, host := range allHosts {
requireStrictTransportSecurity := cryptutil.HasCertificateForServerName(certs, host)
vh, err := b.buildVirtualHost(options, host, host, requireStrictTransportSecurity)
if err != nil {
return nil, err
}
if options.Addr == options.GetGRPCAddr() {
// if this is a gRPC service domain and we're supposed to handle that, add those routes
if (config.IsAuthorize(options.Services) && urlsMatchHost(authorizeURLs, host)) ||
(config.IsDataBroker(options.Services) && urlsMatchHost(dataBrokerURLs, host)) {
rs, err := b.buildGRPCRoutes()
if err != nil {
return nil, err
}
vh.Routes = append(vh.Routes, rs...)
}
}
// if we're the proxy, add all the policy routes
if config.IsProxy(options.Services) {
rs, err := b.buildPolicyRoutes(options, host)
if err != nil {
return nil, err
}
vh.Routes = append(vh.Routes, rs...)
}
if len(vh.Routes) > 0 {
virtualHosts = append(virtualHosts, vh)
}
}
vh, err := b.buildVirtualHost(options, "catch-all", "*", false)
if err != nil {
return nil, err
}
virtualHosts = append(virtualHosts, vh)
var grpcClientTimeout *durationpb.Duration var grpcClientTimeout *durationpb.Duration
if options.GRPCClientTimeout != 0 { if options.GRPCClientTimeout != 0 {
grpcClientTimeout = durationpb.New(options.GRPCClientTimeout) grpcClientTimeout = durationpb.New(options.GRPCClientTimeout)
@ -333,10 +278,6 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
maxStreamDuration = durationpb.New(options.WriteTimeout) maxStreamDuration = durationpb.New(options.WriteTimeout)
} }
rc, err := b.buildRouteConfiguration("main", virtualHosts)
if err != nil {
return nil, err
}
tracingProvider, err := buildTracingHTTP(options) tracingProvider, err := buildTracingHTTP(options)
if err != nil { if err != nil {
return nil, err return nil, err
@ -347,8 +288,14 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
CodecType: options.GetCodecType().ToEnvoy(), CodecType: options.GetCodecType().ToEnvoy(),
StatPrefix: "ingress", StatPrefix: "ingress",
RouteSpecifier: &envoy_http_connection_manager.HttpConnectionManager_RouteConfig{ RouteSpecifier: &envoy_http_connection_manager.HttpConnectionManager_Rds{
RouteConfig: rc, Rds: &envoy_http_connection_manager.Rds{
ConfigSource: &envoy_config_core_v3.ConfigSource{
ResourceApiVersion: envoy_config_core_v3.ApiVersion_V3,
ConfigSourceSpecifier: &envoy_config_core_v3.ConfigSource_Ads{},
},
RouteConfigName: "main",
},
}, },
HttpFilters: filters, HttpFilters: filters,
AccessLog: buildAccessLogs(options), AccessLog: buildAccessLogs(options),
@ -546,7 +493,8 @@ func (b *Builder) buildDownstreamTLSContextMulti(
TlsCertificates: envoyCerts, TlsCertificates: envoyCerts,
AlpnProtocols: getALPNProtos(cfg.Options), AlpnProtocols: getALPNProtos(cfg.Options),
ValidationContextType: b.buildDownstreamValidationContext(ctx, cfg), ValidationContextType: b.buildDownstreamValidationContext(ctx, cfg),
}}, nil },
}, nil
} }
func getALPNProtos(opts *config.Options) []string { func getALPNProtos(opts *config.Options) []string {

105
config/envoyconfig/route_configurations.go Normal file
View file

@ -0,0 +1,105 @@
package envoyconfig
import (
"context"
"crypto/tls"
envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/pkg/cryptutil"
)
// BuildRouteConfigurations builds the route configurations for the RDS service.
func (b *Builder) BuildRouteConfigurations(
ctx context.Context,
cfg *config.Config,
) ([]*envoy_config_route_v3.RouteConfiguration, error) {
var routeConfigurations []*envoy_config_route_v3.RouteConfiguration
if config.IsAuthenticate(cfg.Options.Services) || config.IsProxy(cfg.Options.Services) {
rc, err := b.buildMainRouteConfiguration(ctx, cfg)
if err != nil {
return nil, err
}
routeConfigurations = append(routeConfigurations, rc)
}
return routeConfigurations, nil
}
func (b *Builder) buildMainRouteConfiguration(
ctx context.Context,
cfg *config.Config,
) (*envoy_config_route_v3.RouteConfiguration, error) {
var certs []tls.Certificate
if !cfg.Options.InsecureServer {
var err error
certs, err = getAllCertificates(cfg)
if err != nil {
return nil, err
}
}
authorizeURLs, err := cfg.Options.GetInternalAuthorizeURLs()
if err != nil {
return nil, err
}
dataBrokerURLs, err := cfg.Options.GetInternalDataBrokerURLs()
if err != nil {
return nil, err
}
allHosts, err := getAllRouteableHosts(cfg.Options, cfg.Options.Addr)
if err != nil {
return nil, err
}
var virtualHosts []*envoy_config_route_v3.VirtualHost
for _, host := range allHosts {
requireStrictTransportSecurity := cryptutil.HasCertificateForServerName(certs, host)
vh, err := b.buildVirtualHost(cfg.Options, host, host, requireStrictTransportSecurity)
if err != nil {
return nil, err
}
if cfg.Options.Addr == cfg.Options.GetGRPCAddr() {
// if this is a gRPC service domain and we're supposed to handle that, add those routes
if (config.IsAuthorize(cfg.Options.Services) && urlsMatchHost(authorizeURLs, host)) ||
(config.IsDataBroker(cfg.Options.Services) && urlsMatchHost(dataBrokerURLs, host)) {
rs, err := b.buildGRPCRoutes()
if err != nil {
return nil, err
}
vh.Routes = append(vh.Routes, rs...)
}
}
// if we're the proxy, add all the policy routes
if config.IsProxy(cfg.Options.Services) {
rs, err := b.buildPolicyRoutes(cfg.Options, host)
if err != nil {
return nil, err
}
vh.Routes = append(vh.Routes, rs...)
}
if len(vh.Routes) > 0 {
virtualHosts = append(virtualHosts, vh)
}
}
vh, err := b.buildVirtualHost(cfg.Options, "catch-all", "*", false)
if err != nil {
return nil, err
}
virtualHosts = append(virtualHosts, vh)
rc, err := b.buildRouteConfiguration("main", virtualHosts)
if err != nil {
return nil, err
}
return rc, nil
}

18
internal/controlplane/xds.go
View file

@ -11,8 +11,9 @@ import (
) )
const ( const (
clusterTypeURL = "type.googleapis.com/envoy.config.cluster.v3.Cluster" clusterTypeURL = "type.googleapis.com/envoy.config.cluster.v3.Cluster"
listenerTypeURL = "type.googleapis.com/envoy.config.listener.v3.Listener" listenerTypeURL = "type.googleapis.com/envoy.config.listener.v3.Listener"
routeConfigurationTypeURL = "type.googleapis.com/envoy.config.route.v3.RouteConfiguration"
) )
func (srv *Server) buildDiscoveryResources(ctx context.Context) (map[string][]*envoy_service_discovery_v3.Resource, error) { func (srv *Server) buildDiscoveryResources(ctx context.Context) (map[string][]*envoy_service_discovery_v3.Resource, error) {
@ -44,5 +45,18 @@ func (srv *Server) buildDiscoveryResources(ctx context.Context) (map[string][]*e
Resource: any, Resource: any,
}) })
} }
routeConfigurations, err := srv.Builder.BuildRouteConfigurations(ctx, cfg.Config)
if err != nil {
return nil, err
}
for _, routeConfiguration := range routeConfigurations {
resources[routeConfigurationTypeURL] = append(resources[routeConfigurationTypeURL], &envoy_service_discovery_v3.Resource{
Name: routeConfiguration.Name,
Version: hex.EncodeToString(cryptutil.HashProto(routeConfiguration)),
Resource: protoutil.NewAny(routeConfiguration),
})
}
return resources, nil return resources, nil
} }