ref(injector): load bootstrap SDS configuration from filesystem (#4635)

Loads the SDS configuration for the envoy bootstrap config 
from the file system. Previously, the certificates were provided
inline to the Envoy bootstrap configuration which was stored
in k8s Secret volume mounted to the Pod. This change will 
allow OSM to update the certificates used when establishing a
connection with xDS without having to recreate the Pod. This
allows the envoy xDS certificates to be rotated without potential
data plane downtime. 

This change updates the existing envoy bootstrap k8s secret
to include the TLS and validation context SDS configs, xDS 
certificate, key, and ca cert.

This change is a part of the automated root certificate rotation
work (#4502)

Signed-off-by: jaellio <[email protected]>

Author: jaellio

cmd/osm-controller/gateway.go

@@ -20,18 +20,15 @@ import (
 	"github.com/openservicemesh/osm/pkg/utils"
 )
 
-const (
-	gatewayBootstrapSecretName = "osm-multicluster-gateway-bootstrap-config" // #nosec G101: Potential hardcoded credentials
-	bootstrapConfigKey         = "bootstrap.yaml"
-)
+const gatewayBootstrapSecretName = "osm-multicluster-gateway-bootstrap-config" // #nosec G101: Potential hardcoded credentials
 
 func bootstrapOSMMulticlusterGateway(kubeClient kubernetes.Interface, certManager certificate.Manager, osmNamespace string) error {
 	secret, err := kubeClient.CoreV1().Secrets(osmNamespace).Get(context.Background(), gatewayBootstrapSecretName, metav1.GetOptions{})
 	if err != nil {
 		return errors.Errorf("Error fetching OSM gateway's bootstrap config %s/%s", osmNamespace, gatewayBootstrapSecretName)
 	}
 
-	if bootstrapData, ok := secret.Data[bootstrapConfigKey]; !ok {
+	if bootstrapData, ok := secret.Data[bootstrap.EnvoyBootstrapConfigFile]; !ok {
 		return errors.Errorf("Missing OSM gateway bootstrap config in %s/%s", osmNamespace, gatewayBootstrapSecretName)
 	} else if isValidBootstrapData(bootstrapData) {
 		// If there is a valid bootstrap config, it means we do not need to reconfigure it. It implies
@@ -47,14 +44,11 @@ func bootstrapOSMMulticlusterGateway(kubeClient kubernetes.Interface, certManage
 	}
 
 	bootstrapConfig, err := bootstrap.BuildFromConfig(bootstrap.Config{
-		NodeID:           bootstrapCert.GetCommonName().String(),
-		AdminPort:        constants.EnvoyAdminPort,
-		XDSClusterName:   constants.OSMControllerName,
-		XDSHost:          fmt.Sprintf("%s.%s.svc.%s", constants.OSMControllerName, osmNamespace, identity.ClusterLocalTrustDomain),
-		XDSPort:          constants.ADSServerPort,
-		TrustedCA:        bootstrapCert.GetIssuingCA(),
-		CertificateChain: bootstrapCert.GetCertificateChain(),
-		PrivateKey:       bootstrapCert.GetPrivateKey(),
+		NodeID:         bootstrapCert.GetCommonName().String(),
+		AdminPort:      constants.EnvoyAdminPort,
+		XDSClusterName: constants.OSMControllerName,
+		XDSHost:        fmt.Sprintf("%s.%s.svc.%s", constants.OSMControllerName, osmNamespace, identity.ClusterLocalTrustDomain),
+		XDSPort:        constants.ADSServerPort,
 	})
 	if err != nil {
 		return errors.Errorf("Error building OSM gateway's bootstrap config from %s/%s", osmNamespace, gatewayBootstrapSecretName)
@@ -71,7 +65,7 @@ func bootstrapOSMMulticlusterGateway(kubeClient kubernetes.Interface, certManage
 			Namespace: osmNamespace,
 		},
 		Data: map[string][]byte{
-			bootstrapConfigKey: bootstrapData,
+			bootstrap.EnvoyBootstrapConfigFile: bootstrapData,
 		},
 	}
 

cmd/osm-controller/gateway_test.go

@@ -11,6 +11,7 @@ import (
 	"k8s.io/client-go/kubernetes/fake"
 
 	tresorFake "github.com/openservicemesh/osm/pkg/certificate/providers/tresor/fake"
+	"github.com/openservicemesh/osm/pkg/envoy/bootstrap"
 )
 
 func TestBootstrapOSMMulticlusterGateway(t *testing.T) {
@@ -37,7 +38,7 @@ func TestBootstrapOSMMulticlusterGateway(t *testing.T) {
 					Namespace: osmNamespace,
 				},
 				Data: map[string][]byte{
-					bootstrapConfigKey: []byte("-- placeholder --"),
+					bootstrap.EnvoyBootstrapConfigFile: []byte("-- placeholder --"),
 				},
 			},
 			expectError: false,
@@ -50,7 +51,7 @@ func TestBootstrapOSMMulticlusterGateway(t *testing.T) {
 					Namespace: osmNamespace,
 				},
 				Data: map[string][]byte{
-					bootstrapConfigKey: []byte(`admin:
+					bootstrap.EnvoyBootstrapConfigFile: []byte(`admin:
   access_log:
   - name: envoy.access_loggers.stream
     typed_config:

pkg/envoy/bootstrap/config.go

@@ -1,6 +1,8 @@
 package bootstrap
 
 import (
+	"path/filepath"
+
 	xds_accesslog_config "github.com/envoyproxy/go-control-plane/envoy/config/accesslog/v3"
 	xds_bootstrap "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3"
 	xds_cluster "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
@@ -9,6 +11,7 @@ import (
 	xds_accesslog_stream "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/stream/v3"
 	xds_transport_sockets "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
 	xds_upstream_http "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/v3"
+	xds_discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
 	"github.com/golang/protobuf/ptypes/any"
 	"google.golang.org/protobuf/types/known/anypb"
 
@@ -17,6 +20,98 @@ import (
 	"github.com/openservicemesh/osm/pkg/errcode"
 )
 
+const (
+	envoyTLSCertificateSecretName    = "tls_sds"
+	envoyValidationContextSecretName = "validation_context_sds"
+
+	// EnvoyBootstrapConfigFile is the name Envoy bootstrap configuration file
+	EnvoyBootstrapConfigFile = "bootstrap.yaml"
+
+	// EnvoyTLSCertificateSDSSecretFile is the name of the Envoy TLS certificate SDS config file
+	EnvoyTLSCertificateSDSSecretFile = "tls_certificate_sds_secret.yaml"
+
+	// EnvoyValidationContextSDSSecretFile is the name of the Envoy validation context SDS config file
+	EnvoyValidationContextSDSSecretFile = "validation_context_sds_secret.yaml"
+
+	// EnvoyProxyConfigPath is the path where the Envoy bootstrap config info is located
+	EnvoyProxyConfigPath = "/etc/envoy"
+
+	// EnvoyXDSCACertFile is the name of the Envoy XDS CA certificate file
+	EnvoyXDSCACertFile = "cacert.pem"
+
+	// EnvoyXDSCertFile is the name of the Envoy XDS certificate file
+	EnvoyXDSCertFile = "sds_cert.pem"
+
+	// EnvoyXDSKeyFile is the name of the Envoy XDS private key file
+	EnvoyXDSKeyFile = "sds_key.pem"
+)
+
+var (
+	envoyTLSCertificateConfigPath    = filepath.Join(EnvoyProxyConfigPath, EnvoyTLSCertificateSDSSecretFile)
+	envoyValidationContextConfigPath = filepath.Join(EnvoyProxyConfigPath, EnvoyValidationContextSDSSecretFile)
+
+	envoyXDSCertPath   = filepath.Join(EnvoyProxyConfigPath, EnvoyXDSCertFile)
+	envoyXDSKeyPath    = filepath.Join(EnvoyProxyConfigPath, EnvoyXDSKeyFile)
+	envoyXDSCACertPath = filepath.Join(EnvoyProxyConfigPath, EnvoyXDSCACertFile)
+)
+
+// BuildTLSSecret builds and returns an Envoy Discovery Response object for Envoy's xDS TLS
+// Certificate
+func BuildTLSSecret() (*xds_discovery.DiscoveryResponse, error) {
+	secret := &xds_transport_sockets.Secret{
+		Name: envoyTLSCertificateSecretName,
+		Type: &xds_transport_sockets.Secret_TlsCertificate{
+			TlsCertificate: &xds_transport_sockets.TlsCertificate{
+				CertificateChain: &xds_core.DataSource{
+					Specifier: &xds_core.DataSource_Filename{
+						Filename: envoyXDSCertPath,
+					},
+				},
+				PrivateKey: &xds_core.DataSource{
+					Specifier: &xds_core.DataSource_Filename{
+						Filename: envoyXDSKeyPath,
+					},
+				},
+			},
+		},
+	}
+	marshalledSecret, err := anypb.New(secret)
+	if err != nil {
+		log.Error().Err(err).Msg("Error marshalling Secret for Envoy's xDS TLS certificate resource")
+		return nil, err
+	}
+
+	return &xds_discovery.DiscoveryResponse{
+		Resources: []*any.Any{marshalledSecret},
+	}, nil
+}
+
+// BuildValidationSecret builds and returns an Envoy Discovery Response object for Envoy's xDS
+// Validation Context
+func BuildValidationSecret() (*xds_discovery.DiscoveryResponse, error) {
+	secret := &xds_transport_sockets.Secret{
+		Name: envoyValidationContextSecretName,
+		Type: &xds_transport_sockets.Secret_ValidationContext{
+			ValidationContext: &xds_transport_sockets.CertificateValidationContext{
+				TrustedCa: &xds_core.DataSource{
+					Specifier: &xds_core.DataSource_Filename{
+						Filename: envoyXDSCACertPath,
+					},
+				},
+			},
+		},
+	}
+	marshalledSecret, err := anypb.New(secret)
+	if err != nil {
+		log.Error().Err(err).Msg("Error marshalling Secret for Envoy's xDS Validation Context resource")
+		return nil, err
+	}
+
+	return &xds_discovery.DiscoveryResponse{
+		Resources: []*any.Any{marshalledSecret},
+	}, nil
+}
+
 // BuildFromConfig builds and returns an Envoy Bootstrap object from the given config
 func BuildFromConfig(config Config) (*xds_bootstrap.Bootstrap, error) {
 	httpProtocolOptions := &xds_upstream_http.HttpProtocolOptions{
@@ -51,11 +146,12 @@ func BuildFromConfig(config Config) (*xds_bootstrap.Bootstrap, error) {
 			AlpnProtocols: []string{
 				"h2",
 			},
-			ValidationContextType: &xds_transport_sockets.CommonTlsContext_ValidationContext{
-				ValidationContext: &xds_transport_sockets.CertificateValidationContext{
-					TrustedCa: &xds_core.DataSource{
-						Specifier: &xds_core.DataSource_InlineBytes{
-							InlineBytes: config.TrustedCA,
+			ValidationContextType: &xds_transport_sockets.CommonTlsContext_ValidationContextSdsSecretConfig{
+				ValidationContextSdsSecretConfig: &xds_transport_sockets.SdsSecretConfig{
+					Name: envoyValidationContextSecretName,
+					SdsConfig: &xds_core.ConfigSource{
+						ConfigSourceSpecifier: &xds_core.ConfigSource_Path{
+							Path: envoyValidationContextConfigPath,
 						},
 					},
 				},
@@ -66,16 +162,12 @@ func BuildFromConfig(config Config) (*xds_bootstrap.Bootstrap, error) {
 				CipherSuites:              config.CipherSuites,
 				EcdhCurves:                config.ECDHCurves,
 			},
-			TlsCertificates: []*xds_transport_sockets.TlsCertificate{
+			TlsCertificateSdsSecretConfigs: []*xds_transport_sockets.SdsSecretConfig{
 				{
-					CertificateChain: &xds_core.DataSource{
-						Specifier: &xds_core.DataSource_InlineBytes{
-							InlineBytes: config.CertificateChain,
-						},
-					},
-					PrivateKey: &xds_core.DataSource{
-						Specifier: &xds_core.DataSource_InlineBytes{
-							InlineBytes: config.PrivateKey,
+					Name: envoyTLSCertificateSecretName,
+					SdsConfig: &xds_core.ConfigSource{
+						ConfigSourceSpecifier: &xds_core.ConfigSource_Path{
+							Path: envoyTLSCertificateConfigPath,
 						},
 					},
 				},

pkg/envoy/bootstrap/config_test.go

@@ -18,9 +18,6 @@ func TestBuildFromConfig(t *testing.T) {
 		NodeID:                cert.GetCommonName().String(),
 		AdminPort:             15000,
 		XDSClusterName:        constants.OSMControllerName,
-		TrustedCA:             cert.GetIssuingCA(),
-		CertificateChain:      cert.GetCertificateChain(),
-		PrivateKey:            cert.GetPrivateKey(),
 		XDSHost:               "osm-controller.osm-system.svc.cluster.local",
 		XDSPort:               15128,
 		TLSMinProtocolVersion: "TLSv1_0",
@@ -80,11 +77,10 @@ static_resources:
         common_tls_context:
           alpn_protocols:
           - h2
-          tls_certificates:
-          - certificate_chain:
-              inline_bytes: eHg=
-            private_key:
-              inline_bytes: eXk=
+          tls_certificate_sds_secret_configs:
+          - name: tls_sds
+            sds_config:
+              path: /etc/envoy/tls_certificate_sds_secret.yaml
           tls_params:
             cipher_suites:
             - abc
@@ -94,9 +90,10 @@ static_resources:
             - XYZ
             tls_maximum_protocol_version: TLSv1_2
             tls_minimum_protocol_version: TLSv1_0
-          validation_context:
-            trusted_ca:
-              inline_bytes: eHg=
+          validation_context_sds_secret_config:
+            name: validation_context_sds
+            sds_config:
+              path: /etc/envoy/validation_context_sds_secret.yaml
     type: LOGICAL_DNS
     typed_extension_protocol_options:
       envoy.extensions.upstreams.http.v3.HttpProtocolOptions:

pkg/envoy/bootstrap/types.go

@@ -24,16 +24,6 @@ type Config struct {
 	// NodeID is the proxy's node ID
 	NodeID string
 
-	// TrustedCA is the trusted certificate authority used to validate the certificate
-	// presented by the XDS cluster during a TLS handshake
-	TrustedCA []byte
-
-	// CertificateChain is the certificate used by the proxy to connect to the XDS cluster
-	CertificateChain []byte
-
-	// PrivateKey is the private key for the certificate used by the proxy to connect to the XDS cluster
-	PrivateKey []byte
-
 	// TLSMinProtocolVersion is the minimum supported TLS protocol version
 	TLSMinProtocolVersion string
 

pkg/injector/envoy_config.go

@@ -24,9 +24,6 @@ func getEnvoyConfigYAML(config envoyBootstrapConfigMeta, cfg configurator.Config
 		NodeID:                config.NodeID,
 		AdminPort:             constants.EnvoyAdminPort,
 		XDSClusterName:        constants.OSMControllerName,
-		TrustedCA:             config.RootCert,
-		CertificateChain:      config.Cert,
-		PrivateKey:            config.Key,
 		XDSHost:               config.XDSHost,
 		XDSPort:               config.XDSPort,
 		TLSMinProtocolVersion: config.TLSMinProtocolVersion,
@@ -55,6 +52,38 @@ func getEnvoyConfigYAML(config envoyBootstrapConfigMeta, cfg configurator.Config
 	return configYAML, nil
 }
 
+func getTLSSDSConfigYAML() ([]byte, error) {
+	tlsSDSConfig, err := bootstrap.BuildTLSSecret()
+	if err != nil {
+		log.Error().Err(err).Msgf("Error building Envoy TLS Certificate SDS Config")
+		return nil, err
+	}
+
+	configYAML, err := utils.ProtoToYAML(tlsSDSConfig)
+	if err != nil {
+		log.Error().Err(err).Str(errcode.Kind, errcode.GetErrCodeWithMetric(errcode.ErrMarshallingProtoToYAML)).
+			Msgf("Failed to marshal Envoy TLS Certificate SDS Config to yaml")
+		return nil, err
+	}
+	return configYAML, nil
+}
+
+func getValidationContextSDSConfigYAML() ([]byte, error) {
+	validationContextSDSConfig, err := bootstrap.BuildValidationSecret()
+	if err != nil {
+		log.Error().Err(err).Msgf("Error building Envoy Validation Context SDS Config")
+		return nil, err
+	}
+
+	configYAML, err := utils.ProtoToYAML(validationContextSDSConfig)
+	if err != nil {
+		log.Error().Err(err).Str(errcode.Kind, errcode.GetErrCodeWithMetric(errcode.ErrMarshallingProtoToYAML)).
+			Msgf("Failed to marshal Envoy Validation Context SDS Config to yaml")
+		return nil, err
+	}
+	return configYAML, nil
+}
+
 // getProbeResources returns the listener and cluster objects that are statically configured to serve
 // startup, readiness and liveness probes.
 // These will not change during the lifetime of the Pod.
@@ -107,10 +136,6 @@ func (wh *mutatingWebhook) createEnvoyBootstrapConfig(name, namespace, osmNamesp
 		XDSClusterName: constants.OSMControllerName,
 		NodeID:         cert.GetCommonName().String(),
 
-		RootCert: cert.GetIssuingCA(),
-		Cert:     cert.GetCertificateChain(),
-		Key:      cert.GetPrivateKey(),
-
 		XDSHost: fmt.Sprintf("%s.%s.svc.cluster.local", constants.OSMControllerName, osmNamespace),
 		XDSPort: constants.ADSServerPort,
 
@@ -123,12 +148,24 @@ func (wh *mutatingWebhook) createEnvoyBootstrapConfig(name, namespace, osmNamesp
 		CipherSuites:          wh.configurator.GetMeshConfig().Spec.Sidecar.CipherSuites,
 		ECDHCurves:            wh.configurator.GetMeshConfig().Spec.Sidecar.ECDHCurves,
 	}
-	yamlContent, err := getEnvoyConfigYAML(configMeta, wh.configurator)
+	configYamlContent, err := getEnvoyConfigYAML(configMeta, wh.configurator)
 	if err != nil {
 		log.Error().Err(err).Msg("Error creating Envoy bootstrap YAML")
 		return nil, err
 	}
 
+	tlsYamlContent, err := getTLSSDSConfigYAML()
+	if err != nil {
+		log.Error().Err(err).Msg("Error creating Envoy TLS Certificate SDS Config YAML")
+		return nil, err
+	}
+
+	validationYamlContent, err := getValidationContextSDSConfigYAML()
+	if err != nil {
+		log.Error().Err(err).Msg("Error creating Envoy Validation Context SDS Config YAML")
+		return nil, err
+	}
+
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
@@ -139,7 +176,12 @@ func (wh *mutatingWebhook) createEnvoyBootstrapConfig(name, namespace, osmNamesp
 			},
 		},
 		Data: map[string][]byte{
-			envoyBootstrapConfigFile: yamlContent,
+			bootstrap.EnvoyBootstrapConfigFile:            configYamlContent,
+			bootstrap.EnvoyTLSCertificateSDSSecretFile:    tlsYamlContent,
+			bootstrap.EnvoyValidationContextSDSSecretFile: validationYamlContent,
+			bootstrap.EnvoyXDSCACertFile:                  cert.GetIssuingCA(),
+			bootstrap.EnvoyXDSCertFile:                    cert.GetCertificateChain(),
+			bootstrap.EnvoyXDSKeyFile:                     cert.GetPrivateKey(),
 		},
 	}
 	if existing, err := wh.kubeClient.CoreV1().Secrets(namespace).Get(context.Background(), name, metav1.GetOptions{}); err == nil {