-
Notifications
You must be signed in to change notification settings - Fork 268
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor mTLS & identity crates #1333
Conversation
The `linkerd-proxy-identity` crate, which is responsible for obtaining certificates from the identity service, currently has a hard dependency on our rustls crate. This change introduces a `linkerd_proxy_identity::Credentials` trait which provides an API for publishing certificates obtained from the identity service.
The `linkerd-tls` crate has a test dependency on `linkerd-tls-rustls`, which itself depends on `linkerd-tls`. This is an avoidable circular dependency. This change moves all of the TLS testdata from the `linkerd-tls-rustls` crate to the new `linkerd-tls-test-util` crate. The `tls_accept` test is moved from `linkerd-tls` to `linkerd-tls-rustls` so that `linkerd-tls` no longer depends on `linkerd-tls-rustls`.
The `linkerd-proxy-identity` crate, which is responsible for obtaining certificates from the identity service, currently has a hard dependency on our `linkerd-tls-rustls` crate. This change introduces trait so that the identity API client can be generic over the TLS implementation that receives certificate updates. To accomodate this, the identity/mtls crates are refactored as follows: * `linkerd-proxy-identity` gets a new `Credentials` trait so that the `certify` module is responsible for refreshing certificates from the API without hardcoding a TLS implementation. * The `linkerd-tls-rustls` crate is moved to `linkerd-proxy-identity-default` and compltely encapsulates the ring/rustls/webpki dependencies. This module provides an implementation of `Credentials` that validates and publishes rustls configurations to receivers--either `NewClient` or `Server`. * The _app_ crates currently have a hard dependency on the `identity-default` crate, but this will be made configurable in follow-up changes. There are no functional changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry it took so long to read through this one --- for the most part, this looks good to me. i noticed one thing that seems like a potential bug (the JoinHandle
in Server
) and it would be nice to know what's going on there. other than that, most of my comments were style and naming nits, or questions that would be nice to answer, not blockers.
} | ||
|
||
#[derive(Clone)] | ||
pub struct Documents { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cute name :)
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { | ||
f.debug_struct("Documents") | ||
.field("id", &self.id) | ||
.field("trust_anchors_pem", &self.trust_anchors_pem) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit/tioli: maybe worth a comment on why some fields aren't included?
expiry: Arc<Mutex<SystemTime>>, | ||
refreshes: Arc<Counter>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a reason we need two separate Arc
s for this? can't there just be one Arc
around the Metrics
?
not a blocker.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no... but I'll probably do some more work on the metrics before this is done and will address it there.
linkerd/proxy/tap/src/accept.rs
Outdated
@@ -5,6 +5,7 @@ use linkerd_conditional::Conditional; | |||
use linkerd_error::Error; | |||
use linkerd_io as io; | |||
use linkerd_proxy_http::{trace, HyperServerSvc}; | |||
use linkerd_proxy_identity_default as mtls; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit/tioli: elsewhere we import this as identity
, should we maybe be consistent about that? IMO mtls
is maybe clearer at least when the IO types are imported...not a big deal though!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so, I didn't want to just use an Arc<Notify>
, since then there's an ordering concern about whether the receiver watches before the first notification is sent. We could use an Arc with an AtomicBool, but it seems easier just to use the watch and as this is only used during startup, I'm not really worried about minimizing overhead absolutely. I'd rather be more confident we don't have subtle bugs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(i think this was supposed to be a reply to a different comment) sure, that makes sense, i just wasn't entirely clear on why the bool was important, which is what i wanted to understand here...
// The background task completes when the original sender is closed or when all receivers | ||
// are dropped. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
This release improves retries so that requests without a `content-length` can be retried. This should permit requests emitted by grpc-go to be retried. Discovery diagnostics have also been improved by ensuring that service discovery updates are logged at DEBUG. Previously these messages were only emitted at the TRACE level. --- * build(deps): bump hdrhistogram from 7.3.0 to 7.4.0 (linkerd/linkerd2-proxy#1330) * build(deps): bump libc from 0.2.104 to 0.2.105 (linkerd/linkerd2-proxy#1332) * tracing: update `tracing-subscriber` to v0.3.x (linkerd/linkerd2-proxy#1327) * tls: Avoid circular dependencies (linkerd/linkerd2-proxy#1334) * Fix misspecified dependencies (linkerd/linkerd2-proxy#1335) * build(deps): bump tracing-subscriber from 0.2.25 to 0.3.1 (linkerd/linkerd2-proxy#1328) * update `tonic`, `prost`, and `linkerd2-proxy-api` (linkerd/linkerd2-proxy#1339) * Refactor mTLS & identity crates (linkerd/linkerd2-proxy#1333) * Log discovery changes at DEBUG (linkerd/linkerd2-proxy#1340) * build(deps): bump tokio-util from 0.6.8 to 0.6.9 (linkerd/linkerd2-proxy#1342) * build(deps): bump tokio from 1.12.0 to 1.13.0 (linkerd/linkerd2-proxy#1343) * build(deps): bump tokio-stream from 0.1.7 to 0.1.8 (linkerd/linkerd2-proxy#1344) * retry: allow retrying requests without content-length headers (linkerd/linkerd2-proxy#1341) * retry: Simplify ReplayBody::poll_data for readability (linkerd/linkerd2-proxy#1346) * build(deps): bump libc from 0.2.105 to 0.2.106 (linkerd/linkerd2-proxy#1348) * reorg: Decouple TLS implementation from proxy client (linkerd/linkerd2-proxy#1349) * build(deps): bump actions/checkout from 2.3.5 to 2.4.0 (linkerd/linkerd2-proxy#1352) * Introduce `meshtls` facade to hide rustls crate (linkerd/linkerd2-proxy#1353)
This release improves retries so that requests without a `content-length` can be retried. This should permit requests emitted by grpc-go to be retried. Discovery diagnostics have also been improved by ensuring that service discovery updates are logged at DEBUG. Previously these messages were only emitted at the TRACE level. --- * build(deps): bump hdrhistogram from 7.3.0 to 7.4.0 (linkerd/linkerd2-proxy#1330) * build(deps): bump libc from 0.2.104 to 0.2.105 (linkerd/linkerd2-proxy#1332) * tracing: update `tracing-subscriber` to v0.3.x (linkerd/linkerd2-proxy#1327) * tls: Avoid circular dependencies (linkerd/linkerd2-proxy#1334) * Fix misspecified dependencies (linkerd/linkerd2-proxy#1335) * build(deps): bump tracing-subscriber from 0.2.25 to 0.3.1 (linkerd/linkerd2-proxy#1328) * update `tonic`, `prost`, and `linkerd2-proxy-api` (linkerd/linkerd2-proxy#1339) * Refactor mTLS & identity crates (linkerd/linkerd2-proxy#1333) * Log discovery changes at DEBUG (linkerd/linkerd2-proxy#1340) * build(deps): bump tokio-util from 0.6.8 to 0.6.9 (linkerd/linkerd2-proxy#1342) * build(deps): bump tokio from 1.12.0 to 1.13.0 (linkerd/linkerd2-proxy#1343) * build(deps): bump tokio-stream from 0.1.7 to 0.1.8 (linkerd/linkerd2-proxy#1344) * retry: allow retrying requests without content-length headers (linkerd/linkerd2-proxy#1341) * retry: Simplify ReplayBody::poll_data for readability (linkerd/linkerd2-proxy#1346) * build(deps): bump libc from 0.2.105 to 0.2.106 (linkerd/linkerd2-proxy#1348) * reorg: Decouple TLS implementation from proxy client (linkerd/linkerd2-proxy#1349) * build(deps): bump actions/checkout from 2.3.5 to 2.4.0 (linkerd/linkerd2-proxy#1352) * Introduce `meshtls` facade to hide rustls crate (linkerd/linkerd2-proxy#1353) * rustls: Configure the initial TLS client with trust roots (linkerd/linkerd2-proxy#1355)
The
linkerd-proxy-identity
crate, which is responsible for obtainingcertificates from the identity service, currently has a hard dependency
on our
linkerd-tls-rustls
crate.This change introduces trait
so that the identity API client can be generic over the TLS
implementation that receives certificate updates.
To accomodate this, the identity/mtls crates are refactored as follows:
linkerd-proxy-identity
gets a newCredentials
trait so that thecertify
module is responsible for refreshing certificates from theAPI without hardcoding a TLS implementation.
linkerd-tls-rustls
crate is moved tolinkerd-proxy-identity-default
and compltely encapsulates thering/rustls/webpki dependencies. This module provides an
implementation of
Credentials
that validates and publishes rustlsconfigurations to receivers--either
NewClient
orServer
.identity-default
crate, but this will be made configurable infollow-up changes.
There are no functional changes.