feat: envoy control plane

goto · Dec 2, 2024 · 8969b28 · 8969b28
1 parent b2e804a
commit 8969b28
Show file tree

Hide file tree

Showing 8 changed files with 43 additions and 25 deletions.
diff --git a/cmd/serve.go b/cmd/serve.go
@@ -34,6 +34,7 @@ import (
 	"github.com/goto/shield/core/user"
 	"github.com/goto/shield/internal/adapter"
 	"github.com/goto/shield/internal/api"
+	proxycfg "github.com/goto/shield/internal/proxy"
 	"github.com/goto/shield/internal/schema"
 	"github.com/goto/shield/internal/server"
 	"github.com/goto/shield/internal/store/blob"
@@ -181,7 +182,7 @@ func StartServer(logger *log.Zap, cfg *config.Shield) error {
 	// serving proxies
 	var cbs []func() error
 	var cps []func(context.Context) error
-	if cfg.Proxy.EnvoyAgent.XDS.Host != "" && cfg.Proxy.EnvoyAgent.XDS.Port != 0 {
+	if cfg.Proxy.Type == proxycfg.ENVOY_PROXY {
 		cbs, err = serveXDS(ctx, logger, cfg.Proxy, pgRuleRepository)
 	} else {
 		cbs, cps, err = serveProxies(ctx, logger, cfg.App.IdentityProxyHeader, cfg.App.UserIDHeader, cfg.Proxy, pgRuleRepository, deps.ResourceService, deps.RelationService, deps.UserService, deps.GroupService, deps.ProjectService, deps.RelationAdapter)

diff --git a/config/config.yaml b/config/config.yaml
@@ -37,6 +37,16 @@ spicedb:
 
 # proxy configuration
 proxy:
+  # proxy type configuration
+  # valid values are "shield" and "envoy", with the default set to "shield"
+  type: shield
+  # envoy proxy configuration, will be ignored if proxy type set to "shield"
+  envoy:
+    xds:
+      host: 127.0.0.1
+      port: 8082
+      refresh_interval: 10s
+  # proxy services configuration
   services:
     - name: test
       host: 0.0.0.0

diff --git a/internal/proxy/config.go b/internal/proxy/config.go
@@ -2,7 +2,13 @@ package proxy
 
 import "time"
 
+const (
+	SHIELD_PROXY = "shield"
+	ENVOY_PROXY  = "envoy"
+)
+
 type ServicesConfig struct {
+	Type       string     `yaml:"type" mapstructure:"type"`
 	EnvoyAgent EnvoyAgent `yaml:"envoy" mapstructure:"envoy"`
 	Services   []Config   `yaml:"services" mapstructure:"services"`
 }
@@ -12,7 +18,7 @@ type EnvoyAgent struct {
 }
 
 type XDS struct {
-	Host            string        `yaml:"host" mapstructure:"host"`
+	Host            string        `yaml:"host" mapstructure:"host" default:"shield"`
 	Port            int           `yaml:"port" mapstructure:"port"`
 	RefreshInterval time.Duration `yaml:"refresh_interval" mapstructure:"refresh_interval" default:"60s"`
 }

diff --git a/internal/proxy/envoy/xds/ads/ads.go b/internal/proxy/envoy/xds/ads/ads.go
@@ -4,18 +4,15 @@ import (
 	"context"
 	"time"
 
+	"github.com/envoyproxy/go-control-plane/pkg/resource/v3"
 	"github.com/goto/shield/core/rule"
 )
 
 const (
-	CLUSTER_TYPE_URL             = "type.googleapis.com/envoy.config.cluster.v3.Cluster"
-	LISTENER_TYPE_URL            = "type.googleapis.com/envoy.config.listener.v3.Listener"
-	ROUTE_CONFIGURATION_TYPE_URL = "type.googleapis.com/envoy.config.route.v3.RouteConfiguration"
-
-	HTTP_CONNECTION_MANAGER_TYPE_URL = "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
-	ROUTER_TYPE_URL                  = "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
-	URI_TEMPLATE_TYPE_URL            = "type.googleapis.com/envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig"
-	STDOUT_LOGGER_TYPE_URL           = "type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog"
+	HTTP_CONNECTION_MANAGER_TYPE_URL = resource.APITypePrefix + "envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+	ROUTER_TYPE_URL                  = resource.APITypePrefix + "envoy.extensions.filters.http.router.v3.Router"
+	URI_TEMPLATE_TYPE_URL            = resource.APITypePrefix + "envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig"
+	STDOUT_LOGGER_TYPE_URL           = resource.APITypePrefix + "envoy.extensions.access_loggers.stream.v3.StdoutAccessLog"
 )
 
 type Repository interface {

diff --git a/internal/proxy/envoy/xds/ads/pubsub_test.go b/internal/proxy/envoy/xds/ads/pubsub_test.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"testing"
 
+	"github.com/envoyproxy/go-control-plane/pkg/resource/v3"
 	"github.com/goto/shield/internal/proxy/envoy/xds/ads"
 	"github.com/stretchr/testify/assert"
 )
@@ -13,7 +14,7 @@ func TestPush(t *testing.T) {
 		NodeID:      "node-1",
 		VersionInfo: "v1",
 		Nonce:       "test",
-		TypeUrl:     ads.CLUSTER_TYPE_URL,
+		TypeUrl:     resource.ClusterType,
 	}
 	messageChan := make(ads.MessageChan, 1)
 

diff --git a/internal/proxy/envoy/xds/ads/response.go b/internal/proxy/envoy/xds/ads/response.go
@@ -4,6 +4,7 @@ import (
 	cluster "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
 	listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	route "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+	"github.com/envoyproxy/go-control-plane/pkg/resource/v3"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/anypb"
 
@@ -29,7 +30,7 @@ func (s ResponseStream) StreamCDS(clusters []*cluster.Cluster) error {
 		}
 
 		resources = append(resources, &anypb.Any{
-			TypeUrl: CLUSTER_TYPE_URL,
+			TypeUrl: resource.ClusterType,
 			Value:   res,
 		})
 	}
@@ -38,7 +39,7 @@ func (s ResponseStream) StreamCDS(clusters []*cluster.Cluster) error {
 		VersionInfo: s.versionInfo,
 		Nonce:       s.nonce,
 		Resources:   resources,
-		TypeUrl:     CLUSTER_TYPE_URL,
+		TypeUrl:     resource.ClusterType,
 	}
 
 	return s.stream.Send(resp)
@@ -57,7 +58,7 @@ func (s ResponseStream) StreamLDS(listeners []*listener.Listener) error {
 		}
 
 		resources = append(resources, &anypb.Any{
-			TypeUrl: LISTENER_TYPE_URL,
+			TypeUrl: resource.ListenerType,
 			Value:   res,
 		})
 	}
@@ -66,7 +67,7 @@ func (s ResponseStream) StreamLDS(listeners []*listener.Listener) error {
 		VersionInfo: s.versionInfo,
 		Nonce:       s.nonce,
 		Resources:   resources,
-		TypeUrl:     LISTENER_TYPE_URL,
+		TypeUrl:     resource.ListenerType,
 	}
 	return s.stream.Send(resp)
 }
@@ -84,7 +85,7 @@ func (s ResponseStream) StreamRDS(routes []*route.RouteConfiguration) error {
 		}
 
 		resources = append(resources, &anypb.Any{
-			TypeUrl: ROUTE_CONFIGURATION_TYPE_URL,
+			TypeUrl: resource.RouteType,
 			Value:   res,
 		})
 	}
@@ -93,7 +94,7 @@ func (s ResponseStream) StreamRDS(routes []*route.RouteConfiguration) error {
 		VersionInfo: s.versionInfo,
 		Nonce:       s.nonce,
 		Resources:   resources,
-		TypeUrl:     ROUTE_CONFIGURATION_TYPE_URL,
+		TypeUrl:     resource.RouteType,
 	}
 
 	return s.stream.Send(resp)

diff --git a/internal/proxy/envoy/xds/ads/response_test.go b/internal/proxy/envoy/xds/ads/response_test.go
@@ -7,6 +7,7 @@ import (
 	listenerv3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 	xds "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
+	"github.com/envoyproxy/go-control-plane/pkg/resource/v3"
 	"github.com/goto/shield/internal/proxy/envoy/xds/ads"
 	"github.com/goto/shield/internal/proxy/envoy/xds/ads/mocks"
 	"github.com/stretchr/testify/assert"
@@ -18,21 +19,21 @@ var (
 	testClusterStream    = &clusterv3.Cluster{}
 	testClusterBytes, _  = proto.Marshal(testClusterStream)
 	testClusterResources = &anypb.Any{
-		TypeUrl: ads.CLUSTER_TYPE_URL,
+		TypeUrl: resource.ClusterType,
 		Value:   testClusterBytes,
 	}
 
 	testListenerStream    = &listenerv3.Listener{}
 	testListenerBytes, _  = proto.Marshal(testListenerStream)
 	testListenerResources = &anypb.Any{
-		TypeUrl: ads.LISTENER_TYPE_URL,
+		TypeUrl: resource.ListenerType,
 		Value:   testListenerBytes,
 	}
 
 	testRouteStream    = &routev3.RouteConfiguration{}
 	testRouteBytes, _  = proto.Marshal(testRouteStream)
 	testRouteResources = &anypb.Any{
-		TypeUrl: ads.ROUTE_CONFIGURATION_TYPE_URL,
+		TypeUrl: resource.RouteType,
 		Value:   testRouteBytes,
 	}
 )
@@ -56,7 +57,7 @@ func TestStreamCDS(t *testing.T) {
 					VersionInfo: "v1",
 					Nonce:       "test",
 					Resources:   []*anypb.Any{testClusterResources},
-					TypeUrl:     ads.CLUSTER_TYPE_URL,
+					TypeUrl:     resource.ClusterType,
 				}).Return(nil)
 				return ads.NewResponseStream(&stream, "v1", "test")
 			},
@@ -97,7 +98,7 @@ func TestStreamLDS(t *testing.T) {
 					VersionInfo: "v1",
 					Nonce:       "test",
 					Resources:   []*anypb.Any{testListenerResources},
-					TypeUrl:     ads.LISTENER_TYPE_URL,
+					TypeUrl:     resource.ListenerType,
 				}).Return(nil)
 				return ads.NewResponseStream(&stream, "v1", "test")
 			},
@@ -138,7 +139,7 @@ func TestStreamRDS(t *testing.T) {
 					VersionInfo: "v1",
 					Nonce:       "test",
 					Resources:   []*anypb.Any{testRouteResources},
-					TypeUrl:     ads.ROUTE_CONFIGURATION_TYPE_URL,
+					TypeUrl:     resource.RouteType,
 				}).Return(nil)
 				return ads.NewResponseStream(&stream, "v1", "test")
 			},

diff --git a/internal/proxy/envoy/xds/ads/stream.go b/internal/proxy/envoy/xds/ads/stream.go
@@ -10,6 +10,7 @@ import (
 	listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	route "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 	xds "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
+	"github.com/envoyproxy/go-control-plane/pkg/resource/v3"
 	"github.com/goto/salt/log"
 )
 
@@ -121,11 +122,11 @@ func (s Stream) streamResponses(message Message) error {
 
 	responseStream := NewResponseStream(s.stream, message.VersionInfo, message.Nonce)
 	switch message.TypeUrl {
-	case CLUSTER_TYPE_URL:
+	case resource.ClusterType:
 		if err := responseStream.StreamCDS(cfg.Clusters); err != nil {
 			return err
 		}
-	case LISTENER_TYPE_URL:
+	case resource.ListenerType:
 		if err := responseStream.StreamLDS(cfg.Listeners); err != nil {
 			return err
 		}