Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

xDS Server Implementation #4731

Merged
merged 6 commits into from
Oct 3, 2018
Merged

xDS Server Implementation #4731

merged 6 commits into from
Oct 3, 2018

Conversation

banks
Copy link
Member

@banks banks commented Oct 1, 2018

Note: this PR targets merging into f-envoy and depends directly on #4730. This is part of a series of PRs that were developed together but split for easier review.

This is the actual xDS API server implementation. It authenticates gRPC streams, fetches config and watches for changes from the proxycfg.Manager from #4729, and then delivers updates to Envoy for TLS, upstream listeners and service discovery results.

Overview

proxy config manager

Notably Missing

  • xDS server is not wired up to the agent in this PR, that, the connect envoy CLI command and some other plumbing will be in a separate PR next. End to end tests aren't really possible at this point so I'll wait.
  • Documentation: this is left for later since the whole of f-envoy branch needs a large docs overhaul. That will all be addressed separately once this code is in review.

@banks banks requested a review from a team October 1, 2018 16:14
@pearkes pearkes added this to the 1.3.0 milestone Oct 1, 2018
@banks banks mentioned this pull request Oct 1, 2018
1 task
agent/xds/server.go Outdated Show resolved Hide resolved
agent/xds/server.go Show resolved Hide resolved
agent/xds/server.go Show resolved Hide resolved
@banks banks force-pushed the xds-server-config branch from eaba4bb to f9d5008 Compare October 2, 2018 15:08
Copy link
Member

@mkeeler mkeeler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this start the xDS server somewhere or am I missing something?

if cfgSnap == nil {
return nil, errors.New("nil config given")
}
// Inlude the "app" cluster for the public listener
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: typo "Inlude" -> "Include"

@mitchellh
Copy link
Contributor

Does this start the xDS server somewhere or am I missing something?

@mkeeler It starts in #4735.

agent/cache/watch.go Outdated Show resolved Hide resolved
agent/proxycfg/manager.go Outdated Show resolved Hide resolved
agent/xds/clusters.go Outdated Show resolved Hide resolved
agent/xds/endpoints.go Outdated Show resolved Hide resolved
agent/xds/listeners.go Outdated Show resolved Hide resolved
// as JSON and decoding again!!
cfgStruct, err := util.MessageToStruct(cfg)
if err != nil {
panic(err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So practically speaking I'm guessing this is never going to happen?

case stateInit:
if req == nil {
// This can't happen (tm) since stateCh is nil until after the first req
// is recieved but lets not panic about it.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: s/recieved/received/

// range the map which has no determined order. It's important because:
//
// 1. Envoy needs to see a consistent snapshot to avoid potentially
// dropping or misrouting traffic due to inconsitencies. This is the
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: s/inconsitencies/inconsistencies/

agent/xds/server.go Outdated Show resolved Hide resolved
@banks banks force-pushed the xds-server-config branch from f9d5008 to a8455b2 Compare October 3, 2018 12:38
continue
}
// TODO(banks): need to work out when to default some stuff. For example
// Proxy.LocalServicePort is practially necessary for any sidecar and can
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: s/practially/practically/

}
}

// ensureProxyServiceLocked adss or changes the proxy to our state.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: s/adss/adds/

return nil
}

// We are updating the proxy, close it's old state
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/it's/its/

}

// We are updating the proxy, close it's old state
state.Close()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about the error this returns?

ch := state.Watch()
for {
select {
case snap, ok := <-ch:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you only have the one case, why bother with the select at all? You could just do a bare snap, ok := <-ch


// Closing state will let the goroutine we started in Ensure finish since
// watch chan is closed.
state.Close()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

handle the error?

// TODO(banks): should we close their chan here to force them to eventually
// notice they are too slow? Not sure if it really helps.
select {
case ch <- snap:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this the thing I already commented on in the prior PR with the head-swapping of the topmost item in a chan-of-size-1?

return nil
}

// removeProxyService is called when a service deregisteres and frees all
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/deregisteres/deregisters/

@banks banks changed the base branch from xds-server-config to f-envoy October 3, 2018 15:32
@banks
Copy link
Member Author

banks commented Oct 3, 2018

Last commits addressed most of the points here which were awesome.

I also realised that the "let the user give us custom config" was a bit too liberal to be useful at all - they would also not get Connect certs or Authz that way!

The new behaviour implemented (and tested) in last few commits is to override the TLS config and insert the ext_authz filter onto the start of every configured filter chain even ones coming from the user. This at least ensures their main public listener as advertised in Consul will have the right TLS configs and with do Auth correctly before anything else.

I also realised we probably need to allow customisation of the Cluster config too for some features but we can iterate on that after this PR/initial release.

@banks banks merged commit d0a3346 into f-envoy Oct 3, 2018
@banks banks deleted the xds-server branch October 3, 2018 20:14
banks added a commit that referenced this pull request Oct 4, 2018
* Vendor updates for gRPC and xDS server

* xDS server implementation for serving Envoy as a Connect proxy

* Address initial review comments

* consistent envoy package aliases; typos fixed; override TLS and authz for custom listeners

* Moar Typos

* Moar typos
banks added a commit that referenced this pull request Oct 9, 2018
* Vendor updates for gRPC and xDS server

* xDS server implementation for serving Envoy as a Connect proxy

* Address initial review comments

* consistent envoy package aliases; typos fixed; override TLS and authz for custom listeners

* Moar Typos

* Moar typos
banks added a commit that referenced this pull request Oct 10, 2018
* Vendor updates for gRPC and xDS server

* xDS server implementation for serving Envoy as a Connect proxy

* Address initial review comments

* consistent envoy package aliases; typos fixed; override TLS and authz for custom listeners

* Moar Typos

* Moar typos
banks added a commit that referenced this pull request Oct 10, 2018
* Vendor updates for gRPC and xDS server

* xDS server implementation for serving Envoy as a Connect proxy

* Address initial review comments

* consistent envoy package aliases; typos fixed; override TLS and authz for custom listeners

* Moar Typos

* Moar typos
}

func makeFilter(name string, cfg proto.Message) (envoylistener.Filter, error) {
// Ridiculous dance to make that pbstruct into types.Struct by... encoding it
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@banks I love this comment, hits close to home 😂 seems like an unavoidable dance sometimes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants