envoyproxy · liverbirdkte · Feb 15, 2022 · Feb 25, 2022 · Feb 22, 2022 · Mar 2, 2022
diff --git a/api/BUILD b/api/BUILD
@@ -128,6 +128,7 @@ proto_library(
         "//envoy/extensions/access_loggers/wasm/v3:pkg",
         "//envoy/extensions/bootstrap/internal_listener/v3:pkg",
         "//envoy/extensions/cache/simple_http_cache/v3:pkg",
+        "//envoy/extensions/certificate_providers/local_certificate/v3:pkg",
         "//envoy/extensions/clusters/aggregate/v3:pkg",
         "//envoy/extensions/clusters/dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/clusters/redis/v3:pkg",

diff --git a/api/envoy/config/bootstrap/v3/bootstrap.proto b/api/envoy/config/bootstrap/v3/bootstrap.proto
@@ -315,9 +315,8 @@ message Bootstrap {
 
   // Global map of CertificateProvider instances. These instances are referred to by name in the
   // :ref:`CommonTlsContext.CertificateProviderInstance.instance_name
-  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance.instance_name>`
+  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance.instance_name>`
   // field.
-  // [#not-implemented-hide:]
   map<string, core.v3.TypedExtensionConfig> certificate_provider_instances = 25;
 
   // Specifies a set of headers that need to be registered as inline header. This configuration

diff --git a/api/envoy/extensions/certificate_providers/local_certificate/v3/BUILD b/api/envoy/extensions/certificate_providers/local_certificate/v3/BUILD
@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
diff --git a/api/envoy/extensions/certificate_providers/local_certificate/v3/local_certificate.proto b/api/envoy/extensions/certificate_providers/local_certificate/v3/local_certificate.proto
@@ -0,0 +1,23 @@
+syntax = "proto3";
+
+package envoy.extensions.certificate_providers.local_certificate.v3;
+
+import "envoy/config/core/v3/base.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.certificate_providers.local_certificate.v3";
+option java_outer_classname = "LocalCertificateProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/certificate_providers/local_certificate/v3;local_certificatev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Local Certificate Provider]
+
+// [#extension: envoy.certificate_providers.local_certificate]
+message LocalCertificate {
+  // Key and cert of root ca used to sign certificates.
+  config.core.v3.DataSource rootca_cert = 1;
+
+  config.core.v3.DataSource rootca_key = 2;
+}
diff --git a/api/envoy/extensions/filters/network/bumping/v3/BUILD b/api/envoy/extensions/filters/network/bumping/v3/BUILD
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/accesslog/v3:pkg",
+        "//envoy/extensions/transport_sockets/tls/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
diff --git a/api/envoy/extensions/filters/network/bumping/v3/bumping.proto b/api/envoy/extensions/filters/network/bumping/v3/bumping.proto
@@ -0,0 +1,43 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.bumping.v3;
+
+import "envoy/config/accesslog/v3/accesslog.proto";
+import "envoy/extensions/transport_sockets/tls/v3/common.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.bumping.v3";
+option java_outer_classname = "BumpingProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/bumping/v3;bumpingv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Bumping]
+// Bumping :ref:`configuration overview <config_network_filters_bumping>`.
+// [#extension: envoy.filters.network.bumping]
+
+// [#next-free-field: 6]
+message Bumping {
+  // The prefix to use when emitting :ref:`statistics
+  // <config_network_filters_bumping_stats>`.
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The upstream cluster to connect to.
+  string cluster = 2;
+
+  // Configuration for :ref:`access logs <arch_overview_access_logs>`
+  // emitted by the this bumping filter.
+  repeated config.accesslog.v3.AccessLog access_log = 3;
+
+  // The maximum number of unsuccessful connection attempts that will be made before
+  // giving up. If the parameter is not specified, 1 connection attempt will be made.
+  google.protobuf.UInt32Value max_connect_attempts = 4 [(validate.rules).uint32 = {gte: 1}];
+
+  // Certificate provider instance for fetching TLS certificates.
+  transport_sockets.tls.v3.CertificateProviderPluginInstance
+      tls_certificate_provider_instance = 5;
+}
diff --git a/api/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/envoy/extensions/transport_sockets/tls/v3/common.proto
@@ -239,7 +239,6 @@ message TlsSessionTicketKeys {
 // The plugin instances are defined in the client's bootstrap file.
 // The plugin allows certificates to be fetched/refreshed over the network asynchronously with
 // respect to the TLS handshake.
-// [#not-implemented-hide:]
 message CertificateProviderPluginInstance {
   // Provider instance name. If not present, defaults to "default".
   //
@@ -335,7 +334,6 @@ message CertificateValidationContext {
   // Certificate provider instance for fetching TLS certificates.
   //
   // Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
-  // [#not-implemented-hide:]
   CertificateProviderPluginInstance ca_certificate_provider_instance = 13
       [(udpa.annotations.field_migrate).oneof_promotion = "ca_cert_source"];
 

diff --git a/api/envoy/extensions/transport_sockets/tls/v3/tls.proto b/api/envoy/extensions/transport_sockets/tls/v3/tls.proto
@@ -259,7 +259,6 @@ message CommonTlsContext {
   //
   // Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
   // and ``tls_certificate_provider_instance`` may be used.
-  // [#not-implemented-hide:]
   CertificateProviderPluginInstance tls_certificate_provider_instance = 14;
 
   // Certificate provider for fetching TLS certificates.

diff --git a/api/versioning/BUILD b/api/versioning/BUILD
@@ -65,6 +65,7 @@ proto_library(
         "//envoy/extensions/access_loggers/wasm/v3:pkg",
         "//envoy/extensions/bootstrap/internal_listener/v3:pkg",
         "//envoy/extensions/cache/simple_http_cache/v3:pkg",
+        "//envoy/extensions/certificate_providers/local_certificate/v3:pkg",
         "//envoy/extensions/clusters/aggregate/v3:pkg",
         "//envoy/extensions/clusters/dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/clusters/redis/v3:pkg",
@@ -134,6 +135,7 @@ proto_library(
         "//envoy/extensions/filters/listener/original_src/v3:pkg",
         "//envoy/extensions/filters/listener/proxy_protocol/v3:pkg",
         "//envoy/extensions/filters/listener/tls_inspector/v3:pkg",
+        "//envoy/extensions/filters/network/bumping/v3:pkg",
         "//envoy/extensions/filters/network/connection_limit/v3:pkg",
         "//envoy/extensions/filters/network/direct_response/v3:pkg",
         "//envoy/extensions/filters/network/dubbo_proxy/router/v3:pkg",

diff --git a/envoy/certificate_provider/BUILD b/envoy/certificate_provider/BUILD
@@ -0,0 +1,48 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_package()
+
+envoy_cc_library(
+    name = "certificate_provider_interface",
+    hdrs = ["certificate_provider.h"],
+    external_deps = [
+        "ssl",
+    ],
+    deps = [
+        "//envoy/common:callback",
+        "//envoy/event:dispatcher_interface",
+        "//envoy/ssl:connection_interface",
+        "@com_google_absl//absl/strings",
+        "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
+    ],
+)
+
+envoy_cc_library(
+    name = "certificate_provider_manager_interface",
+    hdrs = [
+        "certificate_provider_manager.h",
+    ],
+    deps = [
+        ":certificate_provider_interface",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
+    ],
+)
+
+envoy_cc_library(
+    name = "certificate_provider_factory_lib",
+    hdrs = [
+        "certificate_provider_factory.h",
+    ],
+    deps = [
+        ":certificate_provider_interface",
+        "//envoy/registry",
+        "@com_google_absl//absl/strings",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
+    ],
+)
diff --git a/envoy/certificate_provider/certificate_provider.h b/envoy/certificate_provider/certificate_provider.h
@@ -0,0 +1,114 @@
+#pragma once
+
+#include <list>
+
+#include "envoy/common/callback.h"
+#include "envoy/common/pure.h"
+#include "envoy/event/dispatcher.h"
+#include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
+#include "envoy/ssl/connection.h"
+
+#include "absl/strings/string_view.h"
+#include "openssl/ssl.h"
+#include "openssl/x509v3.h"
+
+namespace Envoy {
+namespace CertificateProvider {
+
+class OnDemandUpdateMetadata {
+public:
+  virtual ~OnDemandUpdateMetadata() = default;
+
+  virtual Envoy::Ssl::ConnectionInfoConstSharedPtr connectionInfo() const PURE;
+};
+
+using OnDemandUpdateMetadataPtr = std::shared_ptr<OnDemandUpdateMetadata>;
+
+class OnDemandUpdateCallbacks {
+public:
+  virtual ~OnDemandUpdateCallbacks() = default;
+
+  /**
+   * Called when cert is already in cache.
+   * @param host supplies host of cert.
+   */
+  virtual void onCacheHit(const std::string& host) const PURE;
+  /**
+   * Called when cert cache is missed.
+   * @param host supplies host of cert.
+   */
+  virtual void onCacheMiss(const std::string& host) const PURE;
+};
+
+enum class OnDemandUpdateStatus {
+  // The cert is in cache. No self-signing needed.
+  InCache,
+  // The cert is not in cache. Self-sign cert, callbacks will be called at a later time unless
+  // cancelled.
+  Loading,
+};
+
+class OnDemandUpdateHandle {
+public:
+  virtual ~OnDemandUpdateHandle() = default;
+};
+
+using OnDemandUpdateHandlePtr = std::unique_ptr<OnDemandUpdateHandle>;
+
+struct OnDemandUpdateResult {
+  OnDemandUpdateStatus status_;
+  OnDemandUpdateHandlePtr handle_;
+};
+
+class CertificateProvider {
+public:
+  struct Capabilities {
+    /* whether or not a provider supports generating identity certificates on demand */
+    bool provide_on_demand_identity_certs = false;
+  };
+
+  virtual ~CertificateProvider() = default;
+
+  virtual Capabilities capabilities() const PURE;
+
+  /**
+   * @return CA certificate used for validation
+   */
+  virtual const std::string trustedCA(const std::string& cert_name) const PURE;
+
+  /**
+   * Certificate provider instance which used to get tls certificates
+   * should provide at least one tls certificate.
+   * @return Identity certificates used for handshake
+   */
+  virtual std::vector<const envoy::extensions::transport_sockets::tls::v3::TlsCertificate*>
+  tlsCertificates(const std::string& cert_name) const PURE;
+
+  /**
+   * Add on-demand callback into certificate provider, this function might be invoked from worker
+   * thread during runtime
+   *
+   * @param cert_name is certificate provider name in commontlscontext configuration.
+   * @param metadata is passed to provider for certs fetching/refreshing.
+   * @param thread_local_dispatcher is the dispatcher from callee's thread.
+   * @param callback registers callback to be executed for on demand update.
+   * @return CallbackHandle the handle which can remove that update callback.
+   */
+  virtual OnDemandUpdateResult addOnDemandUpdateCallback(
+      const std::string& cert_name, Envoy::CertificateProvider::OnDemandUpdateMetadataPtr metadata,
+      Event::Dispatcher& thread_local_dispatcher, OnDemandUpdateCallbacks& callback) PURE;
+
+  /**
+   * Add certificate update callback into certificate provider for asychronous usage.
+   *
+   * @param callback callback that is executed by certificate provider.
+   * @return CallbackHandle the handle which can remove that update callback.
+   */
+  virtual Common::CallbackHandlePtr addUpdateCallback(const std::string& cert_name,
+                                                      std::function<void()> callback) PURE;
+};
+
+using CertificateProviderSharedPtr = std::shared_ptr<CertificateProvider>;
+
+} // namespace CertificateProvider
+} // namespace Envoy
diff --git a/envoy/certificate_provider/certificate_provider_factory.h b/envoy/certificate_provider/certificate_provider_factory.h
@@ -0,0 +1,29 @@
+#pragma once
+
+#include "envoy/certificate_provider/certificate_provider.h"
+#include "envoy/common/pure.h"
+#include "envoy/config/core/v3/extension.pb.h"
+#include "envoy/registry/registry.h"
+
+#include "absl/strings/string_view.h"
+
+namespace Envoy {
+namespace Server {
+namespace Configuration {
+class TransportSocketFactoryContext;
+} // namespace Configuration
+} // namespace Server
+namespace CertificateProvider {
+
+class CertificateProviderFactory : public Config::TypedFactory {
+public:
+  virtual Envoy::CertificateProvider::CertificateProviderSharedPtr
+  createCertificateProviderInstance(
+      const envoy::config::core::v3::TypedExtensionConfig& config,
+      Server::Configuration::TransportSocketFactoryContext& factory_context, Api::Api& api) PURE;
+
+  std::string category() const override { return "envoy.certificate_providers"; }
+};
+
+} // namespace CertificateProvider
+} // namespace Envoy
diff --git a/envoy/certificate_provider/certificate_provider_manager.h b/envoy/certificate_provider/certificate_provider_manager.h
@@ -0,0 +1,35 @@
+#pragma once
+
+#include <string>
+
+#include "envoy/certificate_provider/certificate_provider.h"
+#include "envoy/common/pure.h"
+#include "envoy/config/core/v3/extension.pb.h"
+#include "envoy/singleton/instance.h"
+
+namespace Envoy {
+namespace Server {
+namespace Configuration {
+class TransportSocketFactoryContext;
+} // namespace Configuration
+} // namespace Server
+namespace CertificateProvider {
+
+/**
+ * A manager for certificate provider instances.
+ */
+class CertificateProviderManager : public Singleton::Instance {
+public:
+  ~CertificateProviderManager() override = default;
+
+  virtual void addCertificateProvider(
+      absl::string_view name, const envoy::config::core::v3::TypedExtensionConfig& config,
+      Server::Configuration::TransportSocketFactoryContext& factory_context) PURE;
+
+  virtual CertificateProviderSharedPtr getCertificateProvider(absl::string_view name) PURE;
+};
+
+using CertificateProviderManagerPtr = std::unique_ptr<CertificateProviderManager>;
+
+} // namespace CertificateProvider
+} // namespace Envoy
diff --git a/envoy/network/connection.h b/envoy/network/connection.h
@@ -351,6 +351,8 @@ class Connection : public Event::DeferredDeletable,
    * return value is cwnd(in packets) times the connection's MSS.
    */
   virtual absl::optional<uint64_t> congestionWindowInBytes() const PURE;
+
+  bool write_disable{false};
 };
 
 using ConnectionPtr = std::unique_ptr<Connection>;