sds: clusters and listeners read static secrets from Bootstrap.static_resources

include/envoy/secret/BUILD

@@ -0,0 +1,18 @@
+licenses(["notice"])  # Apache 2
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "secret_manager_interface",
+    hdrs = ["secret_manager.h"],
+    deps = [
+        "//include/envoy/ssl:tls_certificate_config_interface",
+        "@envoy_api//envoy/api/v2/auth:cert_cc",
+    ],
+)

include/envoy/secret/secret_manager.h

@@ -0,0 +1,34 @@
+#pragma once
+
+#include <string>
+
+#include "envoy/api/v2/auth/cert.pb.h"
+#include "envoy/ssl/tls_certificate_config.h"
+
+namespace Envoy {
+namespace Secret {
+
+/**
+ * A manager for static secrets.
+ *
+ * TODO(jaebong) Support dynamic secrets.
+ */
+class SecretManager {
+public:
+  virtual ~SecretManager() {}
+
+  /**
+   * @param secret a protobuf message of envoy::api::v2::auth::Secret.
+   * @throw an EnvoyException if the secret is invalid or not supported.
+   */
+  virtual void addOrUpdateSecret(const envoy::api::v2::auth::Secret& secret) PURE;
+
+  /**
+   * @param name a name of the Ssl::TlsCertificateConfig.
+   * @return the TlsCertificate secret. Returns nullptr if the secret is not found.
+   */
+  virtual const Ssl::TlsCertificateConfig* findTlsCertificate(const std::string& name) const PURE;
+};
+
+} // namespace Secret
+} // namespace Envoy

include/envoy/server/BUILD

@@ -96,6 +96,7 @@ envoy_cc_library(
         "//include/envoy/local_info:local_info_interface",
         "//include/envoy/ratelimit:ratelimit_interface",
         "//include/envoy/runtime:runtime_interface",
+        "//include/envoy/secret:secret_manager_interface",
         "//include/envoy/ssl:context_manager_interface",
         "//include/envoy/thread_local:thread_local_interface",
         "//include/envoy/tracing:http_tracer_interface",
@@ -172,6 +173,7 @@ envoy_cc_library(
     hdrs = ["transport_socket_config.h"],
     deps = [
         "//include/envoy/network:transport_socket_interface",
+        "//include/envoy/secret:secret_manager_interface",
         "//include/envoy/ssl:context_manager_interface",
         "//source/common/protobuf",
     ],

include/envoy/server/instance.h

@@ -11,6 +11,7 @@
 #include "envoy/network/listen_socket.h"
 #include "envoy/ratelimit/ratelimit.h"
 #include "envoy/runtime/runtime.h"
+#include "envoy/secret/secret_manager.h"
 #include "envoy/server/admin.h"
 #include "envoy/server/drain_manager.h"
 #include "envoy/server/hot_restart.h"
@@ -113,6 +114,11 @@ class Instance {
    */
   virtual ListenerManager& listenerManager() PURE;
 
+  /**
+   * @return the server's secret manager
+   */
+  virtual Secret::SecretManager& secretManager() PURE;
+
   /**
    * @return the server's CLI options.
    */

include/envoy/server/transport_socket_config.h

@@ -3,6 +3,7 @@
 #include <string>
 
 #include "envoy/network/transport_socket.h"
+#include "envoy/secret/secret_manager.h"
 #include "envoy/ssl/context_manager.h"
 
 #include "common/protobuf/protobuf.h"
@@ -19,14 +20,19 @@ class TransportSocketFactoryContext {
   virtual ~TransportSocketFactoryContext() {}
 
   /**
-   * @return Ssl::ContextManager& the SSL context manager
+   * @return Ssl::ContextManager& the SSL context manager.
    */
   virtual Ssl::ContextManager& sslContextManager() PURE;
 
   /**
    * @return Stats::Scope& the transport socket's stats scope.
    */
   virtual Stats::Scope& statsScope() const PURE;
+
+  /**
+   * Return the instance of secret manager.
+   */
+  virtual Secret::SecretManager& secretManager() PURE;
 };
 
 class TransportSocketConfigFactory {

include/envoy/ssl/BUILD

@@ -32,3 +32,8 @@ envoy_cc_library(
         "//include/envoy/stats:stats_interface",
     ],
 )
+
+envoy_cc_library(
+    name = "tls_certificate_config_interface",
+    hdrs = ["tls_certificate_config.h"],
+)

include/envoy/ssl/tls_certificate_config.h

@@ -0,0 +1,29 @@
+#pragma once
+
+#include <memory>
+#include <string>
+
+#include "envoy/common/pure.h"
+
+namespace Envoy {
+namespace Ssl {
+
+class TlsCertificateConfig {
+public:
+  virtual ~TlsCertificateConfig() {}
+
+  /**
+   * @return a string of certificate chain
+   */
+  virtual const std::string& certificateChain() const PURE;
+
+  /**
+   * @return a string of private key
+   */
+  virtual const std::string& privateKey() const PURE;
+};
+
+typedef std::unique_ptr<TlsCertificateConfig> TlsCertificateConfigPtr;
+
+} // namespace Ssl
+} // namespace Envoy

include/envoy/upstream/BUILD

@@ -22,6 +22,7 @@ envoy_cc_library(
         "//include/envoy/http:conn_pool_interface",
         "//include/envoy/local_info:local_info_interface",
         "//include/envoy/runtime:runtime_interface",
+        "//include/envoy/secret:secret_manager_interface",
         "//include/envoy/server:admin_interface",
         "@envoy_api//envoy/api/v2:cds_cc",
         "@envoy_api//envoy/config/bootstrap/v2:bootstrap_cc",

include/envoy/upstream/cluster_manager.h

@@ -15,6 +15,7 @@
 #include "envoy/http/conn_pool.h"
 #include "envoy/local_info/local_info.h"
 #include "envoy/runtime/runtime.h"
+#include "envoy/secret/secret_manager.h"
 #include "envoy/server/admin.h"
 #include "envoy/upstream/load_balancer.h"
 #include "envoy/upstream/thread_local_cluster.h"
@@ -232,7 +233,8 @@ class ClusterManagerFactory {
   clusterManagerFromProto(const envoy::config::bootstrap::v2::Bootstrap& bootstrap,
                           Stats::Store& stats, ThreadLocal::Instance& tls, Runtime::Loader& runtime,
                           Runtime::RandomGenerator& random, const LocalInfo::LocalInfo& local_info,
-                          AccessLog::AccessLogManager& log_manager, Server::Admin& admin) PURE;
+                          AccessLog::AccessLogManager& log_manager, Server::Admin& admin,
+                          Secret::SecretManager& secret_manager) PURE;
 
   /**
    * Allocate an HTTP connection pool for the host. Pools are separated by 'priority',
@@ -249,7 +251,8 @@ class ClusterManagerFactory {
   virtual ClusterSharedPtr clusterFromProto(const envoy::api::v2::Cluster& cluster,
                                             ClusterManager& cm,
                                             Outlier::EventLoggerSharedPtr outlier_event_logger,
-                                            bool added_via_api) PURE;
+                                            bool added_via_api,
+                                            Secret::SecretManager& secret_manager) PURE;
 
   /**
    * Create a CDS API provider from configuration proto.

source/common/secret/BUILD

@@ -0,0 +1,21 @@
+licenses(["notice"])  # Apache 2
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "secret_manager_impl_lib",
+    srcs = ["secret_manager_impl.cc"],
+    hdrs = ["secret_manager_impl.h"],
+    deps = [
+        "//include/envoy/secret:secret_manager_interface",
+        "//source/common/common:minimal_logger_lib",
+        "//source/common/ssl:tls_certificate_config_impl_lib",
+        "@envoy_api//envoy/api/v2/auth:cert_cc",
+    ],
+)

source/common/secret/secret_manager_impl.cc

@@ -0,0 +1,28 @@
+#include "common/secret/secret_manager_impl.h"
+
+#include "envoy/common/exception.h"
+
+#include "common/ssl/tls_certificate_config_impl.h"
+
+namespace Envoy {
+namespace Secret {
+
+void SecretManagerImpl::addOrUpdateSecret(const envoy::api::v2::auth::Secret& secret) {
+  switch (secret.type_case()) {
+  case envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate:
+    tls_certificate_secrets_[secret.name()] =
+        std::make_unique<Ssl::TlsCertificateConfigImpl>(secret.tls_certificate());
+    break;
+  default:
+    throw EnvoyException("Secret type not implemented");
+  }
+}
+
+const Ssl::TlsCertificateConfig*
+SecretManagerImpl::findTlsCertificate(const std::string& name) const {
+  auto secret = tls_certificate_secrets_.find(name);
+  return (secret != tls_certificate_secrets_.end()) ? secret->second.get() : nullptr;
+}
+
+} // namespace Secret
+} // namespace Envoy

source/common/secret/secret_manager_impl.h

@@ -0,0 +1,23 @@
+#pragma once
+
+#include <unordered_map>
+
+#include "envoy/secret/secret_manager.h"
+#include "envoy/ssl/tls_certificate_config.h"
+
+#include "common/common/logger.h"
+
+namespace Envoy {
+namespace Secret {
+
+class SecretManagerImpl : public SecretManager, Logger::Loggable<Logger::Id::upstream> {
+public:
+  void addOrUpdateSecret(const envoy::api::v2::auth::Secret& secret) override;
+  const Ssl::TlsCertificateConfig* findTlsCertificate(const std::string& name) const override;
+
+private:
+  std::unordered_map<std::string, Ssl::TlsCertificateConfigPtr> tls_certificate_secrets_;
+};
+
+} // namespace Secret
+} // namespace Envoy

source/common/ssl/BUILD

@@ -33,8 +33,10 @@ envoy_cc_library(
         "ssl",
     ],
     deps = [
+        "//include/envoy/secret:secret_manager_interface",
         "//include/envoy/ssl:context_config_interface",
         "//source/common/common:assert_lib",
+        "//source/common/common:empty_string",
         "//source/common/config:datasource_lib",
         "//source/common/config:tls_context_json_lib",
         "//source/common/json:json_loader_lib",
@@ -66,3 +68,14 @@ envoy_cc_library(
         "//source/common/common:hex_lib",
     ],
 )
+
+envoy_cc_library(
+    name = "tls_certificate_config_impl_lib",
+    srcs = ["tls_certificate_config_impl.cc"],
+    hdrs = ["tls_certificate_config_impl.h"],
+    deps = [
+        "//include/envoy/ssl:tls_certificate_config_interface",
+        "//source/common/config:datasource_lib",
+        "@envoy_api//envoy/api/v2/auth:cert_cc",
+    ],
+)