multicluster: Adding GetMulticlusterGatewaySubjectCommonName() (#3857)

Signed-off-by: Delyan Raychev <[email protected]>
openservicemesh · Jul 26, 2021 · 7f90827 · 7f90827
1 parent fb1a3d6
commit 7f90827
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 3 deletions.
diff --git a/cmd/osm-controller/gateway.go b/cmd/osm-controller/gateway.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 
 	"github.com/ghodss/yaml"
-	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -15,9 +14,9 @@ import (
 
 	"github.com/openservicemesh/osm/pkg/certificate"
 	"github.com/openservicemesh/osm/pkg/constants"
-	"github.com/openservicemesh/osm/pkg/envoy"
 	"github.com/openservicemesh/osm/pkg/envoy/bootstrap"
 	"github.com/openservicemesh/osm/pkg/identity"
+	"github.com/openservicemesh/osm/pkg/multicluster"
 	"github.com/openservicemesh/osm/pkg/utils"
 )
 
@@ -41,7 +40,7 @@ func bootstrapOSMGateway(kubeClient kubernetes.Interface, certManager certificat
 		return nil
 	}
 
-	gatewayCN := envoy.NewXDSCertCommonName(uuid.New(), envoy.KindGateway, osmServiceAccount, osmNamespace)
+	gatewayCN := multicluster.GetMulticlusterGatewaySubjectCommonName(osmServiceAccount, osmNamespace)
 	bootstrapCert, err := certManager.IssueCertificate(gatewayCN, constants.XDSCertificateValidityPeriod)
 	if err != nil {
 		return errors.Errorf("Error issuing bootstrap certificate for OSM gateway: %s", err)

diff --git a/pkg/envoy/xdsutil.go b/pkg/envoy/xdsutil.go
@@ -409,3 +409,13 @@ func GetServiceIdentityFromProxyCertificate(cn certificate.CommonName) (identity
 
 	return cnMeta.ServiceIdentity, nil
 }
+
+// GetKindFromProxyCertificate returns the proxy kind, which is encoded in the Common Name of the XDS certificate.
+func GetKindFromProxyCertificate(cn certificate.CommonName) (ProxyKind, error) {
+	cnMeta, err := getCertificateCommonNameMeta(cn)
+	if err != nil {
+		return "", err
+	}
+
+	return cnMeta.ProxyKind, nil
+}
diff --git a/pkg/envoy/xdsutil_test.go b/pkg/envoy/xdsutil_test.go
@@ -1,8 +1,11 @@
 package envoy
 
 import (
+	"fmt"
 	"testing"
 
+	"github.com/openservicemesh/osm/pkg/certificate"
+
 	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	xds_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	xds_accesslog "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/stream/v3"
@@ -364,3 +367,12 @@ var _ = Describe("Test Envoy tools", func() {
 		})
 	})
 })
+
+func TestGetKindFromProxyCertificate(t *testing.T) {
+	assert := tassert.New(t)
+	cn := certificate.CommonName("fcbd7396-2e8c-49dc-91ff-7267d81287ba.gateway.2.3.4.5.6.7.8")
+	actualProxyKind, err := GetKindFromProxyCertificate(cn)
+	assert.Nil(err, fmt.Sprintf("Expected err to be nil; Actually it was %+v", err))
+	expectedProxyKind := KindGateway
+	assert.Equal(expectedProxyKind, actualProxyKind)
+}
diff --git a/pkg/multicluster/gateway.go b/pkg/multicluster/gateway.go
@@ -0,0 +1,17 @@
+package multicluster
+
+import (
+	"github.com/google/uuid"
+
+	"github.com/openservicemesh/osm/pkg/certificate"
+	"github.com/openservicemesh/osm/pkg/envoy"
+)
+
+// GetMulticlusterGatewaySubjectCommonName creates a unique certificate.CommonName
+// specifically for a Multicluster Gateway. Each gateway will have its own unique
+// cert. The kind of Envoy (gateway) is encoded in the cert CN by convention.
+func GetMulticlusterGatewaySubjectCommonName(serviceAccount, namespace string) certificate.CommonName {
+	gatewayUID := uuid.New()
+	envoyType := envoy.KindGateway
+	return envoy.NewXDSCertCommonName(gatewayUID, envoyType, serviceAccount, namespace)
+}
diff --git a/pkg/multicluster/gateway_test.go b/pkg/multicluster/gateway_test.go
@@ -0,0 +1,27 @@
+package multicluster
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/openservicemesh/osm/pkg/envoy"
+
+	tassert "github.com/stretchr/testify/assert"
+)
+
+func TestMulticlusterHelpers(t *testing.T) {
+	assert := tassert.New(t)
+	serviceAccount := "-svc-account-"
+	namespace := "-namespace-"
+
+	actualCN := GetMulticlusterGatewaySubjectCommonName(serviceAccount, namespace)
+	expectedSuffix := ".gateway.-svc-account-.-namespace-.cluster.local"
+	assert.True(strings.HasSuffix(actualCN.String(), expectedSuffix), fmt.Sprintf("Expected the Proxy Cert's Common Name to end with %s", expectedSuffix))
+
+	// Is the kind of proxy properly encoded in this certificate?
+	actualProxyKind, err := envoy.GetKindFromProxyCertificate(actualCN)
+	assert.Nil(err, fmt.Sprintf("Expected error to be nil; It was %+v", err))
+	expectedProxyKind := envoy.KindGateway
+	assert.Equal(expectedProxyKind, actualProxyKind, fmt.Sprintf("Expected proxy kind to be %s; it was actually %s", expectedProxyKind, actualProxyKind))
+}