Support mesh monitor mTLS (#528)

* Support mesh monitor mTLS * Unify agent config to one API * Adjust config fields * Add reporter type * fix renaming * Simplify append type
easegress-io · Mar 17, 2022 · 0f4c911 · 0f4c911
1 parent 19b6662
commit 0f4c911
Show file tree

Hide file tree

Showing 7 changed files with 224 additions and 166 deletions.
diff --git a/doc/reference/controllers.md b/doc/reference/controllers.md
@@ -31,6 +31,9 @@
  - [easemonitormetrics.Kafka](#easemonitormetricskafka)
  - [nacos.ServerSpec](#nacosserverspec)
  - [autocertmanager.DomainSpec](#autocertmanagerdomainspec)
+ - [mesh.Security](#meshsecurity)
+ - [mesh.MonitorMTLS](#meshmonitormtls)
+ - [mesh.MonitorCert](#meshmonitorcert)
 
 As the [architecture diagram](../imgs/architecture.png) shows, the controller is the core entity to control kinds of working. There are two kinds of controllers overall:
 
@@ -151,7 +154,7 @@ kafka:
 
 ### FaaSController
 
-A FaaSController is a business controller for handling Easegress and FaaS products integration purposes. It abstracts `FaasFunction`, `FaaSStore` and, `FaasProvider`. Currently, we only support `Knative` type `FaaSProvider`. 
+A FaaSController is a business controller for handling Easegress and FaaS products integration purposes. It abstracts `FaasFunction`, `FaaSStore` and, `FaasProvider`. Currently, we only support `Knative` type `FaaSProvider`.
 
 For the full reference document please check - [FaaS Controller](./faascontroller.md)
 
@@ -198,13 +201,21 @@ serviceName: service-001
 externalServiceRegistry: consul-service-registry-example
 ```
 
-| Name | Type | Description | Required |
-| ----------------------- | ------ | ------------------------------------------------------------------------- | --------------------- |
-| heartbeatInterval | string | Interval for one service instance reporting its heartbeat | Yes (default: 5s) |
-| registryType | string | Protocol the registry center accepts, support `eureka`, `consul`, `nacos` | Yes (default: eureka) |
-| apiPort | int | Port listening on for worker's API server | Yes (default: 13009) |
-| ingressPort | int | Port listening on for for ingress traffic | Yes (default: 13010) |
-| externalServiceRegistry | string | External service registry name | No |
+| Name | Type | Description | Required |
+|---------------------------|-------------------------------------|----------------------------------------------------------------------------------|-----------------------|
+| heartbeatInterval | string | Interval for one service instance reporting its heartbeat | Yes (default: 5s) |
+| registryType | string | Protocol the registry center accepts, support `eureka`, `consul`, `nacos` | Yes (default: eureka) |
+| apiPort | int | Port listening on for worker's API server | Yes (default: 13009) |
+| ingressPort | int | Port listening on for for ingress traffic | Yes (default: 13010) |
+| externalServiceRegistry | string | External service registry name | No |
+| cleanExternalRegistry | bool | Clean external registry services while externalServiceRegistry changing to empty | No |
+| security | [mesh.Security](#meshSecurity) | Security config for Mesh | No |
+| imageRegistryURL | string | Image registry URL to inject | No |
+| imagePullPolicy | string | Image pull policy to inject | No |
+| sidecarImageName | string | Sidecar image name to inject | No |
+| agentInitializerImageName | string | Agent initializer image name to inject | No |
+| log4jConfigName | string | Log4j config name to inject | No |
+| monitorMTLS | [mesh.MonitorMTLS](#meshMonitorMTLS) | Monitor mTLS config for Mesh | No |
 
 ### ConsulServiceRegistry
 
@@ -451,3 +462,32 @@ Below table list other required fields for each supported DNS provider (Note: `g
 | hetzner | authApiToken |
 | route53 | accessKeyId, secretAccessKey, awsProfile |
 | vultr | apiToken |
+
+### mesh.Security
+
+| Name | Type | Description | Required |
+|--------------|--------|---------------------------------------------------|----------|
+| mtlsMode | string | mTLS mode (support permissive, strict) | Yes |
+| certProvider | string | certificate provider (only support selfSign) | Yes |
+| rootCertTTL | string | TTL of root certificate (format: duration) | Yes |
+| appCertTTL | string | TTL of application certificate (format: duration) | Yes |
+
+
+### mesh.MonitorMTLS
+
+| Name | Type | Description | Required |
+|--------------|--------------------------------------|-------------------------------------------------|----------|
+| enabled | bool | Enable monitor mTLS | Yes |
+| url | string | URL of monitor gateway to report metrics | Yes |
+| username | string | Username for monitor gateway endpoint | Yes |
+| password | string | Password for monitor gateway endpoint | Yes |
+| caCertBase64 | string | CA of PEM encoded data in base64 encoded format | Yes |
+| certs | [mesh.MonitorCert](#meshMonitorCert) | Certificate pairs of services | Yes |
+
+### mesh.MonitorCert
+
+| Name | Type | Description | Required |
+|------------|----------|----------------------------------------------------------|----------|
+| certBase64 | string | Public key of PEM encoded data in base64 encoded format | Yes |
+| keyBase64 | string | Private key of PEM encoded data in base64 encoded format | Yes |
+| services | []string | Services that use the certificate pair | Yes |
diff --git a/pkg/cluster/config.go b/pkg/cluster/config.go
@@ -104,7 +104,8 @@ func CreateStaticClusterEtcdConfig(opt *option.Options) (*embed.Config, error) {
  }
  ec.InitialCluster = opt.InitialClusterToString()
 
- logger.Infof("etcd config: init-cluster:%s cluster-state:%s force-new-cluster:%v",
+ logger.Infof("etcd config: advertise-client-urls: %+v advertise-peer-urls: %+v init-cluster: %s cluster-state: %s force-new-cluster: %v",
+ ec.ACUrls, ec.APUrls,
  ec.InitialCluster, ec.ClusterState, ec.ForceNewCluster)
 
  return ec, nil
@@ -175,7 +176,8 @@ func CreateEtcdConfig(opt *option.Options, members *members) (*embed.Config, err
  ec.InitialCluster = members.initCluster()
  }
 
- logger.Infof("etcd config: init-cluster:%s cluster-state:%s force-new-cluster:%v",
+ logger.Infof("etcd config: advertise-client-urls: %+v advertise-peer-urls: %+v init-cluster: %s cluster-state: %s force-new-cluster: %v",
+ ec.ACUrls, ec.APUrls,
  ec.InitialCluster, ec.ClusterState, ec.ForceNewCluster)
 
  return ec, nil

diff --git a/pkg/object/meshcontroller/spec/spec.go b/pkg/object/meshcontroller/spec/spec.go
@@ -133,15 +133,36 @@ type (
  SidecarImageName string `yaml:"sidecarImageName" jsonschema:"omitempty"`
  AgentInitializerImageName string `yaml:"agentInitializerImageName" jsonschema:"omitempty"`
  Log4jConfigName string `yaml:"log4jConfigName" jsonschema:"omitempty"`
+
+ MonitorMTLS *MonitorMTLS `yaml:"monitorMTLS" jsonschema:"omitempty"`
+ }
+
+ // MonitorMTLS is the spec of mTLS specification of monitor.
+ MonitorMTLS struct {
+ Enabled bool `yaml:"enabled" jsonschema:"required"`
+ URL string `yaml:"url" jsonschema:"required"`
+ Username string `yaml:"username" jsonschema:"required"`
+ Password string `yaml:"password" jsonschema:"required"`
+
+ ReporterAppendType string `yaml:"reporterAppendType"`
+ CaCertBase64 string `yaml:"caCertBase64" jsonschema:"required,format=base64"`
+ Certs []*MonitorCert `yaml:"certs" jsonschema:"required"`
+ }
+
+ // MonitorCert is the spec for single pack of mTLS.
+ MonitorCert struct {
+ CertBase64 string `yaml:"certBase64" jsonschema:"required,format=base64"`
+ KeyBase64 string `yaml:"keyBase64" jsonschema:"required,format=base64"`
+ Services []string `yaml:"services" jsonschema:"required"`
  }
 
  // Security is the spec for mesh-wide security.
  Security struct {
  MTLSMode string `yaml:"mtlsMode" jsonschema:"required"`
  CertProvider string `yaml:"certProvider" jsonschema:"required"`
 
- RootCertTTL string `yaml:"rootCertTTL" jsonschema:"required, format=duration"`
- AppCertTTL string `yaml:"appCertTTL" jsonschema:"required, format=duration"`
+ RootCertTTL string `yaml:"rootCertTTL" jsonschema:"required,format=duration"`
+ AppCertTTL string `yaml:"appCertTTL" jsonschema:"required,format=duration"`
  }
 
  // Service contains the information of service.
@@ -210,10 +231,19 @@ type (
  ServiceHeaders map[string][]string `yaml:"serviceHeaders" jsonschema:"omitempty"`
  }
 
- // GlobalTransmission is the spec of global transmission data.
- // All endpoints of mesh should pass them.
+ // GlobalTransmission is the spec of global transmission data for Agent.
  GlobalTransmission struct {
+ // Headers are the canary headers, all endpoints of mesh should transmit them.
  Headers []string `yaml:"headers" jsonschema:"omitempty"`
+
+ MomitorMTLS *MTLSTransmission `yaml:"monitorMTLS"`
+ }
+
+ // MTLSTransmission is the mTLS config for Agent.
+ MTLSTransmission struct {
+ CaCertBase64 string `yaml:"caCertBase64" jsonschema:"required,format=base64"`
+ CertBase64 string `yaml:"certBase64" jsonschema:"required,format=base64"`
+ KeyBase64 string `yaml:"keyBase64" jsonschema:"required,format=base64"`
  }
 
  // LoadBalance is the spec of service load balance.
@@ -502,6 +532,19 @@ func (a Admin) Validate() error {
  }
  }
 
+ if a.MonitorMTLS != nil {
+ serviceMap := map[string]struct{}{}
+ for _, cert := range a.MonitorMTLS.Certs {
+ for _, service := range cert.Services {
+ _, exists := serviceMap[service]
+ if exists {
+ return fmt.Errorf("service %s in monitotMTLS.certs occurred multiple times", service)
+ }
+ serviceMap[service] = struct{}{}
+ }
+ }
+ }
+
  return nil
 }
 

diff --git a/pkg/object/meshcontroller/worker/observability.go b/pkg/object/meshcontroller/worker/observability.go
@@ -18,16 +18,11 @@
 package worker
 
 import (
- "fmt"
-
- "github.com/megaease/easegress/pkg/object/meshcontroller/spec"
  "github.com/megaease/easegress/pkg/util/jmxtool"
 )
 
 const (
  easeAgentConfigManager = "com.megaease.easeagent:type=ConfigManager"
- updateServiceOperation = "updateService"
- updateCanaryOperation = "updateCanary"
 )
 
 type (
@@ -46,22 +41,3 @@ func NewObservabilityServer(serviceName string) *ObservabilityManager {
  agentClient: client,
  }
 }
-
-// UpdateService updates service.
-func (server *ObservabilityManager) UpdateService(newService *spec.Service, version int64) error {
- err := server.agentClient.UpdateService(newService, version)
- if err != nil {
- return fmt.Errorf("Update Service Spec failed: %v ", err)
- }
-
- return nil
-}
-
-// UpdateGlobalTransmission updates global transmission.
-func (server *ObservabilityManager) UpdateGlobalTransmission(transmission *spec.GlobalTransmission) error {
- err := server.agentClient.UpdateGlobalTransmission(transmission)
- if err != nil {
- return fmt.Errorf("Update Canary Spec: %v ", err)
- }
- return nil
-}