Add a map to manage FileBasedMetadataConfig (istio#11753)

* use CredentialName for SIMPLE * cvc * rootca * update test. * update test * fix format * update gateway config * fix test * fix lint * fix test * add comments. * add nolint * update cvc * update * update * update * update * update * update * format * dep ensure --update istio.io/api * Revise per comments * Revise * lint * Marshal SDS call credential config using deterministic order * update * update * revise * add comment * update
xun1009 · Feb 20, 2019 · 3632361 · 3632361
1 parent 44c6b5f
commit 3632361
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 6 deletions.
diff --git a/pilot/pkg/model/authentication.go b/pilot/pkg/model/authentication.go
@@ -232,7 +232,9 @@ func constructgRPCCallCredentials(tokenFileName, headerKey string) []*core.GrpcS
 		},
 		HeaderKey: headerKey,
 	}
-	any, _ := types.MarshalAny(config)
+
+	any := findOrMarshalFileBasedMetadataConfig(tokenFileName, headerKey, config)
+
 	return []*core.GrpcService_GoogleGrpc_CallCredentials{
 		&core.GrpcService_GoogleGrpc_CallCredentials{
 			CredentialSpecifier: &core.GrpcService_GoogleGrpc_CallCredentials_FromPlugin{
@@ -245,3 +247,32 @@ func constructgRPCCallCredentials(tokenFileName, headerKey string) []*core.GrpcS
 		},
 	}
 }
+
+type fbMetadataAnyKey struct {
+	tokenFileName string
+	headerKey     string
+}
+
+var fileBasedMetadataConfigAnyMap = map[fbMetadataAnyKey]*types.Any{}
+
+// findOrMarshalFileBasedMetadataConfig searches google.protobuf.Any in fileBasedMetadataConfigAnyMap
+// by tokenFileName and headerKey, and returns google.protobuf.Any proto if found. If not found,
+// it takes the fbMetadata and marshals it into google.protobuf.Any, and stores this new
+// google.protobuf.Any into fileBasedMetadataConfigAnyMap.
+// FileBasedMetadataConfig only supports non-deterministic marshaling. As each SDS config contains
+// marshaled FileBasedMetadataConfig, the SDS config would differ if marshaling FileBasedMetadataConfig
+// returns different result. Once SDS config differs, Envoy will create multiple SDS clients to fetch
+// same SDS resource. To solve this problem, we use findOrMarshalFileBasedMetadataConfig so that
+// FileBasedMetadataConfig is marshaled once, and is reused in all SDS configs.
+func findOrMarshalFileBasedMetadataConfig(tokenFileName, headerKey string, fbMetadata *v2alpha.FileBasedMetadataConfig) *types.Any {
+	key := fbMetadataAnyKey{
+		tokenFileName: tokenFileName,
+		headerKey:     headerKey,
+	}
+	if marshalAny, found := fileBasedMetadataConfigAnyMap[key]; found {
+		return marshalAny
+	}
+	any, _ := types.MarshalAny(fbMetadata)
+	fileBasedMetadataConfigAnyMap[key] = any
+	return any
+}
diff --git a/pilot/pkg/model/authentication_test.go b/pilot/pkg/model/authentication_test.go
@@ -21,7 +21,6 @@ import (
 	"github.com/envoyproxy/go-control-plane/envoy/api/v2/auth"
 	"github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
 	"github.com/envoyproxy/go-control-plane/envoy/config/grpc_credential/v2alpha"
-	"github.com/gogo/protobuf/proto"
 	"github.com/gogo/protobuf/types"
 )
 
@@ -151,7 +150,7 @@ func TestConstructSdsSecretConfig(t *testing.T) {
 			useTrustworthyJwt: true,
 			expected: &auth.SdsSecretConfig{
 				Name:      "spiffe://cluster.local/ns/bar/sa/foo",
-				SdsConfig: constructsdsconfighelper(trustworthyMetaConfig),
+				SdsConfig: constructsdsconfighelper(K8sSATrustworthyJwtFileName, k8sSAJwtTokenHeaderKey, trustworthyMetaConfig),
 			},
 		},
 		{
@@ -160,7 +159,7 @@ func TestConstructSdsSecretConfig(t *testing.T) {
 			useNormalJwt:   true,
 			expected: &auth.SdsSecretConfig{
 				Name:      "spiffe://cluster.local/ns/bar/sa/foo",
-				SdsConfig: constructsdsconfighelper(normalMetaConfig),
+				SdsConfig: constructsdsconfighelper(K8sSAJwtFileName, k8sSAJwtTokenHeaderKey, normalMetaConfig),
 			},
 		},
 		{
@@ -248,8 +247,8 @@ func constructGCECallCredConfig() *core.GrpcService_GoogleGrpc_CallCredentials {
 	}
 }
 
-func constructsdsconfighelper(metaConfig proto.Message) *core.ConfigSource {
-	any, _ := types.MarshalAny(metaConfig)
+func constructsdsconfighelper(tokenFileName, headerKey string, metaConfig *v2alpha.FileBasedMetadataConfig) *core.ConfigSource {
+	any := findOrMarshalFileBasedMetadataConfig(tokenFileName, headerKey, metaConfig)
 	return &core.ConfigSource{
 		ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{
 			ApiConfigSource: &core.ApiConfigSource{