istio · qiwzhang · Jun 14, 2018 · Jun 14, 2018 · Jun 14, 2018 · Jun 14, 2018
diff --git a/api/bazel/api_build_system.bzl b/api/bazel/api_build_system.bzl
@@ -4,9 +4,13 @@ load("@io_bazel_rules_go//proto:def.bzl", "go_grpc_library", "go_proto_library")
 load("@io_bazel_rules_go//go:def.bzl", "go_test")
 
 _PY_SUFFIX = "_py"
+
 _CC_SUFFIX = "_cc"
+
 _GO_PROTO_SUFFIX = "_go_proto"
+
 _GO_GRPC_SUFFIX = "_go_grpc"
+
 _GO_IMPORTPATH_PREFIX = "github.com/envoyproxy/data-plane-api/api/"
 
 def _Suffix(d, suffix):

diff --git a/api/bazel/repositories.bzl b/api/bazel/repositories.bzl
@@ -1,6 +1,9 @@
 GOOGLEAPIS_SHA = "d642131a6e6582fc226caf9893cb7fe7885b3411"  # May 23, 2018
+
 GOGOPROTO_SHA = "1adfc126b41513cc696b209667c8656ea7aac67c"  # v1.0.0
+
 PROMETHEUS_SHA = "99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c"  # Nov 17, 2017
+
 OPENCENSUS_SHA = "ab82e5fdec8267dc2a726544b10af97675970847"  # May 23, 2018
 
 PGV_GIT_SHA = "f9d2b11e44149635b23a002693b76512b01ae515"

diff --git a/bazel/cc_configure.bzl b/bazel/cc_configure.bzl
@@ -1,4 +1,7 @@
-load("@bazel_tools//tools/cpp:cc_configure.bzl", _upstream_cc_autoconf_impl = "cc_autoconf_impl")
+load(
+    "@bazel_tools//tools/cpp:cc_configure.bzl",
+    _upstream_cc_autoconf_impl = "cc_autoconf_impl",
+)
 load("@bazel_tools//tools/cpp:lib_cc_configure.bzl", "get_cpu_value")
 load("@bazel_tools//tools/cpp:unix_cc_configure.bzl", "find_cc")
 
@@ -82,7 +85,6 @@ def cc_autoconf_impl(repository_ctx):
     return _upstream_cc_autoconf_impl(repository_ctx, overriden_tools = overriden_tools)
 
 cc_autoconf = repository_rule(
-    implementation = cc_autoconf_impl,
     attrs = {
         "_envoy_cc_wrapper": attr.label(default = "@envoy//bazel:cc_wrapper.py"),
     },
@@ -118,6 +120,7 @@ cc_autoconf = repository_rule(
         "VS120COMNTOOLS",
         "VS140COMNTOOLS",
     ],
+    implementation = cc_autoconf_impl,
 )
 
 def cc_configure():

diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -105,10 +105,10 @@ def _default_envoy_build_config_impl(ctx):
     ctx.symlink(ctx.attr.config, "extensions_build_config.bzl")
 
 _default_envoy_build_config = repository_rule(
-    implementation = _default_envoy_build_config_impl,
     attrs = {
         "config": attr.label(default = "@envoy//source/extensions:extensions_build_config.bzl"),
     },
+    implementation = _default_envoy_build_config_impl,
 )
 
 def _default_envoy_api_impl(ctx):
@@ -126,10 +126,10 @@ def _default_envoy_api_impl(ctx):
         ctx.symlink(ctx.path(ctx.attr.api).dirname.get_child(d), d)
 
 _default_envoy_api = repository_rule(
-    implementation = _default_envoy_api_impl,
     attrs = {
         "api": attr.label(default = "@envoy//api:BUILD"),
     },
+    implementation = _default_envoy_api_impl,
 )
 
 # Python dependencies. If these become non-trivial, we might be better off using a virtualenv to

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -4,14 +4,10 @@ REPOSITORY_LOCATIONS = dict(
         commit = "2a52ce799382c87cd3119f3b44fbbebf97061ab6",  # chromium-67.0.3396.62
         remote = "https://github.com/google/boringssl",
     ),
-    com_google_absl = dict(
-        commit = "92020a042c0cd46979db9f6f0cb32783dc07765e",  # 2018-06-08
-        remote = "https://github.com/abseil/abseil-cpp",
-    ),
     com_github_apache_thrift = dict(
         sha256 = "7d59ac4fdcb2c58037ebd4a9da5f9a49e3e034bf75b3f26d9fe48ba3d8806e6b",
-        urls = ["https://files.pythonhosted.org/packages/c6/b4/510617906f8e0c5660e7d96fbc5585113f83ad547a3989b80297ac72a74c/thrift-0.11.0.tar.gz"],  # 0.11.0
         strip_prefix = "thrift-0.11.0",
+        urls = ["https://files.pythonhosted.org/packages/c6/b4/510617906f8e0c5660e7d96fbc5585113f83ad547a3989b80297ac72a74c/thrift-0.11.0.tar.gz"],  # 0.11.0
     ),
     com_github_bombela_backward = dict(
         commit = "44ae9609e860e3428cd057f7052e505b4819eb84",  # 2018-02-06
@@ -43,6 +39,10 @@ REPOSITORY_LOCATIONS = dict(
         commit = "c0d77201039c7b119b18bc7fb991564c602dd75d",
         remote = "https://github.com/gcovr/gcovr",
     ),
+    com_github_google_jwt_verify = dict(
+        commit = "4eb9e96485b71e00d43acc7207501caafb085b4a",
+        remote = "https://github.com/google/jwt_verify_lib",
+    ),
     com_github_google_libprotobuf_mutator = dict(
         commit = "c3d2faf04a1070b0b852b0efdef81e1a81ba925e",
         remote = "https://github.com/google/libprotobuf-mutator",
@@ -51,22 +51,6 @@ REPOSITORY_LOCATIONS = dict(
         commit = "bec3b5ada2c5e5d782dff0b7b5018df646b65cb0",  # v1.12.0
         remote = "https://github.com/grpc/grpc.git",
     ),
-    io_opentracing_cpp = dict(
-        commit = "3b36b084a4d7fffc196eac83203cf24dfb8696b3",  # v1.4.2
-        remote = "https://github.com/opentracing/opentracing-cpp",
-    ),
-    com_lightstep_tracer_cpp = dict(
-        commit = "ae6a6bba65f8c4d438a6a3ac855751ca8f52e1dc",
-        remote = "https://github.com/lightstep/lightstep-tracer-cpp",  # v0.7.1
-    ),
-    lightstep_vendored_googleapis = dict(
-        commit = "d6f78d948c53f3b400bb46996eb3084359914f9b",
-        remote = "https://github.com/google/googleapis",
-    ),
-    com_github_google_jwt_verify = dict(
-        commit = "4eb9e96485b71e00d43acc7207501caafb085b4a",
-        remote = "https://github.com/google/jwt_verify_lib",
-    ),
     com_github_nodejs_http_parser = dict(
         # 2018-07-20 snapshot to pick up:
         # A performance fix, nodejs/http-parser PR 422.
@@ -87,20 +71,24 @@ REPOSITORY_LOCATIONS = dict(
         commit = "f54b0e47a08782a6131cc3d60f94d038fa6e0a51",  # v1.1.0
         remote = "https://github.com/tencent/rapidjson",
     ),
+    com_github_twitter_common_finagle_thrift = dict(
+        sha256 = "1e3a57d11f94f58745e6b83348ecd4fa74194618704f45444a15bc391fde497a",
+        strip_prefix = "twitter.common.finagle-thrift-0.3.9/src",
+        urls = ["https://files.pythonhosted.org/packages/f9/e7/4f80d582578f8489226370762d2cf6bc9381175d1929eba1754e03f70708/twitter.common.finagle-thrift-0.3.9.tar.gz"],  # 0.3.9
+    ),
     com_github_twitter_common_lang = dict(
         sha256 = "56d1d266fd4767941d11c27061a57bc1266a3342e551bde3780f9e9eb5ad0ed1",
-        urls = ["https://files.pythonhosted.org/packages/08/bc/d6409a813a9dccd4920a6262eb6e5889e90381453a5f58938ba4cf1d9420/twitter.common.lang-0.3.9.tar.gz"],  # 0.3.9
         strip_prefix = "twitter.common.lang-0.3.9/src",
+        urls = ["https://files.pythonhosted.org/packages/08/bc/d6409a813a9dccd4920a6262eb6e5889e90381453a5f58938ba4cf1d9420/twitter.common.lang-0.3.9.tar.gz"],  # 0.3.9
     ),
     com_github_twitter_common_rpc = dict(
         sha256 = "0792b63fb2fb32d970c2e9a409d3d00633190a22eb185145fe3d9067fdaa4514",
-        urls = ["https://files.pythonhosted.org/packages/be/97/f5f701b703d0f25fbf148992cd58d55b4d08d3db785aad209255ee67e2d0/twitter.common.rpc-0.3.9.tar.gz"],  # 0.3.9
         strip_prefix = "twitter.common.rpc-0.3.9/src",
+        urls = ["https://files.pythonhosted.org/packages/be/97/f5f701b703d0f25fbf148992cd58d55b4d08d3db785aad209255ee67e2d0/twitter.common.rpc-0.3.9.tar.gz"],  # 0.3.9
     ),
-    com_github_twitter_common_finagle_thrift = dict(
-        sha256 = "1e3a57d11f94f58745e6b83348ecd4fa74194618704f45444a15bc391fde497a",
-        urls = ["https://files.pythonhosted.org/packages/f9/e7/4f80d582578f8489226370762d2cf6bc9381175d1929eba1754e03f70708/twitter.common.finagle-thrift-0.3.9.tar.gz"],  # 0.3.9
-        strip_prefix = "twitter.common.finagle-thrift-0.3.9/src",
+    com_google_absl = dict(
+        commit = "92020a042c0cd46979db9f6f0cb32783dc07765e",  # 2018-06-08
+        remote = "https://github.com/abseil/abseil-cpp",
     ),
     com_google_googletest = dict(
         commit = "43863938377a9ea1399c0596269e0890b5c5515a",
@@ -114,6 +102,10 @@ REPOSITORY_LOCATIONS = dict(
         commit = "6a4fec616ec4b20f54d5fb530808b855cb664390",
         remote = "https://github.com/google/protobuf",
     ),
+    com_lightstep_tracer_cpp = dict(
+        commit = "ae6a6bba65f8c4d438a6a3ac855751ca8f52e1dc",
+        remote = "https://github.com/lightstep/lightstep-tracer-cpp",  # v0.7.1
+    ),
     grpc_httpjson_transcoding = dict(
         commit = "05a15e4ecd0244a981fdf0348a76658def62fa9c",  # 2018-05-30
         remote = "https://github.com/grpc-ecosystem/grpc-httpjson-transcoding",
@@ -122,6 +114,14 @@ REPOSITORY_LOCATIONS = dict(
         commit = "0.11.1",
         remote = "https://github.com/bazelbuild/rules_go",
     ),
+    io_opentracing_cpp = dict(
+        commit = "3b36b084a4d7fffc196eac83203cf24dfb8696b3",  # v1.4.2
+        remote = "https://github.com/opentracing/opentracing-cpp",
+    ),
+    lightstep_vendored_googleapis = dict(
+        commit = "d6f78d948c53f3b400bb46996eb3084359914f9b",
+        remote = "https://github.com/google/googleapis",
+    ),
     six_archive = dict(
         sha256 = "105f8d68616f8248e24bf0e9372ef04d3cc10104f1980f54d57b2ce73a5ad56a",
         strip_prefix = "",

diff --git a/include/envoy/secret/BUILD b/include/envoy/secret/BUILD
@@ -8,11 +8,34 @@ load(
 
 envoy_package()
 
+envoy_cc_library(
+    name = "dynamic_secret_provider_interface",
+    hdrs = ["dynamic_secret_provider.h"],
+    deps = [
+        "//include/envoy/ssl:tls_certificate_config_interface",
+    ],
+)
+
+envoy_cc_library(
+    name = "dynamic_secret_provider_factory_interface",
+    hdrs = ["dynamic_secret_provider_factory.h"],
+    deps = [
+        ":dynamic_secret_provider_interface",
+        "//include/envoy/event:dispatcher_interface",
+        "//include/envoy/local_info:local_info_interface",
+        "//include/envoy/runtime:runtime_interface",
+        "//include/envoy/stats:stats_interface",
+        "//include/envoy/upstream:cluster_manager_interface",
+        "@envoy_api//envoy/api/v2/core:config_source_cc",
+    ],
+)
+
 envoy_cc_library(
     name = "secret_manager_interface",
     hdrs = ["secret_manager.h"],
     deps = [
-        "//include/envoy/ssl:tls_certificate_config_interface",
+        ":dynamic_secret_provider_interface",
         "@envoy_api//envoy/api/v2/auth:cert_cc",
+        "@envoy_api//envoy/api/v2/core:config_source_cc",
     ],
 )
diff --git a/include/envoy/secret/dynamic_secret_provider.h b/include/envoy/secret/dynamic_secret_provider.h
@@ -0,0 +1,27 @@
+#pragma once
+
+#include "envoy/ssl/tls_certificate_config.h"
+
+namespace Envoy {
+namespace Secret {
+
+/**
+ * An interface to fetch dynamic secret.
+ *
+ * TODO(JimmyCYJ): Support other types of secrets.
+ */
+class DynamicTlsCertificateSecretProvider {
+public:
+  virtual ~DynamicTlsCertificateSecretProvider() {}
+
+  /**
+   * @return the TlsCertificate secret. Returns nullptr if the secret is not found.
+   */
+  virtual const Ssl::TlsCertificateConfig* secret() const PURE;
+};
+
+typedef std::shared_ptr<DynamicTlsCertificateSecretProvider>
+    DynamicTlsCertificateSecretProviderSharedPtr;
+
+} // namespace Secret
+} // namespace Envoy
diff --git a/include/envoy/secret/dynamic_secret_provider_factory.h b/include/envoy/secret/dynamic_secret_provider_factory.h
@@ -0,0 +1,38 @@
+#pragma once
+
+#include "envoy/api/v2/core/config_source.pb.h"
+#include "envoy/event/dispatcher.h"
+#include "envoy/local_info/local_info.h"
+#include "envoy/runtime/runtime.h"
+#include "envoy/secret/dynamic_secret_provider.h"
+#include "envoy/stats/stats.h"
+#include "envoy/upstream/cluster_manager.h"
+
+namespace Envoy {
+namespace Secret {
+
+/**
+ * Factory for creating dynamic TlsCertificate secret provider.
+ */
+class DynamicTlsCertificateSecretProviderFactory {
+public:
+  virtual ~DynamicTlsCertificateSecretProviderFactory() {}
+
+  /**
+   * Finds and returns a secret provider associated to SDS config. Create a new one
+   * if such provider does not exist.
+   *
+   * @param config_source a protobuf message object contains SDS config source.
+   * @param config_name a name that uniquely refers to the SDS config source.
+   * @return the dynamic tls certificate secret provider.
+   */
+  virtual DynamicTlsCertificateSecretProviderSharedPtr
+  findOrCreate(const envoy::api::v2::core::ConfigSource& sds_config,
+               std::string sds_config_name) PURE;
+};
+
+typedef std::unique_ptr<DynamicTlsCertificateSecretProviderFactory>
+    DynamicTlsCertificateSecretProviderFactoryPtr;
+
+} // namespace Secret
+} // namespace Envoy
diff --git a/include/envoy/secret/secret_manager.h b/include/envoy/secret/secret_manager.h
@@ -3,15 +3,14 @@
 #include <string>
 
 #include "envoy/api/v2/auth/cert.pb.h"
+#include "envoy/secret/dynamic_secret_provider.h"
 #include "envoy/ssl/tls_certificate_config.h"
 
 namespace Envoy {
 namespace Secret {
 
 /**
- * A manager for static secrets.
- *
- * TODO(jaebong) Support dynamic secrets.
+ * A manager for static and dynamic secrets.
  */
 class SecretManager {
 public:
@@ -21,13 +20,37 @@ class SecretManager {
    * @param secret a protobuf message of envoy::api::v2::auth::Secret.
    * @throw an EnvoyException if the secret is invalid or not supported.
    */
-  virtual void addOrUpdateSecret(const envoy::api::v2::auth::Secret& secret) PURE;
+  virtual void addStaticSecret(const envoy::api::v2::auth::Secret& secret) PURE;
 
   /**
    * @param name a name of the Ssl::TlsCertificateConfig.
    * @return the TlsCertificate secret. Returns nullptr if the secret is not found.
    */
-  virtual const Ssl::TlsCertificateConfig* findTlsCertificate(const std::string& name) const PURE;
+  virtual const Ssl::TlsCertificateConfig*
+  findStaticTlsCertificate(const std::string& name) const PURE;
+
+  /**
+   * Finds and returns a secret provider associated to SDS config. Return nullptr
+   * if such provider does not exist.
+   *
+   * @param config_source a protobuf message object contains SDS config source.
+   * @param config_name a name that uniquely refers to the SDS config source.
+   * @return the dynamic tls certificate secret provider.
+   */
+  virtual DynamicTlsCertificateSecretProviderSharedPtr
+  findDynamicTlsCertificateSecretProvider(const envoy::api::v2::core::ConfigSource& config_source,
+                                          const std::string& config_name) PURE;
+
+  /**
+   * Add new dynamic tls certificate secret provider into secret manager.
+   *
+   * @param config_source a protobuf message object contains SDS config source.
+   * @param config_name a name that uniquely refers to the SDS config source.
+   * @param provider the dynamic tls certificate secret provider to be added into secret manager.
+   */
+  virtual void setDynamicTlsCertificateSecretProvider(
+      const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name,
+      DynamicTlsCertificateSecretProviderSharedPtr provider) PURE;
 };
 
 } // namespace Secret

diff --git a/include/envoy/server/BUILD b/include/envoy/server/BUILD
@@ -175,9 +175,16 @@ envoy_cc_library(
     name = "transport_socket_config_interface",
     hdrs = ["transport_socket_config.h"],
     deps = [
+        "//include/envoy/event:dispatcher_interface",
+        "//include/envoy/init:init_interface",
+        "//include/envoy/local_info:local_info_interface",
         "//include/envoy/network:transport_socket_interface",
+        "//include/envoy/runtime:runtime_interface",
+        "//include/envoy/secret:dynamic_secret_provider_factory_interface",
         "//include/envoy/secret:secret_manager_interface",
         "//include/envoy/ssl:context_manager_interface",
+        "//include/envoy/stats:stats_interface",
+        "//include/envoy/upstream:cluster_manager_interface",
         "//source/common/protobuf",
     ],
 )