Skip to content

Added BackendDefaults to Virtual Node #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 28 commits into
base: master
Choose a base branch
from
Open

Added BackendDefaults to Virtual Node #3

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
5326284
Added BackendDefaults to Virtual Node
sshver Oct 29, 2020
e476ae7
Merge remote-tracking branch 'upstream/master' into feature/backendDe…
sshver Nov 3, 2020
dbc5870
Modeled TLSClientValidation to enforce trust in file or acm cetificate
sshver Nov 4, 2020
5b4c97b
Merge remote-tracking branch 'upstream/master' into feature/backendDe…
sshver Nov 10, 2020
b4b7f95
Added check to have only one backendDefault per virtual node
sshver Nov 11, 2020
ce35692
Merge remote-tracking branch 'upstream/master' into feature/backendDe…
sshver Nov 11, 2020
4aea038
adding backend validation context
sshver Nov 12, 2020
25208a4
created a seperate module validation-context
sshver Nov 12, 2020
5b260be
Created a seperate client-policy file as client policy wont be only s…
sshver Nov 18, 2020
a55a305
Merge remote-tracking branch 'upstream/master' into feature/backendDe…
sshver Nov 18, 2020
7ca64da
Updated comments and removed newlines
sshver Nov 18, 2020
01be91b
1. Addressed comments
sshver Nov 24, 2020
7e2ddbc
Merge remote-tracking branch 'upstream/master' into feature/backendDe…
sshver Nov 24, 2020
49824b1
Added skeleton L2 for ACMPCA and addressed comments
sshver Nov 30, 2020
0306a36
Merge remote-tracking branch 'upstream/master' into feature/backendDe…
sshver Nov 30, 2020
045d2a7
Fixed minor comments
sshver Dec 2, 2020
2cad882
Merge remote-tracking branch 'upstream/master' into feature/backendDe…
sshver Dec 2, 2020
20c0e96
Fixed comments
sshver Dec 3, 2020
d36fc42
Added validation check to ensure certificateAuthorityArns is not empty
sshver Dec 4, 2020
4e07587
Minor fix
sshver Dec 4, 2020
da25261
Merge remote-tracking branch 'upstream/master' into feature/backendDe…
sshver Dec 4, 2020
41d2c12
Updated README and fixed build errors
sshver Dec 4, 2020
d18fdc4
Merge remote-tracking branch 'upstream/master' into feature/backendDe…
sshver Dec 4, 2020
4ec4b21
Merge remote-tracking branch 'upstream/master' into feature/backendDe…
sshver Dec 4, 2020
8b0b863
Minor changes
sshver Dec 7, 2020
bd2d85e
Updated README.md
sshver Dec 7, 2020
8b707ce
Merge remote-tracking branch 'upstream/master' into feature/backendDe…
sshver Dec 7, 2020
de939c3
Merge branch 'master' into feature/backendDefaults
mergify[bot] Dec 7, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
150 changes: 116 additions & 34 deletions packages/@aws-cdk/aws-appmesh/lib/virtual-node.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,39 +113,135 @@ export interface VirtualNodeBaseProps {
}

/**
* Default Configuration for Virtual Nodes
* Default configuration that is applied to all backends for the virtual node.
* Any configuration defined will be overwritten by configurations specified for a particular backend.
*/
export interface BackendDefaults {
/**
* Client policy for TLS
*/
readonly tlsClientPolicy: TLSClientPolicyProps;
}

/**
* Properties with respect to TLS backend default.
*/
export interface TLSClientPolicyProps {
Copy link

@dfezzie dfezzie Nov 5, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the Props name is reserved for class constructors. (Found this out in a PR I have out now)

Let's have this named TLSClientPolicyOptions

/**
* TLS enforced if True.
Copy link

@dfezzie dfezzie Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we can reword this to be more descriptive

TLS Connections with downstream server will always be enforced if True

Something to that effect.

*
* @default - none
* @default - True
*/
readonly enforce?: boolean
readonly enforce?: boolean;

/**
* TLS enforced on these ports. If not specified it is enforced on all ports.
*
* @default - none
*/
readonly ports?: number[]
readonly ports?: number[];

/**
* Certificate discovery method, ACM-PCA or Local file hosting.
* To enforce the trust is one of file, acmpca, or sds.
Copy link

@dfezzie dfezzie Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we haven't introduced SDS yet, let's remove the reference here

We can also reword this to

Policy used to determine if the TLS certificate the server presents is accepted

*
* @default - none
*/
readonly certificateType: string;
readonly validation: TLSClientValidation;
Copy link

@dfezzie dfezzie Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs to be optional

Copy link
Owner Author

@sshver sshver Nov 11, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't it be required ? I found this reference doc where in it says this field in required

}

/**
* Defines the TLS validation context trust.
*/
export abstract class TLSClientValidation {
/**
* Certificate File path or Certificate ARN.
*
* @default - none
* TLS validation context trust for a local file
*/
public static fileTrustValidation(props: FileTrustProps): TLSClientValidation {
Copy link

@dfezzie dfezzie Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could shorten this to fileTrust(...)

Copy link

@dfezzie dfezzie Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could also potentially accept just the path to the certificate chain instead of having a props interface. Makes it simpler to use for customers, but has the drawback of not being as extensible in the future, but there are plenty of ways around that.

return new FileTrust(props);
}

/**
* TLS validation context trust for AWS Certicate Manager (ACM) certificate.
Copy link

@dfezzie dfezzie Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I want to specify this is acm-pca somehow, but it doesn't flow great :P You have any ideas?

*/
public static acmTrustValidation(props: ACMTrustProps): TLSClientValidation {
return new ACMTrust(props);
}

/**
* Returns Trust context based on trust type.
*/
public abstract bind(scope: cdk.Construct): CfnVirtualNode.TlsValidationContextProperty;
Copy link

@dfezzie dfezzie Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bind should return a Config object here

}

/**
* ACM Trust Properties
*/
export interface ACMTrustProps {
/**
* Amazon Resource Name of the Certificates
Copy link

@dfezzie dfezzie Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should specify ACM PCA here

Amazon Resource Names (ARN) of trusted ACM Private Certificate Authorities

*/
readonly certificateAuthorityArns: string[];
Copy link

@dfezzie dfezzie Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should be an array of ACM Private Certificate Authorities. I think I mentioned this in the previous rev, since acm-pca is not modeled in CDK yet this is tricky. Will need to coordinate with Adam on this.

}

/**
* File Trust Properties
*/
export interface FileTrustProps {
/**
* Path to the Certificate Chain file on the file system where the Envoy is deployed.
*/
readonly certificate: string[];
readonly certificateChain: string;
}

/**
* Represents a Transport Layer Security (TLS) validation context trust for a local file
*/
export class FileTrust extends TLSClientValidation {
/**
* Path to the Certificate Chain file on the file system where the Envoy is deployed.
*/
readonly certificateChain: string;

constructor(props: FileTrustProps) {
super();
this.certificateChain = props.certificateChain;
}

public bind(_scope: cdk.Construct): CfnVirtualNode.TlsValidationContextProperty {
return {
trust: {
file: {
certificateChain: this.certificateChain,
},
},
};
}
}

/**
* Represents a TLS validation context trust for an AWS Certicate Manager (ACM) certificate.
*/
export class ACMTrust extends TLSClientValidation {
Copy link

@dfezzie dfezzie Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not need to be exported. Same for above

/**
* Amazon Resource Name of the Certificates
*/
readonly certificateAuthorityArns: string[];

constructor(props: ACMTrustProps) {
super();
this.certificateAuthorityArns = props.certificateAuthorityArns;
}

public bind(_scope: cdk.Construct): CfnVirtualNode.TlsValidationContextProperty {
return {
trust: {
acm: {
certificateAuthorityArns: this.certificateAuthorityArns,
},
},
};
}
}

/**
* The properties used when creating a new VirtualNode
Expand Down Expand Up @@ -189,31 +285,17 @@ abstract class VirtualNodeBase extends cdk.Resource implements IVirtualNode {
* Adds Default Backend Configuration for virtual node to communicate with Virtual Services.
*/
public addBackendDefaults(backendDefaults: BackendDefaults) {
if (Object.keys(backendDefaults).length!==0) {
const enforce = backendDefaults.enforce || false;
const ports = backendDefaults.ports || undefined;
const certificateType = backendDefaults.certificateType || 'acm';
const certificate = backendDefaults.certificate || [];
this.backendDefaults.push({
clientPolicy: {
tls: {
enforce: enforce,
ports: ports,
validation: {
trust: certificateType === 'acm' ? {
acm: {
certificateAuthorityArns: certificate,
},
} : {
file: {
certificateChain: certificate[0],
},
},
},
},
// eslint-disable-next-line no-console
console.log(backendDefaults.tlsClientPolicy.enforce);
this.backendDefaults.push({
clientPolicy: {
tls: {
enforce: backendDefaults.tlsClientPolicy.enforce === undefined ? true : backendDefaults.tlsClientPolicy.enforce,
Copy link

@dfezzie dfezzie Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think enforce: backendDefaults.tlsClientPolicy.enforce ?? true would work here?

validation: backendDefaults.tlsClientPolicy.validation.bind(this),
ports: backendDefaults.tlsClientPolicy.ports ? backendDefaults.tlsClientPolicy.ports : undefined,
Copy link

@dfezzie dfezzie Nov 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could be simplified to just backendDefaults.tlsClientPolicy.ports since it accepts undefined.

},
});
}
},
});
}

/**
Expand Down
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-appmesh/test/integ.mesh.expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -698,7 +698,7 @@
"Validation": {
"Trust": {
"File": {
"CertificateChain": "Path to Certificate"
"CertificateChain": "path-to-file"
}
}
}
Expand Down Expand Up @@ -760,7 +760,7 @@
"Validation": {
"Trust": {
"File": {
"CertificateChain": "Path to Certificate"
"CertificateChain": "path-to-file"
}
}
}
Expand Down
16 changes: 10 additions & 6 deletions packages/@aws-cdk/aws-appmesh/test/integ.mesh.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,9 +75,11 @@ const node2 = mesh.addVirtualNode('node2', {
},
},
backendDefaults: {
enforce: true,
certificate: ['Path to Certificate'],
certificateType: 'file',
tlsClientPolicy: {
validation: appmesh.TLSClientValidation.fileTrustValidation({
certificateChain: 'path-to-file',
}),
},
},
backends: [
new appmesh.VirtualService(stack, 'service-3', {
Expand All @@ -104,9 +106,11 @@ const node3 = mesh.addVirtualNode('node3', {
});

node3.addBackendDefaults({
enforce: true,
certificate: ['Path to Certificate'],
certificateType: 'file',
tlsClientPolicy: {
validation: appmesh.TLSClientValidation.fileTrustValidation({
certificateChain: 'path-to-file',
}),
},
});

router.addRoute('route-2', {
Expand Down
13 changes: 9 additions & 4 deletions packages/@aws-cdk/aws-appmesh/test/test.virtual-node.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,8 +122,12 @@ export = {
});

node.addBackendDefaults({
certificateType: 'file',
certificate: ['path to certificate'],
tlsClientPolicy: {
validation: appmesh.TLSClientValidation.fileTrustValidation({
certificateChain: 'path-to-certificate',
}),
ports: [8080, 8081],
},
});

// THEN
Expand All @@ -141,11 +145,12 @@ export = {
BackendDefaults: {
ClientPolicy: {
TLS: {
Enforce: false,
Enforce: true,
Ports: [8080, 8081],
Validation: {
Trust: {
File: {
CertificateChain: 'path to certificate',
CertificateChain: 'path-to-certificate',
},
},
},
Expand Down