blob: 4c4fc704dea45589e14557a7646c5316198f4418 [file] [log] [blame]
package bootstrap
import (
import (
import (
mesh_proto ""
xds_config ""
bootstrap_config ""
core_mesh ""
core_manager ""
core_store ""
core_xds ""
type BootstrapGenerator interface {
Generate(ctx context.Context, request types.BootstrapRequest) (proto.Message, DubboDpBootstrap, error)
func NewDefaultBootstrapGenerator(
resManager core_manager.ResourceManager,
serverConfig *bootstrap_config.BootstrapServerConfig,
proxyConfig xds_config.Proxy,
dpServerCertFile string,
authEnabledForProxyType map[string]bool,
enableReloadableTokens bool,
hdsEnabled bool,
defaultAdminPort uint32,
) (BootstrapGenerator, error) {
hostsAndIps, err := hostsAndIPs()
if err != nil {
return nil, err
if serverConfig.Params.XdsHost != "" && !hostsAndIps[serverConfig.Params.XdsHost] {
return nil, errors.Errorf("hostname: %s set by DUBBO_BOOTSTRAP_SERVER_PARAMS_XDS_HOST is not available in the DP Server certificate. Available hostnames: %q. Change the hostname or generate certificate with proper hostname.", serverConfig.Params.XdsHost, hostsAndIps.slice())
return &bootstrapGenerator{
resManager: resManager,
config: serverConfig,
proxyConfig: proxyConfig,
xdsCertFile: dpServerCertFile,
authEnabledForProxyType: authEnabledForProxyType,
enableReloadableTokens: enableReloadableTokens,
hostsAndIps: hostsAndIps,
hdsEnabled: hdsEnabled,
defaultAdminPort: defaultAdminPort,
}, nil
func hostsAndIPs() (SANSet, error) {
hostsAndIps := map[string]bool{}
interfaces, err := net.Interfaces()
if err != nil {
return nil, err
for _, iface := range interfaces {
addrs, err := iface.Addrs()
if err != nil {
return nil, err
for _, addr := range addrs {
ipNet, ok := addr.(*net.IPNet)
if ok {
hostsAndIps[ipNet.IP.String()] = true
hostname, err := os.Hostname()
if err != nil {
return nil, err
hostsAndIps[hostname] = true
hostsAndIps["localhost"] = true
return hostsAndIps, nil
type bootstrapGenerator struct {
resManager core_manager.ResourceManager
config *bootstrap_config.BootstrapServerConfig
proxyConfig xds_config.Proxy
authEnabledForProxyType map[string]bool
enableReloadableTokens bool
xdsCertFile string
hostsAndIps SANSet
hdsEnabled bool
defaultAdminPort uint32
type SANSet map[string]bool
func (s SANSet) slice() []string {
sans := []string{}
for san := range s {
sans = append(sans, san)
return sans
func hostsAndIPsFromCertFile(dpServerCertFile string) (SANSet, error) {
certBytes, err := os.ReadFile(dpServerCertFile)
if err != nil {
return nil, errors.Wrap(err, "could not read certificate")
pemCert, _ := pem.Decode(certBytes)
if pemCert == nil {
return nil, errors.New("could not parse certificate")
cert, err := x509.ParseCertificate(pemCert.Bytes)
if err != nil {
return nil, errors.Wrap(err, "could not parse certificate")
hostsAndIps := map[string]bool{}
for _, dnsName := range cert.DNSNames {
hostsAndIps[dnsName] = true
for _, ip := range cert.IPAddresses {
hostsAndIps[ip.String()] = true
return hostsAndIps, nil
func (b *bootstrapGenerator) Generate(ctx context.Context, request types.BootstrapRequest) (proto.Message, DubboDpBootstrap, error) {
if request.ProxyType == "" {
request.ProxyType = string(mesh_proto.DataplaneProxyType)
dubboDpBootstrap := DubboDpBootstrap{}
//if err := b.validateRequest(request); err != nil {
// return nil, dubboDpBootstrap, err
accessLogSocketPath := request.AccessLogSocketPath
if accessLogSocketPath == "" {
accessLogSocketPath = core_xds.AccessLogSocketName(os.TempDir(), request.Name, request.Mesh)
metricsSocketPath := request.MetricsResources.SocketPath
if metricsSocketPath == "" {
metricsSocketPath = core_xds.MetricsHijackerSocketName(os.TempDir(), request.Name, request.Mesh)
proxyId := core_xds.BuildProxyId(request.Mesh, request.Name)
params := configParameters{
Id: proxyId.String(),
AdminAddress: b.config.Params.AdminAddress,
AdminAccessLogPath: b.adminAccessLogPath(request.OperatingSystem),
XdsHost: b.xdsHost(request),
XdsPort: b.config.Params.XdsPort,
XdsConnectTimeout: b.config.Params.XdsConnectTimeout.Duration,
DataplaneToken: request.DataplaneToken,
DataplaneTokenPath: request.DataplaneTokenPath,
DataplaneResource: request.DataplaneResource,
Version: &mesh_proto.Version{
DubboDp: &mesh_proto.DubboDpVersion{
Version: request.Version.DubboDp.Version,
GitTag: request.Version.DubboDp.GitTag,
GitCommit: request.Version.DubboDp.GitCommit,
BuildDate: request.Version.DubboDp.BuildDate,
Envoy: &mesh_proto.EnvoyVersion{
Version: request.Version.Envoy.Version,
Build: request.Version.Envoy.Build,
DubboDpCompatible: request.Version.Envoy.DubboDpCompatible,
DynamicMetadata: request.DynamicMetadata,
DNSPort: request.DNSPort,
EmptyDNSPort: request.EmptyDNSPort,
ProxyType: request.ProxyType,
Features: request.Features,
Resources: request.Resources,
Workdir: request.Workdir,
AccessLogSocketPath: accessLogSocketPath,
MetricsSocketPath: metricsSocketPath,
MetricsCertPath: request.MetricsResources.CertPath,
MetricsKeyPath: request.MetricsResources.KeyPath,
setAdminPort := func(adminPortFromResource uint32) {
if adminPortFromResource != 0 {
params.AdminPort = adminPortFromResource
} else {
params.AdminPort = b.defaultAdminPort
switch mesh_proto.ProxyType(params.ProxyType) {
case mesh_proto.IngressProxyType:
zoneIngress, err := b.zoneIngressFor(ctx, request, proxyId)
if err != nil {
return nil, dubboDpBootstrap, err
params.Service = "ingress"
case mesh_proto.EgressProxyType:
zoneEgress, err := b.zoneEgressFor(ctx, request, proxyId)
if err != nil {
return nil, dubboDpBootstrap, err
params.Service = "egress"
return nil, dubboDpBootstrap, errors.Errorf("unknown proxy type %v", params.ProxyType)
var err error
config, err := genConfig(params, b.proxyConfig, b.enableReloadableTokens)
if err != nil {
return nil, dubboDpBootstrap, errors.Wrap(err, "failed creating bootstrap conf")
if err = config.Validate(); err != nil {
return nil, dubboDpBootstrap, errors.Wrap(err, "Envoy bootstrap config is not valid")
return config, dubboDpBootstrap, nil
func (b *bootstrapGenerator) xdsHost(request types.BootstrapRequest) string {
if b.config.Params.XdsHost != "" { // XdsHost from config takes precedence over Host from request
return b.config.Params.XdsHost
} else {
return request.Host
var DpTokenRequired = errors.New("Dataplane Token is required. Generate token using 'dubboctl generate dataplane-token > /path/file' and provide it via --dataplane-token-file=/path/file argument to Dubbo DP")
var NotCA = errors.New("A data plane proxy is trying to verify the control plane using the certificate which is not a certificate authority (basic constraint 'CA' is set to 'false').\n" +
"Provide CA that was used to sign a certificate used in the control plane by using 'dubbo-dp run --ca-cert-file=file' or via KUMA_CONTROL_PLANE_CA_CERT_FILE")
func SANMismatchErr(host string, sans []string) error {
return errors.Errorf("A data plane proxy is trying to connect to the control plane using %q address, but the certificate in the control plane has the following SANs %q. "+
"Either change the --cp-address in dubbo-dp to one of those or execute the following steps:\n"+
"1) Generate a new certificate with the address you are trying to use. It is recommended to use trusted Certificate Authority, but you can also generate self-signed certificates using 'dubboctl generate tls-certificate --type=server --cp-hostname=%s'\n"+
"2) Set DUBBO_GENERAL_TLS_CERT_FILE and DUBBO_GENERAL_TLS_KEY_FILE or the equivalent in Dubbo CP config file to the new certificate.\n"+
"3) Restart the control plane to read the new certificate and start dubbo-dp.", host, sans, host)
func ISSANMismatchErr(err error) bool {
if err == nil {
return false
return strings.HasPrefix(err.Error(), "A data plane proxy is trying to connect to the control plane using")
// caCert gets CA cert that was used to signed cert that DP server is protected with.
// Technically result of this function does not have to be a valid CA.
// When user provides custom cert + key and does not provide --ca-cert-file to dubbo-dp run, this can return just a regular cert
func (b *bootstrapGenerator) adminAccessLogPath(operatingSystem string) string {
if operatingSystem == "" { // backwards compatibility
return b.config.Params.AdminAccessLogPath
if b.config.Params.AdminAccessLogPath == os.DevNull && operatingSystem == "windows" {
// when AdminAccessLogPath was not explicitly set and DPP OS is Windows we need to set window specific DevNull.
// otherwise when CP is on Linux, we would set /dev/null which is not valid on Windows.
return "NUL"
return b.config.Params.AdminAccessLogPath
func (b *bootstrapGenerator) validateRequest(request types.BootstrapRequest) error {
if b.authEnabledForProxyType[request.ProxyType] && request.DataplaneToken == "" && request.DataplaneTokenPath == "" {
return DpTokenRequired
if b.config.Params.XdsHost == "" { // XdsHost takes precedence over Host in the request, so validate only when it is not set
if !b.hostsAndIps[request.Host] {
return SANMismatchErr(request.Host, b.hostsAndIps.slice())
return nil
func (b *bootstrapGenerator) zoneEgressFor(ctx context.Context, request types.BootstrapRequest, proxyId *core_xds.ProxyId) (*core_mesh.ZoneEgressResource, error) {
if request.DataplaneResource != "" {
res, err := rest.YAML.UnmarshalCore([]byte(request.DataplaneResource))
if err != nil {
return nil, err
zoneEgress, ok := res.(*core_mesh.ZoneEgressResource)
if !ok {
return nil, errors.Errorf("invalid resource")
if err := zoneEgress.Validate(); err != nil {
return nil, err
return zoneEgress, nil
} else {
zoneEgress := core_mesh.NewZoneEgressResource()
if err := b.resManager.Get(ctx, zoneEgress, core_store.GetBy(proxyId.ToResourceKey())); err != nil {
return nil, err
return zoneEgress, nil
func (b *bootstrapGenerator) zoneIngressFor(ctx context.Context, request types.BootstrapRequest, proxyId *core_xds.ProxyId) (*core_mesh.ZoneIngressResource, error) {
if request.DataplaneResource != "" {
res, err := rest.YAML.UnmarshalCore([]byte(request.DataplaneResource))
if err != nil {
return nil, err
zoneIngress, ok := res.(*core_mesh.ZoneIngressResource)
if !ok {
return nil, errors.Errorf("invalid resource")
if err := zoneIngress.Validate(); err != nil {
return nil, err
return zoneIngress, nil
} else {
zoneIngress := core_mesh.NewZoneIngressResource()
if err := b.resManager.Get(ctx, zoneIngress, core_store.GetBy(proxyId.ToResourceKey())); err != nil {
return nil, err
return zoneIngress, nil