sds: secret discovery service. (#180)

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

README.md

@@ -33,7 +33,7 @@ The LDS/CDS/EDS/RDS APIs are now frozen and will maintain backwards
 compatibility according to standard proto rules (e.g. new fields will not reuse
 tags, field types will not change, fields will not be renumbered, etc.).
 
-The remainder of the API (ADS, HDS, RLS, filter fragments other than HTTP
+The remainder of the API (ADS, HDS, RLS, SDS, filter fragments other than HTTP
 connection manager, the bootstrap proto) are draft work-in-progress. Input is
 welcome via issue filing. Small, localized PRs are also welcome, but any major
 changes or suggestions should be coordinated in a tracking issue with the
@@ -74,7 +74,7 @@ closed issue should also be included.
   this repository.
 
 * REST-JSON API equivalents will be provided for the basic singleton xDS
-  subscription services CDS/EDS/LDS/EDS. Advanced APIs such as HDS, ADS and
+  subscription services CDS/EDS/LDS/RDS/SDS. Advanced APIs such as HDS, ADS and
   EDS multi-dimensional LB will be gRPC only. This avoids having to map
   complicated bidirectional stream semantics onto REST.
 
@@ -110,6 +110,7 @@ Unless otherwise stated, the APIs with the same names as v1 APIs have a similar
 * [Listener Discovery Service (LDS)](api/lds.proto). This new API supports dynamic discovery of the listener configuration (which ports to bind to, TLS details, filter chains, etc.).
 * [Rate Limit Service (RLS)](api/rls.proto)
 * [Route Discovery Service (RDS)](api/rds.proto).
+* [Secret Discovery Service (SDS)](api/sds.proto).
 
 In addition to the above APIs, an aggregation API will be provided to allow for
 fine grained control over the sequencing of API updates across discovery
@@ -168,6 +169,6 @@ repeated below and some new v2 terms introduced.
 
 * Upstream: An upstream host receives connections and requests from Envoy and returns responses.
 
-* xDS: CDS/EDS/HDS/LDS/RLS/RDS APIs.
+* xDS: CDS/EDS/HDS/LDS/RLS/RDS/SDS APIs.
 
 * Zone: Availability Zone (AZ) in AWS, Zone in GCP.

api/BUILD

@@ -21,6 +21,7 @@ api_proto_library(
         ":base",
         ":cds",
         ":lds",
+        ":sds",
     ],
 )
 
@@ -30,11 +31,6 @@ api_proto_library(
     deps = [":base"],
 )
 
-api_proto_library(
-    name = "tls_context",
-    srcs = ["tls_context.proto"],
-)
-
 api_proto_library(
     name = "cds",
     srcs = ["cds.proto"],
@@ -45,7 +41,7 @@ api_proto_library(
         ":discovery",
         ":health_check",
         ":protocol",
-        ":tls_context",
+        ":sds",
     ],
 )
 
@@ -86,7 +82,7 @@ api_proto_library(
         ":address",
         ":base",
         ":discovery",
-        ":tls_context",
+        ":sds",
     ],
 )
 
@@ -110,3 +106,13 @@ api_proto_library(
         ":discovery",
     ],
 )
+
+api_proto_library(
+    name = "sds",
+    srcs = ["sds.proto"],
+    has_services = 1,
+    deps = [
+        ":base",
+        ":discovery",
+    ],
+)

api/bootstrap.proto

@@ -10,6 +10,7 @@ import "api/address.proto";
 import "api/base.proto";
 import "api/cds.proto";
 import "api/lds.proto";
+import "api/sds.proto";
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
@@ -230,6 +231,7 @@ message Bootstrap {
     // to know how to speak to the management server. These cluster definitions
     // may not use EDS (i.e. they should be static IP or DNS-based).
     repeated Cluster clusters = 2;
+    repeated Secret secrets = 3;
   }
   StaticResources static_resources = 2;
 

api/cds.proto

@@ -7,7 +7,7 @@ import "api/base.proto";
 import "api/discovery.proto";
 import "api/health_check.proto";
 import "api/protocol.proto";
-import "api/tls_context.proto";
+import "api/sds.proto";
 
 import "google/api/annotations.proto";
 import "google/protobuf/duration.proto";

api/lds.proto

@@ -9,7 +9,7 @@ package envoy.api.v2;
 import "api/address.proto";
 import "api/base.proto";
 import "api/discovery.proto";
-import "api/tls_context.proto";
+import "api/sds.proto";
 
 import "google/api/annotations.proto";
 import "google/protobuf/struct.proto";

api/sds.proto

@@ -2,8 +2,26 @@ syntax = "proto3";
 
 package envoy.api.v2;
 
+import "api/base.proto";
+import "api/discovery.proto";
+
+import "google/api/annotations.proto";
 import "google/protobuf/wrappers.proto";
 
+service SecretDiscoveryService{
+  rpc StreamSecrets(stream DiscoveryRequest)
+      returns (stream DiscoveryResponse) {
+  }
+
+  rpc FetchSecrets(DiscoveryRequest)
+      returns (DiscoveryResponse) {
+    option (google.api.http) = {
+      post: "/v2/discovery:secrets"
+      body: "*"
+    };
+  }
+}
+
 message DataSource {
   oneof specifier {
     string filename = 1;
@@ -74,7 +92,9 @@ message CommonTlsContext {
 
   // Multiple TLS certificates can be associated with the same context,
   // e.g. to allow both RSA and ECDSA certificates [V2-API-DIFF].
+  // TLS certificates can be either configured locally or fetched from SDS.
   repeated TlsCertificate tls_certificates = 2;
+  repeated SdsSecretConfig sds_secret_configs = 6;
 
   // How to validate peer certificates.
   CertificateValidationContext validation_context = 3;
@@ -111,3 +131,19 @@ message DownstreamTlsContext {
   // If specified, Envoy will reject connections without a valid and matching SNI.
   google.protobuf.BoolValue require_sni = 3;
 }
+
+message SdsSecretConfig {
+  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
+  // When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
+  // When only name is specified, then secret will be loaded from static resources [V2-API-DIFF].
+  string name = 1;
+  ConfigSource sds_config = 2;
+}
+
+message Secret {
+  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
+  string name = 1;
+  oneof type {
+    TlsCertificate tls_certificate = 2;
+  }
+}