Merge pull request #11 from dheerajng/master

Citrix Istio Adaptor v1.2.1-beta

Author: subashd

Dockerfile

@@ -1,5 +1,7 @@
 # STEP 1 build executable binary
 FROM golang:1.12 as builder
+# https://unix.stackexchange.com/questions/96892/what-does-adduser-disabled-login-do
+RUN adduser --uid 32024 --disabled-login --gecos "" citrixuser
 
 COPY . $GOPATH/src/citrix-istio-adaptor
 
@@ -12,6 +14,8 @@ RUN GOARCH=amd64 CGO_ENABLED=0 GOOS=linux go install -ldflags "-extldflags -stat
 FROM scratch
 # Copy our static executable
 COPY --from=builder /go/bin/istio-adaptor /go/bin/istio-adaptor
+COPY --from=builder /etc/passwd /etc/passwd
 COPY Version /etc/
 
+USER citrixuser
 ENTRYPOINT ["/go/bin/istio-adaptor"]

Makefile

@@ -1,5 +1,5 @@
 .PHONY: docker_build test clean coverage 
-TARGETS=nsconfigengine adsclient istio-adaptor tests
+TARGETS=nsconfigengine adsclient istio-adaptor delayserver tests
 
 build:
 	go install citrix-istio-adaptor/istio-adaptor
@@ -26,7 +26,7 @@ create_certs:
 	sh tests/create_cert.sh
 
 unit_test:
-	go test -p 1 -race -timeout 1m -cover -coverprofile=unittestcov.out -v citrix-istio-adaptor/nsconfigengine citrix-istio-adaptor/adsclient citrix-istio-adaptor/istio-adaptor
+	go test -p 1 -race -timeout 1m -cover -coverprofile=unittestcov.out -v citrix-istio-adaptor/nsconfigengine citrix-istio-adaptor/adsclient citrix-istio-adaptor/istio-adaptor citrix-istio-adaptor/delayserver
 
 integration_test:
 	go test -race -timeout 1m -cover -coverprofile=integrationtestcov.out -coverpkg=citrix-istio-adaptor/adsclient,citrix-istio-adaptor/nsconfigengine -v citrix-istio-adaptor/tests

README.md

@@ -25,7 +25,7 @@ This repository contains various integrations of [Citrix ADC](https://www.citrix
 6. [Example: Deploying Bookinfo with Citrix ADC](#example)
 7. [Blogs](#blogs)
 8. [Release Notes](#release-notes)
-9. [Contributions and Development](#contributions)
+9. [Contributions](#contributions)
 10. [Questions](#questions)
 11. [Issues](#issues)
 12. [Code of Conduct](#code-of-conduct)
@@ -64,8 +64,6 @@ In Istio service mesh, Citrix ADC can act as an Ingress and/or sidecar proxy in
 | Citrix ADC | Envoyproxy | Yes |
 | Envoyproxy | Citrix ADC CPX | Yes |
 
-You can deploy Citrix ADC with Istio using Kubernetes YAML or Helm charts. To deploy Citrix ADC with Istio using Kubernetes YAML, see [Deployment](deployment/README.md).
-
 To deploy Citrix ADC with Istio using Helm charts, see the following links:
 
 - [Deploy Citrix ADC as an Ingress Gateway using Helm charts](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-adc-istio-ingress-gateway/README.md)
@@ -138,16 +136,16 @@ Follow this [link](https://github.com/citrix/citrix-helm-charts/blob/master/exam
 1. [Citrix ADC as an Istio Ingress Gateway: Part 1 Deployment](https://www.citrix.com/blogs/2019/11/13/citrix-adc-as-an-istio-ingress-gateway-part-1-deployment/)
 2. [Citrix ADC as an Istio Ingress Gateway: Part 2 Configuration](https://www.citrix.com/blogs/2019/11/14/citrix-adc-as-an-istio-ingress-gateway-part-2-configuration/)
 3. [Citrix ADC in OpenShift Service Mesh](https://blog.openshift.com/citrix-adc-in-openshift-service-mesh/)
+4. [Traffic Mirroring: Risk-free app upgrades in Istio with Citrix ADC](https://www.citrix.com/blogs/2020/04/29/traffic-mirroring-risk-free-app-upgrades-in-istio-with-citrix-adc/)
+5. [End-user authentication in Istio Service Mesh with Citrix](https://www.citrix.com/blogs/2020/03/19/end-user-authentication-in-istio-service-mesh-with-citrix/)
 
 ## <a name="release-notes">Release Notes</a>
 
 Click [here](docs/release-notes.md) for the release notes of the latest Citrix `istio-adaptor`.
 
-## <a name="contributions">Contributions and Development</a>
-
-Refer [Contributions](CONTRIBUTING.md)
+## <a name="contributions">Contributions</a>
 
-Please read the [Developer Guide](docs/developer-guide.md).
+Contributions are always welcome! Please read the [Developer Guide](docs/developer_guide.md).
 
 ## <a name="questions">Questions</a>
 

Version

@@ -1 +1 @@
-1.2.0
+1.2.1

adsclient/ads_client.go

@@ -41,6 +41,26 @@ type ldsAddHandlerType func(*configAdaptor, *xdsapi.Listener) map[string]interfa
 type ldsDelHandlerType func(*configAdaptor, string)
 type rdsAddHandlerType func(*configAdaptor, []*xdsapi.RouteConfiguration, interface{}) map[string]interface{}
 
+//AdsDetails will define the members which will be read up at bootup time
+type AdsDetails struct {
+	AdsServerURL      string
+	AdsServerSpiffeID string
+	SecureConnect     bool
+	NodeID            string
+	ApplicationName   string
+}
+
+//NSDetails will define the members which will be read up at bootup time
+type NSDetails struct {
+	NetscalerURL      string
+	NetscalerUsername string
+	NetscalerPassword string
+	NetscalerVIP      string
+	NetProfile        string
+	AnalyticsServerIP string
+	LogProxyURL       string
+}
+
 type apiRequest struct {
 	typeURL     string
 	versionInfo string
@@ -120,6 +140,7 @@ func cdsHandler(client *AdsClient, m *xdsapi.DiscoveryResponse) {
 	cdsResource := &xdsapi.Cluster{}
 	for _, resource := range m.Resources {
 		if err := types.UnmarshalAny(resource, cdsResource); err != nil {
+			log.Printf("[TRACE]:Could not find Unmarshal resources in CDS Handler")
 			continue
 		}
 		clusterNames[cdsResource.Name] = true
@@ -155,6 +176,8 @@ func ldsHandler(client *AdsClient, m *xdsapi.DiscoveryResponse) {
 	ldsResource := &xdsapi.Listener{}
 	for _, resource := range m.Resources {
 		if err := types.UnmarshalAny(resource, ldsResource); err != nil {
+			log.Printf("[TRACE]:Could not find Unmarshal resources in LDS handler")
+			continue
 		}
 		ldsResources[ldsResource.Name] = true
 		dependentResources := client.ldsAddHandler(client.nsConfigAdaptor, ldsResource)
@@ -196,6 +219,8 @@ func edsHandler(client *AdsClient, m *xdsapi.DiscoveryResponse) {
 	edsResource := &xdsapi.ClusterLoadAssignment{}
 	for _, resource := range m.Resources {
 		if err := types.UnmarshalAny(resource, edsResource); err != nil {
+			log.Printf("[TRACE]:Could not find Unmarshal resources in EDS handler")
+			continue
 		}
 		if _, ok := client.apiRequests[edsURL].resources[edsResource.GetClusterName()]; !ok {
 			log.Printf("[ERROR]: received an EDS resource that we haven't yet subscribed for %s ... ignoring", edsResource.GetClusterName())
@@ -265,30 +290,27 @@ func (client *AdsClient) reloadCds() {
 	stream.CloseSend()
 }
 
-// NewAdsClient returns a new Aggregated Discovery Service client
-func NewAdsClient(adsServerURL string, adsServerSpiffeID string, secureConnect bool,
-	nodeID string, applicationName string, netscalerURL string,
-	netscalerUsername string, netscalerPassword string, netscalerVIP string,
-	netProfile string, analyticsServerIP string, logProxyURL string) (*AdsClient, error) {
+//NewAdsClient returns a new Aggregated Discovery Service client
+func NewAdsClient(adsinfo *AdsDetails, nsinfo *NSDetails) (*AdsClient, error) {
 	var err error
 	adsClient := new(AdsClient)
-	adsClient.adsServerURL = adsServerURL
-	adsClient.adsServerSpiffeID = adsServerSpiffeID
-	adsClient.secureConnect = secureConnect
-	adsClient.nodeID = &envoy_api_v2_core.Node{Id: nodeID, Cluster: applicationName}
+	adsClient.adsServerURL = adsinfo.AdsServerURL
+	adsClient.adsServerSpiffeID = adsinfo.AdsServerSpiffeID
+	adsClient.secureConnect = adsinfo.SecureConnect
+	adsClient.nodeID = &envoy_api_v2_core.Node{Id: adsinfo.NodeID, Cluster: adsinfo.ApplicationName}
 	adsClient.quit = make(chan int)
 	adsClient.cdsAddHandler = clusterAdd
 	adsClient.cdsDelHandler = clusterDel
 	adsClient.ldsAddHandler = listenerAdd
 	adsClient.ldsDelHandler = listenerDel
 	adsClient.edsAddHandler = clusterEndpointUpdate
 	adsClient.rdsAddHandler = routeUpdate
-	s := strings.Split(adsServerURL, ":")
+	s := strings.Split(adsinfo.AdsServerURL, ":")
 	adsServerPort := "unknown"
 	if len(s) > 1 {
 		adsServerPort = s[1]
 	}
-	adsClient.nsConfigAdaptor, err = newConfigAdaptor(netscalerURL, netscalerUsername, netscalerPassword, adsServerPort, netscalerVIP, netProfile, analyticsServerIP, logProxyURL)
+	adsClient.nsConfigAdaptor, err = newConfigAdaptor(nsinfo, adsServerPort)
 	if err != nil {
 		return nil, err
 	}

adsclient/ads_client_test.go

@@ -21,15 +21,30 @@ import (
 
 func Test_StartClient(t *testing.T) {
 	t.Logf("ads StartClient with unreachable secure ads grpc server")
-	adsClient, err := NewAdsClient("loaclhost:15011", "", true, "ads_client_node_1", "test-app", env.GetNetscalerURL(), env.GetNetscalerUser(), env.GetNetscalerPassword(), "nsip", "", "", "ns-logproxy.citrix-system")
+	nsinfo := new(NSDetails)
+	adsinfo := new(AdsDetails)
+	adsinfo.AdsServerURL = "localhost:15011"
+	adsinfo.AdsServerSpiffeID = ""
+	adsinfo.SecureConnect = false
+	adsinfo.NodeID = "ads_client_node_1"
+	adsinfo.ApplicationName = "test-app"
+	nsinfo.NetscalerURL = env.GetNetscalerURL()
+	nsinfo.NetscalerUsername = env.GetNetscalerUser()
+	nsinfo.NetscalerPassword = env.GetNetscalerPassword()
+	nsinfo.NetscalerVIP = "nsip"
+	nsinfo.NetProfile = ""
+	nsinfo.AnalyticsServerIP = ""
+	nsinfo.LogProxyURL = "ns-logproxy.citrix-system"
+	adsClient, err := NewAdsClient(adsinfo, nsinfo)
 	if err != nil {
 		t.Errorf("newAdsClient failed with %v", err)
 	}
 	adsClient.StartClient()
 	time.Sleep(3 * time.Second)
 	adsClient.StopClient()
 	t.Logf("ads StartClient with unreachable insecure ads grpc server")
-	adsClient, err = NewAdsClient("localhost:15010", "", false, "ads_client_node_1", "test-app", env.GetNetscalerURL(), env.GetNetscalerUser(), env.GetNetscalerPassword(), "nsip", "", "", "ns-logproxy.citrix-system")
+	adsinfo.AdsServerURL = "localhost:15010"
+	adsClient, err = NewAdsClient(adsinfo, nsinfo)
 	if err != nil {
 		t.Errorf("newAdsClient failed with %v", err)
 	}

adsclient/ads_handler.go

@@ -14,6 +14,7 @@ limitations under the License.
 package adsclient
 
 import (
+	"citrix-istio-adaptor/delayserver"
 	"citrix-istio-adaptor/nsconfigengine"
 	"fmt"
 	"log"
@@ -176,8 +177,15 @@ func clusterAdd(nsConfig *configAdaptor, cluster *xdsapi.Cluster, data interface
 		}
 	} else if cluster.GetType() == xdsapi.Cluster_ORIGINAL_DST { // Original Dst type has no load assignment or hosts! Extract info from name.
 		staticAndDNSTypeClusterEndpointUpdate(nsConfig, cluster)
+	} else if cluster.GetType() == xdsapi.Cluster_EDS {
+		if cluster.GetEdsClusterConfig().GetServiceName() != "" {
+			return cluster.GetEdsClusterConfig().GetServiceName()
+		}
+		if cluster.GetEdsClusterConfig().GetEdsConfig().GetAds() != nil {
+			return cluster.Name
+		}
 	}
-	return cluster.GetEdsClusterConfig().GetServiceName()
+	return ""
 }
 
 func clusterDel(nsConfig *configAdaptor, clusterName string) {
@@ -564,6 +572,7 @@ func getFault(typedPerFilterConfig map[string]*types.Any) nsconfigengine.Fault {
 				}
 			}
 			if envoyFaultConfig.GetDelay() != nil {
+				delayserver.StartDelayServer()
 				percent := envoyFaultConfig.GetDelay().GetPercentage()
 				numerator := percent.GetNumerator()
 				den := envoyType.FractionalPercent_DenominatorType_name[int32(percent.GetDenominator())]

adsclient/ads_handler_test.go

@@ -25,6 +25,7 @@ import (
 	xdsapi "github.com/envoyproxy/go-control-plane/envoy/api/v2"
 	"github.com/envoyproxy/go-control-plane/envoy/api/v2/auth"
 	v2Cluster "github.com/envoyproxy/go-control-plane/envoy/api/v2/cluster"
+	v2Core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
 	envoyUtil "github.com/envoyproxy/go-control-plane/pkg/util"
 	"github.com/gogo/protobuf/types"
 )
@@ -134,6 +135,7 @@ func Test_clusterAdd(t *testing.T) {
 	}
 
 	log.Println("HTTPS cluster add")
+	cds.EdsClusterConfig = &xdsapi.Cluster_EdsClusterConfig{EdsConfig: &v2Core.ConfigSource{ConfigSourceSpecifier: &v2Core.ConfigSource_Ads{Ads: &v2Core.AggregatedConfigSource{}}}}
 	cds.CircuitBreakers = &v2Cluster.CircuitBreakers{Thresholds: []*v2Cluster.CircuitBreakers_Thresholds{&v2Cluster.CircuitBreakers_Thresholds{MaxConnections: &types.UInt32Value{Value: uint32(500)}, MaxRequests: &types.UInt32Value{Value: uint32(750)}}}}
 	cds.MaxRequestsPerConnection = &types.UInt32Value{Value: uint32(100)}
 	cds.TlsContext = &auth.UpstreamTlsContext{CommonTlsContext: env.MakeTLSContext("/etc/certs/server-cert.crt", "/etc/certs/server-key.key", "")}

adsclient/nsconf_adaptor.go

@@ -16,6 +16,8 @@ package adsclient
 import (
 	"citrix-istio-adaptor/nsconfigengine"
 	"container/list"
+	"crypto/rand"
+	"crypto/sha256"
 	"fmt"
 	"io/ioutil"
 	"log"
@@ -45,7 +47,9 @@ const (
 	edsAdd
 	rdsAdd
 	//MSS for setting various tcp profiles
-	MSS = 1410
+	MSS            = 1410
+	cpxConnRetries = 60
+	vpxConnRetries = 3
 )
 
 type configBlock struct {
@@ -73,33 +77,58 @@ type configAdaptor struct {
 	analyticsProfiles []string // Two analyticspofile needed. One for TCP Insight, one for Web Insight
 }
 
-func newConfigAdaptor(url, username, password, adsServerPort, vserverIP, netProfile, analyticsServerIP, logProxyURL string) (*configAdaptor, error) {
+// Check if the given ADC is CPX or VPX/MPX
+func isCPX(url string) bool {
+	if strings.Contains(url, "localhost") || strings.Contains(url, localHostIP) {
+		return true
+	}
+	return false
+}
+
+func newConfigAdaptor(nsinfo *NSDetails, adsServerPort string) (*configAdaptor, error) {
 	configAdaptor := new(configAdaptor)
 	configAdaptor.adsServerPort = adsServerPort
-	configAdaptor.vserverIP = vserverIP
-	configAdaptor.netProfile = netProfile
+	configAdaptor.vserverIP = nsinfo.NetscalerVIP
+	configAdaptor.netProfile = nsinfo.NetProfile
 	configAdaptor.configs = list.New()
 	configAdaptor.cdsHash = make(map[string]*list.Element)
 	configAdaptor.edsHash = make(map[string]*list.Element)
 	configAdaptor.ldsHash = make(map[string]*list.Element)
 	configAdaptor.rdsHash = make(map[string]*list.Element)
 	configAdaptor.quit = make(chan bool)
-	configAdaptor.analyticsServerIP = analyticsServerIP
-	configAdaptor.logProxyURL = logProxyURL
+	configAdaptor.analyticsServerIP = nsinfo.AnalyticsServerIP
+	configAdaptor.logProxyURL = nsinfo.LogProxyURL
 	var err error
-	configAdaptor.client, err = netscaler.NewNitroClientFromParams(netscaler.NitroParams{Url: url, Username: username, Password: password})
+	masterkey := make([]byte, 32)
+	_, err = rand.Read(masterkey)
 	if err != nil {
+		log.Printf("[ERROR]: Could not generate cryptographically secure random number")
 		return nil, err
 	}
-	for {
+	// 32-byte key will be derived using PBKDF2 which uses 8-byte cryptographic salt and SHA256 hash function in 1000 iterations.
+	keyspec := netscaler.NewKeyspec(masterkey, 8, 1000, 32, sha256.New) // Saltsize: 8, Iterations: 1000, Key-length: 32, HMAC: SHA256
+	configAdaptor.client, err = netscaler.NewNitroClientFromParams(netscaler.NitroParams{Url: nsinfo.NetscalerURL, Username: nsinfo.NetscalerUsername, Password: nsinfo.NetscalerPassword, Keyspec: keyspec})
+	if err != nil {
+		return nil, err
+	}
+	i := 0
+	connRetries := vpxConnRetries
+	if isCPX(nsinfo.NetscalerURL) {
+		connRetries = cpxConnRetries
+	}
+	for i = 0; i < connRetries; i++ {
 		nsip, err := configAdaptor.getNitroObject(netscaler.Nsip.Type(), map[string]string{"type": "NSIP"})
 		if err == nil {
 			configAdaptor.nsip = nsip["ipaddress"].(string)
 			break
 		}
 		time.Sleep(1 * time.Second)
 	}
-	if strings.Contains(url, "localhost") || strings.Contains(url, "127.0.0.1") {
+	if i == connRetries {
+		log.Println("[ERROR]: Could not establish connectivity with the ADC. Exiting!")
+		return nil, fmt.Errorf("Connection establishment with ADC is unsuccessful")
+	}
+	if isCPX(nsinfo.NetscalerURL) {
 		err = configAdaptor.sidecarBootstrapConfig()
 		if err != nil {
 			return nil, err
@@ -113,11 +142,7 @@ func newConfigAdaptor(url, username, password, adsServerPort, vserverIP, netProf
 	if err != nil {
 		log.Println("[WARN] Logproxy related config is not successful. Err = ", err)
 	}
-	if strings.Contains(url, "localhost") || strings.Contains(url, "127.0.0.1") {
-		/* Citrix ADC CPX Case Saving the initial bootstrap configuration */
-		configAdaptor.client.SaveConfig()
-	}
-	if vserverIP == "nsip" {
+	if nsinfo.NetscalerVIP == "nsip" {
 		configAdaptor.vserverIP = configAdaptor.nsip
 	}
 	build, err := configAdaptor.client.FindResource(netscaler.Nsversion.Type(), "")

adsclient/nsconf_adaptor_test.go

@@ -15,10 +15,11 @@ package adsclient
 
 import (
 	"citrix-istio-adaptor/tests/env"
-	"github.com/chiradeep/go-nitro/netscaler"
 	"log"
 	"strings"
 	"testing"
+
+	"github.com/chiradeep/go-nitro/netscaler"
 )
 
 func init() {
@@ -68,7 +69,15 @@ func verifyModes(t *testing.T, client *netscaler.NitroClient, modes []string) {
 func Test_bootstrapConfig(t *testing.T) {
 	t.Log("Verify BootStrap Config")
 	var err interface{}
-	configAd, err := newConfigAdaptor(env.GetNetscalerURL(), env.GetNetscalerUser(), env.GetNetscalerPassword(), "15010", "", "k8s", "", "ns-logproxy.citrix-system")
+	nsinfo := new(NSDetails)
+	nsinfo.NetscalerURL = env.GetNetscalerURL()
+	nsinfo.NetscalerUsername = env.GetNetscalerUser()
+	nsinfo.NetscalerPassword = env.GetNetscalerPassword()
+	nsinfo.NetscalerVIP = ""
+	nsinfo.NetProfile = "k8s"
+	nsinfo.AnalyticsServerIP = ""
+	nsinfo.LogProxyURL = "ns-logproxy.citrix-system"
+	configAd, err := newConfigAdaptor(nsinfo, "15010")
 	if err != nil {
 		t.Errorf("Unable to get a config adaptor. newConfigAdaptor failed with %v", err)
 	}