certificate selector: on demand SDS (#42072)

Commit Message: add an extension to load certs via SDS on-demand instead
of warming SDS secret
Additional Description: the following objects are involved:
- `AsyncSelector` is the handshake override that pauses the handshake
with a callback;
- `SecretManager` maintains the set of TLS context configurations and
realized SSL objects;
- `AsyncContextConfig` maintains an active SDS subscription and emits
update events to `SecretManager` on SDS updates;
- `AsyncContext` converts SDS certificate into SSL objects using the
outer TLS configuration context;
- `SelectionHandle` a callback registration into `SecretManager` from
`AsyncSelector`.

A basic flow is as follows:
- `AsyncSelector` is invoked when a TLS handshake happens on the worker;
- It queries `SecretManager` thread-local storage for an active
`AsyncContext` for a mapped secret name;
- If it finds one, it latches onto it, and supplies its inner SSL
objects;
- If it doesn't find one, it forwards the handshake callback to
`SecretManager` on the main thread;
- `SecretManager` responds by creating an active SDS subscription. It's
possible a thread local did not make it to the worker, so it can
immediately answer the callback. More likely, it needs to save the
callback into a queue.
- When a `SecretManager` receives an SDS response, it tries creating
`AsyncContext` from it. If it succeeds, it can drain the callback queue
and post a thread local update.
- `SelectionHandle` is held as a weak_ptr to detect interrupted
handshakes and avoid responding to them.

Note that there is no locking involved, and at the steady state,
certificates are available on all workers.

Risk Level: low, new extension, secret code refactor should not impact
current behavior
Testing: added integration tests
Docs Changes: yes
Release Notes: yes
Issue: #30600

---------

Signed-off-by: Kuat Yessenov <kuat@google.com>

Author: kyessenov

CODEOWNERS

@@ -57,6 +57,10 @@ extensions/filters/common/original_src @klarose @mattklein123
 /*/extensions/transport_sockets/tls @RyanTheOptimist @ggreenway @botengyao
 # tls SPIFFE certificate validator extension
 /*/extensions/transport_sockets/tls/cert_validator/spiffe @mathetake @botengyao @tyxia
+# On demand secret provider
+/*/extensions/transport_sockets/tls/cert_selectors/on_demand @kyessenov @tonya11en
+/*/extensions/transport_sockets/tls/cert_mappers/static_name @kyessenov @tonya11en
+/*/extensions/transport_sockets/tls/cert_mappers/sni @kyessenov @tonya11en
 # proxy protocol socket extension
 /*/extensions/transport_sockets/proxy_protocol @botengyao @wez470
 # common transport socket

api/BUILD

@@ -386,6 +386,9 @@ proto_library(
         "//envoy/extensions/transport_sockets/starttls/v3:pkg",
         "//envoy/extensions/transport_sockets/tap/v3:pkg",
         "//envoy/extensions/transport_sockets/tcp_stats/v3:pkg",
+        "//envoy/extensions/transport_sockets/tls/cert_mappers/sni/v3:pkg",
+        "//envoy/extensions/transport_sockets/tls/cert_mappers/static_name/v3:pkg",
+        "//envoy/extensions/transport_sockets/tls/cert_selectors/on_demand_secret/v3:pkg",
         "//envoy/extensions/transport_sockets/tls/v3:pkg",
         "//envoy/extensions/udp_packet_writer/v3:pkg",
         "//envoy/extensions/upstreams/http/generic/v3:pkg",

api/envoy/extensions/transport_sockets/tls/cert_mappers/sni/v3/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_xds//udpa/annotations:pkg"],
+)

api/envoy/extensions/transport_sockets/tls/cert_mappers/sni/v3/config.proto

@@ -0,0 +1,21 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.tls.cert_mappers.sni.v3;
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.cert_mappers.sni.v3";
+option java_outer_classname = "ConfigProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/cert_mappers/sni/v3;sniv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: SNI certificate mapper]
+// [#extension: envoy.tls.certificate_mappers.sni]
+
+// Uses the SNI value from the TLS client hello as the secret resource name.
+message SNI {
+  // The value to use as the secret name when SNI is empty or absent.
+  string default_value = 1 [(validate.rules).string = {min_len: 1}];
+}

api/envoy/extensions/transport_sockets/tls/cert_mappers/static_name/v3/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_xds//udpa/annotations:pkg"],
+)

api/envoy/extensions/transport_sockets/tls/cert_mappers/static_name/v3/config.proto

@@ -0,0 +1,21 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.tls.cert_mappers.static_name.v3;
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.cert_mappers.static_name.v3";
+option java_outer_classname = "ConfigProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/cert_mappers/static_name/v3;static_namev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Static secret certificate mapper]
+// [#extension: envoy.tls.certificate_mappers.static_name]
+
+// A mapping to a fixed secret name for all certificates.
+message StaticName {
+  // The name for the secret to use for all connections.
+  string name = 1 [(validate.rules).string = {min_len: 1}];
+}

api/envoy/extensions/transport_sockets/tls/cert_selectors/on_demand_secret/v3/BUILD

@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
+    ],
+)

api/envoy/extensions/transport_sockets/tls/cert_selectors/on_demand_secret/v3/config.proto

@@ -0,0 +1,42 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.tls.cert_selectors.on_demand_secret.v3;
+
+import "envoy/config/core/v3/config_source.proto";
+import "envoy/config/core/v3/extension.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.cert_selectors.on_demand_secret.v3";
+option java_outer_classname = "ConfigProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/cert_selectors/on_demand_secret/v3;on_demand_secretv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: On-demand secret certificate selector]
+// [#extension: envoy.tls.certificate_selectors.on_demand_secret]
+
+// Fetches the secret on-demand while allowing the parent cluster or listener to accept connections
+// without warming. During the handshake, a secret name is derived from the peer hello message, an
+// SDS resource request starts, and the handshake is paused. Once an SDS response is received with a
+// resource, the handshake is resumed with the provided certificate. If the SDS server indicates the
+// resource removal, the handshake is failed, and the SDS subscription to the resource is stopped.
+//
+// Similar to the regular SDS, the certificate is configured using the outer common TLS context,
+// e.g. by setting the FIPS compliance policy on the loaded certificate.
+message Config {
+  // Defines the configuration source of the secrets.
+  config.core.v3.ConfigSource config_source = 1 [(validate.rules).message = {required: true}];
+
+  // Extension point to specify a function to compute the secret name. The extension is called
+  // during the TLS handshake after receiving the "CLIENT HELLO" message from the client.
+  // [#extension-category: envoy.tls.certificate_mappers]
+  config.core.v3.TypedExtensionConfig certificate_mapper = 2
+      [(validate.rules).message = {required: true}];
+
+  // A list of secret resource names to start fetching on configuration load (prior to receiving any
+  // requests). The parent resource initializes immediately without waiting for the fetch to
+  // complete.
+  repeated string prefetch_secret_names = 3;
+}

api/envoy/extensions/transport_sockets/tls/v3/tls.proto

@@ -300,6 +300,7 @@ message CommonTlsContext {
   // Select TLS certificate based on TLS client hello.
   // If empty, defaults to native TLS certificate selection behavior:
   // DNS SANs or Subject Common Name in TLS certificates is extracted as server name pattern to match SNI.
+  // [#extension-category: envoy.tls.certificate_selectors]
   config.core.v3.TypedExtensionConfig custom_tls_certificate_selector = 16;
 
   // Certificate provider for fetching TLS certificates.

api/versioning/BUILD

@@ -326,6 +326,9 @@ proto_library(
         "//envoy/extensions/transport_sockets/starttls/v3:pkg",
         "//envoy/extensions/transport_sockets/tap/v3:pkg",
         "//envoy/extensions/transport_sockets/tcp_stats/v3:pkg",
+        "//envoy/extensions/transport_sockets/tls/cert_mappers/sni/v3:pkg",
+        "//envoy/extensions/transport_sockets/tls/cert_mappers/static_name/v3:pkg",
+        "//envoy/extensions/transport_sockets/tls/cert_selectors/on_demand_secret/v3:pkg",
         "//envoy/extensions/transport_sockets/tls/v3:pkg",
         "//envoy/extensions/udp_packet_writer/v3:pkg",
         "//envoy/extensions/upstreams/http/generic/v3:pkg",