clear old context from contexts when secret is updated (envoyproxy#13752)

When secret is updated via SDS, the old contexts still linger in the context list making the "/certs" render them and also "DaysUntilFirstCertExpiry" is incorrect - it reflects the replaced stats.

Fixes envoyproxy#8614

Signed-off-by: Rama Chavali <[email protected]>

Author: ramaraochavali

include/envoy/ssl/context_manager.h

@@ -22,23 +22,25 @@ class ContextManager {
   /**
    * Builds a ClientContext from a ClientContextConfig.
    */
-  virtual ClientContextSharedPtr createSslClientContext(Stats::Scope& scope,
-                                                        const ClientContextConfig& config) PURE;
+  virtual ClientContextSharedPtr
+  createSslClientContext(Stats::Scope& scope, const ClientContextConfig& config,
+                         Envoy::Ssl::ClientContextSharedPtr old_context) PURE;
 
   /**
    * Builds a ServerContext from a ServerContextConfig.
    */
   virtual ServerContextSharedPtr
   createSslServerContext(Stats::Scope& scope, const ServerContextConfig& config,
-                         const std::vector<std::string>& server_names) PURE;
+                         const std::vector<std::string>& server_names,
+                         Envoy::Ssl::ServerContextSharedPtr old_context) PURE;
 
   /**
    * @return the number of days until the next certificate being managed will expire.
    */
   virtual size_t daysUntilFirstCertExpires() const PURE;
 
   /**
-   * Iterate through all currently allocated contexts.
+   * Iterates through the contexts currently attached to a listener.
    */
   virtual void iterateContexts(std::function<void(const Context&)> callback) PURE;
 

source/extensions/transport_sockets/tls/context_manager_impl.cc

@@ -24,30 +24,44 @@ void ContextManagerImpl::removeEmptyContexts() {
   contexts_.remove_if([](const std::weak_ptr<Envoy::Ssl::Context>& n) { return n.expired(); });
 }
 
+void ContextManagerImpl::removeOldContext(std::shared_ptr<Envoy::Ssl::Context> old_context) {
+  if (old_context) {
+    contexts_.remove_if([old_context](const std::weak_ptr<Envoy::Ssl::Context>& n) {
+      std::shared_ptr<Envoy::Ssl::Context> sp = n.lock();
+      if (sp) {
+        return old_context == sp;
+      }
+      return false;
+    });
+  }
+}
+
 Envoy::Ssl::ClientContextSharedPtr
 ContextManagerImpl::createSslClientContext(Stats::Scope& scope,
-                                           const Envoy::Ssl::ClientContextConfig& config) {
+                                           const Envoy::Ssl::ClientContextConfig& config,
+                                           Envoy::Ssl::ClientContextSharedPtr old_context) {
   if (!config.isReady()) {
     return nullptr;
   }
 
   Envoy::Ssl::ClientContextSharedPtr context =
       std::make_shared<ClientContextImpl>(scope, config, time_source_);
+  removeOldContext(old_context);
   removeEmptyContexts();
   contexts_.emplace_back(context);
   return context;
 }
 
-Envoy::Ssl::ServerContextSharedPtr
-ContextManagerImpl::createSslServerContext(Stats::Scope& scope,
-                                           const Envoy::Ssl::ServerContextConfig& config,
-                                           const std::vector<std::string>& server_names) {
+Envoy::Ssl::ServerContextSharedPtr ContextManagerImpl::createSslServerContext(
+    Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config,
+    const std::vector<std::string>& server_names, Envoy::Ssl::ServerContextSharedPtr old_context) {
   if (!config.isReady()) {
     return nullptr;
   }
 
   Envoy::Ssl::ServerContextSharedPtr context =
       std::make_shared<ServerContextImpl>(scope, config, server_names, time_source_);
+  removeOldContext(old_context);
   removeEmptyContexts();
   contexts_.emplace_back(context);
   return context;

source/extensions/transport_sockets/tls/context_manager_impl.h

@@ -29,11 +29,12 @@ class ContextManagerImpl final : public Envoy::Ssl::ContextManager {
 
   // Ssl::ContextManager
   Ssl::ClientContextSharedPtr
-  createSslClientContext(Stats::Scope& scope,
-                         const Envoy::Ssl::ClientContextConfig& config) override;
+  createSslClientContext(Stats::Scope& scope, const Envoy::Ssl::ClientContextConfig& config,
+                         Envoy::Ssl::ClientContextSharedPtr old_context) override;
   Ssl::ServerContextSharedPtr
   createSslServerContext(Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config,
-                         const std::vector<std::string>& server_names) override;
+                         const std::vector<std::string>& server_names,
+                         Envoy::Ssl::ServerContextSharedPtr old_context) override;
   size_t daysUntilFirstCertExpires() const override;
   absl::optional<uint64_t> secondsUntilFirstOcspResponseExpires() const override;
   void iterateContexts(std::function<void(const Envoy::Ssl::Context&)> callback) override;
@@ -43,6 +44,7 @@ class ContextManagerImpl final : public Envoy::Ssl::ContextManager {
 
 private:
   void removeEmptyContexts();
+  void removeOldContext(std::shared_ptr<Envoy::Ssl::Context> old_context);
   TimeSource& time_source_;
   std::list<std::weak_ptr<Envoy::Ssl::Context>> contexts_;
   PrivateKeyMethodManagerImpl private_key_method_manager_{};

source/extensions/transport_sockets/tls/ssl_socket.cc

@@ -327,7 +327,7 @@ ClientSslSocketFactory::ClientSslSocketFactory(Envoy::Ssl::ClientContextConfigPt
                                                Stats::Scope& stats_scope)
     : manager_(manager), stats_scope_(stats_scope), stats_(generateStats("client", stats_scope)),
       config_(std::move(config)),
-      ssl_ctx_(manager_.createSslClientContext(stats_scope_, *config_)) {
+      ssl_ctx_(manager_.createSslClientContext(stats_scope_, *config_, nullptr)) {
   config_->setSecretUpdateCallback([this]() { onAddOrUpdateSecret(); });
 }
 
@@ -357,7 +357,7 @@ void ClientSslSocketFactory::onAddOrUpdateSecret() {
   ENVOY_LOG(debug, "Secret is updated.");
   {
     absl::WriterMutexLock l(&ssl_ctx_mu_);
-    ssl_ctx_ = manager_.createSslClientContext(stats_scope_, *config_);
+    ssl_ctx_ = manager_.createSslClientContext(stats_scope_, *config_, ssl_ctx_);
   }
   stats_.ssl_context_update_by_sds_.inc();
 }
@@ -368,7 +368,7 @@ ServerSslSocketFactory::ServerSslSocketFactory(Envoy::Ssl::ServerContextConfigPt
                                                const std::vector<std::string>& server_names)
     : manager_(manager), stats_scope_(stats_scope), stats_(generateStats("server", stats_scope)),
       config_(std::move(config)), server_names_(server_names),
-      ssl_ctx_(manager_.createSslServerContext(stats_scope_, *config_, server_names_)) {
+      ssl_ctx_(manager_.createSslServerContext(stats_scope_, *config_, server_names_, nullptr)) {
   config_->setSecretUpdateCallback([this]() { onAddOrUpdateSecret(); });
 }
 
@@ -398,7 +398,7 @@ void ServerSslSocketFactory::onAddOrUpdateSecret() {
   ENVOY_LOG(debug, "Secret is updated.");
   {
     absl::WriterMutexLock l(&ssl_ctx_mu_);
-    ssl_ctx_ = manager_.createSslServerContext(stats_scope_, *config_, server_names_);
+    ssl_ctx_ = manager_.createSslServerContext(stats_scope_, *config_, server_names_, ssl_ctx_);
   }
   stats_.ssl_context_update_by_sds_.inc();
 }

source/server/ssl_context_manager.cc

@@ -14,14 +14,16 @@ namespace Server {
 class SslContextManagerNoTlsStub final : public Envoy::Ssl::ContextManager {
   Ssl::ClientContextSharedPtr
   createSslClientContext(Stats::Scope& /* scope */,
-                         const Envoy::Ssl::ClientContextConfig& /* config */) override {
+                         const Envoy::Ssl::ClientContextConfig& /* config */,
+                         Envoy::Ssl::ClientContextSharedPtr /* old_context */) override {
     throwException();
   }
 
   Ssl::ServerContextSharedPtr
   createSslServerContext(Stats::Scope& /* scope */,
                          const Envoy::Ssl::ServerContextConfig& /* config */,
-                         const std::vector<std::string>& /* server_names */) override {
+                         const std::vector<std::string>& /* server_names */,
+                         Envoy::Ssl::ServerContextSharedPtr /* old_context */) override {
     throwException();
   }
 

test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc

@@ -43,7 +43,7 @@ class ClusterTest : public testing::Test,
         admin_, ssl_context_manager_, *scope, cm_, local_info_, dispatcher_, stats_store_,
         singleton_manager_, tls_, validation_visitor_, *api_);
     if (uses_tls) {
-      EXPECT_CALL(ssl_context_manager_, createSslClientContext(_, _));
+      EXPECT_CALL(ssl_context_manager_, createSslClientContext(_, _, _));
     }
     EXPECT_CALL(*dns_cache_manager_, getCache(_));
     // Below we return a nullptr handle which has no effect on the code under test but isn't