Added BackendDefaults to Virtual Node #3
Conversation
| } | ||
|
|
||
| /** | ||
| * Default Configuration for Virtual Nodes |
There was a problem hiding this comment.
I think we should be more descriptive here.
Default configuration that is applied to all backends for the virtual node. Any configuration defined will be overwritten by configurations specified for a particular backend.
| readonly enforce?: boolean | ||
|
|
||
| /** | ||
| * TLS enforced on these ports. If not specified it is enforced on all ports. | ||
| * | ||
| * @default - none | ||
| */ | ||
| readonly ports?: number[] | ||
|
|
||
| /** | ||
| * Certificate discovery method, ACM-PCA or Local file hosting. | ||
| * | ||
| * @default - none | ||
| */ | ||
| readonly certificateType: string; | ||
|
|
||
| /** | ||
| * Certificate File path or Certificate ARN. | ||
| * | ||
| * @default - none | ||
| */ | ||
| readonly certificate: string[]; |
There was a problem hiding this comment.
These should not be top level properties. These are specific to the client configuration with regard to TLS. There may be other types of backend defaults we could apply in the future.
You could model this more like
interface BackendDefaults {
readonly tlsClientPolicy: TLSClientPolicy;
}
interface TLSClientPolicy {
/**
* @default - True
*/
readonly enforce?: boolean;
...
readonly validation: TLSClientValidation;
}TLSClientValidation could be modeled as a bind class to enforce the trust is one of file, acmpca, or sds (in the future). We may want to accept the Certificate Authority construct from ACMPCA, which is not yet built. Adam can help with that, we'll just need to coordinate with him
We also want to be aware of the changes that are going to be made with aws/aws-app-mesh-roadmap#34 and be able to accommodate them easily
| /** | ||
| * TLS enforced if True. | ||
| * | ||
| * @default - none |
There was a problem hiding this comment.
The default in our API is true, let's mirror that here
There was a problem hiding this comment.
set enforce to true by default.
| */ | ||
| export interface BackendDefaults { | ||
| /** | ||
| * Client policy for TLS |
There was a problem hiding this comment.
So the Props name is reserved for class constructors. (Found this out in a PR I have out now)
Let's have this named TLSClientPolicyOptions
dfezzie
left a comment
dfezzie
left a comment
There was a problem hiding this comment.
Nice work! This will set up an easy win for adding the ClientPolicy to backends!
| /** | ||
| * Client policy for TLS | ||
| */ | ||
| readonly tlsClientPolicy: TLSClientPolicyProps; |
There was a problem hiding this comment.
Maybe we can reword this to be more descriptive
TLS Connections with downstream server will always be enforced if
True
Something to that effect.
|
|
||
| /** | ||
| * TLS enforced on these ports. If not specified it is enforced on all ports. | ||
| * |
There was a problem hiding this comment.
Since we haven't introduced SDS yet, let's remove the reference here
We can also reword this to
Policy used to determine if the TLS certificate the server presents is accepted
| */ | ||
| readonly ports?: number[] | ||
| readonly ports?: number[]; | ||
|
|
There was a problem hiding this comment.
Shouldn't it be required ? I found this reference doc where in it says this field in required
|
|
||
| /** | ||
| * Defines the TLS validation context trust. | ||
| */ |
There was a problem hiding this comment.
We could shorten this to fileTrust(...)
There was a problem hiding this comment.
We could also potentially accept just the path to the certificate chain instead of having a props interface. Makes it simpler to use for customers, but has the drawback of not being as extensible in the future, but there are plenty of ways around that.
| export abstract class TLSClientValidation { | ||
| /** | ||
| * Certificate File path or Certificate ARN. | ||
| * |
There was a problem hiding this comment.
I want to specify this is acm-pca somehow, but it doesn't flow great :P You have any ideas?
|
|
||
| /** | ||
| * Returns Trust context based on trust type. | ||
| */ |
There was a problem hiding this comment.
We should specify ACM PCA here
Amazon Resource Names (ARN) of trusted ACM Private Certificate Authorities
| file: { | ||
| certificateChain: this.certificateChain, | ||
| }, | ||
| }, |
There was a problem hiding this comment.
This does not need to be exported. Same for above
|
|
||
| /** | ||
| * TLS validation context trust for AWS Certicate Manager (ACM) certificate. | ||
| */ |
There was a problem hiding this comment.
Bind should return a Config object here
| certificateChain: certificate[0], | ||
| }, | ||
| }, | ||
| }, |
There was a problem hiding this comment.
This could be simplified to just backendDefaults.tlsClientPolicy.ports since it accepts undefined.
| } : { | ||
| file: { | ||
| certificateChain: certificate[0], | ||
| }, |
There was a problem hiding this comment.
I think enforce: backendDefaults.tlsClientPolicy.enforce ?? true would work here?
dfezzie
left a comment
dfezzie
left a comment
There was a problem hiding this comment.
Looks good to me. Just a few comments.
Any reason not to implement this for Virtual Gateways?
| */ | ||
| export abstract class TLSClientValidation { | ||
| /** | ||
| * TLS validation context trust for a local file |
There was a problem hiding this comment.
nit: TLS validation provided from the local file system
This struct tells the envoy where to fetch the validation context from
same comment below
| readonly accessLog?: AccessLog; | ||
|
|
||
| /** | ||
| * Default Configuration Virtual Node uses to communicate with Vritual Service |
| */ | ||
| public readonly mesh: IMesh; | ||
|
|
||
| private readonly backendDefaults = new Array<CfnVirtualNode.BackendDefaultsProperty>(); |
There was a problem hiding this comment.
Why use an Array here? This could just be CfnVirtualNode.BackendDefaultsProperty
There was a problem hiding this comment.
If the backendDefaults is of type CfnVirtualNode.BackendDefaultsProperty and a private member of VirtualNode, I would have to initialize it say, with an empty object because it cannot be undefined. There are no options to omit the empty object and all the resources would have backendDefaults: {}, if not provided by the client. Whereas if we use Array we could set omitEmptyArray true.
There was a problem hiding this comment.
Or something like this would work as well.
if (props.backendDefaults) {
this.backendDefaults = this.addBackendDefaults(props.backendDefaults);
} else {
this.backendDefaults = {};
}
const node = new CfnVirtualNode(this, 'Resource', {
backendDefaults: Object.keys(this.backendDefaults).length != 0 ? this.backendDefaults : undefined,
. . .
});| /** | ||
| * Adds Default Backend Configuration for virtual node to communicate with Virtual Services. | ||
| */ | ||
| public addBackendDefaults(clientPolicy: ClientPolicy) { |
There was a problem hiding this comment.
I was under the impression that the backendDefault can be added to virtual node after it has been created. Hence a public method.
There was a problem hiding this comment.
As discussed offline, I have made this method private.
| this.backendDefaults.push({ | ||
| clientPolicy: { | ||
| tls: { | ||
| enforce: clientPolicy.tlsClientPolicy.enforce ?? true, |
There was a problem hiding this comment.
Technically we could just do clientPolicy.tlsClientPolicy.enforce and accept the undefined since the API defaults to true. Not sure what the right thing to do here for CDK is
| /** | ||
| * Defines the TLS validation context trust. | ||
| */ | ||
| export abstract class TLSClientValidation { |
There was a problem hiding this comment.
Backend Client Policies won't be the only shapes that support validation contexts. Listeners could support validation contexts in the future (ex. mTLS).
Unless there is a limitation that forces us to have 2 different shapes for client validation and server validation, I'd recommend changing the name here to a more general TLSValidationContext. And creating a separate file for client policy shapes.
There was a problem hiding this comment.
Fair point. I have updated the PR.
…hapes that support validation context
Added backend defaults for Virtual Gateways in the latest commit. |
2. Updated bind() to return client policy
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license