refactor(app/env): move tls config into submodule (#4439)

* refactor: invoke `watch()` by name directly

Signed-off-by: katelyn martin <kate@buoyant.io>

* refactor(identity): inline `TlsParams` into `Config`

this commit performs an incremental step, and inlines the tls
parameters into the identity client's configuration.

a temporary type alias is left in place for now, to avoid introducing
noise here.

Signed-off-by: katelyn martin <kate@buoyant.io>

* refactor(app/env): move identity logic into submodule

we now move the two functions responsible for parsing identity
configuration (parse_tls_params and parse_linkerd_identity_config), into
an identity submodule. we also move the block expression, which also
performs some further steps, into a function named
parse_identity_config.

there is one wrinkle that is highlighted by this change, which is that
we slightly delay the propagation of an error in the event of parameters
being invalid.

we'll change that later, but for now faithfully move code without making
*any* behavioral alterations.

Signed-off-by: katelyn martin <kate@buoyant.io>

* refactor(app/env): move `parse_tls_params()` call

Signed-off-by: katelyn martin <kate@buoyant.io>

* refactor(app/env): remove frivolous `pub` directives

in the wake of our changes, we now have a single top-level function
that's responsible for parsing our identity configuration.

the other functions that parse one type of identity configuration, and
parts of it, needn't be public.

Signed-off-by: katelyn martin <kate@buoyant.io>

* nit(app/env): address clippy lints

Signed-off-by: katelyn martin <kate@buoyant.io>

* refactor(app): remove temporary type alias

this commit addresses a lingering todo comment that was pointed out
during review. this is straightforward to inline inside of a function's
return signature.

Signed-off-by: katelyn martin <kate@buoyant.io>

---------

Signed-off-by: katelyn martin <kate@buoyant.io>

Author: cratelyn

linkerd/app/src/env.rs

@@ -1,4 +1,4 @@
-use crate::{dns, gateway, identity, inbound, outbound, policy, spire, trace_collector};
+use crate::{dns, gateway, inbound, outbound, policy, spire, trace_collector};
 use linkerd_app_core::{
     addr,
     config::*,
@@ -14,6 +14,7 @@ use tracing::{debug, error, info, warn};
 
 mod control;
 mod http2;
+mod identity;
 mod trace;
 mod types;
 
@@ -433,8 +434,6 @@ pub fn parse_config<S: Strings>(strings: &S) -> Result<super::Config, EnvError>
     let dns_min_ttl = parse(strings, ENV_DNS_MIN_TTL, parse_duration);
     let dns_max_ttl = parse(strings, ENV_DNS_MAX_TTL, parse_duration);
 
-    let tls = parse_tls_params(strings);
-
     let hostname = strings.get(ENV_HOSTNAME);
 
     let trace_collector_addr = parse_control_addr(strings, ENV_TRACE_COLLECTOR_SVC_BASE);
@@ -875,75 +874,7 @@ pub fn parse_config<S: Strings>(strings: &S) -> Result<super::Config, EnvError>
         })
         .unwrap_or(super::tap::Config::Disabled);
 
-    let identity = {
-        let tls = tls?;
-
-        match parse_deprecated(
-            strings,
-            ENV_IDENTITY_SPIRE_WORKLOAD_API_ADDRESS,
-            ENV_IDENTITY_SPIRE_SOCKET,
-            |s| Ok(s.to_string()),
-        )? {
-            Some(workload_api_addr) => match &tls.id {
-                // TODO: perform stricter SPIFFE ID validation following:
-                // https://github.com/spiffe/spiffe/blob/27b59b81ba8c56885ac5d4be73b35b9b3305fd7a/standards/SPIFFE-ID.md
-                identity::Id::Uri(uri)
-                    if uri.scheme().eq_ignore_ascii_case(SPIFFE_ID_URI_SCHEME) =>
-                {
-                    identity::Config::Spire {
-                        tls,
-                        client: spire::Config {
-                            workload_api_addr: std::sync::Arc::new(workload_api_addr),
-                            backoff: parse_backoff(
-                                strings,
-                                IDENTITY_SPIRE_BASE,
-                                DEFAULT_SPIRE_BACKOFF,
-                            )?,
-                        },
-                    }
-                }
-                _ => {
-                    error!("Spire support requires a SPIFFE TLS Id");
-                    return Err(EnvError::InvalidEnvVar);
-                }
-            },
-            None => {
-                match (&tls.id, &tls.server_name) {
-                    (linkerd_app_core::identity::Id::Dns(id), sni) if id == sni => {}
-                    (_id, _sni) => {
-                        return Err(EnvError::TlsIdAndServerNameNotMatching);
-                    }
-                };
-
-                let (addr, certify) = parse_linkerd_identity_config(strings)?;
-
-                // If the address doesn't have a server identity, then we're on localhost.
-                let connect = if addr.addr.is_loopback() {
-                    inbound.proxy.connect.clone()
-                } else {
-                    outbound.proxy.connect.clone()
-                };
-                let failfast_timeout = if addr.addr.is_loopback() {
-                    inbound.http_request_queue.failfast_timeout
-                } else {
-                    outbound.http_request_queue.failfast_timeout
-                };
-
-                identity::Config::Linkerd {
-                    certify,
-                    tls,
-                    client: ControlConfig {
-                        addr,
-                        connect,
-                        buffer: QueueConfig {
-                            capacity: DEFAULT_CONTROL_QUEUE_CAPACITY,
-                            failfast_timeout,
-                        },
-                    },
-                }
-            }
-        }
-    };
+    let identity = self::identity::parse_identity_config(strings, &inbound, &outbound)?;
 
     Ok(super::Config {
         admin,
@@ -1137,113 +1068,6 @@ pub fn parse_control_addr<S: Strings>(
     }
 }
 
-pub fn parse_tls_params<S: Strings>(strings: &S) -> Result<identity::TlsParams, EnvError> {
-    let ta = parse(strings, ENV_IDENTITY_TRUST_ANCHORS, |s| {
-        if s.is_empty() {
-            return Err(ParseError::InvalidTrustAnchors);
-        }
-        Ok(s.to_string())
-    });
-
-    // The assumtion here is that if `ENV_IDENTITY_IDENTITY_LOCAL_NAME` has been set
-    // we will use that for both tls id and server name.
-    let (server_id_env_var, server_name_env_var) =
-        if strings.get(ENV_IDENTITY_IDENTITY_LOCAL_NAME)?.is_some() {
-            (
-                ENV_IDENTITY_IDENTITY_LOCAL_NAME,
-                ENV_IDENTITY_IDENTITY_LOCAL_NAME,
-            )
-        } else {
-            (
-                ENV_IDENTITY_IDENTITY_SERVER_ID,
-                ENV_IDENTITY_IDENTITY_SERVER_NAME,
-            )
-        };
-
-    let server_id = parse(strings, server_id_env_var, parse_identity);
-    let server_name = parse(strings, server_name_env_var, parse_dns_name);
-
-    if strings
-        .get(ENV_IDENTITY_DISABLED)?
-        .map(|d| !d.is_empty())
-        .unwrap_or(false)
-    {
-        error!("{ENV_IDENTITY_DISABLED} is no longer supported. Identity is must be enabled.");
-        return Err(EnvError::InvalidEnvVar);
-    }
-
-    match (ta?, server_id?, server_name?) {
-        (Some(trust_anchors_pem), Some(server_id), Some(server_name)) => {
-            let params = identity::TlsParams {
-                id: server_id,
-                server_name,
-                trust_anchors_pem,
-            };
-            Ok(params)
-        }
-        (trust_anchors_pem, server_id, server_name) => {
-            for (unset, name) in &[
-                (trust_anchors_pem.is_none(), ENV_IDENTITY_TRUST_ANCHORS),
-                (server_id.is_none(), server_id_env_var),
-                (server_name.is_none(), server_name_env_var),
-            ] {
-                if *unset {
-                    error!("{} must be set.", name);
-                }
-            }
-            Err(EnvError::InvalidEnvVar)
-        }
-    }
-}
-
-pub fn parse_linkerd_identity_config<S: Strings>(
-    strings: &S,
-) -> Result<(ControlAddr, identity::client::linkerd::Config), EnvError> {
-    let control = parse_control_addr(strings, ENV_IDENTITY_SVC_BASE);
-    let dir = parse(strings, ENV_IDENTITY_DIR, |ref s| Ok(PathBuf::from(s)));
-    let tok = parse(strings, ENV_IDENTITY_TOKEN_FILE, |ref s| {
-        identity::client::linkerd::TokenSource::if_nonempty_file(s.to_string()).map_err(|e| {
-            error!("Could not read {ENV_IDENTITY_TOKEN_FILE}: {e}");
-            ParseError::InvalidTokenSource
-        })
-    });
-
-    let min_refresh = parse(strings, ENV_IDENTITY_MIN_REFRESH, parse_duration);
-    let max_refresh = parse(strings, ENV_IDENTITY_MAX_REFRESH, parse_duration);
-
-    match (control?, dir?, tok?, min_refresh?, max_refresh?) {
-        (Some(control), Some(dir), Some(token), min_refresh, max_refresh) => {
-            let certify = identity::client::linkerd::Config {
-                token,
-                min_refresh: min_refresh.unwrap_or(DEFAULT_IDENTITY_MIN_REFRESH),
-                max_refresh: max_refresh.unwrap_or(DEFAULT_IDENTITY_MAX_REFRESH),
-                documents: identity::client::linkerd::certify::Documents::load(dir).map_err(
-                    |error| {
-                        error!(%error, "Failed to read identity documents");
-                        EnvError::InvalidEnvVar
-                    },
-                )?,
-            };
-
-            Ok((control, certify))
-        }
-        (addr, end_entity_dir, token, _minr, _maxr) => {
-            let s = format!("{ENV_IDENTITY_SVC_BASE}_ADDR and {ENV_IDENTITY_SVC_BASE}_NAME");
-            let svc_env: &str = s.as_str();
-            for (unset, name) in &[
-                (addr.is_none(), svc_env),
-                (end_entity_dir.is_none(), ENV_IDENTITY_DIR),
-                (token.is_none(), ENV_IDENTITY_TOKEN_FILE),
-            ] {
-                if *unset {
-                    error!("{name} must be set.");
-                }
-            }
-            Err(EnvError::InvalidEnvVar)
-        }
-    }
-}
-
 #[cfg(test)]
 impl Strings for std::collections::HashMap<&'static str, &'static str> {
     fn get(&self, key: &str) -> Result<Option<String>, EnvError> {

linkerd/app/src/env/identity.rs

@@ -0,0 +1,183 @@
+use super::*;
+use crate::identity::Id;
+
+pub fn parse_identity_config<S: Strings>(
+    strings: &S,
+    inbound: &inbound::Config,
+    outbound: &outbound::Config,
+) -> Result<crate::identity::Config, EnvError> {
+    let (id, server_name, trust_anchors_pem) = parse_tls_params(strings)?;
+
+    match parse_deprecated(
+        strings,
+        ENV_IDENTITY_SPIRE_WORKLOAD_API_ADDRESS,
+        ENV_IDENTITY_SPIRE_SOCKET,
+        |s| Ok(s.to_string()),
+    )? {
+        Some(workload_api_addr) => match &id {
+            // TODO: perform stricter SPIFFE ID validation following:
+            // https://github.com/spiffe/spiffe/blob/27b59b81ba8c56885ac5d4be73b35b9b3305fd7a/standards/SPIFFE-ID.md
+            crate::identity::Id::Uri(uri)
+                if uri.scheme().eq_ignore_ascii_case(SPIFFE_ID_URI_SCHEME) =>
+            {
+                Ok(crate::identity::Config::Spire {
+                    id,
+                    server_name,
+                    trust_anchors_pem,
+                    client: spire::Config {
+                        workload_api_addr: std::sync::Arc::new(workload_api_addr),
+                        backoff: parse_backoff(
+                            strings,
+                            IDENTITY_SPIRE_BASE,
+                            DEFAULT_SPIRE_BACKOFF,
+                        )?,
+                    },
+                })
+            }
+            _ => {
+                error!("Spire support requires a SPIFFE TLS Id");
+                Err(EnvError::InvalidEnvVar)
+            }
+        },
+        None => {
+            match (&id, &server_name) {
+                (linkerd_app_core::identity::Id::Dns(id), sni) if id == sni => {}
+                (_id, _sni) => {
+                    return Err(EnvError::TlsIdAndServerNameNotMatching);
+                }
+            };
+
+            let (addr, certify) = self::identity::parse_linkerd_identity_config(strings)?;
+
+            // If the address doesn't have a server identity, then we're on localhost.
+            let connect = if addr.addr.is_loopback() {
+                inbound.proxy.connect.clone()
+            } else {
+                outbound.proxy.connect.clone()
+            };
+            let failfast_timeout = if addr.addr.is_loopback() {
+                inbound.http_request_queue.failfast_timeout
+            } else {
+                outbound.http_request_queue.failfast_timeout
+            };
+
+            Ok(crate::identity::Config::Linkerd {
+                certify,
+                id,
+                server_name,
+                trust_anchors_pem,
+                client: ControlConfig {
+                    addr,
+                    connect,
+                    buffer: QueueConfig {
+                        capacity: DEFAULT_CONTROL_QUEUE_CAPACITY,
+                        failfast_timeout,
+                    },
+                },
+            })
+        }
+    }
+}
+
+fn parse_linkerd_identity_config<S: Strings>(
+    strings: &S,
+) -> Result<(ControlAddr, crate::identity::client::linkerd::Config), EnvError> {
+    let control = parse_control_addr(strings, ENV_IDENTITY_SVC_BASE);
+    let dir = parse(strings, ENV_IDENTITY_DIR, |ref s| Ok(PathBuf::from(s)));
+    let tok = parse(strings, ENV_IDENTITY_TOKEN_FILE, |ref s| {
+        crate::identity::client::linkerd::TokenSource::if_nonempty_file(s.to_string()).map_err(
+            |e| {
+                error!("Could not read {ENV_IDENTITY_TOKEN_FILE}: {e}");
+                ParseError::InvalidTokenSource
+            },
+        )
+    });
+
+    let min_refresh = parse(strings, ENV_IDENTITY_MIN_REFRESH, parse_duration);
+    let max_refresh = parse(strings, ENV_IDENTITY_MAX_REFRESH, parse_duration);
+
+    match (control?, dir?, tok?, min_refresh?, max_refresh?) {
+        (Some(control), Some(dir), Some(token), min_refresh, max_refresh) => {
+            let certify = crate::identity::client::linkerd::Config {
+                token,
+                min_refresh: min_refresh.unwrap_or(DEFAULT_IDENTITY_MIN_REFRESH),
+                max_refresh: max_refresh.unwrap_or(DEFAULT_IDENTITY_MAX_REFRESH),
+                documents: crate::identity::client::linkerd::certify::Documents::load(dir)
+                    .map_err(|error| {
+                        error!(%error, "Failed to read identity documents");
+                        EnvError::InvalidEnvVar
+                    })?,
+            };
+
+            Ok((control, certify))
+        }
+        (addr, end_entity_dir, token, _minr, _maxr) => {
+            let s = format!("{ENV_IDENTITY_SVC_BASE}_ADDR and {ENV_IDENTITY_SVC_BASE}_NAME");
+            let svc_env: &str = s.as_str();
+            for (unset, name) in &[
+                (addr.is_none(), svc_env),
+                (end_entity_dir.is_none(), ENV_IDENTITY_DIR),
+                (token.is_none(), ENV_IDENTITY_TOKEN_FILE),
+            ] {
+                if *unset {
+                    error!("{name} must be set.");
+                }
+            }
+            Err(EnvError::InvalidEnvVar)
+        }
+    }
+}
+
+fn parse_tls_params<S: Strings>(strings: &S) -> Result<(Id, dns::Name, String), EnvError> {
+    let ta = parse(strings, ENV_IDENTITY_TRUST_ANCHORS, |s| {
+        if s.is_empty() {
+            return Err(ParseError::InvalidTrustAnchors);
+        }
+        Ok(s.to_string())
+    });
+
+    // The assumtion here is that if `ENV_IDENTITY_IDENTITY_LOCAL_NAME` has been set
+    // we will use that for both tls id and server name.
+    let (server_id_env_var, server_name_env_var) =
+        if strings.get(ENV_IDENTITY_IDENTITY_LOCAL_NAME)?.is_some() {
+            (
+                ENV_IDENTITY_IDENTITY_LOCAL_NAME,
+                ENV_IDENTITY_IDENTITY_LOCAL_NAME,
+            )
+        } else {
+            (
+                ENV_IDENTITY_IDENTITY_SERVER_ID,
+                ENV_IDENTITY_IDENTITY_SERVER_NAME,
+            )
+        };
+
+    let server_id = parse(strings, server_id_env_var, parse_identity);
+    let server_name = parse(strings, server_name_env_var, parse_dns_name);
+
+    if strings
+        .get(ENV_IDENTITY_DISABLED)?
+        .map(|d| !d.is_empty())
+        .unwrap_or(false)
+    {
+        error!("{ENV_IDENTITY_DISABLED} is no longer supported. Identity is must be enabled.");
+        return Err(EnvError::InvalidEnvVar);
+    }
+
+    match (ta?, server_id?, server_name?) {
+        (Some(trust_anchors_pem), Some(server_id), Some(server_name)) => {
+            Ok((server_id, server_name, trust_anchors_pem))
+        }
+        (trust_anchors_pem, server_id, server_name) => {
+            for (unset, name) in &[
+                (trust_anchors_pem.is_none(), ENV_IDENTITY_TRUST_ANCHORS),
+                (server_id.is_none(), server_id_env_var),
+                (server_name.is_none(), server_name_env_var),
+            ] {
+                if *unset {
+                    error!("{} must be set.", name);
+                }
+            }
+            Err(EnvError::InvalidEnvVar)
+        }
+    }
+}