WIP datadog tracing for envoy

DEVELOPER.md

@@ -26,7 +26,7 @@ Below is a list of additional documentation to aid the development process:
 
 - [Envoy filter example project (how to consume and extend Envoy as a submodule)](https://github.com/envoyproxy/envoy-filter-example)
 
-- [Performance testing Envoy with `tcmalloc`/`pprof`](https://github.com/envoyproxy/envoy/tree/bazel/PPROF.md)
+- [Performance testing Envoy with `tcmalloc`/`pprof`](https://github.com/envoyproxy/envoy/blob/master/bazel/PPROF.md)
 
 And some documents on components of Envoy architecture:
 

api/envoy/config/rbac/v2alpha/rbac.proto

@@ -126,6 +126,27 @@ message Permission {
     // match, this permission would not match. Conversely, if the value of `not_rule` would not
     // match, this permission would match.
     Permission not_rule = 8;
+
+    // The request server from the client's connection request. This is
+    // typically TLS SNI.
+    //
+    // .. attention::
+    //
+    //   The behavior of this field may be affected by how Envoy is configured
+    //   as explained below.
+    //
+    //   * If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
+    //     filter is not added, and if a `FilterChainMatch` is not defined for
+    //     the :ref:`server name <envoy_api_field_Listener.FilterChainMatch.server_names>`,
+    //     a TLS connection's requested SNI server name will be treated as if it
+    //     wasn't present.
+    //
+    //   * A :ref:`listener filter <arch_overview_listener_filters>` may
+    //     overwrite a connection's requested server name within Envoy.
+    //
+    // Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
+    // setup SNI.
+    envoy.type.matcher.StringMatcher requested_server_name = 9;
   }
 }
 

api/envoy/config/trace/v2/trace.proto

@@ -80,6 +80,14 @@ message DynamicOtConfig {
   google.protobuf.Struct config = 2;
 }
 
+// Configuration for the Datadog tracer.
+message DatadogConfig {
+  // The cluster to use for submitting traces to the Datadog agent.
+  string collector_cluster = 1 [(validate.rules).string.min_bytes = 1];
+  string service_name = 2 [(validate.rules).string.min_bytes = 1];
+  bool priority_sampling = 3;
+}
+
 // Configuration structure.
 message TraceServiceConfig {
   // The upstream gRPC cluster that hosts the metrics service.

bazel/external/BUILD

@@ -6,6 +6,7 @@ cc_library(
     deps = [
         "@com_google_googletest//:gtest",
         "@com_lightstep_tracer_cpp//:lightstep_tracer",
+        "@com_github_datadog_dd_opentracing_cpp//:dd_opentracing_cpp",
         "@io_opentracing_cpp//:opentracing",
     ],
 )

bazel/repositories.bzl

@@ -311,6 +311,7 @@ def envoy_dependencies(path = "@envoy_deps//", skip_targets = []):
     _com_github_google_libprotobuf_mutator()
     _io_opentracing_cpp()
     _com_lightstep_tracer_cpp()
+    _com_github_datadog_dd_opentracing_cpp()
     _com_github_grpc_grpc()
     _com_github_google_jwt_verify()
     _com_github_nanopb_nanopb()
@@ -432,6 +433,17 @@ def _com_lightstep_tracer_cpp():
         actual = "@com_lightstep_tracer_cpp//:lightstep_tracer",
     )
 
+def _com_github_datadog_dd_opentracing_cpp():
+    _repository_impl("com_github_datadog_dd_opentracing_cpp")
+    _repository_impl(
+        name = "com_github_msgpack_msgpack_c",
+        build_file = "@com_github_datadog_dd_opentracing_cpp//:bazel/external/msgpack.BUILD",
+    )
+    native.bind(
+        name = "dd_opentracing_cpp",
+        actual = "@com_github_datadog_dd_opentracing_cpp//:dd_opentracing_cpp",
+    )
+
 def _com_github_tencent_rapidjson():
     _repository_impl(
         name = "com_github_tencent_rapidjson",

bazel/repository_locations.bzl

@@ -82,6 +82,14 @@ REPOSITORY_LOCATIONS = dict(
         commit = "d6f78d948c53f3b400bb46996eb3084359914f9b",
         remote = "https://github.com/google/googleapis",
     ),
+    com_github_datadog_dd_opentracing_cpp = dict(
+        commit = "92d7ee11f61361ca23e00b48d328fb4e494534c4",  # v0.3.1
+        remote = "https://github.com/DataDog/dd-opentracing-cpp",
+    ),
+    com_github_msgpack_msgpack_c = dict(
+        commit = "83a82e3eb512b18d4149cabb7eb43c7e8bc081af",
+        remote = "https://github.com/msgpack/msgpack-c",  # v3.1.1
+    ),
     com_github_google_jwt_verify = dict(
         commit = "66792a057ec54e4b75c6a2eeda4e98220bd12a9a",  # 2018-08-17
         remote = "https://github.com/google/jwt_verify_lib",

docs/root/intro/version_history.rst

@@ -10,6 +10,7 @@ Version history
 * http: no longer adding whitespace when appending X-Forwarded-For headers. **Warning**: this is not
   compatible with 1.7.0 builds prior to `9d3a4eb4ac44be9f0651fcc7f87ad98c538b01ee <https://github.com/envoyproxy/envoy/pull/3610>`_.
   See `#3611 <https://github.com/envoyproxy/envoy/issues/3611>`_ for details.
+* rbac: added support for permission matching by :ref:`requested server name <envoy_api_field_config.rbac.v2alpha.Permission.requested_server_name>`.
 * router: added ability to configure arbitrary :ref:`retriable status codes. <envoy_api_field_route.RouteAction.RetryPolicy.retriable_status_codes>`
 * router: added ability to set attempt count in upstream requests, see :ref:`virtual host's include request
   attempt count flag <envoy_api_field_route.VirtualHost.include_request_attempt_count>`.

source/common/common/matchers.cc

@@ -64,7 +64,7 @@ bool StringMatcher::match(const ProtobufWkt::Value& value) const {
   return match(value.string_value());
 }
 
-bool StringMatcher::match(const std::string& value) const {
+bool StringMatcher::match(const absl::string_view value) const {
   switch (matcher_.match_pattern_case()) {
   case envoy::type::matcher::StringMatcher::kExact:
     return matcher_.exact() == value;
@@ -73,7 +73,7 @@ bool StringMatcher::match(const std::string& value) const {
   case envoy::type::matcher::StringMatcher::kSuffix:
     return absl::EndsWith(value, matcher_.suffix());
   case envoy::type::matcher::StringMatcher::kRegex:
-    return std::regex_match(value, regex_);
+    return std::regex_match(value.begin(), value.end(), regex_);
   default:
     NOT_REACHED_GCOVR_EXCL_LINE;
   }

source/common/common/matchers.h

@@ -78,7 +78,7 @@ class StringMatcher : public ValueMatcher {
     }
   }
 
-  bool match(const std::string& value) const;
+  bool match(const absl::string_view value) const;
 
   bool match(const ProtobufWkt::Value& value) const override;
 

source/common/http/conn_manager_impl.cc

@@ -587,10 +587,10 @@ void ConnectionManagerImpl::ActiveStream::decodeHeaders(HeaderMapPtr&& headers,
   }
 
   // Currently we only support relative paths at the application layer. We expect the codec to have
-  // broken the path into pieces if applicable. NOTE: Currently the HTTP/1.1 codec does not do this
-  // so we only support relative paths in all cases. https://tools.ietf.org/html/rfc7230#section-5.3
-  // We also need to check for the existence of :path because CONNECT does not have a path, and we
-  // don't support that currently.
+  // broken the path into pieces if applicable. NOTE: Currently the HTTP/1.1 codec only does this
+  // when the allow_absolute_url flag is enabled on the HCM.
+  // https://tools.ietf.org/html/rfc7230#section-5.3 We also need to check for the existence of
+  // :path because CONNECT does not have a path, and we don't support that currently.
   if (!request_headers_->Path() || request_headers_->Path()->value().c_str()[0] != '/') {
     connection_manager_.stats_.named_.downstream_rq_non_relative_path_.inc();
     sendLocalReply(Grpc::Common::hasGrpcContentType(*request_headers_), Code::NotFound, "", nullptr,

source/common/ssl/utility.cc

@@ -59,6 +59,7 @@ std::string Utility::getSubjectFromCertificate(X509& cert) {
 }
 
 int32_t Utility::getDaysUntilExpiration(X509* cert) {
+  // TODO(lizan): Plumbing TimeSource to here.
   if (cert == nullptr) {
     return std::numeric_limits<int>::max();
   }

source/extensions/extensions_build_config.bzl

@@ -100,6 +100,7 @@ EXTENSIONS = {
 
     "envoy.tracers.dynamic_ot":                         "//source/extensions/tracers/dynamic_ot:config",
     "envoy.tracers.lightstep":                          "//source/extensions/tracers/lightstep:config",
+    "envoy.tracers.datadog":                            "//source/extensions/tracers/datadog:config",
     "envoy.tracers.zipkin":                             "//source/extensions/tracers/zipkin:config",
 
     #

source/extensions/filters/common/rbac/matchers.cc

@@ -26,6 +26,8 @@ MatcherConstSharedPtr Matcher::create(const envoy::config::rbac::v2alpha::Permis
     return std::make_shared<const MetadataMatcher>(permission.metadata());
   case envoy::config::rbac::v2alpha::Permission::RuleCase::kNotRule:
     return std::make_shared<const NotMatcher>(permission.not_rule());
+  case envoy::config::rbac::v2alpha::Permission::RuleCase::kRequestedServerName:
+    return std::make_shared<const RequestedServerNameMatcher>(permission.requested_server_name());
   default:
     NOT_REACHED_GCOVR_EXCL_LINE;
   }
@@ -157,6 +159,12 @@ bool PolicyMatcher::matches(const Network::Connection& connection,
          principals_.matches(connection, headers, metadata);
 }
 
+bool RequestedServerNameMatcher::matches(const Network::Connection& connection,
+                                         const Envoy::Http::HeaderMap&,
+                                         const envoy::api::v2::core::Metadata&) const {
+  return match(connection.requestedServerName());
+}
+
 } // namespace RBAC
 } // namespace Common
 } // namespace Filters

source/extensions/filters/common/rbac/matchers.h

@@ -202,6 +202,19 @@ class MetadataMatcher : public Matcher {
   const Envoy::Matchers::MetadataMatcher matcher_;
 };
 
+/**
+ * Perform a match against the request server from the client's connection
+ * request. This is typically TLS SNI.
+ */
+class RequestedServerNameMatcher : public Matcher, Envoy::Matchers::StringMatcher {
+public:
+  RequestedServerNameMatcher(const envoy::type::matcher::StringMatcher& requested_server_name)
+      : Envoy::Matchers::StringMatcher(requested_server_name) {}
+
+  bool matches(const Network::Connection& connection, const Envoy::Http::HeaderMap& headers,
+               const envoy::api::v2::core::Metadata&) const override;
+};
+
 } // namespace RBAC
 } // namespace Common
 } // namespace Filters

source/extensions/tracers/datadog/BUILD

@@ -0,0 +1,37 @@
+licenses(["notice"])  # Apache 2
+
+# Trace driver for Datadog (https://datadoghq.com/)
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "datadog_tracer_lib",
+    srcs = [
+        "datadog_tracer_impl.cc",
+    ],
+    hdrs = [
+        "datadog_tracer_impl.h",
+    ],
+    external_deps = ["dd_opentracing_cpp"],
+    deps = [
+        "//source/common/tracing:http_tracer_lib",
+        "//source/extensions/tracers/common/ot:opentracing_driver_lib",
+    ],
+)
+
+envoy_cc_library(
+    name = "config",
+    srcs = ["config.cc"],
+    hdrs = ["config.h"],
+    deps = [
+        ":datadog_tracer_lib",
+        "//source/extensions/tracers:well_known_names",
+        "//source/server:configuration_lib",
+    ],
+)

source/extensions/tracers/datadog/config.cc

@@ -0,0 +1,48 @@
+#include "extensions/tracers/datadog/config.h"
+
+#include "envoy/registry/registry.h"
+
+#include "common/common/utility.h"
+#include "common/tracing/http_tracer_impl.h"
+
+#include "extensions/tracers/datadog/datadog_tracer_impl.h"
+#include "extensions/tracers/well_known_names.h"
+
+#include "datadog/opentracing.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace Tracers {
+namespace Datadog {
+
+Tracing::HttpTracerPtr
+DatadogTracerFactory::createHttpTracer(const envoy::config::trace::v2::Tracing& configuration,
+                                       Server::Instance& server) {
+
+  ProtobufTypes::MessagePtr config_ptr = createEmptyConfigProto();
+
+  if (configuration.http().has_config()) {
+    MessageUtil::jsonConvert(configuration.http().config(), *config_ptr);
+  }
+
+  const auto& datadog_config =
+      dynamic_cast<const envoy::config::trace::v2::DatadogConfig&>(*config_ptr);
+
+  Tracing::DriverPtr datadog_driver{new Driver{datadog_config, server.clusterManager(),
+                                               server.stats(), server.threadLocal(),
+                                               server.runtime()}};
+  return std::make_unique<Tracing::HttpTracerImpl>(std::move(datadog_driver), server.localInfo());
+}
+
+std::string DatadogTracerFactory::name() { return TracerNames::get().Datadog; }
+
+/**
+ * Static registration for the Datadog tracer. @see RegisterFactory.
+ */
+static Registry::RegisterFactory<DatadogTracerFactory, Server::Configuration::TracerFactory>
+    register_;
+
+} // namespace Datadog
+} // namespace Tracers
+} // namespace Extensions
+} // namespace Envoy

source/extensions/tracers/datadog/config.h

@@ -0,0 +1,33 @@
+#pragma once
+
+#include <string>
+
+#include "envoy/server/instance.h"
+
+#include "server/configuration_impl.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace Tracers {
+namespace Datadog {
+
+/**
+ * Config registration for the Datadog tracer. @see TracerFactory.
+ */
+class DatadogTracerFactory : public Server::Configuration::TracerFactory {
+public:
+  // TracerFactory
+  Tracing::HttpTracerPtr createHttpTracer(const envoy::config::trace::v2::Tracing& configuration,
+                                          Server::Instance& server) override;
+
+  ProtobufTypes::MessagePtr createEmptyConfigProto() override {
+    return std::make_unique<envoy::config::trace::v2::DatadogConfig>();
+  }
+
+  std::string name() override;
+};
+
+} // namespace Datadog
+} // namespace Tracers
+} // namespace Extensions
+} // namespace Envoy