Generate self signed certificates instead of importing them

Add Readme

fix rebase

update to register the service

contrib/envoyproxy/go-control-plane/cmd/serviceextensions/Dockerfile

@@ -1,18 +1,33 @@
 # Build stage
 FROM golang:1.23-alpine AS builder
 ENV CGO_ENABLED=1
+
 WORKDIR /app
 COPY . .
-RUN apk add --no-cache --update git build-base
+
+RUN apk add --no-cache --update git build-base openssl
+
+# Generate SSL self-signed localhost certificate
+RUN openssl genrsa -out localhost.key 3072
+RUN openssl req -new \
+  -key localhost.key \
+  -subj "/C=US/ST=New York/O=Datadog/OU=gRPC/CN=localhost" \
+  -out request.csr 
+RUN openssl x509 -req -days 3660 \
+  -in request.csr \
+  -signkey localhost.key \
+  -out localhost.crt
+
+# Build the serviceextensions binary
 RUN go build -tags=appsec -o ./contrib/envoyproxy/go-control-plane/cmd/serviceextensions/serviceextensions ./contrib/envoyproxy/go-control-plane/cmd/serviceextensions
 
 # Runtime stage
 FROM alpine:3.20.3
 RUN apk --no-cache add ca-certificates tzdata libc6-compat libgcc libstdc++
 WORKDIR /app
 COPY --from=builder /app/contrib/envoyproxy/go-control-plane/cmd/serviceextensions/serviceextensions /app/serviceextensions
-COPY ./contrib/envoyproxy/go-control-plane/cmd/serviceextensions/localhost.crt /app/localhost.crt
-COPY ./contrib/envoyproxy/go-control-plane/cmd/serviceextensions/localhost.key /app/localhost.key
+COPY --from=builder /app/localhost.crt /app/localhost.crt
+COPY --from=builder /app/localhost.key /app/localhost.key
 
 EXPOSE 80
 EXPOSE 443

contrib/envoyproxy/go-control-plane/cmd/serviceextensions/README.md

@@ -0,0 +1,42 @@
+# ASM Service Extension
+
+[GCP Services Extensions](https://cloud.google.com/service-extensions/docs/overview) enable Google Cloud users to provide programmability and extensibility on Cloud Load Balancing data paths and at the edge.
+
+## Installation
+
+### From Release
+
+This package provides a docker image to be used with Google Cloud Service Extensions.
+The images are published at each release of the tracer and can be found in [the repo registry](https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout).
+
+### Build image
+
+The docker image can be build locally using docker. Start by cloning the `dd-trace-go` repo, `cd` inside it and run that command:
+```sh
+docker build --build-arg -f contrib/envoyproxy/go-control-plane/cmd/serviceextensions/Dockerfile -t datadog/dd-trace-go/service-extensions-callout:local .
+```
+
+## Configuration
+
+The ASM Service Extension expose some configuration. The configuration can be tweaked if the Service Extension is only used as an External Processor for Envoy that is not operated by GCP.
+
+>**GCP requires that the default configuration for the Service Extension should not change.**
+
+| Environment variable | Default value | Description |
+|---|---|---|
+| `DD_SERVICE_EXTENSION_HOST` | `0.0.0.0` | Host on where the gRPC and HTTP server should listen to. |
+| `DD_SERVICE_EXTENSION_PORT` | `443` | Port used by the gRPC Server.<br>Envoy Google backend’s is only using secure connection to Service Extension. |
+| `DD_SERVICE_EXTENSION_HEALTHCHECK_PORT` | `80` | Port used for the HTTP server for the health check. |
+
+> The Service Extension need to be connected to a deployed [Datadog agent](https://docs.datadoghq.com/agent).
+
+| Environment variable | Default value | Description |
+|---|---|---|
+| `DD_AGENT_HOST` | `N/A` | Host of a running Datadog Agent. |
+| `DD_TRACE_AGENT_PORT` | `8126` | Port of a running Datadog Agent. |
+
+### SSL Configuration
+
+The Envoy of GCP is configured to communicate to the Service Extension with TLS.
+
+`localhost` self signed certificates are generated and bundled into the ASM Service Extension docker image and loaded at the start of the gRPC server.

contrib/envoyproxy/go-control-plane/cmd/serviceextensions/main.go

@@ -13,7 +13,7 @@ import (
 	"os"
 	"strconv"
 
-	"gopkg.in/DataDog/dd-trace-go.v1/contrib/envoyproxy/go-control-plane"
+	gocontrolplane "gopkg.in/DataDog/dd-trace-go.v1/contrib/envoyproxy/go-control-plane"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/log"
 	"gopkg.in/DataDog/dd-trace-go.v1/internal/version"
 
@@ -51,7 +51,7 @@ func loadConfig() serviceExtensionConfig {
 
 	extensionHost := internal.IpEnv("DD_SERVICE_EXTENSION_HOST", "0.0.0.0")
 	extensionPortStr := strconv.FormatInt(int64(extensionPortInt), 10)
-	healthcheckPortStr := strconv.FormatInt(int64(extensionPortInt), 10)
+	healthcheckPortStr := strconv.FormatInt(int64(healthcheckPortInt), 10)
 
 	// check if the ports are free
 	l, err := net.Listen("tcp", extensionHost+":"+extensionPortStr)
@@ -129,20 +129,26 @@ func StartGPRCSsl(service extproc.ExternalProcessorServer, config serviceExtensi
 	cert, err := tls.LoadX509KeyPair("localhost.crt", "localhost.key")
 	if err != nil {
 		log.Error("service_extension: failed to load key pair: %v\n", err)
+		os.Exit(1)
+		return
 	}
 
 	lis, err := net.Listen("tcp", config.extensionHost+":"+config.extensionPort)
 	if err != nil {
 		log.Error("service_extension: gRPC server failed to listen: %v\n", err)
+		os.Exit(1)
+		return
 	}
 
-	si := go_control_plane.StreamServerInterceptor()
-	creds := credentials.NewServerTLSFromCert(&cert)
-	grpcServer := grpc.NewServer(grpc.StreamInterceptor(si), grpc.Creds(creds))
+	grpcCredentials := credentials.NewServerTLSFromCert(&cert)
+	grpcServer := grpc.NewServer(grpc.Creds(grpcCredentials))
 
-	extproc.RegisterExternalProcessorServer(grpcServer, service)
+	appsecEnvoyExternalProcessorServer := gocontrolplane.AppsecEnvoyExternalProcessorServer(service)
+
+	extproc.RegisterExternalProcessorServer(grpcServer, appsecEnvoyExternalProcessorServer)
 	reflection.Register(grpcServer)
 	if err := grpcServer.Serve(lis); err != nil {
 		log.Error("service_extension: error starting gRPC server: %v\n", err)
+		os.Exit(1)
 	}
 }