luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity
open-consul/agent/xds/routes.go

1085 lines
33 KiB
Go
Raw Normal View History

copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files
2023-03-28 18:39:22 +00:00
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
xDS Server Implementation (#4731) * Vendor updates for gRPC and xDS server * xDS server implementation for serving Envoy as a Connect proxy * Address initial review comments * consistent envoy package aliases; typos fixed; override TLS and authz for custom listeners * Moar Typos * Moar typos
2018-10-03 18:18:55 +00:00
package xds
import (
"errors"
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
"fmt"
Append port number to ingress host domain (#8190) A port can be sent in the Host header as defined in the HTTP RFC, so we take any hosts that we want to match traffic to and also add another host with the listener port added. Also fix an issue with envoy integration tests not running the case-ingress-gateway-tls test.
2020-07-07 15:43:04 +00:00
"net"
Tgtwy egress HTTP support (#13953) * add golden files * add support to http in tgateway egress destination * fix slice sorting to include both address and port when using server_names * fix listener loop for http destination * fix routes to generate a route per port and a virtualhost per port-address combination * sort virtual hosts list to have a stable order * extract redundant serviceNode
2022-08-01 18:12:43 +00:00
"sort"
connect: allow L7 routers to match on http methods (#6164) Fixes #6158
2019-07-24 01:56:39 +00:00
"strings"
Add session flag to cookie config
2020-09-12 00:34:03 +00:00
"time"
xDS Server Implementation (#4731) * Vendor updates for gRPC and xDS server * xDS server implementation for serving Envoy as a Connect proxy * Address initial review comments * consistent envoy package aliases; typos fixed; override TLS and authz for custom listeners * Moar Typos * Moar typos
2018-10-03 18:18:55 +00:00
Ingress gateway header manip plumbing
2021-07-13 12:53:59 +00:00
envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
envoy_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
envoy_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
xds: remove deprecated usages of xDS (#9602) Note that this does NOT upgrade to xDS v3. That will come in a future PR. Additionally: - Ignored staticcheck warnings about how github.com/golang/protobuf is deprecated. - Shuffled some agent/xds imports in advance of a later xDS v3 upgrade. - Remove support for envoy 1.13.x but don't add in 1.17.x yet. We have to wait until the xDS v3 support is added in a follow-up PR. Fixes #8425
2021-02-22 21:00:15 +00:00
Protobuf Modernization (#15949) * Protobuf Modernization Remove direct usage of golang/protobuf in favor of google.golang.org/protobuf Marshallers (protobuf and json) needed some changes to account for different APIs. Moved to using the google.golang.org/protobuf/types/known/* for the well known types including replacing some custom Struct manipulation with whats available in the structpb well known type package. This also updates our devtools script to install protoc-gen-go from the right location so that files it generates conform to the correct interfaces. * Fix go-mod-tidy make target to work on all modules
2023-01-11 14:39:10 +00:00
"google.golang.org/protobuf/proto"
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624) A mesh gateway will now configure the filter chains for L7 exported services using the correct discovery chain information.
2022-06-28 19:52:25 +00:00
"google.golang.org/protobuf/types/known/durationpb"
xds: remove deprecated usages of xDS (#9602) Note that this does NOT upgrade to xDS v3. That will come in a future PR. Additionally: - Ignored staticcheck warnings about how github.com/golang/protobuf is deprecated. - Shuffled some agent/xds imports in advance of a later xDS v3 upgrade. - Remove support for envoy 1.13.x but don't add in 1.17.x yet. We have to wait until the xDS v3 support is added in a follow-up PR. Fixes #8425
2021-02-22 21:00:15 +00:00
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
"github.com/hashicorp/consul/agent/connect"
xDS Server Implementation (#4731) * Vendor updates for gRPC and xDS server * xDS server implementation for serving Envoy as a Connect proxy * Address initial review comments * consistent envoy package aliases; typos fixed; override TLS and authz for custom listeners * Moar Typos * Moar typos
2018-10-03 18:18:55 +00:00
"github.com/hashicorp/consul/agent/proxycfg"
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
"github.com/hashicorp/consul/agent/structs"
xDS Server Implementation (#4731) * Vendor updates for gRPC and xDS server * xDS server implementation for serving Envoy as a Connect proxy * Address initial review comments * consistent envoy package aliases; typos fixed; override TLS and authz for custom listeners * Moar Typos * Moar typos
2018-10-03 18:18:55 +00:00
)
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
// routesFromSnapshot returns the xDS API representation of the "routes" in the
// snapshot.
Support Incremental xDS mode (#9855) This adds support for the Incremental xDS protocol when using xDS v3. This is best reviewed commit-by-commit and will not be squashed when merged. Union of all commit messages follows to give an overarching summary: xds: exclusively support incremental xDS when using xDS v3 Attempts to use SoTW via v3 will fail, much like attempts to use incremental via v2 will fail. Work around a strange older envoy behavior involving empty CDS responses over incremental xDS. xds: various cleanups and refactors that don't strictly concern the addition of incremental xDS support Dissolve the connectionInfo struct in favor of per-connection ResourceGenerators instead. Do a better job of ensuring the xds code uses a well configured logger that accurately describes the connected client. xds: pull out checkStreamACLs method in advance of a later commit xds: rewrite SoTW xDS protocol tests to use protobufs rather than hand-rolled json strings In the test we very lightly reuse some of the more boring protobuf construction helper code that is also technically under test. The important thing of the protocol tests is testing the protocol. The actual inputs and outputs are largely already handled by the xds golden output tests now so these protocol tests don't have to do double-duty. This also updates the SoTW protocol test to exclusively use xDS v2 which is the only variant of SoTW that will be supported in Consul 1.10. xds: default xds.Server.AuthCheckFrequency at use-time instead of construction-time
2021-04-29 18:54:05 +00:00
func (s *ResourceGenerator) routesFromSnapshot(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error) {
xDS Server Implementation (#4731) * Vendor updates for gRPC and xDS server * xDS server implementation for serving Envoy as a Connect proxy * Address initial review comments * consistent envoy package aliases; typos fixed; override TLS and authz for custom listeners * Moar Typos * Moar typos
2018-10-03 18:18:55 +00:00
if cfgSnap == nil {
return nil, errors.New("nil config given")
}
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
switch cfgSnap.Kind {
case structs.ServiceKindConnectProxy:
Validate chains are associated with upstreams Previously we could get into a state where discovery chain entries were not cleaned up after the associated watch was cancelled. These changes add handling for that case where stray chain references are encountered.
2021-12-13 22:30:49 +00:00
return s.routesForConnectProxy(cfgSnap)
Add http routing support and integration test to ingress gateways
2020-04-03 19:41:10 +00:00
case structs.ServiceKindIngressGateway:
proxycfg: change how various proxycfg test helpers for making ConfigSnapshot copies works to be more correct and less error prone (#12531) Prior to this PR for the envoy xDS golden tests in the agent/xds package we were hand-creating a proxycfg.ConfigSnapshot structure in the proper format for input to the xDS generator. Over time this intermediate structure has gotten trickier to build correctly for the various tests. This PR proposes to switch to using the existing mechanism for turning a structs.NodeService and a sequence of cache.UpdateEvent copies into a proxycfg.ConfigSnapshot, as that is less error prone to construct and aligns more with how the data arrives. NOTE: almost all of this is in test-related code. I tried super hard to craft correct event inputs to get the golden files to be the same, or similar enough after construction to feel ok that i recreated the spirit of the original test cases.
2022-03-07 17:47:14 +00:00
return s.routesForIngressGateway(cfgSnap)
Implement APIGateway proxycfg snapshot (#16194) * Stub proxycfg handler for API gateway * Add Service Kind constants/handling for API Gateway * Begin stubbing for SDS * Add new Secret type to xDS order of operations * Continue stubbing of SDS * Iterate on proxycfg handler for API gateway * Handle BoundAPIGateway config entry subscription in proxycfg-glue * Add API gateway to config snapshot validation * Add API gateway to config snapshot clone, leaf, etc. * Subscribe to bound route + cert config entries on bound-api-gateway * Track routes + certs on API gateway config snapshot * Generate DeepCopy() for types used in watch.Map * Watch all active references on api-gateway, unwatch inactive * Track loading of initial bound-api-gateway config entry * Use proper proto package for SDS mapping * Use ResourceReference instead of ServiceName, collect resources * Fix typo, add + remove TODOs * Watch discovery chains for TCPRoute * Add TODO for updating gateway services for api-gateway * make proto * Regenerate deep-copy for proxycfg * Set datacenter on upstream ID from query source * Watch discovery chains for http-route service backends * Add ServiceName getter to HTTP+TCP Service structs * Clean up unwatched discovery chains on API Gateway * Implement watch for ingress leaf certificate * Collect upstreams on http-route + tcp-route updates * Remove unused GatewayServices update handler * Remove unnecessary gateway services logic for API Gateway * Remove outdate TODO * Use .ToIngress where appropriate, including TODO for cleaning up * Cancel before returning error * Remove GatewayServices subscription * Add godoc for handlerAPIGateway functions * Update terminology from Connect => Consul Service Mesh Consistent with terminology changes in https://github.com/hashicorp/consul/pull/12690 * Add missing TODO * Remove duplicate switch case * Rerun deep-copy generator * Use correct property on config snapshot * Remove unnecessary leaf cert watch * Clean up based on code review feedback * Note handler properties that are initialized but set elsewhere * Add TODO for moving helper func into structs pkg * Update generated DeepCopy code * gofmt * Generate DeepCopy() for API gateway listener types * Improve variable name * Regenerate DeepCopy() code * Fix linting issue * Temporarily remove the secret type from resource generation
2023-02-08 21:52:12 +00:00
case structs.ServiceKindAPIGateway:
// TODO Find a cleaner solution, can't currently pass unexported property types
API Gateway to Ingress Gateway Snapshot Translation and Routes to Virtual Routers and Splitters (#16127) * Stub proxycfg handler for API gateway * Add Service Kind constants/handling for API Gateway * Begin stubbing for SDS * Add new Secret type to xDS order of operations * Continue stubbing of SDS * Iterate on proxycfg handler for API gateway * Handle BoundAPIGateway config entry subscription in proxycfg-glue * Add API gateway to config snapshot validation * Add API gateway to config snapshot clone, leaf, etc. * Subscribe to bound route + cert config entries on bound-api-gateway * Track routes + certs on API gateway config snapshot * Generate DeepCopy() for types used in watch.Map * Watch all active references on api-gateway, unwatch inactive * Track loading of initial bound-api-gateway config entry * Use proper proto package for SDS mapping * Use ResourceReference instead of ServiceName, collect resources * Fix typo, add + remove TODOs * Watch discovery chains for TCPRoute * Add TODO for updating gateway services for api-gateway * make proto * Regenerate deep-copy for proxycfg * Set datacenter on upstream ID from query source * Watch discovery chains for http-route service backends * Add ServiceName getter to HTTP+TCP Service structs * Clean up unwatched discovery chains on API Gateway * Implement watch for ingress leaf certificate * Collect upstreams on http-route + tcp-route updates * Remove unused GatewayServices update handler * Remove unnecessary gateway services logic for API Gateway * Remove outdate TODO * Use .ToIngress where appropriate, including TODO for cleaning up * Cancel before returning error * Remove GatewayServices subscription * Add godoc for handlerAPIGateway functions * Update terminology from Connect => Consul Service Mesh Consistent with terminology changes in https://github.com/hashicorp/consul/pull/12690 * Add missing TODO * Remove duplicate switch case * Rerun deep-copy generator * Use correct property on config snapshot * Remove unnecessary leaf cert watch * Clean up based on code review feedback * Note handler properties that are initialized but set elsewhere * Add TODO for moving helper func into structs pkg * Update generated DeepCopy code * gofmt * Begin stubbing for SDS * Start adding tests * Remove second BoundAPIGateway case in glue * TO BE PICKED: fix formatting of str * WIP * Fix merge conflict * Implement HTTP Route to Discovery Chain config entries * Stub out function to create discovery chain * Add discovery chain merging code (#16131) * Test adding TCP and HTTP routes * Add some tests for the synthesizer * Run go mod tidy * Pairing with N8 * Run deep copy * Clean up GatewayChainSynthesizer * Fix missing assignment of BoundAPIGateway topic * Separate out synthesizeChains and toIngressTLS * Fix build errors * Ensure synthesizer skips non-matching routes by protocol * Rebase on N8s work * Generate DeepCopy() for API gateway listener types * Improve variable name * Regenerate DeepCopy() code * Fix linting issue * fix protobuf import * Fix more merge conflict errors * Fix synthesize test * Run deep copy * Add URLRewrite to proto * Update agent/consul/discoverychain/gateway_tcproute.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Remove APIGatewayConfigEntry that was extra * Error out if route kind is unknown * Fix formatting errors in proto --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com>
2023-02-09 17:58:55 +00:00
var err error
cfgSnap.IngressGateway, err = cfgSnap.APIGateway.ToIngress(cfgSnap.Datacenter)
if err != nil {
return nil, err
}
Implement APIGateway proxycfg snapshot (#16194) * Stub proxycfg handler for API gateway * Add Service Kind constants/handling for API Gateway * Begin stubbing for SDS * Add new Secret type to xDS order of operations * Continue stubbing of SDS * Iterate on proxycfg handler for API gateway * Handle BoundAPIGateway config entry subscription in proxycfg-glue * Add API gateway to config snapshot validation * Add API gateway to config snapshot clone, leaf, etc. * Subscribe to bound route + cert config entries on bound-api-gateway * Track routes + certs on API gateway config snapshot * Generate DeepCopy() for types used in watch.Map * Watch all active references on api-gateway, unwatch inactive * Track loading of initial bound-api-gateway config entry * Use proper proto package for SDS mapping * Use ResourceReference instead of ServiceName, collect resources * Fix typo, add + remove TODOs * Watch discovery chains for TCPRoute * Add TODO for updating gateway services for api-gateway * make proto * Regenerate deep-copy for proxycfg * Set datacenter on upstream ID from query source * Watch discovery chains for http-route service backends * Add ServiceName getter to HTTP+TCP Service structs * Clean up unwatched discovery chains on API Gateway * Implement watch for ingress leaf certificate * Collect upstreams on http-route + tcp-route updates * Remove unused GatewayServices update handler * Remove unnecessary gateway services logic for API Gateway * Remove outdate TODO * Use .ToIngress where appropriate, including TODO for cleaning up * Cancel before returning error * Remove GatewayServices subscription * Add godoc for handlerAPIGateway functions * Update terminology from Connect => Consul Service Mesh Consistent with terminology changes in https://github.com/hashicorp/consul/pull/12690 * Add missing TODO * Remove duplicate switch case * Rerun deep-copy generator * Use correct property on config snapshot * Remove unnecessary leaf cert watch * Clean up based on code review feedback * Note handler properties that are initialized but set elsewhere * Add TODO for moving helper func into structs pkg * Update generated DeepCopy code * gofmt * Generate DeepCopy() for API gateway listener types * Improve variable name * Regenerate DeepCopy() code * Fix linting issue * Temporarily remove the secret type from resource generation
2023-02-08 21:52:12 +00:00
return s.routesForIngressGateway(cfgSnap)
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
case structs.ServiceKindTerminatingGateway:
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624) A mesh gateway will now configure the filter chains for L7 exported services using the correct discovery chain information.
2022-06-28 19:52:25 +00:00
return s.routesForTerminatingGateway(cfgSnap)
Support Incremental xDS mode (#9855) This adds support for the Incremental xDS protocol when using xDS v3. This is best reviewed commit-by-commit and will not be squashed when merged. Union of all commit messages follows to give an overarching summary: xds: exclusively support incremental xDS when using xDS v3 Attempts to use SoTW via v3 will fail, much like attempts to use incremental via v2 will fail. Work around a strange older envoy behavior involving empty CDS responses over incremental xDS. xds: various cleanups and refactors that don't strictly concern the addition of incremental xDS support Dissolve the connectionInfo struct in favor of per-connection ResourceGenerators instead. Do a better job of ensuring the xds code uses a well configured logger that accurately describes the connected client. xds: pull out checkStreamACLs method in advance of a later commit xds: rewrite SoTW xDS protocol tests to use protobufs rather than hand-rolled json strings In the test we very lightly reuse some of the more boring protobuf construction helper code that is also technically under test. The important thing of the protocol tests is testing the protocol. The actual inputs and outputs are largely already handled by the xds golden output tests now so these protocol tests don't have to do double-duty. This also updates the SoTW protocol test to exclusively use xDS v2 which is the only variant of SoTW that will be supported in Consul 1.10. xds: default xds.Server.AuthCheckFrequency at use-time instead of construction-time
2021-04-29 18:54:05 +00:00
case structs.ServiceKindMeshGateway:
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624) A mesh gateway will now configure the filter chains for L7 exported services using the correct discovery chain information.
2022-06-28 19:52:25 +00:00
return s.routesForMeshGateway(cfgSnap)
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
default:
return nil, fmt.Errorf("Invalid service kind: %v", cfgSnap.Kind)
}
}
PR comments
2020-09-11 16:49:26 +00:00
// routesFromSnapshotConnectProxy returns the xDS API representation of the
// "routes" in the snapshot.
Validate chains are associated with upstreams Previously we could get into a state where discovery chain entries were not cleaned up after the associated watch was cancelled. These changes add handling for that case where stray chain references are encountered.
2021-12-13 22:30:49 +00:00
func (s *ResourceGenerator) routesForConnectProxy(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error) {
PR comments
2020-09-11 16:49:26 +00:00
var resources []proto.Message
proxycfg: introduce explicit UpstreamID in lieu of bare string (#12125) The gist here is that now we use a value-type struct proxycfg.UpstreamID as the map key in ConfigSnapshot maps where we used to use "upstream id-ish" strings. These are internal only and used just for bidirectional trips through the agent cache keyspace (like the discovery chain target struct). For the few places where the upstream id needs to be projected into xDS, that's what (proxycfg.UpstreamID).EnvoyID() is for. This lets us ALWAYS inject the partition and namespace into these things without making stuff like the golden testdata diverge.
2022-01-20 16:12:04 +00:00
for uid, chain := range cfgSnap.ConnectProxy.DiscoveryChain {
server: ensure that service-defaults meta is incorporated into the discovery chain response (#12511) Also add a new "Default" field to the discovery chain response to clients
2022-03-30 15:04:18 +00:00
if chain.Default {
Update xds for transparent proxy
2021-03-17 19:40:49 +00:00
continue
PR comments
2020-09-11 16:49:26 +00:00
}
proxycfg: introduce explicit UpstreamID in lieu of bare string (#12125) The gist here is that now we use a value-type struct proxycfg.UpstreamID as the map key in ConfigSnapshot maps where we used to use "upstream id-ish" strings. These are internal only and used just for bidirectional trips through the agent cache keyspace (like the discovery chain target struct). For the few places where the upstream id needs to be projected into xDS, that's what (proxycfg.UpstreamID).EnvoyID() is for. This lets us ALWAYS inject the partition and namespace into these things without making stuff like the golden testdata diverge.
2022-01-20 16:12:04 +00:00
explicit := cfgSnap.ConnectProxy.UpstreamConfig[uid].HasLocalPortOrSocket()
Check if an upstream is implicit from either intentions or peered services
2022-07-13 20:12:01 +00:00
implicit := cfgSnap.ConnectProxy.IsImplicitUpstream(uid)
if !implicit && !explicit {
Validate chains are associated with upstreams Previously we could get into a state where discovery chain entries were not cleaned up after the associated watch was cancelled. These changes add handling for that case where stray chain references are encountered.
2021-12-13 22:30:49 +00:00
// Discovery chain is not associated with a known explicit or implicit upstream so it is skipped.
continue
}
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
virtualHost, err := s.makeUpstreamRouteForDiscoveryChain(cfgSnap, uid, chain, []string{"*"}, false)
Update xds for transparent proxy
2021-03-17 19:40:49 +00:00
if err != nil {
return nil, err
}
PR comments
2020-09-11 16:49:26 +00:00
Update xds for transparent proxy
2021-03-17 19:40:49 +00:00
route := &envoy_route_v3.RouteConfiguration{
proxycfg: introduce explicit UpstreamID in lieu of bare string (#12125) The gist here is that now we use a value-type struct proxycfg.UpstreamID as the map key in ConfigSnapshot maps where we used to use "upstream id-ish" strings. These are internal only and used just for bidirectional trips through the agent cache keyspace (like the discovery chain target struct). For the few places where the upstream id needs to be projected into xDS, that's what (proxycfg.UpstreamID).EnvoyID() is for. This lets us ALWAYS inject the partition and namespace into these things without making stuff like the golden testdata diverge.
2022-01-20 16:12:04 +00:00
Name: uid.EnvoyID(),
Update xds for transparent proxy
2021-03-17 19:40:49 +00:00
VirtualHosts: []*envoy_route_v3.VirtualHost{virtualHost},
// ValidateClusters defaults to true when defined statically and false
Replace use of 'sane' where appropriate HashiCorp voice, style, and language guidelines recommend avoiding ableist language unless its reference to ability is accurate in a particular use.
2021-07-02 16:18:46 +00:00
// when done via RDS. Re-set the reasonable value of true to prevent
Update xds for transparent proxy
2021-03-17 19:40:49 +00:00
// null-routing traffic.
ValidateClusters: makeBoolValue(true),
PR comments
2020-09-11 16:49:26 +00:00
}
Update xds for transparent proxy
2021-03-17 19:40:49 +00:00
resources = append(resources, route)
PR comments
2020-09-11 16:49:26 +00:00
}
Tgtwy egress HTTP support (#13953) * add golden files * add support to http in tgateway egress destination * fix slice sorting to include both address and port when using server_names * fix listener loop for http destination * fix routes to generate a route per port and a virtualhost per port-address combination * sort virtual hosts list to have a stable order * extract redundant serviceNode
2022-08-01 18:12:43 +00:00
addressesMap := make(map[string]map[string]string)
err := cfgSnap.ConnectProxy.DestinationsUpstream.ForEachKeyE(func(uid proxycfg.UpstreamID) error {
svcConfig, ok := cfgSnap.ConnectProxy.DestinationsUpstream.Get(uid)
if !ok || svcConfig == nil {
return nil
}
if !structs.IsProtocolHTTPLike(svcConfig.Protocol) {
// Routes can only be defined for HTTP services
return nil
}
for _, address := range svcConfig.Destination.Addresses {
routeName := clusterNameForDestination(cfgSnap, "~http", fmt.Sprintf("%d", svcConfig.Destination.Port), svcConfig.NamespaceOrDefault(), svcConfig.PartitionOrDefault())
if _, ok := addressesMap[routeName]; !ok {
addressesMap[routeName] = make(map[string]string)
}
// cluster name is unique per address/port so we should not be doing any override here
clusterName := clusterNameForDestination(cfgSnap, svcConfig.Name, address, svcConfig.NamespaceOrDefault(), svcConfig.PartitionOrDefault())
addressesMap[routeName][clusterName] = address
}
return nil
})
if err != nil {
return nil, err
}
for routeName, clusters := range addressesMap {
routes, err := s.makeRoutesForAddresses(routeName, clusters)
if err != nil {
return nil, err
}
if routes != nil {
resources = append(resources, routes...)
}
}
PR comments
2020-09-11 16:49:26 +00:00
// TODO(rb): make sure we don't generate an empty result
return resources, nil
}
Tgtwy egress HTTP support (#13953) * add golden files * add support to http in tgateway egress destination * fix slice sorting to include both address and port when using server_names * fix listener loop for http destination * fix routes to generate a route per port and a virtualhost per port-address combination * sort virtual hosts list to have a stable order * extract redundant serviceNode
2022-08-01 18:12:43 +00:00
func (s *ResourceGenerator) makeRoutesForAddresses(routeName string, addresses map[string]string) ([]proto.Message, error) {
var resources []proto.Message
route, err := makeNamedAddressesRoute(routeName, addresses)
if err != nil {
s.Logger.Error("failed to make route", "cluster", "error", err)
return nil, err
}
resources = append(resources, route)
return resources, nil
}
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
// routesFromSnapshotTerminatingGateway returns the xDS API representation of the "routes" in the snapshot.
// For any HTTP service we will return a default route.
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624) A mesh gateway will now configure the filter chains for L7 exported services using the correct discovery chain information.
2022-06-28 19:52:25 +00:00
func (s *ResourceGenerator) routesForTerminatingGateway(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error) {
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
if cfgSnap == nil {
return nil, errors.New("nil config given")
}
var resources []proto.Message
Restructure structs and other PR comments
2020-09-02 15:10:50 +00:00
for _, svc := range cfgSnap.TerminatingGateway.ValidServices() {
add partition to SNI when partition is non default (#10917)
2021-09-01 14:35:39 +00:00
clusterName := connect.ServiceSNI(svc.Name, "", svc.NamespaceOrDefault(), svc.PartitionOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain)
Tgtwy egress HTTP support (#13953) * add golden files * add support to http in tgateway egress destination * fix slice sorting to include both address and port when using server_names * fix listener loop for http destination * fix routes to generate a route per port and a virtualhost per port-address combination * sort virtual hosts list to have a stable order * extract redundant serviceNode
2022-08-01 18:12:43 +00:00
cfg, err := ParseProxyConfig(cfgSnap.TerminatingGateway.ServiceConfigs[svc].ProxyConfig)
if err != nil {
// Don't hard fail on a config typo, just warn. The parse func returns
// default config if there is an error so it's safe to continue.
s.Logger.Warn(
"failed to parse Proxy.Config",
"service", svc.String(),
"error", err,
)
}
if !structs.IsProtocolHTTPLike(cfg.Protocol) {
// Routes can only be defined for HTTP services
continue
}
feat: connect proxy xDS for destinations Signed-off-by: Dhia Ayachi <dhia@hashicorp.com>
2022-07-14 18:45:51 +00:00
routes, err := s.makeRoutes(cfgSnap, svc, clusterName, true)
Fix http assertion in route creation
2020-09-03 16:21:20 +00:00
if err != nil {
feat: connect proxy xDS for destinations Signed-off-by: Dhia Ayachi <dhia@hashicorp.com>
2022-07-14 18:45:51 +00:00
return nil, err
Fix http assertion in route creation
2020-09-03 16:21:20 +00:00
}
feat: connect proxy xDS for destinations Signed-off-by: Dhia Ayachi <dhia@hashicorp.com>
2022-07-14 18:45:51 +00:00
if routes != nil {
resources = append(resources, routes...)
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
}
feat: connect proxy xDS for destinations Signed-off-by: Dhia Ayachi <dhia@hashicorp.com>
2022-07-14 18:45:51 +00:00
}
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
feat: connect proxy xDS for destinations Signed-off-by: Dhia Ayachi <dhia@hashicorp.com>
2022-07-14 18:45:51 +00:00
for _, svc := range cfgSnap.TerminatingGateway.ValidDestinations() {
feat: convert destination address to slice
2022-07-18 21:10:06 +00:00
svcConfig := cfgSnap.TerminatingGateway.ServiceConfigs[svc]
for _, address := range svcConfig.Destination.Addresses {
clusterName := clusterNameForDestination(cfgSnap, svc.Name, address, svc.NamespaceOrDefault(), svc.PartitionOrDefault())
Tgtwy egress HTTP support (#13953) * add golden files * add support to http in tgateway egress destination * fix slice sorting to include both address and port when using server_names * fix listener loop for http destination * fix routes to generate a route per port and a virtualhost per port-address combination * sort virtual hosts list to have a stable order * extract redundant serviceNode
2022-08-01 18:12:43 +00:00
cfg, err := ParseProxyConfig(cfgSnap.TerminatingGateway.ServiceConfigs[svc].ProxyConfig)
if err != nil {
// Don't hard fail on a config typo, just warn. The parse func returns
// default config if there is an error so it's safe to continue.
s.Logger.Warn(
"failed to parse Proxy.Config",
"service", svc.String(),
"error", err,
)
}
if !structs.IsProtocolHTTPLike(cfg.Protocol) {
// Routes can only be defined for HTTP services
continue
}
feat: convert destination address to slice
2022-07-18 21:10:06 +00:00
routes, err := s.makeRoutes(cfgSnap, svc, clusterName, false)
if err != nil {
return nil, err
}
if routes != nil {
resources = append(resources, routes...)
}
Restructure structs and other PR comments
2020-09-02 15:10:50 +00:00
}
feat: connect proxy xDS for destinations Signed-off-by: Dhia Ayachi <dhia@hashicorp.com>
2022-07-14 18:45:51 +00:00
}
return resources, nil
}
func (s *ResourceGenerator) makeRoutes(
cfgSnap *proxycfg.ConfigSnapshot,
svc structs.ServiceName,
clusterName string,
autoHostRewrite bool) ([]proto.Message, error) {
resolver, hasResolver := cfgSnap.TerminatingGateway.ServiceResolvers[svc]
if !hasResolver {
// Use a zero value resolver with no timeout and no subsets
resolver = &structs.ServiceResolverConfigEntry{}
}
var resources []proto.Message
var lb *structs.LoadBalancer
if resolver.LoadBalancer != nil {
lb = resolver.LoadBalancer
}
Add ServiceResolver RequestTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable (#16495) * Leverage ServiceResolver ConnectTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable * Regenerate golden files * Add RequestTimeout field * Add changelog entry
2023-03-03 14:37:12 +00:00
route, err := makeNamedDefaultRouteWithLB(clusterName, lb, resolver.RequestTimeout, autoHostRewrite)
feat: connect proxy xDS for destinations Signed-off-by: Dhia Ayachi <dhia@hashicorp.com>
2022-07-14 18:45:51 +00:00
if err != nil {
s.Logger.Error("failed to make route", "cluster", clusterName, "error", err)
return nil, err
}
resources = append(resources, route)
// If there is a service-resolver for this service then also setup routes for each subset
for name := range resolver.Subsets {
clusterName = connect.ServiceSNI(svc.Name, name, svc.NamespaceOrDefault(), svc.PartitionOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain)
Add ServiceResolver RequestTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable (#16495) * Leverage ServiceResolver ConnectTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable * Regenerate golden files * Add RequestTimeout field * Add changelog entry
2023-03-03 14:37:12 +00:00
route, err := makeNamedDefaultRouteWithLB(clusterName, lb, resolver.RequestTimeout, true)
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
if err != nil {
Support Incremental xDS mode (#9855) This adds support for the Incremental xDS protocol when using xDS v3. This is best reviewed commit-by-commit and will not be squashed when merged. Union of all commit messages follows to give an overarching summary: xds: exclusively support incremental xDS when using xDS v3 Attempts to use SoTW via v3 will fail, much like attempts to use incremental via v2 will fail. Work around a strange older envoy behavior involving empty CDS responses over incremental xDS. xds: various cleanups and refactors that don't strictly concern the addition of incremental xDS support Dissolve the connectionInfo struct in favor of per-connection ResourceGenerators instead. Do a better job of ensuring the xds code uses a well configured logger that accurately describes the connected client. xds: pull out checkStreamACLs method in advance of a later commit xds: rewrite SoTW xDS protocol tests to use protobufs rather than hand-rolled json strings In the test we very lightly reuse some of the more boring protobuf construction helper code that is also technically under test. The important thing of the protocol tests is testing the protocol. The actual inputs and outputs are largely already handled by the xds golden output tests now so these protocol tests don't have to do double-duty. This also updates the SoTW protocol test to exclusively use xDS v2 which is the only variant of SoTW that will be supported in Consul 1.10. xds: default xds.Server.AuthCheckFrequency at use-time instead of construction-time
2021-04-29 18:54:05 +00:00
s.Logger.Error("failed to make route", "cluster", clusterName, "error", err)
feat: connect proxy xDS for destinations Signed-off-by: Dhia Ayachi <dhia@hashicorp.com>
2022-07-14 18:45:51 +00:00
return nil, err
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
}
resources = append(resources, route)
}
return resources, nil
}
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624) A mesh gateway will now configure the filter chains for L7 exported services using the correct discovery chain information.
2022-06-28 19:52:25 +00:00
func (s *ResourceGenerator) routesForMeshGateway(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error) {
if cfgSnap == nil {
return nil, errors.New("nil config given")
}
var resources []proto.Message
for _, svc := range cfgSnap.MeshGatewayValidExportedServices() {
chain := cfgSnap.MeshGateway.DiscoveryChain[svc]
if !structs.IsProtocolHTTPLike(chain.Protocol) {
xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629) When the protocol is http-like, and an intention has a peered source then the normal RBAC mTLS SAN field check is replaces with a joint combo of: mTLS SAN field must be the service's local mesh gateway leaf cert AND the first XFCC header (from the MGW) must have a URI field that matches the original intention source Also: - Update the regex program limit to be much higher than the teeny defaults, since the RBAC regex constructions are more complicated now. - Fix a few stray panics in xds generation.
2022-06-29 15:29:54 +00:00
continue // ignore; not relevant
}
if cfgSnap.MeshGateway.Leaf == nil {
continue // ignore; not ready
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624) A mesh gateway will now configure the filter chains for L7 exported services using the correct discovery chain information.
2022-06-28 19:52:25 +00:00
}
uid := proxycfg.NewUpstreamIDFromServiceName(svc)
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
virtualHost, err := s.makeUpstreamRouteForDiscoveryChain(
cfgSnap,
uid,
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624) A mesh gateway will now configure the filter chains for L7 exported services using the correct discovery chain information.
2022-06-28 19:52:25 +00:00
chain,
[]string{"*"},
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
true,
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624) A mesh gateway will now configure the filter chains for L7 exported services using the correct discovery chain information.
2022-06-28 19:52:25 +00:00
)
if err != nil {
return nil, err
}
route := &envoy_route_v3.RouteConfiguration{
Name: uid.EnvoyID(),
VirtualHosts: []*envoy_route_v3.VirtualHost{virtualHost},
// ValidateClusters defaults to true when defined statically and false
// when done via RDS. Re-set the reasonable value of true to prevent
// null-routing traffic.
ValidateClusters: makeBoolValue(true),
}
resources = append(resources, route)
}
return resources, nil
}
Add ServiceResolver RequestTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable (#16495) * Leverage ServiceResolver ConnectTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable * Regenerate golden files * Add RequestTimeout field * Add changelog entry
2023-03-03 14:37:12 +00:00
func makeNamedDefaultRouteWithLB(clusterName string, lb *structs.LoadBalancer, timeout time.Duration, autoHostRewrite bool) (*envoy_route_v3.RouteConfiguration, error) {
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
action := makeRouteActionFromName(clusterName)
Restructure structs and other PR comments
2020-09-02 15:10:50 +00:00
Remove LB infix and move injection to xds
2020-09-02 21:13:50 +00:00
if err := injectLBToRouteAction(lb, action.Route); err != nil {
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
return nil, fmt.Errorf("failed to apply load balancer configuration to route action: %v", err)
}
Auto Rewrite Host Headers for Terminating Gateways Tries to partially address https://github.com/hashicorp/consul/issues/8707
2020-10-23 09:53:29 +00:00
// Configure Envoy to rewrite Host header
if autoHostRewrite {
Merge branch 'master' of github.com:hashicorp/consul into tg-rewrite
2021-04-06 09:05:26 +00:00
action.Route.HostRewriteSpecifier = &envoy_route_v3.RouteAction_AutoHostRewrite{
Auto Rewrite Host Headers for Terminating Gateways Tries to partially address https://github.com/hashicorp/consul/issues/8707
2020-10-23 09:53:29 +00:00
AutoHostRewrite: makeBoolValue(true),
}
}
Add ServiceResolver RequestTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable (#16495) * Leverage ServiceResolver ConnectTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable * Regenerate golden files * Add RequestTimeout field * Add changelog entry
2023-03-03 14:37:12 +00:00
if timeout != 0 {
action.Route.Timeout = durationpb.New(timeout)
}
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
return &envoy_route_v3.RouteConfiguration{
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
Name: clusterName,
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
VirtualHosts: []*envoy_route_v3.VirtualHost{
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
{
Name: clusterName,
Domains: []string{"*"},
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
Routes: []*envoy_route_v3.Route{
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
{
Match: makeDefaultRouteMatch(),
Action: action,
},
},
},
},
// ValidateClusters defaults to true when defined statically and false
Replace use of 'sane' where appropriate HashiCorp voice, style, and language guidelines recommend avoiding ableist language unless its reference to ability is accurate in a particular use.
2021-07-02 16:18:46 +00:00
// when done via RDS. Re-set the reasonable value of true to prevent
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
// null-routing traffic.
ValidateClusters: makeBoolValue(true),
}, nil
}
Tgtwy egress HTTP support (#13953) * add golden files * add support to http in tgateway egress destination * fix slice sorting to include both address and port when using server_names * fix listener loop for http destination * fix routes to generate a route per port and a virtualhost per port-address combination * sort virtual hosts list to have a stable order * extract redundant serviceNode
2022-08-01 18:12:43 +00:00
func makeNamedAddressesRoute(routeName string, addresses map[string]string) (*envoy_route_v3.RouteConfiguration, error) {
route := &envoy_route_v3.RouteConfiguration{
Name: routeName,
// ValidateClusters defaults to true when defined statically and false
// when done via RDS. Re-set the reasonable value of true to prevent
// null-routing traffic.
ValidateClusters: makeBoolValue(true),
}
for clusterName, address := range addresses {
action := makeRouteActionFromName(clusterName)
virtualHost := &envoy_route_v3.VirtualHost{
Name: clusterName,
Domains: []string{address},
Routes: []*envoy_route_v3.Route{
{
Match: makeDefaultRouteMatch(),
Action: action,
},
},
}
route.VirtualHosts = append(route.VirtualHosts, virtualHost)
}
// sort virtual hosts to have a stable order
sort.SliceStable(route.VirtualHosts, func(i, j int) bool {
return route.VirtualHosts[i].Name > route.VirtualHosts[j].Name
})
return route, nil
}
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
// routesForIngressGateway returns the xDS API representation of the
Allow ingress gateways to route traffic based on Host header This commit adds the necessary changes to allow an ingress gateway to route traffic from a single defined port to multiple different upstream services in the Consul mesh. To do this, we now require all HTTP requests coming into the ingress gateway to specify a Host header that matches "<service-name>.*" in order to correctly route traffic to the correct service. - Differentiate multiple listener's route names by port - Adds a case in xds for allowing default discovery chains to create a route configuration when on an ingress gateway. This allows default services to easily use host header routing - ingress-gateways have a single route config for each listener that utilizes domain matching to route to different services.
2020-04-16 23:24:11 +00:00
// "routes" in the snapshot.
proxycfg: change how various proxycfg test helpers for making ConfigSnapshot copies works to be more correct and less error prone (#12531) Prior to this PR for the envoy xDS golden tests in the agent/xds package we were hand-creating a proxycfg.ConfigSnapshot structure in the proper format for input to the xDS generator. Over time this intermediate structure has gotten trickier to build correctly for the various tests. This PR proposes to switch to using the existing mechanism for turning a structs.NodeService and a sequence of cache.UpdateEvent copies into a proxycfg.ConfigSnapshot, as that is less error prone to construct and aligns more with how the data arrives. NOTE: almost all of this is in test-related code. I tried super hard to craft correct event inputs to get the golden files to be the same, or similar enough after construction to feel ok that i recreated the spirit of the original test cases.
2022-03-07 17:47:14 +00:00
func (s *ResourceGenerator) routesForIngressGateway(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error) {
Allow ingress gateways to route traffic based on Host header This commit adds the necessary changes to allow an ingress gateway to route traffic from a single defined port to multiple different upstream services in the Consul mesh. To do this, we now require all HTTP requests coming into the ingress gateway to specify a Host header that matches "<service-name>.*" in order to correctly route traffic to the correct service. - Differentiate multiple listener's route names by port - Adds a case in xds for allowing default discovery chains to create a route configuration when on an ingress gateway. This allows default services to easily use host header routing - ingress-gateways have a single route config for each listener that utilizes domain matching to route to different services.
2020-04-16 23:24:11 +00:00
var result []proto.Message
proxycfg: change how various proxycfg test helpers for making ConfigSnapshot copies works to be more correct and less error prone (#12531) Prior to this PR for the envoy xDS golden tests in the agent/xds package we were hand-creating a proxycfg.ConfigSnapshot structure in the proper format for input to the xDS generator. Over time this intermediate structure has gotten trickier to build correctly for the various tests. This PR proposes to switch to using the existing mechanism for turning a structs.NodeService and a sequence of cache.UpdateEvent copies into a proxycfg.ConfigSnapshot, as that is less error prone to construct and aligns more with how the data arrives. NOTE: almost all of this is in test-related code. I tried super hard to craft correct event inputs to get the golden files to be the same, or similar enough after construction to feel ok that i recreated the spirit of the original test cases.
2022-03-07 17:47:14 +00:00
for listenerKey, upstreams := range cfgSnap.IngressGateway.Upstreams {
Allow ingress gateways to route traffic based on Host header This commit adds the necessary changes to allow an ingress gateway to route traffic from a single defined port to multiple different upstream services in the Consul mesh. To do this, we now require all HTTP requests coming into the ingress gateway to specify a Host header that matches "<service-name>.*" in order to correctly route traffic to the correct service. - Differentiate multiple listener's route names by port - Adds a case in xds for allowing default discovery chains to create a route configuration when on an ingress gateway. This allows default services to easily use host header routing - ingress-gateways have a single route config for each listener that utilizes domain matching to route to different services.
2020-04-16 23:24:11 +00:00
// Do not create any route configuration for TCP listeners
if listenerKey.Protocol == "tcp" {
continue
}
Update xDS routes to support ingress services with different TLS config
2021-08-24 14:25:22 +00:00
// Depending on their TLS config, upstreams are either attached to the
// default route or have their own routes. We'll add any upstreams that
// don't have custom filter chains and routes to this.
defaultRoute := &envoy_route_v3.RouteConfiguration{
Allow ingress gateways to route traffic based on Host header This commit adds the necessary changes to allow an ingress gateway to route traffic from a single defined port to multiple different upstream services in the Consul mesh. To do this, we now require all HTTP requests coming into the ingress gateway to specify a Host header that matches "<service-name>.*" in order to correctly route traffic to the correct service. - Differentiate multiple listener's route names by port - Adds a case in xds for allowing default discovery chains to create a route configuration when on an ingress gateway. This allows default services to easily use host header routing - ingress-gateways have a single route config for each listener that utilizes domain matching to route to different services.
2020-04-16 23:24:11 +00:00
Name: listenerKey.RouteName(),
// ValidateClusters defaults to true when defined statically and false
Replace use of 'sane' where appropriate HashiCorp voice, style, and language guidelines recommend avoiding ableist language unless its reference to ability is accurate in a particular use.
2021-07-02 16:18:46 +00:00
// when done via RDS. Re-set the reasonable value of true to prevent
Allow ingress gateways to route traffic based on Host header This commit adds the necessary changes to allow an ingress gateway to route traffic from a single defined port to multiple different upstream services in the Consul mesh. To do this, we now require all HTTP requests coming into the ingress gateway to specify a Host header that matches "<service-name>.*" in order to correctly route traffic to the correct service. - Differentiate multiple listener's route names by port - Adds a case in xds for allowing default discovery chains to create a route configuration when on an ingress gateway. This allows default services to easily use host header routing - ingress-gateways have a single route config for each listener that utilizes domain matching to route to different services.
2020-04-16 23:24:11 +00:00
// null-routing traffic.
ValidateClusters: makeBoolValue(true),
}
Update xDS routes to support ingress services with different TLS config
2021-08-24 14:25:22 +00:00
Allow ingress gateways to route traffic based on Host header This commit adds the necessary changes to allow an ingress gateway to route traffic from a single defined port to multiple different upstream services in the Consul mesh. To do this, we now require all HTTP requests coming into the ingress gateway to specify a Host header that matches "<service-name>.*" in order to correctly route traffic to the correct service. - Differentiate multiple listener's route names by port - Adds a case in xds for allowing default discovery chains to create a route configuration when on an ingress gateway. This allows default services to easily use host header routing - ingress-gateways have a single route config for each listener that utilizes domain matching to route to different services.
2020-04-16 23:24:11 +00:00
for _, u := range upstreams {
proxycfg: introduce explicit UpstreamID in lieu of bare string (#12125) The gist here is that now we use a value-type struct proxycfg.UpstreamID as the map key in ConfigSnapshot maps where we used to use "upstream id-ish" strings. These are internal only and used just for bidirectional trips through the agent cache keyspace (like the discovery chain target struct). For the few places where the upstream id needs to be projected into xDS, that's what (proxycfg.UpstreamID).EnvoyID() is for. This lets us ALWAYS inject the partition and namespace into these things without making stuff like the golden testdata diverge.
2022-01-20 16:12:04 +00:00
uid := proxycfg.NewUpstreamID(&u)
proxycfg: change how various proxycfg test helpers for making ConfigSnapshot copies works to be more correct and less error prone (#12531) Prior to this PR for the envoy xDS golden tests in the agent/xds package we were hand-creating a proxycfg.ConfigSnapshot structure in the proper format for input to the xDS generator. Over time this intermediate structure has gotten trickier to build correctly for the various tests. This PR proposes to switch to using the existing mechanism for turning a structs.NodeService and a sequence of cache.UpdateEvent copies into a proxycfg.ConfigSnapshot, as that is less error prone to construct and aligns more with how the data arrives. NOTE: almost all of this is in test-related code. I tried super hard to craft correct event inputs to get the golden files to be the same, or similar enough after construction to feel ok that i recreated the spirit of the original test cases.
2022-03-07 17:47:14 +00:00
chain := cfgSnap.IngressGateway.DiscoveryChain[uid]
Allow Hosts field to be set on an ingress config entry - Validate that this cannot be set on a 'tcp' listener nor on a wildcard service. - Add Hosts field to api and test in consul config write CLI - xds: Configure envoy with user-provided hosts from ingress gateways
2020-04-23 15:06:19 +00:00
if chain == nil {
continue
}
Append port number to ingress host domain (#8190) A port can be sent in the Host header as defined in the HTTP RFC, so we take any hosts that we want to match traffic to and also add another host with the listener port added. Also fix an issue with envoy integration tests not running the case-ingress-gateway-tls test.
2020-07-07 15:43:04 +00:00
domains := generateUpstreamIngressDomains(listenerKey, u)
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
virtualHost, err := s.makeUpstreamRouteForDiscoveryChain(cfgSnap, uid, chain, domains, false)
Allow Hosts field to be set on an ingress config entry - Validate that this cannot be set on a 'tcp' listener nor on a wildcard service. - Add Hosts field to api and test in consul config write CLI - xds: Configure envoy with user-provided hosts from ingress gateways
2020-04-23 15:06:19 +00:00
if err != nil {
return nil, err
Allow ingress gateways to route traffic based on Host header This commit adds the necessary changes to allow an ingress gateway to route traffic from a single defined port to multiple different upstream services in the Consul mesh. To do this, we now require all HTTP requests coming into the ingress gateway to specify a Host header that matches "<service-name>.*" in order to correctly route traffic to the correct service. - Differentiate multiple listener's route names by port - Adds a case in xds for allowing default discovery chains to create a route configuration when on an ingress gateway. This allows default services to easily use host header routing - ingress-gateways have a single route config for each listener that utilizes domain matching to route to different services.
2020-04-16 23:24:11 +00:00
}
Ingress gateway header manip plumbing
2021-07-13 12:53:59 +00:00
Update xDS routes to support ingress services with different TLS config
2021-08-24 14:25:22 +00:00
// Lookup listener and service config details from ingress gateway
// definition.
proxycfg: change how various proxycfg test helpers for making ConfigSnapshot copies works to be more correct and less error prone (#12531) Prior to this PR for the envoy xDS golden tests in the agent/xds package we were hand-creating a proxycfg.ConfigSnapshot structure in the proper format for input to the xDS generator. Over time this intermediate structure has gotten trickier to build correctly for the various tests. This PR proposes to switch to using the existing mechanism for turning a structs.NodeService and a sequence of cache.UpdateEvent copies into a proxycfg.ConfigSnapshot, as that is less error prone to construct and aligns more with how the data arrives. NOTE: almost all of this is in test-related code. I tried super hard to craft correct event inputs to get the golden files to be the same, or similar enough after construction to feel ok that i recreated the spirit of the original test cases.
2022-03-07 17:47:14 +00:00
lCfg, ok := cfgSnap.IngressGateway.Listeners[listenerKey]
Update xDS routes to support ingress services with different TLS config
2021-08-24 14:25:22 +00:00
if !ok {
proxycfg: change how various proxycfg test helpers for making ConfigSnapshot copies works to be more correct and less error prone (#12531) Prior to this PR for the envoy xDS golden tests in the agent/xds package we were hand-creating a proxycfg.ConfigSnapshot structure in the proper format for input to the xDS generator. Over time this intermediate structure has gotten trickier to build correctly for the various tests. This PR proposes to switch to using the existing mechanism for turning a structs.NodeService and a sequence of cache.UpdateEvent copies into a proxycfg.ConfigSnapshot, as that is less error prone to construct and aligns more with how the data arrives. NOTE: almost all of this is in test-related code. I tried super hard to craft correct event inputs to get the golden files to be the same, or similar enough after construction to feel ok that i recreated the spirit of the original test cases.
2022-03-07 17:47:14 +00:00
return nil, fmt.Errorf("missing ingress listener config (service %q listener on proto/port %s/%d)",
u.DestinationID(), listenerKey.Protocol, listenerKey.Port)
Update xDS routes to support ingress services with different TLS config
2021-08-24 14:25:22 +00:00
}
svc := findIngressServiceMatchingUpstream(lCfg, u)
if svc == nil {
proxycfg: change how various proxycfg test helpers for making ConfigSnapshot copies works to be more correct and less error prone (#12531) Prior to this PR for the envoy xDS golden tests in the agent/xds package we were hand-creating a proxycfg.ConfigSnapshot structure in the proper format for input to the xDS generator. Over time this intermediate structure has gotten trickier to build correctly for the various tests. This PR proposes to switch to using the existing mechanism for turning a structs.NodeService and a sequence of cache.UpdateEvent copies into a proxycfg.ConfigSnapshot, as that is less error prone to construct and aligns more with how the data arrives. NOTE: almost all of this is in test-related code. I tried super hard to craft correct event inputs to get the golden files to be the same, or similar enough after construction to feel ok that i recreated the spirit of the original test cases.
2022-03-07 17:47:14 +00:00
return nil, fmt.Errorf("missing service in listener config (service %q listener on proto/port %s/%d)",
u.DestinationID(), listenerKey.Protocol, listenerKey.Port)
Update xDS routes to support ingress services with different TLS config
2021-08-24 14:25:22 +00:00
}
if err := injectHeaderManipToVirtualHost(svc, virtualHost); err != nil {
return nil, err
}
Minor PR typo and cleanup fixes
2021-09-13 12:03:16 +00:00
// See if this upstream has its own route/filter chain
svcRouteName := routeNameForUpstream(lCfg, *svc)
Ingress gateway header manip plumbing
2021-07-13 12:53:59 +00:00
Update xDS routes to support ingress services with different TLS config
2021-08-24 14:25:22 +00:00
// If the routeName is the same as the default one, merge the virtual host
// to the default route
if svcRouteName == defaultRoute.Name {
defaultRoute.VirtualHosts = append(defaultRoute.VirtualHosts, virtualHost)
} else {
svcRoute := &envoy_route_v3.RouteConfiguration{
Name: svcRouteName,
ValidateClusters: makeBoolValue(true),
VirtualHosts: []*envoy_route_v3.VirtualHost{virtualHost},
}
result = append(result, svcRoute)
}
Allow ingress gateways to route traffic based on Host header This commit adds the necessary changes to allow an ingress gateway to route traffic from a single defined port to multiple different upstream services in the Consul mesh. To do this, we now require all HTTP requests coming into the ingress gateway to specify a Host header that matches "<service-name>.*" in order to correctly route traffic to the correct service. - Differentiate multiple listener's route names by port - Adds a case in xds for allowing default discovery chains to create a route configuration when on an ingress gateway. This allows default services to easily use host header routing - ingress-gateways have a single route config for each listener that utilizes domain matching to route to different services.
2020-04-16 23:24:11 +00:00
}
Update xDS routes to support ingress services with different TLS config
2021-08-24 14:25:22 +00:00
if len(defaultRoute.VirtualHosts) > 0 {
result = append(result, defaultRoute)
}
Allow ingress gateways to route traffic based on Host header This commit adds the necessary changes to allow an ingress gateway to route traffic from a single defined port to multiple different upstream services in the Consul mesh. To do this, we now require all HTTP requests coming into the ingress gateway to specify a Host header that matches "<service-name>.*" in order to correctly route traffic to the correct service. - Differentiate multiple listener's route names by port - Adds a case in xds for allowing default discovery chains to create a route configuration when on an ingress gateway. This allows default services to easily use host header routing - ingress-gateways have a single route config for each listener that utilizes domain matching to route to different services.
2020-04-16 23:24:11 +00:00
}
return result, nil
}
Ingress gateway header manip plumbing
2021-07-13 12:53:59 +00:00
func makeHeadersValueOptions(vals map[string]string, add bool) []*envoy_core_v3.HeaderValueOption {
opts := make([]*envoy_core_v3.HeaderValueOption, 0, len(vals))
for k, v := range vals {
o := &envoy_core_v3.HeaderValueOption{
Header: &envoy_core_v3.HeaderValue{
Key: k,
Value: v,
},
Append: makeBoolValue(add),
}
opts = append(opts, o)
}
return opts
}
func findIngressServiceMatchingUpstream(l structs.IngressListener, u structs.Upstream) *structs.IngressService {
// Hunt through for the matching service. We validate now that there is
// only one IngressService for each unique name although originally that
// wasn't checked as it didn't matter. Assume there is only one now
// though!
[OSS] Add Peer field to service-defaults upstream overrides (#15956) * Add Peer field to service-defaults upstream overrides. * add api changes, compat mode for service default overrides * Fixes based on testing --------- Co-authored-by: DanStough <dan.stough@hashicorp.com>
2023-02-03 15:51:53 +00:00
wantSID := u.DestinationID().ServiceName.ToServiceID()
Update xDS routes to support ingress services with different TLS config
2021-08-24 14:25:22 +00:00
var foundSameNSWildcard *structs.IngressService
Ingress gateway header manip plumbing
2021-07-13 12:53:59 +00:00
for _, s := range l.Services {
sid := structs.NewServiceID(s.Name, &s.EnterpriseMeta)
if wantSID.Matches(sid) {
return &s
}
Update xDS routes to support ingress services with different TLS config
2021-08-24 14:25:22 +00:00
if s.Name == structs.WildcardSpecifier &&
Fix subtle loop bug and add test
2021-09-22 15:05:11 +00:00
s.NamespaceOrDefault() == wantSID.NamespaceOrDefault() &&
s.PartitionOrDefault() == wantSID.PartitionOrDefault() {
// Make a copy so we don't take a reference to the loop variable
found := s
foundSameNSWildcard = &found
Update xDS routes to support ingress services with different TLS config
2021-08-24 14:25:22 +00:00
}
Ingress gateway header manip plumbing
2021-07-13 12:53:59 +00:00
}
Update xDS routes to support ingress services with different TLS config
2021-08-24 14:25:22 +00:00
// Didn't find an exact match. Return the wildcard from same service if we
// found one.
return foundSameNSWildcard
Ingress gateway header manip plumbing
2021-07-13 12:53:59 +00:00
}
Append port number to ingress host domain (#8190) A port can be sent in the Host header as defined in the HTTP RFC, so we take any hosts that we want to match traffic to and also add another host with the listener port added. Also fix an issue with envoy integration tests not running the case-ingress-gateway-tls test.
2020-07-07 15:43:04 +00:00
func generateUpstreamIngressDomains(listenerKey proxycfg.IngressListenerKey, u structs.Upstream) []string {
var domains []string
domainsSet := make(map[string]bool)
namespace := u.GetEnterpriseMeta().NamespaceOrDefault()
switch {
case len(u.IngressHosts) > 0:
// If a user has specified hosts, do not add the default
// "<service-name>.ingress.*" prefixes
domains = u.IngressHosts
case namespace != structs.IntentionDefaultNamespace:
domains = []string{fmt.Sprintf("%s.ingress.%s.*", u.DestinationName, namespace)}
default:
domains = []string{fmt.Sprintf("%s.ingress.*", u.DestinationName)}
}
for _, h := range domains {
domainsSet[h] = true
}
// Host headers may contain port numbers in them, so we need to make sure
// we match on the host with and without the port number. Well-known
// ports like HTTP/HTTPS are stripped from Host headers, but other ports
// will be in the header.
for _, h := range domains {
_, _, err := net.SplitHostPort(h)
// Error message from Go's net/ipsock.go
// We check to see if a port is not missing, and ignore the
// error from SplitHostPort otherwise, since we have previously
// validated the Host values and should trust the user's input.
if err == nil || !strings.Contains(err.Error(), "missing port in address") {
continue
}
domainWithPort := fmt.Sprintf("%s:%d", h, listenerKey.Port)
// Do not add a duplicate domain if a hostname with port is already in the
// set
if !domainsSet[domainWithPort] {
domains = append(domains, domainWithPort)
}
}
return domains
}
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
func (s *ResourceGenerator) makeUpstreamRouteForDiscoveryChain(
cfgSnap *proxycfg.ConfigSnapshot,
uid proxycfg.UpstreamID,
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
chain *structs.CompiledDiscoveryChain,
Allow Hosts field to be set on an ingress config entry - Validate that this cannot be set on a 'tcp' listener nor on a wildcard service. - Add Hosts field to api and test in consul config write CLI - xds: Configure envoy with user-provided hosts from ingress gateways
2020-04-23 15:06:19 +00:00
serviceDomains []string,
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
forMeshGateway bool,
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
) (*envoy_route_v3.VirtualHost, error) {
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
routeName := uid.EnvoyID()
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
var routes []*envoy_route_v3.Route
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
connect: simplify the compiled discovery chain data structures (#6242) This should make them better for sending over RPC or the API. Instead of a chain implemented explicitly like a linked list (nodes holding pointers to other nodes) instead switch to a flat map of named nodes with nodes linking other other nodes by name. The shipped structure is just a map and a string to indicate which key to start from. Other changes: * inline the compiler option InferDefaults as true * introduce compiled target config to avoid needing to send back additional maps of Resolvers; future target-specific compiled state can go here * move compiled MeshGateway out of the Resolver and into the TargetConfig where it makes more sense.
2019-08-02 03:44:05 +00:00
startNode := chain.Nodes[chain.StartNode]
if startNode == nil {
connect: use stronger validation that ingress gateways have compatible protocols defined for their upstreams (#8470) Fixes #8466 Since Consul 1.8.0 there was a bug in how ingress gateway protocol compatibility was enforced. At the point in time that an ingress-gateway config entry was modified the discovery chain for each upstream was checked to ensure the ingress gateway protocol matched. Unfortunately future modifications of other config entries were not validated against existing ingress-gateway definitions, such as: 1. create tcp ingress-gateway pointing to 'api' (ok) 2. create service-defaults for 'api' setting protocol=http (worked, but not ok) 3. create service-splitter or service-router for 'api' (worked, but caused an agent panic) If you were to do these in a different order, it would fail without a crash: 1. create service-defaults for 'api' setting protocol=http (ok) 2. create service-splitter or service-router for 'api' (ok) 3. create tcp ingress-gateway pointing to 'api' (fail with message about protocol mismatch) This PR introduces the missing validation. The two new behaviors are: 1. create tcp ingress-gateway pointing to 'api' (ok) 2. (NEW) create service-defaults for 'api' setting protocol=http ("ok" for back compat) 3. (NEW) create service-splitter or service-router for 'api' (fail with message about protocol mismatch) In consideration for any existing users that may be inadvertently be falling into item (2) above, that is now officiall a valid configuration to be in. For anyone falling into item (3) above while you cannot use the API to manufacture that scenario anymore, anyone that has old (now bad) data will still be able to have the agent use them just enough to generate a new agent/proxycfg error message rather than a panic. Unfortunately we just don't have enough information to properly fix the config entries.
2020-08-12 16:19:20 +00:00
return nil, fmt.Errorf("missing first node in compiled discovery chain for: %s", chain.ServiceName)
connect: simplify the compiled discovery chain data structures (#6242) This should make them better for sending over RPC or the API. Instead of a chain implemented explicitly like a linked list (nodes holding pointers to other nodes) instead switch to a flat map of named nodes with nodes linking other other nodes by name. The shipped structure is just a map and a string to indicate which key to start from. Other changes: * inline the compiler option InferDefaults as true * introduce compiled target config to avoid needing to send back additional maps of Resolvers; future target-specific compiled state can go here * move compiled MeshGateway out of the Resolver and into the TargetConfig where it makes more sense.
2019-08-02 03:44:05 +00:00
}
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
upstreamsSnapshot, err := cfgSnap.ToConfigSnapshotUpstreams()
if err != nil && !forMeshGateway {
return nil, err
}
connect: simplify the compiled discovery chain data structures (#6242) This should make them better for sending over RPC or the API. Instead of a chain implemented explicitly like a linked list (nodes holding pointers to other nodes) instead switch to a flat map of named nodes with nodes linking other other nodes by name. The shipped structure is just a map and a string to indicate which key to start from. Other changes: * inline the compiler option InferDefaults as true * introduce compiled target config to avoid needing to send back additional maps of Resolvers; future target-specific compiled state can go here * move compiled MeshGateway out of the Resolver and into the TargetConfig where it makes more sense.
2019-08-02 03:44:05 +00:00
switch startNode.Type {
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
case structs.DiscoveryGraphNodeTypeRouter:
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
routes = make([]*envoy_route_v3.Route, 0, len(startNode.Routes))
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
connect: simplify the compiled discovery chain data structures (#6242) This should make them better for sending over RPC or the API. Instead of a chain implemented explicitly like a linked list (nodes holding pointers to other nodes) instead switch to a flat map of named nodes with nodes linking other other nodes by name. The shipped structure is just a map and a string to indicate which key to start from. Other changes: * inline the compiler option InferDefaults as true * introduce compiled target config to avoid needing to send back additional maps of Resolvers; future target-specific compiled state can go here * move compiled MeshGateway out of the Resolver and into the TargetConfig where it makes more sense.
2019-08-02 03:44:05 +00:00
for _, discoveryRoute := range startNode.Routes {
Support Incremental xDS mode (#9855) This adds support for the Incremental xDS protocol when using xDS v3. This is best reviewed commit-by-commit and will not be squashed when merged. Union of all commit messages follows to give an overarching summary: xds: exclusively support incremental xDS when using xDS v3 Attempts to use SoTW via v3 will fail, much like attempts to use incremental via v2 will fail. Work around a strange older envoy behavior involving empty CDS responses over incremental xDS. xds: various cleanups and refactors that don't strictly concern the addition of incremental xDS support Dissolve the connectionInfo struct in favor of per-connection ResourceGenerators instead. Do a better job of ensuring the xds code uses a well configured logger that accurately describes the connected client. xds: pull out checkStreamACLs method in advance of a later commit xds: rewrite SoTW xDS protocol tests to use protobufs rather than hand-rolled json strings In the test we very lightly reuse some of the more boring protobuf construction helper code that is also technically under test. The important thing of the protocol tests is testing the protocol. The actual inputs and outputs are largely already handled by the xds golden output tests now so these protocol tests don't have to do double-duty. This also updates the SoTW protocol test to exclusively use xDS v2 which is the only variant of SoTW that will be supported in Consul 1.10. xds: default xds.Server.AuthCheckFrequency at use-time instead of construction-time
2021-04-29 18:54:05 +00:00
routeMatch := makeRouteMatchForDiscoveryRoute(discoveryRoute)
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
var (
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
routeAction *envoy_route_v3.Route_Route
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
err error
)
connect: simplify the compiled discovery chain data structures (#6242) This should make them better for sending over RPC or the API. Instead of a chain implemented explicitly like a linked list (nodes holding pointers to other nodes) instead switch to a flat map of named nodes with nodes linking other other nodes by name. The shipped structure is just a map and a string to indicate which key to start from. Other changes: * inline the compiler option InferDefaults as true * introduce compiled target config to avoid needing to send back additional maps of Resolvers; future target-specific compiled state can go here * move compiled MeshGateway out of the Resolver and into the TargetConfig where it makes more sense.
2019-08-02 03:44:05 +00:00
nextNode := chain.Nodes[discoveryRoute.NextNode]
PR comments
2020-09-11 16:49:26 +00:00
var lb *structs.LoadBalancer
Restructure structs and other PR comments
2020-09-02 15:10:50 +00:00
if nextNode.LoadBalancer != nil {
Revert EnvoyConfig nesting
2020-09-11 15:21:43 +00:00
lb = nextNode.LoadBalancer
Restructure structs and other PR comments
2020-09-02 15:10:50 +00:00
}
connect: simplify the compiled discovery chain data structures (#6242) This should make them better for sending over RPC or the API. Instead of a chain implemented explicitly like a linked list (nodes holding pointers to other nodes) instead switch to a flat map of named nodes with nodes linking other other nodes by name. The shipped structure is just a map and a string to indicate which key to start from. Other changes: * inline the compiler option InferDefaults as true * introduce compiled target config to avoid needing to send back additional maps of Resolvers; future target-specific compiled state can go here * move compiled MeshGateway out of the Resolver and into the TargetConfig where it makes more sense.
2019-08-02 03:44:05 +00:00
switch nextNode.Type {
case structs.DiscoveryGraphNodeTypeSplitter:
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
routeAction, err = s.makeRouteActionForSplitter(upstreamsSnapshot, nextNode.Splits, chain, forMeshGateway)
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
if err != nil {
connect: upgrade github.com/envoyproxy/go-control-plane to v0.9.5 (#8165)
2020-06-23 20:19:56 +00:00
return nil, err
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
}
connect: simplify the compiled discovery chain data structures (#6242) This should make them better for sending over RPC or the API. Instead of a chain implemented explicitly like a linked list (nodes holding pointers to other nodes) instead switch to a flat map of named nodes with nodes linking other other nodes by name. The shipped structure is just a map and a string to indicate which key to start from. Other changes: * inline the compiler option InferDefaults as true * introduce compiled target config to avoid needing to send back additional maps of Resolvers; future target-specific compiled state can go here * move compiled MeshGateway out of the Resolver and into the TargetConfig where it makes more sense.
2019-08-02 03:44:05 +00:00
case structs.DiscoveryGraphNodeTypeResolver:
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
ra, ok := s.makeRouteActionForChainCluster(upstreamsSnapshot, nextNode.Resolver.Target, chain, forMeshGateway)
if !ok {
continue
}
routeAction = ra
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
connect: simplify the compiled discovery chain data structures (#6242) This should make them better for sending over RPC or the API. Instead of a chain implemented explicitly like a linked list (nodes holding pointers to other nodes) instead switch to a flat map of named nodes with nodes linking other other nodes by name. The shipped structure is just a map and a string to indicate which key to start from. Other changes: * inline the compiler option InferDefaults as true * introduce compiled target config to avoid needing to send back additional maps of Resolvers; future target-specific compiled state can go here * move compiled MeshGateway out of the Resolver and into the TargetConfig where it makes more sense.
2019-08-02 03:44:05 +00:00
default:
connect: upgrade github.com/envoyproxy/go-control-plane to v0.9.5 (#8165)
2020-06-23 20:19:56 +00:00
return nil, fmt.Errorf("unexpected graph node after route %q", nextNode.Type)
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
}
Header manip for service-router plumbed through
2021-07-13 15:15:04 +00:00
if err := injectLBToRouteAction(lb, routeAction.Route); err != nil {
return nil, fmt.Errorf("failed to apply load balancer configuration to route action: %v", err)
}
implement some missing service-router features and add more xDS testing (#6065) - also implement OnlyPassing filters for non-gateway clusters
2019-07-12 19:16:21 +00:00
// TODO(rb): Better help handle the envoy case where you need (prefix=/foo/,rewrite=/) and (exact=/foo,rewrite=/) to do a full rewrite
destination := discoveryRoute.Definition.Destination
Header manip for service-router plumbed through
2021-07-13 15:15:04 +00:00
route := &envoy_route_v3.Route{}
implement some missing service-router features and add more xDS testing (#6065) - also implement OnlyPassing filters for non-gateway clusters
2019-07-12 19:16:21 +00:00
if destination != nil {
if destination.PrefixRewrite != "" {
routeAction.Route.PrefixRewrite = destination.PrefixRewrite
}
if destination.RequestTimeout > 0 {
Fix proto lint errors after version bump
2022-05-25 01:44:54 +00:00
routeAction.Route.Timeout = durationpb.New(destination.RequestTimeout)
implement some missing service-router features and add more xDS testing (#6065) - also implement OnlyPassing filters for non-gateway clusters
2019-07-12 19:16:21 +00:00
}
Add support for configuring Envoys route idle_timeout (#14340) * Add idleTimeout Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Dhia Ayachi <dhia@hashicorp.com>
2022-11-29 22:43:15 +00:00
if destination.IdleTimeout > 0 {
routeAction.Route.IdleTimeout = durationpb.New(destination.IdleTimeout)
}
implement some missing service-router features and add more xDS testing (#6065) - also implement OnlyPassing filters for non-gateway clusters
2019-07-12 19:16:21 +00:00
if destination.HasRetryFeatures() {
Add the ability to retry on reset connection to service-routers (#12890)
2022-10-05 17:06:44 +00:00
routeAction.Route.RetryPolicy = getRetryPolicyForDestination(destination)
implement some missing service-router features and add more xDS testing (#6065) - also implement OnlyPassing filters for non-gateway clusters
2019-07-12 19:16:21 +00:00
}
Header manip for service-router plumbed through
2021-07-13 15:15:04 +00:00
if err := injectHeaderManipToRoute(destination, route); err != nil {
return nil, fmt.Errorf("failed to apply header manipulation configuration to route: %v", err)
}
implement some missing service-router features and add more xDS testing (#6065) - also implement OnlyPassing filters for non-gateway clusters
2019-07-12 19:16:21 +00:00
}
Header manip for service-router plumbed through
2021-07-13 15:15:04 +00:00
route.Match = routeMatch
route.Action = routeAction
routes = append(routes, route)
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
}
case structs.DiscoveryGraphNodeTypeSplitter:
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
routeAction, err := s.makeRouteActionForSplitter(upstreamsSnapshot, startNode.Splits, chain, forMeshGateway)
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
if err != nil {
connect: upgrade github.com/envoyproxy/go-control-plane to v0.9.5 (#8165)
2020-06-23 20:19:56 +00:00
return nil, err
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
}
PR comments
2020-09-11 16:49:26 +00:00
var lb *structs.LoadBalancer
Restructure structs and other PR comments
2020-09-02 15:10:50 +00:00
if startNode.LoadBalancer != nil {
Revert EnvoyConfig nesting
2020-09-11 15:21:43 +00:00
lb = startNode.LoadBalancer
Restructure structs and other PR comments
2020-09-02 15:10:50 +00:00
}
Remove LB infix and move injection to xds
2020-09-02 21:13:50 +00:00
if err := injectLBToRouteAction(lb, routeAction.Route); err != nil {
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
return nil, fmt.Errorf("failed to apply load balancer configuration to route action: %v", err)
}
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
defaultRoute := &envoy_route_v3.Route{
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
Match: makeDefaultRouteMatch(),
Action: routeAction,
}
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
routes = []*envoy_route_v3.Route{defaultRoute}
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
connect: simplify the compiled discovery chain data structures (#6242) This should make them better for sending over RPC or the API. Instead of a chain implemented explicitly like a linked list (nodes holding pointers to other nodes) instead switch to a flat map of named nodes with nodes linking other other nodes by name. The shipped structure is just a map and a string to indicate which key to start from. Other changes: * inline the compiler option InferDefaults as true * introduce compiled target config to avoid needing to send back additional maps of Resolvers; future target-specific compiled state can go here * move compiled MeshGateway out of the Resolver and into the TargetConfig where it makes more sense.
2019-08-02 03:44:05 +00:00
case structs.DiscoveryGraphNodeTypeResolver:
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
routeAction, ok := s.makeRouteActionForChainCluster(upstreamsSnapshot, startNode.Resolver.Target, chain, forMeshGateway)
if !ok {
break
}
PR comments
2020-09-11 16:49:26 +00:00
var lb *structs.LoadBalancer
Restructure structs and other PR comments
2020-09-02 15:10:50 +00:00
if startNode.LoadBalancer != nil {
Revert EnvoyConfig nesting
2020-09-11 15:21:43 +00:00
lb = startNode.LoadBalancer
Restructure structs and other PR comments
2020-09-02 15:10:50 +00:00
}
Remove LB infix and move injection to xds
2020-09-02 21:13:50 +00:00
if err := injectLBToRouteAction(lb, routeAction.Route); err != nil {
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
return nil, fmt.Errorf("failed to apply load balancer configuration to route action: %v", err)
}
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
Add ServiceResolver RequestTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable (#16495) * Leverage ServiceResolver ConnectTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable * Regenerate golden files * Add RequestTimeout field * Add changelog entry
2023-03-03 14:37:12 +00:00
if startNode.Resolver.RequestTimeout > 0 {
routeAction.Route.Timeout = durationpb.New(startNode.Resolver.RequestTimeout)
}
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
defaultRoute := &envoy_route_v3.Route{
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
Match: makeDefaultRouteMatch(),
Action: routeAction,
}
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
routes = []*envoy_route_v3.Route{defaultRoute}
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
default:
connect: use stronger validation that ingress gateways have compatible protocols defined for their upstreams (#8470) Fixes #8466 Since Consul 1.8.0 there was a bug in how ingress gateway protocol compatibility was enforced. At the point in time that an ingress-gateway config entry was modified the discovery chain for each upstream was checked to ensure the ingress gateway protocol matched. Unfortunately future modifications of other config entries were not validated against existing ingress-gateway definitions, such as: 1. create tcp ingress-gateway pointing to 'api' (ok) 2. create service-defaults for 'api' setting protocol=http (worked, but not ok) 3. create service-splitter or service-router for 'api' (worked, but caused an agent panic) If you were to do these in a different order, it would fail without a crash: 1. create service-defaults for 'api' setting protocol=http (ok) 2. create service-splitter or service-router for 'api' (ok) 3. create tcp ingress-gateway pointing to 'api' (fail with message about protocol mismatch) This PR introduces the missing validation. The two new behaviors are: 1. create tcp ingress-gateway pointing to 'api' (ok) 2. (NEW) create service-defaults for 'api' setting protocol=http ("ok" for back compat) 3. (NEW) create service-splitter or service-router for 'api' (fail with message about protocol mismatch) In consideration for any existing users that may be inadvertently be falling into item (2) above, that is now officiall a valid configuration to be in. For anyone falling into item (3) above while you cannot use the API to manufacture that scenario anymore, anyone that has old (now bad) data will still be able to have the agent use them just enough to generate a new agent/proxycfg error message rather than a panic. Unfortunately we just don't have enough information to properly fix the config entries.
2020-08-12 16:19:20 +00:00
return nil, fmt.Errorf("unknown first node in discovery chain of type: %s", startNode.Type)
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
}
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
host := &envoy_route_v3.VirtualHost{
Allow ingress gateways to route traffic based on Host header This commit adds the necessary changes to allow an ingress gateway to route traffic from a single defined port to multiple different upstream services in the Consul mesh. To do this, we now require all HTTP requests coming into the ingress gateway to specify a Host header that matches "<service-name>.*" in order to correctly route traffic to the correct service. - Differentiate multiple listener's route names by port - Adds a case in xds for allowing default discovery chains to create a route configuration when on an ingress gateway. This allows default services to easily use host header routing - ingress-gateways have a single route config for each listener that utilizes domain matching to route to different services.
2020-04-16 23:24:11 +00:00
Name: routeName,
Allow Hosts field to be set on an ingress config entry - Validate that this cannot be set on a 'tcp' listener nor on a wildcard service. - Add Hosts field to api and test in consul config write CLI - xds: Configure envoy with user-provided hosts from ingress gateways
2020-04-23 15:06:19 +00:00
Domains: serviceDomains,
Allow ingress gateways to route traffic based on Host header This commit adds the necessary changes to allow an ingress gateway to route traffic from a single defined port to multiple different upstream services in the Consul mesh. To do this, we now require all HTTP requests coming into the ingress gateway to specify a Host header that matches "<service-name>.*" in order to correctly route traffic to the correct service. - Differentiate multiple listener's route names by port - Adds a case in xds for allowing default discovery chains to create a route configuration when on an ingress gateway. This allows default services to easily use host header routing - ingress-gateways have a single route config for each listener that utilizes domain matching to route to different services.
2020-04-16 23:24:11 +00:00
Routes: routes,
}
return host, nil
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
}
Add the ability to retry on reset connection to service-routers (#12890)
2022-10-05 17:06:44 +00:00
func getRetryPolicyForDestination(destination *structs.ServiceRouteDestination) *envoy_route_v3.RetryPolicy {
retryPolicy := &envoy_route_v3.RetryPolicy{}
if destination.NumRetries > 0 {
retryPolicy.NumRetries = makeUint32Value(int(destination.NumRetries))
}
// The RetryOn magic values come from: https://www.envoyproxy.io/docs/envoy/v1.10.0/configuration/http_filters/router_filter#config-http-filters-router-x-envoy-retry-on
var retryStrings []string
if len(destination.RetryOn) > 0 {
retryStrings = append(retryStrings, destination.RetryOn...)
}
if destination.RetryOnConnectFailure {
// connect-failure can be enabled by either adding connect-failure to the RetryOn list or by using the legacy RetryOnConnectFailure option
// Check that it's not already in the RetryOn list, so we don't set it twice
connectFailureExists := false
for _, r := range retryStrings {
if r == "connect-failure" {
connectFailureExists = true
}
}
if !connectFailureExists {
retryStrings = append(retryStrings, "connect-failure")
}
}
if len(destination.RetryOnStatusCodes) > 0 {
retryStrings = append(retryStrings, "retriable-status-codes")
retryPolicy.RetriableStatusCodes = destination.RetryOnStatusCodes
}
retryPolicy.RetryOn = strings.Join(retryStrings, ",")
return retryPolicy
}
Support Incremental xDS mode (#9855) This adds support for the Incremental xDS protocol when using xDS v3. This is best reviewed commit-by-commit and will not be squashed when merged. Union of all commit messages follows to give an overarching summary: xds: exclusively support incremental xDS when using xDS v3 Attempts to use SoTW via v3 will fail, much like attempts to use incremental via v2 will fail. Work around a strange older envoy behavior involving empty CDS responses over incremental xDS. xds: various cleanups and refactors that don't strictly concern the addition of incremental xDS support Dissolve the connectionInfo struct in favor of per-connection ResourceGenerators instead. Do a better job of ensuring the xds code uses a well configured logger that accurately describes the connected client. xds: pull out checkStreamACLs method in advance of a later commit xds: rewrite SoTW xDS protocol tests to use protobufs rather than hand-rolled json strings In the test we very lightly reuse some of the more boring protobuf construction helper code that is also technically under test. The important thing of the protocol tests is testing the protocol. The actual inputs and outputs are largely already handled by the xds golden output tests now so these protocol tests don't have to do double-duty. This also updates the SoTW protocol test to exclusively use xDS v2 which is the only variant of SoTW that will be supported in Consul 1.10. xds: default xds.Server.AuthCheckFrequency at use-time instead of construction-time
2021-04-29 18:54:05 +00:00
func makeRouteMatchForDiscoveryRoute(discoveryRoute *structs.DiscoveryRoute) *envoy_route_v3.RouteMatch {
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
match := discoveryRoute.Definition.Match
if match == nil || match.IsEmpty() {
return makeDefaultRouteMatch()
}
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
em := &envoy_route_v3.RouteMatch{}
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
switch {
case match.HTTP.PathExact != "":
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
em.PathSpecifier = &envoy_route_v3.RouteMatch_Path{
implement some missing service-router features and add more xDS testing (#6065) - also implement OnlyPassing filters for non-gateway clusters
2019-07-12 19:16:21 +00:00
Path: match.HTTP.PathExact,
}
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
case match.HTTP.PathPrefix != "":
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
em.PathSpecifier = &envoy_route_v3.RouteMatch_Prefix{
implement some missing service-router features and add more xDS testing (#6065) - also implement OnlyPassing filters for non-gateway clusters
2019-07-12 19:16:21 +00:00
Prefix: match.HTTP.PathPrefix,
}
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
case match.HTTP.PathRegex != "":
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
em.PathSpecifier = &envoy_route_v3.RouteMatch_SafeRegex{
xds: add support for envoy 1.15.0 and drop support for 1.11.x (#8424) Related changes: - hard-fail the xDS connection attempt if the envoy version is known to be too old to be supported - remove the RouterMatchSafeRegex proxy feature since all supported envoy versions have it - stop using --max-obj-name-len (due to: envoyproxy/envoy#11740)
2020-07-31 20:52:49 +00:00
SafeRegex: makeEnvoyRegexMatch(match.HTTP.PathRegex),
implement some missing service-router features and add more xDS testing (#6065) - also implement OnlyPassing filters for non-gateway clusters
2019-07-12 19:16:21 +00:00
}
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
default:
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
em.PathSpecifier = &envoy_route_v3.RouteMatch_Prefix{
implement some missing service-router features and add more xDS testing (#6065) - also implement OnlyPassing filters for non-gateway clusters
2019-07-12 19:16:21 +00:00
Prefix: "/",
}
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
}
if len(match.HTTP.Header) > 0 {
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
em.Headers = make([]*envoy_route_v3.HeaderMatcher, 0, len(match.HTTP.Header))
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
for _, hdr := range match.HTTP.Header {
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
eh := &envoy_route_v3.HeaderMatcher{
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
Name: hdr.Name,
}
switch {
case hdr.Exact != "":
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_ExactMatch{
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
ExactMatch: hdr.Exact,
}
case hdr.Regex != "":
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_SafeRegexMatch{
xds: add support for envoy 1.15.0 and drop support for 1.11.x (#8424) Related changes: - hard-fail the xDS connection attempt if the envoy version is known to be too old to be supported - remove the RouterMatchSafeRegex proxy feature since all supported envoy versions have it - stop using --max-obj-name-len (due to: envoyproxy/envoy#11740)
2020-07-31 20:52:49 +00:00
SafeRegexMatch: makeEnvoyRegexMatch(hdr.Regex),
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
}
case hdr.Prefix != "":
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_PrefixMatch{
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
PrefixMatch: hdr.Prefix,
}
case hdr.Suffix != "":
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_SuffixMatch{
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
SuffixMatch: hdr.Suffix,
}
case hdr.Present:
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
eh.HeaderMatchSpecifier = &envoy_route_v3.HeaderMatcher_PresentMatch{
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
PresentMatch: true,
}
default:
continue // skip this impossible situation
}
if hdr.Invert {
eh.InvertMatch = true
}
em.Headers = append(em.Headers, eh)
}
}
connect: allow L7 routers to match on http methods (#6164) Fixes #6158
2019-07-24 01:56:39 +00:00
if len(match.HTTP.Methods) > 0 {
methodHeaderRegex := strings.Join(match.HTTP.Methods, "|")
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
eh := &envoy_route_v3.HeaderMatcher{
connect: allow L7 routers to match on http methods (#6164) Fixes #6158
2019-07-24 01:56:39 +00:00
Name: ":method",
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
HeaderMatchSpecifier: &envoy_route_v3.HeaderMatcher_SafeRegexMatch{
xds: version sniff envoy and switch regular expressions from 'regex' to 'safe_regex' on newer envoy versions (#8222) - cut down on extra node metadata transmission - split the golden file generation to compare all envoy version
2020-07-09 22:04:51 +00:00
SafeRegexMatch: makeEnvoyRegexMatch(methodHeaderRegex),
xds: add support for envoy 1.15.0 and drop support for 1.11.x (#8424) Related changes: - hard-fail the xDS connection attempt if the envoy version is known to be too old to be supported - remove the RouterMatchSafeRegex proxy feature since all supported envoy versions have it - stop using --max-obj-name-len (due to: envoyproxy/envoy#11740)
2020-07-31 20:52:49 +00:00
},
connect: allow L7 routers to match on http methods (#6164) Fixes #6158
2019-07-24 01:56:39 +00:00
}
xds: version sniff envoy and switch regular expressions from 'regex' to 'safe_regex' on newer envoy versions (#8222) - cut down on extra node metadata transmission - split the golden file generation to compare all envoy version
2020-07-09 22:04:51 +00:00
connect: allow L7 routers to match on http methods (#6164) Fixes #6158
2019-07-24 01:56:39 +00:00
em.Headers = append(em.Headers, eh)
}
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
if len(match.HTTP.QueryParam) > 0 {
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
em.QueryParameters = make([]*envoy_route_v3.QueryParameterMatcher, 0, len(match.HTTP.QueryParam))
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
for _, qm := range match.HTTP.QueryParam {
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
eq := &envoy_route_v3.QueryParameterMatcher{
connect: change router syntax for matching query parameters to resemble the syntax for matching paths and headers for consistency. (#6163) This is a breaking change, but only in the context of the beta series.
2019-07-24 01:55:26 +00:00
Name: qm.Name,
}
switch {
case qm.Exact != "":
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
eq.QueryParameterMatchSpecifier = &envoy_route_v3.QueryParameterMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Exact{
xds: add support for envoy 1.15.0 and drop support for 1.11.x (#8424) Related changes: - hard-fail the xDS connection attempt if the envoy version is known to be too old to be supported - remove the RouterMatchSafeRegex proxy feature since all supported envoy versions have it - stop using --max-obj-name-len (due to: envoyproxy/envoy#11740)
2020-07-31 20:52:49 +00:00
Exact: qm.Exact,
xds: version sniff envoy and switch regular expressions from 'regex' to 'safe_regex' on newer envoy versions (#8222) - cut down on extra node metadata transmission - split the golden file generation to compare all envoy version
2020-07-09 22:04:51 +00:00
},
xds: add support for envoy 1.15.0 and drop support for 1.11.x (#8424) Related changes: - hard-fail the xDS connection attempt if the envoy version is known to be too old to be supported - remove the RouterMatchSafeRegex proxy feature since all supported envoy versions have it - stop using --max-obj-name-len (due to: envoyproxy/envoy#11740)
2020-07-31 20:52:49 +00:00
},
xds: version sniff envoy and switch regular expressions from 'regex' to 'safe_regex' on newer envoy versions (#8222) - cut down on extra node metadata transmission - split the golden file generation to compare all envoy version
2020-07-09 22:04:51 +00:00
}
connect: change router syntax for matching query parameters to resemble the syntax for matching paths and headers for consistency. (#6163) This is a breaking change, but only in the context of the beta series.
2019-07-24 01:55:26 +00:00
case qm.Regex != "":
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
eq.QueryParameterMatchSpecifier = &envoy_route_v3.QueryParameterMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_SafeRegex{
xds: add support for envoy 1.15.0 and drop support for 1.11.x (#8424) Related changes: - hard-fail the xDS connection attempt if the envoy version is known to be too old to be supported - remove the RouterMatchSafeRegex proxy feature since all supported envoy versions have it - stop using --max-obj-name-len (due to: envoyproxy/envoy#11740)
2020-07-31 20:52:49 +00:00
SafeRegex: makeEnvoyRegexMatch(qm.Regex),
xds: version sniff envoy and switch regular expressions from 'regex' to 'safe_regex' on newer envoy versions (#8222) - cut down on extra node metadata transmission - split the golden file generation to compare all envoy version
2020-07-09 22:04:51 +00:00
},
xds: add support for envoy 1.15.0 and drop support for 1.11.x (#8424) Related changes: - hard-fail the xDS connection attempt if the envoy version is known to be too old to be supported - remove the RouterMatchSafeRegex proxy feature since all supported envoy versions have it - stop using --max-obj-name-len (due to: envoyproxy/envoy#11740)
2020-07-31 20:52:49 +00:00
},
xds: version sniff envoy and switch regular expressions from 'regex' to 'safe_regex' on newer envoy versions (#8222) - cut down on extra node metadata transmission - split the golden file generation to compare all envoy version
2020-07-09 22:04:51 +00:00
}
connect: change router syntax for matching query parameters to resemble the syntax for matching paths and headers for consistency. (#6163) This is a breaking change, but only in the context of the beta series.
2019-07-24 01:55:26 +00:00
case qm.Present:
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
eq.QueryParameterMatchSpecifier = &envoy_route_v3.QueryParameterMatcher_PresentMatch{
xds: add support for envoy 1.15.0 and drop support for 1.11.x (#8424) Related changes: - hard-fail the xDS connection attempt if the envoy version is known to be too old to be supported - remove the RouterMatchSafeRegex proxy feature since all supported envoy versions have it - stop using --max-obj-name-len (due to: envoyproxy/envoy#11740)
2020-07-31 20:52:49 +00:00
PresentMatch: true,
xds: version sniff envoy and switch regular expressions from 'regex' to 'safe_regex' on newer envoy versions (#8222) - cut down on extra node metadata transmission - split the golden file generation to compare all envoy version
2020-07-09 22:04:51 +00:00
}
connect: change router syntax for matching query parameters to resemble the syntax for matching paths and headers for consistency. (#6163) This is a breaking change, but only in the context of the beta series.
2019-07-24 01:55:26 +00:00
default:
continue // skip this impossible situation
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
}
em.QueryParameters = append(em.QueryParameters, eq)
}
}
return em
}
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
func makeDefaultRouteMatch() *envoy_route_v3.RouteMatch {
return &envoy_route_v3.RouteMatch{
PathSpecifier: &envoy_route_v3.RouteMatch_Prefix{
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
Prefix: "/",
},
// TODO(banks) Envoy supports matching only valid GRPC
// requests which might be nice to add here for gRPC services
// but it's not supported in our current envoy SDK version
// although docs say it was supported by 1.8.0. Going to defer
// that until we've updated the deps.
}
}
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
func (s *ResourceGenerator) makeRouteActionForChainCluster(
upstreamsSnapshot *proxycfg.ConfigSnapshotUpstreams,
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624) A mesh gateway will now configure the filter chains for L7 exported services using the correct discovery chain information.
2022-06-28 19:52:25 +00:00
targetID string,
chain *structs.CompiledDiscoveryChain,
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
forMeshGateway bool,
) (*envoy_route_v3.Route_Route, bool) {
Refactor the disco chain -> xds logic (#16392)
2023-02-23 16:32:32 +00:00
clusterName := s.getTargetClusterName(upstreamsSnapshot, chain, targetID, forMeshGateway, false)
if clusterName == "" {
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
return nil, false
}
Refactor the disco chain -> xds logic (#16392)
2023-02-23 16:32:32 +00:00
return makeRouteActionFromName(clusterName), true
Pass LB config to Envoy via xDS
2020-08-28 20:27:40 +00:00
}
connect: expose an API endpoint to compile the discovery chain (#6248) In addition to exposing compilation over the API cleaned up the structures that would be exchanged to be cleaner and easier to support and understand. Also removed ability to configure the envoy OverprovisioningFactor.
2019-08-02 20:34:54 +00:00
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
func makeRouteActionFromName(clusterName string) *envoy_route_v3.Route_Route {
return &envoy_route_v3.Route_Route{
Route: &envoy_route_v3.RouteAction{
ClusterSpecifier: &envoy_route_v3.RouteAction_Cluster{
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
Cluster: clusterName,
},
},
}
}
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
func (s *ResourceGenerator) makeRouteActionForSplitter(
upstreamsSnapshot *proxycfg.ConfigSnapshotUpstreams,
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624) A mesh gateway will now configure the filter chains for L7 exported services using the correct discovery chain information.
2022-06-28 19:52:25 +00:00
splits []*structs.DiscoverySplit,
chain *structs.CompiledDiscoveryChain,
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
forMeshGateway bool,
xds: mesh gateways now correctly load up peer-exported discovery chains using L7 protocols (#13624) A mesh gateway will now configure the filter chains for L7 exported services using the correct discovery chain information.
2022-06-28 19:52:25 +00:00
) (*envoy_route_v3.Route_Route, error) {
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
clusters := make([]*envoy_route_v3.WeightedCluster_ClusterWeight, 0, len(splits))
NET-2904 Fixes API Gateway Route Service Weight Division Error
2023-03-06 13:41:57 +00:00
totalWeight := 0
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
for _, split := range splits {
connect: simplify the compiled discovery chain data structures (#6242) This should make them better for sending over RPC or the API. Instead of a chain implemented explicitly like a linked list (nodes holding pointers to other nodes) instead switch to a flat map of named nodes with nodes linking other other nodes by name. The shipped structure is just a map and a string to indicate which key to start from. Other changes: * inline the compiler option InferDefaults as true * introduce compiled target config to avoid needing to send back additional maps of Resolvers; future target-specific compiled state can go here * move compiled MeshGateway out of the Resolver and into the TargetConfig where it makes more sense.
2019-08-02 03:44:05 +00:00
nextNode := chain.Nodes[split.NextNode]
if nextNode.Type != structs.DiscoveryGraphNodeTypeResolver {
return nil, fmt.Errorf("unexpected splitter destination node type: %s", nextNode.Type)
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
}
connect: expose an API endpoint to compile the discovery chain (#6248) In addition to exposing compilation over the API cleaned up the structures that would be exchanged to be cleaner and easier to support and understand. Also removed ability to configure the envoy OverprovisioningFactor.
2019-08-02 20:34:54 +00:00
targetID := nextNode.Resolver.Target
Refactor the disco chain -> xds logic (#16392)
2023-02-23 16:32:32 +00:00
clusterName := s.getTargetClusterName(upstreamsSnapshot, chain, targetID, forMeshGateway, false)
if clusterName == "" {
Implement Cluster Peering Redirects (#14445) implement cluster peering redirects
2022-09-09 17:58:28 +00:00
continue
}
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
implement some missing service-router features and add more xDS testing (#6065) - also implement OnlyPassing filters for non-gateway clusters
2019-07-12 19:16:21 +00:00
// The smallest representable weight is 1/10000 or .01% but envoy
// deals with integers so scale everything up by 100x.
NET-2904 Fixes API Gateway Route Service Weight Division Error
2023-03-06 13:41:57 +00:00
weight := int(split.Weight * 100)
totalWeight += weight
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
cw := &envoy_route_v3.WeightedCluster_ClusterWeight{
NET-2904 Fixes API Gateway Route Service Weight Division Error
2023-03-06 13:41:57 +00:00
Weight: makeUint32Value(weight),
Refactor the disco chain -> xds logic (#16392)
2023-02-23 16:32:32 +00:00
Name: clusterName,
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
}
Header manip for split legs plumbing
2021-07-13 18:49:14 +00:00
if err := injectHeaderManipToWeightedCluster(split.Definition, cw); err != nil {
return nil, err
}
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
clusters = append(clusters, cw)
}
Flakiness test: case-cfg-splitter-peering-ingress-gateways (#15707) * integ-test: fix flaky test - case-cfg-splitter-peering-ingress-gateways * add retry peering to all peering cases Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
2022-12-08 01:19:34 +00:00
if len(clusters) <= 0 {
return nil, fmt.Errorf("number of clusters in splitter must be > 0; got %d", len(clusters))
}
NET-2904 Fixes API Gateway Route Service Weight Division Error
2023-03-06 13:41:57 +00:00
envoyWeightScale := 10000
if envoyWeightScale < totalWeight {
clusters[0].Weight.Value += uint32(totalWeight - envoyWeightScale)
} else {
clusters[0].Weight.Value += uint32(envoyWeightScale - totalWeight)
}
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
return &envoy_route_v3.Route_Route{
Route: &envoy_route_v3.RouteAction{
ClusterSpecifier: &envoy_route_v3.RouteAction_WeightedClusters{
WeightedClusters: &envoy_route_v3.WeightedCluster{
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
Clusters: clusters,
NET-2904 Fixes API Gateway Route Service Weight Division Error
2023-03-06 13:41:57 +00:00
TotalWeight: makeUint32Value(envoyWeightScale), // scaled up 100%
activate most discovery chain features in xDS for envoy (#6024)
2019-07-02 03:10:51 +00:00
},
},
},
}, nil
xDS Server Implementation (#4731) * Vendor updates for gRPC and xDS server * xDS server implementation for serving Envoy as a Connect proxy * Address initial review comments * consistent envoy package aliases; typos fixed; override TLS and authz for custom listeners * Moar Typos * Moar typos
2018-10-03 18:18:55 +00:00
}
Remove LB infix and move injection to xds
2020-09-02 21:13:50 +00:00
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
func injectLBToRouteAction(lb *structs.LoadBalancer, action *envoy_route_v3.RouteAction) error {
Revert EnvoyConfig nesting
2020-09-11 15:21:43 +00:00
if lb == nil || !lb.IsHashBased() {
Remove LB infix and move injection to xds
2020-09-02 21:13:50 +00:00
return nil
}
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
result := make([]*envoy_route_v3.RouteAction_HashPolicy, 0, len(lb.HashPolicies))
Revert EnvoyConfig nesting
2020-09-11 15:21:43 +00:00
for _, policy := range lb.HashPolicies {
Remove LB infix and move injection to xds
2020-09-02 21:13:50 +00:00
if policy.SourceIP {
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
result = append(result, &envoy_route_v3.RouteAction_HashPolicy{
PolicySpecifier: &envoy_route_v3.RouteAction_HashPolicy_ConnectionProperties_{
ConnectionProperties: &envoy_route_v3.RouteAction_HashPolicy_ConnectionProperties{
Remove LB infix and move injection to xds
2020-09-02 21:13:50 +00:00
SourceIp: true,
},
},
Terminal: policy.Terminal,
})
continue
}
switch policy.Field {
case structs.HashPolicyHeader:
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
result = append(result, &envoy_route_v3.RouteAction_HashPolicy{
PolicySpecifier: &envoy_route_v3.RouteAction_HashPolicy_Header_{
Header: &envoy_route_v3.RouteAction_HashPolicy_Header{
Remove LB infix and move injection to xds
2020-09-02 21:13:50 +00:00
HeaderName: policy.FieldValue,
},
},
Terminal: policy.Terminal,
})
case structs.HashPolicyCookie:
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
cookie := envoy_route_v3.RouteAction_HashPolicy_Cookie{
Remove LB infix and move injection to xds
2020-09-02 21:13:50 +00:00
Name: policy.FieldValue,
}
if policy.CookieConfig != nil {
cookie.Path = policy.CookieConfig.Path
Add session flag to cookie config
2020-09-12 00:34:03 +00:00
if policy.CookieConfig.TTL != 0*time.Second {
Fix proto lint errors after version bump
2022-05-25 01:44:54 +00:00
cookie.Ttl = durationpb.New(policy.CookieConfig.TTL)
Add session flag to cookie config
2020-09-12 00:34:03 +00:00
}
// Envoy will generate a session cookie if the ttl is present and zero.
if policy.CookieConfig.Session {
Fix proto lint errors after version bump
2022-05-25 01:44:54 +00:00
cookie.Ttl = durationpb.New(0 * time.Second)
Add session flag to cookie config
2020-09-12 00:34:03 +00:00
}
Remove LB infix and move injection to xds
2020-09-02 21:13:50 +00:00
}
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
result = append(result, &envoy_route_v3.RouteAction_HashPolicy{
PolicySpecifier: &envoy_route_v3.RouteAction_HashPolicy_Cookie_{
Remove LB infix and move injection to xds
2020-09-02 21:13:50 +00:00
Cookie: &cookie,
},
Terminal: policy.Terminal,
})
case structs.HashPolicyQueryParam:
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
result = append(result, &envoy_route_v3.RouteAction_HashPolicy{
PolicySpecifier: &envoy_route_v3.RouteAction_HashPolicy_QueryParameter_{
QueryParameter: &envoy_route_v3.RouteAction_HashPolicy_QueryParameter{
Remove LB infix and move injection to xds
2020-09-02 21:13:50 +00:00
Name: policy.FieldValue,
},
},
Terminal: policy.Terminal,
})
default:
return fmt.Errorf("unsupported load balancer hash policy field: %v", policy.Field)
}
}
action.HashPolicy = result
return nil
}
Header manip for service-router plumbed through
2021-07-13 15:15:04 +00:00
func injectHeaderManipToRoute(dest *structs.ServiceRouteDestination, r *envoy_route_v3.Route) error {
Header manip for split legs plumbing
2021-07-13 18:49:14 +00:00
if !dest.RequestHeaders.IsZero() {
Header manip for service-router plumbed through
2021-07-13 15:15:04 +00:00
r.RequestHeadersToAdd = append(
r.RequestHeadersToAdd,
makeHeadersValueOptions(dest.RequestHeaders.Add, true)...,
)
r.RequestHeadersToAdd = append(
r.RequestHeadersToAdd,
makeHeadersValueOptions(dest.RequestHeaders.Set, false)...,
)
r.RequestHeadersToRemove = append(
r.RequestHeadersToRemove,
dest.RequestHeaders.Remove...,
)
}
Header manip for split legs plumbing
2021-07-13 18:49:14 +00:00
if !dest.ResponseHeaders.IsZero() {
Header manip for service-router plumbed through
2021-07-13 15:15:04 +00:00
r.ResponseHeadersToAdd = append(
r.ResponseHeadersToAdd,
makeHeadersValueOptions(dest.ResponseHeaders.Add, true)...,
)
r.ResponseHeadersToAdd = append(
r.ResponseHeadersToAdd,
makeHeadersValueOptions(dest.ResponseHeaders.Set, false)...,
)
r.ResponseHeadersToRemove = append(
r.ResponseHeadersToRemove,
Update xDS routes to support ingress services with different TLS config
2021-08-24 14:25:22 +00:00
dest.ResponseHeaders.Remove...,
)
}
return nil
}
func injectHeaderManipToVirtualHost(dest *structs.IngressService, vh *envoy_route_v3.VirtualHost) error {
if !dest.RequestHeaders.IsZero() {
vh.RequestHeadersToAdd = append(
vh.RequestHeadersToAdd,
makeHeadersValueOptions(dest.RequestHeaders.Add, true)...,
)
vh.RequestHeadersToAdd = append(
vh.RequestHeadersToAdd,
makeHeadersValueOptions(dest.RequestHeaders.Set, false)...,
)
vh.RequestHeadersToRemove = append(
vh.RequestHeadersToRemove,
dest.RequestHeaders.Remove...,
)
}
if !dest.ResponseHeaders.IsZero() {
vh.ResponseHeadersToAdd = append(
vh.ResponseHeadersToAdd,
makeHeadersValueOptions(dest.ResponseHeaders.Add, true)...,
)
vh.ResponseHeadersToAdd = append(
vh.ResponseHeadersToAdd,
makeHeadersValueOptions(dest.ResponseHeaders.Set, false)...,
)
vh.ResponseHeadersToRemove = append(
vh.ResponseHeadersToRemove,
Header manip for service-router plumbed through
2021-07-13 15:15:04 +00:00
dest.ResponseHeaders.Remove...,
)
}
return nil
}
Header manip for split legs plumbing
2021-07-13 18:49:14 +00:00
func injectHeaderManipToWeightedCluster(split *structs.ServiceSplit, c *envoy_route_v3.WeightedCluster_ClusterWeight) error {
if !split.RequestHeaders.IsZero() {
c.RequestHeadersToAdd = append(
c.RequestHeadersToAdd,
makeHeadersValueOptions(split.RequestHeaders.Add, true)...,
)
c.RequestHeadersToAdd = append(
c.RequestHeadersToAdd,
makeHeadersValueOptions(split.RequestHeaders.Set, false)...,
)
c.RequestHeadersToRemove = append(
c.RequestHeadersToRemove,
split.RequestHeaders.Remove...,
)
}
if !split.ResponseHeaders.IsZero() {
c.ResponseHeadersToAdd = append(
c.ResponseHeadersToAdd,
makeHeadersValueOptions(split.ResponseHeaders.Add, true)...,
)
c.ResponseHeadersToAdd = append(
c.ResponseHeadersToAdd,
makeHeadersValueOptions(split.ResponseHeaders.Set, false)...,
)
c.ResponseHeadersToRemove = append(
c.ResponseHeadersToRemove,
split.ResponseHeaders.Remove...,
)
}
return nil
}