envoy: Add typeURL for envoy resources

This commit is to add typeURL for below resources: - cilium.network - cilium.tls_wrapper - envoy.filters.http.router - envoy.filters.listener.tls_inspector Fixes: cilium/proxy#108 Signed-off-by: Tam Mach <[email protected]>
rockc2020 · Feb 17, 2023 · b839e86 · b839e86
1 parent e3308f2
commit b839e86
Show file tree

Hide file tree

Showing 14 changed files with 1,380 additions and 19 deletions.
diff --git a/go.mod b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/cilium/ipam v0.0.0-20220824141044-46ef3d556735
 	github.com/cilium/kafka v0.0.0-20180809090225-01ce283b732b
 	github.com/cilium/lumberjack/v2 v2.3.0
-	github.com/cilium/proxy v0.0.0-20230205220247-5b9c892d59cd
+	github.com/cilium/proxy v0.0.0-20230215154421-edb6834301da
 	github.com/cilium/workerpool v1.1.3
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.1.1

diff --git a/go.sum b/go.sum
diff --git a/operator/pkg/ciliumenvoyconfig/envoy_config.go b/operator/pkg/ciliumenvoyconfig/envoy_config.go
@@ -11,6 +11,8 @@ import (
 	envoy_config_core_v3 "github.com/cilium/proxy/go/envoy/config/core/v3"
 	envoy_config_listener "github.com/cilium/proxy/go/envoy/config/listener/v3"
 	envoy_config_route_v3 "github.com/cilium/proxy/go/envoy/config/route/v3"
+	envoy_extensions_filters_http_router_v3 "github.com/cilium/proxy/go/envoy/extensions/filters/http/router/v3"
+	envoy_extensions_listener_tls_inspector_v3 "github.com/cilium/proxy/go/envoy/extensions/filters/listener/tls_inspector/v3"
 	envoy_extensions_filters_network_http_connection_manager_v3 "github.com/cilium/proxy/go/envoy/extensions/filters/network/http_connection_manager/v3"
 	envoy_config_upstream "github.com/cilium/proxy/go/envoy/extensions/upstreams/http/v3"
 	"google.golang.org/protobuf/proto"
@@ -232,6 +234,9 @@ func (m *Manager) getListenerResource(svc *slim_corev1.Service) (ciliumv2.XDSRes
 		ListenerFilters: []*envoy_config_listener.ListenerFilter{
 			{
 				Name: "envoy.filters.listener.tls_inspector",
+				ConfigType: &envoy_config_listener.ListenerFilter_TypedConfig{
+					TypedConfig: toAny(&envoy_extensions_listener_tls_inspector_v3.TlsInspector{}),
+				},
 			},
 		},
 	}
@@ -262,7 +267,12 @@ func (m *Manager) getConnectionManager(svc *slim_corev1.Service) (ciliumv2.XDSRe
 			},
 		},
 		HttpFilters: []*envoy_extensions_filters_network_http_connection_manager_v3.HttpFilter{
-			{Name: "envoy.filters.http.router"},
+			{
+				Name: "envoy.filters.http.router",
+				ConfigType: &envoy_extensions_filters_network_http_connection_manager_v3.HttpFilter_TypedConfig{
+					TypedConfig: toAny(&envoy_extensions_filters_http_router_v3.Router{}),
+				},
+			},
 		},
 	}
 

diff --git a/operator/pkg/model/translation/envoy_http_connection_manager.go b/operator/pkg/model/translation/envoy_http_connection_manager.go
@@ -4,6 +4,7 @@
 package translation
 
 import (
+	httpRouterv3 "github.com/cilium/proxy/go/envoy/extensions/filters/http/router/v3"
 	httpConnectionManagerv3 "github.com/cilium/proxy/go/envoy/extensions/filters/network/http_connection_manager/v3"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/anypb"
@@ -23,7 +24,12 @@ func NewHTTPConnectionManager(name, routeName string, mutationFunc ...HttpConnec
 			Rds: &httpConnectionManagerv3.Rds{RouteConfigName: routeName},
 		},
 		HttpFilters: []*httpConnectionManagerv3.HttpFilter{
-			{Name: "envoy.filters.http.router"},
+			{
+				Name: "envoy.filters.http.router",
+				ConfigType: &httpConnectionManagerv3.HttpFilter_TypedConfig{
+					TypedConfig: toAny(&httpRouterv3.Router{}),
+				},
+			},
 		},
 		UpgradeConfigs: []*httpConnectionManagerv3.HttpConnectionManager_UpgradeConfig{
 			{UpgradeType: "websocket"},

diff --git a/operator/pkg/model/translation/envoy_listener.go b/operator/pkg/model/translation/envoy_listener.go
@@ -9,6 +9,7 @@ import (
 
 	envoy_config_core_v3 "github.com/cilium/proxy/go/envoy/config/core/v3"
 	envoy_config_listener "github.com/cilium/proxy/go/envoy/config/listener/v3"
+	envoy_extensions_listener_tls_inspector_v3 "github.com/cilium/proxy/go/envoy/extensions/filters/listener/tls_inspector/v3"
 	envoy_extensions_transport_sockets_tls_v3 "github.com/cilium/proxy/go/envoy/extensions/transport_sockets/tls/v3"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/anypb"
@@ -146,9 +147,16 @@ func NewListener(name string, ciliumSecretNamespace string, tls map[model.TLSSec
 	}
 
 	listener := &envoy_config_listener.Listener{
-		Name:            name,
-		FilterChains:    filterChains,
-		ListenerFilters: []*envoy_config_listener.ListenerFilter{{Name: tlsInspectorType}},
+		Name:         name,
+		FilterChains: filterChains,
+		ListenerFilters: []*envoy_config_listener.ListenerFilter{
+			{
+				Name: tlsInspectorType,
+				ConfigType: &envoy_config_listener.ListenerFilter_TypedConfig{
+					TypedConfig: toAny(&envoy_extensions_listener_tls_inspector_v3.TlsInspector{}),
+				},
+			},
+		},
 	}
 
 	for _, fn := range mutatorFunc {

diff --git a/pkg/envoy/ciliumenvoyconfig.go b/pkg/envoy/ciliumenvoyconfig.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"time"
 
+	cilium "github.com/cilium/proxy/go/cilium/api"
 	envoy_config_cluster "github.com/cilium/proxy/go/envoy/config/cluster/v3"
 	envoy_config_core "github.com/cilium/proxy/go/envoy/config/core/v3"
 	envoy_config_endpoint "github.com/cilium/proxy/go/envoy/config/endpoint/v3"
@@ -226,6 +227,9 @@ func ParseResources(cecNamespace string, cecName string, anySlice []cilium_v2.XD
 							fc.Filters = append(fc.Filters[:i+1], fc.Filters[i:]...)
 							fc.Filters[i] = &envoy_config_listener.Filter{
 								Name: "cilium.network",
+								ConfigType: &envoy_config_listener.Filter_TypedConfig{
+									TypedConfig: toAny(&cilium.NetworkFilter{}),
+								},
 							}
 						}
 					}

diff --git a/pkg/envoy/server.go b/pkg/envoy/server.go
@@ -22,6 +22,8 @@ import (
 	envoy_config_endpoint "github.com/cilium/proxy/go/envoy/config/endpoint/v3"
 	envoy_config_listener "github.com/cilium/proxy/go/envoy/config/listener/v3"
 	envoy_config_route "github.com/cilium/proxy/go/envoy/config/route/v3"
+	envoy_extensions_filters_http_router_v3 "github.com/cilium/proxy/go/envoy/extensions/filters/http/router/v3"
+	envoy_extensions_listener_tls_inspector_v3 "github.com/cilium/proxy/go/envoy/extensions/filters/listener/tls_inspector/v3"
 	envoy_config_http "github.com/cilium/proxy/go/envoy/extensions/filters/network/http_connection_manager/v3"
 	envoy_mongo_proxy "github.com/cilium/proxy/go/envoy/extensions/filters/network/mongo_proxy/v3"
 	envoy_config_tcp "github.com/cilium/proxy/go/envoy/extensions/filters/network/tcp_proxy/v3"
@@ -280,6 +282,9 @@ func (s *XDSServer) getHttpFilterChainProto(clusterName string, tls bool) *envoy
 			getCiliumHttpFilter(),
 			{
 				Name: "envoy.filters.http.router",
+				ConfigType: &envoy_config_http.HttpFilter_TypedConfig{
+					TypedConfig: toAny(&envoy_extensions_filters_http_router_v3.Router{}),
+				},
 			},
 		},
 		StreamIdleTimeout: &durationpb.Duration{}, // 0 == disabled
@@ -347,6 +352,9 @@ func (s *XDSServer) getHttpFilterChainProto(clusterName string, tls bool) *envoy
 	chain := &envoy_config_listener.FilterChain{
 		Filters: []*envoy_config_listener.Filter{{
 			Name: "cilium.network",
+			ConfigType: &envoy_config_listener.Filter_TypedConfig{
+				TypedConfig: toAny(&cilium.NetworkFilter{}),
+			},
 		}, {
 			Name: "envoy.filters.network.http_connection_manager",
 			ConfigType: &envoy_config_listener.Filter_TypedConfig{
@@ -361,6 +369,9 @@ func (s *XDSServer) getHttpFilterChainProto(clusterName string, tls bool) *envoy
 		}
 		chain.TransportSocket = &envoy_config_core.TransportSocket{
 			Name: "cilium.tls_wrapper",
+			ConfigType: &envoy_config_core.TransportSocket_TypedConfig{
+				TypedConfig: toAny(&cilium.DownstreamTlsWrapperContext{}),
+			},
 		}
 	}
 
@@ -434,6 +445,9 @@ func (s *XDSServer) getTcpFilterChainProto(clusterName string, filterName string
 		}
 		chain.TransportSocket = &envoy_config_core.TransportSocket{
 			Name: "cilium.tls_wrapper",
+			ConfigType: &envoy_config_core.TransportSocket_TypedConfig{
+				TypedConfig: toAny(&cilium.DownstreamTlsWrapperContext{}),
+			},
 		}
 	} else {
 		chain.FilterChainMatch = &envoy_config_listener.FilterChainMatch{
@@ -483,6 +497,9 @@ func (s *XDSServer) AddMetricsListener(port uint16, wg *completion.WaitGroup) {
 			StatPrefix: metricsListenerName,
 			HttpFilters: []*envoy_config_http.HttpFilter{{
 				Name: "envoy.filters.http.router",
+				ConfigType: &envoy_config_http.HttpFilter_TypedConfig{
+					TypedConfig: toAny(&envoy_extensions_filters_http_router_v3.Router{}),
+				},
 			}},
 			StreamIdleTimeout: &durationpb.Duration{}, // 0 == disabled
 			RouteSpecifier: &envoy_config_http.HttpConnectionManager_RouteConfig{
@@ -749,6 +766,9 @@ func (s *XDSServer) getListenerConf(name string, kind policy.L7ParserType, port
 			// Always insert tls_inspector as the first filter
 			{
 				Name: "envoy.filters.listener.tls_inspector",
+				ConfigType: &envoy_config_listener.ListenerFilter_TypedConfig{
+					TypedConfig: toAny(&envoy_extensions_listener_tls_inspector_v3.TlsInspector{}),
+				},
 			},
 			getListenerFilter(isIngress, mayUseOriginalSourceAddr, false),
 		},
@@ -1174,6 +1194,9 @@ func createBootstrap(filePath string, nodeId, cluster string, xdsSock, egressClu
 					TypedExtensionProtocolOptions: useDownstreamProtocolAutoSNI,
 					TransportSocket: &envoy_config_core.TransportSocket{
 						Name: "cilium.tls_wrapper",
+						ConfigType: &envoy_config_core.TransportSocket_TypedConfig{
+							TypedConfig: toAny(&cilium.UpstreamTlsWrapperContext{}),
+						},
 					},
 				},
 				{
@@ -1193,6 +1216,9 @@ func createBootstrap(filePath string, nodeId, cluster string, xdsSock, egressClu
 					TypedExtensionProtocolOptions: useDownstreamProtocolAutoSNI,
 					TransportSocket: &envoy_config_core.TransportSocket{
 						Name: "cilium.tls_wrapper",
+						ConfigType: &envoy_config_core.TransportSocket_TypedConfig{
+							TypedConfig: toAny(&cilium.UpstreamTlsWrapperContext{}),
+						},
 					},
 				},
 				{
@@ -1263,16 +1289,6 @@ func createBootstrap(filePath string, nodeId, cluster string, xdsSock, egressClu
 						}},
 					},
 				},
-				{
-					Name: "deprecation",
-					LayerSpecifier: &envoy_config_bootstrap.RuntimeLayer_StaticLayer{
-						StaticLayer: &structpb.Struct{Fields: map[string]*structpb.Value{
-							// This is to avoid empty type URL issue for cilium.tls_wrapper
-							// TODO: Remove this once we have a type URL for upstream and downstream cilium.tls_wrapper
-							"envoy.reloadable_features.no_extension_lookup_by_name": {Kind: &structpb.Value_BoolValue{BoolValue: false}},
-						}},
-					},
-				},
 			},
 		},
 	}