Add http3 support to EG

Signed-off-by: tanujd11 <[email protected]>

api/v1alpha1/clienttrafficpolicy_types.go

@@ -53,6 +53,10 @@ type ClientTrafficPolicySpec struct {
 	//
 	// +optional
 	TCPKeepalive *TCPKeepalive `json:"tcpKeepalive,omitempty"`
+	// EnableHTTP3 enables HTTP/3 support on the listener.
+	// Disabled by default.
+	// +optional
+	EnableHTTP3 bool `json:"enableHTTP3,omitempty"`
 }
 
 // TCPKeepalive define the TCP Keepalive configuration.

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -44,6 +44,10 @@ spec:
           spec:
             description: Spec defines the desired state of ClientTrafficPolicy.
             properties:
+              enableHTTP3:
+                description: EnableHTTP3 enables HTTP/3 support on the listener. Disabled
+                  by default.
+                type: boolean
               targetRef:
                 description: TargetRef is the name of the Gateway resource this policy
                   is being attached to. This Policy and the TargetRef MUST be in the

internal/gatewayapi/clienttrafficpolicy.go

@@ -31,9 +31,9 @@ func hasSectionName(policy *egv1a1.ClientTrafficPolicy) bool {
 	return policy.Spec.TargetRef.SectionName != nil
 }
 
-func ProcessClientTrafficPolicies(clientTrafficPolicies []*egv1a1.ClientTrafficPolicy,
+func (t *Translator) ProcessClientTrafficPolicies(clientTrafficPolicies []*egv1a1.ClientTrafficPolicy,
 	gateways []*GatewayContext,
-	xdsIR XdsIRMap) []*egv1a1.ClientTrafficPolicy {
+	xdsIR XdsIRMap, infraIR InfraIRMap) []*egv1a1.ClientTrafficPolicy {
 	var res []*egv1a1.ClientTrafficPolicy
 
 	// Sort based on timestamp
@@ -91,7 +91,7 @@ func ProcessClientTrafficPolicies(clientTrafficPolicies []*egv1a1.ClientTrafficP
 			// Translate for listener matching section name
 			for _, l := range gateway.listeners {
 				if string(l.Name) == section {
-					translateClientTrafficPolicyForListener(&policy.Spec, l, xdsIR)
+					t.translateClientTrafficPolicyForListener(&policy.Spec, l, xdsIR, infraIR)
 					break
 				}
 			}
@@ -168,7 +168,7 @@ func ProcessClientTrafficPolicies(clientTrafficPolicies []*egv1a1.ClientTrafficP
 					continue
 				}
 
-				translateClientTrafficPolicyForListener(&policy.Spec, l, xdsIR)
+				t.translateClientTrafficPolicyForListener(&policy.Spec, l, xdsIR, infraIR)
 			}
 
 			// Set Accepted=True
@@ -265,7 +265,7 @@ func resolveCTPolicyTargetRef(policy *egv1a1.ClientTrafficPolicy, gateways []*Ga
 	return gateway
 }
 
-func translateClientTrafficPolicyForListener(policySpec *egv1a1.ClientTrafficPolicySpec, l *ListenerContext, xdsIR XdsIRMap) {
+func (t *Translator) translateClientTrafficPolicyForListener(policySpec *egv1a1.ClientTrafficPolicySpec, l *ListenerContext, xdsIR XdsIRMap, infraIR InfraIRMap) {
 	// Find IR
 	irKey := irStringKey(l.gateway.Namespace, l.gateway.Name)
 	// It must exist since we've already finished processing the gateways
@@ -288,6 +288,20 @@ func translateClientTrafficPolicyForListener(policySpec *egv1a1.ClientTrafficPol
 	if httpIR != nil {
 		// Translate TCPKeepalive
 		translateListenerTCPKeepalive(policySpec.TCPKeepalive, httpIR)
+		// enable http3 if set and TLS is enabled
+		if httpIR.TLS != nil {
+			httpIR.EnableHTTP3 = policySpec.EnableHTTP3
+			var proxyListenerIR *ir.ProxyListener
+			for _, proxyListener := range infraIR[irKey].Proxy.Listeners {
+				if proxyListener.Name == irListenerName {
+					proxyListenerIR = proxyListener
+					break
+				}
+			}
+			if proxyListenerIR != nil {
+				proxyListenerIR.EnableHTTP3 = policySpec.EnableHTTP3
+			}
+		}
 	}
 }
 

internal/gatewayapi/listener.go

@@ -138,15 +138,19 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
 				if t.MergeGateways {
 					infraPortName = irHTTPListenerName(listener)
 				}
-
 				infraPort := ir.ListenerPort{
 					Name:          infraPortName,
 					Protocol:      proto,
 					ServicePort:   servicePort.port,
 					ContainerPort: containerPort,
 				}
-				// Only 1 listener is supported.
-				infraIR[irKey].Proxy.Listeners[0].Ports = append(infraIR[irKey].Proxy.Listeners[0].Ports, infraPort)
+
+				proxyListener := &ir.ProxyListener{
+					Name:  irHTTPListenerName(listener),
+					Ports: []ir.ListenerPort{infraPort},
+				}
+
+				infraIR[irKey].Proxy.Listeners = append(infraIR[irKey].Proxy.Listeners, proxyListener)
 			}
 		}
 	}

internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml

@@ -305,6 +305,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http
@@ -319,11 +320,15 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-2/http
         ports:
         - containerPort: 10080
           name: http
           protocol: HTTP
           servicePort: 80
+      - address: ""
+        name: envoy-gateway/gateway-2/tcp
+        ports:
         - containerPort: 10053
           name: tcp
           protocol: TCP

internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml

@@ -202,6 +202,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http
@@ -216,6 +217,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-2/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml

@@ -220,6 +220,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http
@@ -234,6 +235,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-2/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml

@@ -261,6 +261,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http
@@ -275,11 +276,15 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-2/http
         ports:
         - containerPort: 10080
           name: http
           protocol: HTTP
           servicePort: 80
+      - address: ""
+        name: envoy-gateway/gateway-2/tcp
+        ports:
         - containerPort: 10053
           name: tcp
           protocol: TCP

internal/gatewayapi/testdata/clienttrafficpolicy-tcp-keepalive.out.yaml

@@ -124,11 +124,15 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http-1
         ports:
         - containerPort: 10080
           name: http-1
           protocol: HTTP
           servicePort: 80
+      - address: ""
+        name: envoy-gateway/gateway-1/http-2
+        ports:
         - containerPort: 8080
           name: http-2
           protocol: HTTP

internal/gatewayapi/testdata/disable-accesslog.out.yaml

@@ -105,6 +105,7 @@ infraIR:
         status: {}
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/envoypatchpolicy-cross-ns-target.out.yaml

@@ -44,6 +44,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind.out.yaml

@@ -44,6 +44,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/envoypatchpolicy-valid.out.yaml

@@ -44,6 +44,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/envoyproxy-accesslog-file-json-no-format.out.yaml

@@ -111,6 +111,7 @@ infraIR:
         status: {}
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/envoyproxy-accesslog-file-json.out.yaml

@@ -114,6 +114,7 @@ infraIR:
         status: {}
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.out.yaml

@@ -112,6 +112,7 @@ infraIR:
         status: {}
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/envoyproxy-accesslog.out.yaml

@@ -119,6 +119,7 @@ infraIR:
         status: {}
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/envoyproxy-valid.out.yaml

@@ -102,6 +102,7 @@ infraIR:
         status: {}
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/extensions/httproute-with-extension-filter-invalid-group.out.yaml

@@ -92,6 +92,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/extensions/httproute-with-non-matching-extension-filter.out.yaml

@@ -90,6 +90,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/extensions/httproute-with-unsupported-extension-filter.out.yaml

@@ -90,6 +90,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/extensions/httproute-with-valid-extension-filter.out.yaml

@@ -90,6 +90,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml

@@ -79,6 +79,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml

@@ -79,6 +79,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/gateway-with-addresses-with-ipaddress.out.yaml

@@ -49,6 +49,7 @@ infraIR:
       - 5.6.7.8
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/tcp
         ports:
         - containerPort: 10080
           name: tcp

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-namespaces-selector.out.yaml

@@ -80,8 +80,6 @@ httpRoutes:
 infraIR:
   envoy-gateway/gateway-1:
     proxy:
-      listeners:
-      - address: ""
       metadata:
         labels:
           gateway.envoyproxy.io/owning-gateway-name: gateway-1

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml

@@ -71,8 +71,6 @@ httpRoutes:
 infraIR:
   envoy-gateway/gateway-1:
     proxy:
-      listeners:
-      - address: ""
       metadata:
         labels:
           gateway.envoyproxy.io/owning-gateway-name: gateway-1

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.out.yaml

@@ -73,8 +73,6 @@ httpRoutes:
 infraIR:
   envoy-gateway/gateway-1:
     proxy:
-      listeners:
-      - address: ""
       metadata:
         labels:
           gateway.envoyproxy.io/owning-gateway-name: gateway-1

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml

@@ -71,8 +71,6 @@ httpRoutes:
 infraIR:
   envoy-gateway/gateway-1:
     proxy:
-      listeners:
-      - address: ""
       metadata:
         labels:
           gateway.envoyproxy.io/owning-gateway-name: gateway-1

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml

@@ -39,8 +39,6 @@ gateways:
 infraIR:
   envoy-gateway/gateway-1:
     proxy:
-      listeners:
-      - address: ""
       metadata:
         labels:
           gateway.envoyproxy.io/owning-gateway-name: gateway-1

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.out.yaml

@@ -86,8 +86,6 @@ httpRoutes:
 infraIR:
   envoy-gateway/gateway-1:
     proxy:
-      listeners:
-      - address: ""
       metadata:
         labels:
           gateway.envoyproxy.io/owning-gateway-name: gateway-1

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml

@@ -79,8 +79,6 @@ httpRoutes:
 infraIR:
   envoy-gateway/gateway-1:
     proxy:
-      listeners:
-      - address: ""
       metadata:
         labels:
           gateway.envoyproxy.io/owning-gateway-name: gateway-1