From 0fe10c3e8c484b0ec00884db9bd27164810454e4 Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Wed, 3 Aug 2022 13:48:28 +0200 Subject: [PATCH 01/11] feat(gateway): set listener connection limits Signed-off-by: Mike Beaumont --- api/mesh/v1alpha1/gateway.pb.go | 188 +++++++++++++----- api/mesh/v1alpha1/gateway.proto | 4 + pkg/plugins/runtime/gateway/generator.go | 43 +++- .../runtime/gateway/listener_generator.go | 24 ++- pkg/xds/bootstrap/template_v3.go | 39 ++-- 5 files changed, 221 insertions(+), 77 deletions(-) diff --git a/api/mesh/v1alpha1/gateway.pb.go b/api/mesh/v1alpha1/gateway.pb.go index 7e25102b6cb0..7c51283aa7a3 100644 --- a/api/mesh/v1alpha1/gateway.pb.go +++ b/api/mesh/v1alpha1/gateway.pb.go @@ -286,7 +286,8 @@ type MeshGateway_Listener struct { Tags map[string]string `protobuf:"bytes,5,rep,name=tags,proto3" json:"tags,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // CrossMesh enables traffic to flow to this listener only from other // meshes. - CrossMesh bool `protobuf:"varint,6,opt,name=crossMesh,proto3" json:"crossMesh,omitempty"` + CrossMesh bool `protobuf:"varint,6,opt,name=crossMesh,proto3" json:"crossMesh,omitempty"` + Resources *MeshGateway_Listener_Resources `protobuf:"bytes,7,opt,name=resources,proto3" json:"resources,omitempty"` } func (x *MeshGateway_Listener) Reset() { @@ -363,6 +364,13 @@ func (x *MeshGateway_Listener) GetCrossMesh() bool { return false } +func (x *MeshGateway_Listener) GetResources() *MeshGateway_Listener_Resources { + if x != nil { + return x.Resources + } + return nil +} + // Conf defines the desired state of MeshGateway. // // Aligns with MeshGatewaySpec. 
@@ -533,6 +541,53 @@ func (x *MeshGateway_TLS_Conf) GetOptions() *MeshGateway_TLS_Options { return nil } +type MeshGateway_Listener_Resources struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + ConnectionLimit uint32 `protobuf:"varint,1,opt,name=connectionLimit,proto3" json:"connectionLimit,omitempty"` +} + +func (x *MeshGateway_Listener_Resources) Reset() { + *x = MeshGateway_Listener_Resources{} + if protoimpl.UnsafeEnabled { + mi := &file_mesh_v1alpha1_gateway_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *MeshGateway_Listener_Resources) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*MeshGateway_Listener_Resources) ProtoMessage() {} + +func (x *MeshGateway_Listener_Resources) ProtoReflect() protoreflect.Message { + mi := &file_mesh_v1alpha1_gateway_proto_msgTypes[7] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use MeshGateway_Listener_Resources.ProtoReflect.Descriptor instead. +func (*MeshGateway_Listener_Resources) Descriptor() ([]byte, []int) { + return file_mesh_v1alpha1_gateway_proto_rawDescGZIP(), []int{0, 1, 0} +} + +func (x *MeshGateway_Listener_Resources) GetConnectionLimit() uint32 { + if x != nil { + return x.ConnectionLimit + } + return 0 +} + var File_mesh_v1alpha1_gateway_proto protoreflect.FileDescriptor var file_mesh_v1alpha1_gateway_proto_rawDesc = []byte{ 
@@ -546,7 +601,7 @@ var file_mesh_v1alpha1_gateway_proto_rawDesc = []byte{ 0x6f, 0x1a, 0x20, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x61, 0x74, 0x61, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x17, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x61, - 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x96, 0x09, 0x0a, + 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x9f, 0x0a, 0x0a, 0x0b, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x12, 0x44, 0x0a, 0x09, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x6b, 0x75, 0x6d, 0x61, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, @@ -578,7 +633,7 @@ var file_mesh_v1alpha1_gateway_proto_rawDesc = []byte{ 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x30, 0x0a, 0x04, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x08, 0x0a, 0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10, 0x00, 0x12, 0x0d, 0x0a, 0x09, 0x54, 0x45, 0x52, 0x4d, 0x49, 0x4e, 0x41, 0x54, 0x45, 0x10, 0x01, 0x12, 0x0f, 0x0a, 0x0b, 0x50, 0x41, 0x53, - 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x02, 0x1a, 0xaa, 0x03, 0x0a, 0x08, 0x4c, + 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x02, 0x1a, 0xb3, 0x04, 0x0a, 0x08, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 
@@ -597,35 +652,44 @@ var file_mesh_v1alpha1_gateway_proto_rawDesc = []byte{ 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x2e, 0x54, 0x61, 0x67, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x04, 0x74, 0x61, 0x67, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x72, 0x6f, 0x73, 0x73, 0x4d, 0x65, 0x73, 0x68, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x63, - 0x72, 0x6f, 0x73, 0x73, 0x4d, 0x65, 0x73, 0x68, 0x1a, 0x37, 0x0a, 0x09, 0x54, 0x61, 0x67, 0x73, - 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, - 0x01, 0x22, 0x44, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x08, 0x0a, - 0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x43, 0x50, 0x10, 0x01, - 0x12, 0x07, 0x0a, 0x03, 0x55, 0x44, 0x50, 0x10, 0x02, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x4c, 0x53, - 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x54, 0x54, 0x50, 0x10, 0x04, 0x12, 0x09, 0x0a, 0x05, - 0x48, 0x54, 0x54, 0x50, 0x53, 0x10, 0x05, 0x1a, 0x58, 0x0a, 0x04, 0x43, 0x6f, 0x6e, 0x66, 0x12, - 0x50, 0x0a, 0x09, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x6b, 0x75, 0x6d, 0x61, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, - 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, - 0x77, 0x61, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x42, 0x08, 0xfa, 0x42, - 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x09, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, - 0x73, 0x1a, 0x37, 0x0a, 0x09, 0x54, 0x61, 0x67, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, + 0x72, 0x6f, 0x73, 0x73, 0x4d, 0x65, 0x73, 0x68, 0x12, 0x50, 0x0a, 0x09, 0x72, 0x65, 0x73, 0x6f, + 0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 
0x0b, 0x32, 0x32, 0x2e, 0x6b, 0x75, + 0x6d, 0x61, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, + 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x2e, 0x4c, 0x69, 0x73, + 0x74, 0x65, 0x6e, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, + 0x09, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x1a, 0x35, 0x0a, 0x09, 0x52, 0x65, + 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, + 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, + 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4c, 0x69, 0x6d, 0x69, + 0x74, 0x1a, 0x37, 0x0a, 0x09, 0x54, 0x61, 0x67, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x3a, 0x59, 0xaa, 0x8c, 0x89, 0xa6, - 0x01, 0x15, 0x0a, 0x13, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x52, - 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x0d, 0x12, 0x0b, 0x4d, - 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x06, - 0x22, 0x04, 0x6d, 0x65, 0x73, 0x68, 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x04, 0x52, 0x02, 0x10, 0x01, - 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x0f, 0x3a, 0x0d, 0x0a, 0x0b, 0x6d, 0x65, 0x73, 0x68, 0x67, 0x61, - 0x74, 0x65, 0x77, 0x61, 0x79, 0x42, 0x4c, 0x5a, 0x28, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x6d, 0x61, 0x68, 0x71, 0x2f, 0x6b, 0x75, 0x6d, 0x61, 0x2f, - 0x61, 0x70, 0x69, 0x2f, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x8a, 0xb5, 0x18, 0x1e, 0x50, 0x01, 0xa2, 0x01, 0x0b, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, - 0x74, 
0x65, 0x77, 0x61, 0x79, 0xf2, 0x01, 0x0b, 0x6d, 0x65, 0x73, 0x68, 0x67, 0x61, 0x74, 0x65, - 0x77, 0x61, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x44, 0x0a, 0x08, 0x50, 0x72, + 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x08, 0x0a, 0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10, 0x00, + 0x12, 0x07, 0x0a, 0x03, 0x54, 0x43, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x44, 0x50, + 0x10, 0x02, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x4c, 0x53, 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04, 0x48, + 0x54, 0x54, 0x50, 0x10, 0x04, 0x12, 0x09, 0x0a, 0x05, 0x48, 0x54, 0x54, 0x50, 0x53, 0x10, 0x05, + 0x1a, 0x58, 0x0a, 0x04, 0x43, 0x6f, 0x6e, 0x66, 0x12, 0x50, 0x0a, 0x09, 0x6c, 0x69, 0x73, 0x74, + 0x65, 0x6e, 0x65, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x6b, 0x75, + 0x6d, 0x61, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, + 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x2e, 0x4c, 0x69, 0x73, + 0x74, 0x65, 0x6e, 0x65, 0x72, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, + 0x09, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x73, 0x1a, 0x37, 0x0a, 0x09, 0x54, 0x61, + 0x67, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, + 0x02, 0x38, 0x01, 0x3a, 0x59, 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x15, 0x0a, 0x13, 0x4d, 0x65, 0x73, + 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x0d, 0x12, 0x0b, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, + 0x77, 0x61, 0x79, 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x06, 0x22, 0x04, 0x6d, 0x65, 0x73, 0x68, 0xaa, + 0x8c, 0x89, 0xa6, 0x01, 0x04, 0x52, 0x02, 0x10, 0x01, 0xaa, 0x8c, 0x89, 
0xa6, 0x01, 0x0f, 0x3a, + 0x0d, 0x0a, 0x0b, 0x6d, 0x65, 0x73, 0x68, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x42, 0x4c, + 0x5a, 0x28, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x6d, + 0x61, 0x68, 0x71, 0x2f, 0x6b, 0x75, 0x6d, 0x61, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6d, 0x65, 0x73, + 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x8a, 0xb5, 0x18, 0x1e, 0x50, 0x01, + 0xa2, 0x01, 0x0b, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0xf2, 0x01, + 0x0b, 0x6d, 0x65, 0x73, 0x68, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -641,37 +705,39 @@ func file_mesh_v1alpha1_gateway_proto_rawDescGZIP() []byte { } var file_mesh_v1alpha1_gateway_proto_enumTypes = make([]protoimpl.EnumInfo, 2) -var file_mesh_v1alpha1_gateway_proto_msgTypes = make([]protoimpl.MessageInfo, 8) +var file_mesh_v1alpha1_gateway_proto_msgTypes = make([]protoimpl.MessageInfo, 9) var file_mesh_v1alpha1_gateway_proto_goTypes = []interface{}{ - (MeshGateway_TLS_Mode)(0), // 0: kuma.mesh.v1alpha1.MeshGateway.TLS.Mode - (MeshGateway_Listener_Protocol)(0), // 1: kuma.mesh.v1alpha1.MeshGateway.Listener.Protocol - (*MeshGateway)(nil), // 2: kuma.mesh.v1alpha1.MeshGateway - (*MeshGateway_TLS)(nil), // 3: kuma.mesh.v1alpha1.MeshGateway.TLS - (*MeshGateway_Listener)(nil), // 4: kuma.mesh.v1alpha1.MeshGateway.Listener - (*MeshGateway_Conf)(nil), // 5: kuma.mesh.v1alpha1.MeshGateway.Conf - nil, // 6: kuma.mesh.v1alpha1.MeshGateway.TagsEntry - (*MeshGateway_TLS_Options)(nil), // 7: kuma.mesh.v1alpha1.MeshGateway.TLS.Options - (*MeshGateway_TLS_Conf)(nil), // 8: kuma.mesh.v1alpha1.MeshGateway.TLS.Conf - nil, // 9: kuma.mesh.v1alpha1.MeshGateway.Listener.TagsEntry - (*Selector)(nil), // 10: kuma.mesh.v1alpha1.Selector - (*v1alpha1.DataSource)(nil), // 11: kuma.system.v1alpha1.DataSource + (MeshGateway_TLS_Mode)(0), // 0: kuma.mesh.v1alpha1.MeshGateway.TLS.Mode + (MeshGateway_Listener_Protocol)(0), // 1: kuma.mesh.v1alpha1.MeshGateway.Listener.Protocol + (*MeshGateway)(nil), // 2: kuma.mesh.v1alpha1.MeshGateway + (*MeshGateway_TLS)(nil), // 3: kuma.mesh.v1alpha1.MeshGateway.TLS + (*MeshGateway_Listener)(nil), // 4: kuma.mesh.v1alpha1.MeshGateway.Listener + (*MeshGateway_Conf)(nil), // 5: kuma.mesh.v1alpha1.MeshGateway.Conf + nil, // 6: kuma.mesh.v1alpha1.MeshGateway.TagsEntry + (*MeshGateway_TLS_Options)(nil), // 7: kuma.mesh.v1alpha1.MeshGateway.TLS.Options + (*MeshGateway_TLS_Conf)(nil), // 8: kuma.mesh.v1alpha1.MeshGateway.TLS.Conf + (*MeshGateway_Listener_Resources)(nil), // 9: kuma.mesh.v1alpha1.MeshGateway.Listener.Resources + 
nil, // 10: kuma.mesh.v1alpha1.MeshGateway.Listener.TagsEntry + (*Selector)(nil), // 11: kuma.mesh.v1alpha1.Selector + (*v1alpha1.DataSource)(nil), // 12: kuma.system.v1alpha1.DataSource } var file_mesh_v1alpha1_gateway_proto_depIdxs = []int32{ - 10, // 0: kuma.mesh.v1alpha1.MeshGateway.selectors:type_name -> kuma.mesh.v1alpha1.Selector + 11, // 0: kuma.mesh.v1alpha1.MeshGateway.selectors:type_name -> kuma.mesh.v1alpha1.Selector 6, // 1: kuma.mesh.v1alpha1.MeshGateway.tags:type_name -> kuma.mesh.v1alpha1.MeshGateway.TagsEntry 5, // 2: kuma.mesh.v1alpha1.MeshGateway.conf:type_name -> kuma.mesh.v1alpha1.MeshGateway.Conf 1, // 3: kuma.mesh.v1alpha1.MeshGateway.Listener.protocol:type_name -> kuma.mesh.v1alpha1.MeshGateway.Listener.Protocol 8, // 4: kuma.mesh.v1alpha1.MeshGateway.Listener.tls:type_name -> kuma.mesh.v1alpha1.MeshGateway.TLS.Conf - 9, // 5: kuma.mesh.v1alpha1.MeshGateway.Listener.tags:type_name -> kuma.mesh.v1alpha1.MeshGateway.Listener.TagsEntry - 4, // 6: kuma.mesh.v1alpha1.MeshGateway.Conf.listeners:type_name -> kuma.mesh.v1alpha1.MeshGateway.Listener - 0, // 7: kuma.mesh.v1alpha1.MeshGateway.TLS.Conf.mode:type_name -> kuma.mesh.v1alpha1.MeshGateway.TLS.Mode - 11, // 8: kuma.mesh.v1alpha1.MeshGateway.TLS.Conf.certificates:type_name -> kuma.system.v1alpha1.DataSource - 7, // 9: kuma.mesh.v1alpha1.MeshGateway.TLS.Conf.options:type_name -> kuma.mesh.v1alpha1.MeshGateway.TLS.Options - 10, // [10:10] is the sub-list for method output_type - 10, // [10:10] is the sub-list for method input_type - 10, // [10:10] is the sub-list for extension type_name - 10, // [10:10] is the sub-list for extension extendee - 0, // [0:10] is the sub-list for field type_name + 10, // 5: kuma.mesh.v1alpha1.MeshGateway.Listener.tags:type_name -> kuma.mesh.v1alpha1.MeshGateway.Listener.TagsEntry + 9, // 6: kuma.mesh.v1alpha1.MeshGateway.Listener.resources:type_name -> kuma.mesh.v1alpha1.MeshGateway.Listener.Resources + 4, // 7: 
kuma.mesh.v1alpha1.MeshGateway.Conf.listeners:type_name -> kuma.mesh.v1alpha1.MeshGateway.Listener + 0, // 8: kuma.mesh.v1alpha1.MeshGateway.TLS.Conf.mode:type_name -> kuma.mesh.v1alpha1.MeshGateway.TLS.Mode + 12, // 9: kuma.mesh.v1alpha1.MeshGateway.TLS.Conf.certificates:type_name -> kuma.system.v1alpha1.DataSource + 7, // 10: kuma.mesh.v1alpha1.MeshGateway.TLS.Conf.options:type_name -> kuma.mesh.v1alpha1.MeshGateway.TLS.Options + 11, // [11:11] is the sub-list for method output_type + 11, // [11:11] is the sub-list for method input_type + 11, // [11:11] is the sub-list for extension type_name + 11, // [11:11] is the sub-list for extension extendee + 0, // [0:11] is the sub-list for field type_name } func init() { file_mesh_v1alpha1_gateway_proto_init() } @@ -753,6 +819,18 @@ func file_mesh_v1alpha1_gateway_proto_init() { return nil } } + file_mesh_v1alpha1_gateway_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*MeshGateway_Listener_Resources); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } } type x struct{} out := protoimpl.TypeBuilder{ @@ -760,7 +838,7 @@ func file_mesh_v1alpha1_gateway_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_mesh_v1alpha1_gateway_proto_rawDesc, NumEnums: 2, - NumMessages: 8, + NumMessages: 9, NumExtensions: 0, NumServices: 0, }, diff --git a/api/mesh/v1alpha1/gateway.proto b/api/mesh/v1alpha1/gateway.proto index 7e21b614426a..354a2e8c3e85 100644 --- a/api/mesh/v1alpha1/gateway.proto +++ b/api/mesh/v1alpha1/gateway.proto @@ -82,6 +82,8 @@ message MeshGateway { } message Listener { + message Resources { uint32 connectionLimit = 1; } + enum Protocol { NONE = 0; TCP = 1; 
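Review bot: The new `Resources` message and its `connectionLimit` field in gateway.proto have no doc comment, unlike the neighbouring `crossMesh` field, so the API does not say what the limit counts or what an unset value means. The generator code later in this patch skips a value of 0 and emits no limit, which is worth stating, e.g. `// ConnectionLimit caps the number of active connections on this listener. 0 or unset means no limit is applied.` The same applies to the `resources = 7` field added in the next hunk. The `Listener` message continues outside this hunk.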
@@ -121,6 +123,8 @@ message MeshGateway { // CrossMesh enables traffic to flow to this listener only from other // meshes. bool crossMesh = 6; + + Resources resources = 7; } // Conf defines the desired state of MeshGateway. diff --git a/pkg/plugins/runtime/gateway/generator.go b/pkg/plugins/runtime/gateway/generator.go index 4d27f11004e2..289a318583bc 100644 --- a/pkg/plugins/runtime/gateway/generator.go +++ b/pkg/plugins/runtime/gateway/generator.go @@ -5,6 +5,7 @@ import ( "sort" "strings" + envoy_service_runtime_v3 "github.com/envoyproxy/go-control-plane/envoy/service/runtime/v3" "github.com/pkg/errors" mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1" @@ -15,6 +16,7 @@ import ( "github.com/kumahq/kuma/pkg/plugins/runtime/gateway/match" "github.com/kumahq/kuma/pkg/plugins/runtime/gateway/merge" "github.com/kumahq/kuma/pkg/plugins/runtime/gateway/route" + util_proto "github.com/kumahq/kuma/pkg/util/proto" xds_context "github.com/kumahq/kuma/pkg/xds/context" envoy_listeners "github.com/kumahq/kuma/pkg/xds/envoy/listeners" envoy_names "github.com/kumahq/kuma/pkg/xds/envoy/names" @@ -62,6 +64,7 @@ type GatewayListener struct { // CrossMesh is important because for generation we need to treat such a // listener as if we have HTTPS with the Mesh cert for this Dataplane CrossMesh bool + Resources *mesh_proto.MeshGateway_Listener_Resources // TODO verify these don't conflict when merging } // GatewayListenerInfo holds everything needed to generate resources for a @@ -211,6 +214,8 @@ func (g Generator) Generate(ctx xds_context.Context, proxy *core_xds.Proxy) (*co return nil, errors.Wrap(err, "error generating listener info from Proxy") } + var limits []RuntimeResoureLimitListener + for _, info := range listenerInfos { // This is checked by the gateway validator if !SupportsProtocol(info.Listener.Protocol) { 
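Review bot: The `Resources` field added to `GatewayListener` carries `TODO verify these don't conflict when merging`, and the `MakeGatewayListener` hunk further down fills it from `listeners[0].GetResources()`, so when several MeshGateway listeners are collapsed into one, only the first one's connection limit appears to survive. A stricter limit declared on a later listener would then be dropped without any error, leaving the gateway less protected against connection exhaustion than the operator configured. Until conflicting values are rejected in validation, taking the lowest non-zero limit across `listeners` would fail safe. At minimum the TODO should become `// Resources is taken from the first merged listener only; limits on other listeners sharing this port are ignored.` Both the struct and `MakeGatewayListener` continue outside their hunks.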
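Review bot: The type name `RuntimeResoureLimitListener` used for `limits` here is misspelled ("Resoure"), and because it is exported the typo becomes part of the package API once merged. It is declared in the listener_generator.go hunk and also appears in the `generateRTDS`, `generateLDS` and `GenerateListener` signatures, so renaming it to `RuntimeResourceLimitListener` now is a purely mechanical change. `Generate` continues outside this hunk.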
@@ -223,12 +228,16 @@ func (g Generator) Generate(ctx xds_context.Context, proxy *core_xds.Proxy) (*co } resources.AddSet(cdsResources) - ldsResources, err := g.generateLDS(ctx, info, info.HostInfos) + ldsResources, limit, err := g.generateLDS(ctx, info, info.HostInfos) if err != nil { return nil, err } resources.AddSet(ldsResources) + if limit != nil { + limits = append(limits, *limit) + } + rdsResources, err := g.generateRDS(ctx, info, info.HostInfos) if err != nil { return nil, err @@ -236,12 +245,33 @@ func (g Generator) Generate(ctx xds_context.Context, proxy *core_xds.Proxy) (*co resources.AddSet(rdsResources) } + resources.Add(g.generateRTDS(limits)) + return resources, nil } -func (g Generator) generateLDS(ctx xds_context.Context, info GatewayListenerInfo, hostInfos []GatewayHostInfo) (*core_xds.ResourceSet, error) { +func (g Generator) generateRTDS(limits []RuntimeResoureLimitListener) *core_xds.Resource { + layer := map[string]interface{}{} + for _, limit := range limits { + layer[fmt.Sprintf("envoy.resource_limits.listener.%s.connection_limit", limit.Name)] = limit.ConnectionLimit + } + + res := &core_xds.Resource{ + Name: "gateway.listeners", + Origin: OriginGateway, + Resource: &envoy_service_runtime_v3.Runtime{ + Name: "gateway.listeners", + Layer: util_proto.MustStruct(layer), + }, + } + + return res +} + +func (g Generator) generateLDS(ctx xds_context.Context, info GatewayListenerInfo, hostInfos []GatewayHostInfo) (*core_xds.ResourceSet, *RuntimeResoureLimitListener, error) { resources := core_xds.NewResourceSet() - listenerBuilder := GenerateListener(info) + + listenerBuilder, limit := GenerateListener(info) var gatewayHosts []GatewayHost for _, hostInfo := range hostInfos { 
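Review bot: `generateRTDS` hard-codes the runtime name `"gateway.listeners"` twice, and the bootstrap hunk in template_v3.go repeats the same literal for the RTDS layer. If the two ever diverge, Envoy would presumably never apply the layer, and the connection limits would stop being enforced without any error. A shared constant in a package both files can import, e.g. `const GatewayListenersRuntimeLayer = "gateway.listeners"`, would remove that risk. The function also has no doc comment; `// generateRTDS publishes per-listener connection limits as envoy.resource_limits.listener.<name>.connection_limit runtime keys; it is emitted even when limits is empty so that removed limits are cleared.` would record what looks like the intent.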
@@ -254,7 +284,7 @@ func (g Generator) generateLDS(ctx xds_context.Context, info GatewayListenerInfo } res, filterChainBuilders, err := g.FilterChainGenerators.FilterChainGenerators[protocol].Generate(ctx, info, gatewayHosts) if err != nil { - return nil, err + return nil, limit, err } resources.AddSet(res) @@ -264,11 +294,11 @@ func (g Generator) generateLDS(ctx xds_context.Context, info GatewayListenerInfo res, err = BuildResourceSet(listenerBuilder) if err != nil { - return nil, errors.Wrapf(err, "failed to build listener resource") + return nil, limit, errors.Wrapf(err, "failed to build listener resource") } resources.AddSet(res) - return resources, nil + return resources, limit, nil } func (g Generator) generateCDS(ctx xds_context.Context, info GatewayListenerInfo, hostInfos []GatewayHostInfo) (*core_xds.ResourceSet, error) { @@ -335,6 +365,7 @@ func MakeGatewayListener( listeners[0].GetPort(), ), CrossMesh: listeners[0].CrossMesh, + Resources: listeners[0].GetResources(), } // Hostnames must be unique to a listener to remove ambiguity diff --git a/pkg/plugins/runtime/gateway/listener_generator.go b/pkg/plugins/runtime/gateway/listener_generator.go index cffa835273da..d097589a4db7 100644 --- a/pkg/plugins/runtime/gateway/listener_generator.go +++ b/pkg/plugins/runtime/gateway/listener_generator.go @@ -27,7 +27,12 @@ func SupportsProtocol(p mesh_proto.MeshGateway_Listener_Protocol) bool { } } -func GenerateListener(info GatewayListenerInfo) *envoy_listeners.ListenerBuilder { +type RuntimeResoureLimitListener struct { + Name string + ConnectionLimit uint32 +} + +func GenerateListener(info GatewayListenerInfo) (*envoy_listeners.ListenerBuilder, *RuntimeResoureLimitListener) { // TODO(jpeach) what we really need to do here is to // generate a HTTP filter chain for each // host on the same HTTPConnectionManager. Each HTTP filter 
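Review bot: On both error paths `generateLDS` now returns `nil, limit, err`, handing back a possibly non-nil limit together with an error. `Generate` returns early on `err`, so nothing consumes it today. Returning `nil, nil, err` keeps the convention that the other results are meaningless when the error is set, and stops a future caller from publishing a limit for a listener that failed to build. `generateLDS` starts in the previous hunk and part of its body is outside the visible hunks.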
@@ -48,12 +53,23 @@ func GenerateListener(info GatewayListenerInfo) *envoy_listeners.ListenerBuilder "protocol", protocol, ) - // TODO(jpeach) if proxy protocol is enabled, add the proxy protocol listener filter. + name := envoy_names.GetGatewayListenerName(info.Gateway.Meta.GetName(), protocol.String(), port) + var limits *RuntimeResoureLimitListener + if resources := info.Listener.Resources; resources != nil { + if resources.ConnectionLimit > 0 { + limits = &RuntimeResoureLimitListener{ + Name: name, + ConnectionLimit: resources.ConnectionLimit, + } + } + } + + // TODO(jpeach) if proxy protocol is enabled, add the proxy protocol listener filter. return envoy_listeners.NewListenerBuilder(info.Proxy.APIVersion). Configure( envoy_listeners.InboundListener( - envoy_names.GetGatewayListenerName(info.Gateway.Meta.GetName(), protocol.String(), port), + name, address, port, core_xds.SocketAddressProtocolTCP), // Limit default buffering for edge connections. envoy_listeners.ConnectionBufferLimit(DefaultConnectionBuffer), @@ -61,5 +77,5 @@ func GenerateListener(info GatewayListenerInfo) *envoy_listeners.ListenerBuilder envoy_listeners.EnableReusePort(true), // Always sniff for TLS. envoy_listeners.TLSInspector(), - ) + ), limits } diff --git a/pkg/xds/bootstrap/template_v3.go b/pkg/xds/bootstrap/template_v3.go index b4bf30ee5880..022a942f831d 100644 --- a/pkg/xds/bootstrap/template_v3.go +++ b/pkg/xds/bootstrap/template_v3.go 
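Review bot: `GenerateListener` does not set the limit on the listener it builds; it only returns it, and the limit takes effect through the runtime key that `generateRTDS` publishes under the same `name`. That coupling is not documented in the function, nor is the fact that `ConnectionLimit == 0` or a nil `Resources` leaves the listener with no cap at all. A comment above the `limits` block would make both clear, e.g. `// Enforced by Envoy via the envoy.resource_limits.listener.<name>.connection_limit runtime key, so name must match the listener name exactly; 0 means unlimited.` The function's signature is in the previous hunk and parts of its body are outside both hunks.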
@@ -46,6 +46,32 @@ func genConfig(parameters configParameters, useTokenPath bool) (*envoy_bootstrap features = append(features, feature) } + runtimeLayers := []*envoy_bootstrap_v3.RuntimeLayer{{ + Name: "kuma", + LayerSpecifier: &envoy_bootstrap_v3.RuntimeLayer_StaticLayer{ + StaticLayer: util_proto.MustStruct(map[string]interface{}{ + "envoy.restart_features.use_apple_api_for_dns_lookups": false, + "re2.max_program_size.error_level": 4294967295, + "re2.max_program_size.warn_level": 1000, + }), + }, + }} + + if parameters.IsGatewayDataplane { + runtimeLayers = append(runtimeLayers, &envoy_bootstrap_v3.RuntimeLayer{ + Name: "gateway.listeners", + LayerSpecifier: &envoy_bootstrap_v3.RuntimeLayer_RtdsLayer_{ + RtdsLayer: &envoy_bootstrap_v3.RuntimeLayer_RtdsLayer{ + Name: "gateway.listeners", + RtdsConfig: &envoy_core_v3.ConfigSource{ + ResourceApiVersion: envoy_core_v3.ApiVersion_V3, + ConfigSourceSpecifier: &envoy_core_v3.ConfigSource_Ads{}, + }, + }, + }, + }) + } + res := &envoy_bootstrap_v3.Bootstrap{ Node: &envoy_core_v3.Node{ Id: parameters.Id, @@ -69,18 +95,7 @@ func genConfig(parameters configParameters, useTokenPath bool) (*envoy_bootstrap }), }, LayeredRuntime: &envoy_bootstrap_v3.LayeredRuntime{ - Layers: []*envoy_bootstrap_v3.RuntimeLayer{ - { - Name: "kuma", - LayerSpecifier: &envoy_bootstrap_v3.RuntimeLayer_StaticLayer{ - StaticLayer: util_proto.MustStruct(map[string]interface{}{ - "envoy.restart_features.use_apple_api_for_dns_lookups": false, - "re2.max_program_size.error_level": 4294967295, - "re2.max_program_size.warn_level": 1000, - }), - }, - }, - }, + Layers: runtimeLayers, }, StatsConfig: &envoy_metrics_v3.StatsConfig{ StatsTags: []*envoy_metrics_v3.TagSpecifier{ From 8002cc0e661b4fef24b1d763787fd46bdb5bd0c1 Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Wed, 3 Aug 2022 14:59:36 +0200 Subject: [PATCH 02/11] test(gateway): update golden files after change 
Signed-off-by: Mike Beaumont --- .../runtime/gateway/testdata/http/01-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/02-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/03-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/04-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/05-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/06-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/07-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/08-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/09-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/10-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/11-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/12-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/13-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/14-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/15-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/16-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/17-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/18-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/19-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/20-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/21-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/22-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/23-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/24-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/25-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/26-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/http/cross-mesh-gateway.yaml | 5 ++++- .../http/external-service-with-timeout-no-egress.yaml | 5 ++++- pkg/plugins/runtime/gateway/testdata/http/no-timeout.yaml | 5 ++++- 
.../runtime/gateway/testdata/https/01-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/02-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/03-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/04-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/05-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/06-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/07-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/08-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/09-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/10-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/11-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/12-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/13-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/14-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/15-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/16-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/17-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/18-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/19-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/20-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/21-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/22-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/23-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/24-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/25-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/26-gateway-route.yaml | 5 ++++- .../runtime/gateway/testdata/https/cross-mesh-gateway.yaml | 5 ++++- .../https/external-service-with-timeout-no-egress.yaml | 5 ++++- pkg/plugins/runtime/gateway/testdata/https/no-timeout.yaml | 5 ++++- 
.../runtime/gateway/testdata/tcp/tcp-route-no-egress.yaml | 5 ++++- pkg/plugins/runtime/gateway/testdata/tcp/tcp-route.yaml | 5 ++++- pkg/xds/bootstrap/testdata/bootstrap.gateway.golden.yaml | 6 ++++++ 61 files changed, 246 insertions(+), 60 deletions(-) diff --git a/pkg/plugins/runtime/gateway/testdata/http/01-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/01-gateway-route.yaml index 373d2afc3f2a..82cb6da5587f 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/01-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/01-gateway-route.yaml @@ -197,6 +197,9 @@ Routes: match: prefix: / Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/02-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/02-gateway-route.yaml index 9c4d47254739..5841247ec1c5 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/02-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/02-gateway-route.yaml @@ -162,6 +162,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/03-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/03-gateway-route.yaml index 418c667a5ede..31ff0d33f197 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/03-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/03-gateway-route.yaml @@ -138,6 +138,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/04-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/04-gateway-route.yaml index 9befabceba40..9e56fec4fd42 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/04-gateway-route.yaml 
+++ b/pkg/plugins/runtime/gateway/testdata/http/04-gateway-route.yaml @@ -174,6 +174,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/05-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/05-gateway-route.yaml index 9061a31ff723..29b3c650a9f4 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/05-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/05-gateway-route.yaml @@ -81,6 +81,9 @@ Routes: schemeRedirect: https stripQuery: true Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/06-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/06-gateway-route.yaml index 32a2ca9e529b..e8bbf1cd03ad 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/06-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/06-gateway-route.yaml @@ -193,6 +193,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/07-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/07-gateway-route.yaml index 0046593d9149..2604c2faafbb 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/07-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/07-gateway-route.yaml @@ -158,6 +158,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/08-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/08-gateway-route.yaml index 7d6ed0c11fa9..e3a4d5a4c34f 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/08-gateway-route.yaml 
+++ b/pkg/plugins/runtime/gateway/testdata/http/08-gateway-route.yaml @@ -202,6 +202,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/09-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/09-gateway-route.yaml index 54a23b490add..8e3e5ca023bb 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/09-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/09-gateway-route.yaml @@ -140,6 +140,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/10-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/10-gateway-route.yaml index 031f9ef8d4ac..6fd7bdf22da5 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/10-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/10-gateway-route.yaml @@ -237,6 +237,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/11-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/11-gateway-route.yaml index 66ef4ac0595f..6ee487d31fe0 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/11-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/11-gateway-route.yaml @@ -241,6 +241,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/12-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/12-gateway-route.yaml index af5663f628b8..9a5d37313919 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/12-gateway-route.yaml 
+++ b/pkg/plugins/runtime/gateway/testdata/http/12-gateway-route.yaml @@ -193,6 +193,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/13-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/13-gateway-route.yaml index 657fcf0fc915..5c3351b6e55f 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/13-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/13-gateway-route.yaml @@ -288,6 +288,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/14-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/14-gateway-route.yaml index efbd4dfe155e..4c34b50d5f25 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/14-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/14-gateway-route.yaml @@ -142,6 +142,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/15-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/15-gateway-route.yaml index b713e6ca301a..740399d91459 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/15-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/15-gateway-route.yaml @@ -271,6 +271,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/16-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/16-gateway-route.yaml index 0e9d958e62eb..c784c7319dd6 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/16-gateway-route.yaml 
+++ b/pkg/plugins/runtime/gateway/testdata/http/16-gateway-route.yaml @@ -268,6 +268,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/17-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/17-gateway-route.yaml index c25e7733f12c..3afcb9d1ba97 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/17-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/17-gateway-route.yaml @@ -289,6 +289,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/18-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/18-gateway-route.yaml index 1563a02ac263..db97902fe1c2 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/18-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/18-gateway-route.yaml @@ -131,6 +131,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/19-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/19-gateway-route.yaml index 8bb4cd92d968..537f46dca883 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/19-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/19-gateway-route.yaml @@ -143,6 +143,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/20-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/20-gateway-route.yaml index 380418ac0e96..7aeb8be975b8 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/20-gateway-route.yaml 
+++ b/pkg/plugins/runtime/gateway/testdata/http/20-gateway-route.yaml @@ -274,6 +274,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/21-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/21-gateway-route.yaml index 6e4fd40d7a1f..89dc7c46638e 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/21-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/21-gateway-route.yaml @@ -319,6 +319,9 @@ Routes: maxTokens: 1 tokensPerFill: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/22-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/22-gateway-route.yaml index 8f1c98de1165..d655cb32fa56 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/22-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/22-gateway-route.yaml @@ -213,6 +213,9 @@ Routes: match: prefix: / Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/23-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/23-gateway-route.yaml index 0c2d711cf44e..274110b36827 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/23-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/23-gateway-route.yaml @@ -281,6 +281,9 @@ Routes: match: prefix: / Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/24-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/24-gateway-route.yaml index 49df01053bda..fc0fad75f582 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/24-gateway-route.yaml 
+++ b/pkg/plugins/runtime/gateway/testdata/http/24-gateway-route.yaml @@ -237,6 +237,9 @@ Routes: match: prefix: / Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/25-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/25-gateway-route.yaml index 23cb6e6713fe..96cc2672c8dc 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/25-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/25-gateway-route.yaml @@ -160,7 +160,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: identity_cert:secret:default: diff --git a/pkg/plugins/runtime/gateway/testdata/http/26-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/http/26-gateway-route.yaml index 963d293913c5..370693b993d0 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/26-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/26-gateway-route.yaml @@ -146,7 +146,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: identity_cert:secret:default: diff --git a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml index e075700181fa..6a59319d03df 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml @@ -293,7 +293,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: identity_cert:secret:default: 
diff --git a/pkg/plugins/runtime/gateway/testdata/http/external-service-with-timeout-no-egress.yaml b/pkg/plugins/runtime/gateway/testdata/http/external-service-with-timeout-no-egress.yaml index 2ece21dc71e6..17ad3359c3ed 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/external-service-with-timeout-no-egress.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/external-service-with-timeout-no-egress.yaml @@ -160,6 +160,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/http/no-timeout.yaml b/pkg/plugins/runtime/gateway/testdata/http/no-timeout.yaml index 32eaf3d08999..03d7d2b0edef 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/no-timeout.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/no-timeout.yaml @@ -137,6 +137,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/https/01-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/01-gateway-route.yaml index 373d2afc3f2a..82cb6da5587f 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/01-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/01-gateway-route.yaml @@ -197,6 +197,9 @@ Routes: match: prefix: / Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/https/02-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/02-gateway-route.yaml index 9c4d47254739..5841247ec1c5 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/02-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/02-gateway-route.yaml 
@@ -162,6 +162,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/https/03-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/03-gateway-route.yaml index e7d8ff65d094..02973a31943d 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/03-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/03-gateway-route.yaml @@ -164,7 +164,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/04-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/04-gateway-route.yaml index 638c3e51143c..adfcaf6059a8 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/04-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/04-gateway-route.yaml @@ -200,7 +200,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/05-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/05-gateway-route.yaml index 26201e72938a..fc967d1e9dd4 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/05-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/05-gateway-route.yaml @@ -107,7 +107,10 @@ Routes: schemeRedirect: https stripQuery: true Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: 
diff --git a/pkg/plugins/runtime/gateway/testdata/https/06-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/06-gateway-route.yaml index 41eca81e54c9..5280e3d8e29e 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/06-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/06-gateway-route.yaml @@ -219,7 +219,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/07-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/07-gateway-route.yaml index f305b41b9405..786b766c7d6e 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/07-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/07-gateway-route.yaml @@ -184,7 +184,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/08-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/08-gateway-route.yaml index e2e2406a9824..b9dd0122968a 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/08-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/08-gateway-route.yaml @@ -228,7 +228,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/09-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/09-gateway-route.yaml index 626fbfe3b6b1..9c4df7d0227b 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/09-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/09-gateway-route.yaml 
@@ -166,7 +166,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/10-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/10-gateway-route.yaml index efdf3d19c00e..e1973c0f39f9 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/10-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/10-gateway-route.yaml @@ -263,7 +263,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/11-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/11-gateway-route.yaml index a7c1b022f73c..05dad00f9dc3 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/11-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/11-gateway-route.yaml @@ -267,7 +267,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/12-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/12-gateway-route.yaml index d39a8b68f048..df9df3faaf3f 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/12-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/12-gateway-route.yaml @@ -219,7 +219,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: 
diff --git a/pkg/plugins/runtime/gateway/testdata/https/13-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/13-gateway-route.yaml index 7a398315fcb3..ed8f61e05f70 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/13-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/13-gateway-route.yaml @@ -314,7 +314,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/14-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/14-gateway-route.yaml index 5295c230475b..29af0d88142f 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/14-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/14-gateway-route.yaml @@ -168,7 +168,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/15-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/15-gateway-route.yaml index 6f1df35f41e3..1c114723ec71 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/15-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/15-gateway-route.yaml @@ -297,7 +297,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/16-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/16-gateway-route.yaml index 03e6f42d1358..7ab6d738528b 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/16-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/16-gateway-route.yaml 
@@ -294,7 +294,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/17-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/17-gateway-route.yaml index 4eac3a088d6e..9b1c522e04c8 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/17-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/17-gateway-route.yaml @@ -315,7 +315,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/18-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/18-gateway-route.yaml index ca9f5daa1bd4..8bc874bca968 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/18-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/18-gateway-route.yaml @@ -157,7 +157,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/19-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/19-gateway-route.yaml index 69ab89cff16b..4ba525f76f73 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/19-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/19-gateway-route.yaml @@ -169,7 +169,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: 
diff --git a/pkg/plugins/runtime/gateway/testdata/https/20-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/20-gateway-route.yaml index 44a8e84b8448..392c9b15ac3c 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/20-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/20-gateway-route.yaml @@ -438,7 +438,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/21-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/21-gateway-route.yaml index 91fdb90aed85..cd6c7f0869df 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/21-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/21-gateway-route.yaml @@ -345,7 +345,10 @@ Routes: maxTokens: 1 tokensPerFill: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/22-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/22-gateway-route.yaml index 8f1c98de1165..d655cb32fa56 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/22-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/22-gateway-route.yaml @@ -213,6 +213,9 @@ Routes: match: prefix: / Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/https/23-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/23-gateway-route.yaml index 0c2d711cf44e..274110b36827 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/23-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/23-gateway-route.yaml 
@@ -281,6 +281,9 @@ Routes: match: prefix: / Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/https/24-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/24-gateway-route.yaml index 49df01053bda..fc0fad75f582 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/24-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/24-gateway-route.yaml @@ -237,6 +237,9 @@ Routes: match: prefix: / Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/https/25-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/25-gateway-route.yaml index 38710b547588..78fc5faa38f4 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/25-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/25-gateway-route.yaml @@ -186,7 +186,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/26-gateway-route.yaml b/pkg/plugins/runtime/gateway/testdata/https/26-gateway-route.yaml index bbd24676806a..c56ea3820e41 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/26-gateway-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/26-gateway-route.yaml @@ -172,7 +172,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml index e075700181fa..6a59319d03df 100644 
--- a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml @@ -293,7 +293,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: identity_cert:secret:default: diff --git a/pkg/plugins/runtime/gateway/testdata/https/external-service-with-timeout-no-egress.yaml b/pkg/plugins/runtime/gateway/testdata/https/external-service-with-timeout-no-egress.yaml index 2ece21dc71e6..17ad3359c3ed 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/external-service-with-timeout-no-egress.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/external-service-with-timeout-no-egress.yaml @@ -160,6 +160,9 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/https/no-timeout.yaml b/pkg/plugins/runtime/gateway/testdata/https/no-timeout.yaml index 5fa159f5e32f..8a43c9985ec2 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/no-timeout.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/no-timeout.yaml @@ -163,7 +163,10 @@ Routes: weight: 1 totalWeight: 1 Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: cert.rsa:secret:echo-example-com-server-cert: diff --git a/pkg/plugins/runtime/gateway/testdata/tcp/tcp-route-no-egress.yaml b/pkg/plugins/runtime/gateway/testdata/tcp/tcp-route-no-egress.yaml index 88aea7623ec8..300281689fe0 100644 --- a/pkg/plugins/runtime/gateway/testdata/tcp/tcp-route-no-egress.yaml +++ b/pkg/plugins/runtime/gateway/testdata/tcp/tcp-route-no-egress.yaml @@ -71,6 +71,9 @@ Listeners: Routes: Resources: {} Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: {} 
diff --git a/pkg/plugins/runtime/gateway/testdata/tcp/tcp-route.yaml b/pkg/plugins/runtime/gateway/testdata/tcp/tcp-route.yaml index b493ae916634..e136fd35a75a 100644 --- a/pkg/plugins/runtime/gateway/testdata/tcp/tcp-route.yaml +++ b/pkg/plugins/runtime/gateway/testdata/tcp/tcp-route.yaml @@ -195,7 +195,10 @@ Listeners: Routes: Resources: {} Runtimes: - Resources: {} + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners Secrets: Resources: identity_cert:secret:default: diff --git a/pkg/xds/bootstrap/testdata/bootstrap.gateway.golden.yaml b/pkg/xds/bootstrap/testdata/bootstrap.gateway.golden.yaml index b6873bf40ba5..7c8f522ee333 100644 --- a/pkg/xds/bootstrap/testdata/bootstrap.gateway.golden.yaml +++ b/pkg/xds/bootstrap/testdata/bootstrap.gateway.golden.yaml @@ -32,6 +32,12 @@ layeredRuntime: envoy.restart_features.use_apple_api_for_dns_lookups: false re2.max_program_size.error_level: 4294967295 re2.max_program_size.warn_level: 1000 + - name: gateway.listeners + rtdsLayer: + name: gateway.listeners + rtdsConfig: + ads: {} + resourceApiVersion: V3 node: cluster: gateway id: default.gateway-1.default From 3aa5cd1570dfec121d6187df415c0624739a8ab2 Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Wed, 3 Aug 2022 15:00:16 +0200 Subject: [PATCH 03/11] test(gateway): add test for connection limit and include more in golden output Signed-off-by: Mike Beaumont --- .../gateway/listener_generator_test.go | 20 +- .../gateway/testdata/01-gateway-listener.yaml | 145 ++-- .../gateway/testdata/02-gateway-listener.yaml | 274 +++++--- .../gateway/testdata/03-gateway-listener.yaml | 182 +++-- .../gateway/testdata/04-gateway-listener.yaml | 163 +++-- .../gateway/testdata/05-gateway-listener.yaml | 656 +++++++++++------- .../testdata/connection-limited-listener.yaml | 31 + .../gateway/testdata/tcp-listener.yaml | 46 +- 8 files changed, 938 insertions(+), 579 deletions(-) create mode 100644 pkg/plugins/runtime/gateway/testdata/connection-limited-listener.yaml 
diff --git a/pkg/plugins/runtime/gateway/listener_generator_test.go b/pkg/plugins/runtime/gateway/listener_generator_test.go index b5e0aa60179b..8a72ae73cb37 100644 --- a/pkg/plugins/runtime/gateway/listener_generator_test.go +++ b/pkg/plugins/runtime/gateway/listener_generator_test.go @@ -3,7 +3,6 @@ package gateway_test import ( "path" - envoy_types "github.com/envoyproxy/go-control-plane/pkg/cache/types" "github.com/envoyproxy/go-control-plane/pkg/cache/v3" "github.com/ghodss/yaml" . "github.com/onsi/ginkgo/v2" @@ -84,7 +83,7 @@ data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBM3ZWM1cvNX snap, err := Do(gateway) Expect(err).To(Succeed()) - out, err := yaml.Marshal(MakeProtoResource(snap.Resources[envoy_types.Listener])) + out, err := yaml.Marshal(MakeProtoSnapshot(snap)) Expect(err).To(Succeed()) Expect(out).To(matchers.MatchGoldenYAML(path.Join("testdata", golden))) @@ -218,6 +217,23 @@ conf: tags: name: example.com `), + + Entry("should add connection limits", + "connection-limited-listener.yaml", ` +type: MeshGateway +mesh: default +name: default-gateway +selectors: +- match: + kuma.io/service: gateway-default +conf: + listeners: + - port: 443 + protocol: TCP + hostname: bar.example.com + resources: + connectionLimit: 10000 +`), ) DescribeTable("fail to generate xDS resources", diff --git a/pkg/plugins/runtime/gateway/testdata/01-gateway-listener.yaml b/pkg/plugins/runtime/gateway/testdata/01-gateway-listener.yaml index ed5341b12eb1..7d16f28001f7 100644 --- a/pkg/plugins/runtime/gateway/testdata/01-gateway-listener.yaml +++ b/pkg/plugins/runtime/gateway/testdata/01-gateway-listener.yaml 
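Review bot: The new `should add connection limits` entry in the third hunk of `listener_generator_test.go` covers only one TCP listener with a single non-zero limit (`connectionLimit: 10000`), so the golden file pins just the happy path. `connectionLimit` is a proto3 `uint32`, so 0 and unset cannot be told apart; I would add a sibling entry whose listener carries `resources: {}` or `connectionLimit: 0`, so the golden output records whether the generator emits no limit or a limit of zero for that listener. A further entry with two listeners and different limits would show that each value is attached to its own listener and not shared across the gateway. It is also worth a comment on the entry, for example `// connectionLimit caps concurrent downstream connections per listener; 0 is treated as "not set"`, once that behaviour is confirmed against the generator. The enclosing `DescribeTable` starts before this hunk, so existing entries may already cover part of this.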
@@ -1,58 +1,89 @@ -Resources: - edge-gateway:HTTP:8080: - address: - socketAddress: - address: 192.168.1.1 - portValue: 8080 - enableReusePort: true - filterChains: - - filters: - - name: envoy.filters.network.http_connection_manager +Clusters: + Resources: {} +Endpoints: + Resources: {} +Listeners: + Resources: + edge-gateway:HTTP:8080: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8080 + enableReusePort: true + filterChains: + - filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8080 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + stripAnyHostPort: true + useRemoteAddress: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector typedConfig: - '@type': 
type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - commonHttpProtocolOptions: - headersWithUnderscoresAction: REJECT_REQUEST - idleTimeout: 300s - http2ProtocolOptions: - allowConnect: true - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 - maxConcurrentStreams: 100 - httpFilters: - - name: envoy.filters.http.local_ratelimit - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - statPrefix: rate_limit - - name: gzip-compress - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor - compressorLibrary: - name: gzip - typedConfig: - '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip - responseDirectionConfig: - disableOnEtagHeader: true - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - mergeSlashes: true - normalizePath: true - pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT - rds: - configSource: - ads: {} - resourceApiVersion: V3 - routeConfigName: edge-gateway:HTTP:8080 - requestHeadersTimeout: 0.500s - serverName: Kuma Gateway - statPrefix: gateway-default - streamIdleTimeout: 5s - stripAnyHostPort: true - useRemoteAddress: true - listenerFilters: - - name: envoy.filters.listener.tls_inspector - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector - name: edge-gateway:HTTP:8080 - perConnectionBufferLimitBytes: 32768 - trafficDirection: INBOUND + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8080 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND +Routes: + Resources: + edge-gateway:HTTP:8080: + name: edge-gateway:HTTP:8080 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - '*' + name: 
'*' + routes: + - directResponse: + body: + inlineString: | + This is a Kuma MeshGateway. No routes match this MeshGateway! + status: 404 + match: + prefix: / +Runtimes: + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners +Secrets: + Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/02-gateway-listener.yaml b/pkg/plugins/runtime/gateway/testdata/02-gateway-listener.yaml index 236cbfdaf6f7..b7eefb603838 100644 --- a/pkg/plugins/runtime/gateway/testdata/02-gateway-listener.yaml +++ b/pkg/plugins/runtime/gateway/testdata/02-gateway-listener.yaml 
@@ -1,115 +1,163 @@ -Resources: - edge-gateway:HTTP:8080: - address: - socketAddress: - address: 192.168.1.1 - portValue: 8080 - enableReusePort: true - filterChains: - - filters: - - name: envoy.filters.network.http_connection_manager +Clusters: + Resources: {} +Endpoints: + Resources: {} +Listeners: + Resources: + edge-gateway:HTTP:8080: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8080 + enableReusePort: true + filterChains: + - filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8080 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + stripAnyHostPort: true + useRemoteAddress: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector typedConfig: - '@type': 
type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - commonHttpProtocolOptions: - headersWithUnderscoresAction: REJECT_REQUEST - idleTimeout: 300s - http2ProtocolOptions: - allowConnect: true - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 - maxConcurrentStreams: 100 - httpFilters: - - name: envoy.filters.http.local_ratelimit - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - statPrefix: rate_limit - - name: gzip-compress - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor - compressorLibrary: - name: gzip - typedConfig: - '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip - responseDirectionConfig: - disableOnEtagHeader: true - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - mergeSlashes: true - normalizePath: true - pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT - rds: - configSource: - ads: {} - resourceApiVersion: V3 - routeConfigName: edge-gateway:HTTP:8080 - requestHeadersTimeout: 0.500s - serverName: Kuma Gateway - statPrefix: gateway-default - streamIdleTimeout: 5s - stripAnyHostPort: true - useRemoteAddress: true - listenerFilters: - - name: envoy.filters.listener.tls_inspector - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector - name: edge-gateway:HTTP:8080 - perConnectionBufferLimitBytes: 32768 - trafficDirection: INBOUND - edge-gateway:HTTP:9090: - address: - socketAddress: - address: 192.168.1.1 - portValue: 9090 - enableReusePort: true - filterChains: - - filters: - - name: envoy.filters.network.http_connection_manager + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8080 + perConnectionBufferLimitBytes: 32768 + 
trafficDirection: INBOUND + edge-gateway:HTTP:9090: + address: + socketAddress: + address: 192.168.1.1 + portValue: 9090 + enableReusePort: true + filterChains: + - filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:9090 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + stripAnyHostPort: true + useRemoteAddress: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - commonHttpProtocolOptions: - headersWithUnderscoresAction: REJECT_REQUEST - idleTimeout: 300s - http2ProtocolOptions: - allowConnect: true - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 
65536 - maxConcurrentStreams: 100 - httpFilters: - - name: envoy.filters.http.local_ratelimit - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - statPrefix: rate_limit - - name: gzip-compress - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor - compressorLibrary: - name: gzip - typedConfig: - '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip - responseDirectionConfig: - disableOnEtagHeader: true - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - mergeSlashes: true - normalizePath: true - pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT - rds: - configSource: - ads: {} - resourceApiVersion: V3 - routeConfigName: edge-gateway:HTTP:9090 - requestHeadersTimeout: 0.500s - serverName: Kuma Gateway - statPrefix: gateway-default - streamIdleTimeout: 5s - stripAnyHostPort: true - useRemoteAddress: true - listenerFilters: - - name: envoy.filters.listener.tls_inspector - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector - name: edge-gateway:HTTP:9090 - perConnectionBufferLimitBytes: 32768 - trafficDirection: INBOUND + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:9090 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND +Routes: + Resources: + edge-gateway:HTTP:8080: + name: edge-gateway:HTTP:8080 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - '*' + name: '*' + routes: + - directResponse: + body: + inlineString: | + This is a Kuma MeshGateway. No routes match this MeshGateway! 
+ status: 404 + match: + prefix: / + edge-gateway:HTTP:9090: + name: edge-gateway:HTTP:9090 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - '*' + name: '*' + routes: + - directResponse: + body: + inlineString: | + This is a Kuma MeshGateway. No routes match this MeshGateway! + status: 404 + match: + prefix: / +Runtimes: + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners +Secrets: + Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/03-gateway-listener.yaml b/pkg/plugins/runtime/gateway/testdata/03-gateway-listener.yaml index 1c6115a4aa3f..acbe84b34871 100644 --- a/pkg/plugins/runtime/gateway/testdata/03-gateway-listener.yaml +++ b/pkg/plugins/runtime/gateway/testdata/03-gateway-listener.yaml 
@@ -1,69 +1,115 @@ -Resources: - tracing-gateway:HTTP:8080: - address: - socketAddress: - address: 192.168.1.1 - portValue: 8080 - enableReusePort: true - filterChains: - - filters: - - name: envoy.filters.network.http_connection_manager - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - commonHttpProtocolOptions: - headersWithUnderscoresAction: REJECT_REQUEST - idleTimeout: 300s - http2ProtocolOptions: - allowConnect: true - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 - maxConcurrentStreams: 100 - httpFilters: - - name: envoy.filters.http.local_ratelimit - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - statPrefix: rate_limit - - name: gzip-compress - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor - compressorLibrary: - name: gzip - typedConfig: - '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip - responseDirectionConfig: - disableOnEtagHeader: true - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - mergeSlashes: true - normalizePath: true - pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT - rds: - configSource: - ads: {} - resourceApiVersion: V3 - routeConfigName: tracing-gateway:HTTP:8080 - requestHeadersTimeout: 0.500s - serverName: Kuma Gateway - statPrefix: gateway-default - streamIdleTimeout: 5s - stripAnyHostPort: true - tracing: - overallSampling: - value: 100 - provider: - name: envoy.zipkin +Clusters: + Resources: + tracing:jaeger-collector: + altStatName: tracing_jaeger-collector + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: tracing:jaeger-collector + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: jaeger-collector.kuma-tracing + portValue: 9411 + name: 
tracing:jaeger-collector + type: STRICT_DNS +Endpoints: + Resources: {} +Listeners: + Resources: + tracing-gateway:HTTP:8080: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8080 + enableReusePort: true + filterChains: + - filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress typedConfig: - '@type': type.googleapis.com/envoy.config.trace.v3.ZipkinConfig - collectorCluster: tracing:jaeger-collector - collectorEndpoint: /api/v2/spans - collectorEndpointVersion: HTTP_JSON - collectorHostname: jaeger-collector.kuma-tracing:9411 - useRemoteAddress: true - listenerFilters: - - name: envoy.filters.listener.tls_inspector - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector - name: tracing-gateway:HTTP:8080 - perConnectionBufferLimitBytes: 32768 - trafficDirection: INBOUND + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + 
resourceApiVersion: V3 + routeConfigName: tracing-gateway:HTTP:8080 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + stripAnyHostPort: true + tracing: + overallSampling: + value: 100 + provider: + name: envoy.zipkin + typedConfig: + '@type': type.googleapis.com/envoy.config.trace.v3.ZipkinConfig + collectorCluster: tracing:jaeger-collector + collectorEndpoint: /api/v2/spans + collectorEndpointVersion: HTTP_JSON + collectorHostname: jaeger-collector.kuma-tracing:9411 + useRemoteAddress: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: tracing-gateway:HTTP:8080 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND +Routes: + Resources: + tracing-gateway:HTTP:8080: + name: tracing-gateway:HTTP:8080 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - '*' + name: '*' + routes: + - directResponse: + body: + inlineString: | + This is a Kuma MeshGateway. No routes match this MeshGateway! + status: 404 + match: + prefix: / +Runtimes: + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners +Secrets: + Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/04-gateway-listener.yaml b/pkg/plugins/runtime/gateway/testdata/04-gateway-listener.yaml index 5256331ee942..df8668d97621 100644 --- a/pkg/plugins/runtime/gateway/testdata/04-gateway-listener.yaml +++ b/pkg/plugins/runtime/gateway/testdata/04-gateway-listener.yaml 
@@ -1,67 +1,98 @@ -Resources: - logging-gateway:HTTP:8080: - address: - socketAddress: - address: 192.168.1.1 - portValue: 8080 - enableReusePort: true - filterChains: - - filters: - - name: envoy.filters.network.http_connection_manager +Clusters: + Resources: {} +Endpoints: + Resources: {} +Listeners: + Resources: + logging-gateway:HTTP:8080: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8080 + enableReusePort: true + filterChains: + - filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + accessLog: + - name: envoy.access_loggers.file + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + logFormat: + textFormatSource: + inlineString: | + [%START_TIME%] logging "%REQ(:method)% %REQ(x-envoy-original-path?:path)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(x-envoy-upstream-service-time)% "%REQ(x-forwarded-for)%" "%REQ(user-agent)%" "%REQ(x-b3-traceid?x-datadog-traceid)%" "%REQ(x-request-id)%" "%REQ(:authority)%" "gateway-default" "*" "192.168.1.1" "%UPSTREAM_HOST%" + path: /tmp/access.log + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + 
disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: logging-gateway:HTTP:8080 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + stripAnyHostPort: true + useRemoteAddress: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - accessLog: - - name: envoy.access_loggers.file - typedConfig: - '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog - logFormat: - textFormatSource: - inlineString: | - [%START_TIME%] logging "%REQ(:method)% %REQ(x-envoy-original-path?:path)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(x-envoy-upstream-service-time)% "%REQ(x-forwarded-for)%" "%REQ(user-agent)%" "%REQ(x-b3-traceid?x-datadog-traceid)%" "%REQ(x-request-id)%" "%REQ(:authority)%" "gateway-default" "*" "192.168.1.1" "%UPSTREAM_HOST%" - path: /tmp/access.log - commonHttpProtocolOptions: - headersWithUnderscoresAction: REJECT_REQUEST - idleTimeout: 300s - http2ProtocolOptions: - allowConnect: true - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 - maxConcurrentStreams: 100 - httpFilters: - - name: envoy.filters.http.local_ratelimit - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - statPrefix: rate_limit - - name: gzip-compress - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor - compressorLibrary: - name: gzip - typedConfig: - '@type': 
type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip - responseDirectionConfig: - disableOnEtagHeader: true - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - mergeSlashes: true - normalizePath: true - pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT - rds: - configSource: - ads: {} - resourceApiVersion: V3 - routeConfigName: logging-gateway:HTTP:8080 - requestHeadersTimeout: 0.500s - serverName: Kuma Gateway - statPrefix: gateway-default - streamIdleTimeout: 5s - stripAnyHostPort: true - useRemoteAddress: true - listenerFilters: - - name: envoy.filters.listener.tls_inspector - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector - name: logging-gateway:HTTP:8080 - perConnectionBufferLimitBytes: 32768 - trafficDirection: INBOUND + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: logging-gateway:HTTP:8080 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND +Routes: + Resources: + logging-gateway:HTTP:8080: + name: logging-gateway:HTTP:8080 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - '*' + name: '*' + routes: + - directResponse: + body: + inlineString: | + This is a Kuma MeshGateway. No routes match this MeshGateway! + status: 404 + match: + prefix: / +Runtimes: + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners +Secrets: + Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/05-gateway-listener.yaml b/pkg/plugins/runtime/gateway/testdata/05-gateway-listener.yaml index f0900b3c3fb6..2f707135587c 100644 --- a/pkg/plugins/runtime/gateway/testdata/05-gateway-listener.yaml +++ b/pkg/plugins/runtime/gateway/testdata/05-gateway-listener.yaml 
@@ -1,265 +1,407 @@ -Resources: - default-gateway:HTTPS:443: - address: - socketAddress: - address: 192.168.1.1 - portValue: 443 - enableReusePort: true - filterChains: - - filterChainMatch: - serverNames: - - foo.example.com - transportProtocol: tls - filters: - - name: envoy.filters.network.http_connection_manager - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - commonHttpProtocolOptions: - headersWithUnderscoresAction: REJECT_REQUEST - idleTimeout: 300s - http2ProtocolOptions: - allowConnect: true - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 - maxConcurrentStreams: 100 - httpFilters: - - name: envoy.filters.http.local_ratelimit - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - statPrefix: rate_limit - - name: gzip-compress - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor - compressorLibrary: - name: gzip - typedConfig: - '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip - responseDirectionConfig: - disableOnEtagHeader: true - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - mergeSlashes: true - normalizePath: true - pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT - rds: - configSource: - ads: {} - resourceApiVersion: V3 - routeConfigName: default-gateway:HTTPS:443 - requestHeadersTimeout: 0.500s - serverName: Kuma Gateway - statPrefix: gateway-default - streamIdleTimeout: 5s - stripAnyHostPort: true - useRemoteAddress: true - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - commonTlsContext: - alpnProtocols: - - h2 - - http/1.1 - tlsCertificateSdsSecretConfigs: - - name: cert.rsa:secret:server-certificate - sdsConfig: 
+Clusters: + Resources: {} +Endpoints: + Resources: {} +Listeners: + Resources: + default-gateway:HTTPS:443: + address: + socketAddress: + address: 192.168.1.1 + portValue: 443 + enableReusePort: true + filterChains: + - filterChainMatch: + serverNames: + - foo.example.com + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: ads: {} resourceApiVersion: V3 - tlsParams: - tlsMinimumProtocolVersion: TLSv1_2 - requireClientCertificate: false - - filterChainMatch: - serverNames: - - bar.example.com - transportProtocol: tls - filters: - - name: envoy.filters.network.http_connection_manager - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - commonHttpProtocolOptions: - headersWithUnderscoresAction: REJECT_REQUEST - idleTimeout: 300s - 
http2ProtocolOptions: - allowConnect: true - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 - maxConcurrentStreams: 100 - httpFilters: - - name: envoy.filters.http.local_ratelimit - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - statPrefix: rate_limit - - name: gzip-compress - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor - compressorLibrary: - name: gzip - typedConfig: - '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip - responseDirectionConfig: - disableOnEtagHeader: true - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - mergeSlashes: true - normalizePath: true - pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT - rds: - configSource: - ads: {} - resourceApiVersion: V3 - routeConfigName: default-gateway:HTTPS:443 - requestHeadersTimeout: 0.500s - serverName: Kuma Gateway - statPrefix: gateway-default - streamIdleTimeout: 5s - stripAnyHostPort: true - useRemoteAddress: true - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - commonTlsContext: - alpnProtocols: - - h2 - - http/1.1 - tlsCertificateSdsSecretConfigs: - - name: cert.rsa:secret:server-certificate - sdsConfig: + routeConfigName: default-gateway:HTTPS:443 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + stripAnyHostPort: true + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + alpnProtocols: + - h2 + - http/1.1 + tlsCertificateSdsSecretConfigs: + - name: cert.rsa:secret:server-certificate + sdsConfig: + ads: {} + 
resourceApiVersion: V3 + tlsParams: + tlsMinimumProtocolVersion: TLSv1_2 + requireClientCertificate: false + - filterChainMatch: + serverNames: + - bar.example.com + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: ads: {} resourceApiVersion: V3 - tlsParams: - tlsMinimumProtocolVersion: TLSv1_2 - requireClientCertificate: false - - filterChainMatch: - serverNames: - - '*.example.com' - transportProtocol: tls - filters: - - name: envoy.filters.network.http_connection_manager - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - commonHttpProtocolOptions: - headersWithUnderscoresAction: REJECT_REQUEST - idleTimeout: 300s - http2ProtocolOptions: - allowConnect: true - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 - 
maxConcurrentStreams: 100 - httpFilters: - - name: envoy.filters.http.local_ratelimit - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - statPrefix: rate_limit - - name: gzip-compress - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor - compressorLibrary: - name: gzip - typedConfig: - '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip - responseDirectionConfig: - disableOnEtagHeader: true - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - mergeSlashes: true - normalizePath: true - pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT - rds: - configSource: - ads: {} - resourceApiVersion: V3 - routeConfigName: default-gateway:HTTPS:443 - requestHeadersTimeout: 0.500s - serverName: Kuma Gateway - statPrefix: gateway-default - streamIdleTimeout: 5s - stripAnyHostPort: true - useRemoteAddress: true - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - commonTlsContext: - alpnProtocols: - - h2 - - http/1.1 - tlsCertificateSdsSecretConfigs: - - name: cert.rsa:secret:server-certificate - sdsConfig: + routeConfigName: default-gateway:HTTPS:443 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + stripAnyHostPort: true + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + alpnProtocols: + - h2 + - http/1.1 + tlsCertificateSdsSecretConfigs: + - name: cert.rsa:secret:server-certificate + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsParams: + tlsMinimumProtocolVersion: TLSv1_2 + requireClientCertificate: false + - 
filterChainMatch: + serverNames: + - '*.example.com' + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: ads: {} resourceApiVersion: V3 - tlsParams: - tlsMinimumProtocolVersion: TLSv1_2 - requireClientCertificate: false - - filterChainMatch: - transportProtocol: tls - filters: - - name: envoy.filters.network.http_connection_manager - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - commonHttpProtocolOptions: - headersWithUnderscoresAction: REJECT_REQUEST - idleTimeout: 300s - http2ProtocolOptions: - allowConnect: true - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 - maxConcurrentStreams: 100 - httpFilters: - - name: envoy.filters.http.local_ratelimit - typedConfig: - '@type': 
type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - statPrefix: rate_limit - - name: gzip-compress - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor - compressorLibrary: - name: gzip - typedConfig: - '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip - responseDirectionConfig: - disableOnEtagHeader: true - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - mergeSlashes: true - normalizePath: true - pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT - rds: - configSource: - ads: {} - resourceApiVersion: V3 - routeConfigName: default-gateway:HTTPS:443 - requestHeadersTimeout: 0.500s - serverName: Kuma Gateway - statPrefix: gateway-default - streamIdleTimeout: 5s - stripAnyHostPort: true - useRemoteAddress: true - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - commonTlsContext: - alpnProtocols: - - h2 - - http/1.1 - tlsCertificateSdsSecretConfigs: - - name: cert.rsa:secret:server-certificate - sdsConfig: + routeConfigName: default-gateway:HTTPS:443 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + stripAnyHostPort: true + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + alpnProtocols: + - h2 + - http/1.1 + tlsCertificateSdsSecretConfigs: + - name: cert.rsa:secret:server-certificate + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsParams: + tlsMinimumProtocolVersion: TLSv1_2 + requireClientCertificate: false + - filterChainMatch: + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + 
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: ads: {} resourceApiVersion: V3 - tlsParams: - tlsMinimumProtocolVersion: TLSv1_2 - requireClientCertificate: false - listenerFilters: - - name: envoy.filters.listener.tls_inspector - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector - name: default-gateway:HTTPS:443 - perConnectionBufferLimitBytes: 32768 - trafficDirection: INBOUND + routeConfigName: default-gateway:HTTPS:443 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + stripAnyHostPort: true + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + alpnProtocols: + - h2 + - http/1.1 + tlsCertificateSdsSecretConfigs: + - name: 
cert.rsa:secret:server-certificate + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsParams: + tlsMinimumProtocolVersion: TLSv1_2 + requireClientCertificate: false + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: default-gateway:HTTPS:443 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND +Routes: + Resources: + default-gateway:HTTPS:443: + name: default-gateway:HTTPS:443 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - foo.example.com + name: foo.example.com + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - directResponse: + body: + inlineString: | + This is a Kuma MeshGateway. No routes match this MeshGateway! + status: 404 + match: + prefix: / + - domains: + - bar.example.com + name: bar.example.com + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - directResponse: + body: + inlineString: | + This is a Kuma MeshGateway. No routes match this MeshGateway! + status: 404 + match: + prefix: / + - domains: + - '*.example.com' + name: '*.example.com' + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - directResponse: + body: + inlineString: | + This is a Kuma MeshGateway. No routes match this MeshGateway! + status: 404 + match: + prefix: / + - domains: + - '*' + name: '*' + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - directResponse: + body: + inlineString: | + This is a Kuma MeshGateway. No routes match this MeshGateway! 
+ status: 404 + match: + prefix: / +Runtimes: + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners +Secrets: + Resources: + cert.rsa:secret:server-certificate: + name: cert.rsa:secret:server-certificate + tlsCertificate: + certificateChain: + inlineString: |+ + -----BEGIN CERTIFICATE----- + MIIDJjCCAg6gAwIBAgIRAI+Hqx9HaFRq8yilXfKkQRIwDQYJKoZIhvcNAQELBQAw + FjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMjExMTAzMDQzMDE3WhcNMzExMTAx + MDQzMDE3WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBAN71d1v+a5nPV/3JaGL6QIKB6tJxWOlSHWUhAsli+s5D + 5yuMTtWQ98SMzzOjg4dW9SA9RxqJFzTzppVbeb1+Gse4RjlOY+DuqUTB4BTEp9bp + FmtW/zbB+y2Afy8qCzSQVcLufHStKbNNJafQ+m0aKw/iCjv5FR8gxqDqp1BGyvZr + s4K+rX6mIGmBadI82ExawYzy2uFR5jcvtUHRjbLJjtMuZI/Gbh27aicnv1gLC5TT + MwHrWkJG3A6eMdgP3nf4C/Z1Em40gKdwOU3/TNK3lb+UALhuQwH+B+QXhllCEmQE + HA4yF6Cta1P4SbBOsec/kqpL5wP5wGs/N5rfXgaD2msCAwEAAaNvMG0wDgYDVR0P + AQH/BAQDAgKkMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8w + HQYDVR0OBBYEFIsc2IMeCIormB/p5zUdBvd5qUGdMBYGA1UdEQQPMA2CC2V4YW1w + bGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQA6e8eJHZRhDGiNG9oIkcdirvdW4t7G + ApaWAInXJ5lbp0GOFCPtKSsIBsqyNqcYhGwz69UT/0l72+m/NCktBZzCvR0jiFYU + ssnZX3q4BYnme20Ff7o8k1SH4XQ3iIMeQIpOiEmoiHpaBmDs81TjrOvhI2WxO7Kt + nViTfVKeyrQYJtj+pdV2JxRqzbGb893l3UtEnUIbVkSjShzOQI9+PnDN4e+KPFCe + oviSBYMV8TQHNHlo5qvgdSEe68BGEAuL9dFG6KBffgBO8t3U/UaH4giaIG7N6FwJ + ZMSGbXcnLNWJOWRMoymSpk8a9/hXXKVYHppbkAeFGRwhm7XDXsCwq5Wd + -----END CERTIFICATE----- + + privateKey: + inlineString: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEA3vV3W/5rmc9X/cloYvpAgoHq0nFY6VIdZSECyWL6zkPnK4xO + 1ZD3xIzPM6ODh1b1ID1HGokXNPOmlVt5vX4ax7hGOU5j4O6pRMHgFMSn1ukWa1b/ + NsH7LYB/LyoLNJBVwu58dK0ps00lp9D6bRorD+IKO/kVHyDGoOqnUEbK9muzgr6t + fqYgaYFp0jzYTFrBjPLa4VHmNy+1QdGNssmO0y5kj8ZuHbtqJye/WAsLlNMzAeta + QkbcDp4x2A/ed/gL9nUSbjSAp3A5Tf9M0reVv5QAuG5DAf4H5BeGWUISZAQcDjIX + oK1rU/hJsE6x5z+SqkvnA/nAaz83mt9eBoPaawIDAQABAoIBAAmy/f1HhSDMz1Qg + 
BeWAY3wJ8NA01BxaUSMMG5XtM2HzvEO9t9Q8mTq4sW7apyclFkbPw58Y5aSNEOsg + bpxatwmHL67ghSHM4Bo4oOnmYDLOMwZ6Y2HbcHTbSS0hFBm2SbTQMSPWQKEnMwMo + 6SwD3mmzeKSBQnT3NQzdCGhKnBu6IOMY8FBcFaIrsOFAUEeSnVrn6E9Epb3qbJ8K + RUI18mPgGyWtyes1NG2elm3h4Wu+67cswuMNqG64luItpz6FLLfKlHS5u5wDlm2H + KKhYiMmtzoHFt9RteBwAodFDp9x6/i6/gtThSKqg9DO4UePu8j+L4zEhJ6jMcao0 + fqEqGLkCgYEA4PlvwFPv6z+EN60IejyOPKD9pdxV6BYSi7CmLMm9ZHuneluI0MTh + XkVH6VZnKXgwaB9YpeB3nsUmuZRaJS01dBDS2Zdm/DKaCwk4pKyT7qNcyJAC5pdF + 4wcTOS+k8Pm4zo0xdmE0AMKIJKeLwfU59dizaSRLIUsd4ZbJZKSWR4cCgYEA/bTf + osqY740uZd8PDj7zIwAjQGhMoD67D2VFNk4i1D8PCgKXQ6TlNqO8c//+/vgPOJqE + JxB/daSay0EOwrRosGnfQlRoBWwE7FmlJblh9QgMdhAnsVkX0K9V2YS2FOv36k5M + AQWjHvhf/0K4jmhLRpK6dPuTnOKF3NOsTXWeBv0CgYAYAIS7sDjYkF460mslH3DN + Zx+oomlH6ZLw9FfGT3+1SLwFgd6G53pj5GBXtLAs7HW9php/GAOrHL2U7w7vCHO7 + flAAhval0YA9zS4N45ukyikL/NFSaLE8F3UllL+0NfBRmR690oEJ07dSsc1nVBJq + +EOr5ANf+fOmLcAuzKB74QKBgG+TWj7nxrajamJW5PIo8RjVeKtcs0ZOEEpHCVdG + qb6aNOz8ErYnEL8k5z5EuUo8ocUM/02GzedZCtKUu/8ZBGmBRjSPlme8B7ZB/oVG + sDPo5EIP/MTcH8MhOSo+WS1+UTt0T6yrY/+8z8sc9rl6WJCi+ulzsolufdyOItq1 + /VepAoGBAKVmWp9NA/Q/keC7iBQlyCjUHEFdpdYxjNLobW/r21oTmbcUDrBkMuk+ + ho85r4ks3t1kODZ2oi6ACVC8BaH1ihQ29+VqADqGrO2TWwKmHJRhoTrazyud9TVH + SK4u80+3Mzg9poUv80lwtuJ8xDWpQcRIp1CfqwkvIA393JCw7VCK + -----END RSA PRIVATE KEY----- diff --git a/pkg/plugins/runtime/gateway/testdata/connection-limited-listener.yaml b/pkg/plugins/runtime/gateway/testdata/connection-limited-listener.yaml new file mode 100644 index 000000000000..578b066f7bb6 --- /dev/null +++ b/pkg/plugins/runtime/gateway/testdata/connection-limited-listener.yaml 
@@ -0,0 +1,31 @@ +Clusters: + Resources: {} +Endpoints: + Resources: {} +Listeners: + Resources: + default-gateway:TCP:443: + address: + socketAddress: + address: 192.168.1.1 + portValue: 443 + enableReusePort: true + filterChains: + - {} + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: default-gateway:TCP:443 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND +Routes: + Resources: {} +Runtimes: + Resources: + gateway.listeners: + layer: + envoy.resource_limits.listener.default-gateway:TCP:443.connection_limit: 10000 + name: gateway.listeners +Secrets: + Resources: {} diff --git a/pkg/plugins/runtime/gateway/testdata/tcp-listener.yaml b/pkg/plugins/runtime/gateway/testdata/tcp-listener.yaml index d990ba5c4269..1cc9468bc50c 100644 --- a/pkg/plugins/runtime/gateway/testdata/tcp-listener.yaml +++ b/pkg/plugins/runtime/gateway/testdata/tcp-listener.yaml 
@@ -1,16 +1,30 @@ -Resources: - default-gateway:TCP:443: - address: - socketAddress: - address: 192.168.1.1 - portValue: 443 - enableReusePort: true - filterChains: - - {} - listenerFilters: - - name: envoy.filters.listener.tls_inspector - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector - name: default-gateway:TCP:443 - perConnectionBufferLimitBytes: 32768 - trafficDirection: INBOUND +Clusters: + Resources: {} +Endpoints: + Resources: {} +Listeners: + Resources: + default-gateway:TCP:443: + address: + socketAddress: + address: 192.168.1.1 + portValue: 443 + enableReusePort: true + filterChains: + - {} + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: default-gateway:TCP:443 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND +Routes: + Resources: {} +Runtimes: + Resources: + gateway.listeners: + layer: {} + name: gateway.listeners +Secrets: + Resources: {} From 28e84be4e70e624f886a18a0416f237cca4507fe Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Wed, 3 Aug 2022 15:14:01 +0200 Subject: [PATCH 04/11] docs(generated): update with MeshGateway change Signed-off-by: Mike Beaumont --- docs/generated/resources/policy_meshgateway.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/generated/resources/policy_meshgateway.md b/docs/generated/resources/policy_meshgateway.md index b6cec2d9b08a..46bed932c8b4 100644 --- a/docs/generated/resources/policy_meshgateway.md +++ b/docs/generated/resources/policy_meshgateway.md @@ -103,5 +103,9 @@ - `crossmesh` (optional) CrossMesh enables traffic to flow to this listener only from other - meshes. + meshes. + + - `resources` (optional) + + - `connectionlimit` (optional) From df9c5345c51aef7199f010515ec2a6593b3e26af Mon Sep 17 00:00:00 2001 
From: Mike Beaumont Date: Thu, 4 Aug 2022 13:04:13 +0200 Subject: [PATCH 05/11] docs(gateway): add field comment Signed-off-by: Mike Beaumont --- api/mesh/v1alpha1/gateway.pb.go | 75 ++++++++++--------- api/mesh/v1alpha1/gateway.proto | 3 +- .../generated/resources/policy_meshgateway.md | 6 +- 3 files changed, 44 insertions(+), 40 deletions(-) diff --git a/api/mesh/v1alpha1/gateway.pb.go b/api/mesh/v1alpha1/gateway.pb.go index 7c51283aa7a3..bee6c952eb86 100644 --- a/api/mesh/v1alpha1/gateway.pb.go +++ b/api/mesh/v1alpha1/gateway.pb.go @@ -286,7 +286,8 @@ type MeshGateway_Listener struct { Tags map[string]string `protobuf:"bytes,5,rep,name=tags,proto3" json:"tags,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // CrossMesh enables traffic to flow to this listener only from other // meshes. - CrossMesh bool `protobuf:"varint,6,opt,name=crossMesh,proto3" json:"crossMesh,omitempty"` + CrossMesh bool `protobuf:"varint,6,opt,name=crossMesh,proto3" json:"crossMesh,omitempty"` + // Resources is used to specify listener-specific resource settings. Resources *MeshGateway_Listener_Resources `protobuf:"bytes,7,opt,name=resources,proto3" json:"resources,omitempty"` } @@ -546,7 +547,7 @@ type MeshGateway_Listener_Resources struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - ConnectionLimit uint32 `protobuf:"varint,1,opt,name=connectionLimit,proto3" json:"connectionLimit,omitempty"` + ConnectionLimit uint32 `protobuf:"varint,1,opt,name=connection_limit,json=connectionLimit,proto3" json:"connection_limit,omitempty"` } func (x *MeshGateway_Listener_Resources) Reset() { 
@@ -601,7 +602,7 @@ var file_mesh_v1alpha1_gateway_proto_rawDesc = []byte{ 0x6f, 0x1a, 0x20, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x61, 0x74, 0x61, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x17, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x61, - 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x9f, 0x0a, 0x0a, + 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa0, 0x0a, 0x0a, 0x0b, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x12, 0x44, 0x0a, 0x09, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x6b, 0x75, 0x6d, 0x61, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, @@ -633,7 +634,7 @@ var file_mesh_v1alpha1_gateway_proto_rawDesc = []byte{ 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x30, 0x0a, 0x04, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x08, 0x0a, 0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10, 0x00, 0x12, 0x0d, 0x0a, 0x09, 0x54, 0x45, 0x52, 0x4d, 0x49, 0x4e, 0x41, 0x54, 0x45, 0x10, 0x01, 0x12, 0x0f, 0x0a, 0x0b, 0x50, 0x41, 0x53, - 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x02, 0x1a, 0xb3, 0x04, 0x0a, 0x08, 0x4c, + 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x02, 0x1a, 0xb4, 0x04, 0x0a, 0x08, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 
@@ -657,39 +658,39 @@ var file_mesh_v1alpha1_gateway_proto_rawDesc = []byte{ 0x6d, 0x61, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, - 0x09, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x1a, 0x35, 0x0a, 0x09, 0x52, 0x65, - 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, - 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, - 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4c, 0x69, 0x6d, 0x69, - 0x74, 0x1a, 0x37, 0x0a, 0x09, 0x54, 0x61, 0x67, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, - 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, - 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x44, 0x0a, 0x08, 0x50, 0x72, - 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x08, 0x0a, 0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10, 0x00, - 0x12, 0x07, 0x0a, 0x03, 0x54, 0x43, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x44, 0x50, - 0x10, 0x02, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x4c, 0x53, 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04, 0x48, - 0x54, 0x54, 0x50, 0x10, 0x04, 0x12, 0x09, 0x0a, 0x05, 0x48, 0x54, 0x54, 0x50, 0x53, 0x10, 0x05, - 0x1a, 0x58, 0x0a, 0x04, 0x43, 0x6f, 0x6e, 0x66, 0x12, 0x50, 0x0a, 0x09, 0x6c, 0x69, 0x73, 0x74, - 0x65, 0x6e, 0x65, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x6b, 0x75, - 0x6d, 0x61, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, - 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x2e, 0x4c, 0x69, 0x73, - 0x74, 0x65, 0x6e, 0x65, 0x72, 0x42, 0x08, 0xfa, 0x42, 0x05, 
0x92, 0x01, 0x02, 0x08, 0x01, 0x52, - 0x09, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x73, 0x1a, 0x37, 0x0a, 0x09, 0x54, 0x61, - 0x67, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, - 0x02, 0x38, 0x01, 0x3a, 0x59, 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x15, 0x0a, 0x13, 0x4d, 0x65, 0x73, - 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, - 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x0d, 0x12, 0x0b, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, - 0x77, 0x61, 0x79, 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x06, 0x22, 0x04, 0x6d, 0x65, 0x73, 0x68, 0xaa, - 0x8c, 0x89, 0xa6, 0x01, 0x04, 0x52, 0x02, 0x10, 0x01, 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x0f, 0x3a, - 0x0d, 0x0a, 0x0b, 0x6d, 0x65, 0x73, 0x68, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x42, 0x4c, - 0x5a, 0x28, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, 0x6d, - 0x61, 0x68, 0x71, 0x2f, 0x6b, 0x75, 0x6d, 0x61, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6d, 0x65, 0x73, - 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x8a, 0xb5, 0x18, 0x1e, 0x50, 0x01, - 0xa2, 0x01, 0x0b, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0xf2, 0x01, - 0x0b, 0x6d, 0x65, 0x73, 0x68, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x09, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x1a, 0x36, 0x0a, 0x09, 0x52, 0x65, + 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x6e, 0x65, + 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0d, 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4c, 0x69, 0x6d, + 0x69, 0x74, 0x1a, 0x37, 0x0a, 0x09, 0x54, 0x61, 0x67, 0x73, 0x45, 0x6e, 
0x74, 0x72, 0x79, 0x12, + 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, + 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x44, 0x0a, 0x08, 0x50, + 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x08, 0x0a, 0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10, + 0x00, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x43, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x44, + 0x50, 0x10, 0x02, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x4c, 0x53, 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04, + 0x48, 0x54, 0x54, 0x50, 0x10, 0x04, 0x12, 0x09, 0x0a, 0x05, 0x48, 0x54, 0x54, 0x50, 0x53, 0x10, + 0x05, 0x1a, 0x58, 0x0a, 0x04, 0x43, 0x6f, 0x6e, 0x66, 0x12, 0x50, 0x0a, 0x09, 0x6c, 0x69, 0x73, + 0x74, 0x65, 0x6e, 0x65, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x6b, + 0x75, 0x6d, 0x61, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x2e, 0x4c, 0x69, + 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, + 0x52, 0x09, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x73, 0x1a, 0x37, 0x0a, 0x09, 0x54, + 0x61, 0x67, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x3a, 0x02, 0x38, 0x01, 0x3a, 0x59, 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x15, 0x0a, 0x13, 0x4d, 0x65, + 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, + 0x65, 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x0d, 0x12, 0x0b, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, + 0x65, 0x77, 0x61, 0x79, 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x06, 0x22, 0x04, 0x6d, 0x65, 0x73, 0x68, + 0xaa, 0x8c, 
0x89, 0xa6, 0x01, 0x04, 0x52, 0x02, 0x10, 0x01, 0xaa, 0x8c, 0x89, 0xa6, 0x01, 0x0f, + 0x3a, 0x0d, 0x0a, 0x0b, 0x6d, 0x65, 0x73, 0x68, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x42, + 0x4c, 0x5a, 0x28, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6b, 0x75, + 0x6d, 0x61, 0x68, 0x71, 0x2f, 0x6b, 0x75, 0x6d, 0x61, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6d, 0x65, + 0x73, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x8a, 0xb5, 0x18, 0x1e, 0x50, + 0x01, 0xa2, 0x01, 0x0b, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0xf2, + 0x01, 0x0b, 0x6d, 0x65, 0x73, 0x68, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x62, 0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/api/mesh/v1alpha1/gateway.proto b/api/mesh/v1alpha1/gateway.proto index 354a2e8c3e85..f82dbdce14b7 100644 --- a/api/mesh/v1alpha1/gateway.proto +++ b/api/mesh/v1alpha1/gateway.proto @@ -82,7 +82,7 @@ message MeshGateway { } message Listener { - message Resources { uint32 connectionLimit = 1; } + message Resources { uint32 connection_limit = 1; } enum Protocol { NONE = 0; @@ -124,6 +124,7 @@ message MeshGateway { // meshes. bool crossMesh = 6; + // Resources is used to specify listener-specific resource settings. Resources resources = 7; } diff --git a/docs/generated/resources/policy_meshgateway.md b/docs/generated/resources/policy_meshgateway.md index 46bed932c8b4..7fd657692dac 100644 --- a/docs/generated/resources/policy_meshgateway.md +++ b/docs/generated/resources/policy_meshgateway.md @@ -105,7 +105,9 @@ CrossMesh enables traffic to flow to this listener only from other meshes. - - `resources` (optional) + - `resources` (optional) + + Resources is used to specify listener-specific resource settings. - - `connectionlimit` (optional) + - `connectionLimit` (optional) From 7fb5e29616027392cc4ad26e99001e9dc372bc07 Mon Sep 17 00:00:00 2001 
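Review bot: In `gateway.proto`, `connection_limit` inside `message Resources` still has no field comment; this commit documents only the parent `resources` field, so the generated reference lists `connectionLimit` with no description. The validator added later in this series skips a value of 0 (`l != 0`), which suggests 0 means "no limit", but that is inferred and should be stated where the API is defined. Expand the one-line message into a block and add a comment such as `// connection_limit is the maximum number of active connections this listener accepts; 0 means no limit is applied (confirm against the generator).` Operators relying on this as a resource-exhaustion control need to know the unit and the meaning of the zero value.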
From: Mike Beaumont Date: Fri, 5 Aug 2022 16:18:06 +0200 Subject: [PATCH 06/11] test(e2e): add MeshGateway connection limit e2e test Signed-off-by: Mike Beaumont --- test/e2e_env/kubernetes/gateway/resources.go | 127 ++++++++++++++++++ .../kubernetes/kubernetes_suite_test.go | 1 + 2 files changed, 128 insertions(+) create mode 100644 test/e2e_env/kubernetes/gateway/resources.go diff --git a/test/e2e_env/kubernetes/gateway/resources.go b/test/e2e_env/kubernetes/gateway/resources.go new file mode 100644 index 000000000000..3b0cd2a421da --- /dev/null +++ b/test/e2e_env/kubernetes/gateway/resources.go 
@@ -0,0 +1,127 @@
+package gateway
+
+import (
+ "fmt"
+
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+
+ "github.com/kumahq/kuma/test/e2e_env/kubernetes/env"
+ . "github.com/kumahq/kuma/test/framework"
+ "github.com/kumahq/kuma/test/framework/client"
+ "github.com/kumahq/kuma/test/framework/deployments/testserver"
+)
+
+func Resources() {
+ meshName := "gateway-resources"
+ gatewayName := "resources-edge-gateway"
+ namespace := "gateway-resources"
+ waitingClientNamespace := "gateway-resources-client-wait"
+ curlingClientNamespace := "gateway-resources-client-curl"
+
+ meshGateway := fmt.Sprintf(`
+apiVersion: kuma.io/v1alpha1
+kind: MeshGateway
+metadata:
+ name: %s
+mesh: %s
+spec:
+ selectors:
+ - match:
+ kuma.io/service: %s
+ conf:
+ listeners:
+ - port: 8080
+ protocol: TCP
+`, gatewayName, meshName, gatewayName)
+
+ serverSvc := fmt.Sprintf("test-server-%s_svc_80", namespace)
+
+ tcpRoute := fmt.Sprintf(`
+apiVersion: kuma.io/v1alpha1
+kind: MeshGatewayRoute
+metadata:
+ name: %s
+mesh: %s
+spec:
+ selectors:
+ - match:
+ kuma.io/service: %s
+ protocol: http
+ conf:
+ tcp:
+ rules:
+ - backends:
+ - destination:
+ kuma.io/service: %s
+`, gatewayName, meshName, gatewayName, serverSvc)
+
+ BeforeAll(func() {
+ err := NewClusterSetup().
+ Install(MTLSMeshKubernetes(meshName)).
+ Install(NamespaceWithSidecarInjection(namespace)).
+ Install(Namespace(waitingClientNamespace)).
+ Install(Namespace(curlingClientNamespace)).
+ Install(DemoClientK8s(meshName, waitingClientNamespace)).
+ Install(DemoClientK8s(meshName, curlingClientNamespace)).
+ Install(YamlK8s(meshGateway)).
+ Install(YamlK8s(MkGatewayInstance(gatewayName, namespace, meshName))).
+ Install(YamlK8s(tcpRoute)).
+ Install(testserver.Install(
+ testserver.WithMesh(meshName),
+ testserver.WithNamespace(namespace),
+ testserver.WithName("test-server"),
+ testserver.WithEchoArgs("echo", "--instance", "kubernetes"),
+ )).
+ Setup(env.Cluster)
+ Expect(err).ToNot(HaveOccurred())
+ })
+
+ E2EAfterAll(func() {
+ Expect(env.Cluster.TriggerDeleteNamespace(namespace)).To(Succeed())
+ Expect(env.Cluster.TriggerDeleteNamespace(waitingClientNamespace)).To(Succeed())
+ Expect(env.Cluster.TriggerDeleteNamespace(curlingClientNamespace)).To(Succeed())
+ Expect(env.Cluster.DeleteMesh(meshName)).To(Succeed())
+ })
+
+ Context("connection limit", func() {
+ gatewayHost := fmt.Sprintf("%s.%s", gatewayName, namespace)
+ target := fmt.Sprintf("http://%s:8080", gatewayHost)
+
+ It("should allow 1 connection", func() {
+ Eventually(func(g Gomega) {
+ response, err := client.CollectResponse(
+ env.Cluster, "demo-client", target,
+ client.FromKubernetesPod(curlingClientNamespace, "demo-client"),
+ )
+
+ g.Expect(err).ToNot(HaveOccurred())
+ g.Expect(response.Instance).To(Equal("kubernetes"))
+ })
+ })
+
+ It("should not allow more than 1 connection", func() {
+ // Open a long-living TCP connection to the gateway
+ go func() {
+ defer GinkgoRecover()
+
+ demoClientPod, err := PodNameOfApp(env.Cluster, "demo-client", waitingClientNamespace)
+ Expect(err).ToNot(HaveOccurred())
+
+ // this pod will be killed when we delete the namespace
+ cmd := []string{"nc", "-w", "30", gatewayHost, "8080"}
+ _, _, _ = env.Cluster.Exec(waitingClientNamespace, demoClientPod, "demo-client", cmd...)
+ }()
+
+ Eventually(func(g Gomega) {
+ response, err := client.CollectFailure(
+ env.Cluster, "demo-client", target,
+ client.FromKubernetesPod(curlingClientNamespace, "demo-client"),
+ )
+
+ g.Expect(err).ToNot(HaveOccurred())
+ g.Expect(response.Exitcode).To(Equal(56))
+ }, "20s", "1s").Should(Succeed())
+ })
+ })
+}
diff --git a/test/e2e_env/kubernetes/kubernetes_suite_test.go b/test/e2e_env/kubernetes/kubernetes_suite_test.go
index a49d8e2aa32e..cfb6478143f9 100644
--- a/test/e2e_env/kubernetes/kubernetes_suite_test.go
+++ b/test/e2e_env/kubernetes/kubernetes_suite_test.go
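Review bot: In `It("should allow 1 connection", ...)` of `resources.go`, the `Eventually(func(g Gomega) {...})` call is never completed with `.Should(Succeed())`, so Gomega never runs the function and the spec passes without sending a request; close it like the second spec does, `}, "20s", "1s").Should(Succeed())`. The `meshGateway` manifest in the same hunk declares the listener with only `port: 8080` and `protocol: TCP` and no `resources.connectionLimit`, so nothing visible here sets the limit of 1 that "should not allow more than 1 connection" depends on; adding `resources:` with `connectionLimit: 1` under the listener would make the spec exercise the new control. The goroutine also discards every result of `env.Cluster.Exec`, so a failure to open the holding connection only shows up as an unexplained timeout of the second `Eventually`. The expected exit code `56` should carry a short comment naming what it stands for (presumably the client's receive-failure code).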
@@ -75,6 +75,7 @@ var _ = SynchronizedAfterSuite(func() {}, func() {}) var _ = Describe("Virtual Probes", healthcheck.VirtualProbes, Ordered) var _ = Describe("Gateway mTLS", gateway.Mtls, Ordered) var _ = Describe("Cross-mesh Gateways", gateway.CrossMeshGatewayOnKubernetes, Ordered) +var _ = Describe("Gateways Resources", gateway.Resources, Ordered) var _ = Describe("Graceful", graceful.Graceful, Ordered) var _ = Describe("Jobs", jobs.Jobs) var _ = Describe("Membership", membership.Membership, Ordered) From a78c8a18d432e0d9d696fcccaf84f13137d7ff23 Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Fri, 5 Aug 2022 16:33:55 +0200 Subject: [PATCH 07/11] feat(gateway): validate resources.connectionLimit for collapsibility Signed-off-by: Mike Beaumont --- .../resources/apis/mesh/gateway_validator.go | 28 +++++++++++++++ .../apis/mesh/gateway_validator_test.go | 35 ++++++++++++++++++- 2 files changed, 62 insertions(+), 1 deletion(-) diff --git a/pkg/core/resources/apis/mesh/gateway_validator.go b/pkg/core/resources/apis/mesh/gateway_validator.go index 3fb247a4f46e..416ac4ac59ae 100644 --- a/pkg/core/resources/apis/mesh/gateway_validator.go +++ b/pkg/core/resources/apis/mesh/gateway_validator.go @@ -49,9 +49,15 @@ func (g *MeshGatewayResource) Validate() error { return err.OrNil() } +type resourceLimits struct { + connectionLimits map[uint32]struct{} + listeners []int +} + func validateListenerCompatibility(path validators.PathBuilder, listeners []*mesh_proto.MeshGateway_Listener) validators.ValidationError { protocolsForPort := map[uint32]map[string][]int{} hostnamesForPort := map[uint32]map[string][]int{} + limitedListenersForPort := map[uint32]resourceLimits{} for i, ep := range listeners { protocols, ok := protocolsForPort[ep.GetPort()] 
@@ -64,6 +70,13 @@ func validateListenerCompatibility(path validators.PathBuilder, listeners []*mes hostnames = map[string][]int{} } + limitedListeners, ok := limitedListenersForPort[ep.GetPort()] + if !ok { + limitedListeners = resourceLimits{ + connectionLimits: map[uint32]struct{}{}, + } + } + protocols[ep.GetProtocol().String()] = append(protocols[ep.GetProtocol().String()], i) // An empty hostname is the same as "*", i.e. matches all hosts. @@ -74,8 +87,14 @@ func validateListenerCompatibility(path validators.PathBuilder, listeners []*mes hostnames[hostname] = append(hostnames[hostname], i) + if l := ep.GetResources().GetConnectionLimit(); l != 0 { + limitedListeners.listeners = append(limitedListeners.listeners, i) + limitedListeners.connectionLimits[l] = struct{}{} + } + hostnamesForPort[ep.GetPort()] = hostnames protocolsForPort[ep.GetPort()] = protocols + limitedListenersForPort[ep.GetPort()] = limitedListeners } err := validators.ValidationError{} @@ -104,6 +123,15 @@ func validateListenerCompatibility(path validators.PathBuilder, listeners []*mes } } + for _, listeners := range limitedListenersForPort { + if len(listeners.connectionLimits) <= 1 { + continue + } + for _, index := range listeners.listeners { + err.AddViolationAt(path.Index(index).Field("resources").Field("connectionLimit"), "conflicting values for this port") + } + } + return err } diff --git a/pkg/core/resources/apis/mesh/gateway_validator_test.go b/pkg/core/resources/apis/mesh/gateway_validator_test.go index fb3dad45c122..6e5c7358a839 100644 --- a/pkg/core/resources/apis/mesh/gateway_validator_test.go +++ b/pkg/core/resources/apis/mesh/gateway_validator_test.go 
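Review bot: The conflict check only records non-zero limits (`if l := ep.GetResources().GetConnectionLimit(); l != 0`), so a port where one listener sets `connectionLimit: 2` and another leaves it unset passes validation with a single entry in `connectionLimits`. Which limit the collapsed listener ends up with is decided outside this file and cannot be confirmed from these hunks. If unset is meant to inherit the port's single configured value, state that on the type, e.g. `// resourceLimits collects the explicit connection limits per port; listeners without one are ignored and share the port's limit`; otherwise also record `0` in the set so the mix is reported as a conflict. A validator test entry for the set/unset mix would pin whichever behaviour is intended. The body of `validateListenerCompatibility` starts and ends outside these hunks.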
@@ -86,6 +86,29 @@ conf: tags: name: http`, ), + Entry("listeners with connectionLimits", ` +type: MeshGateway +name: gateway +mesh: default +selectors: + - match: + kuma.io/service: gateway +tags: + product: edge +conf: + listeners: + - protocol: HTTP + hostname: one.com + port: 99 + resources: + connectionLimit: 2 + - protocol: HTTP + hostname: two.com + port: 99 + resources: + connectionLimit: 2 +`, + ), ) DescribeErrorCases( @@ -398,7 +421,7 @@ conf: protocol: TCP `), - ErrorCases("hostname and protocol conflict", + ErrorCases("hostname, protocol and resource conflict", []validators.Violation{{ Field: "conf.listeners[0]", Message: "protocol conflicts with other listeners on this port", @@ -411,6 +434,12 @@ conf: }, { Field: "conf.listeners[1]", Message: "multiple listeners for hostname on this port", + }, { + Field: "conf.listeners[0].resources.connectionLimit", + Message: "conflicting values for this port", + }, { + Field: "conf.listeners[1].resources.connectionLimit", + Message: "conflicting values for this port", }}, ` type: MeshGateway name: gateway @@ -423,11 +452,15 @@ conf: - hostname: www-1.example.com port: 443 protocol: TCP + resources: + connectionLimit: 2 - hostname: www-1.example.com port: 443 protocol: HTTPS tls: mode: PASSTHROUGH + resources: + connectionLimit: 1 `), ) }) From adb94295000f5a735bba2b703f6b68d980179617 Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Fri, 5 Aug 2022 16:34:16 +0200 Subject: [PATCH 08/11] refactor(gateway): function and variable names Signed-off-by: Mike Beaumont --- .../resources/apis/mesh/gateway_validator.go | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/pkg/core/resources/apis/mesh/gateway_validator.go b/pkg/core/resources/apis/mesh/gateway_validator.go index 416ac4ac59ae..2c56638466c9 100644 --- a/pkg/core/resources/apis/mesh/gateway_validator.go +++ b/pkg/core/resources/apis/mesh/gateway_validator.go 
@@ -54,47 +54,47 @@ type resourceLimits struct { listeners []int } -func validateListenerCompatibility(path validators.PathBuilder, listeners []*mesh_proto.MeshGateway_Listener) validators.ValidationError { +func validateListenerCollapsibility(path validators.PathBuilder, listeners []*mesh_proto.MeshGateway_Listener) validators.ValidationError { protocolsForPort := map[uint32]map[string][]int{} hostnamesForPort := map[uint32]map[string][]int{} limitedListenersForPort := map[uint32]resourceLimits{} - for i, ep := range listeners { - protocols, ok := protocolsForPort[ep.GetPort()] + for i, listener := range listeners { + protocols, ok := protocolsForPort[listener.GetPort()] if !ok { protocols = map[string][]int{} } - hostnames, ok := hostnamesForPort[ep.GetPort()] + hostnames, ok := hostnamesForPort[listener.GetPort()] if !ok { hostnames = map[string][]int{} } - limitedListeners, ok := limitedListenersForPort[ep.GetPort()] + limitedListeners, ok := limitedListenersForPort[listener.GetPort()] if !ok { limitedListeners = resourceLimits{ connectionLimits: map[uint32]struct{}{}, } } - protocols[ep.GetProtocol().String()] = append(protocols[ep.GetProtocol().String()], i) + protocols[listener.GetProtocol().String()] = append(protocols[listener.GetProtocol().String()], i) // An empty hostname is the same as "*", i.e. matches all hosts. 
- hostname := ep.GetHostname() + hostname := listener.GetHostname() if hostname == "" { hostname = mesh_proto.WildcardHostname } hostnames[hostname] = append(hostnames[hostname], i) - if l := ep.GetResources().GetConnectionLimit(); l != 0 { + if l := listener.GetResources().GetConnectionLimit(); l != 0 { limitedListeners.listeners = append(limitedListeners.listeners, i) limitedListeners.connectionLimits[l] = struct{}{} } - hostnamesForPort[ep.GetPort()] = hostnames - protocolsForPort[ep.GetPort()] = protocols - limitedListenersForPort[ep.GetPort()] = limitedListeners + hostnamesForPort[listener.GetPort()] = hostnames + protocolsForPort[listener.GetPort()] = protocols + limitedListenersForPort[listener.GetPort()] = limitedListeners } err := validators.ValidationError{} @@ -226,7 +226,7 @@ func validateMeshGatewayConf(path validators.PathBuilder, conf *mesh_proto.MeshG })) } - err.Add(validateListenerCompatibility(path, conf.GetListeners())) + err.Add(validateListenerCollapsibility(path, conf.GetListeners())) return err } From 1952ce2ccb0bcf4aa47591d8ce2146b6dc300d85 Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Fri, 5 Aug 2022 20:15:21 +0200 Subject: [PATCH 09/11] test(e2e): fix gateway resources test Signed-off-by: Mike Beaumont --- test/dockerfiles/Dockerfile.universal | 1 + test/e2e_env/kubernetes/gateway/resources.go | 105 +++++++++++-------- test/framework/exec_util.go | 16 ++- 3 files changed, 77 insertions(+), 45 deletions(-) diff --git a/test/dockerfiles/Dockerfile.universal b/test/dockerfiles/Dockerfile.universal index 3f56945516c3..c2b37554156a 100644 --- a/test/dockerfiles/Dockerfile.universal +++ b/test/dockerfiles/Dockerfile.universal @@ -18,6 +18,7 @@ RUN apt update \ rsync \ strace \ tcpdump \ + telnet \ tmux \ tzdata \ vim \ diff --git a/test/e2e_env/kubernetes/gateway/resources.go b/test/e2e_env/kubernetes/gateway/resources.go index 3b0cd2a421da..8267bbaa7469 100644 --- a/test/e2e_env/kubernetes/gateway/resources.go 
+++ b/test/e2e_env/kubernetes/gateway/resources.go @@ -19,7 +19,7 @@ func Resources() { waitingClientNamespace := "gateway-resources-client-wait" curlingClientNamespace := "gateway-resources-client-curl" - meshGateway := fmt.Sprintf(` + meshGatewayWithLimit := fmt.Sprintf(` apiVersion: kuma.io/v1alpha1 kind: MeshGateway metadata: @@ -32,12 +32,14 @@ spec: conf: listeners: - port: 8080 - protocol: TCP + protocol: HTTP + resources: + connectionLimit: 1 `, gatewayName, meshName, gatewayName) - serverSvc := fmt.Sprintf("test-server-%s_svc_80", namespace) + serverSvc := fmt.Sprintf("test-server_%s_svc_80", namespace) - tcpRoute := fmt.Sprintf(` + httpRoute := fmt.Sprintf(` apiVersion: kuma.io/v1alpha1 kind: MeshGatewayRoute metadata: @@ -47,11 +49,14 @@ spec: selectors: - match: kuma.io/service: %s - protocol: http conf: - tcp: + http: rules: - - backends: + - matches: + - path: + match: PREFIX + value: / + backends: - destination: kuma.io/service: %s `, gatewayName, meshName, gatewayName, serverSvc) @@ -64,9 +69,9 @@ spec: Install(Namespace(curlingClientNamespace)). Install(DemoClientK8s(meshName, waitingClientNamespace)). Install(DemoClientK8s(meshName, curlingClientNamespace)). - Install(YamlK8s(meshGateway)). + Install(YamlK8s(meshGatewayWithLimit)). Install(YamlK8s(MkGatewayInstance(gatewayName, namespace, meshName))). - Install(YamlK8s(tcpRoute)). + Install(YamlK8s(httpRoute)). Install(testserver.Install( testserver.WithMesh(meshName), testserver.WithNamespace(namespace), 
@@ -84,44 +89,56 @@ spec: Expect(env.Cluster.DeleteMesh(meshName)).To(Succeed()) }) - Context("connection limit", func() { + Specify("connection limit is respected", func() { gatewayHost := fmt.Sprintf("%s.%s", gatewayName, namespace) target := fmt.Sprintf("http://%s:8080", gatewayHost) - It("should allow 1 connection", func() { - Eventually(func(g Gomega) { - response, err := client.CollectResponse( - env.Cluster, "demo-client", target, - client.FromKubernetesPod(curlingClientNamespace, "demo-client"), - ) - - g.Expect(err).ToNot(HaveOccurred()) - g.Expect(response.Instance).To(Equal("kubernetes")) + By("allowing 1 connection") + + Eventually(func(g Gomega) { + response, err := client.CollectResponse( + env.Cluster, "demo-client", target, + client.FromKubernetesPod(curlingClientNamespace, "demo-client"), + ) + + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(response.Instance).To(Equal("kubernetes")) + }, "20s", "1s") + + By("not allowing more than 1 connection") + + // Open TCP connections to the gateway + go func() { + defer GinkgoRecover() + + demoClientPod, err := PodNameOfApp(env.Cluster, "demo-client", waitingClientNamespace) + Expect(err).ToNot(HaveOccurred()) + + cmd := []string{"telnet", gatewayHost, "8080"} + // We pass in a stdin that blocks so that telnet will keep the + // connection open + _, _, _ = env.Cluster.ExecWithOptions(ExecOptions{ + Command: cmd, + Namespace: waitingClientNamespace, + PodName: demoClientPod, + ContainerName: "demo-client", + Stdin: &BlockingReader{}, + CaptureStdout: true, + CaptureStderr: true, + PreserveWhitespace: false, + Retries: DefaultRetries, + Timeout: DefaultTimeout, }) - }) - - It("should not allow more than 1 connection", func() { - // Open a long-living TCP connection to the gateway - go func() { - defer GinkgoRecover() - - demoClientPod, err := PodNameOfApp(env.Cluster, "demo-client", waitingClientNamespace) - Expect(err).ToNot(HaveOccurred()) - - // this pod will be killed when we delete the namespace - cmd := 
[]string{"nc", "-w", "30", gatewayHost, "8080"} - _, _, _ = env.Cluster.Exec(waitingClientNamespace, demoClientPod, "demo-client", cmd...) - }() - - Eventually(func(g Gomega) { - response, err := client.CollectFailure( - env.Cluster, "demo-client", target, - client.FromKubernetesPod(curlingClientNamespace, "demo-client"), - ) - - g.Expect(err).ToNot(HaveOccurred()) - g.Expect(response.Exitcode).To(Equal(56)) - }, "20s", "1s").Should(Succeed()) - }) + }() + + Eventually(func(g Gomega) { + response, err := client.CollectFailure( + env.Cluster, "demo-client", target, + client.FromKubernetesPod(curlingClientNamespace, "demo-client"), + ) + + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(response.Exitcode).To(Or(Equal(52), Equal(56))) + }, "20s", "1s").Should(Succeed()) }) } diff --git a/test/framework/exec_util.go b/test/framework/exec_util.go index 18157f4fc142..3e36cc2bcabf 100644 --- a/test/framework/exec_util.go +++ b/test/framework/exec_util.go @@ -28,6 +28,7 @@ type ExecOptions struct { PodName string ContainerName string + Stdin io.Reader CaptureStdout bool CaptureStderr bool // If false, whitespace in std{err,out} will be removed. @@ -63,7 +64,13 @@ func (c *K8sCluster) execOnce(options ExecOptions) (string, string, error) { }, scheme.ParameterCodec) var stdout, stderr bytes.Buffer - err = executeK8s("POST", req.URL(), config, strings.NewReader(""), &stdout, &stderr, tty) + + stdin := options.Stdin + if stdin == nil { + stdin = strings.NewReader("") + } + + err = executeK8s("POST", req.URL(), config, stdin, &stdout, &stderr, tty) if options.PreserveWhitespace { return stdout.String(), stderr.String(), err 
@@ -125,6 +132,13 @@ func (c *K8sCluster) Exec(namespace, podName, containerName string, cmd ...strin return stdout, stderr, err } +type BlockingReader struct { +} + +func (*BlockingReader) Read([]byte) (int, error) { + select {} +} + // ExecWithRetries executes a command in the specified container and // return stdout, stderr and error. It retries a default number of times // if the command fails. From f4598aebb789c1676b263c91d1346f89197a40c6 Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Sat, 6 Aug 2022 05:51:03 +0200 Subject: [PATCH 10/11] test(e2e): increase resources timeout Signed-off-by: Mike Beaumont --- test/e2e_env/kubernetes/gateway/resources.go | 2 +- test/e2e_env/kubernetes/kubernetes_suite_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e_env/kubernetes/gateway/resources.go b/test/e2e_env/kubernetes/gateway/resources.go index 8267bbaa7469..993e4fe5a999 100644 --- a/test/e2e_env/kubernetes/gateway/resources.go +++ b/test/e2e_env/kubernetes/gateway/resources.go @@ -139,6 +139,6 @@ spec: g.Expect(err).ToNot(HaveOccurred()) g.Expect(response.Exitcode).To(Or(Equal(52), Equal(56))) - }, "20s", "1s").Should(Succeed()) + }, "40s", "1s").Should(Succeed()) }) } diff --git a/test/e2e_env/kubernetes/kubernetes_suite_test.go b/test/e2e_env/kubernetes/kubernetes_suite_test.go index e760abae7e5f..b17d47dcc527 100644 --- a/test/e2e_env/kubernetes/kubernetes_suite_test.go +++ b/test/e2e_env/kubernetes/kubernetes_suite_test.go 
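Review bot: `BlockingReader` is exported without a doc comment, and its `Read` parks on `select {}` with no way to release it, so whichever goroutine reads the supplied stdin stays blocked after the exec has ended; whether `executeK8s` reads stdin on its own goroutine is not visible in this hunk. At minimum document the contract: `// BlockingReader is an io.Reader whose Read never returns. It keeps a remote command's stdin open; each use may leave one goroutine blocked for the rest of the process.` The `Stdin` field added to `ExecOptions` earlier in this file would also benefit from `// Stdin is streamed to the command; nil means empty input.`, which is what the new fallback in `execOnce` implements. If the helper gets reused outside this test, a reader that unblocks on a context or close channel and then returns `io.EOF` would let callers release the held connection deliberately.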
@@ -76,7 +76,7 @@ var _ = Describe("Virtual Probes", healthcheck.VirtualProbes, Ordered) var _ = Describe("Gateway", gateway.Gateway, Ordered) var _ = Describe("Gateway - mTLS", gateway.Mtls, Ordered) var _ = Describe("Gateway - Cross-mesh", gateway.CrossMeshGatewayOnKubernetes, Ordered) -var _ = Describe("Gateways- Resources", gateway.Resources, Ordered) +var _ = Describe("Gateway - Resources", gateway.Resources, Ordered) var _ = Describe("Graceful", graceful.Graceful, Ordered) var _ = Describe("Jobs", jobs.Jobs) var _ = Describe("Membership", membership.Membership, Ordered) From 11389f9b5c5577af9b441d2cb83b86a1529e4015 Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Mon, 8 Aug 2022 02:36:25 +0200 Subject: [PATCH 11/11] test(e2e): test multiple connections both with and without limit Signed-off-by: Mike Beaumont --- test/e2e_env/kubernetes/gateway/resources.go | 94 ++++++++++++++------ test/framework/k8s_cluster.go | 13 +++ 2 files changed, 78 insertions(+), 29 deletions(-) diff --git a/test/e2e_env/kubernetes/gateway/resources.go b/test/e2e_env/kubernetes/gateway/resources.go index 993e4fe5a999..c59363ab31ce 100644 --- a/test/e2e_env/kubernetes/gateway/resources.go +++ b/test/e2e_env/kubernetes/gateway/resources.go @@ -19,6 +19,22 @@ func Resources() { waitingClientNamespace := "gateway-resources-client-wait" curlingClientNamespace := "gateway-resources-client-curl" + meshGatewayWithoutLimit := fmt.Sprintf(` +apiVersion: kuma.io/v1alpha1 +kind: MeshGateway +metadata: + name: %s +mesh: %s +spec: + selectors: + - match: + kuma.io/service: %s + conf: + listeners: + - port: 8080 + protocol: HTTP +`, gatewayName, meshName, gatewayName) + meshGatewayWithLimit := fmt.Sprintf(` apiVersion: kuma.io/v1alpha1 kind: MeshGateway 
@@ -69,7 +85,7 @@ spec: Install(Namespace(curlingClientNamespace)). Install(DemoClientK8s(meshName, waitingClientNamespace)). Install(DemoClientK8s(meshName, curlingClientNamespace)). - Install(YamlK8s(meshGatewayWithLimit)). + Install(YamlK8s(meshGatewayWithoutLimit)). Install(YamlK8s(MkGatewayInstance(gatewayName, namespace, meshName))). Install(YamlK8s(httpRoute)). Install(testserver.Install( @@ -89,11 +105,35 @@ spec: Expect(env.Cluster.DeleteMesh(meshName)).To(Succeed()) }) - Specify("connection limit is respected", func() { - gatewayHost := fmt.Sprintf("%s.%s", gatewayName, namespace) - target := fmt.Sprintf("http://%s:8080", gatewayHost) + gatewayHost := fmt.Sprintf("%s.%s", gatewayName, namespace) + target := fmt.Sprintf("http://%s:8080", gatewayHost) + + keepConnectionOpen := func() { + // Open TCP connections to the gateway + defer GinkgoRecover() - By("allowing 1 connection") + demoClientPod, err := PodNameOfApp(env.Cluster, "demo-client", waitingClientNamespace) + Expect(err).ToNot(HaveOccurred()) + + cmd := []string{"telnet", gatewayHost, "8080"} + // We pass in a stdin that blocks so that telnet will keep the + // connection open + _, _, _ = env.Cluster.ExecWithOptions(ExecOptions{ + Command: cmd, + Namespace: waitingClientNamespace, + PodName: demoClientPod, + ContainerName: "demo-client", + Stdin: &BlockingReader{}, + CaptureStdout: true, + CaptureStderr: true, + PreserveWhitespace: false, + Retries: DefaultRetries, + Timeout: DefaultTimeout, + }) + } + + Specify("connection limit is respected", func() { + By("allowing connections without a limit") Eventually(func(g Gomega) { response, err := client.CollectResponse( 
@@ -105,31 +145,27 @@ spec: g.Expect(response.Instance).To(Equal("kubernetes")) }, "20s", "1s") - By("not allowing more than 1 connection") + By("allowing more than 1 connection without a limit") - // Open TCP connections to the gateway - go func() { - defer GinkgoRecover() - - demoClientPod, err := PodNameOfApp(env.Cluster, "demo-client", waitingClientNamespace) - Expect(err).ToNot(HaveOccurred()) - - cmd := []string{"telnet", gatewayHost, "8080"} - // We pass in a stdin that blocks so that telnet will keep the - // connection open - _, _, _ = env.Cluster.ExecWithOptions(ExecOptions{ - Command: cmd, - Namespace: waitingClientNamespace, - PodName: demoClientPod, - ContainerName: "demo-client", - Stdin: &BlockingReader{}, - CaptureStdout: true, - CaptureStderr: true, - PreserveWhitespace: false, - Retries: DefaultRetries, - Timeout: DefaultTimeout, - }) - }() + go keepConnectionOpen() + + Consistently(func(g Gomega) { + response, err := client.CollectResponse( + env.Cluster, "demo-client", target, + client.FromKubernetesPod(curlingClientNamespace, "demo-client"), + ) + + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(response.Instance).To(Equal("kubernetes")) + }, "40s", "1s").Should(Succeed()) + + By("not allowing more than 1 connection with a limit of 1") + + Expect(env.Cluster.Install(YamlK8s(meshGatewayWithLimit))).To(Succeed()) + + Expect(env.Cluster.KillAppPod("demo-client", waitingClientNamespace)).To(Succeed()) + + go keepConnectionOpen() Eventually(func(g Gomega) { response, err := client.CollectFailure( diff --git a/test/framework/k8s_cluster.go b/test/framework/k8s_cluster.go index 6a6fdadf255d..8a4110ccc3e7 100644 --- a/test/framework/k8s_cluster.go +++ b/test/framework/k8s_cluster.go 
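Review bot: The rejection step accepts curl exit code 52 or 56, which any empty reply or reset produces, so it can pass while the gateway is merely reloading after `Install(YamlK8s(meshGatewayWithLimit))` rather than because the limit was hit. Tying the failure to the held connection would make the result specific: after the failure assertion, drop the holder with the `KillAppPod` helper added in this patch and assert that requests succeed again. The `Eventually(... CollectFailure ...)` this would follow ends outside the hunk, and the sketch assumes deleting the waiting pod closes its connection to the gateway.

```go
	// … unchanged: Eventually(... client.CollectFailure ...) expecting exit code 52 or 56 …

	By("allowing connections again once the held connection is gone")

	Expect(env.Cluster.KillAppPod("demo-client", waitingClientNamespace)).To(Succeed())

	Eventually(func(g Gomega) {
		response, err := client.CollectResponse(
			env.Cluster, "demo-client", target,
			client.FromKubernetesPod(curlingClientNamespace, "demo-client"),
		)

		g.Expect(err).ToNot(HaveOccurred())
		g.Expect(response.Instance).To(Equal("kubernetes"))
	}, "40s", "1s").Should(Succeed())
```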
@@ -1206,3 +1206,16 @@ func (c *K8sCluster) DeleteNodeViaApi(node string) error { foreground := metav1.DeletePropagationForeground return clientset.CoreV1().Nodes().Delete(context.Background(), node, metav1.DeleteOptions{PropagationPolicy: &foreground}) } + +func (c *K8sCluster) KillAppPod(app, namespace string) error { + pod, err := PodNameOfApp(c, app, namespace) + if err != nil { + return err + } + + if err := k8s.RunKubectlE(c.GetTesting(), c.GetKubectlOptions(namespace), "delete", "pod", pod); err != nil { + return err + } + + return c.WaitApp(app, namespace, 1) +}
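Review bot: `KillAppPod` is exported without a doc comment and hard-codes a replica count of 1 in `c.WaitApp(app, namespace, 1)`, so it is only correct for single-replica apps; how `PodNameOfApp` behaves when several pods match is not visible here. A comment such as `// KillAppPod deletes the pod of a single-replica app and waits until one replica is available again.` would make that contract explicit. It is also worth confirming that `WaitApp` cannot be satisfied by the pod that is still terminating, since the resources test relies on the old pod's connection being gone before it opens a new one.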