xds: add http filters to FilterChain matching (#4595)
* Add HTTP Filters to FilterChain
zasweq authored Jul 22, 2021
1 parent 0a8c637 commit a0bed72
Showing 6 changed files with 538 additions and 117 deletions.
9 changes: 9 additions & 0 deletions xds/internal/server/listener_wrapper_test.go
Expand Up @@ -30,6 +30,7 @@ import (

v3corepb "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
v3listenerpb "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
v3httppb "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
v3tlspb "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
wrapperspb "github.com/golang/protobuf/ptypes/wrappers"
"google.golang.org/grpc/internal/grpctest"
Expand Down Expand Up @@ -82,6 +83,14 @@ var listenerWithFilterChains = &v3listenerpb.Listener{
}),
},
},
Filters: []*v3listenerpb.Filter{
{
Name: "filter-1",
ConfigType: &v3listenerpb.Filter_TypedConfig{
TypedConfig: testutils.MarshalAny(&v3httppb.HttpConnectionManager{}),
},
},
},
},
},
}
21 changes: 11 additions & 10 deletions xds/internal/xdsclient/filter_chain.go
Expand Up @@ -26,7 +26,6 @@ import (
v3listenerpb "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
v3tlspb "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
"github.com/golang/protobuf/proto"

"google.golang.org/grpc/xds/internal/version"
)

Expand All @@ -50,14 +49,11 @@ const (

// FilterChain captures information from within a FilterChain message in a
// Listener resource.
//
// Currently, this simply contains the security configuration found in the
// 'transport_socket' field of the filter chain. The actual set of filters
// associated with this filter chain are not captured here, since we do not
// support these filters on the server-side yet.
type FilterChain struct {
// SecurityCfg contains transport socket security configuration.
SecurityCfg *SecurityConfig
// HTTPFilters represent the HTTP Filters that comprise this FilterChain.
HTTPFilters []HTTPFilter
}

// SourceType specifies the connection source IP match type.
Expand Down Expand Up @@ -395,16 +391,20 @@ func (fci *FilterChainManager) addFilterChainsForSourcePorts(srcEntry *sourcePre
}

// filterChainFromProto extracts the relevant information from the FilterChain
// proto and stores it in our internal representation. Currently, we only
// process the security configuration stored in the transport_socket field.
// proto and stores it in our internal representation.
func filterChainFromProto(fc *v3listenerpb.FilterChain) (*FilterChain, error) {
httpFilters, err := processNetworkFilters(fc.GetFilters())
if err != nil {
return nil, err
}
filterChain := &FilterChain{HTTPFilters: httpFilters}
// If the transport_socket field is not specified, it means that the control
// plane has not sent us any security config. This is fine and the server
// will use the fallback credentials configured as part of the
// xdsCredentials.
ts := fc.GetTransportSocket()
if ts == nil {
return &FilterChain{}, nil
return filterChain, nil
}
if name := ts.GetName(); name != transportSocketName {
return nil, fmt.Errorf("transport_socket field has unexpected name: %s", name)
Expand All @@ -431,7 +431,8 @@ func filterChainFromProto(fc *v3listenerpb.FilterChain) (*FilterChain, error) {
if sc.RequireClientCert && sc.RootInstanceName == "" {
return nil, errors.New("security configuration on the server-side does not contain root certificate provider instance name, but require_client_cert field is set")
}
return &FilterChain{SecurityCfg: sc}, nil
filterChain.SecurityCfg = sc
return filterChain, nil
}

// FilterChainLookupParams wraps parameters to be passed to Lookup.
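Review bot: In `filterChainFromProto` the error from `processNetworkFilters` is returned bare, while the transport_socket errors further down name the field that failed. Unless the helper already adds that context (it is not visible in this section), a rejected Listener will not say that the network filters were the cause; `return nil, fmt.Errorf("filter chain network filters: %w", err)` would fix that. The shortened doc comment should also say that the chain is now rejected when its network filters fail validation. The `HTTPFilters` field comment should state whether order is significant and whether an empty slice is a valid result, since code that later relies on these filters to enforce policy has to tell "no filters configured" apart from a parsing gap. The function body spans two hunks and its middle part is outside the lines shown.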