-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
listeners: add unified matcher for filter chains #20110
listeners: add unified matcher for filter chains #20110
Conversation
Signed-off-by: Kuat Yessenov <kuat@google.com>
Signed-off-by: Kuat Yessenov <kuat@google.com>
Signed-off-by: Kuat Yessenov <kuat@google.com>
Signed-off-by: Kuat Yessenov <kuat@google.com>
Signed-off-by: Kuat Yessenov <kuat@google.com>
Signed-off-by: Kuat Yessenov <kuat@google.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not familiar enough with Envoy internals to review the code, but I imported this to our control plane and played around with it for a few hours, works really well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm api
docs/root/intro/arch_overview/advanced/matching/_include/listener_complicated.yaml
Show resolved
Hide resolved
@snowp might make sense for you to take a look from generic matcher perspective as well. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/retest |
Retrying Azure Pipelines: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall this LGTM, just a few comments
Super cool to see this land!
const auto& match_result = Matcher::evaluateMatch<Network::MatchingData>(*matcher_, data); | ||
ASSERT(match_result.match_state_ == Matcher::MatchState::MatchComplete, | ||
"Matching must complete for network streams."); | ||
if (match_result.result_) { | ||
const auto result = match_result.result_(); | ||
return result->getTyped<FilterChainNameAction>().chain_.get(); | ||
} | ||
return default_filter_chain_.get(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe add a trace/debug log here per @howardjohn's point on debugging?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a debug log when matcher refers to a missing chain. I think that's the confusing state that @howardjohn referred to.
// network properties. This matcher is used as a replacement for the filter chain match condition | ||
// :ref:`filter_chain_match | ||
// <envoy_v3_api_field_config.listener.v3.FilterChain.filter_chain_match>`. If specified, all | ||
// :ref:`filter_chains <envoy_v3_api_field_config.listener.v3.Listener.filter_chains>` must have a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens if both are defined?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The filter chain match is ignored when listener matcher is defined. I added a debug log to warn on listener construction.
The matcher API replaces the existing filter :ref:`filter_chain_match | ||
<envoy_v3_api_field_config.listener.v3.FilterChain.filter_chain_match>` field. When using the matcher API, the filter | ||
chain match field is ignored and should not be set. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be exposed to the user in some way? ie fail the config or at the very least log something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a debug log. Failing might complicate migration IMHO, so just ignoring the field seems reasonable as it is an opt-in feature.
original destination port. The matcher in the listener selects one of the three filter chains ``http``, ``internal``, | ||
and ``tls`` as follows: | ||
|
||
* If the destination port is ``80``, then the filter chain ``http`` accepts the connection. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
extraneous space after http
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, fixed.
Signed-off-by: Kuat Yessenov <kuat@google.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
@kyessenov I think we forget a release note for this. Do you mind doing a follow up PR to add a release note so that we can have that be part of the next release? Thank you. |
Add unified matcher for network streams, as a replacement for filter chain match. See previous discussion in envoyproxy#18871 Signed-off-by: Kuat Yessenov <kuat@google.com> Signed-off-by: Andre Vehreschild <vehre@x41-dsec.de>
Add unified matcher for network streams, as a replacement for filter chain match. See previous discussion in envoyproxy#18871 Signed-off-by: Kuat Yessenov <kuat@google.com>
Commit Message: Add unified matcher for network streams, as a replacement for filter chain match. See previous discussion in #18871
Risk Level: low (requires opt-in)
Testing: unit, integration
Docs Changes: yes
Release Notes: yes
Fixes: #3411 #18685