listeners: add unified matcher for filter chains #20110

Merged: 58 commits merged on Apr 12, 2022

kyessenov
Contributor

Commit Message: Add unified matcher for network streams, as a replacement for filter chain match. See previous discussion in #18871
Risk Level: low (requires opt-in)
Testing: unit, integration
Docs Changes: yes
Release Notes: yes
Fixes: #3411 #18685

Signed-off-by: Kuat Yessenov <kuat@google.com>
howardjohn previously approved these changes Mar 31, 2022
Contributor

@howardjohn howardjohn left a comment

I am not familiar enough with Envoy internals to review the code, but I imported this to our control plane and played around with it for a few hours, works really well

Member

@htuch htuch left a comment

/lgtm api

Member

htuch commented Apr 1, 2022

@snowp might make sense for you to take a look from generic matcher perspective as well.

phlax previously approved these changes Apr 5, 2022
Member

@phlax phlax left a comment

lgtm from docs pov - thanks @kyessenov

@snowp do you want to give this a final pass

/wait-any

@kyessenov kyessenov dismissed stale reviews from phlax and howardjohn via e436cdf April 11, 2022 04:11
@kyessenov
Contributor Author

/retest

@repokitteh-read-only

Retrying Azure Pipelines:
Check envoy-presubmit didn't fail.

🐱

Caused by: a #20110 (comment) was created by @kyessenov.

see: more, trace.

Contributor

@snowp snowp left a comment

Overall this LGTM, just a few comments

Super cool to see this land!

Comment on lines +577 to +584
const auto& match_result = Matcher::evaluateMatch<Network::MatchingData>(*matcher_, data);
ASSERT(match_result.match_state_ == Matcher::MatchState::MatchComplete,
"Matching must complete for network streams.");
if (match_result.result_) {
const auto result = match_result.result_();
return result->getTyped<FilterChainNameAction>().chain_.get();
}
return default_filter_chain_.get();
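
Review bot: at `return result->getTyped<FilterChainNameAction>().chain_.get();` the pointer held in `chain_` is returned without a null check, so a matched action whose `chain_` is unset yields a null filter chain instead of reaching `return default_filter_chain_.get();`. Decide which of the two outcomes is intended for that case and make it explicit with a branch and a log line, since this function picks the filter chain a connection is handled by. Separately, the `match_state_` check exists only as an ASSERT; handle a non-complete state in the control flow as well so the selection does not depend on the assertion being compiled in.
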
Contributor

Maybe add a trace/debug log here per @howardjohn's point on debugging?

Contributor Author

Added a debug log when matcher refers to a missing chain. I think that's the confusing state that @howardjohn referred to.

Comment on lines +126 to +129
// network properties. This matcher is used as a replacement for the filter chain match condition
// :ref:`filter_chain_match
// <envoy_v3_api_field_config.listener.v3.FilterChain.filter_chain_match>`. If specified, all
// :ref:`filter_chains <envoy_v3_api_field_config.listener.v3.Listener.filter_chains>` must have a
Contributor

What happens if both are defined?

Contributor Author

The filter chain match is ignored when listener matcher is defined. I added a debug log to warn on listener construction.

Comment on lines +16 to +18
The matcher API replaces the existing filter :ref:`filter_chain_match
<envoy_v3_api_field_config.listener.v3.FilterChain.filter_chain_match>` field. When using the matcher API, the filter
chain match field is ignored and should not be set.
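
Review bot: "the filter chain match field is ignored and should not be set" documents a silent override of a match condition without saying how an operator learns that a `filter_chain_match` left in place is no longer applied. State the observable signal here (rejected config, warning, or the log level at which it is reported), because that field otherwise decides which filter chain a connection receives.
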
Contributor

Should this be exposed to the user in some way? ie fail the config or at the very least log something?

Contributor Author

Added a debug log. Failing might complicate migration IMHO, so just ignoring the field seems reasonable as it is an opt-in feature.
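
The two states discussed in the replies above (a matcher that refers to a missing chain, and a `filter_chain_match` that is ignored once the listener matcher is defined) are reported only through debug logs, so they can also be checked offline before a config is pushed. The sketch below is an added example, not code from this PR or from Envoy; the `filter_chain_matcher` field name and the `action.typed_config.value` layout are assumptions, and the listener is a constructed sample.

```python
import json

# Constructed sample (not from the PR). Assumptions: the listener-level field is
# named "filter_chain_matcher" and each matcher action names its chain in
# action.typed_config.value; filter_chains / filter_chain_match are on the page.
SAMPLE = json.loads("""
{"name": "inbound",
 "filter_chain_matcher": {"matcher_tree": {"exact_match_map": {"map": {
   "80":  {"action": {"name": "http", "typed_config": {"value": "http"}}},
   "443": {"action": {"name": "tls",  "typed_config": {"value": "tls-v2"}}}}}}},
 "filter_chains": [
   {"name": "http"},
   {"name": "tls", "filter_chain_match": {"transport_protocol": "tls"}}]}
""")


def referenced_chains(node):
    """Walk the matcher tree and collect every chain name used by an action."""
    names = set()
    if isinstance(node, dict):
        action = node.get("action")
        if isinstance(action, dict):
            value = action.get("typed_config", {}).get("value")
            if value:
                names.add(value)
        for child in node.values():
            names |= referenced_chains(child)
    elif isinstance(node, list):
        for child in node:
            names |= referenced_chains(child)
    return names


def audit_listener(listener):
    """Return sorted findings for a listener that opts in to the matcher."""
    matcher = listener.get("filter_chain_matcher")
    if matcher is None:
        return []  # legacy path: filter_chain_match is still evaluated
    chains = listener.get("filter_chains", [])
    defined = {c.get("name") for c in chains}
    findings = [f"chain {c.get('name')!r}: filter_chain_match is ignored"
                for c in chains if c.get("filter_chain_match")]
    findings += [f"matcher refers to missing chain {n!r}"
                 for n in referenced_chains(matcher) - defined]
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit_listener(SAMPLE)))
```
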

original destination port. The matcher in the listener selects one of the three filter chains ``http``, ``internal``,
and ``tls`` as follows:

* If the destination port is ``80``, then the filter chain ``http`` accepts the connection.
Contributor

extraneous space after http

Contributor Author

Thanks, fixed.

Contributor

@snowp snowp left a comment

LGTM, thanks!

@snowp snowp merged commit 7eb3a87 into envoyproxy:main Apr 12, 2022
@mattklein123
Member

@kyessenov I think we forgot a release note for this. Do you mind doing a follow-up PR to add a release note so that we can have that be part of the next release? Thank you.

vehre-x41 pushed a commit to vehre-x41/envoy that referenced this pull request Apr 19, 2022
Add unified matcher for network streams, as a replacement for filter chain match. 

See previous discussion in envoyproxy#18871

Signed-off-by: Kuat Yessenov <kuat@google.com>
Signed-off-by: Andre Vehreschild <vehre@x41-dsec.de>
ravenblackx pushed a commit to ravenblackx/envoy that referenced this pull request Jun 8, 2022
Successfully merging this pull request may close these issues.

Add support for configurable precedence of FilterChainMatch rules.
9 participants