xds: add http filters to FilterChain matching (#4595)

* Add HTTP Filters to FilterChain
grpc · Jul 22, 2021 · a0bed72 · a0bed72
1 parent 0a8c637
commit a0bed72
Show file tree

Hide file tree

Showing 6 changed files with 538 additions and 117 deletions.
diff --git a/xds/internal/server/listener_wrapper_test.go b/xds/internal/server/listener_wrapper_test.go
@@ -30,6 +30,7 @@ import (
 
  v3corepb "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
  v3listenerpb "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
+ v3httppb "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
  v3tlspb "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
  wrapperspb "github.com/golang/protobuf/ptypes/wrappers"
  "google.golang.org/grpc/internal/grpctest"
@@ -82,6 +83,14 @@ var listenerWithFilterChains = &v3listenerpb.Listener{
  }),
  },
  },
+ Filters: []*v3listenerpb.Filter{
+ {
+ Name: "filter-1",
+ ConfigType: &v3listenerpb.Filter_TypedConfig{
+ TypedConfig: testutils.MarshalAny(&v3httppb.HttpConnectionManager{}),
+ },
+ },
+ },
  },
  },
 }

diff --git a/xds/internal/xdsclient/filter_chain.go b/xds/internal/xdsclient/filter_chain.go
@@ -26,7 +26,6 @@ import (
  v3listenerpb "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
  v3tlspb "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
  "github.com/golang/protobuf/proto"
-
  "google.golang.org/grpc/xds/internal/version"
 )
 
@@ -50,14 +49,11 @@ const (
 
 // FilterChain captures information from within a FilterChain message in a
 // Listener resource.
-//
-// Currently, this simply contains the security configuration found in the
-// 'transport_socket' field of the filter chain. The actual set of filters
-// associated with this filter chain are not captured here, since we do not
-// support these filters on the server-side yet.
 type FilterChain struct {
  // SecurityCfg contains transport socket security configuration.
  SecurityCfg *SecurityConfig
+ // HTTPFilters represent the HTTP Filters that comprise this FilterChain.
+ HTTPFilters []HTTPFilter
 }
 
 // SourceType specifies the connection source IP match type.
@@ -395,16 +391,20 @@ func (fci *FilterChainManager) addFilterChainsForSourcePorts(srcEntry *sourcePre
 }
 
 // filterChainFromProto extracts the relevant information from the FilterChain
-// proto and stores it in our internal representation. Currently, we only
-// process the security configuration stored in the transport_socket field.
+// proto and stores it in our internal representation.
 func filterChainFromProto(fc *v3listenerpb.FilterChain) (*FilterChain, error) {
+ httpFilters, err := processNetworkFilters(fc.GetFilters())
+ if err != nil {
+ return nil, err
+ }
+ filterChain := &FilterChain{HTTPFilters: httpFilters}
  // If the transport_socket field is not specified, it means that the control
  // plane has not sent us any security config. This is fine and the server
  // will use the fallback credentials configured as part of the
  // xdsCredentials.
  ts := fc.GetTransportSocket()
  if ts == nil {
- return &FilterChain{}, nil
+ return filterChain, nil
  }
  if name := ts.GetName(); name != transportSocketName {
  return nil, fmt.Errorf("transport_socket field has unexpected name: %s", name)
@@ -431,7 +431,8 @@ func filterChainFromProto(fc *v3listenerpb.FilterChain) (*FilterChain, error) {
  if sc.RequireClientCert && sc.RootInstanceName == "" {
  return nil, errors.New("security configuration on the server-side does not contain root certificate provider instance name, but require_client_cert field is set")
  }
- return &FilterChain{SecurityCfg: sc}, nil
+ filterChain.SecurityCfg = sc
+ return filterChain, nil
 }
 
 // FilterChainLookupParams wraps parameters to be passed to Lookup.