From 3898e771fe95300c9cb195d582ef6a6b26ef7b6c Mon Sep 17 00:00:00 2001 From: Tim Treptow Date: Fri, 20 Oct 2023 06:30:00 -0700 Subject: [PATCH] Ensure that duplicate listeners are not added when crossMesh is enabled on a listener and Routes specify hostnames In the cross-mesh case, the SNI string will be a kuma SNI string for the gateway service (e.g. edge-gateway{mesh=default,port=tcp-8080}). Thus it is not possible to distinguish hosts at the listener level and no filter chain sni matchers are added. This can lead to a duplicate listener filter chain being added if there are multiple hostnames to route. Thus we truncate the gatewayHosts array to size 1 before creating the listener blocks. --- .../gateway/gateway_route_generator_test.go | 89 ++++ pkg/plugins/runtime/gateway/generator.go | 9 +- .../testdata/http/cross-mesh-gateway.yaml | 447 ++++++++++++++++++ .../testdata/https/cross-mesh-gateway.yaml | 447 ++++++++++++++++++ 4 files changed, 991 insertions(+), 1 deletion(-) diff --git a/pkg/plugins/runtime/gateway/gateway_route_generator_test.go b/pkg/plugins/runtime/gateway/gateway_route_generator_test.go index c12e758eedca..727f772204be 100644 --- a/pkg/plugins/runtime/gateway/gateway_route_generator_test.go +++ b/pkg/plugins/runtime/gateway/gateway_route_generator_test.go @@ -1440,6 +1440,12 @@ conf: - port: 8080 protocol: HTTP crossMesh: true + - port: 8081 + protocol: HTTP + crossMesh: true + hostname: internal-cross-mesh.mesh + tags: + hostname: internal-cross-mesh.mesh `, ` type: MeshGatewayRoute mesh: default 
@@ -1467,6 +1473,89 @@ conf: backends: - destination: kuma.io/service: echo-service +`, ` +type: MeshGatewayRoute +mesh: default +name: echo-service-with-hostname +selectors: +- match: + kuma.io/service: gateway-default +selectors: +- match: + kuma.io/service: gateway-default +conf: + http: + hostnames: + - cross-mesh.mesh + rules: + - matches: + - path: + match: PREFIX + value: "/hostname-ext" + backends: + - destination: + kuma.io/service: external-httpbin + - matches: + - path: + match: PREFIX + value: "/hostname-echo" + backends: + - destination: + kuma.io/service: echo-service +`, ` +type: MeshGatewayRoute +mesh: default +name: echo-service-with-hostname-and-hostname-on-listener +selectors: +- match: + kuma.io/service: gateway-default + hostname: internal-cross-mesh.mesh +conf: + http: + hostnames: + - cross-mesh.mesh + rules: + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-no-match-ext" + backends: + - destination: + kuma.io/service: external-httpbin + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-eno-match-cho" + backends: + - destination: + kuma.io/service: echo-service +`, ` +type: MeshGatewayRoute +mesh: default +name: echo-service-with-hostname-and-hostname-on-listener +selectors: +- match: + kuma.io/service: gateway-default + hostname: internal-cross-mesh.mesh +conf: + http: + hostnames: + - internal-cross-mesh.mesh + rules: + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-match-ext" + backends: + - destination: + kuma.io/service: external-httpbin + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-match-echo" + backends: + - destination: + kuma.io/service: echo-service `, ), diff --git a/pkg/plugins/runtime/gateway/generator.go b/pkg/plugins/runtime/gateway/generator.go index a7a334db2bf0..ff47090af4e0 100644 --- a/pkg/plugins/runtime/gateway/generator.go +++ b/pkg/plugins/runtime/gateway/generator.go 
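Review bot: The second and third new MeshGatewayRoute fixtures both carry `name: echo-service-with-hostname-and-hostname-on-listener` in mesh default, so one most likely replaces the other when the test loads its resources; the updated golden files contain only the `-match-` paths, which suggests the no-match case (route hostname cross-mesh.mesh against listener hostname internal-cross-mesh.mesh) is never generated rather than being filtered out by hostname matching. Give the first fixture a distinct name, e.g. `name: echo-service-with-hostname-and-hostname-on-listener-no-match`, and check that the golden output still omits its paths. The `echo-service-with-hostname` fixture also repeats the `selectors:` key, which strict YAML decoders reject and lenient ones resolve last-wins, and `/hostname-and-hostname-on-listener-eno-match-cho` looks like a transposed `-no-match-echo`.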
@@ -261,6 +261,10 @@ func (g Generator) generateLDS(ctx xds_context.Context, info GatewayListenerInfo
 for _, hostInfo := range hostInfos {
 gatewayHosts = append(gatewayHosts, hostInfo.Host)
 }
+ if info.Listener.CrossMesh {
+ //for cross-mesh, we can only add one listener filter chain as there will not be any (usable) SNI available for filter chain matching
+ gatewayHosts = gatewayHosts[:1]
+ }
 
 protocol := info.Listener.Protocol
 if info.Listener.CrossMesh {
@@ -394,7 +398,10 @@ func MakeGatewayListener(
 hosts = append(hosts, host)
 }
 
- hosts = RedistributeWildcardRoutes(hosts)
+ // We ignore route hostnames with cross mesh
+ if !listener.CrossMesh {
+ hosts = RedistributeWildcardRoutes(hosts)
+ }
 
 // Sort by reverse hostname, so that fully qualified hostnames sort
 // before wildcard domains, and "*" is last.
diff --git a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml
index 4c0895c681fa..c31a9f5985b8 100644
--- a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml
+++ b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml
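Review bot: `gatewayHosts = gatewayHosts[:1]` in the new cross-mesh branch panics with a slice-bounds error when hostInfos is empty, because reslicing a nil or zero-capacity slice to length 1 is out of range, and nothing in the hunk shows hostInfos is guaranteed non-empty. Guard the truncation with `if info.Listener.CrossMesh && len(gatewayHosts) > 1 {`. Which host survives is simply the first one hostInfos yields, so the comment should say that the remaining hosts are dropped and the caller relies on hostInfos ordering being deterministic; I would also write it as `// for cross-mesh, ...` to match the file's other comments. generateLDS begins before and continues past this hunk.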
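Review bot: The comment `// We ignore route hostnames with cross mesh` overstates what the branch does: hosts is still collected, still sorted by reverse hostname right below, and, judging from the updated cross-mesh golden files where the 8081 virtual host lists `internal-cross-mesh.mesh` as its domain, still feeds virtual host matching; only the wildcard redistribution is skipped. A comment that matches the code would be `// Cross-mesh listeners have no usable SNI for filter chain matching, so wildcard redistribution across hosts is skipped; hostnames still drive virtual host matching.` — please confirm against what consumes hosts after the sort, which is outside the hunk. MakeGatewayListener starts and ends outside this hunk.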
@@ -1,5 +1,57 @@ Clusters: Resources: + echo-service-0ec9724567ed6087: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + name: echo-service-0ec9724567ed6087 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + alpnProtocols: + - kuma + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: spiffe://default/echo-service + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: echo-service{mesh=default} + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + httpProtocolOptions: {} echo-service-bfae5b64a0fe8b74: circuitBreakers: thresholds: 
@@ -107,8 +159,79 @@ Clusters: http2ProtocolOptions: initialConnectionWindowSize: 1048576 initialStreamWindowSize: 65536 + external-httpbin-eda12214e05805ce: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: external-httpbin + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: httpbin.com + portValue: 443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + envoy.transport_socket_match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: external-httpbin-eda12214e05805ce + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocketMatches: + - match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: httpbin.com + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: httpbin.com + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 Endpoints: Resources: + echo-service-0ec9724567ed6087: + clusterName: echo-service-0ec9724567ed6087 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 192.168.1.6 + portValue: 20006 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + 
envoy.transport_socket_match: + kuma.io/protocol: http echo-service-bfae5b64a0fe8b74: clusterName: echo-service-bfae5b64a0fe8b74 endpoints: 
@@ -206,6 +329,85 @@ Listeners: name: edge-gateway:HTTP:8080 perConnectionBufferLimitBytes: 32768 trafficDirection: INBOUND + edge-gateway:HTTP:8081: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8081 + enableReusePort: true + filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8081 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + 
defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8081 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND Routes: Resources: edge-gateway:HTTP:8080: @@ -225,6 +427,44 @@ Routes: key: Strict-Transport-Security value: max-age=31536000; includeSubDomains routes: + - match: + path: /hostname-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-bfae5b64a0fe8b74 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-823fa8131cdd67fa + weight: 1 - match: path: /echo route: 
@@ -263,6 +503,44 @@ Routes: clusters: - name: external-httpbin-823fa8131cdd67fa weight: 1 + - match: + prefix: /hostname-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-bfae5b64a0fe8b74 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-823fa8131cdd67fa + weight: 1 - match: prefix: /echo/ route: 
@@ -301,6 +579,175 @@ Routes: clusters: - name: external-httpbin-823fa8131cdd67fa weight: 1 + edge-gateway:HTTP:8081: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8081 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - internal-cross-mesh.mesh + name: internal-cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-and-hostname-on-listener-match-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-and-hostname-on-listener-match-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + path: /echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 
5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + prefix: /echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + 
clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 Runtimes: Resources: gateway.listeners: diff --git a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml index 4c0895c681fa..c31a9f5985b8 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml @@ -1,5 +1,57 @@ Clusters: Resources: + echo-service-0ec9724567ed6087: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + name: echo-service-0ec9724567ed6087 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + alpnProtocols: + - kuma + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: spiffe://default/echo-service + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: echo-service{mesh=default} + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + httpProtocolOptions: {} echo-service-bfae5b64a0fe8b74: circuitBreakers: thresholds: 
@@ -107,8 +159,79 @@ Clusters: http2ProtocolOptions: initialConnectionWindowSize: 1048576 initialStreamWindowSize: 65536 + external-httpbin-eda12214e05805ce: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: external-httpbin + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: httpbin.com + portValue: 443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + envoy.transport_socket_match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: external-httpbin-eda12214e05805ce + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocketMatches: + - match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: httpbin.com + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: httpbin.com + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 Endpoints: Resources: + echo-service-0ec9724567ed6087: + clusterName: echo-service-0ec9724567ed6087 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 192.168.1.6 + portValue: 20006 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + 
envoy.transport_socket_match: + kuma.io/protocol: http echo-service-bfae5b64a0fe8b74: clusterName: echo-service-bfae5b64a0fe8b74 endpoints: 
@@ -206,6 +329,85 @@ Listeners: name: edge-gateway:HTTP:8080 perConnectionBufferLimitBytes: 32768 trafficDirection: INBOUND + edge-gateway:HTTP:8081: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8081 + enableReusePort: true + filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8081 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + 
defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8081 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND Routes: Resources: edge-gateway:HTTP:8080: @@ -225,6 +427,44 @@ Routes: key: Strict-Transport-Security value: max-age=31536000; includeSubDomains routes: + - match: + path: /hostname-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-bfae5b64a0fe8b74 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-823fa8131cdd67fa + weight: 1 - match: path: /echo route: 
@@ -263,6 +503,44 @@ Routes: clusters: - name: external-httpbin-823fa8131cdd67fa weight: 1 + - match: + prefix: /hostname-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-bfae5b64a0fe8b74 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-823fa8131cdd67fa + weight: 1 - match: prefix: /echo/ route: 
@@ -301,6 +579,175 @@ Routes: clusters: - name: external-httpbin-823fa8131cdd67fa weight: 1 + edge-gateway:HTTP:8081: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8081 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - internal-cross-mesh.mesh + name: internal-cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-and-hostname-on-listener-match-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-and-hostname-on-listener-match-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + path: /echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 
5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + prefix: /echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + 
clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 Runtimes: Resources: gateway.listeners: