diff --git a/pkg/plugins/runtime/gateway/gateway_route_generator_test.go b/pkg/plugins/runtime/gateway/gateway_route_generator_test.go
index c12e758eedca..3100aab24a30 100644
--- a/pkg/plugins/runtime/gateway/gateway_route_generator_test.go
+++ b/pkg/plugins/runtime/gateway/gateway_route_generator_test.go
@@ -1440,30 +1440,123 @@ conf: - port: 8080 protocol: HTTP crossMesh: true + tags: + hostname: route-only + - port: 8081 + protocol: HTTP + crossMesh: true + hostname: internal-cross-mesh.mesh + tags: + hostname: internal-cross-mesh.mesh + - port: 8082 + protocol: HTTP + crossMesh: true + tags: + hostname: default `, ` type: MeshGatewayRoute mesh: default -name: echo-service +name: echo-service-default selectors: - match: kuma.io/service: gateway-default + hostname: default +conf: + http: + rules: + - matches: + - path: + match: PREFIX + value: "/ext" + backends: + - destination: + kuma.io/service: external-httpbin + - matches: + - path: + match: PREFIX + value: "/echo" + backends: + - destination: + kuma.io/service: echo-service +`, ` +type: MeshGatewayRoute +mesh: default +name: echo-service-with-hostname selectors: - match: kuma.io/service: gateway-default + hostname: route-only conf: http: + hostnames: + - cross-mesh.mesh + - cross-mesh2.mesh rules: - matches: - path: match: PREFIX - value: "/ext" + value: "/hostname-ext" backends: - destination: kuma.io/service: external-httpbin - matches: - path: match: PREFIX - value: "/echo" + value: "/hostname-echo" + backends: + - destination: + kuma.io/service: echo-service +`, ` +type: MeshGatewayRoute +mesh: default +name: echo-service-with-hostname-and-hostname-on-listener +selectors: +- match: + kuma.io/service: gateway-default + hostname: internal-cross-mesh.mesh +conf: + http: + hostnames: + - cross-mesh.mesh + rules: + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-no-match-ext" + backends: + - destination: + kuma.io/service: external-httpbin + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-no-match-echo" + backends: + - destination: + kuma.io/service: echo-service +`, ` +type: MeshGatewayRoute +mesh: default +name: echo-service-with-hostname-and-different-hostname-on-listener +selectors: +- match: + kuma.io/service: gateway-default + hostname: 
internal-cross-mesh.mesh +conf: + http: + hostnames: + - internal-cross-mesh.mesh + rules: + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-match-ext" + backends: + - destination: + kuma.io/service: external-httpbin + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-match-echo" backends: - destination: kuma.io/service: echo-service diff --git a/pkg/plugins/runtime/gateway/generator.go b/pkg/plugins/runtime/gateway/generator.go index 7c3c01dacd85..1804b034eeeb 100644 --- a/pkg/plugins/runtime/gateway/generator.go +++ b/pkg/plugins/runtime/gateway/generator.go @@ -256,6 +256,10 @@ func (g Generator) generateLDS(ctx xds_context.Context, info GatewayListenerInfo for _, hostInfo := range hostInfos { gatewayHosts = append(gatewayHosts, hostInfo.Host) } + if info.Listener.CrossMesh { + //for cross-mesh, we can only add one listener filter chain as there will not be any (usable) SNI available for filter chain matching + gatewayHosts = gatewayHosts[:1] + } protocol := info.Listener.Protocol if info.Listener.CrossMesh { diff --git a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml index 4c0895c681fa..f9adb5957e09 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml @@ -1,6 +1,6 @@ Clusters: Resources: - echo-service-bfae5b64a0fe8b74: + echo-service-0ec9724567ed6087: circuitBreakers: thresholds: - maxConnections: 1024 @@ -12,7 +12,7 @@ Clusters: edsConfig: ads: {} resourceApiVersion: V3 - name: echo-service-bfae5b64a0fe8b74 + name: echo-service-0ec9724567ed6087 outlierDetection: enforcingConsecutive5xx: 0 enforcingConsecutiveGatewayFailure: 0 
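Review bot: The names of the two new route fixtures that select `hostname: internal-cross-mesh.mesh` look swapped relative to their contents. `echo-service-with-hostname-and-hostname-on-listener` sets `hostnames: - cross-mesh.mesh`, which differs from the listener hostname, and uses the `/hostname-and-hostname-on-listener-no-match-*` paths. `echo-service-with-hostname-and-different-hostname-on-listener` sets the listener's own `internal-cross-mesh.mesh` and uses the `-match-*` paths. Renaming them so that "different" sits on the non-matching route would let a reader check the golden output for port 8081, where only the `-match-*` routes appear, without cross-reading the paths. The enclosing test table starts and ends outside the hunk.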
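Review bot: `gatewayHosts = gatewayHosts[:1]` in the new cross-mesh branch panics with a slice-bounds error when `gatewayHosts` is empty, and nothing in the hunk shows that `hostInfos` is guaranteed non-empty; guard it with `if info.Listener.CrossMesh && len(gatewayHosts) > 1 {`. The truncation also silently keeps whichever host comes first, so if hosts can carry differing per-host settings (not visible here), the single filter chain's configuration depends on the ordering of `hostInfos`. The comment should say why the first entry is representative for the whole listener. Minor: the comment lacks a space after `//`. generateLDS begins and ends outside the hunk.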
@@ -52,7 +52,221 @@ Clusters: idleTimeout: 3600s explicitHttpConfig: httpProtocolOptions: {} - external-httpbin-823fa8131cdd67fa: + echo-service-8acee1c4ccf209c2: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + name: echo-service-8acee1c4ccf209c2 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + alpnProtocols: + - kuma + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: spiffe://default/echo-service + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: echo-service{mesh=default} + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + httpProtocolOptions: {} + echo-service-9974f10fae8a656c: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + name: echo-service-9974f10fae8a656c + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + 
enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + alpnProtocols: + - kuma + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: spiffe://default/echo-service + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: echo-service{mesh=default} + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + httpProtocolOptions: {} + external-httpbin-7a2f998ac9979f97: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: external-httpbin + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: httpbin.com + portValue: 443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + envoy.transport_socket_match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: external-httpbin-7a2f998ac9979f97 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocketMatches: + - match: + kuma.io/external-service-name: external-httpbin + 
kuma.io/protocol: http2 + name: httpbin.com + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: httpbin.com + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + external-httpbin-4000f9250e560106: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: external-httpbin + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: httpbin.com + portValue: 443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + envoy.transport_socket_match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: external-httpbin-4000f9250e560106 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocketMatches: + - match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: httpbin.com + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: httpbin.com + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + 
commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + external-httpbin-eda12214e05805ce: circuitBreakers: thresholds: - maxConnections: 1024 @@ -79,7 +293,7 @@ Clusters: envoy.transport_socket_match: kuma.io/external-service-name: external-httpbin kuma.io/protocol: http2 - name: external-httpbin-823fa8131cdd67fa + name: external-httpbin-eda12214e05805ce outlierDetection: enforcingConsecutive5xx: 0 enforcingConsecutiveGatewayFailure: 0 @@ -109,8 +323,40 @@ Clusters: initialStreamWindowSize: 65536 Endpoints: Resources: - echo-service-bfae5b64a0fe8b74: - clusterName: echo-service-bfae5b64a0fe8b74 + echo-service-0ec9724567ed6087: + clusterName: echo-service-0ec9724567ed6087 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 192.168.1.6 + portValue: 20006 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + envoy.transport_socket_match: + kuma.io/protocol: http + echo-service-8acee1c4ccf209c2: + clusterName: echo-service-8acee1c4ccf209c2 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 192.168.1.6 + portValue: 20006 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + envoy.transport_socket_match: + kuma.io/protocol: http + echo-service-9974f10fae8a656c: + clusterName: echo-service-9974f10fae8a656c endpoints: - lbEndpoints: - endpoint: 
@@ -206,11 +452,458 @@ Listeners: name: edge-gateway:HTTP:8080 perConnectionBufferLimitBytes: 32768 trafficDirection: INBOUND -Routes: - Resources: - edge-gateway:HTTP:8080: - ignorePortInHostMatching: true - name: edge-gateway:HTTP:8080 + edge-gateway:HTTP:8081: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8081 + enableReusePort: true + filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8081 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': 
type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8081 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND + edge-gateway:HTTP:8082: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8082 + enableReusePort: true + filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + 
startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8082 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8082 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND +Routes: + Resources: + edge-gateway:HTTP:8080: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8080 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - cross-mesh2.mesh + name: cross-mesh2.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: 
'&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - match: + prefix: /hostname-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - domains: + - cross-mesh.mesh + name: cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 
1 + - match: + path: /hostname-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - match: + prefix: /hostname-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - domains: + - '*' + name: '*' + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - directResponse: + body: + inlineString: | + This is a Kuma MeshGateway. No routes match this MeshGateway! 
+ status: 404 + match: + prefix: / + edge-gateway:HTTP:8081: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8081 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - internal-cross-mesh.mesh + name: internal-cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-and-hostname-on-listener-match-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-and-hostname-on-listener-match-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-ext/ + route: + clusterNotFoundResponseCode: 
INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + edge-gateway:HTTP:8082: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8082 requestHeadersToRemove: - x-kuma-tags validateClusters: false @@ -240,7 +933,7 @@ Routes: timeout: 15s weightedClusters: clusters: - - name: echo-service-bfae5b64a0fe8b74 + - name: echo-service-9974f10fae8a656c requestHeadersToAdd: - header: key: x-kuma-tags @@ -261,7 +954,7 @@ Routes: timeout: 15s weightedClusters: clusters: - - name: external-httpbin-823fa8131cdd67fa + - name: external-httpbin-4000f9250e560106 weight: 1 - match: prefix: /echo/ @@ -278,7 +971,7 @@ Routes: timeout: 15s weightedClusters: clusters: - - name: echo-service-bfae5b64a0fe8b74 + - name: echo-service-9974f10fae8a656c requestHeadersToAdd: - header: key: x-kuma-tags @@ -299,7 +992,7 @@ Routes: timeout: 15s weightedClusters: clusters: - - name: external-httpbin-823fa8131cdd67fa + - name: external-httpbin-4000f9250e560106 weight: 1 Runtimes: Resources: diff --git a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml index 4c0895c681fa..f9adb5957e09 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml @@ -1,6 +1,6 @@ Clusters: Resources: - echo-service-bfae5b64a0fe8b74: + echo-service-0ec9724567ed6087: circuitBreakers: thresholds: - maxConnections: 1024 @@ -12,7 +12,7 @@ Clusters: edsConfig: ads: {} resourceApiVersion: V3 - name: echo-service-bfae5b64a0fe8b74 + name: echo-service-0ec9724567ed6087 outlierDetection: enforcingConsecutive5xx: 0 enforcingConsecutiveGatewayFailure: 0 
@@ -52,7 +52,221 @@ Clusters: idleTimeout: 3600s explicitHttpConfig: httpProtocolOptions: {} - external-httpbin-823fa8131cdd67fa: + echo-service-8acee1c4ccf209c2: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + name: echo-service-8acee1c4ccf209c2 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + alpnProtocols: + - kuma + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: spiffe://default/echo-service + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: echo-service{mesh=default} + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + httpProtocolOptions: {} + echo-service-9974f10fae8a656c: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + name: echo-service-9974f10fae8a656c + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + 
enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + alpnProtocols: + - kuma + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: spiffe://default/echo-service + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: echo-service{mesh=default} + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + httpProtocolOptions: {} + external-httpbin-7a2f998ac9979f97: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: external-httpbin + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: httpbin.com + portValue: 443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + envoy.transport_socket_match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: external-httpbin-7a2f998ac9979f97 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocketMatches: + - match: + kuma.io/external-service-name: external-httpbin + 
kuma.io/protocol: http2 + name: httpbin.com + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: httpbin.com + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + external-httpbin-4000f9250e560106: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: external-httpbin + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: httpbin.com + portValue: 443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + envoy.transport_socket_match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: external-httpbin-4000f9250e560106 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocketMatches: + - match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: httpbin.com + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: httpbin.com + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + 
commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + external-httpbin-eda12214e05805ce: circuitBreakers: thresholds: - maxConnections: 1024 @@ -79,7 +293,7 @@ Clusters: envoy.transport_socket_match: kuma.io/external-service-name: external-httpbin kuma.io/protocol: http2 - name: external-httpbin-823fa8131cdd67fa + name: external-httpbin-eda12214e05805ce outlierDetection: enforcingConsecutive5xx: 0 enforcingConsecutiveGatewayFailure: 0 @@ -109,8 +323,40 @@ Clusters: initialStreamWindowSize: 65536 Endpoints: Resources: - echo-service-bfae5b64a0fe8b74: - clusterName: echo-service-bfae5b64a0fe8b74 + echo-service-0ec9724567ed6087: + clusterName: echo-service-0ec9724567ed6087 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 192.168.1.6 + portValue: 20006 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + envoy.transport_socket_match: + kuma.io/protocol: http + echo-service-8acee1c4ccf209c2: + clusterName: echo-service-8acee1c4ccf209c2 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 192.168.1.6 + portValue: 20006 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + envoy.transport_socket_match: + kuma.io/protocol: http + echo-service-9974f10fae8a656c: + clusterName: echo-service-9974f10fae8a656c endpoints: - lbEndpoints: - endpoint: 
@@ -206,11 +452,458 @@ Listeners: name: edge-gateway:HTTP:8080 perConnectionBufferLimitBytes: 32768 trafficDirection: INBOUND -Routes: - Resources: - edge-gateway:HTTP:8080: - ignorePortInHostMatching: true - name: edge-gateway:HTTP:8080 + edge-gateway:HTTP:8081: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8081 + enableReusePort: true + filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8081 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': 
type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8081 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND + edge-gateway:HTTP:8082: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8082 + enableReusePort: true + filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + 
startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8082 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8082 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND +Routes: + Resources: + edge-gateway:HTTP:8080: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8080 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - cross-mesh2.mesh + name: cross-mesh2.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: 
'&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - match: + prefix: /hostname-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - domains: + - cross-mesh.mesh + name: cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 
1 + - match: + path: /hostname-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - match: + prefix: /hostname-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - domains: + - '*' + name: '*' + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - directResponse: + body: + inlineString: | + This is a Kuma MeshGateway. No routes match this MeshGateway! 
+ status: 404 + match: + prefix: / + edge-gateway:HTTP:8081: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8081 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - internal-cross-mesh.mesh + name: internal-cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-and-hostname-on-listener-match-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-and-hostname-on-listener-match-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-ext/ + route: + clusterNotFoundResponseCode: 
INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + edge-gateway:HTTP:8082: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8082 requestHeadersToRemove: - x-kuma-tags validateClusters: false @@ -240,7 +933,7 @@ Routes: timeout: 15s weightedClusters: clusters: - - name: echo-service-bfae5b64a0fe8b74 + - name: echo-service-9974f10fae8a656c requestHeadersToAdd: - header: key: x-kuma-tags @@ -261,7 +954,7 @@ Routes: timeout: 15s weightedClusters: clusters: - - name: external-httpbin-823fa8131cdd67fa + - name: external-httpbin-4000f9250e560106 weight: 1 - match: prefix: /echo/ @@ -278,7 +971,7 @@ Routes: timeout: 15s weightedClusters: clusters: - - name: echo-service-bfae5b64a0fe8b74 + - name: echo-service-9974f10fae8a656c requestHeadersToAdd: - header: key: x-kuma-tags @@ -299,7 +992,7 @@ Routes: timeout: 15s weightedClusters: clusters: - - name: external-httpbin-823fa8131cdd67fa + - name: external-httpbin-4000f9250e560106 weight: 1 Runtimes: Resources: