From 5cd2e4f258e3ed66314b70220f54d4ec4984727e Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Mon, 23 Oct 2023 15:03:15 +0200 Subject: [PATCH 1/4] test(MeshGateway): add case with invalid config Signed-off-by: Mike Beaumont --- .../gateway/gateway_route_generator_test.go | 29 ++++ .../testdata/http/cross-mesh-gateway.yaml | 151 ++++++++++++++++++ .../testdata/https/cross-mesh-gateway.yaml | 151 ++++++++++++++++++ 3 files changed, 331 insertions(+) diff --git a/pkg/plugins/runtime/gateway/gateway_route_generator_test.go b/pkg/plugins/runtime/gateway/gateway_route_generator_test.go index c12e758eedca..d549d2afe15a 100644 --- a/pkg/plugins/runtime/gateway/gateway_route_generator_test.go +++ b/pkg/plugins/runtime/gateway/gateway_route_generator_test.go @@ -1467,6 +1467,35 @@ conf: backends: - destination: kuma.io/service: echo-service +`, ` +type: MeshGatewayRoute +mesh: default +name: echo-service-with-hostname +selectors: +- match: + kuma.io/service: gateway-default +selectors: +- match: + kuma.io/service: gateway-default +conf: + http: + hostnames: + - cross-mesh.mesh + rules: + - matches: + - path: + match: PREFIX + value: "/hostname-ext" + backends: + - destination: + kuma.io/service: external-httpbin + - matches: + - path: + match: PREFIX + value: "/hostname-echo" + backends: + - destination: + kuma.io/service: echo-service `, ), diff --git a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml index 4c0895c681fa..391bba809a23 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml 
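Review bot: The added `echo-service-with-hostname` fixture in gateway_route_generator_test.go declares the top-level `selectors:` key twice with identical content. Duplicate mapping keys are either rejected or silently collapsed to one depending on the YAML parser, so the fixture only loads by accident of the decoder in use. This looks like a copy/paste slip rather than the "invalid config" the commit title refers to, which is presumably the `hostnames` entry on a cross-mesh listener. Drop the second `selectors:` block so the case exercises only that hostname behaviour.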
@@ -134,6 +134,71 @@ Listeners: portValue: 8080 enableReusePort: true filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8080 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: 
identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true - filterChainMatch: applicationProtocols: - kuma 
@@ -215,6 +280,92 @@ Routes: - x-kuma-tags validateClusters: false virtualHosts: + - domains: + - cross-mesh.mesh + name: cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-bfae5b64a0fe8b74 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-823fa8131cdd67fa + weight: 1 + - match: + prefix: /hostname-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-bfae5b64a0fe8b74 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: 
external-httpbin-823fa8131cdd67fa + weight: 1 - domains: - '*' name: '*' diff --git a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml index 4c0895c681fa..391bba809a23 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml 
@@ -134,6 +134,71 @@ Listeners: portValue: 8080 enableReusePort: true filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8080 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: 
identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true - filterChainMatch: applicationProtocols: - kuma 
@@ -215,6 +280,92 @@ Routes: - x-kuma-tags validateClusters: false virtualHosts: + - domains: + - cross-mesh.mesh + name: cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-bfae5b64a0fe8b74 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-823fa8131cdd67fa + weight: 1 + - match: + prefix: /hostname-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-bfae5b64a0fe8b74 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: 
external-httpbin-823fa8131cdd67fa + weight: 1 - domains: - '*' name: '*' From 226b7e14a9b2dce3bd57048455a1ba31ed539d8f Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Mon, 23 Oct 2023 15:22:18 +0200 Subject: [PATCH 2/4] fix(MeshGateway): ignore route hostnames on cross mesh listeners Signed-off-by: Mike Beaumont --- pkg/plugins/runtime/gateway/generator.go | 5 +- .../testdata/http/cross-mesh-gateway.yaml | 87 ++----------------- .../testdata/https/cross-mesh-gateway.yaml | 87 ++----------------- 3 files changed, 16 insertions(+), 163 deletions(-) diff --git a/pkg/plugins/runtime/gateway/generator.go b/pkg/plugins/runtime/gateway/generator.go index c0af93cd5656..bedbc620b27a 100644 --- a/pkg/plugins/runtime/gateway/generator.go +++ b/pkg/plugins/runtime/gateway/generator.go @@ -400,7 +400,10 @@ func MakeGatewayListener( hosts = append(hosts, host) } - hosts = RedistributeWildcardRoutes(hosts) + // We ignore route hostnames with cross mesh + if !listener.CrossMesh { + hosts = RedistributeWildcardRoutes(hosts) + } // Sort by reverse hostname, so that fully qualified hostnames sort // before wildcard domains, and "*" is last. diff --git a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml index 391bba809a23..30c6934f8f85 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml 
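Review bot: The new guard `if !listener.CrossMesh` in MakeGatewayListener turns a route's `hostnames` into a silent no-op on cross-mesh listeners, and the comment `// We ignore route hostnames with cross mesh` does not say why or what happens to the rules. Judging by the updated golden files in this series, rules declared for `cross-mesh.mesh` end up in the listener's own `*` virtual host, so an operator who used `hostnames` to limit which paths are reachable gets broader exposure with no signal. I would expand the comment to something like `// Cross-mesh listeners do not split virtual hosts by route hostname: a route's hostnames are ignored and its rules attach to the listener's own host.` It is also worth considering whether such routes should be rejected or warned about at validation time; whether that check already exists is not visible from this hunk. The body of MakeGatewayListener starts and ends outside the hunk.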
@@ -134,71 +134,6 @@ Listeners: portValue: 8080 enableReusePort: true filterChains: - - filterChainMatch: - applicationProtocols: - - kuma - transportProtocol: tls - filters: - - name: envoy.filters.network.http_connection_manager - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - commonHttpProtocolOptions: - headersWithUnderscoresAction: REJECT_REQUEST - idleTimeout: 300s - http2ProtocolOptions: - allowConnect: true - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 - maxConcurrentStreams: 100 - httpFilters: - - name: envoy.filters.http.local_ratelimit - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - statPrefix: rate_limit - - name: gzip-compress - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor - compressorLibrary: - name: gzip - typedConfig: - '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip - responseDirectionConfig: - disableOnEtagHeader: true - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - startChildSpan: true - mergeSlashes: true - normalizePath: true - pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT - rds: - configSource: - ads: {} - resourceApiVersion: V3 - routeConfigName: edge-gateway:HTTP:8080 - requestHeadersTimeout: 0.500s - serverName: Kuma Gateway - statPrefix: gateway-default - streamIdleTimeout: 5s - useRemoteAddress: true - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - commonTlsContext: - combinedValidationContext: - defaultValidationContext: {} - validationContextSdsSecretConfig: - name: mesh_ca:secret:all - sdsConfig: - ads: {} - resourceApiVersion: V3 - tlsCertificateSdsSecretConfigs: - - name: 
identity_cert:secret:default - sdsConfig: - ads: {} - resourceApiVersion: V3 - requireClientCertificate: true - filterChainMatch: applicationProtocols: - kuma @@ -281,8 +216,8 @@ Routes: validateClusters: false virtualHosts: - domains: - - cross-mesh.mesh - name: cross-mesh.mesh + - '*' + name: '*' requireTls: ALL responseHeadersToAdd: - append: false @@ -329,7 +264,7 @@ Routes: - name: external-httpbin-823fa8131cdd67fa weight: 1 - match: - prefix: /hostname-echo/ + path: /echo route: clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR idleTimeout: 5s @@ -350,7 +285,7 @@ Routes: value: '&kuma.io/service=gateway-default&' weight: 1 - match: - prefix: /hostname-ext/ + path: /ext route: clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR idleTimeout: 5s @@ -366,18 +301,8 @@ Routes: clusters: - name: external-httpbin-823fa8131cdd67fa weight: 1 - - domains: - - '*' - name: '*' - requireTls: ALL - responseHeadersToAdd: - - append: false - header: - key: Strict-Transport-Security - value: max-age=31536000; includeSubDomains - routes: - match: - path: /echo + prefix: /hostname-echo/ route: clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR idleTimeout: 5s @@ -398,7 +323,7 @@ Routes: value: '&kuma.io/service=gateway-default&' weight: 1 - match: - path: /ext + prefix: /hostname-ext/ route: clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR idleTimeout: 5s diff --git a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml index 391bba809a23..30c6934f8f85 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml 
@@ -134,71 +134,6 @@ Listeners: portValue: 8080 enableReusePort: true filterChains: - - filterChainMatch: - applicationProtocols: - - kuma - transportProtocol: tls - filters: - - name: envoy.filters.network.http_connection_manager - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - commonHttpProtocolOptions: - headersWithUnderscoresAction: REJECT_REQUEST - idleTimeout: 300s - http2ProtocolOptions: - allowConnect: true - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 - maxConcurrentStreams: 100 - httpFilters: - - name: envoy.filters.http.local_ratelimit - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit - statPrefix: rate_limit - - name: gzip-compress - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor - compressorLibrary: - name: gzip - typedConfig: - '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip - responseDirectionConfig: - disableOnEtagHeader: true - - name: envoy.filters.http.router - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - startChildSpan: true - mergeSlashes: true - normalizePath: true - pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT - rds: - configSource: - ads: {} - resourceApiVersion: V3 - routeConfigName: edge-gateway:HTTP:8080 - requestHeadersTimeout: 0.500s - serverName: Kuma Gateway - statPrefix: gateway-default - streamIdleTimeout: 5s - useRemoteAddress: true - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - commonTlsContext: - combinedValidationContext: - defaultValidationContext: {} - validationContextSdsSecretConfig: - name: mesh_ca:secret:all - sdsConfig: - ads: {} - resourceApiVersion: V3 - tlsCertificateSdsSecretConfigs: - - name: 
identity_cert:secret:default - sdsConfig: - ads: {} - resourceApiVersion: V3 - requireClientCertificate: true - filterChainMatch: applicationProtocols: - kuma @@ -281,8 +216,8 @@ Routes: validateClusters: false virtualHosts: - domains: - - cross-mesh.mesh - name: cross-mesh.mesh + - '*' + name: '*' requireTls: ALL responseHeadersToAdd: - append: false @@ -329,7 +264,7 @@ Routes: - name: external-httpbin-823fa8131cdd67fa weight: 1 - match: - prefix: /hostname-echo/ + path: /echo route: clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR idleTimeout: 5s @@ -350,7 +285,7 @@ Routes: value: '&kuma.io/service=gateway-default&' weight: 1 - match: - prefix: /hostname-ext/ + path: /ext route: clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR idleTimeout: 5s @@ -366,18 +301,8 @@ Routes: clusters: - name: external-httpbin-823fa8131cdd67fa weight: 1 - - domains: - - '*' - name: '*' - requireTls: ALL - responseHeadersToAdd: - - append: false - header: - key: Strict-Transport-Security - value: max-age=31536000; includeSubDomains - routes: - match: - path: /echo + prefix: /hostname-echo/ route: clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR idleTimeout: 5s @@ -398,7 +323,7 @@ Routes: value: '&kuma.io/service=gateway-default&' weight: 1 - match: - path: /ext + prefix: /hostname-ext/ route: clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR idleTimeout: 5s From c4100380fed109c1f310345476b73216107c47bf Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Mon, 23 Oct 2023 15:55:52 +0200 Subject: [PATCH 3/4] test(MeshGateway): add case with hostname specified cross mesh listener Both routes attach because we ignore `hostnames` on them. Signed-off-by: Mike Beaumont --- .../gateway/gateway_route_generator_test.go | 6 + .../testdata/http/cross-mesh-gateway.yaml | 295 ++++++++++++++++++ .../testdata/https/cross-mesh-gateway.yaml | 295 ++++++++++++++++++ 3 files changed, 596 insertions(+) 
diff --git a/pkg/plugins/runtime/gateway/gateway_route_generator_test.go b/pkg/plugins/runtime/gateway/gateway_route_generator_test.go index d549d2afe15a..a78de30acc8d 100644 --- a/pkg/plugins/runtime/gateway/gateway_route_generator_test.go +++ b/pkg/plugins/runtime/gateway/gateway_route_generator_test.go @@ -1440,6 +1440,12 @@ conf: - port: 8080 protocol: HTTP crossMesh: true + - port: 8081 + protocol: HTTP + crossMesh: true + hostname: internal-cross-mesh.mesh + tags: + hostname: internal-cross-mesh.mesh `, ` type: MeshGatewayRoute mesh: default diff --git a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml index 30c6934f8f85..49951ba9c876 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml 
@@ -1,5 +1,57 @@ Clusters: Resources: + echo-service-0ec9724567ed6087: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + name: echo-service-0ec9724567ed6087 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + alpnProtocols: + - kuma + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: spiffe://default/echo-service + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: echo-service{mesh=default} + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + httpProtocolOptions: {} echo-service-bfae5b64a0fe8b74: circuitBreakers: thresholds: 
@@ -107,8 +159,79 @@ Clusters: http2ProtocolOptions: initialConnectionWindowSize: 1048576 initialStreamWindowSize: 65536 + external-httpbin-eda12214e05805ce: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: external-httpbin + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: httpbin.com + portValue: 443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + envoy.transport_socket_match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: external-httpbin-eda12214e05805ce + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocketMatches: + - match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: httpbin.com + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: httpbin.com + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 Endpoints: Resources: + echo-service-0ec9724567ed6087: + clusterName: echo-service-0ec9724567ed6087 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 192.168.1.6 + portValue: 20006 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + 
envoy.transport_socket_match: + kuma.io/protocol: http echo-service-bfae5b64a0fe8b74: clusterName: echo-service-bfae5b64a0fe8b74 endpoints: 
@@ -206,6 +329,85 @@ Listeners: name: edge-gateway:HTTP:8080 perConnectionBufferLimitBytes: 32768 trafficDirection: INBOUND + edge-gateway:HTTP:8081: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8081 + enableReusePort: true + filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8081 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + 
defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8081 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND Routes: Resources: edge-gateway:HTTP:8080: 
@@ -377,6 +579,99 @@ Routes: clusters: - name: external-httpbin-823fa8131cdd67fa weight: 1 + edge-gateway:HTTP:8081: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8081 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - internal-cross-mesh.mesh + name: internal-cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + prefix: /echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + 
baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 Runtimes: Resources: gateway.listeners: diff --git a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml index 30c6934f8f85..49951ba9c876 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml 
@@ -1,5 +1,57 @@ Clusters: Resources: + echo-service-0ec9724567ed6087: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + name: echo-service-0ec9724567ed6087 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + alpnProtocols: + - kuma + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: spiffe://default/echo-service + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: echo-service{mesh=default} + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + httpProtocolOptions: {} echo-service-bfae5b64a0fe8b74: circuitBreakers: thresholds: 
@@ -107,8 +159,79 @@ Clusters: http2ProtocolOptions: initialConnectionWindowSize: 1048576 initialStreamWindowSize: 65536 + external-httpbin-eda12214e05805ce: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: external-httpbin + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: httpbin.com + portValue: 443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + envoy.transport_socket_match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: external-httpbin-eda12214e05805ce + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocketMatches: + - match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: httpbin.com + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: httpbin.com + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 Endpoints: Resources: + echo-service-0ec9724567ed6087: + clusterName: echo-service-0ec9724567ed6087 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 192.168.1.6 + portValue: 20006 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + 
envoy.transport_socket_match: + kuma.io/protocol: http echo-service-bfae5b64a0fe8b74: clusterName: echo-service-bfae5b64a0fe8b74 endpoints: 
@@ -206,6 +329,85 @@ Listeners: name: edge-gateway:HTTP:8080 perConnectionBufferLimitBytes: 32768 trafficDirection: INBOUND + edge-gateway:HTTP:8081: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8081 + enableReusePort: true + filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8081 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + 
defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8081 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND Routes: Resources: edge-gateway:HTTP:8080: 
@@ -377,6 +579,99 @@ Routes: clusters: - name: external-httpbin-823fa8131cdd67fa weight: 1 + edge-gateway:HTTP:8081: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8081 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - internal-cross-mesh.mesh + name: internal-cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + prefix: /echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + 
baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 Runtimes: Resources: gateway.listeners: From 88b66718f7cac97d28f04f37bf00459637ba776a Mon Sep 17 00:00:00 2001 From: Mike Beaumont Date: Mon, 23 Oct 2023 15:57:51 +0200 Subject: [PATCH 4/4] test(MeshGateway): add route with hostname attached to listener with hostname The route with no hostname overlap should be ignored and the matching should only attach to the tagged listener. Signed-off-by: Mike Beaumont --- .../gateway/gateway_route_generator_test.go | 54 +++++++++++++ .../testdata/http/cross-mesh-gateway.yaml | 76 +++++++++++++++++++ .../testdata/https/cross-mesh-gateway.yaml | 76 +++++++++++++++++++ 3 files changed, 206 insertions(+) diff --git a/pkg/plugins/runtime/gateway/gateway_route_generator_test.go b/pkg/plugins/runtime/gateway/gateway_route_generator_test.go index a78de30acc8d..727f772204be 100644 --- a/pkg/plugins/runtime/gateway/gateway_route_generator_test.go +++ b/pkg/plugins/runtime/gateway/gateway_route_generator_test.go 
@@ -1502,6 +1502,60 @@ conf: backends: - destination: kuma.io/service: echo-service +`, ` +type: MeshGatewayRoute +mesh: default +name: echo-service-with-hostname-and-hostname-on-listener +selectors: +- match: + kuma.io/service: gateway-default + hostname: internal-cross-mesh.mesh +conf: + http: + hostnames: + - cross-mesh.mesh + rules: + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-no-match-ext" + backends: + - destination: + kuma.io/service: external-httpbin + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-eno-match-cho" + backends: + - destination: + kuma.io/service: echo-service +`, ` +type: MeshGatewayRoute +mesh: default +name: echo-service-with-hostname-and-hostname-on-listener +selectors: +- match: + kuma.io/service: gateway-default + hostname: internal-cross-mesh.mesh +conf: + http: + hostnames: + - internal-cross-mesh.mesh + rules: + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-match-ext" + backends: + - destination: + kuma.io/service: external-httpbin + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-match-echo" + backends: + - destination: + kuma.io/service: echo-service `, ), diff --git a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml index 49951ba9c876..c31a9f5985b8 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml 
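Review bot: Both MeshGatewayRoute resources added in this hunk are named `echo-service-with-hostname-and-hostname-on-listener` in mesh `default`, so the no-overlap route (hostnames `cross-mesh.mesh`) may be overwritten or rejected before route generation runs. The enclosing test-table entry starts outside the hunk, so whether the fixture keys resources by mesh and name is not visible here. The golden files later in this patch contain only the `-match-` paths, which is the output in either case, so the negative case the commit message describes (a route with no hostname overlap must not attach to the tagged listener) may not be exercised at all. Give the first route its own name, e.g. `name: echo-service-with-hostname-and-no-match-on-listener`. Its second path value also looks mistyped: `"/hostname-and-hostname-on-listener-eno-match-cho"` is presumably meant to be `"/hostname-and-hostname-on-listener-no-match-echo"`.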
@@ -596,6 +596,44 @@ Routes: key: Strict-Transport-Security value: max-age=31536000; includeSubDomains routes: + - match: + path: /hostname-and-hostname-on-listener-match-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-and-hostname-on-listener-match-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 - match: path: /echo route: 
@@ -634,6 +672,44 @@ Routes: clusters: - name: external-httpbin-eda12214e05805ce weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 - match: prefix: /echo/ route: diff --git a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml index 49951ba9c876..c31a9f5985b8 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml 
@@ -596,6 +596,44 @@ Routes: key: Strict-Transport-Security value: max-age=31536000; includeSubDomains routes: + - match: + path: /hostname-and-hostname-on-listener-match-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-and-hostname-on-listener-match-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 - match: path: /echo route: 
@@ -634,6 +672,44 @@ Routes: clusters: - name: external-httpbin-eda12214e05805ce weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 - match: prefix: /echo/ route: