Introducing per-service filtering (#1725)

Introducing per-service filtering Introduces per-destination filter-chain matching on outbound. This change will allow setting specific L4 or L7 filtering, precursor for TCP routing. - Since we are filtering all permitted traffic, we can generalize the remaining traffic and simplify Egress, which will not require a CIDR anymore. (TODO: cleanup CIDR flags/code) - Since we can match all destination traffic, Permissive mode can potentially use TCP proxy if we want (instead of wildcarded RDS) to allow also L4 protocols between services. - Additional work that might benefit from it: per-service route table on RDS, TCP routing, .... Additionally: - Fixing the listener tests required adding the long-awaited catalog mock. Will add more tests in subsequent commits.
openservicemesh · Sep 25, 2020 · dac3552 · dac3552
1 parent 0d05587
commit dac3552
Show file tree

Hide file tree

Showing 10 changed files with 499 additions and 162 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -128,7 +128,7 @@ jobs:
         env:
           CERT_MANAGER: "tresor"
           BOOKSTORE_SVC: "bookstore"
-          BOOKTHIEF_EXPECTED_RESPONSE_CODE: "404"
+          BOOKTHIEF_EXPECTED_RESPONSE_CODE: "0"
           ENABLE_EGRESS: "false"
           DEPLOY_TRAFFIC_SPLIT: "true"
           CTR_TAG: ${{ github.sha }}
@@ -217,7 +217,7 @@ jobs:
         env:
           CERT_MANAGER: "cert-manager" # enables jetstack/cert-manager integration
           BOOKSTORE_SVC: "bookstore-v1"
-          BOOKTHIEF_EXPECTED_RESPONSE_CODE: "404"
+          BOOKTHIEF_EXPECTED_RESPONSE_CODE: "0"
           ENABLE_EGRESS: "false"
           DEPLOY_TRAFFIC_SPLIT: "false"
           DEPLOY_WITH_SAME_SA: "true"

diff --git a/demo/cmd/bookthief/bookthief.go b/demo/cmd/bookthief/bookthief.go
@@ -95,7 +95,7 @@ func main() {
 	// the HTTP response status code will differ for in-mesh requests.
 	//
 	// Expected response code when bookthief tries to buy books from the bookstore:
-	// 1. With SMI policies: 404
+	// 1. With SMI policies: 0
 	// 2. With permissive traffic policy: 200
 	//
 	// When it tries to make an egress request, we expect a 200 response with egress enabled and a 404 response with egress disabled.

diff --git a/demo/deploy-bookthief.sh b/demo/deploy-bookthief.sh
@@ -6,7 +6,7 @@ set -aueo pipefail
 source .env
 
 BOOKSTORE_SVC="${BOOKSTORE_SVC:-bookstore}"
-BOOKTHIEF_EXPECTED_RESPONSE_CODE="${BOOKTHIEF_EXPECTED_RESPONSE_CODE:-404}"
+BOOKTHIEF_EXPECTED_RESPONSE_CODE="${BOOKTHIEF_EXPECTED_RESPONSE_CODE:-0}"
 CI_MAX_ITERATIONS_THRESHOLD="${CI_MAX_ITERATIONS_THRESHOLD:-0}"
 CI_CLIENT_CONCURRENT_CONNECTIONS="${CI_CLIENT_CONCURRENT_CONNECTIONS:-1}"
 ENABLE_EGRESS="${ENABLE_EGRESS:-false}"

diff --git a/go.mod b/go.mod
@@ -37,6 +37,7 @@ require (
 	golang.org/x/lint v0.0.0-20200302205851-738671d3881b // indirect
 	golang.org/x/tools v0.0.0-20200911183043-b43031a33b24 // indirect
 	google.golang.org/grpc v1.27.0
+	google.golang.org/protobuf v1.23.0
 	gopkg.in/yaml.v2 v2.3.0
 	helm.sh/helm/v3 v3.2.0
 	k8s.io/api v0.18.5

diff --git a/pkg/catalog/mock_catalog.go b/pkg/catalog/mock_catalog.go
diff --git a/pkg/envoy/ads/response_test.go b/pkg/envoy/ads/response_test.go
@@ -116,6 +116,7 @@ var _ = Describe("Test ADS response functions", func() {
 		mockConfigurator.EXPECT().IsEgressEnabled().Return(false).AnyTimes()
 		mockConfigurator.EXPECT().IsPrometheusScrapingEnabled().Return(false).AnyTimes()
 		mockConfigurator.EXPECT().IsTracingEnabled().Return(false).AnyTimes()
+		mockConfigurator.EXPECT().IsPermissiveTrafficPolicyMode().Return(false).AnyTimes()
 
 		It("returns Aggregated Discovery Service response", func() {
 			s := NewADSServer(mc, true, tests.Namespace, mockConfigurator)

diff --git a/pkg/envoy/lds/errors.go b/pkg/envoy/lds/errors.go
@@ -3,5 +3,5 @@ package lds
 import "github.com/pkg/errors"
 
 var (
-	errInvalidCIDRRange = errors.New("invalid CIDR range")
+	errNoValidTargetEndpoints = errors.New("No valid resolvable addresses")
 )