projectcontour · sunjayBhatia · Jan 29, 2024 · Jan 26, 2024 · Jan 26, 2024 · skriss
@@ -0,0 +1 @@
+Updates HTTP filter names to match between the HTTP connection manager and per-filter config on virtual hosts/routes, and to use canonical names.
@@ -153,6 +153,19 @@ func Listener(name, address string, port int, perConnectionBufferLimitBytes *uin
 	return l
 }
 
+const (
+	CORSFilterName            string = "envoy.filters.http.cors"
+	LocalRateLimitFilterName  string = "envoy.filters.http.local_ratelimit"
+	GlobalRateLimitFilterName string = "envoy.filters.http.ratelimit"
+	RBACFilterName            string = "envoy.filters.http.rbac"
+	ExtAuthzFilterName        string = "envoy.filters.http.ext_authz"
+	JWTAuthnFilterName        string = "envoy.filters.http.jwt_authn"
+	LuaFilterName             string = "envoy.filters.http.lua"
+	CompressorFilterName      string = "envoy.filters.http.compressor"
+	GRPCWebFilterName         string = "envoy.filters.http.grpc_web"
+	GRPCStatsFilterName       string = "envoy.filters.http.grpc_stats"
+)
+
 type httpConnectionManagerBuilder struct {
 	routeConfigName               string
 	metricsPrefix                 string
@@ -296,7 +309,7 @@ func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBu
 	// identified by the TypeURL of each filter.
 	b.filters = append(b.filters,
 		&http.HttpFilter{
-			Name: "compressor",
+			Name: CompressorFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(&envoy_compressor_v3.Compressor{
 					CompressorLibrary: &envoy_core_v3.TypedExtensionConfig{
@@ -323,13 +336,13 @@ func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBu
 			},
 		},
 		&http.HttpFilter{
-			Name: "grpcweb",
+			Name: GRPCWebFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(&envoy_grpc_web_v3.GrpcWeb{}),
 			},
 		},
 		&http.HttpFilter{
-			Name: "grpc_stats",
+			Name: GRPCStatsFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(
 					&envoy_config_filter_http_grpc_stats_v3.FilterConfig{
@@ -340,13 +353,13 @@ func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBu
 			},
 		},
 		&http.HttpFilter{
-			Name: "cors",
+			Name: CORSFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(&envoy_cors_v3.Cors{}),
 			},
 		},
 		&http.HttpFilter{
-			Name: "local_ratelimit",
+			Name: LocalRateLimitFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(
 					&envoy_config_filter_http_local_ratelimit_v3.LocalRateLimit{
@@ -358,7 +371,7 @@ func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBu
 			},
 		},
 		&http.HttpFilter{
-			Name: "envoy.filters.http.lua",
+			Name: LuaFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(&lua.Lua{
 					DefaultSourceCode: &envoy_core_v3.DataSource{
@@ -370,7 +383,7 @@ func (b *httpConnectionManagerBuilder) DefaultFilters() *httpConnectionManagerBu
 			},
 		},
 		&http.HttpFilter{
-			Name: "envoy.filters.http.rbac",
+			Name: RBACFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(&envoy_rbac_v3.RBAC{}),
 			},
@@ -761,7 +774,7 @@ end
 	`
 
 	return &http.HttpFilter{
-		Name: "envoy.filters.http.lua",
+		Name: LuaFilterName,
 		ConfigType: &http.HttpFilter_TypedConfig{
 			TypedConfig: protobuf.MustMarshalAny(&lua.Lua{
 				DefaultSourceCode: &envoy_core_v3.DataSource{
@@ -805,7 +818,7 @@ func FilterExternalAuthz(externalAuthorization *dag.ExternalAuthorization) *http
 	}
 
 	return &http.HttpFilter{
-		Name: "envoy.filters.http.ext_authz",
+		Name: ExtAuthzFilterName,
 		ConfigType: &http.HttpFilter_TypedConfig{
 			TypedConfig: protobuf.MustMarshalAny(&authConfig),
 		},
@@ -863,7 +876,7 @@ func FilterJWTAuthN(jwtProviders []dag.JWTProvider) *http.HttpFilter {
 	}
 
 	return &http.HttpFilter{
-		Name: "envoy.filters.http.jwt_authn",
+		Name: JWTAuthnFilterName,
 		ConfigType: &http.HttpFilter_TypedConfig{
 			TypedConfig: protobuf.MustMarshalAny(&jwtConfig),
 		},

@@ -567,7 +567,7 @@ func TestDownstreamTLSContext(t *testing.T) {
 func TestHTTPConnectionManager(t *testing.T) {
 	defaultHTTPFilters := []*http.HttpFilter{
 		{
-			Name: "compressor",
+			Name: CompressorFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(&envoy_compressor_v3.Compressor{
 					CompressorLibrary: &envoy_core_v3.TypedExtensionConfig{
@@ -584,12 +584,12 @@ func TestHTTPConnectionManager(t *testing.T) {
 				}),
 			},
 		}, {
-			Name: "grpcweb",
+			Name: GRPCWebFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(&envoy_grpc_web_v3.GrpcWeb{}),
 			},
 		}, {
-			Name: "grpc_stats",
+			Name: GRPCStatsFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(
 					&envoy_config_filter_http_grpc_stats_v3.FilterConfig{
@@ -599,12 +599,12 @@ func TestHTTPConnectionManager(t *testing.T) {
 				),
 			},
 		}, {
-			Name: "cors",
+			Name: CORSFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(&envoy_cors_v3.Cors{}),
 			},
 		}, {
-			Name: "local_ratelimit",
+			Name: LocalRateLimitFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(
 					&envoy_config_filter_http_local_ratelimit_v3.LocalRateLimit{
@@ -613,7 +613,7 @@ func TestHTTPConnectionManager(t *testing.T) {
 				),
 			},
 		}, {
-			Name: "envoy.filters.http.lua",
+			Name: LuaFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(&lua.Lua{
 					DefaultSourceCode: &envoy_core_v3.DataSource{
@@ -624,7 +624,7 @@ func TestHTTPConnectionManager(t *testing.T) {
 				}),
 			},
 		}, {
-			Name: "envoy.filters.http.rbac",
+			Name: RBACFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(&envoy_rbac_v3.RBAC{}),
 			},
@@ -1744,20 +1744,20 @@ func TestAddFilter(t *testing.T) {
 		},
 	}
 	grpcWebFilter := &http.HttpFilter{
-		Name: "grpcweb",
+		Name: GRPCWebFilterName,
 		ConfigType: &http.HttpFilter_TypedConfig{
 			TypedConfig: protobuf.MustMarshalAny(&envoy_grpc_web_v3.GrpcWeb{}),
 		},
 	}
 	corsFilter := &http.HttpFilter{
-		Name: "cors",
+		Name: CORSFilterName,
 		ConfigType: &http.HttpFilter_TypedConfig{
 			TypedConfig: protobuf.MustMarshalAny(&envoy_cors_v3.Cors{}),
 		},
 	}
 
 	grpcStatsFilter := &http.HttpFilter{
-		Name: "grpc_stats",
+		Name: GRPCStatsFilterName,
 		ConfigType: &http.HttpFilter_TypedConfig{
 			TypedConfig: protobuf.MustMarshalAny(
 				&envoy_config_filter_http_grpc_stats_v3.FilterConfig{
@@ -1768,7 +1768,7 @@ func TestAddFilter(t *testing.T) {
 		},
 	}
 	luaFilter := &http.HttpFilter{
-		Name: "envoy.filters.http.lua",
+		Name: LuaFilterName,
 		ConfigType: &http.HttpFilter_TypedConfig{
 			TypedConfig: protobuf.MustMarshalAny(&lua.Lua{
 				DefaultSourceCode: &envoy_core_v3.DataSource{
@@ -1780,14 +1780,14 @@ func TestAddFilter(t *testing.T) {
 		},
 	}
 	rbacFilter := &http.HttpFilter{
-		Name: "envoy.filters.http.rbac",
+		Name: RBACFilterName,
 		ConfigType: &http.HttpFilter_TypedConfig{
 			TypedConfig: protobuf.MustMarshalAny(&envoy_rbac_v3.RBAC{}),
 		},
 	}
 
 	localRateLimitFilter := &http.HttpFilter{
-		Name: "local_ratelimit",
+		Name: LocalRateLimitFilterName,
 		ConfigType: &http.HttpFilter_TypedConfig{
 			TypedConfig: protobuf.MustMarshalAny(
 				&envoy_config_filter_http_local_ratelimit_v3.LocalRateLimit{
@@ -1798,7 +1798,7 @@ func TestAddFilter(t *testing.T) {
 	}
 
 	compressFilter := &http.HttpFilter{
-		Name: "compressor",
+		Name: CompressorFilterName,
 		ConfigType: &http.HttpFilter_TypedConfig{
 			TypedConfig: protobuf.MustMarshalAny(&envoy_compressor_v3.Compressor{
 				CompressorLibrary: &envoy_core_v3.TypedExtensionConfig{

@@ -57,13 +57,13 @@
 		if evh.TypedPerFilterConfig == nil {
 			evh.TypedPerFilterConfig = map[string]*anypb.Any{}
 		}
-		evh.TypedPerFilterConfig["envoy.filters.http.cors"] = protobuf.MustMarshalAny(corsPolicy(vh.CORSPolicy))
+		evh.TypedPerFilterConfig[CORSFilterName] = protobuf.MustMarshalAny(corsPolicy(vh.CORSPolicy))
 	}
 	if vh.RateLimitPolicy != nil && vh.RateLimitPolicy.Local != nil {
 		if evh.TypedPerFilterConfig == nil {
 			evh.TypedPerFilterConfig = map[string]*anypb.Any{}
 		}
-		evh.TypedPerFilterConfig["envoy.filters.http.local_ratelimit"] = LocalRateLimitConfig(vh.RateLimitPolicy.Local, "vhost."+vh.Name)
+		evh.TypedPerFilterConfig[LocalRateLimitFilterName] = LocalRateLimitConfig(vh.RateLimitPolicy.Local, "vhost."+vh.Name)
 	}
 
 	if vh.RateLimitPolicy != nil && vh.RateLimitPolicy.Global != nil {
@@ -74,7 +74,7 @@
 		if evh.TypedPerFilterConfig == nil {
 			evh.TypedPerFilterConfig = map[string]*anypb.Any{}
 		}
-		evh.TypedPerFilterConfig["envoy.filters.http.rbac"] = protobuf.MustMarshalAny(
+		evh.TypedPerFilterConfig[RBACFilterName] = protobuf.MustMarshalAny(
 			ipFilterConfig(vh.IPFilterAllow, vh.IPFilterRules),
 		)
 	}
@@ -142,32 +142,32 @@
 
 		// Apply per-route local rate limit policy.
 		if dagRoute.RateLimitPolicy != nil && dagRoute.RateLimitPolicy.Local != nil {
-			route.TypedPerFilterConfig["envoy.filters.http.local_ratelimit"] = LocalRateLimitConfig(dagRoute.RateLimitPolicy.Local, "vhost."+vhostName)
+			route.TypedPerFilterConfig[LocalRateLimitFilterName] = LocalRateLimitConfig(dagRoute.RateLimitPolicy.Local, "vhost."+vhostName)
 		}
 
 		if dagRoute.RateLimitPerRoute != nil {
-			route.TypedPerFilterConfig["envoy.filters.http.ratelimit"] = rateLimitPerRoute(dagRoute.RateLimitPerRoute)
+			route.TypedPerFilterConfig[GlobalRateLimitFilterName] = rateLimitPerRoute(dagRoute.RateLimitPerRoute)
 		}
 
 		// Apply per-route authorization policy modifications.
 		if dagRoute.AuthDisabled {
-			route.TypedPerFilterConfig["envoy.filters.http.ext_authz"] = routeAuthzDisabled()
+			route.TypedPerFilterConfig[ExtAuthzFilterName] = routeAuthzDisabled()
 		} else if len(dagRoute.AuthContext) > 0 {
-			route.TypedPerFilterConfig["envoy.filters.http.ext_authz"] = routeAuthzContext(dagRoute.AuthContext)
+			route.TypedPerFilterConfig[ExtAuthzFilterName] = routeAuthzContext(dagRoute.AuthContext)
 		}
 
 		// If JWT verification is enabled, add per-route filter
 		// config referencing a requirement in the main filter
 		// config.
 		if len(dagRoute.JWTProvider) > 0 {
-			route.TypedPerFilterConfig["envoy.filters.http.jwt_authn"] = protobuf.MustMarshalAny(&envoy_jwt_v3.PerRouteConfig{
+			route.TypedPerFilterConfig[JWTAuthnFilterName] = protobuf.MustMarshalAny(&envoy_jwt_v3.PerRouteConfig{
 				RequirementSpecifier: &envoy_jwt_v3.PerRouteConfig_RequirementName{RequirementName: dagRoute.JWTProvider},
 			})
 		}
 
 		// If IP filtering is enabled, add per-route filtering
 		if len(dagRoute.IPFilterRules) > 0 {
-			route.TypedPerFilterConfig["envoy.filters.http.rbac"] = protobuf.MustMarshalAny(
+			route.TypedPerFilterConfig[RBACFilterName] = protobuf.MustMarshalAny(
 				ipFilterConfig(dagRoute.IPFilterAllow, dagRoute.IPFilterRules),
 			)
 		}
@@ -638,7 +638,7 @@
 			if c.TypedPerFilterConfig == nil {
 				c.TypedPerFilterConfig = map[string]*anypb.Any{}
 			}
-			c.TypedPerFilterConfig["envoy.filters.http.lua"] = cookieRewriteConfig(route.CookieRewritePolicies, cluster.CookieRewritePolicies)
+			c.TypedPerFilterConfig[LuaFilterName] = cookieRewriteConfig(route.CookieRewritePolicies, cluster.CookieRewritePolicies)
 		}
 		wc.Clusters = append(wc.Clusters, c)
 	}
@@ -667,7 +667,7 @@
 	vh := VirtualHost(hostname, routes...)
 	if corspolicy != nil {
 		vh.TypedPerFilterConfig = map[string]*anypb.Any{
-			"envoy.filters.http.cors": protobuf.MustMarshalAny(corspolicy),
+			CORSFilterName: protobuf.MustMarshalAny(corspolicy),
 		}
 	}
 	return vh

@@ -1254,7 +1254,7 @@ func TestCORSVirtualHost(t *testing.T) {
 				Name:    "www.example.com",
 				Domains: []string{"www.example.com"},
 				TypedPerFilterConfig: map[string]*anypb.Any{
-					"envoy.filters.http.cors": protobuf.MustMarshalAny(&envoy_cors_v3.CorsPolicy{
+					CORSFilterName: protobuf.MustMarshalAny(&envoy_cors_v3.CorsPolicy{
 						AllowOriginStringMatch: []*matcher.StringMatcher{
 							{
 								MatchPattern: &matcher.StringMatcher_Exact{

@@ -266,7 +266,7 @@ func authzOverrideDisabled(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 	// same authorization enablement as the root proxy, and
 	// the other path should have the opposite enablement.
 
-	disabledConfig := withFilterConfig("envoy.filters.http.ext_authz",
+	disabledConfig := withFilterConfig(envoy_v3.ExtAuthzFilterName,
 		&envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute{
 			Override: &envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute_Disabled{
 				Disabled: true,
@@ -390,7 +390,7 @@ func authzMergeRouteContext(t *testing.T, rh ResourceEventHandlerWrapper, c *Con
 					&envoy_route_v3.Route{
 						Match:  routePrefix("/"),
 						Action: routeCluster("default/app-server/80/da39a3ee5e"),
-						TypedPerFilterConfig: withFilterConfig("envoy.filters.http.ext_authz",
+						TypedPerFilterConfig: withFilterConfig(envoy_v3.ExtAuthzFilterName,
 							&envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute{
 								Override: &envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute_CheckSettings{
 									CheckSettings: &envoy_config_filter_http_ext_authz_v3.CheckSettings{

@@ -514,7 +514,7 @@ func authzFilterFor(
 		AddFilter(envoy_v3.FilterMisdirectedRequests(vhost)).
 		DefaultFilters().
 		AddFilter(&http.HttpFilter{
-			Name: "envoy.filters.http.ext_authz",
+			Name: envoy_v3.ExtAuthzFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(authz),
 			},
@@ -533,7 +533,7 @@ func jwtAuthnFilterFor(
 		AddFilter(envoy_v3.FilterMisdirectedRequests(vhost)).
 		DefaultFilters().
 		AddFilter(&http.HttpFilter{
-			Name: "envoy.filters.http.jwt_authn",
+			Name: envoy_v3.JWTAuthnFilterName,
 			ConfigType: &http.HttpFilter_TypedConfig{
 				TypedConfig: protobuf.MustMarshalAny(jwt),
 			},

@@ -254,7 +254,7 @@ func globalExternalAuthorizationWithMergedAuthPolicy(t *testing.T, rh ResourceEv
 						Match:  routePrefix("/"),
 						Action: routeCluster("default/s1/80/da39a3ee5e"),
 						TypedPerFilterConfig: map[string]*anypb.Any{
-							"envoy.filters.http.ext_authz": protobuf.MustMarshalAny(
+							envoy_v3.ExtAuthzFilterName: protobuf.MustMarshalAny(
 								&envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute{
 									Override: &envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute_CheckSettings{
 										CheckSettings: &envoy_config_filter_http_ext_authz_v3.CheckSettings{
@@ -355,7 +355,7 @@ func globalExternalAuthorizationWithMergedAuthPolicyTLS(t *testing.T, rh Resourc
 						Match:  routePrefix("/"),
 						Action: routeCluster("default/s1/80/da39a3ee5e"),
 						TypedPerFilterConfig: map[string]*anypb.Any{
-							"envoy.filters.http.ext_authz": protobuf.MustMarshalAny(
+							envoy_v3.ExtAuthzFilterName: protobuf.MustMarshalAny(
 								&envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute{
 									Override: &envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute_CheckSettings{
 										CheckSettings: &envoy_config_filter_http_ext_authz_v3.CheckSettings{

@@ -69,7 +69,7 @@ func TestIPFilterPolicy(t *testing.T) {
 					Match:  routePrefix("/"),
 					Action: routeCluster("default/backend/80/da39a3ee5e"),
 				},
-			), withFilterConfig("envoy.filters.http.rbac", &envoy_rbac_v3.RBACPerRoute{Rbac: &envoy_rbac_v3.RBAC{
+			), withFilterConfig(envoy_v3.RBACFilterName, &envoy_rbac_v3.RBACPerRoute{Rbac: &envoy_rbac_v3.RBAC{
 				Rules: &envoy_config_rbac_v3.RBAC{
 					Action: envoy_config_rbac_v3.RBAC_ALLOW,
 					Policies: map[string]*envoy_config_rbac_v3.Policy{
@@ -131,7 +131,7 @@ func TestIPFilterPolicy(t *testing.T) {
 				&envoy_route_v3.Route{
 					Match:  routePrefix("/"),
 					Action: routeCluster("default/backend/80/da39a3ee5e"),
-					TypedPerFilterConfig: withFilterConfig("envoy.filters.http.rbac", &envoy_rbac_v3.RBACPerRoute{
+					TypedPerFilterConfig: withFilterConfig(envoy_v3.RBACFilterName, &envoy_rbac_v3.RBACPerRoute{
 						Rbac: &envoy_rbac_v3.RBAC{
 							Rules: &envoy_config_rbac_v3.RBAC{
 								Action: envoy_config_rbac_v3.RBAC_DENY,
@@ -156,7 +156,7 @@ func TestIPFilterPolicy(t *testing.T) {
 						},
 					}),
 				},
-			), withFilterConfig("envoy.filters.http.rbac", &envoy_rbac_v3.RBACPerRoute{Rbac: &envoy_rbac_v3.RBAC{
+			), withFilterConfig(envoy_v3.RBACFilterName, &envoy_rbac_v3.RBACPerRoute{Rbac: &envoy_rbac_v3.RBAC{
 				Rules: &envoy_config_rbac_v3.RBAC{
 					Action: envoy_config_rbac_v3.RBAC_ALLOW,
 					Policies: map[string]*envoy_config_rbac_v3.Policy{
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Updates HTTP filter names to match between the HTTP connection manager and per-filter config on virtual hosts/routes, and to use canonical names.