Merge branch 'izturn-feat/extproc' into sesame-main

Makefile

@@ -53,7 +53,8 @@ BUILD_CGO_ENABLED ?= 0
 BUILD_GOPRIVATE ?= ""
 
 # Go module mirror to use.
-BUILD_GOPROXY ?= https://proxy.golang.org
+#BUILD_GOPROXY ?= https://proxy.golang.org
+BUILD_GOPROXY ?= https://goproxy.cn
 
 # Checksum db to use.
 BUILD_GOSUMDB ?= sum.golang.org
@@ -124,9 +125,8 @@ race:
 download: ## Download Go modules
 	go mod download
 
-multiarch-build: ## Build and optionally push a multi-arch Contour container image to the Docker registry
-	@mkdir -p $(shell pwd)/image
-	docker buildx build $(IMAGE_RESULT_FLAG) \
+multiarch-build:
+	docker buildx build \
 		--platform $(IMAGE_PLATFORMS) \
 		--build-arg "BUILD_GOPRIVATE=$(BUILD_GOPRIVATE)" \
 		--build-arg "BUILD_GOPROXY=$(BUILD_GOPROXY)" \
@@ -138,9 +138,11 @@ multiarch-build: ## Build and optionally push a multi-arch Contour container ima
 		--build-arg "BUILD_CGO_ENABLED=$(BUILD_CGO_ENABLED)" \
 		--build-arg "BUILD_EXTRA_GO_LDFLAGS=$(BUILD_EXTRA_GO_LDFLAGS)" \
 		--build-arg "BUILD_GOEXPERIMENT=$(BUILD_GOEXPERIMENT)" \
+		--label "commit.sync.upstream=23a029" \
 		$(DOCKER_BUILD_LABELS) \
-		$(IMAGE_TAGS) \
-		$(shell pwd)
+		-t release-ci.daocloud.io/skoala/contour:v1.28.1-23a029  \
+		$(shell pwd) \
+		--push
 
 container: ## Build the Contour container image
 	docker build \

apis/projectcontour/v1/helpers.go

@@ -53,16 +53,17 @@ func (v *VirtualHost) AuthorizationContext() map[string]string {
 // ExtProcConfigured returns whether external processing are
 // configured on this virtual host.
 func (v *VirtualHost) ExtProcConfigured() bool {
-	if v.ExternalProcessor == nil {
-		return false
-	}
+	return v.ExtProc.Processor != nil
+}
 
-	for _, proc := range v.ExternalProcessor.Processors {
-		if !proc.Disabled {
-			return true
-		}
+// ExtProcDisabled returns true if this virtual host disables
+// external processing explicit. If an external processor is present, the default
+// policy is to not disable.
+func (v *VirtualHost) ExtProcDisabled() bool {
+	if v.ExtProc == nil {
+		return false
 	}
-	return false
+	return v.ExtProc.Disabled
 }
 
 // GetPrefixReplacements returns replacement prefixes from the path

apis/projectcontour/v1/httpproxy.go

@@ -472,54 +472,10 @@ type GRPCService struct {
 	FailOpen bool `json:"failOpen,omitempty"`
 }
 
-// ProcessingPhase define the phase in the filter chain where the external processing filter will be injected
-type ProcessingPhase string
-
-const (
-	// DefaultPhase decides insert the external processing service at the end of the filter chain, right before the Router.
-	//
-	// **NOTE: if not specify, default to DefaultPhase
-	DefaultPhase ProcessingPhase = "DefaultPhase"
-
-	// Insert before contour authentication filter(s).
-	AuthN ProcessingPhase = "AuthN"
-
-	// Insert  before contour authorization filter(s) and after the authentication filter(s).
-	AuthZ ProcessingPhase = "AuthZ"
-
-	// Insert  before contour CORS filter(s).
-	CORS ProcessingPhase = "CORS"
-
-	// Insert  before contour RateLimit.
-	RateLimit ProcessingPhase = "RateLimit"
-)
-
 // ExtProc defines the envoy External Processing filter which allows an external service to act on HTTP traffic in a flexible way
 // The external server must implement the v3 Envoy external processing GRPC protocol
 // (https://www.envoyproxy.io/docs/envoy/v1.27.0/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto).
 type ExtProc struct {
-	// Unique name for the external processor.
-	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:MinLength=1
-	Name string `json:"name"`
-
-	// When true, this external processor will not be added to the listener's filter chain
-	//
-	// +optional
-	Disabled bool `json:"disabled,omitempty"`
-
-	// Phase determines where in the filter chain this extProc is to be injected.
-	//
-	// +optional
-	Phase ProcessingPhase `json:"phase,omitempty"`
-
-	// Priority determines ordering of processing filters in the same phase. When multiple extProc are applied to the same workload in the same phase,
-	// they will be applied by priority, in descending order, If priority is not set or two extProc exist with the same value,
-	// they will follow the order in which extProc(s) are added, Defaults to 0.
-	//
-	// +optional
-	Priority int32 `json:"priority,omitempty"`
-
 	// GRPCService configure the gRPC service that the filter will communicate with.
 	//
 	// +optional
@@ -555,24 +511,29 @@ type ExtProcOverride struct {
 
 // ExternalProcessor defines a processing filter list and the policy for fine-grained at VirutalHost and/or Route level.
 type ExternalProcessor struct {
-	// Processors defines a processing filter list,and each filter in the list
+	// Processor defines a processing filter list,and each filter in the list
 	// will be added to the corresponding processing Priority in ascending order of it's Priority within the same phase.
 	// If no phase is specified, it will be added before the Router.
 	// If no Priority is specified, the filters will be added in the order they appear in the list.
 	//
 	// +optional
-	Processors []ExtProc `json:"processors,omitempty"`
+	Processor *ExtProc `json:"processor,omitempty"`
+
+	// When true, this field disables the external processor: (neither global nor virtualHost)
+	// for the scope of the policy.
+	//
+	// if both Disabled and Processor are set. use disabled.
+	//
+	// it just work for virtualhost
+	// +optional
+	Disabled bool `json:"disabled,omitempty"`
 }
 
 // ExtProcPolicy modifies how requests/responses are operated.
 type ExtProcPolicy struct {
-	// The name of the external processor being overrided.
-	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:MinLength=1
-	Name string `json:"name"`
-
 	// When true, this field disables the specific client request external processor
 	// for the scope of the policy.
+	//
 	// if both disabled and overrides are set. use disabled.
 	//
 	// +optional
@@ -632,11 +593,11 @@ type VirtualHost struct {
 	// The rules defined here may be overridden in a Route.
 	IPDenyFilterPolicy []IPFilterPolicy `json:"ipDenyPolicy,omitempty"`
 
-	// ExternalProcessor contains a list of external processors which allow to act on HTTP traffic in a flexible way
+	// ExtProc which allow to act on HTTP traffic in a flexible way
 	// and the policy for fine-grained at VirtualHost level.
 	//
 	// +optional
-	ExternalProcessor *ExternalProcessor `json:"extProc,omitempty"`
+	ExtProc *ExternalProcessor `json:"extProc,omitempty"`
 }
 
 // JWTProvider defines how to verify JWTs on requests.
@@ -905,11 +866,11 @@ type Route struct {
 	// The rules defined here override any rules set on the root HTTPProxy.
 	IPDenyFilterPolicy []IPFilterPolicy `json:"ipDenyPolicy,omitempty"`
 
-	// ExtProcPolicies updates the external processing policy/policies that were set
+	// ExtProcPolicy updates the external processing policy that were set
 	// on the root HTTPProxy object for client requests/responses
 	//
 	// +optional
-	ExtProcPolicies []ExtProcPolicy `json:"extProcPolicies,omitempty"`
+	ExtProcPolicy *ExtProcPolicy `json:"extProcPolicy,omitempty"`
 }
 
 type JWTVerificationPolicy struct {

apis/projectcontour/v1alpha1/contourconfig.go

@@ -96,6 +96,10 @@ type ContourConfigurationSpec struct {
 	// If defined, this will be used as the default for all services.
 	// +optional
 	GlobalOutlierDetection *contour_v1.OutlierDetection `json:"outlierDetection,omitempty"`
+	// GlobalExtProc allows envoys external processing filter
+	// to be enabled for all virtual hosts.
+	// +optional
+	GlobalExtProc *contour_v1.ExternalProcessor `json:"globalExtProc,omitempty"`
 }
 
 // FeatureFlags defines the set of feature flags

cmd/contour/serve.go

@@ -482,6 +482,10 @@ func (s *Server) doServe() error {
 		return err
 	}
 
+	if listenerConfig.GlobalExtProcConfig, err = s.setupGlobalExtProc(contourConfiguration); err != nil {
+		return err
+	}
+
 	contourMetrics := metrics.NewMetrics(s.registry)
 
 	// Endpoints updates are handled directly by the EndpointsTranslator/EndpointSliceTranslator due to the high update volume.
@@ -572,6 +576,7 @@ func (s *Server) doServe() error {
 		globalRateLimitService:             contourConfiguration.RateLimitService,
 		maxRequestsPerConnection:           contourConfiguration.Envoy.Cluster.MaxRequestsPerConnection,
 		perConnectionBufferLimitBytes:      contourConfiguration.Envoy.Cluster.PerConnectionBufferLimitBytes,
+		globalExtProc:                      contourConfiguration.GlobalExtProc,
 		globalCircuitBreakerDefaults:       contourConfiguration.Envoy.Cluster.GlobalCircuitBreakerDefaults,
 		upstreamTLS: &dag.UpstreamTLS{
 			MinimumProtocolVersion: annotation.TLSVersion(contourConfiguration.Envoy.Cluster.UpstreamTLS.MinimumProtocolVersion, "1.2"),
@@ -886,6 +891,26 @@ func (s *Server) setupGlobalExternalAuthentication(contourConfiguration contour_
 	return globalExternalAuthConfig, nil
 }
 
+func (s *Server) setupGlobalExtProc(contourCfg contour_v1alpha1.ContourConfigurationSpec) (*xdscache_v3.GlobalExtProcConfig, error) {
+	if contourCfg.GlobalExtProc == nil || contourCfg.GlobalExtProc.Processor == nil || contourCfg.GlobalExtProc.Processor.GRPCService == nil {
+		return nil, nil
+	}
+
+	grpcSvc := contourCfg.GlobalExtProc.Processor.GRPCService
+
+	// ensure the specified ExtensionService exists
+	extSvcCfg, err := s.getExtensionSvcConfig(grpcSvc.ExtensionServiceRef.Name, grpcSvc.ExtensionServiceRef.Namespace)
+	if err != nil {
+		return nil, err
+	}
+	return &xdscache_v3.GlobalExtProcConfig{
+		ExtensionServiceConfig: extSvcCfg,
+		FailOpen:               grpcSvc.FailOpen,
+		ProcessingMode:         contourCfg.GlobalExtProc.Processor.ProcessingMode,
+		MutationRules:          contourCfg.GlobalExtProc.Processor.MutationRules,
+	}, nil
+}
+
 func (s *Server) setupDebugService(debugConfig contour_v1alpha1.DebugConfig, builder *dag.Builder) error {
 	debugsvc := &debug.Service{
 		Service: httpsvc.Service{
@@ -1065,6 +1090,7 @@ type dagBuilderConfig struct {
 	maxRequestsPerConnection           *uint32
 	perConnectionBufferLimitBytes      *uint32
 	globalRateLimitService             *contour_v1alpha1.RateLimitServiceConfig
+	globalExtProc                      *contour_v1.ExternalProcessor
 	globalCircuitBreakerDefaults       *contour_v1alpha1.GlobalCircuitBreakerDefaults
 	upstreamTLS                        *dag.UpstreamTLS
 	enableStatPrefix                   bool
@@ -1164,6 +1190,7 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder {
 			GlobalRateLimitService:        dbc.globalRateLimitService,
 			PerConnectionBufferLimitBytes: dbc.perConnectionBufferLimitBytes,
 			SetSourceMetadataOnRoutes:     true,
+			GlobalExtProc:                 dbc.globalExtProc,
 			GlobalCircuitBreakerDefaults:  dbc.globalCircuitBreakerDefaults,
 			UpstreamTLS:                   dbc.upstreamTLS,
 			EnableStatPrefix:              dbc.enableStatPrefix,