Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(meshpassthrough): generate separate filter chain when ip/cidr fo… #12054

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

fix(meshpassthrough): generate separate filter chain when ip/cidr fo… #12054

wants to merge 11 commits into from
+1,982 −556

Conversation

lukidzi
Copy link
Contributor

@lukidzi lukidzi commented Nov 14, 2024
edited
Loading

Motivation

While testing the policy, we noticed some unexpected behavior:

  • When a CIDR and protocol HTTP were defined, proper outbounds were not generated.
  • When the protocol was HTTP, the matcher was missing the port.
  • Ordering was incorrect when protocols within the same group (HTTP/HTTP2/gRPC) were used.

Implementation information

  • Updated the logic to create individual FilterChainMatch structures, aligning with Envoy's filter chain matcher parameters.
  • Added routes exclusively for HTTP matching with domains, as they need to be placed in virtual hosts.
  • Resolved the issue where the port matcher was missing for HTTP.
  • Fixed the problem where the combination of protocol HTTP and CIDR did not generate correct routes.
  • Corrected the ordering by introducing an order map for protocols, ensuring that more specific routes are not placed at the end for HTTP/HTTP2/gRPC protocols.

Supporting documentation

Fix #12052

@lukidzi lukidzi requested a review from a team as a code owner November 14, 2024 20:35
@lukidzi lukidzi requested review from michaelbeaumont and Icarus9913 and removed request for a team November 14, 2024 20:35
@lukidzi lukidzi marked this pull request as draft November 14, 2024 20:36
@lukidzi lukidzi marked this pull request as ready for review November 15, 2024 15:47
@lukidzi lukidzi requested review from a team, michaelbeaumont and Icarus9913 and removed request for a team November 15, 2024 17:21
@jakubdyszkiewicz
Copy link
Contributor

You mentioned 3 issues being solved by this PR, but I don't see any new tests, only updates to existing golden files and output changes. Are those issues covered by existing tests?
If so, how did we not catch it before? (no blaming here) Were golden files too complex to analyze?

@jakubdyszkiewicz
Copy link
Contributor

as for backporting. It's a significant change, but it's scoped to MeshPasshtrough so I'm ok with backporting it.

@lukidzi
Copy link
Contributor Author

lukidzi commented Nov 25, 2024

You mentioned 3 issues being solved by this PR, but I don't see any new tests, only updates to existing golden files and output changes. Are those issues covered by existing tests? If so, how did we not catch it before? (no blaming here) Were golden files too complex to analyze?

I think 2 main things

  • complex dump
  • not enough edge cases

The problem is that if the configuration is small we cannot hit some route aggregation/protocol ordering, but when is too big we might miss something. Maybe more targeted test cases could help here

@lukidzi
review
95a7155 
Signed-off-by: Lukasz Dziedziak <[email protected]>
@Icarus9913
Copy link
Contributor

Another edge case, in which network request to 10.42.0.7:80 was captured by the MeshPassthough policy one:

apiVersion: kuma.io/v1alpha1
kind: MeshPassthrough
metadata:
  name: one
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  default:
    passthroughMode: Matched
    appendMatch:
      - port: 80
        protocol: http
        type: Domain
        value: "www.gmail.com"
---
apiVersion: kuma.io/v1alpha1
kind: MeshPassthrough
metadata:
  name: two
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
    proxyTypes:
      - Sidecar
  default:
    passthroughMode: Matched
    appendMatch:
      - protocol: http
        type: IP
        value: "10.42.0.8"

@Icarus9913 Icarus9913 mentioned this pull request Nov 27, 2024
Open
@lukidzi
small order fix
3accf4e 
Signed-off-by: Lukasz Dziedziak <[email protected]>
@lukidzi
fix
b810b88 
Signed-off-by: Lukasz Dziedziak <[email protected]>
@lahabana
Copy link
Contributor

lahabana commented Nov 28, 2024
edited
Loading

Do we have a test case that covers the case: #12054 (comment) ?

@lukidzi
Copy link
Contributor Author

lukidzi commented Nov 28, 2024

Do we have a test case that covers the case: #12054 (comment) ?

Yes, I split the big test case into smaller ones for readability

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelbeaumont michaelbeaumont Awaiting requested review from michaelbeaumont michaelbeaumont is a code owner automatically assigned from kumahq/kuma-maintainers

@jakubdyszkiewicz jakubdyszkiewicz Awaiting requested review from jakubdyszkiewicz

@Icarus9913 Icarus9913 Awaiting requested review from Icarus9913

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

MeshPassthrough doesnt work correctly when CIDR and protocol HTTP
4 participants
@lukidzi @jakubdyszkiewicz @Icarus9913 @lahabana