fix auto http config with proxy protocol (#7439)

* don't set TypedExtensionProtocolOptions when ProxyProtocol enabled

Signed-off-by: zirain <[email protected]>

* update test

Signed-off-by: zirain <[email protected]>

* enable auto ALPN for proxy protocol

Signed-off-by: zirain <[email protected]>

* add e2e

Signed-off-by: zirain <[email protected]>

* update

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>

Author: zirain

internal/xds/translator/cluster.go

@@ -203,13 +203,6 @@ func buildXdsCluster(args *xdsClusterArgs) (*buildClusterResult, error) {
 		}
 	}
 
-	// Set Proxy Protocol
-	if args.proxyProtocol != nil {
-		cluster.TransportSocket = buildProxyProtocolSocket(args.proxyProtocol, args.tSocket)
-	} else if args.tSocket != nil {
-		cluster.TransportSocket = args.tSocket
-	}
-
 	// scan through settings to determine cluster-level configuration options, as some of them
 	// influence transport socket specific settings
 	requiresAutoHTTPConfig := false
@@ -235,15 +228,23 @@ func buildXdsCluster(args *xdsClusterArgs) (*buildClusterResult, error) {
 	// only enable auto sni if TLS is configured
 	requiresAutoSNI := !hasLiteralSNI && requiresAutoHTTPConfig
 
+	// Set Proxy Protocol
+	proxyProtocolEnabled := args.proxyProtocol != nil
+	if proxyProtocolEnabled {
+		cluster.TransportSocket = buildProxyProtocolSocket(args.proxyProtocol, args.tSocket, requiresAutoHTTPConfig)
+	} else if args.tSocket != nil {
+		cluster.TransportSocket = args.tSocket
+	}
+
 	for i, ds := range args.settings {
 		if ds.TLS != nil {
 			socket, err := buildXdsUpstreamTLSSocketWthCert(ds.TLS, requiresAutoSNI, args.endpointType)
 			if err != nil {
 				// TODO: Log something here
 				return nil, err
 			}
-			if args.proxyProtocol != nil {
-				socket = buildProxyProtocolSocket(args.proxyProtocol, socket)
+			if proxyProtocolEnabled {
+				socket = buildProxyProtocolSocket(args.proxyProtocol, socket, requiresAutoHTTPConfig)
 			}
 			matchName := fmt.Sprintf("%s/tls/%d", args.name, i)
 
@@ -265,7 +266,7 @@ func buildXdsCluster(args *xdsClusterArgs) (*buildClusterResult, error) {
 	}
 
 	// TransportSocket is required for auto HTTP config
-	if requiresAutoHTTPConfig && cluster.TransportSocket == nil {
+	if requiresAutoHTTPConfig && cluster.TransportSocket == nil && !proxyProtocolEnabled {
 		// we need a dummy transport socket to pass the validation
 		cluster.TransportSocket = dummyTransportSocket
 	}
@@ -275,7 +276,8 @@ func buildXdsCluster(args *xdsClusterArgs) (*buildClusterResult, error) {
 	if err != nil {
 		return nil, err
 	}
-	if epo != nil {
+	// Set TypedExtensionProtocolOptions if not using Proxy Protocol
+	if !proxyProtocolEnabled && epo != nil {
 		cluster.TypedExtensionProtocolOptions = epo
 	}
 
@@ -1006,7 +1008,7 @@ func buildUpstreamCodecFilter() (*hcmv3.HttpFilter, error) {
 }
 
 // buildProxyProtocolSocket builds the ProxyProtocol transport socket.
-func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.TransportSocket) *corev3.TransportSocket {
+func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.TransportSocket, requiresAutoHTTPConfig bool) *corev3.TransportSocket {
 	if proxyProtocol == nil {
 		return nil
 	}
@@ -1026,18 +1028,22 @@ func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.T
 
 	// If existing transport socket does not exist wrap around raw buffer
 	if tSocket == nil {
-		rawCtx := &rawbufferv3.RawBuffer{}
-		rawCtxAny, err := proto.ToAnyWithValidation(rawCtx)
-		if err != nil {
-			return nil
-		}
-		rawSocket := &corev3.TransportSocket{
-			Name: wellknown.TransportSocketRawBuffer,
-			ConfigType: &corev3.TransportSocket_TypedConfig{
-				TypedConfig: rawCtxAny,
-			},
+		if requiresAutoHTTPConfig {
+			ppCtx.TransportSocket = dummyTransportSocket
+		} else {
+			rawCtx := &rawbufferv3.RawBuffer{}
+			rawCtxAny, err := proto.ToAnyWithValidation(rawCtx)
+			if err != nil {
+				return nil
+			}
+			rawSocket := &corev3.TransportSocket{
+				Name: wellknown.TransportSocketRawBuffer,
+				ConfigType: &corev3.TransportSocket_TypedConfig{
+					TypedConfig: rawCtxAny,
+				},
+			}
+			ppCtx.TransportSocket = rawSocket
 		}
-		ppCtx.TransportSocket = rawSocket
 	} else {
 		ppCtx.TransportSocket = tSocket
 	}

internal/xds/translator/testdata/in/xds-ir/accesslog-als-tcp.yaml

@@ -32,8 +32,6 @@ accesslog:
           interval: 5s
           maxEjectionPercent: 10
           splitExternalLocalOriginErrors: false
-      proxyProtocol:
-        version: V2
       tcpKeepalive:
         probes: 7
       timeout:

internal/xds/translator/testdata/in/xds-ir/ext-proc-with-retries.yaml

@@ -102,8 +102,6 @@ http:
             roundRobin:
               slowStart:
                 window: 5s
-          proxyProtocol:
-            version: V2
           tcpKeepalive:
             probes: 7
           timeout:

internal/xds/translator/testdata/in/xds-ir/ext-proc-with-traffic-settings.yaml

@@ -89,8 +89,6 @@ http:
             roundRobin:
               slowStart:
                 window: 5s
-          proxyProtocol:
-            version: V2
           tcpKeepalive:
             probes: 7
           timeout:

internal/xds/translator/testdata/in/xds-ir/tracing.yaml

@@ -41,8 +41,6 @@ tracing:
         interval: 5s
         maxEjectionPercent: 10
         splitExternalLocalOriginErrors: false
-    proxyProtocol:
-      version: V2
     tcpKeepalive:
       probes: 7
     timeout:

internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml

@@ -30,16 +30,6 @@
     interval: 5s
     maxEjectionPercent: 10
   perConnectionBufferLimitBytes: 20971520
-  transportSocket:
-    name: envoy.transport_sockets.upstream_proxy_protocol
-    typedConfig:
-      '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
-      config:
-        version: V2
-      transportSocket:
-        name: envoy.transport_sockets.raw_buffer
-        typedConfig:
-          '@type': type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer
   type: EDS
   typedExtensionProtocolOptions:
     envoy.extensions.upstreams.http.v3.HttpProtocolOptions:

internal/xds/translator/testdata/out/xds-ir/ext-proc-with-retries.clusters.yaml

@@ -80,68 +80,51 @@
     maxEjectionPercent: 10
   perConnectionBufferLimitBytes: 20971520
   transportSocket:
-    name: envoy.transport_sockets.upstream_proxy_protocol
+    name: dummy.transport_socket
     typedConfig:
-      '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
-      config:
-        version: V2
-      transportSocket:
-        name: envoy.transport_sockets.raw_buffer
-        typedConfig:
-          '@type': type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer
+      '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+      commonTlsContext: {}
   transportSocketMatches:
   - match:
       name: envoyextensionpolicy/default/policy-for-http-route/0/tls/0
     name: envoyextensionpolicy/default/policy-for-http-route/0/tls/0
     transportSocket:
-      name: envoy.transport_sockets.upstream_proxy_protocol
+      name: envoy.transport_sockets.tls
       typedConfig:
-        '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
-        config:
-          version: V2
-        transportSocket:
-          name: envoy.transport_sockets.tls
-          typedConfig:
-            '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
-            commonTlsContext:
-              combinedValidationContext:
-                defaultValidationContext:
-                  matchTypedSubjectAltNames:
-                  - matcher:
-                      exact: grpc-backend
-                    sanType: DNS
-                validationContextSdsSecretConfig:
-                  name: policy-btls-grpc/envoy-gateway-ca
-                  sdsConfig:
-                    ads: {}
-                    resourceApiVersion: V3
-            sni: grpc-backend
+        '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        commonTlsContext:
+          combinedValidationContext:
+            defaultValidationContext:
+              matchTypedSubjectAltNames:
+              - matcher:
+                  exact: grpc-backend
+                sanType: DNS
+            validationContextSdsSecretConfig:
+              name: policy-btls-grpc/envoy-gateway-ca
+              sdsConfig:
+                ads: {}
+                resourceApiVersion: V3
+        sni: grpc-backend
   - match:
       name: envoyextensionpolicy/default/policy-for-http-route/0/tls/3
     name: envoyextensionpolicy/default/policy-for-http-route/0/tls/3
     transportSocket:
-      name: envoy.transport_sockets.upstream_proxy_protocol
+      name: envoy.transport_sockets.tls
       typedConfig:
-        '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
-        config:
-          version: V2
-        transportSocket:
-          name: envoy.transport_sockets.tls
-          typedConfig:
-            '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
-            commonTlsContext:
-              combinedValidationContext:
-                defaultValidationContext:
-                  matchTypedSubjectAltNames:
-                  - matcher:
-                      exact: ip-backend
-                    sanType: DNS
-                validationContextSdsSecretConfig:
-                  name: policy-btls-backend-ip/envoy-gateway-ca
-                  sdsConfig:
-                    ads: {}
-                    resourceApiVersion: V3
-            sni: ip-backend
+        '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        commonTlsContext:
+          combinedValidationContext:
+            defaultValidationContext:
+              matchTypedSubjectAltNames:
+              - matcher:
+                  exact: ip-backend
+                sanType: DNS
+            validationContextSdsSecretConfig:
+              name: policy-btls-backend-ip/envoy-gateway-ca
+              sdsConfig:
+                ads: {}
+                resourceApiVersion: V3
+        sni: ip-backend
   type: EDS
   typedExtensionProtocolOptions:
     envoy.extensions.upstreams.http.v3.HttpProtocolOptions:

internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml

@@ -80,68 +80,51 @@
     maxEjectionPercent: 10
   perConnectionBufferLimitBytes: 20971520
   transportSocket:
-    name: envoy.transport_sockets.upstream_proxy_protocol
+    name: dummy.transport_socket
     typedConfig:
-      '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
-      config:
-        version: V2
-      transportSocket:
-        name: envoy.transport_sockets.raw_buffer
-        typedConfig:
-          '@type': type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer
+      '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+      commonTlsContext: {}
   transportSocketMatches:
   - match:
       name: envoyextensionpolicy/default/policy-for-http-route/0/tls/0
     name: envoyextensionpolicy/default/policy-for-http-route/0/tls/0
     transportSocket:
-      name: envoy.transport_sockets.upstream_proxy_protocol
+      name: envoy.transport_sockets.tls
       typedConfig:
-        '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
-        config:
-          version: V2
-        transportSocket:
-          name: envoy.transport_sockets.tls
-          typedConfig:
-            '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
-            commonTlsContext:
-              combinedValidationContext:
-                defaultValidationContext:
-                  matchTypedSubjectAltNames:
-                  - matcher:
-                      exact: grpc-backend
-                    sanType: DNS
-                validationContextSdsSecretConfig:
-                  name: policy-btls-grpc/envoy-gateway-ca
-                  sdsConfig:
-                    ads: {}
-                    resourceApiVersion: V3
-            sni: grpc-backend
+        '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        commonTlsContext:
+          combinedValidationContext:
+            defaultValidationContext:
+              matchTypedSubjectAltNames:
+              - matcher:
+                  exact: grpc-backend
+                sanType: DNS
+            validationContextSdsSecretConfig:
+              name: policy-btls-grpc/envoy-gateway-ca
+              sdsConfig:
+                ads: {}
+                resourceApiVersion: V3
+        sni: grpc-backend
   - match:
       name: envoyextensionpolicy/default/policy-for-http-route/0/tls/3
     name: envoyextensionpolicy/default/policy-for-http-route/0/tls/3
     transportSocket:
-      name: envoy.transport_sockets.upstream_proxy_protocol
+      name: envoy.transport_sockets.tls
       typedConfig:
-        '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
-        config:
-          version: V2
-        transportSocket:
-          name: envoy.transport_sockets.tls
-          typedConfig:
-            '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
-            commonTlsContext:
-              combinedValidationContext:
-                defaultValidationContext:
-                  matchTypedSubjectAltNames:
-                  - matcher:
-                      exact: ip-backend
-                    sanType: DNS
-                validationContextSdsSecretConfig:
-                  name: policy-btls-backend-ip/envoy-gateway-ca
-                  sdsConfig:
-                    ads: {}
-                    resourceApiVersion: V3
-            sni: ip-backend
+        '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        commonTlsContext:
+          combinedValidationContext:
+            defaultValidationContext:
+              matchTypedSubjectAltNames:
+              - matcher:
+                  exact: ip-backend
+                sanType: DNS
+            validationContextSdsSecretConfig:
+              name: policy-btls-backend-ip/envoy-gateway-ca
+              sdsConfig:
+                ads: {}
+                resourceApiVersion: V3
+        sni: ip-backend
   type: EDS
   typedExtensionProtocolOptions:
     envoy.extensions.upstreams.http.v3.HttpProtocolOptions:

internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml

@@ -106,9 +106,10 @@
       config:
         version: V2
       transportSocket:
-        name: envoy.transport_sockets.raw_buffer
+        name: dummy.transport_socket
         typedConfig:
-          '@type': type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer
+          '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+          commonTlsContext: {}
   transportSocketMatches:
   - match:
       name: httproute/envoy-gateway/httproute-btls-2/rule/0/tls/1
@@ -137,11 +138,3 @@
                     resourceApiVersion: V3
             sni: example.com
   type: EDS
-  typedExtensionProtocolOptions:
-    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
-      '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
-      autoConfig:
-        http2ProtocolOptions:
-          initialConnectionWindowSize: 1048576
-          initialStreamWindowSize: 65536
-        httpProtocolOptions: {}