LDSv2 fixes for sidecar (istio#4492)

mixer/pkg/runtime2/validator/validator.go

@@ -20,7 +20,7 @@ import (
 	"time"
 
 	"github.com/gogo/protobuf/proto"
-	"github.com/hashicorp/go-multierror"
+	multierror "github.com/hashicorp/go-multierror"
 
 	cpb "istio.io/api/policy/v1beta1"
 	"istio.io/istio/mixer/pkg/adapter"

pilot/pkg/networking/deprecated/config.go

@@ -41,11 +41,6 @@ import (
 )
 
 const (
-	// names for filters taken from envoy v2 API.
-	filterNameRouter            = util.Router
-	filterNameCors              = util.CORS
-	filterHTTPConnectionManager = util.HTTPConnectionManager
-
 	// TODO: move to go-control-plane
 	fileAccessLog = "envoy.file_access_log"
 
@@ -142,14 +137,32 @@ func buildSidecarListenersClusters(
 			clusters = append(clusters, c)
 		}
 
-		// BindToPort is deprecated in v2, always true.
+		// set bind to port values for port redirection
+		for _, listener := range listeners {
+			listener.DeprecatedV1 = &xdsapi.Listener_DeprecatedV1{
+				BindToPort: &google_protobuf.BoolValue{false},
+			}
+		}
 
+		tc := &tcp_proxy.TcpProxy{
+			Cluster:    "orig-dst-cluster-tcp",
+			StatPrefix: "tcp",
+		}
 		// add an extra listener that binds to the port that is the recipient of the iptables redirect
 		listeners = append(listeners, &xdsapi.Listener{
 			Name:           v1.VirtualListenerName,
 			Address:        buildAddress(v1.WildcardAddress, uint32(mesh.ProxyListenPort)),
 			UseOriginalDst: &google_protobuf.BoolValue{true},
-			FilterChains:   make([]listener.FilterChain, 0),
+			FilterChains: []listener.FilterChain{
+				{
+					Filters: []listener.Filter{
+						{
+							Name:   util.TCPProxy,
+							Config: messageToStruct(tc),
+						},
+					},
+				},
+			},
 		})
 	}
 
@@ -209,11 +222,11 @@ type buildHTTPListenerOpts struct { // nolint: maligned
 func buildHTTPConnectionManager(opts buildHTTPListenerOpts) *http_conn.HttpConnectionManager {
 	filters := []*http_conn.HttpFilter{}
 	filters = append(filters, &http_conn.HttpFilter{
-		Name: filterNameCors,
+		Name: util.CORS,
 	})
 	filters = append(filters, buildFaultFilters(opts.config, opts.env, opts.proxy)...)
 	filters = append(filters, &http_conn.HttpFilter{
-		Name: filterNameRouter,
+		Name: util.Router,
 	})
 
 	/*	TODO(mostrowski): need to port internal build functions for mixer.
@@ -236,7 +249,8 @@ func buildHTTPConnectionManager(opts buildHTTPListenerOpts) *http_conn.HttpConne
 				ConfigSource: core.ConfigSource{
 					ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{
 						ApiConfigSource: &core.ApiConfigSource{
-							ApiType:      core.ApiConfigSource_GRPC,
+							// TODO(mostrowski): change this when RDS is ready.
+							ApiType:      core.ApiConfigSource_REST_LEGACY,
 							ClusterNames: []string{v1.RDSName},
 							RefreshDelay: &refresh,
 						},
@@ -294,11 +308,14 @@ func buildHTTPListener(opts buildHTTPListenerOpts) *xdsapi.Listener {
 	return &xdsapi.Listener{
 		Address: buildAddress(opts.ip, uint32(opts.port)),
 		Name:    fmt.Sprintf("http_%s_%d", opts.ip, opts.port),
+		DeprecatedV1: &xdsapi.Listener_DeprecatedV1{
+			BindToPort: &google_protobuf.BoolValue{true},
+		},
 		FilterChains: []listener.FilterChain{
 			{
 				Filters: []listener.Filter{
 					{
-						Name:   filterHTTPConnectionManager,
+						Name:   util.HTTPConnectionManager,
 						Config: messageToStruct(manager),
 					},
 				},
@@ -339,13 +356,13 @@ func mayApplyInboundAuth(listener *xdsapi.Listener, mesh *meshconfig.MeshConfig,
 // in addition, it enables mongo proxy filter based on the protocol
 // TODO: The TCP listeners setup so far will not work as we are not setting up tcp routes properly
 func buildTCPListener(tcpConfig *v1.TCPRouteConfig, ip string, port uint32, protocol model.Protocol) *xdsapi.Listener {
-	config := tcp_proxy.TcpProxy{
+	config := &tcp_proxy.TcpProxy{
 		StatPrefix: "tcp",
 		// TODO: add tcp routes using deprecated v1 config as filter chain match is incomplete
 	}
 	baseTCPProxy := listener.Filter{
-		Name:   v1.TCPProxyFilter,
-		Config: buildProtoStruct(v1.TCPProxyFilter, config.String()),
+		Name:   util.TCPProxy,
+		Config: messageToStruct(config),
 	}
 
 	// Use Envoy's TCP proxy for TCP and Redis protocols. Currently, Envoy does not support CDS clusters
@@ -369,8 +386,8 @@ func buildTCPListener(tcpConfig *v1.TCPRouteConfig, ip string, port uint32, prot
 				{
 					Filters: []listener.Filter{
 						{
-							Name:   v1.MongoProxyFilter,
-							Config: buildProtoStruct(v1.MongoProxyFilter, config.String()),
+							Name:   util.MongoProxy,
+							Config: messageToStruct(config),
 						},
 						baseTCPProxy,
 					},
@@ -403,8 +420,8 @@ func buildTCPListener(tcpConfig *v1.TCPRouteConfig, ip string, port uint32, prot
 					{
 						Filters: []listener.Filter{
 							{
-								Name:   v1.RedisProxyFilter,
-								Config: buildProtoStruct(v1.RedisProxyFilter, config.String()),
+								Name:   util.RedisProxy,
+								Config: messageToStruct(config),
 							},
 							baseTCPProxy,
 						},

pilot/pkg/networking/deprecated/ingress.go

@@ -21,6 +21,7 @@ import (
 	envoy_api_v2_auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth"
 	"github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
 	http_conn "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2"
+	"github.com/envoyproxy/go-control-plane/pkg/util"
 
 	"github.com/envoyproxy/go-control-plane/envoy/api/v2/listener"
 
@@ -50,7 +51,7 @@ func buildIngressListeners(mesh *meshconfig.MeshConfig, proxyInstances []*model.
 	}
 
 	manager := buildHTTPConnectionManager(opts)
-	l := newHTTPListener(opts.ip, opts.port, filterHTTPConnectionManager, messageToStruct(manager))
+	l := newHTTPListener(opts.ip, opts.port, util.HTTPConnectionManager, messageToStruct(manager))
 
 	listeners := []*xdsapi.Listener{l}
 
@@ -61,7 +62,7 @@ func buildIngressListeners(mesh *meshconfig.MeshConfig, proxyInstances []*model.
 		opts.port = 443
 		opts.rds = "443"
 		manager := buildHTTPConnectionManager(opts)
-		l := newHTTPListener(opts.ip, opts.port, filterHTTPConnectionManager, messageToStruct(manager))
+		l := newHTTPListener(opts.ip, opts.port, util.HTTPConnectionManager, messageToStruct(manager))
 
 		l.FilterChains = []listener.FilterChain{
 			{
@@ -86,7 +87,7 @@ func buildIngressListeners(mesh *meshconfig.MeshConfig, proxyInstances []*model.
 				},
 				Filters: []listener.Filter{
 					{
-						Name:   filterHTTPConnectionManager,
+						Name:   util.HTTPConnectionManager,
 						Config: messageToStruct(manager),
 					},
 				},

pilot/pkg/networking/deprecated/listener.go

@@ -19,6 +19,7 @@ import (
 
 	xdsapi "github.com/envoyproxy/go-control-plane/envoy/api/v2"
 	"github.com/envoyproxy/go-control-plane/envoy/api/v2/listener"
+	"github.com/envoyproxy/go-control-plane/pkg/util"
 	"github.com/gogo/protobuf/types"
 
 	"strings"
@@ -72,7 +73,7 @@ func newHTTPListener(ip string, port int, name string, config *types.Struct) *xd
 			{
 				Filters: []listener.Filter{
 					{
-						Name:   filterHTTPConnectionManager,
+						Name:   util.HTTPConnectionManager,
 						Config: config,
 					},
 				},

pilot/pkg/networking/v1alpha3/config.go

@@ -42,11 +42,6 @@ import (
 )
 
 const (
-	// names for filters taken from envoy v2 API.
-	filterNameRouter            = util.Router
-	filterNameCors              = util.CORS
-	filterHTTPConnectionManager = util.HTTPConnectionManager
-
 	// TODO: move to go-control-plane
 	fileAccessLog = "envoy.file_access_log"
 )
@@ -112,14 +107,32 @@ func buildSidecarListeners(
 			listeners = append(listeners, m)
 		}
 
-		// BindToPort is deprecated in v2, always true.
+		// set bind to port values for port redirection
+		for _, listener := range listeners {
+			listener.DeprecatedV1 = &xdsapi.Listener_DeprecatedV1{
+				BindToPort: &google_protobuf.BoolValue{false},
+			}
+		}
 
+		tc := &tcp_proxy.TcpProxy{
+			Cluster:    "orig-dst-cluster-tcp",
+			StatPrefix: "tcp",
+		}
 		// add an extra listener that binds to the port that is the recipient of the iptables redirect
 		listeners = append(listeners, &xdsapi.Listener{
 			Name:           v1.VirtualListenerName,
 			Address:        buildAddress(v1.WildcardAddress, uint32(mesh.ProxyListenPort)),
 			UseOriginalDst: &google_protobuf.BoolValue{true},
-			FilterChains:   make([]listener.FilterChain, 0),
+			FilterChains: []listener.FilterChain{
+				{
+					Filters: []listener.Filter{
+						{
+							Name:   util.TCPProxy,
+							Config: messageToStruct(tc),
+						},
+					},
+				},
+			},
 		})
 	}
 
@@ -158,12 +171,12 @@ func buildSidecarListeners(
 func buildHTTPConnectionManager(opts buildHTTPListenerOpts) *http_conn.HttpConnectionManager {
 	filters := []*http_conn.HttpFilter{}
 	filters = append(filters, &http_conn.HttpFilter{
-		Name: filterNameCors,
+		Name: util.CORS,
 	})
 	// TODO: need alphav3 fault filters.
 	// filters = append(filters, buildFaultFilters(opts.config, opts.env, opts.proxy)...)
 	filters = append(filters, &http_conn.HttpFilter{
-		Name: filterNameRouter,
+		Name: util.Router,
 	})
 
 	/*	TODO(mostrowski): need to port internal build functions for mixer.
@@ -190,7 +203,8 @@ func buildHTTPConnectionManager(opts buildHTTPListenerOpts) *http_conn.HttpConne
 				ConfigSource: core.ConfigSource{
 					ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{
 						ApiConfigSource: &core.ApiConfigSource{
-							ApiType:      core.ApiConfigSource_GRPC,
+							// TODO(mostrowski): change this when RDS is ready.
+							ApiType:      core.ApiConfigSource_REST_LEGACY,
 							ClusterNames: []string{v1.RDSName},
 							RefreshDelay: &refresh,
 						},
@@ -248,11 +262,14 @@ func buildHTTPListener(opts buildHTTPListenerOpts) *xdsapi.Listener {
 	return &xdsapi.Listener{
 		Address: buildAddress(opts.ip, uint32(opts.port)),
 		Name:    fmt.Sprintf("http_%s_%d", opts.ip, opts.port),
+		DeprecatedV1: &xdsapi.Listener_DeprecatedV1{
+			BindToPort: &google_protobuf.BoolValue{true},
+		},
 		FilterChains: []listener.FilterChain{
 			{
 				Filters: []listener.Filter{
 					{
-						Name:   filterHTTPConnectionManager,
+						Name:   util.HTTPConnectionManager,
 						Config: messageToStruct(manager),
 					},
 				},
@@ -303,7 +320,7 @@ func buildTCPListener(tcpConfig *v1.TCPRouteConfig, ip string, port uint32, prot
 				{
 					Filters: []listener.Filter{
 						{
-							Name:   v1.MongoProxyFilter,
+							Name:   util.MongoProxy,
 							Config: messageToStruct(config),
 						},
 						baseTCPProxy,
@@ -337,7 +354,7 @@ func buildTCPListener(tcpConfig *v1.TCPRouteConfig, ip string, port uint32, prot
 					{
 						Filters: []listener.Filter{
 							{
-								Name:   v1.RedisProxyFilter,
+								Name:   util.RedisProxy,
 								Config: messageToStruct(config),
 							},
 							baseTCPProxy,
@@ -548,13 +565,22 @@ func buildOutboundTCPListeners(mesh *meshconfig.MeshConfig, node model.Proxy,
 					config := &v1.TCPRouteConfig{Routes: []*v1.TCPRoute{route}}
 					listener := buildTCPListener(
 						config, v1.WildcardAddress, uint32(servicePort.Port), servicePort.Protocol)
+					// bind defaults to true in envoy v2 API
+					if node.Type != model.Router {
+						listener.DeprecatedV1 = &xdsapi.Listener_DeprecatedV1{
+							BindToPort: &google_protobuf.BoolValue{false},
+						}
+					}
 					tcpListeners = append(tcpListeners, listener)
 				} else {
 					cluster := v1.BuildOutboundCluster(service.Hostname, servicePort, nil, service.External())
 					route := v1.BuildTCPRoute(cluster, []string{service.Address})
 					config := &v1.TCPRouteConfig{Routes: []*v1.TCPRoute{route}}
 					listener := buildTCPListener(
 						config, service.Address, uint32(servicePort.Port), servicePort.Protocol)
+					listener.DeprecatedV1 = &xdsapi.Listener_DeprecatedV1{
+						BindToPort: &google_protobuf.BoolValue{false},
+					}
 					tcpListeners = append(tcpListeners, listener)
 				}
 			}
@@ -689,7 +715,6 @@ func buildInboundListeners(mesh *meshconfig.MeshConfig, node model.Proxy,
 			listeners = append(listeners, l)
 		}
 	}
-
 	return listeners
 }