transport sockets: expose proxy protocol socket#12762
transport sockets: expose proxy protocol socket#12762mattklein123 merged 27 commits intoenvoyproxy:masterfrom wez470:master
Conversation
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
|
@antoniovicente would you be up for taking first pass? |
|
/assign @antoniovicente |
Signed-off-by: Weston Carlson <[email protected]>
| :ref:`Original Src Listener Filter <arch_overview_ip_transparency_original_src_listener>`. | ||
| :ref:`Original Src Listener Filter <arch_overview_ip_transparency_original_src_listener>`. Finally, | ||
| Envoy supports generating this header using the :ref:`Proxy Protocol Transport Socket <extension_envoy.transport_sockets.upstream_proxy_protocol>` | ||
| transport socket. |
There was a problem hiding this comment.
Can we have a full example config here?
There was a problem hiding this comment.
Yeah, I was thinking about that, but was unsure where to add. We don't really have a designated socket spot for config examples. At one point I thought we could maybe add a sockets section here https://www.envoyproxy.io/docs/envoy/latest/configuration/configuration? wdyt? I'm fine with just adding in this file too.
There was a problem hiding this comment.
The envoy.transport_sockets.tls example in docs/root/start/start.rst could be a source of inspiration.
antoniovicente
left a comment
antoniovicente
left a comment
There was a problem hiding this comment.
Thanks for implementing this. Looks pretty good. Sorry for the delays in code review.
test/extensions/transport_sockets/proxy_protocol/proxy_protocol_integration_test.cc
Outdated
Show resolved
Hide resolved
source/extensions/transport_sockets/proxy_protocol/proxy_protocol.cc
Outdated
Show resolved
Hide resolved
|
Thank you for adding this. Testing it locally works great 👍 |
|
Thanks for trying it out! I actually was seeing some issues with health checks when I was going through functional tests again the other day. For some reason was null. I'm trying to figure out what's going on there. This is also probably an indicator that we need an integration test to cover this. |
Signed-off-by: Weston Carlson <[email protected]>
|
@alyssawilk I think things are ready for another look 🙂 |
alyssawilk
left a comment
alyssawilk
left a comment
There was a problem hiding this comment.
Looking great! I think once we get the last tests sorted you're good to go.
| } | ||
|
|
||
| // Test header is sent unencrypted using a TLS inner socket | ||
| TEST_P(ProxyProtocolIntegrationTest, TestTLSSocket) { |
There was a problem hiding this comment.
Try an -l trace and see where it hangs? Maybe it's hitting a timeout somewhere? If this is all raw TCP I think half close semantics apply, so if you close the client the connection may persist until the idle timeout kicks in.
if
ASSERT_TRUE(fake_upstream_connection->close());
ASSERT_TRUE(fake_upstream_connection->waitForDisconnect());
tcp_client->waitForHalfClose();
tcp_client->close();
fixes, that's the problem, though I'm surprised there wouldn't be the same stall in other tests
| "envoy.transport_sockets.raw_buffer"); | ||
| initialize(); | ||
|
|
||
| ASSERT_TRUE(fake_upstreams_[0]->waitForRawConnection(fake_upstream_connection_)); |
There was a problem hiding this comment.
again maybe -l trace or cerr logging? It may be easier to snag values from other health checking tests in tcp_proxy_integration_test.cc
Signed-off-by: Weston Carlson <[email protected]>
Signed-off-by: Weston Carlson <[email protected]>
|
LGTM modulo clang tidy fix :-) |
Signed-off-by: Weston Carlson <[email protected]>
|
@lizan can you take a look both as secondary reviewer and API shepherd? |
|
This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
stale
bot
added
the
stale
|
@lizan ping? Alternately @mattklein123 could do second and Api pass? |
stale
bot
removed
the
stale
|
I can take a look. |
mattklein123
left a comment
mattklein123
left a comment
There was a problem hiding this comment.
Exciting to see this land. One small question. Also, can you merge main just to make sure we aren't too out of date? Thanks.
/wait-any
| if (!read_callbacks_->connection() | ||
| .streamInfo() | ||
| .filterState() | ||
| ->hasData<Network::ProxyProtocolFilterState>( | ||
| Network::ProxyProtocolFilterState::key())) { | ||
| read_callbacks_->connection().streamInfo().filterState()->setData( | ||
| Network::ProxyProtocolFilterState::key(), | ||
| std::make_unique<Network::ProxyProtocolFilterState>(Network::ProxyProtocolData{ | ||
| downstreamConnection()->remoteAddress(), downstreamConnection()->localAddress()}), | ||
| StreamInfo::FilterState::StateType::ReadOnly, | ||
| StreamInfo::FilterState::LifeSpan::Connection); | ||
| } |
There was a problem hiding this comment.
It seems odd to me that we jam this data into filter state only to read it back in the next function call. What is the use case for nested states here? Could we just pass the addresses directly into the fromFilterState() function?
There was a problem hiding this comment.
It was like this at one point and changed from feedback #11584 (comment). I'm fine either way
There was a problem hiding this comment.
If this has already been discussed it's fine with me. We can revisit later if needed.
Signed-off-by: Weston Carlson <[email protected]>
|
Thanks all! 🎉 |
|
Doing some more testing on this, there is a common case where it's not behaving as expected from what I can tell. Rough steps to reproduce: The expectation here and what the logs show is 20 connections each from the 3 separate addresses above. What the proxy protocol sends, ends up being a random mix. Any ideas? |
|
I wonder if this comment, suggesting existence of connection reuse scenarios, is relevant: Edit: filed this issue here: #13659 |
|
Sadly it's not that simple but I've confirmed there's definitely a bug here. I'll pick up fixing. |
7 participants
Exposes proxy proto socket
Commit Message: Expose proxy protocol socket publicly.
Additional Description: Finishes off work for upstream proxy protocol header generation (possible performance pass still to come). Previous work so far includes #10548 (util funcs to generate header), #10845 (config api message), and #11584 (non-exposed transport socket). This PR hooks up tcp proxy, adds config factories to the socket, adds integration tests, and adds docs.
Risk Level: Medium
Testing: Unit + Integration + Functional
Docs Changes: IP transparency - Added to proxy protocol section to mention this socket for upstream generation, API docs
generated from proto
Release Notes: https://github.com/envoyproxy/envoy/pull/12762/files#diff-0ec5c857b4b6fbbb72b2ffc5275b15efR64
Fixes #1031