include envoy's proto specs into config.proto (#1817)

.gitignore

@@ -87,3 +87,5 @@ docs/.vuepress/dist/
 !.pre-commit-config.yaml
 
 .service-accounts
+
+/bazel-*

.golangci.yml

@@ -162,7 +162,10 @@ issues:
         - scopelint
         - gosec
         - gosimple
-
+    # Exclude lll issues for long lines with go:generate
+    - linters:
+        - lll
+      source: "^//go:generate "
     # erroneously thinks google api url is a cred
     - path: internal/identity/google.go
       text: "Potential hardcoded credentials"

config/policy.go

@@ -166,8 +166,6 @@ type PolicyRedirect struct {
 	StripQuery     *bool   `mapstructure:"strip_query" yaml:"strip_query,omitempty" json:"strip_query,omitempty"`
 }
 
-type PolicyOutlierDetection envoy_config_cluster_v3.OutlierDetection
-
 // NewPolicyFromProto creates a new Policy from a protobuf policy config route.
 func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
 	timeout, _ := ptypes.Duration(pb.GetTimeout())
@@ -217,6 +215,8 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
 		}
 	}
 
+	p.EnvoyOpts = pb.EnvoyOpts
+
 	for _, sp := range pb.GetPolicies() {
 		p.SubPolicies = append(p.SubPolicies, SubPolicy{
 			ID:               sp.GetId(),

docs/.vuepress/config.js

@@ -125,6 +125,7 @@ module.exports = {
             "topics/programmatic-access",
             "topics/tcp-support",
             "topics/single-sign-out",
+            "topics/load-balancing",
           ],
         },
         {

docs/docs/topics/load-balancing.md

@@ -21,7 +21,9 @@ policy:
 ```
 
 ::: tip
-    In presence of multiple upstreams, make sure to specify either an active or passive health check, or both, to avoid requests served to unhealthy backend.
+
+In the presence of multiple upstreams, make sure to specify either an active or passive health check, or both, to avoid requests being served to an unhealthy backend.
+
 :::
 
 ### Active Health Checks
@@ -43,14 +45,24 @@ policy:
         http_health_check:
           path: "/"
 ```
+
 ### Passive Health Checks
 
 Passive health check tries to deduce upstream server health based on recent observed responses.
-See [Outlier Detection](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/outlier) for a comprehensive overview.
+See [Outlier Detection](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/outlier) for comprehensive overview.
+
+```yaml
+policy:
+  - from: https://myapp.localhost.pomerium.io
+    to:
+      - http://myapp-srv-1:8080
+      - http://myapp-srv-2:8080
+    outlier_detection: {}
+```
 
 ## Load Balancing Method
 
-`lb_policy` should be set to one of the values:
+`lb_policy` should be set to [one of the values](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers):
 
 - [`ROUND_ROBIN`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#weighted-round-robin) (default)
 - [`LEAST_REQUEST`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#weighted-least-request) and may be further configured using [``](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster-leastrequestlbconfig)
@@ -58,3 +70,6 @@ See [Outlier Detection](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_o
 - [`RANDOM`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#random)
 - [`MAGLEV`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev) and may be further configured using [`maglev_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster-maglevlbconfig) option
 
+## Further reading
+
+- [Introduction to modern network load balancing and proxying](https://blog.envoyproxy.io/introduction-to-modern-network-load-balancing-and-proxying-a57f6ff80236)

go.sum

@@ -752,6 +752,7 @@ golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20210113205817-d3ed898aa8a3 h1:BaN3BAqnopnKjvl+15DYP6LLrbBHfbfmlFYzmFj/Q9Q=
 golang.org/x/oauth2 v0.0.0-20210113205817-d3ed898aa8a3/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -963,6 +964,7 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.35.0 h1:TwIQcH3es+MojMVojxxfQ3l3OF2KzlRxML2xZq0kRo8=
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=

pkg/grpc/config/config.proto

@@ -5,7 +5,8 @@ option go_package = "github.com/pomerium/pomerium/pkg/grpc/config";
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
-import "google/protobuf/wrappers.proto";
+
+import "envoy/config/cluster/v3/cluster.proto";
 
 message Config {
   string name = 1;
@@ -24,29 +25,6 @@ message RouteRedirect {
   optional bool strip_query = 8;
 }
 
-message OutlierDetection {
-  google.protobuf.UInt32Value consecutive_5xx = 1;
-  google.protobuf.Duration interval = 2;
-  google.protobuf.Duration base_ejection_time = 3;
-  google.protobuf.UInt32Value max_ejection_percent = 4;
-  google.protobuf.UInt32Value enforcing_consecutive_5xx = 5;
-  google.protobuf.UInt32Value enforcing_success_rate = 6;
-  google.protobuf.UInt32Value success_rate_minimum_hosts = 7;
-  google.protobuf.UInt32Value success_rate_request_volume = 8;
-  google.protobuf.UInt32Value success_rate_stdev_factor = 9;
-  google.protobuf.UInt32Value consecutive_gateway_failure = 10;
-  google.protobuf.UInt32Value enforcing_consecutive_gateway_failure = 11;
-  bool split_external_local_origin_errors = 12;
-  google.protobuf.UInt32Value consecutive_local_origin_failure = 13;
-  google.protobuf.UInt32Value enforcing_consecutive_local_origin_failure = 14;
-  google.protobuf.UInt32Value enforcing_local_origin_success_rate = 15;
-  google.protobuf.UInt32Value failure_percentage_threshold = 16;
-  google.protobuf.UInt32Value enforcing_failure_percentage = 17;
-  google.protobuf.UInt32Value enforcing_failure_percentage_local_origin = 18;
-  google.protobuf.UInt32Value failure_percentage_minimum_hosts = 19;
-  google.protobuf.UInt32Value failure_percentage_request_volume = 20;
-}
-
 message Route {
   string name = 1;
 
@@ -93,7 +71,7 @@ message Route {
 
   string kubernetes_service_account_token = 26;
 
-  OutlierDetection outlier_detection = 35;
+  envoy.config.cluster.v3.Cluster envoy_opts = 36;
 
   repeated Policy policies = 27;
   string id = 28;

pkg/grpc/grpc.go

@@ -5,4 +5,4 @@ package grpc
 //go:generate ../../scripts/protoc -I ./databroker/ --go_out=plugins=grpc,paths=source_relative:./databroker/. ./databroker/databroker.proto
 //go:generate ../../scripts/protoc -I ./directory/ --go_out=plugins=grpc,paths=source_relative:./directory/. ./directory/directory.proto
 //go:generate ../../scripts/protoc -I ./audit/ --go_out=plugins=grpc,paths=source_relative:./audit/. ./audit/audit.proto
-//go:generate ../../scripts/protoc -I ./config/ --go_out=plugins=grpc,paths=source_relative:./config/. ./config/config.proto
+//go:generate ../../scripts/protoc -I ./config/ --go_out=M"envoy/config/cluster/v3/cluster.proto"="github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3",plugins=grpc,paths=source_relative:./config/. ./config/config.proto

scripts/protoc

@@ -5,12 +5,34 @@ _dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
 _protoc_version="4.0.0-rc2"
 _protoc_version_filename="4.0.0-rc-2"
 _protoc_path="/tmp/pomerium-protoc/protoc-$_protoc_version"
+_protoc_3pp_path="/tmp/pomerium-protoc-3pp"
 _os="linux"
 if [ "$(uname -s)" == "Darwin" ]; then
   _os="osx"
 fi
 
-mkdir -p "$_protoc_path"
+
+# fetch_zip dir name url
+download() {
+  local dst=$1/$2
+  if [ -d $dst ]; then
+    return
+  fi
+
+  echo downloading $2
+  local archive=`mktemp`
+  curl -L -o $archive $3
+  mkdir -p $dst
+  tar xzf $archive -C $dst --strip-components=1
+  rm ${archive}
+}
+
+download $_protoc_3pp_path protoc-gen-validate https://github.com/envoyproxy/protoc-gen-validate/tarball/v0.4.1
+download $_protoc_3pp_path data-plane-api https://github.com/envoyproxy/data-plane-api/tarball/main
+download $_protoc_3pp_path udpa https://github.com/cncf/udpa/tarball/cc1b757b3eddccaaaf0743cbb107742bb7e3ee4f
+download $_protoc_3pp_path googleapis https://github.com/googleapis/googleapis/tarball/82944da21578a53b74e547774cf62ed31a05b841
+
+mkdir -p "$_protoc_path" "$_protoc_3pp_path"
 if [ ! -f "$_protoc_path/bin/protoc" ]; then
   echo "downloading protoc"
   curl -L \
@@ -19,7 +41,12 @@ if [ ! -f "$_protoc_path/bin/protoc" ]; then
   unzip -o -d "$_protoc_path" protoc.zip
   rm protoc.zip
 fi
+
 exec "$_protoc_path/bin/protoc" \
+  -I "$_protoc_3pp_path/data-plane-api" \
+  -I "$_protoc_3pp_path/udpa" \
+  -I "$_protoc_3pp_path/protoc-gen-validate" \
+  -I "$_protoc_3pp_path/googleapis" \
   --experimental_allow_proto3_optional \
   --plugin="protoc-gen-go=$_dir/protoc-gen-go" \
   --plugin="protoc-gen-grpc-web=$_dir/protoc-gen-grpc-web" \