enable upgrades, remove dedicated filter chain

2025-04-28 09:56:31 +02:00 · 2025-02-12 12:00:35 -08:00 · 2025-02-12 12:00:35 -08:00 · 6346cde901
commit 6346cde901
parent 24995b1806
4 changed files with 63 additions and 25 deletions
--- a/config/envoyconfig/clusters.go
+++ b/config/envoyconfig/clusters.go
@ -120,7 +120,7 @@ func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*env
 		}

 		// XXX
-		clusters = append(clusters, b.forwardProxyCluster())
+		clusters = append(clusters, b.forwardProxyCluster(cfg))
 	}

 	if err = validateClusters(clusters); err != nil {
@ -547,10 +547,12 @@ func getClusterDiscoveryType(lbEndpoints []*envoy_config_endpoint_v3.LbEndpoint)
 	return &envoy_config_cluster_v3.Cluster_Type{Type: envoy_config_cluster_v3.Cluster_STRICT_DNS}
 }

-func (b *Builder) forwardProxyCluster() *envoy_config_cluster_v3.Cluster {
+func (b *Builder) forwardProxyCluster(
+	cfg *config.Config,
+) *envoy_config_cluster_v3.Cluster {
 	clusterConfig := protoutil.NewAny(&envoy_extensions_clusters_dynamic_forward_proxy_v3.ClusterConfig{
 		ClusterImplementationSpecifier: &envoy_extensions_clusters_dynamic_forward_proxy_v3.ClusterConfig_DnsCacheConfig{
-			DnsCacheConfig: b.forwardProxyDNSCacheConfig(),
+			DnsCacheConfig: b.forwardProxyDNSCacheConfig(cfg),
 		},
 	})
 	return &envoy_config_cluster_v3.Cluster{
@ -565,7 +567,9 @@ func (b *Builder) forwardProxyCluster() *envoy_config_cluster_v3.Cluster {
 	}
 }

-func (b *Builder) forwardProxyDNSCacheConfig() *envoy_extensions_common_dynamic_forward_proxy_v3.DnsCacheConfig {
+func (b *Builder) forwardProxyDNSCacheConfig(
+	cfg *config.Config,
+) *envoy_extensions_common_dynamic_forward_proxy_v3.DnsCacheConfig {
 	resolverConfig := protoutil.NewAny(&envoy_extensions_network_dns_resolver_cares_v3.CaresDnsResolverConfig{
 		Resolvers: []*envoy_config_core_v3.Address{{
 			Address: &envoy_config_core_v3.Address_SocketAddress{
@ -583,8 +587,9 @@ func (b *Builder) forwardProxyDNSCacheConfig() *envoy_extensions_common_dynamic_
 		},
 	})
 	return &envoy_extensions_common_dynamic_forward_proxy_v3.DnsCacheConfig{
-		Name:            "dynamic_forward_proxy_cache_config",
-		DnsLookupFamily: envoy_config_cluster_v3.Cluster_AUTO,
+		Name: "dynamic_forward_proxy_cache_config",
+		// XXX: this should probably pull from the main config option
+		DnsLookupFamily: config.GetEnvoyDNSLookupFamily(cfg.Options.DNSLookupFamily),
 		TypedDnsResolverConfig: &envoy_config_core_v3.TypedExtensionConfig{
 			Name:        "envoy.network.dns_resolver.cares",
 			TypedConfig: resolverConfig,
--- a/config/envoyconfig/listeners_main.go
+++ b/config/envoyconfig/listeners_main.go
@ -126,9 +126,9 @@ func (b *Builder) buildMainTLSListener(
 	}
 	li.FilterChains = append(li.FilterChains, filterChain)

-	fp := b.buildForwardProxyFilterChain(ctx, cfg)
+	/*fp := b.buildForwardProxyFilterChain(ctx, cfg)
 	fp.TransportSocket = transportSocket
-	li.FilterChains = append(li.FilterChains, fp)
+	li.FilterChains = append(li.FilterChains, fp)*/

 	return li, nil
 }
@ -175,7 +175,7 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
 	if !useQUIC && cfg.Options.CodecType == config.CodecTypeHTTP3 {
 		filters = append(filters, newQUICAltSvcHeaderFilter(cfg))
 	}
-	filters = append(filters, DynamicForwardProxyFilter(b.forwardProxyDNSCacheConfig()))
+	filters = append(filters, DynamicForwardProxyFilter(b.forwardProxyDNSCacheConfig(cfg)))
 	filters = append(filters, HTTPRouterFilter())

 	var maxStreamDuration *durationpb.Duration
@ -309,7 +309,7 @@ func (b *Builder) buildForwardProxyFilterChain(
 	})
 	return &envoy_config_listener_v3.FilterChain{
 		FilterChainMatch: &envoy_config_listener_v3.FilterChainMatch{
-			ServerNames: []string{"relay.ken.sandbox.pomerium.io"}, // XXX
+			ServerNames: []string{"relay.ken.sandbox.pomerium.io", "relay.localhost.pomerium.io"}, // XXX
 		},
 		Filters: []*envoy_config_listener_v3.Filter{filter},
 	}
--- a/config/envoyconfig/route_configurations.go
+++ b/config/envoyconfig/route_configurations.go
@ -100,7 +100,7 @@ func (b *Builder) buildMainRouteConfiguration(
 		vh.Routes = append(vh.Routes, rs...)

 		// XXX
-		vh.Routes = append(vh.Routes, b.buildDynamicForwardProxyRoute(cfg))
+		vh.Routes = append(vh.Routes, b.buildDynamicForwardProxyRoutes(cfg)...)
 	}

 	virtualHosts = append(virtualHosts, vh)
--- a/config/envoyconfig/routes.go
+++ b/config/envoyconfig/routes.go
@ -355,23 +355,56 @@ func (b *Builder) buildRouteForPolicyAndMatch(
 	return route, nil
 }

-func (b *Builder) buildDynamicForwardProxyRoute(cfg *config.Config) *envoy_config_route_v3.Route {
-	return &envoy_config_route_v3.Route{
-		Name: "dynamic",
-		Match: &envoy_config_route_v3.RouteMatch{
-			PathSpecifier: &envoy_config_route_v3.RouteMatch_Prefix{
-				Prefix: "/",
-			},
-		},
-		Action: &envoy_config_route_v3.Route_Route{
-			Route: &envoy_config_route_v3.RouteAction{
-				ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
-					Cluster: "dynamic-forward-proxy-cluster",
+func (b *Builder) buildDynamicForwardProxyRoutes(cfg *config.Config) []*envoy_config_route_v3.Route {
+	return []*envoy_config_route_v3.Route{
+		{
+			Name: "dynamic-upstream",
+			Match: &envoy_config_route_v3.RouteMatch{
+				PathSpecifier: &envoy_config_route_v3.RouteMatch_Prefix{
+					Prefix: "/",
 				},
 			},
+			Action: &envoy_config_route_v3.Route_Route{
+				Route: &envoy_config_route_v3.RouteAction{
+					ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
+						Cluster: "dynamic-forward-proxy-cluster",
+					},
+				},
+			},
+			TypedPerFilterConfig: map[string]*anypb.Any{
+				PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzDisabled(),
+			},
 		},
-		// XXX: does this need any RequestHeadersToRemove?
-		// XXX: does this need a Decorator?
+		{
+			Name: "dynamic-proxy",
+			Match: &envoy_config_route_v3.RouteMatch{
+				PathSpecifier: &envoy_config_route_v3.RouteMatch_ConnectMatcher_{
+					ConnectMatcher: &envoy_config_route_v3.RouteMatch_ConnectMatcher{},
+				},
+			},
+			Action: &envoy_config_route_v3.Route_Route{
+				Route: &envoy_config_route_v3.RouteAction{
+					ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
+						Cluster: "dynamic-forward-proxy-cluster",
+					},
+					UpgradeConfigs: []*envoy_config_route_v3.RouteAction_UpgradeConfig{
+						{
+							UpgradeType:   "CONNECT",
+							ConnectConfig: &envoy_config_route_v3.RouteAction_UpgradeConfig_ConnectConfig{},
+						},
+						{
+							UpgradeType:   "CONNECT-UDP",
+							ConnectConfig: &envoy_config_route_v3.RouteAction_UpgradeConfig_ConnectConfig{},
+						},
+					},
+				},
+			},
+			TypedPerFilterConfig: map[string]*anypb.Any{
+				PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzDisabled(),
+			},
+		},
+		// XXX: do these need any RequestHeadersToRemove?
+		// XXX: do these need a Decorator?
 	}
 }