From 6346cde90138a6c9bd65ff57a33c32c690955a88 Mon Sep 17 00:00:00 2001
From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Date: Wed, 12 Feb 2025 12:00:35 -0800
Subject: [PATCH] enable upgrades, remove dedicated filter chain
---
 config/envoyconfig/clusters.go | 17 +++--
 config/envoyconfig/listeners_main.go | 8 +-
 config/envoyconfig/route_configurations.go | 2 +-
 config/envoyconfig/routes.go | 61 ++++++++++++++++-----
 4 files changed, 63 insertions(+), 25 deletions(-)
diff --git a/config/envoyconfig/clusters.go b/config/envoyconfig/clusters.go
index 3a8a254e7..887b7ee1f 100644
--- a/config/envoyconfig/clusters.go
+++ b/config/envoyconfig/clusters.go
@@ -120,7 +120,7 @@ func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*env
 }
 // XXX
- clusters = append(clusters, b.forwardProxyCluster())
+ clusters = append(clusters, b.forwardProxyCluster(cfg))
 }
 if err = validateClusters(clusters); err != nil {
@@ -547,10 +547,12 @@ func getClusterDiscoveryType(lbEndpoints []*envoy_config_endpoint_v3.LbEndpoint)
 return &envoy_config_cluster_v3.Cluster_Type{Type: envoy_config_cluster_v3.Cluster_STRICT_DNS}
 }
-func (b *Builder) forwardProxyCluster() *envoy_config_cluster_v3.Cluster {
+func (b *Builder) forwardProxyCluster(
+ cfg *config.Config,
+) *envoy_config_cluster_v3.Cluster {
 clusterConfig := protoutil.NewAny(&envoy_extensions_clusters_dynamic_forward_proxy_v3.ClusterConfig{
 ClusterImplementationSpecifier: &envoy_extensions_clusters_dynamic_forward_proxy_v3.ClusterConfig_DnsCacheConfig{
- DnsCacheConfig: b.forwardProxyDNSCacheConfig(),
+ DnsCacheConfig: b.forwardProxyDNSCacheConfig(cfg),
 },
 })
 return &envoy_config_cluster_v3.Cluster{
@@ -565,7 +567,9 @@ func (b *Builder) forwardProxyCluster() *envoy_config_cluster_v3.Cluster {
 }
 }
-func (b *Builder) forwardProxyDNSCacheConfig() *envoy_extensions_common_dynamic_forward_proxy_v3.DnsCacheConfig {
+func (b *Builder) forwardProxyDNSCacheConfig(
+ cfg *config.Config,
+) *envoy_extensions_common_dynamic_forward_proxy_v3.DnsCacheConfig {
 resolverConfig := protoutil.NewAny(&envoy_extensions_network_dns_resolver_cares_v3.CaresDnsResolverConfig{
 Resolvers: []*envoy_config_core_v3.Address{{
 Address: &envoy_config_core_v3.Address_SocketAddress{
@@ -583,8 +587,9 @@ func (b *Builder) forwardProxyDNSCacheConfig() *envoy_extensions_common_dynamic_
 },
 })
 return &envoy_extensions_common_dynamic_forward_proxy_v3.DnsCacheConfig{
- Name: "dynamic_forward_proxy_cache_config",
- DnsLookupFamily: envoy_config_cluster_v3.Cluster_AUTO,
+ Name: "dynamic_forward_proxy_cache_config",
+ // XXX: this should probably pull from the main config option
+ DnsLookupFamily: config.GetEnvoyDNSLookupFamily(cfg.Options.DNSLookupFamily),
 TypedDnsResolverConfig: &envoy_config_core_v3.TypedExtensionConfig{
 Name: "envoy.network.dns_resolver.cares",
 TypedConfig: resolverConfig,
diff --git a/config/envoyconfig/listeners_main.go b/config/envoyconfig/listeners_main.go
index 83e8a7823..eccb8fa85 100644
--- a/config/envoyconfig/listeners_main.go
+++ b/config/envoyconfig/listeners_main.go
@@ -126,9 +126,9 @@ func (b *Builder) buildMainTLSListener(
 }
 li.FilterChains = append(li.FilterChains, filterChain)
- fp := b.buildForwardProxyFilterChain(ctx, cfg)
+ /*fp := b.buildForwardProxyFilterChain(ctx, cfg)
 fp.TransportSocket = transportSocket
- li.FilterChains = append(li.FilterChains, fp)
+ li.FilterChains = append(li.FilterChains, fp)*/
 return li, nil
 }
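Review bot: The new `// XXX: this should probably pull from the main config option` comment in the @@ -583 hunk is already stale, because the line directly beneath it now reads `config.GetEnvoyDNSLookupFamily(cfg.Options.DNSLookupFamily)`, which is exactly the main config option. Either drop the comment or replace it with one that states the intent, e.g. `// Keep the forward-proxy DNS cache aligned with the global dns_lookup_family option.` The remainder of forwardProxyDNSCacheConfig's return value lies outside the hunk.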
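Review bot: Wrapping the three forward-proxy filter chain lines in a `/* ... */` block comment in buildMainTLSListener leaves dead code that `go vet` and `staticcheck` cannot flag, while the commit title says the dedicated chain is removed; delete the lines instead (and buildForwardProxyFilterChain itself if this was its only caller). Be aware this also drops the only SNI-based gate visible in the patch (`FilterChainMatch.ServerNames`) on where forward-proxy traffic is served, so the dynamic forward proxy routes now live on the main filter chain's HTTP connection manager and virtual hosts. If that broadening is intended, record it at this site with a short comment such as `// forward-proxy routes are served from the main filter chain; see buildDynamicForwardProxyRoutes`. buildMainTLSListener's body starts before the hunk.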
@@ -175,7 +175,7 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
 if !useQUIC && cfg.Options.CodecType == config.CodecTypeHTTP3 {
 filters = append(filters, newQUICAltSvcHeaderFilter(cfg))
 }
- filters = append(filters, DynamicForwardProxyFilter(b.forwardProxyDNSCacheConfig()))
+ filters = append(filters, DynamicForwardProxyFilter(b.forwardProxyDNSCacheConfig(cfg)))
 filters = append(filters, HTTPRouterFilter())
 var maxStreamDuration *durationpb.Duration
@@ -309,7 +309,7 @@ func (b *Builder) buildForwardProxyFilterChain(
 })
 return &envoy_config_listener_v3.FilterChain{
 FilterChainMatch: &envoy_config_listener_v3.FilterChainMatch{
- ServerNames: []string{"relay.ken.sandbox.pomerium.io"}, // XXX
+ ServerNames: []string{"relay.ken.sandbox.pomerium.io", "relay.localhost.pomerium.io"}, // XXX
 },
 Filters: []*envoy_config_listener_v3.Filter{filter},
 }
diff --git a/config/envoyconfig/route_configurations.go b/config/envoyconfig/route_configurations.go
index 1249663e4..a341db0d2 100644
--- a/config/envoyconfig/route_configurations.go
+++ b/config/envoyconfig/route_configurations.go
@@ -100,7 +100,7 @@ func (b *Builder) buildMainRouteConfiguration(
 vh.Routes = append(vh.Routes, rs...)
 // XXX
- vh.Routes = append(vh.Routes, b.buildDynamicForwardProxyRoute(cfg))
+ vh.Routes = append(vh.Routes, b.buildDynamicForwardProxyRoutes(cfg)...)
 }
 virtualHosts = append(virtualHosts, vh)
diff --git a/config/envoyconfig/routes.go b/config/envoyconfig/routes.go
index 058c7d474..b30a7d236 100644
--- a/config/envoyconfig/routes.go
+++ b/config/envoyconfig/routes.go
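Review bot: The @@ -309 hunk adds a second hard-coded hostname to `ServerNames` in buildForwardProxyFilterChain, but the only call to that function visible in this patch (in buildMainTLSListener) is commented out by the same commit, so unless another caller exists the function is now unreachable and this edit is dead. Hard-coded sandbox and localhost names marked `// XXX` should not land; either remove buildForwardProxyFilterChain together with the commented-out call, or derive the server names from configuration. The function's body begins outside the hunk.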
@@ -355,23 +355,56 @@ func (b *Builder) buildRouteForPolicyAndMatch(
 return route, nil
 }
-func (b *Builder) buildDynamicForwardProxyRoute(cfg *config.Config) *envoy_config_route_v3.Route {
- return &envoy_config_route_v3.Route{
- Name: "dynamic",
- Match: &envoy_config_route_v3.RouteMatch{
- PathSpecifier: &envoy_config_route_v3.RouteMatch_Prefix{
- Prefix: "/",
- },
- },
- Action: &envoy_config_route_v3.Route_Route{
- Route: &envoy_config_route_v3.RouteAction{
- ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
- Cluster: "dynamic-forward-proxy-cluster",
+func (b *Builder) buildDynamicForwardProxyRoutes(cfg *config.Config) []*envoy_config_route_v3.Route {
+ return []*envoy_config_route_v3.Route{
+ {
+ Name: "dynamic-upstream",
+ Match: &envoy_config_route_v3.RouteMatch{
+ PathSpecifier: &envoy_config_route_v3.RouteMatch_Prefix{
+ Prefix: "/",
 },
 },
+ Action: &envoy_config_route_v3.Route_Route{
+ Route: &envoy_config_route_v3.RouteAction{
+ ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
+ Cluster: "dynamic-forward-proxy-cluster",
+ },
+ },
+ },
+ TypedPerFilterConfig: map[string]*anypb.Any{
+ PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzDisabled(),
+ },
 },
- // XXX: does this need any RequestHeadersToRemove?
- // XXX: does this need a Decorator?
+ {
+ Name: "dynamic-proxy",
+ Match: &envoy_config_route_v3.RouteMatch{
+ PathSpecifier: &envoy_config_route_v3.RouteMatch_ConnectMatcher_{
+ ConnectMatcher: &envoy_config_route_v3.RouteMatch_ConnectMatcher{},
+ },
+ },
+ Action: &envoy_config_route_v3.Route_Route{
+ Route: &envoy_config_route_v3.RouteAction{
+ ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
+ Cluster: "dynamic-forward-proxy-cluster",
+ },
+ UpgradeConfigs: []*envoy_config_route_v3.RouteAction_UpgradeConfig{
+ {
+ UpgradeType: "CONNECT",
+ ConnectConfig: &envoy_config_route_v3.RouteAction_UpgradeConfig_ConnectConfig{},
+ },
+ {
+ UpgradeType: "CONNECT-UDP",
+ ConnectConfig: &envoy_config_route_v3.RouteAction_UpgradeConfig_ConnectConfig{},
+ },
+ },
+ },
+ },
+ TypedPerFilterConfig: map[string]*anypb.Any{
+ PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzDisabled(),
+ },
+ },
+ // XXX: do these need any RequestHeadersToRemove?
+ // XXX: do these need a Decorator?
 }
 }
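Review bot: Both new routes carry `PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzDisabled()`, so the catch-all `Prefix: "/"` route and the CONNECT/CONNECT-UDP route send traffic to `dynamic-forward-proxy-cluster` without ever passing through the authorization filter; together with the listener change that comments out the dedicated SNI-matched filter chain, any client able to reach a virtual host these routes are appended to could use the proxy to open connections to arbitrary DNS-resolvable upstreams, which is an open-proxy/SSRF exposure rather than a relay. Before this merges, keep ext_authz enabled on these routes or confine them to an explicit allowlist of upstream hosts and relay SNI names, and record the decision next to the map with a comment such as `// NOTE: these routes bypass ext_authz and must only be attached to virtual hosts reserved for the relay.` Because the routes are appended after the policy routes (route_configurations.go hunk), the `Prefix: "/"` entry will match every request the earlier routes did not, which is broader than a relay needs and deserves the same comment. The `cfg` parameter of buildDynamicForwardProxyRoutes is no longer referenced in the new body, and the retained `// XXX` questions about RequestHeadersToRemove and Decorator indicate the change is still work in progress.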