diff --git a/internal/controlplane/xds_cluster_test.go b/internal/controlplane/xds_cluster_test.go
index 6b3d24757..1553b59aa 100644
--- a/internal/controlplane/xds_cluster_test.go
+++ b/internal/controlplane/xds_cluster_test.go
@@ -204,22 +204,12 @@ func Test_buildCluster(t *testing.T) {
 testutil.AssertProtoJSONEqual(t, `
 {
 "name": "example",
- "perConnectionBufferLimitBytes": 32768,
 "type": "STRICT_DNS",
- "typedExtensionProtocolOptions": {
- "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
- "explicitHttpConfig": {
- "http2ProtocolOptions": {
- "allowConnect": true,
- "initialStreamWindowSize": 65536,
- "initialConnectionWindowSize": 1048576
- }
- }
- }
- },
 "connectTimeout": "10s",
 "respectDnsTtl": true,
+ "http2ProtocolOptions": {
+ "allowConnect": true
+ },
 "dnsLookupFamily": "V4_ONLY",
 "loadAssignment": {
 "clusterName": "example",
@@ -249,20 +239,7 @@ func Test_buildCluster(t *testing.T) {
 testutil.AssertProtoJSONEqual(t, `
 {
 "name": "example",
- "perConnectionBufferLimitBytes": 32768,
 "type": "STRICT_DNS",
- "typedExtensionProtocolOptions": {
- "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
- "explicitHttpConfig": {
- "http2ProtocolOptions": {
- "allowConnect": true,
- "initialStreamWindowSize": 65536,
- "initialConnectionWindowSize": 1048576
- }
- }
- }
- },
 "connectTimeout": "10s",
 "respectDnsTtl": true,
 "transportSocket": {
@@ -291,6 +268,9 @@ func Test_buildCluster(t *testing.T) {
 "sni": "example.com"
 }
 },
+ "http2ProtocolOptions": {
+ "allowConnect": true
+ },
 "loadAssignment": {
 "clusterName": "example",
 "endpoints": [{
@@ -315,22 +295,12 @@ func Test_buildCluster(t *testing.T) {
 testutil.AssertProtoJSONEqual(t, `
 {
 "name": "example",
- "perConnectionBufferLimitBytes": 32768,
 "type": "STATIC",
- "typedExtensionProtocolOptions": {
- "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
- "explicitHttpConfig": {
- "http2ProtocolOptions": {
- "allowConnect": true,
- "initialStreamWindowSize": 65536,
- "initialConnectionWindowSize": 1048576
- }
- }
- }
- },
 "connectTimeout": "10s",
 "respectDnsTtl": true,
+ "http2ProtocolOptions": {
+ "allowConnect": true
+ },
 "loadAssignment": {
 "clusterName": "example",
 "endpoints": [{
@@ -355,22 +325,12 @@ func Test_buildCluster(t *testing.T) {
 testutil.AssertProtoJSONEqual(t, `
 {
 "name": "example",
- "perConnectionBufferLimitBytes": 32768,
 "type": "STATIC",
- "typedExtensionProtocolOptions": {
- "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
- "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
- "explicitHttpConfig": {
- "http2ProtocolOptions": {
- "allowConnect": true,
- "initialStreamWindowSize": 65536,
- "initialConnectionWindowSize": 1048576
- }
- }
- }
- },
 "connectTimeout": "10s",
 "respectDnsTtl": true,
+ "http2ProtocolOptions": {
+ "allowConnect": true
+ },
 "loadAssignment": {
 "clusterName": "example",
 "endpoints": [{
diff --git a/internal/controlplane/xds_clusters.go b/internal/controlplane/xds_clusters.go
index 9579646a5..066c42c7c 100644
--- a/internal/controlplane/xds_clusters.go
+++ b/internal/controlplane/xds_clusters.go
@@ -11,25 +11,14 @@ import (
 envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 envoy_config_endpoint_v3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3"
 envoy_extensions_transport_sockets_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
- envoy_extensions_upstreams_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/v3"
 envoy_type_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
 "github.com/golang/protobuf/ptypes"
- "google.golang.org/protobuf/types/known/anypb"
- "google.golang.org/protobuf/types/known/wrapperspb"
 
 "github.com/pomerium/pomerium/config"
 "github.com/pomerium/pomerium/internal/log"
 "github.com/pomerium/pomerium/internal/urlutil"
 )
 
-// recommended defaults: https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge
-const (
- connectionBufferLimit uint32 = 32 * 1024
- maxConcurrentStreams uint32 = 100
- initialStreamWindowSizeLimit uint32 = 64 * 1024
- initialConnectionWindowSizeLimit uint32 = 1 * 1024 * 1024
-)
-
 func (srv *Server) buildClusters(options *config.Options) []*envoy_config_cluster_v3.Cluster {
 grpcURL := &url.URL{
 Scheme: "http",
@@ -234,28 +223,14 @@ func buildCluster(
 }},
 }},
 },
- RespectDnsTtl: true,
- TransportSocket: transportSocket,
- DnsLookupFamily: dnsLookupFamily,
- PerConnectionBufferLimitBytes: wrapperspb.UInt32(connectionBufferLimit),
+ RespectDnsTtl: true,
+ TransportSocket: transportSocket,
+ DnsLookupFamily: dnsLookupFamily,
 }
 
 if forceHTTP2 {
- any, _ := anypb.New(&envoy_extensions_upstreams_http_v3.HttpProtocolOptions{
- UpstreamProtocolOptions: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig_{
- ExplicitHttpConfig: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig{
- ProtocolConfig: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig_Http2ProtocolOptions{
- Http2ProtocolOptions: &envoy_config_core_v3.Http2ProtocolOptions{
- AllowConnect: true,
- InitialStreamWindowSize: wrapperspb.UInt32(initialStreamWindowSizeLimit),
- InitialConnectionWindowSize: wrapperspb.UInt32(initialConnectionWindowSizeLimit),
- },
- },
- },
- },
- })
- cluster.TypedExtensionProtocolOptions = map[string]*anypb.Any{
- "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": any,
+ cluster.Http2ProtocolOptions = &envoy_config_core_v3.Http2ProtocolOptions{
+ AllowConnect: true,
 }
 }
 
diff --git a/internal/controlplane/xds_listeners.go b/internal/controlplane/xds_listeners.go
index f9de5382f..83c9464b5 100644
--- a/internal/controlplane/xds_listeners.go
+++ b/internal/controlplane/xds_listeners.go
@@ -20,7 +20,6 @@ import (
 "github.com/golang/protobuf/ptypes/wrappers"
 "google.golang.org/protobuf/types/known/durationpb"
 "google.golang.org/protobuf/types/known/emptypb"
- "google.golang.org/protobuf/types/known/wrapperspb"
 
 "github.com/pomerium/pomerium/config"
 "github.com/pomerium/pomerium/internal/log"
@@ -28,8 +27,6 @@ import (
 "github.com/pomerium/pomerium/pkg/cryptutil"
 )
 
-const listenerBufferLimit uint32 = 32 * 1024
-
 var disableExtAuthz *any.Any
 
 func init() {
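Review bot: Dropping `PerConnectionBufferLimitBytes` together with the HTTP/2 stream and connection window sizes leaves every upstream connection at Envoy's built-in defaults, which are considerably larger than the 32 KiB / 64 KiB / 1 MiB values the removed constants carried, so the memory a slow or hostile upstream peer can pin per connection goes up; the removed constants' comment pointed at Envoy's edge best-practices page as their source, and nothing in the new code replaces them. The replacement `cluster.Http2ProtocolOptions` is the cluster-level field that Envoy's v3 API marks deprecated in favour of `typed_extension_protocol_options`, which is exactly the form the removed code used, so a reader will be tempted to re-introduce it. If this is a deliberate revert (the commit message is not in view), a comment on the assignment such as `// Http2ProtocolOptions is deprecated upstream; restore typed_extension_protocol_options once <REASON-FOR-REVERT> is resolved` would record why. The same buffer-limit removal appears in xds_listeners.go at @@ -67, @@ -104, @@ -272 and @@ -308. buildCluster starts outside the hunk.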
@@ -67,7 +64,6 @@ func buildMainListener(options *config.Options) *envoy_config_listener_v3.Listen
 filter,
 },
 }},
- PerConnectionBufferLimitBytes: wrapperspb.UInt32(listenerBufferLimit),
 }
 }
 
@@ -104,7 +100,6 @@ func buildMainListener(options *config.Options) *envoy_config_listener_v3.Listen
 }
 return filterChain
 }),
- PerConnectionBufferLimitBytes: wrapperspb.UInt32(listenerBufferLimit),
 }
 return li
 }
@@ -161,9 +156,9 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str
 
 var grpcClientTimeout *durationpb.Duration
 if options.GRPCClientTimeout != 0 {
- grpcClientTimeout = durationpb.New(options.GRPCClientTimeout)
+ grpcClientTimeout = ptypes.DurationProto(options.GRPCClientTimeout)
 } else {
- grpcClientTimeout = durationpb.New(30 * time.Second)
+ grpcClientTimeout = ptypes.DurationProto(30 * time.Second)
 }
 
 extAuthZ, _ := ptypes.MarshalAny(&envoy_extensions_filters_http_ext_authz_v3.ExtAuthz{
@@ -195,7 +190,7 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str
 
 var maxStreamDuration *durationpb.Duration
 if options.WriteTimeout > 0 {
- maxStreamDuration = durationpb.New(options.WriteTimeout)
+ maxStreamDuration = ptypes.DurationProto(options.WriteTimeout)
 }
 
 tc, _ := ptypes.MarshalAny(&envoy_http_connection_manager.HttpConnectionManager{
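Review bot: Switching `durationpb.New` back to `ptypes.DurationProto` at the grpcClientTimeout assignments moves to an API that github.com/golang/protobuf documents as deprecated in favour of the durationpb package, while the surrounding code still declares `var grpcClientTimeout *durationpb.Duration`, so the function now mixes the old and new protobuf packages for the same value. The same swap is made at @@ -195 and @@ -235. If the older call is needed for consistency with the `ptypes.MarshalAny` call below, a one-line comment at the first use, `// ptypes.DurationProto is deprecated; kept alongside ptypes.MarshalAny until the protobuf API migration lands`, would make the choice explicit; otherwise `durationpb.New` is the form to keep. buildMainHTTPConnectionManagerFilter starts and ends outside the hunk.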
@@ -235,15 +230,10 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str
 },
 AccessLog: buildAccessLogs(options),
 CommonHttpProtocolOptions: &envoy_config_core_v3.HttpProtocolOptions{
- IdleTimeout: durationpb.New(options.IdleTimeout),
+ IdleTimeout: ptypes.DurationProto(options.IdleTimeout),
 MaxStreamDuration: maxStreamDuration,
 },
- Http2ProtocolOptions: &envoy_config_core_v3.Http2ProtocolOptions{
- MaxConcurrentStreams: wrapperspb.UInt32(maxConcurrentStreams),
- InitialStreamWindowSize: wrapperspb.UInt32(initialStreamWindowSizeLimit),
- InitialConnectionWindowSize: wrapperspb.UInt32(initialConnectionWindowSizeLimit),
- },
- RequestTimeout: durationpb.New(options.ReadTimeout),
+ RequestTimeout: ptypes.DurationProto(options.ReadTimeout),
 Tracing: &envoy_http_connection_manager.HttpConnectionManager_Tracing{
 RandomSampling: &envoy_type_v3.Percent{Value: options.TracingSampleRate * 100},
 },
@@ -272,7 +262,6 @@ func buildGRPCListener(options *config.Options) *envoy_config_listener_v3.Listen
 filter,
 },
 }},
- PerConnectionBufferLimitBytes: wrapperspb.UInt32(listenerBufferLimit),
 }
 }
 
@@ -308,7 +297,6 @@ func buildGRPCListener(options *config.Options) *envoy_config_listener_v3.Listen
 }
 return filterChain
 }),
- PerConnectionBufferLimitBytes: wrapperspb.UInt32(listenerBufferLimit),
 }
 return li
 }
diff --git a/internal/controlplane/xds_listeners_test.go b/internal/controlplane/xds_listeners_test.go
index 46317d900..d070de34e 100644
--- a/internal/controlplane/xds_listeners_test.go
+++ b/internal/controlplane/xds_listeners_test.go
@@ -43,11 +43,6 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 "commonHttpProtocolOptions": {
 "idleTimeout": "300s"
 },
- "http2ProtocolOptions": {
- "initialConnectionWindowSize": 1048576,
- "initialStreamWindowSize": 65536,
- "maxConcurrentStreams": 100
- },
 "httpFilters": [
 {
 "name": "envoy.filters.http.lua",
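Review bot: Removing the `Http2ProtocolOptions` block from the HTTP connection manager leaves `max_concurrent_streams` and the stream/connection window sizes at Envoy's defaults for every downstream HTTP/2 connection on the main listener, whereas the removed values (100 streams, 64 KiB, 1 MiB) are the ones the deleted constants cited from Envoy's edge best-practices page to bound per-connection memory and stream-concurrency exposure on an internet-facing proxy. Nothing in the hunk puts equivalent limits anywhere else, and the test change at xds_listeners_test.go @@ -43 only drops the expectation rather than pinning replacement values, so the regression is silent. If leaving the defaults is intentional, the rationale belongs next to `CommonHttpProtocolOptions`, e.g. `// NOTE: HTTP/2 stream and window limits deliberately left at Envoy defaults (see <TRACKING-ISSUE>); revisit for edge deployments`. buildMainHTTPConnectionManagerFilter starts and ends outside the hunk.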