Revert "set recommended defaults (#1734)" (#1735)

This reverts commit cd2a86afc4.
Caleb Doxsey 2021-01-05 10:01:42 -07:00 committed by GitHub
parent cd2a86afc4
commit a07d85b174
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 22 additions and 104 deletions


@ -204,22 +204,12 @@ func Test_buildCluster(t *testing.T) {
testutil.AssertProtoJSONEqual(t, ` testutil.AssertProtoJSONEqual(t, `
{ {
"name": "example", "name": "example",
"perConnectionBufferLimitBytes": 32768,
"type": "STRICT_DNS", "type": "STRICT_DNS",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"explicitHttpConfig": {
"http2ProtocolOptions": {
"allowConnect": true,
"initialStreamWindowSize": 65536,
"initialConnectionWindowSize": 1048576
}
}
}
},
"connectTimeout": "10s", "connectTimeout": "10s",
"respectDnsTtl": true, "respectDnsTtl": true,
"http2ProtocolOptions": {
"allowConnect": true
},
"dnsLookupFamily": "V4_ONLY", "dnsLookupFamily": "V4_ONLY",
"loadAssignment": { "loadAssignment": {
"clusterName": "example", "clusterName": "example",
@ -249,20 +239,7 @@ func Test_buildCluster(t *testing.T) {
testutil.AssertProtoJSONEqual(t, ` testutil.AssertProtoJSONEqual(t, `
{ {
"name": "example", "name": "example",
"perConnectionBufferLimitBytes": 32768,
"type": "STRICT_DNS", "type": "STRICT_DNS",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"explicitHttpConfig": {
"http2ProtocolOptions": {
"allowConnect": true,
"initialStreamWindowSize": 65536,
"initialConnectionWindowSize": 1048576
}
}
}
},
"connectTimeout": "10s", "connectTimeout": "10s",
"respectDnsTtl": true, "respectDnsTtl": true,
"transportSocket": { "transportSocket": {
@ -291,6 +268,9 @@ func Test_buildCluster(t *testing.T) {
"sni": "example.com" "sni": "example.com"
} }
}, },
"http2ProtocolOptions": {
"allowConnect": true
},
"loadAssignment": { "loadAssignment": {
"clusterName": "example", "clusterName": "example",
"endpoints": [{ "endpoints": [{
@ -315,22 +295,12 @@ func Test_buildCluster(t *testing.T) {
testutil.AssertProtoJSONEqual(t, ` testutil.AssertProtoJSONEqual(t, `
{ {
"name": "example", "name": "example",
"perConnectionBufferLimitBytes": 32768,
"type": "STATIC", "type": "STATIC",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"explicitHttpConfig": {
"http2ProtocolOptions": {
"allowConnect": true,
"initialStreamWindowSize": 65536,
"initialConnectionWindowSize": 1048576
}
}
}
},
"connectTimeout": "10s", "connectTimeout": "10s",
"respectDnsTtl": true, "respectDnsTtl": true,
"http2ProtocolOptions": {
"allowConnect": true
},
"loadAssignment": { "loadAssignment": {
"clusterName": "example", "clusterName": "example",
"endpoints": [{ "endpoints": [{
@ -355,22 +325,12 @@ func Test_buildCluster(t *testing.T) {
testutil.AssertProtoJSONEqual(t, ` testutil.AssertProtoJSONEqual(t, `
{ {
"name": "example", "name": "example",
"perConnectionBufferLimitBytes": 32768,
"type": "STATIC", "type": "STATIC",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"explicitHttpConfig": {
"http2ProtocolOptions": {
"allowConnect": true,
"initialStreamWindowSize": 65536,
"initialConnectionWindowSize": 1048576
}
}
}
},
"connectTimeout": "10s", "connectTimeout": "10s",
"respectDnsTtl": true, "respectDnsTtl": true,
"http2ProtocolOptions": {
"allowConnect": true
},
"loadAssignment": { "loadAssignment": {
"clusterName": "example", "clusterName": "example",
"endpoints": [{ "endpoints": [{


@ -11,25 +11,14 @@ import (
envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
envoy_config_endpoint_v3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3" envoy_config_endpoint_v3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3"
envoy_extensions_transport_sockets_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" envoy_extensions_transport_sockets_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
envoy_extensions_upstreams_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/v3"
envoy_type_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" envoy_type_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
"github.com/golang/protobuf/ptypes" "github.com/golang/protobuf/ptypes"
"google.golang.org/protobuf/types/known/anypb"
"google.golang.org/protobuf/types/known/wrapperspb"
"github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/log" "github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/urlutil" "github.com/pomerium/pomerium/internal/urlutil"
) )
// recommended defaults: https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge
const (
connectionBufferLimit uint32 = 32 * 1024
maxConcurrentStreams uint32 = 100
initialStreamWindowSizeLimit uint32 = 64 * 1024
initialConnectionWindowSizeLimit uint32 = 1 * 1024 * 1024
)
func (srv *Server) buildClusters(options *config.Options) []*envoy_config_cluster_v3.Cluster { func (srv *Server) buildClusters(options *config.Options) []*envoy_config_cluster_v3.Cluster {
grpcURL := &url.URL{ grpcURL := &url.URL{
Scheme: "http", Scheme: "http",
@ -234,28 +223,14 @@ func buildCluster(
}}, }},
}}, }},
}, },
RespectDnsTtl: true, RespectDnsTtl: true,
TransportSocket: transportSocket, TransportSocket: transportSocket,
DnsLookupFamily: dnsLookupFamily, DnsLookupFamily: dnsLookupFamily,
PerConnectionBufferLimitBytes: wrapperspb.UInt32(connectionBufferLimit),
} }
if forceHTTP2 { if forceHTTP2 {
any, _ := anypb.New(&envoy_extensions_upstreams_http_v3.HttpProtocolOptions{ cluster.Http2ProtocolOptions = &envoy_config_core_v3.Http2ProtocolOptions{
UpstreamProtocolOptions: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig_{ AllowConnect: true,
ExplicitHttpConfig: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig{
ProtocolConfig: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig_Http2ProtocolOptions{
Http2ProtocolOptions: &envoy_config_core_v3.Http2ProtocolOptions{
AllowConnect: true,
InitialStreamWindowSize: wrapperspb.UInt32(initialStreamWindowSizeLimit),
InitialConnectionWindowSize: wrapperspb.UInt32(initialConnectionWindowSizeLimit),
},
},
},
},
})
cluster.TypedExtensionProtocolOptions = map[string]*anypb.Any{
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": any,
} }
} }
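Review bot: In the `buildCluster` hunk the cluster literal is left without `PerConnectionBufferLimitBytes`, and the `forceHTTP2` branch sets only `AllowConnect: true`, so upstream connections fall back to Envoy's built-in buffer and HTTP/2 flow-control window sizes, with nothing on the page saying why the limits were dropped. If the revert was needed only because of the `TypedExtensionProtocolOptions` form (an inference; the commit message gives no reason), the buffer limit is a plain cluster field and could stay as `PerConnectionBufferLimitBytes: wrapperspb.UInt32(connectionBufferLimit),` together with its constant and import. Otherwise a short comment above the literal, such as `// NOTE: Envoy default buffer and HTTP/2 window limits apply here; edge defaults from #1734 were reverted in #1735`, would keep the gap visible to the next reader. `buildCluster` starts before this hunk and continues after it.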


@ -20,7 +20,6 @@ import (
"github.com/golang/protobuf/ptypes/wrappers" "github.com/golang/protobuf/ptypes/wrappers"
"google.golang.org/protobuf/types/known/durationpb" "google.golang.org/protobuf/types/known/durationpb"
"google.golang.org/protobuf/types/known/emptypb" "google.golang.org/protobuf/types/known/emptypb"
"google.golang.org/protobuf/types/known/wrapperspb"
"github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/log" "github.com/pomerium/pomerium/internal/log"
@ -28,8 +27,6 @@ import (
"github.com/pomerium/pomerium/pkg/cryptutil" "github.com/pomerium/pomerium/pkg/cryptutil"
) )
const listenerBufferLimit uint32 = 32 * 1024
var disableExtAuthz *any.Any var disableExtAuthz *any.Any
func init() { func init() {
@ -67,7 +64,6 @@ func buildMainListener(options *config.Options) *envoy_config_listener_v3.Listen
filter, filter,
}, },
}}, }},
PerConnectionBufferLimitBytes: wrapperspb.UInt32(listenerBufferLimit),
} }
} }
@ -104,7 +100,6 @@ func buildMainListener(options *config.Options) *envoy_config_listener_v3.Listen
} }
return filterChain return filterChain
}), }),
PerConnectionBufferLimitBytes: wrapperspb.UInt32(listenerBufferLimit),
} }
return li return li
} }
@ -161,9 +156,9 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str
var grpcClientTimeout *durationpb.Duration var grpcClientTimeout *durationpb.Duration
if options.GRPCClientTimeout != 0 { if options.GRPCClientTimeout != 0 {
grpcClientTimeout = durationpb.New(options.GRPCClientTimeout) grpcClientTimeout = ptypes.DurationProto(options.GRPCClientTimeout)
} else { } else {
grpcClientTimeout = durationpb.New(30 * time.Second) grpcClientTimeout = ptypes.DurationProto(30 * time.Second)
} }
extAuthZ, _ := ptypes.MarshalAny(&envoy_extensions_filters_http_ext_authz_v3.ExtAuthz{ extAuthZ, _ := ptypes.MarshalAny(&envoy_extensions_filters_http_ext_authz_v3.ExtAuthz{
@ -195,7 +190,7 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str
var maxStreamDuration *durationpb.Duration var maxStreamDuration *durationpb.Duration
if options.WriteTimeout > 0 { if options.WriteTimeout > 0 {
maxStreamDuration = durationpb.New(options.WriteTimeout) maxStreamDuration = ptypes.DurationProto(options.WriteTimeout)
} }
tc, _ := ptypes.MarshalAny(&envoy_http_connection_manager.HttpConnectionManager{ tc, _ := ptypes.MarshalAny(&envoy_http_connection_manager.HttpConnectionManager{
@ -235,15 +230,10 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str
}, },
AccessLog: buildAccessLogs(options), AccessLog: buildAccessLogs(options),
CommonHttpProtocolOptions: &envoy_config_core_v3.HttpProtocolOptions{ CommonHttpProtocolOptions: &envoy_config_core_v3.HttpProtocolOptions{
IdleTimeout: durationpb.New(options.IdleTimeout), IdleTimeout: ptypes.DurationProto(options.IdleTimeout),
MaxStreamDuration: maxStreamDuration, MaxStreamDuration: maxStreamDuration,
}, },
Http2ProtocolOptions: &envoy_config_core_v3.Http2ProtocolOptions{ RequestTimeout: ptypes.DurationProto(options.ReadTimeout),
MaxConcurrentStreams: wrapperspb.UInt32(maxConcurrentStreams),
InitialStreamWindowSize: wrapperspb.UInt32(initialStreamWindowSizeLimit),
InitialConnectionWindowSize: wrapperspb.UInt32(initialConnectionWindowSizeLimit),
},
RequestTimeout: durationpb.New(options.ReadTimeout),
Tracing: &envoy_http_connection_manager.HttpConnectionManager_Tracing{ Tracing: &envoy_http_connection_manager.HttpConnectionManager_Tracing{
RandomSampling: &envoy_type_v3.Percent{Value: options.TracingSampleRate * 100}, RandomSampling: &envoy_type_v3.Percent{Value: options.TracingSampleRate * 100},
}, },
@ -272,7 +262,6 @@ func buildGRPCListener(options *config.Options) *envoy_config_listener_v3.Listen
filter, filter,
}, },
}}, }},
PerConnectionBufferLimitBytes: wrapperspb.UInt32(listenerBufferLimit),
} }
} }
@ -308,7 +297,6 @@ func buildGRPCListener(options *config.Options) *envoy_config_listener_v3.Listen
} }
return filterChain return filterChain
}), }),
PerConnectionBufferLimitBytes: wrapperspb.UInt32(listenerBufferLimit),
} }
return li return li
} }
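Review bot: The `HttpConnectionManager` literal in `buildMainHTTPConnectionManagerFilter` no longer sets `Http2ProtocolOptions`, so `MaxConcurrentStreams` and both initial window sizes are not bounded by this code, and the listener literals in `buildMainListener` and `buildGRPCListener` lose `PerConnectionBufferLimitBytes`. These limits cap how much memory and how many streams a single connection can hold on what appear to be the client-facing listeners, and the commit message records no reason for removing them; a comment such as `// TODO: restore per-connection buffer and HTTP/2 stream limits (reverted in #1735)` at the `CommonHttpProtocolOptions` field would track it. The same hunks also switch `durationpb.New` back to `ptypes.DurationProto`, which golang/protobuf marks as deprecated, while the variables stay typed `*durationpb.Duration`; keeping `RequestTimeout: durationpb.New(options.ReadTimeout),` and the sibling calls would narrow the revert to the defaults themselves. All of the affected functions start or end outside the visible hunks.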


@ -43,11 +43,6 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"commonHttpProtocolOptions": { "commonHttpProtocolOptions": {
"idleTimeout": "300s" "idleTimeout": "300s"
}, },
"http2ProtocolOptions": {
"initialConnectionWindowSize": 1048576,
"initialStreamWindowSize": 65536,
"maxConcurrentStreams": 100
},
"httpFilters": [ "httpFilters": [
{ {
"name": "envoy.filters.http.lua", "name": "envoy.filters.http.lua",