Revert "set recommended defaults (#1734)" (#1735)

This reverts commit cd2a86afc4.
2025-07-17 08:38:15 +02:00 · 2021-01-05 10:01:42 -07:00 · 2021-01-05 10:01:42 -07:00 · a07d85b174
commit a07d85b174
parent cd2a86afc4
4 changed files with 22 additions and 104 deletions
--- a/internal/controlplane/xds_cluster_test.go
+++ b/internal/controlplane/xds_cluster_test.go
@ -204,22 +204,12 @@ func Test_buildCluster(t *testing.T) {
 		testutil.AssertProtoJSONEqual(t, `
 			{
 				"name": "example",
-				"perConnectionBufferLimitBytes": 32768,
 				"type": "STRICT_DNS",
-				"typedExtensionProtocolOptions": {
-					"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
-						"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
-						"explicitHttpConfig": {
-							"http2ProtocolOptions": {
-								"allowConnect": true,
-								"initialStreamWindowSize": 65536,
-								"initialConnectionWindowSize": 1048576
-							}
-						}
-					}
-				},
 				"connectTimeout": "10s",
 				"respectDnsTtl": true,
+				"http2ProtocolOptions": {
+					"allowConnect": true
+				},
 				"dnsLookupFamily": "V4_ONLY",
 				"loadAssignment": {
 					"clusterName": "example",
@ -249,20 +239,7 @@ func Test_buildCluster(t *testing.T) {
 		testutil.AssertProtoJSONEqual(t, `
 			{
 				"name": "example",
-				"perConnectionBufferLimitBytes": 32768,
 				"type": "STRICT_DNS",
-				"typedExtensionProtocolOptions": {
-					"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
-						"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
-						"explicitHttpConfig": {
-							"http2ProtocolOptions": {
-								"allowConnect": true,
-								"initialStreamWindowSize": 65536,
-								"initialConnectionWindowSize": 1048576
-							}
-						}
-					}
-				},
 				"connectTimeout": "10s",
 				"respectDnsTtl": true,
 				"transportSocket": {
@ -291,6 +268,9 @@ func Test_buildCluster(t *testing.T) {
 						"sni": "example.com"
 					}
 				},
+				"http2ProtocolOptions": {
+					"allowConnect": true
+				},
 				"loadAssignment": {
 					"clusterName": "example",
 					"endpoints": [{
@ -315,22 +295,12 @@ func Test_buildCluster(t *testing.T) {
 		testutil.AssertProtoJSONEqual(t, `
 			{
 				"name": "example",
-				"perConnectionBufferLimitBytes": 32768,
 				"type": "STATIC",
-				"typedExtensionProtocolOptions": {
-					"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
-						"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
-						"explicitHttpConfig": {
-							"http2ProtocolOptions": {
-								"allowConnect": true,
-								"initialStreamWindowSize": 65536,
-								"initialConnectionWindowSize": 1048576
-							}
-						}
-					}
-				},
 				"connectTimeout": "10s",
 				"respectDnsTtl": true,
+				"http2ProtocolOptions": {
+					"allowConnect": true
+				},
 				"loadAssignment": {
 					"clusterName": "example",
 					"endpoints": [{
@ -355,22 +325,12 @@ func Test_buildCluster(t *testing.T) {
 		testutil.AssertProtoJSONEqual(t, `
 			{
 				"name": "example",
-				"perConnectionBufferLimitBytes": 32768,
 				"type": "STATIC",
-				"typedExtensionProtocolOptions": {
-					"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
-						"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
-						"explicitHttpConfig": {
-							"http2ProtocolOptions": {
-								"allowConnect": true,
-								"initialStreamWindowSize": 65536,
-								"initialConnectionWindowSize": 1048576
-							}
-						}
-					}
-				},
 				"connectTimeout": "10s",
 				"respectDnsTtl": true,
+				"http2ProtocolOptions": {
+					"allowConnect": true
+				},
 				"loadAssignment": {
 					"clusterName": "example",
 					"endpoints": [{
--- a/internal/controlplane/xds_clusters.go
+++ b/internal/controlplane/xds_clusters.go
@ -11,25 +11,14 @@ import (
 	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	envoy_config_endpoint_v3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3"
 	envoy_extensions_transport_sockets_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
-	envoy_extensions_upstreams_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/v3"
 	envoy_type_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
 	"github.com/golang/protobuf/ptypes"
-	"google.golang.org/protobuf/types/known/anypb"
-	"google.golang.org/protobuf/types/known/wrapperspb"

 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/urlutil"
 )

-// recommended defaults: https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge
-const (
-	connectionBufferLimit            uint32 = 32 * 1024
-	maxConcurrentStreams             uint32 = 100
-	initialStreamWindowSizeLimit     uint32 = 64 * 1024
-	initialConnectionWindowSizeLimit uint32 = 1 * 1024 * 1024
-)
-
 func (srv *Server) buildClusters(options *config.Options) []*envoy_config_cluster_v3.Cluster {
 	grpcURL := &url.URL{
 		Scheme: "http",
@ -237,25 +226,11 @@ func buildCluster(
 		RespectDnsTtl:   true,
 		TransportSocket: transportSocket,
 		DnsLookupFamily: dnsLookupFamily,
-		PerConnectionBufferLimitBytes: wrapperspb.UInt32(connectionBufferLimit),
 	}

 	if forceHTTP2 {
-		any, _ := anypb.New(&envoy_extensions_upstreams_http_v3.HttpProtocolOptions{
-			UpstreamProtocolOptions: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig_{
-				ExplicitHttpConfig: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig{
-					ProtocolConfig: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig_Http2ProtocolOptions{
-						Http2ProtocolOptions: &envoy_config_core_v3.Http2ProtocolOptions{
+		cluster.Http2ProtocolOptions = &envoy_config_core_v3.Http2ProtocolOptions{
 			AllowConnect: true,
-							InitialStreamWindowSize:     wrapperspb.UInt32(initialStreamWindowSizeLimit),
-							InitialConnectionWindowSize: wrapperspb.UInt32(initialConnectionWindowSizeLimit),
-						},
-					},
-				},
-			},
-		})
-		cluster.TypedExtensionProtocolOptions = map[string]*anypb.Any{
-			"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": any,
 		}
 	}

--- a/internal/controlplane/xds_listeners.go
+++ b/internal/controlplane/xds_listeners.go
@ -20,7 +20,6 @@ import (
 	"github.com/golang/protobuf/ptypes/wrappers"
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/emptypb"
-	"google.golang.org/protobuf/types/known/wrapperspb"

 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/log"
@ -28,8 +27,6 @@ import (
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 )

-const listenerBufferLimit uint32 = 32 * 1024
-
 var disableExtAuthz *any.Any

 func init() {
@ -67,7 +64,6 @@ func buildMainListener(options *config.Options) *envoy_config_listener_v3.Listen
 					filter,
 				},
 			}},
-			PerConnectionBufferLimitBytes: wrapperspb.UInt32(listenerBufferLimit),
 		}
 	}

@ -104,7 +100,6 @@ func buildMainListener(options *config.Options) *envoy_config_listener_v3.Listen
 				}
 				return filterChain
 			}),
-		PerConnectionBufferLimitBytes: wrapperspb.UInt32(listenerBufferLimit),
 	}
 	return li
 }
@ -161,9 +156,9 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str

 	var grpcClientTimeout *durationpb.Duration
 	if options.GRPCClientTimeout != 0 {
-		grpcClientTimeout = durationpb.New(options.GRPCClientTimeout)
+		grpcClientTimeout = ptypes.DurationProto(options.GRPCClientTimeout)
 	} else {
-		grpcClientTimeout = durationpb.New(30 * time.Second)
+		grpcClientTimeout = ptypes.DurationProto(30 * time.Second)
 	}

 	extAuthZ, _ := ptypes.MarshalAny(&envoy_extensions_filters_http_ext_authz_v3.ExtAuthz{
@ -195,7 +190,7 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str

 	var maxStreamDuration *durationpb.Duration
 	if options.WriteTimeout > 0 {
-		maxStreamDuration = durationpb.New(options.WriteTimeout)
+		maxStreamDuration = ptypes.DurationProto(options.WriteTimeout)
 	}

 	tc, _ := ptypes.MarshalAny(&envoy_http_connection_manager.HttpConnectionManager{
@ -235,15 +230,10 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str
 		},
 		AccessLog: buildAccessLogs(options),
 		CommonHttpProtocolOptions: &envoy_config_core_v3.HttpProtocolOptions{
-			IdleTimeout:       durationpb.New(options.IdleTimeout),
+			IdleTimeout:       ptypes.DurationProto(options.IdleTimeout),
 			MaxStreamDuration: maxStreamDuration,
 		},
-		Http2ProtocolOptions: &envoy_config_core_v3.Http2ProtocolOptions{
-			MaxConcurrentStreams:        wrapperspb.UInt32(maxConcurrentStreams),
-			InitialStreamWindowSize:     wrapperspb.UInt32(initialStreamWindowSizeLimit),
-			InitialConnectionWindowSize: wrapperspb.UInt32(initialConnectionWindowSizeLimit),
-		},
-		RequestTimeout: durationpb.New(options.ReadTimeout),
+		RequestTimeout: ptypes.DurationProto(options.ReadTimeout),
 		Tracing: &envoy_http_connection_manager.HttpConnectionManager_Tracing{
 			RandomSampling: &envoy_type_v3.Percent{Value: options.TracingSampleRate * 100},
 		},
@ -272,7 +262,6 @@ func buildGRPCListener(options *config.Options) *envoy_config_listener_v3.Listen
 					filter,
 				},
 			}},
-			PerConnectionBufferLimitBytes: wrapperspb.UInt32(listenerBufferLimit),
 		}
 	}

@ -308,7 +297,6 @@ func buildGRPCListener(options *config.Options) *envoy_config_listener_v3.Listen
 				}
 				return filterChain
 			}),
-		PerConnectionBufferLimitBytes: wrapperspb.UInt32(listenerBufferLimit),
 	}
 	return li
 }
--- a/internal/controlplane/xds_listeners_test.go
+++ b/internal/controlplane/xds_listeners_test.go
@ -43,11 +43,6 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 			"commonHttpProtocolOptions": {
 				"idleTimeout": "300s"
 			},
-			"http2ProtocolOptions": {
-				"initialConnectionWindowSize": 1048576,
-				"initialStreamWindowSize": 65536,
-				"maxConcurrentStreams": 100
-			},
 			"httpFilters": [
 				{
 					"name": "envoy.filters.http.lua",