config: add runtime flags (#5050)
This commit is contained in:
parent
be9bfd9c3f
commit
e7b3d3b6e9
11 changed files with 372 additions and 214 deletions
|
@ -219,7 +219,7 @@ func (b *Builder) BuildBootstrapStaticResources(
|
|||
},
|
||||
},
|
||||
},
|
||||
TypedExtensionProtocolOptions: buildTypedExtensionProtocolOptions(nil, upstreamProtocolHTTP2),
|
||||
TypedExtensionProtocolOptions: buildTypedExtensionProtocolOptions(nil, upstreamProtocolHTTP2, Keepalive(false)),
|
||||
}
|
||||
|
||||
staticResources.Clusters = append(staticResources.Clusters, controlPlaneCluster)
|
||||
|
|
|
@ -55,22 +55,22 @@ func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*env
|
|||
}
|
||||
}
|
||||
|
||||
controlGRPC, err := b.buildInternalCluster(ctx, cfg, "pomerium-control-plane-grpc", grpcURLs, upstreamProtocolHTTP2)
|
||||
controlGRPC, err := b.buildInternalCluster(ctx, cfg, "pomerium-control-plane-grpc", grpcURLs, upstreamProtocolHTTP2, Keepalive(false))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
controlHTTP, err := b.buildInternalCluster(ctx, cfg, "pomerium-control-plane-http", []*url.URL{httpURL}, upstreamProtocolAuto)
|
||||
controlHTTP, err := b.buildInternalCluster(ctx, cfg, "pomerium-control-plane-http", []*url.URL{httpURL}, upstreamProtocolAuto, Keepalive(false))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
controlMetrics, err := b.buildInternalCluster(ctx, cfg, "pomerium-control-plane-metrics", []*url.URL{metricsURL}, upstreamProtocolAuto)
|
||||
controlMetrics, err := b.buildInternalCluster(ctx, cfg, "pomerium-control-plane-metrics", []*url.URL{metricsURL}, upstreamProtocolAuto, Keepalive(false))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
authorizeCluster, err := b.buildInternalCluster(ctx, cfg, "pomerium-authorize", authorizeURLs, upstreamProtocolHTTP2)
|
||||
authorizeCluster, err := b.buildInternalCluster(ctx, cfg, "pomerium-authorize", authorizeURLs, upstreamProtocolHTTP2, Keepalive(false))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -79,7 +79,8 @@ func (b *Builder) BuildClusters(ctx context.Context, cfg *config.Config) ([]*env
|
|||
authorizeCluster.OutlierDetection = grpcOutlierDetection()
|
||||
}
|
||||
|
||||
databrokerCluster, err := b.buildInternalCluster(ctx, cfg, "pomerium-databroker", databrokerURLs, upstreamProtocolHTTP2)
|
||||
databrokerKeepalive := Keepalive(cfg.Options.IsRuntimeFlagSet(config.RuntimeFlagGRPCDatabrokerKeepalive))
|
||||
databrokerCluster, err := b.buildInternalCluster(ctx, cfg, "pomerium-databroker", databrokerURLs, upstreamProtocolHTTP2, databrokerKeepalive)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -139,6 +140,7 @@ func (b *Builder) buildInternalCluster(
|
|||
name string,
|
||||
dsts []*url.URL,
|
||||
upstreamProtocol upstreamProtocolConfig,
|
||||
keepalive Keepalive,
|
||||
) (*envoy_config_cluster_v3.Cluster, error) {
|
||||
cluster := newDefaultEnvoyClusterConfig()
|
||||
cluster.DnsLookupFamily = config.GetEnvoyDNSLookupFamily(cfg.Options.DNSLookupFamily)
|
||||
|
@ -158,7 +160,7 @@ func (b *Builder) buildInternalCluster(
|
|||
}
|
||||
endpoints = append(endpoints, NewEndpoint(dst, ts, 1))
|
||||
}
|
||||
if err := b.buildCluster(cluster, name, endpoints, upstreamProtocol); err != nil {
|
||||
if err := b.buildCluster(cluster, name, endpoints, upstreamProtocol, keepalive); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
@ -207,7 +209,7 @@ func (b *Builder) buildPolicyCluster(ctx context.Context, cfg *config.Config, po
|
|||
cluster.DnsLookupFamily = envoy_config_cluster_v3.Cluster_V4_ONLY
|
||||
}
|
||||
|
||||
if err := b.buildCluster(cluster, name, endpoints, upstreamProtocol); err != nil {
|
||||
if err := b.buildCluster(cluster, name, endpoints, upstreamProtocol, Keepalive(false)); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
@ -388,6 +390,7 @@ func (b *Builder) buildCluster(
|
|||
name string,
|
||||
endpoints []Endpoint,
|
||||
upstreamProtocol upstreamProtocolConfig,
|
||||
keepalive Keepalive,
|
||||
) error {
|
||||
if len(endpoints) == 0 {
|
||||
return errNoEndpoints
|
||||
|
@ -418,7 +421,7 @@ func (b *Builder) buildCluster(
|
|||
cluster.TransportSocket = cluster.TransportSocketMatches[0].TransportSocket
|
||||
}
|
||||
|
||||
cluster.TypedExtensionProtocolOptions = buildTypedExtensionProtocolOptions(endpoints, upstreamProtocol)
|
||||
cluster.TypedExtensionProtocolOptions = buildTypedExtensionProtocolOptions(endpoints, upstreamProtocol, keepalive)
|
||||
cluster.ClusterDiscoveryType = getClusterDiscoveryType(lbEndpoints)
|
||||
|
||||
return cluster.Validate()
|
||||
|
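Review bot: The new `keepalive Keepalive` parameter added to `buildInternalCluster` and `buildCluster` carries no documentation, and every call site in `BuildClusters` except the databroker passes the literal `Keepalive(false)`, so a reader has to follow the value down to `buildUpstreamProtocolOptions` to learn what it controls. A one-line comment on the parameter would close that gap, e.g. `// keepalive enables HTTP/2 connection keepalive PINGs on this cluster; see buildUpstreamProtocolOptions for which upstream protocols honor it.` The databroker line `databrokerKeepalive := Keepalive(cfg.Options.IsRuntimeFlagSet(config.RuntimeFlagGRPCDatabrokerKeepalive))` is the only place the value is computed; a short comment there saying why the other internal clusters (control-plane gRPC/HTTP/metrics, authorize) are left without keepalive would help whoever revisits this when the runtime flag is later removed or made default. Both `buildInternalCluster` and `buildCluster` start and end outside the hunks shown.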
|
|
@ -516,7 +516,7 @@ func Test_buildCluster(t *testing.T) {
|
|||
require.NoError(t, err)
|
||||
cluster := newDefaultEnvoyClusterConfig()
|
||||
cluster.DnsLookupFamily = envoy_config_cluster_v3.Cluster_V4_ONLY
|
||||
err = b.buildCluster(cluster, "example", endpoints, upstreamProtocolHTTP2)
|
||||
err = b.buildCluster(cluster, "example", endpoints, upstreamProtocolHTTP2, Keepalive(false))
|
||||
require.NoErrorf(t, err, "cluster %+v", cluster)
|
||||
testutil.AssertProtoJSONEqual(t, `
|
||||
{
|
||||
|
@ -577,7 +577,7 @@ func Test_buildCluster(t *testing.T) {
|
|||
})
|
||||
require.NoError(t, err)
|
||||
cluster := newDefaultEnvoyClusterConfig()
|
||||
err = b.buildCluster(cluster, "example", endpoints, upstreamProtocolHTTP2)
|
||||
err = b.buildCluster(cluster, "example", endpoints, upstreamProtocolHTTP2, Keepalive(true))
|
||||
require.NoErrorf(t, err, "cluster %+v", cluster)
|
||||
testutil.AssertProtoJSONEqual(t, `
|
||||
{
|
||||
|
@ -690,7 +690,15 @@ func Test_buildCluster(t *testing.T) {
|
|||
"allowConnect": true,
|
||||
"initialConnectionWindowSize": 1048576,
|
||||
"initialStreamWindowSize": 65536,
|
||||
"maxConcurrentStreams": 100
|
||||
"maxConcurrentStreams": 100,
|
||||
"connectionKeepalive": {
|
||||
"connectionIdleInterval": "300s",
|
||||
"interval": "60s",
|
||||
"intervalJitter": {
|
||||
"value": 15
|
||||
},
|
||||
"timeout": "60s"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -745,7 +753,7 @@ func Test_buildCluster(t *testing.T) {
|
|||
})
|
||||
require.NoError(t, err)
|
||||
cluster := newDefaultEnvoyClusterConfig()
|
||||
err = b.buildCluster(cluster, "example", endpoints, upstreamProtocolHTTP2)
|
||||
err = b.buildCluster(cluster, "example", endpoints, upstreamProtocolHTTP2, Keepalive(false))
|
||||
require.NoErrorf(t, err, "cluster %+v", cluster)
|
||||
testutil.AssertProtoJSONEqual(t, `
|
||||
{
|
||||
|
@ -803,7 +811,7 @@ func Test_buildCluster(t *testing.T) {
|
|||
})
|
||||
require.NoError(t, err)
|
||||
cluster := newDefaultEnvoyClusterConfig()
|
||||
err = b.buildCluster(cluster, "example", endpoints, upstreamProtocolHTTP2)
|
||||
err = b.buildCluster(cluster, "example", endpoints, upstreamProtocolHTTP2, Keepalive(false))
|
||||
require.NoErrorf(t, err, "cluster %+v", cluster)
|
||||
testutil.AssertProtoJSONEqual(t, `
|
||||
{
|
||||
|
@ -863,7 +871,7 @@ func Test_buildCluster(t *testing.T) {
|
|||
})
|
||||
require.NoError(t, err)
|
||||
cluster := newDefaultEnvoyClusterConfig()
|
||||
err = b.buildCluster(cluster, "example", endpoints, upstreamProtocolHTTP2)
|
||||
err = b.buildCluster(cluster, "example", endpoints, upstreamProtocolHTTP2, Keepalive(false))
|
||||
require.NoErrorf(t, err, "cluster %+v", cluster)
|
||||
testutil.AssertProtoJSONEqual(t, `
|
||||
{
|
||||
|
@ -916,7 +924,7 @@ func Test_buildCluster(t *testing.T) {
|
|||
EnforcingConsecutive_5Xx: wrapperspb.UInt32(17),
|
||||
SplitExternalLocalOriginErrors: true,
|
||||
}
|
||||
err = b.buildCluster(cluster, "example", endpoints, upstreamProtocolHTTP2)
|
||||
err = b.buildCluster(cluster, "example", endpoints, upstreamProtocolHTTP2, Keepalive(false))
|
||||
require.NoErrorf(t, err, "cluster %+v", cluster)
|
||||
testutil.AssertProtoJSONEqual(t, `
|
||||
{
|
||||
|
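Review bot: The single `Keepalive(true)` case (the second `b.buildCluster` call, which uses `upstreamProtocolHTTP2`) pins the new `connectionKeepalive` block, but nothing pins what happens when keepalive is requested for a cluster whose upstream protocol is not HTTP/2. A case along the lines of `err = b.buildCluster(cluster, "example", endpoints, upstreamProtocolAuto, Keepalive(true))` followed by the usual `testutil.AssertProtoJSONEqual` would document whether the flag is applied, ignored or rejected there, which is exactly what the callers in `BuildClusters` that pass `upstreamProtocolAuto` need to know. `Test_buildCluster` starts and ends outside these hunks.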
|
|
@ -2,11 +2,15 @@ package envoyconfig
|
|||
|
||||
import (
|
||||
"context"
|
||||
"time"
|
||||
|
||||
envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
|
||||
envoy_extensions_http_header_formatters_preserve_case_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/http/header_formatters/preserve_case/v3"
|
||||
envoy_extensions_upstreams_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/v3"
|
||||
typev3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
|
||||
"google.golang.org/protobuf/proto"
|
||||
"google.golang.org/protobuf/types/known/anypb"
|
||||
"google.golang.org/protobuf/types/known/durationpb"
|
||||
"google.golang.org/protobuf/types/known/wrapperspb"
|
||||
|
||||
"github.com/pomerium/pomerium/config"
|
||||
|
@ -41,6 +45,9 @@ var http1ProtocolOptions = &envoy_config_core_v3.Http1ProtocolOptions{
|
|||
},
|
||||
}
|
||||
|
||||
// Keepalive is a type to enable or disable keepalive
|
||||
type Keepalive bool
|
||||
|
||||
var http2ProtocolOptions = &envoy_config_core_v3.Http2ProtocolOptions{
|
||||
AllowConnect: true,
|
||||
MaxConcurrentStreams: wrapperspb.UInt32(maxConcurrentStreams),
|
||||
|
@ -48,27 +55,44 @@ var http2ProtocolOptions = &envoy_config_core_v3.Http2ProtocolOptions{
|
|||
InitialConnectionWindowSize: wrapperspb.UInt32(initialConnectionWindowSizeLimit),
|
||||
}
|
||||
|
||||
func WithKeepalive(src *envoy_config_core_v3.Http2ProtocolOptions) *envoy_config_core_v3.Http2ProtocolOptions {
|
||||
dst := proto.Clone(src).(*envoy_config_core_v3.Http2ProtocolOptions)
|
||||
dst.ConnectionKeepalive = &envoy_config_core_v3.KeepaliveSettings{
|
||||
Interval: durationpb.New(time.Minute),
|
||||
Timeout: durationpb.New(time.Minute),
|
||||
IntervalJitter: &typev3.Percent{Value: 15}, // envoy's default
|
||||
ConnectionIdleInterval: durationpb.New(5 * time.Minute),
|
||||
}
|
||||
return dst
|
||||
}
|
||||
|
||||
func buildTypedExtensionProtocolOptions(
|
||||
endpoints []Endpoint,
|
||||
upstreamProtocol upstreamProtocolConfig,
|
||||
keepalive Keepalive,
|
||||
) map[string]*anypb.Any {
|
||||
return map[string]*anypb.Any{
|
||||
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": marshalAny(buildUpstreamProtocolOptions(endpoints, upstreamProtocol)),
|
||||
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": marshalAny(buildUpstreamProtocolOptions(endpoints, upstreamProtocol, keepalive)),
|
||||
}
|
||||
}
|
||||
|
||||
func buildUpstreamProtocolOptions(
|
||||
endpoints []Endpoint,
|
||||
upstreamProtocol upstreamProtocolConfig,
|
||||
keepalive Keepalive,
|
||||
) *envoy_extensions_upstreams_http_v3.HttpProtocolOptions {
|
||||
switch upstreamProtocol {
|
||||
case upstreamProtocolHTTP2:
|
||||
h2opt := http2ProtocolOptions
|
||||
if keepalive {
|
||||
h2opt = WithKeepalive(http2ProtocolOptions)
|
||||
}
|
||||
// when explicitly configured, force HTTP/2
|
||||
return &envoy_extensions_upstreams_http_v3.HttpProtocolOptions{
|
||||
UpstreamProtocolOptions: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig_{
|
||||
ExplicitHttpConfig: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig{
|
||||
ProtocolConfig: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig_Http2ProtocolOptions{
|
||||
Http2ProtocolOptions: http2ProtocolOptions,
|
||||
Http2ProtocolOptions: h2opt,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
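Review bot: `WithKeepalive` is exported but has no doc comment, and apart from the jitter (`// envoy's default`) the chosen durations are unexplained; a comment such as `// WithKeepalive returns a copy of src with HTTP/2 connection keepalive enabled: a PING every minute on connections idle for five minutes, aborted if no response arrives within a minute (Envoy KeepaliveSettings semantics). src is not modified.` would state the contract, and a line on why these particular values were picked would help. In `buildUpstreamProtocolOptions` the `keepalive` argument is only consulted inside the `upstreamProtocolHTTP2` case visible in this hunk; if the remaining cases (outside the hunk) do not look at it, `Keepalive(true)` with any other protocol is a silent no-op and the parameter deserves either a comment saying so or an explicit check. Finally, `h2opt = WithKeepalive(http2ProtocolOptions)` runs `proto.Clone` on every call with keepalive enabled even though the input is the package-level value; computing `var http2ProtocolOptionsWithKeepalive = WithKeepalive(http2ProtocolOptions)` once next to `http2ProtocolOptions` and selecting between the two in the switch would avoid the per-call clone, which is the pattern the non-keepalive branch already relies on.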
|
|
@ -32,5 +32,5 @@ func Test_buildUpstreamProtocolOptions(t *testing.T) {
|
|||
},
|
||||
},
|
||||
},
|
||||
}, buildUpstreamProtocolOptions(nil, upstreamProtocolHTTP1), protocmp.Transform()))
|
||||
}, buildUpstreamProtocolOptions(nil, upstreamProtocolHTTP1, Keepalive(false)), protocmp.Transform()))
|
||||
}
|
||||
|
|