config: add runtime flags (#5050)

2025-07-29 22:48:15 +02:00 · 2024-04-04 17:51:04 -04:00 · 2024-04-04 17:51:04 -04:00 · e7b3d3b6e9
commit e7b3d3b6e9
parent be9bfd9c3f
11 changed files with 372 additions and 214 deletions
--- a/config/envoyconfig/protocols.go
+++ b/config/envoyconfig/protocols.go
@ -2,11 +2,15 @@ package envoyconfig

 import (
 	"context"
+	"time"

 	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	envoy_extensions_http_header_formatters_preserve_case_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/http/header_formatters/preserve_case/v3"
 	envoy_extensions_upstreams_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/v3"
+	typev3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
+	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/anypb"
+	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/wrapperspb"

 	"github.com/pomerium/pomerium/config"
@ -41,6 +45,9 @@ var http1ProtocolOptions = &envoy_config_core_v3.Http1ProtocolOptions{
 	},
 }

+// Keepalive is a type to enable or disable keepalive
+type Keepalive bool
+
 var http2ProtocolOptions = &envoy_config_core_v3.Http2ProtocolOptions{
 	AllowConnect:                true,
 	MaxConcurrentStreams:        wrapperspb.UInt32(maxConcurrentStreams),
@ -48,27 +55,44 @@ var http2ProtocolOptions = &envoy_config_core_v3.Http2ProtocolOptions{
 	InitialConnectionWindowSize: wrapperspb.UInt32(initialConnectionWindowSizeLimit),
 }

+func WithKeepalive(src *envoy_config_core_v3.Http2ProtocolOptions) *envoy_config_core_v3.Http2ProtocolOptions {
+	dst := proto.Clone(src).(*envoy_config_core_v3.Http2ProtocolOptions)
+	dst.ConnectionKeepalive = &envoy_config_core_v3.KeepaliveSettings{
+		Interval:               durationpb.New(time.Minute),
+		Timeout:                durationpb.New(time.Minute),
+		IntervalJitter:         &typev3.Percent{Value: 15}, // envoy's default
+		ConnectionIdleInterval: durationpb.New(5 * time.Minute),
+	}
+	return dst
+}
+
 func buildTypedExtensionProtocolOptions(
 	endpoints []Endpoint,
 	upstreamProtocol upstreamProtocolConfig,
+	keepalive Keepalive,
 ) map[string]*anypb.Any {
 	return map[string]*anypb.Any{
-		"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": marshalAny(buildUpstreamProtocolOptions(endpoints, upstreamProtocol)),
+		"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": marshalAny(buildUpstreamProtocolOptions(endpoints, upstreamProtocol, keepalive)),
 	}
 }

 func buildUpstreamProtocolOptions(
 	endpoints []Endpoint,
 	upstreamProtocol upstreamProtocolConfig,
+	keepalive Keepalive,
 ) *envoy_extensions_upstreams_http_v3.HttpProtocolOptions {
 	switch upstreamProtocol {
 	case upstreamProtocolHTTP2:
+		h2opt := http2ProtocolOptions
+		if keepalive {
+			h2opt = WithKeepalive(http2ProtocolOptions)
+		}
 		// when explicitly configured, force HTTP/2
 		return &envoy_extensions_upstreams_http_v3.HttpProtocolOptions{
 			UpstreamProtocolOptions: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig_{
 				ExplicitHttpConfig: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig{
 					ProtocolConfig: &envoy_extensions_upstreams_http_v3.HttpProtocolOptions_ExplicitHttpConfig_Http2ProtocolOptions{
-						Http2ProtocolOptions: http2ProtocolOptions,
+						Http2ProtocolOptions: h2opt,
 					},
 				},
 			},