envoy
Feature: Filter Chain Discovery Service
Commit Message: Feature: Filter Chain Discovery Service (SoTW)
Additional Description: Representing tenants as filter chains in Envoy, it's essential to be able to dynamically and independently load the tenant (filter chain) configs. To achieve that, this feature introduces another xDS called Filter Chain Discovery Service, which allows the filter chains inside a listener to be discovered dynamically.
This allows a tenant config to be added, deleted and modified on the fly, without impacting other tenant configs.
This is also an implementation for the ask here: (https://github.com/envoyproxy/envoy/issues/4540). This feature would allow dynamic config update of filter chains.
Main envoy config yaml:
```yaml
admin:
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 9090
node:
  id: envoy_01
  cluster: talon_01
static_resources:
  listeners:
  - name: https_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 9443
    listener_filters:
    - name: envoy.filters.listener.original_dst
    - name: envoy.filters.listener.tls_inspector
    - name: envoy.filters.listener.tenant_inspector
    fcds:
      fcds_name: "filter_chains_config_01"
      config_source:
        path: ./fcds.yaml
  clusters:
  - name: dynamic_forward_proxy_cluster
    connect_timeout: 1s
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
```
fcds (dynamic) config yaml:
```yaml
---
version_info: "0"
resources:
- "@type": type.googleapis.com/envoy.config.listener.v3.FilterChain
  name: "tenant_id_01"
  filter_chain_match:
    tenant_id: "tenant_id_01"
  filters:
  - name: envoy.filters.network.sni_filter
    # <custom filter logic goes here>
  - name: envoy.filters.network.sni_dynamic_forward_proxy
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig
      port_value: 443
      dns_cache_config:
        name: dynamic_forward_proxy_cache_config
        dns_lookup_family: V4_ONLY
  - name: envoy.tcp_proxy
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
      stat_prefix: tcp
      cluster: dynamic_forward_proxy_cluster
- "@type": type.googleapis.com/envoy.config.listener.v3.FilterChain
  name: "tenant_id_02"
  filter_chain_match:
    tenant_id: "tenant_id_02"
  filters:
  - name: envoy.filters.network.sni_filter
    # <custom filter config goes here>
  - name: envoy.filters.network.sni_dynamic_forward_proxy
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig
      port_value: 443
      dns_cache_config:
        name: dynamic_forward_proxy_cache_config
        dns_lookup_family: V4_ONLY
  - name: envoy.tcp_proxy
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
      stat_prefix: tcp
      cluster: dynamic_forward_proxy_cluster
```
Risk Level: High
Testing: Locally tested with Inotify-based config updates.
Pending work: Test and implement filter-chain level draining
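Since a single file-based FCDS resource list carries every tenant's filter chain, one bad update can change which chain a tenant's connections match. The following is an added example, not code from this PR or from Envoy: a pre-publish check over the parsed resources followed by an atomic file replace. `filter_chain_match.tenant_id` is the field used in the sample above; the helper names, the name-equals-tenant convention and the allowed-cluster set are assumptions.

```python
import json, os, tempfile

# Assumption: the only cluster tenants may route to is the one in the page's bootstrap.
ALLOWED_CLUSTERS = {"dynamic_forward_proxy_cluster"}

def lint_filter_chains(resources):
    """Return problems found in a parsed FCDS resource list (empty list = clean)."""
    problems, names, tenants = [], set(), set()
    for i, fc in enumerate(resources):
        name = fc.get("name")
        tenant = fc.get("filter_chain_match", {}).get("tenant_id")
        label = name or f"resources[{i}]"
        if not name or name in names:
            problems.append(f"{label}: missing or duplicate filter chain name")
        if not tenant:
            # With no tenant match the chain is not scoped to a single tenant.
            problems.append(f"{label}: no filter_chain_match.tenant_id")
        elif tenant in tenants:
            problems.append(f"{label}: tenant_id {tenant!r} already matched by another chain")
        elif name and tenant != name:
            # Assumed convention, taken from the page's sample: name == tenant_id.
            problems.append(f"{label}: matches {tenant!r}, expected {name!r}")
        names.add(name)
        tenants.add(tenant)
        last = (fc.get("filters") or [{}])[-1]
        cluster = last.get("typed_config", {}).get("cluster")
        if last.get("name") != "envoy.tcp_proxy":
            problems.append(f"{label}: last filter is not envoy.tcp_proxy")
        elif cluster not in ALLOWED_CLUSTERS:
            problems.append(f"{label}: tcp_proxy targets unexpected cluster {cluster!r}")
    return problems

def publish(resources, version, path):
    """Lint, then replace `path` by rename so a file watcher never reads a partial
    file (assumes FCDS reloads on file move like Envoy's other path-based sources)."""
    problems = lint_filter_chains(resources)
    if problems:
        return problems                      # nothing is written
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:            # JSON output is also valid YAML
        json.dump({"version_info": version, "resources": resources}, f, indent=2)
    os.replace(tmp, path)
    return []

def chain(name, tenant, cluster="dynamic_forward_proxy_cluster"):
    """Constructed sample shaped like one resource in the page's fcds.yaml."""
    return {"@type": "type.googleapis.com/envoy.config.listener.v3.FilterChain",
            "name": name, "filter_chain_match": {"tenant_id": tenant},
            "filters": [{"name": "envoy.filters.network.sni_dynamic_forward_proxy"},
                        {"name": "envoy.tcp_proxy",
                         "typed_config": {"stat_prefix": "tcp", "cluster": cluster}}]}
```

A rejected update returns the list of problems and leaves the previously published file in place.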
Hi @rakeshdatta, welcome and thank you for your contribution.
We will try to review your Pull Request as quickly as possible.
In the meantime, please take a look at the contribution guidelines if you have not done so already.
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @mattklein123
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).
Assigning over to @htuch @adisuissa for first pass on API and general feature overview. Thank you!
/wait
/wait
I am working on the comments plus the draining logic. Will be back shortly. Thanks for reviewing the PR.
@rakeshdatta thanks for all this. Can you take a look at https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md and in particular the stanza starting with "Once your PR is under review, please do not rebase it. "
Thank you!
Looks like CI is not healthy right now.
/wait
Hi @jmarantz, Thank you for sharing! I am aware of the rebasing requirement; however, I was actually trying to fix the DCO in the very first commit by rebasing the technique. That is not helping though. In case there is an easier way to fix the DCO in the very first commit, could u plz suggest? Thanks again!
I know that it's possible to "repair" a PR with git magic (and losing PR comments in the process). But usually I find it easiest to simply open a new PR, and reference the old one from it. That way any comments in the old PR are not lost.
Maybe the most important thing, though, as you start to contribute to Envoy, is to set up a github hook to automatically add the signed-by line. There are instructions in https://github.com/envoyproxy/envoy/blob/main/DEVELOPER.md
/wait
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!
This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!