Update proxycfg state management and xDS generation for transparent proxy #9894

freddygv · 2021-03-17T19:42:41Z

This PR makes a few changes:

Adds a cache-type for watches to the new Internal.IntentionUpstreams endpoint
Updates proxycfg watches to account for transparent proxy mode. In this mode we now need to watch our upstream services with the IntentionUpstreams endpoint, and then fire off additional discovery chain watches for those.
Updates xDS generation so that in transparent proxy mode we have a single listener with filter chains that correspond to each upstream service. These filter chains match on the original destination address so that Envoy can know which logical cluster to route to.

By accepting a name the function can be used for other inbound listeners, like the one for TransparentProxy.

agent/xds/endpoints.go

… chain loop

freddygv · 2021-03-17T21:21:35Z

agent/xds/routes.go

 		}

-		if chain == nil || chain.IsDefault() {
-			// TODO(rb): make this do the old school stuff too


What old stuff was this?

rboyer · 2021-03-17T21:26:02Z

agent/proxycfg/state.go

+		if u.CentrallyConfigured {
+			continue
+		}
+		snap.ConnectProxy.UpstreamConfig[u.Identifier()] = &u


Note you are taking the address of the loop variable here, not the spot in the slice.

I think now you're taking the address of a copy of the slice item.

I think the fix would be = &s.proxyCfg.Upstreams[i]

agent/proxycfg/state.go

…yConfigured

agent/xds/listeners.go

rboyer · 2021-03-17T21:38:39Z

agent/xds/listeners.go

@@ -54,35 +58,225 @@ func (s *Server) listenersFromSnapshot(cInfo connectionInfo, cfgSnap *proxycfg.C

 // listenersFromSnapshotConnectProxy returns the "listeners" for a connect proxy service
 func (s *Server) listenersFromSnapshotConnectProxy(cInfo connectionInfo, cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error) {
-	// One listener for each upstream plus the public one
-	resources := make([]proto.Message, len(cfgSnap.Proxy.Upstreams)+1)
+	resources := make([]proto.Message, 1)


Is there a better guesstimate that we can use here now?

There isn't a great one. If in TProxy mode there might only be 2 listeners, since it relies on per-upstream filter chains rather than per-upstream listeners. Outside of TProxy mode it could be the size of the DiscoverChain map.

Not sure if it's worth doing having a variable starting capacity based on whether TProxy is on or not.

agent/xds/listeners.go

rboyer · 2021-03-17T22:17:34Z

agent/xds/listeners.go

+	cfgSnap *proxycfg.ConfigSnapshot,
+	tlsContext *envoy_tls_v3.DownstreamTlsContext,
+) (*envoy_listener_v3.FilterChain, error) {
+	// TODO (freddy) Make this actually legible


I feel like there's some work we could do during ConfigSnapshot construction to alleviate some of this pain down here in the xDS code.

agent/xds/listeners.go

rboyer · 2021-03-17T22:19:49Z

agent/xds/listeners.go

+
+	// Only create the outbound listener when there are upstreams and filter chains are present
+	if outboundListener != nil && hasChains {
+		// Filter chains are stable sorted to avoid draining if the list is provided out of order


rboyer

Left more comments, but LGTM for the alpha.

hashicorp-ci · 2021-03-18T04:29:43Z

🍒 If backport labels were added before merging, cherry-picking will start automatically.

To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/339575.

freddygv added 5 commits March 16, 2021 11:06

Add cache-type for Internal.IntentionUpstreams

7892964

Refactor makePublicListener

3f2489c

By accepting a name the function can be used for other inbound listeners, like the one for TransparentProxy.

Do not include consul as upstream or downstream

37f6846

Update proxycfg for transparent proxy

a54d6a9

Update xds for transparent proxy

ce964f8

freddygv requested a review from a team March 17, 2021 19:42

github-actions bot added the theme/envoy/xds Related to Envoy support label Mar 17, 2021