original_dst listener filter for internal listeners #29652

Closed
kyessenov opened this issue Sep 15, 2023 · 0 comments
Labels
area/listener enhancement Feature requests. Not bugs or questions.

Comments

@kyessenov (Contributor)

Using internal listeners requires the effective source/destination IPs to be set instead of the internal Envoy addresses. This is needed to de-tunnel the inner traffic and apply traffic policies without refactoring the policies in terms of the internal addresses.

The original_dst listener filter seems like the perfect fit for this use case. The feature is to add support for programming the source/destination address via this filter on internal listeners.

@kyessenov added the labels enhancement (Feature requests. Not bugs or questions.) and area/listener, and removed the label triage (Issue requires triage), on Sep 15, 2023.
htuch pushed a commit that referenced this issue Sep 21, 2023
…9655)

Adds support for recovery of the local and remote addresses on internal connections using the original_dst listener filter. This supports two use cases:

- cluster endpoint tunneling: endpoint host metadata is passed through to the internal listener to set the IP destination, for example:

```yaml
name: internal_outbound
load_assignment:
  cluster_name: internal_outbound
  endpoints:
  - lb_endpoints:
    - endpoint:
        address:
          envoy_internal_address:
            server_listener_name: internal_outbound
      metadata:
        filter_metadata:
          envoy.filters.listener.original_dst:
            local: 127.0.0.1:8080 # Actual network destination
transport_socket:
  name: envoy.transport_sockets.internal_upstream
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.internal_upstream.v3.InternalUpstreamTransport
    passthrough_metadata:
    - name: envoy.filters.listener.original_dst
      kind: { host: {}}
    transport_socket:
      name: envoy.transport_sockets.raw_buffer
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer
```

- de-tunneling: a CONNECT stream saves the host as the destination address, which is then passed through to the upstream internal listener. This requires a custom filter that sets a filter state object and marks it as shared with the upstream connection. Example implementation: https://github.com/istio/proxy/blob/master/source/extensions/filters/http/connect_authority/filter.cc

Risk Level: low, new feature
Testing: added
Docs Changes: yes
Release Notes: yes

Issue: #29652
Issue: #29681

Signed-off-by: Kuat Yessenov <kuat@google.com>
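The PR description shows only the cluster half of the endpoint-tunneling case. The listener half, and something that actually consumes the recovered address, are what a practitioner has to supply. The bootstrap below is an added example, not code from the issue, the PR, or Envoy's own documentation. It wires the cluster fragment above to an outer TCP listener and to the internal listener it names, puts the original_dst listener filter on that internal listener, and sends the de-tunneled connection through an ORIGINAL_DST cluster, which connects to the downstream connection's local address (now the restored 127.0.0.1:8080 instead of the internal listener address). The port numbers, the listener name outer_tcp and the cluster name passthrough_original_dst are assumptions chosen for the example.

```yaml
# Added example (not from the issue or the PR): a complete static bootstrap
# that supplies the listener side missing from the cluster fragment above.
# Assumed values: ports 15001/8080, the names outer_tcp and
# passthrough_original_dst.
static_resources:
  listeners:
  # Outer listener: the address real clients connect to. It does nothing but
  # hand the connection to the internal_outbound cluster.
  - name: outer_tcp
    address:
      socket_address:
        address: 127.0.0.1
        port_value: 15001
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: outer
          cluster: internal_outbound

  # Internal listener named by the cluster's envoy_internal_address. Without
  # the original_dst listener filter, the connection's local address here
  # would be the internal listener address rather than the network destination.
  - name: internal_outbound
    internal_listener: {}
    listener_filters:
    - name: envoy.filters.listener.original_dst
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: inner
          cluster: passthrough_original_dst

  clusters:
  # The cluster from the PR description: its only endpoint is the internal
  # listener, and the host metadata carries the real destination, which the
  # internal_upstream transport socket passes through to that listener.
  - name: internal_outbound
    connect_timeout: 1s
    load_assignment:
      cluster_name: internal_outbound
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              envoy_internal_address:
                server_listener_name: internal_outbound
          metadata:
            filter_metadata:
              envoy.filters.listener.original_dst:
                local: 127.0.0.1:8080  # actual network destination
    transport_socket:
      name: envoy.transport_sockets.internal_upstream
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.internal_upstream.v3.InternalUpstreamTransport
        passthrough_metadata:
        - name: envoy.filters.listener.original_dst
          kind: { host: {} }
        transport_socket:
          name: envoy.transport_sockets.raw_buffer
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer

  # Consumes the restored address: an ORIGINAL_DST cluster dials the
  # downstream connection's local address, which is now 127.0.0.1:8080.
  - name: passthrough_original_dst
    type: ORIGINAL_DST
    lb_policy: CLUSTER_PROVIDED
    connect_timeout: 1s

# Internal listeners are only available when this bootstrap extension is loaded.
bootstrap_extensions:
- name: envoy.bootstrap.internal_listener
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener
```

To try it, start a plain TCP service on 127.0.0.1:8080, run Envoy with this file, and connect to 127.0.0.1:15001; the bytes arrive at 8080 even though no listener or route ever names that port directly, because the destination travelled as host metadata and was restored by the listener filter. Two points worth keeping in mind when building policy on top of this. First, in this form the restored address comes from host metadata, that is, from whoever controls the cluster configuration, so only the control plane can steer traffic. Second, in the de-tunneling case from the second bullet the address originates in the client-supplied CONNECT authority, so the custom filter that writes the filter state object is the trust boundary: it should authorize that authority before marking it shared with the upstream connection, and any network or RBAC policy on the internal listener should be written against the restored addresses rather than the internal ones.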