feat: support custom HTTP filter ordering

api/v1alpha1/envoyextensionypolicy_types.go

@@ -48,12 +48,14 @@ type EnvoyExtensionPolicySpec struct {
 	// Order matters, as the extensions will be loaded in the order they are
 	// defined in this list.
 	//
+	// +kubebuilder:validation:MaxItems=16
 	// +optional
 	Wasm []Wasm `json:"wasm,omitempty"`
 
 	// ExtProc is an ordered list of external processing filters
 	// that should added to the envoy filter chain
 	//
+	// +kubebuilder:validation:MaxItems=16
 	// +optional
 	ExtProc []ExtProc `json:"extProc,omitempty"`
 }

api/v1alpha1/envoyproxy_types.go

@@ -89,6 +89,7 @@ type EnvoyProxySpec struct {
 	Shutdown *ShutdownConfig `json:"shutdown,omitempty"`
 
 	// FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
+	// The FilterPosition in the list will be applied in the order they are defined.
 	// If unspecified, the default filter order is applied.
 	// Default filter order is:
 	//
@@ -138,7 +139,7 @@ type BackendTLSConfig struct {
 // +kubebuilder:validation:XValidation:rule="(has(self.before) && !has(self.after)) || (!has(self.before) && has(self.after))",message="only one of before or after can be specified"
 type FilterPosition struct {
 	// Name of the filter.
-	Name EnvoyFilter `json:"filter"`
+	Name EnvoyFilter `json:"name"`
 
 	// Before defines the filter that should come before the filter.
 	// Only one of Before or After must be set.

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml

@@ -189,6 +189,7 @@ spec:
                   required:
                   - backendRefs
                   type: object
+                maxItems: 16
                 type: array
               targetRef:
                 description: |-
@@ -398,6 +399,7 @@ spec:
                   - code
                   - name
                   type: object
+                maxItems: 16
                 type: array
             required:
             - targetRef

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml

@@ -224,6 +224,7 @@ spec:
               filterOrder:
                 description: |-
                   FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
+                  The FilterPosition in the list will be applied in the order they are defined.
                   If unspecified, the default filter order is applied.
                   Default filter order is:
 
@@ -295,7 +296,7 @@ spec:
                       - envoy.filters.http.wasm
                       - envoy.filters.http.ext_proc
                       type: string
-                    filter:
+                    name:
                       description: Name of the filter.
                       enum:
                       - envoy.filters.http.cors
@@ -310,7 +311,7 @@ spec:
                       - envoy.filters.http.ext_proc
                       type: string
                   required:
-                  - filter
+                  - name
                   type: object
                   x-kubernetes-validations:
                   - message: one of before or after must be specified

internal/cmd/egctl/translate.go

@@ -362,6 +362,9 @@ func translateGatewayAPIToXds(dnsDomain string, resourceType string, resources *
 				ServiceURL: ratelimit.GetServiceURL("envoy-gateway", dnsDomain),
 			},
 		}
+		if resources.EnvoyProxy != nil {
+			xTranslator.FilterOrder = resources.EnvoyProxy.Spec.FilterOrder
+		}
 		xRes, err := xTranslator.Translate(val)
 		if err != nil {
 			return nil, fmt.Errorf("failed to translate xds ir for key %s value %+v, error:%w", key, val, err)

internal/gatewayapi/testdata/custom-filter-order.in.yaml

@@ -0,0 +1,130 @@
+secrets:
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      namespace: envoy-gateway
+      name: users-secret1
+    data:
+      .htpasswd: "dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo="
+envoyproxy:
+  apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: EnvoyProxy
+  metadata:
+    name: custom-proxy-config
+    namespace: envoy-gateway-system
+  spec:
+    filterOrder:
+      - name: envoy.filters.http.wasm
+        before: envoy.filters.http.jwt_authn
+      - name: envoy.filters.http.cors
+        after: envoy.filters.http.basic_authn
+gateways:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    metadata:
+      namespace: envoy-gateway
+      name: gateway-1
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: http
+          protocol: HTTP
+          port: 80
+          allowedRoutes:
+            namespaces:
+              from: All
+httpRoutes:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: envoy-gateway
+      name: httproute-1
+    spec:
+      hostnames:
+        - www.example.com
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: "/foo"
+          backendRefs:
+            - name: service-1
+              port: 8080
+securityPolicies:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: SecurityPolicy
+    metadata:
+      namespace: envoy-gateway
+      name: policy-for-gateway
+    spec:
+      targetRef:
+        group: gateway.networking.k8s.io
+        kind: Gateway
+        name: gateway-1
+        namespace: envoy-gateway
+      cors:
+        allowOrigins:
+          - "https://*.test.com:8080"
+          - "https://www.test.org:8080"
+        allowMethods:
+          - GET
+          - POST
+      basicAuth:
+        users:
+          name: "users-secret1"
+      jwt:
+        providers:
+          - name: example1
+            issuer: https://one.example.com
+            audiences:
+              - one.foo.com
+            remoteJWKS:
+              uri: https://one.example.com/jwt/public-key/jwks.json
+            claimToHeaders:
+              - header: one-route-example-key
+                claim: claim1
+          - name: example2
+            issuer: http://two.example.com
+            audiences:
+              - two.foo.com
+            remoteJWKS:
+              uri: http://two.example.com/jwt/public-key/jwks.json
+            claimToHeaders:
+              - header: two-route-example-key
+                claim: claim2
+envoyextensionpolicies:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: EnvoyExtensionPolicy
+    metadata:
+      namespace: envoy-gateway
+      name: policy-for-gateway  # This policy should attach httproute-2
+    spec:
+      targetRef:
+        group: gateway.networking.k8s.io
+        kind: Gateway
+        name: gateway-1
+        namespace: envoy-gateway
+      wasm:
+        - name: wasm-filter-1
+          code:
+            type: HTTP
+            http:
+              url: https://www.example.com/wasm-filter-1.wasm
+            sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5
+          config:
+            parameter1:
+              key1: value1
+              key2: value2
+            parameter2: value3
+        - name: wasm-filter-2
+          code:
+            type: HTTP
+            http:
+              url: https://www.example.com/wasm-filter-2.wasm
+            sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980
+          config:
+            parameter1: value1
+            parameter2: value2