feat(translator): Envoy Extension Policy and ExtProc (envoyproxy#2991)

* start eep Signed-off-by: Guy Daich <guy.daich@sap.com> * fixes Signed-off-by: Guy Daich <guy.daich@sap.com> * tests Signed-off-by: Guy Daich <guy.daich@sap.com> * ext-proc xds Signed-off-by: Guy Daich <guy.daich@sap.com> * impl envoygateway config, remove priority, change backendref Signed-off-by: Guy Daich <guy.daich@sap.com> * fix cel Signed-off-by: Guy Daich <guy.daich@sap.com> * enable by default Signed-off-by: Guy Daich <guy.daich@sap.com> * fix nit Signed-off-by: Guy Daich <guy.daich@sap.com> * revert generated metrics data Signed-off-by: Guy Daich <guy.daich@sap.com> * fix review comments Signed-off-by: Guy Daich <guy.daich@sap.com> * nit: remove unused struct Signed-off-by: Guy Daich <guy.daich@sap.com> --------- Signed-off-by: Guy Daich <guy.daich@sap.com>
guydc · Apr 3, 2024 · 0f87fcb · 0f87fcb
1 parent 9416798
commit 0f87fcb
Show file tree

Hide file tree

Showing 55 changed files with 4,919 additions and 158 deletions.
diff --git a/api/v1alpha1/envoyextensionypolicy_types.go b/api/v1alpha1/envoyextensionypolicy_types.go
@@ -46,22 +46,16 @@ type EnvoyExtensionPolicySpec struct {
 	// TargetRef
 	TargetRef gwapiv1a2.PolicyTargetReferenceWithSectionName `json:"targetRef"`
 
-	// Priority of the EnvoyExtensionPolicy.
-	// If multiple EnvoyExtensionPolices are applied to the same
-	// TargetRef, extensions will execute in the ascending order of
-	// the priority i.e. int32.min has the highest priority and
-	// int32.max has the lowest priority.
-	// Defaults to 0.
-	//
-	// +optional
-	Priority int32 `json:"priority,omitempty"`
-
 	// WASM is a list of Wasm extensions to be loaded by the Gateway.
 	// Order matters, as the extensions will be loaded in the order they are
 	// defined in this list.
 	//
 	// +optional
 	WASM []Wasm `json:"wasm,omitempty"`
+
+	// ExtProc is an ordered list of external processing filters
+	// that should added to the envoy filter chain
+	ExtProc []ExtProc `json:"extProc,omitempty"`
 }
 
 //+kubebuilder:object:root=true

diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go
@@ -151,10 +151,6 @@ type ExtensionAPISettings struct {
 	// EnableEnvoyPatchPolicy enables Envoy Gateway to
 	// reconcile and implement the EnvoyPatchPolicy resources.
 	EnableEnvoyPatchPolicy bool `json:"enableEnvoyPatchPolicy"`
-
-	// EnableEnvoyExtensionPolicy enables Envoy Gateway to
-	// reconcile and implement the EnvoyExtensionPolicy resources.
-	EnableEnvoyExtensionPolicy bool `json:"enableEnvoyExtensionPolicy"`
 }
 
 // EnvoyGatewayProvider defines the desired configuration of a provider.

diff --git a/api/v1alpha1/ext_proc_types.go b/api/v1alpha1/ext_proc_types.go
@@ -0,0 +1,29 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import (
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// +kubebuilder:validation:XValidation:rule="has(self.backendRef) ? (!has(self.backendRef.group) || self.backendRef.group == \"\") : true", message="group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported"
+// +kubebuilder:validation:XValidation:rule="has(self.backendRef) ? (!has(self.backendRef.kind) || self.backendRef.kind == 'Service') : true", message="kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported"
+//
+// ExtProc defines the configuration for External Processing filter.
+type ExtProc struct {
+	// Service defines the configuration of the external processing service
+	BackendRef ExtProcBackendRef `json:"backendRef"`
+}
+
+// ExtProcService defines the gRPC External Processing service using the envoy grpc client
+// The processing request and response messages are defined in
+// https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/ext_proc/v3/external_processor.proto
+type ExtProcBackendRef struct {
+	// BackendObjectReference references a Kubernetes object that represents the
+	// backend server to which the processing requests will be sent.
+	// Only service Kind is supported for now.
+	gwapiv1.BackendObjectReference `json:",inline"`
+}
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
@@ -49,16 +49,105 @@ spec:
           spec:
             description: Spec defines the desired state of EnvoyExtensionPolicy.
             properties:
-              priority:
+              extProc:
                 description: |-
-                  Priority of the EnvoyExtensionPolicy.
-                  If multiple EnvoyExtensionPolices are applied to the same
-                  TargetRef, extensions will execute in the ascending order of
-                  the priority i.e. int32.min has the highest priority and
-                  int32.max has the lowest priority.
-                  Defaults to 0.
-                format: int32
-                type: integer
+                  ExtProc is an ordered list of external processing filters
+                  that should added to the envoy filter chain
+                items:
+                  description: ExtProc defines the configuration for External Processing
+                    filter.
+                  properties:
+                    backendRef:
+                      description: Service defines the configuration of the external
+                        processing service
+                      properties:
+                        group:
+                          default: ""
+                          description: |-
+                            Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                            When unspecified or empty string, core API group is inferred.
+                          maxLength: 253
+                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                        kind:
+                          default: Service
+                          description: |-
+                            Kind is the Kubernetes resource kind of the referent. For example
+                            "Service".
+
+
+                            Defaults to "Service" when not specified.
+
+
+                            ExternalName services can refer to CNAME DNS records that may live
+                            outside of the cluster and as such are difficult to reason about in
+                            terms of conformance. They also may not be safe to forward to (see
+                            CVE-2021-25740 for more information). Implementations SHOULD NOT
+                            support ExternalName Services.
+
+
+                            Support: Core (Services with a type other than ExternalName)
+
+
+                            Support: Implementation-specific (Services with type ExternalName)
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                          type: string
+                        name:
+                          description: Name is the name of the referent.
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                        namespace:
+                          description: |-
+                            Namespace is the namespace of the backend. When unspecified, the local
+                            namespace is inferred.
+
+
+                            Note that when a namespace different than the local namespace is specified,
+                            a ReferenceGrant object is required in the referent namespace to allow that
+                            namespace's owner to accept the reference. See the ReferenceGrant
+                            documentation for details.
+
+
+                            Support: Core
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                          type: string
+                        port:
+                          description: |-
+                            Port specifies the destination port number to use for this resource.
+                            Port is required when the referent is a Kubernetes Service. In this
+                            case, the port number is the service port number, not the target port.
+                            For other resources, destination port might be derived from the referent
+                            resource or this field.
+                          format: int32
+                          maximum: 65535
+                          minimum: 1
+                          type: integer
+                      required:
+                      - name
+                      type: object
+                      x-kubernetes-validations:
+                      - message: Must have port for Service reference
+                        rule: '(size(self.group) == 0 && self.kind == ''Service'')
+                          ? has(self.port) : true'
+                  required:
+                  - backendRef
+                  type: object
+                  x-kubernetes-validations:
+                  - message: group is invalid, only the core API group (specified
+                      by omitting the group field or setting it to an empty string)
+                      is supported
+                    rule: 'has(self.backendRef) ? (!has(self.backendRef.group) ||
+                      self.backendRef.group == "") : true'
+                  - message: kind is invalid, only Service (specified by omitting
+                      the kind field or setting it to 'Service') is supported
+                    rule: 'has(self.backendRef) ? (!has(self.backendRef.kind) || self.backendRef.kind
+                      == ''Service'') : true'
+                type: array
               targetRef:
                 description: |-
                   TargetRef is the name of the Gateway resource this policy

diff --git a/charts/gateway-helm/templates/_rbac.tpl b/charts/gateway-helm/templates/_rbac.tpl
@@ -69,6 +69,7 @@ resources:
 - clienttrafficpolicies
 - backendtrafficpolicies
 - securitypolicies
+- envoyextensionpolicies
 verbs:
 - get
 - list
@@ -83,6 +84,7 @@ resources:
 - clienttrafficpolicies/status
 - backendtrafficpolicies/status
 - securitypolicies/status
+- envoyextensionpolicies/status
 verbs:
 - update
 {{- end }}