PROM-5262 | x-service-tag-preference (#450)

Author: MarcinFalkowski

CHANGELOG.md

@@ -3,6 +3,12 @@
 Lists all changes with user impact.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
+## [0.22.12]
+### Changed
+- add service tag preference routing
+- optimize auto service tag routing (don't send config to envoys if disabled, reduce number of metadata ser per route)
+- fix and refactor e2e tests
+
 ## [0.22.11]
 ### Changed
 - Implemented handling of initialResourcesVersions in DeltaRequest for ADS

docs/configuration.md

@@ -148,7 +148,12 @@ Property
  **envoy-control.envoy.snapshot.routing.service-tags.enabled**                                          | If set to true, service tags routing will be enabled                                                                                                                              | false                    
  **envoy-control.envoy.snapshot.routing.service-tags.metadata-key**                                     | What key to use in endpoint metadata to store its service tags                                                                                                                    | tag                      
  **envoy-control.envoy.snapshot.routing.service-tags.header**                                           | What header to use in service tag rules                                                                                                                                           | x-service-tag            
- **envoy-control.envoy.snapshot.routing.service-tags.preference-header**                                | What header to use for service tag preference list. Used for sending info to upstream if 'auto service tags' is in force. In the future also read from downstream request.        | x-service-tag-preference 
+ **envoy-control.envoy.snapshot.routing.service-tags.preference-routing.header**                        | What header to use for service tag preference list. Used for sending info to upstream if 'auto service tags' is enabled and for routing if preference routing is enabled.         | x-service-tag-preference 
+ **envoy-control.envoy.snapshot.routing.service-tags.preference-routing.enable-for-all**                | enable preference routing for all services (services can still be excluded by `disable-for-services` property)                                                                    | false 
+ **envoy-control.envoy.snapshot.routing.service-tags.preference-routing.enable-for-services**           | enable preference routing for selected services                                                                                                                                   | [] 
+ **envoy-control.envoy.snapshot.routing.service-tags.preference-routing.disable-for-services**          | disable preference routing for selected services                                                                                                                                  | []
+ **envoy-control.envoy.snapshot.routing.service-tags.preference-routing.default-preference-env**        | environment variable which default service tag preference for an envoy will be taken from                                                                                         | DEFAULT_SERVICE_TAG_PREFERENCE
+ **envoy-control.envoy.snapshot.routing.service-tags.preference-routing.default-preference-fallback**   | default service tag preference for an envoy if env set in `default-preference-env` is absent                                                                                      | global
  **envoy-control.envoy.snapshot.routing.service-tags.routing-excluded-tags**                            | List of tags predicates that cannot be used for routing. This supports an exact matching (just "string" - EXACT matching) prefixes (PREFIX matching) and regexes (REGEX matching) | empty list               
  **envoy-control.envoy.snapshot.routing.service-tags.allowed-tags-combinations**                        | List of rules, which tags can be conbined together and requested together. Details below                                                                                          | empty list               
  **(...).allowed-tags-combinations[].service-name**                                                     | The rule will apply only for this service                                                                                                                                         | ""                       

envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/MetadataNodeGroup.kt

@@ -9,8 +9,6 @@ import pl.allegro.tech.servicemesh.envoycontrol.logger
 import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties
 import io.envoyproxy.envoy.config.core.v3.Node as NodeV3
 
-@Suppress("MagicNumber")
-val MIN_ENVOY_VERSION_SUPPORTING_UPSTREAM_METADATA = envoyVersion(1, 24)
 @Suppress("MagicNumber")
 val MIN_ENVOY_VERSION_SUPPORTING_JWT_FAILURE_STATUS = envoyVersion(1, 26)
 

envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt

@@ -275,14 +275,39 @@ class ServiceTagsProperties {
     var enabled = false
     var metadataKey = "tag"
     var header = "x-service-tag"
-    var preferenceHeader = "x-service-tag-preference"
+    var preferenceRouting = ServiceTagPreferenceProperties()
     var routingExcludedTags: MutableList<StringMatcher> = mutableListOf()
+    // TODO[PROM-6067]: remove service tag combinations feature
     var allowedTagsCombinations: MutableList<ServiceTagsCombinationsProperties> = mutableListOf()
     var autoServiceTagEnabled = false
     var rejectRequestsWithDuplicatedAutoServiceTag = true
     var addUpstreamServiceTagsHeader: Boolean = false
 
+    // TODO[PROM-6055]: Ultimately, autoServiceTag feature should be removed, when preference routing
+    //  will handle all cases
     fun isAutoServiceTagEffectivelyEnabled() = enabled && autoServiceTagEnabled
+    fun shouldRejectRequestsWithDuplicatedAutoServiceTag() =
+        isAutoServiceTagEffectivelyEnabled() && rejectRequestsWithDuplicatedAutoServiceTag
+}
+
+class ServiceTagPreferenceProperties {
+    var enableForAll = false
+    // TODO(PROM-6088): remove this option: ultimately all services should use it
+    var enableForServices: List<String> = emptyList()
+    var disableForServices: List<String> = emptyList()
+    var header = "x-service-tag-preference"
+    var defaultPreferenceEnv = "DEFAULT_SERVICE_TAG_PREFERENCE"
+    var defaultPreferenceFallback = "global"
+
+    fun isEnabledFor(service: String): Boolean {
+        val enabled = enableForAll || enableForServices.contains(service)
+        if (!enabled) {
+            return false
+        }
+        val disabled = disableForServices.contains(service)
+        return !disabled
+    }
+    fun isEnabledForSome() = enableForAll || enableForServices.isNotEmpty()
 }
 
 class StringMatcher {

envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt

@@ -497,6 +497,7 @@ class EnvoyClustersFactory(
     private fun Cluster.Builder.configureLbSubsets(): Cluster.Builder {
         val canaryEnabled = properties.loadBalancing.canary.enabled
         val tagsEnabled = properties.routing.serviceTags.enabled
+        val tagPreferenceEnabled = properties.routing.serviceTags.preferenceRouting.isEnabledForSome()
 
         if (!canaryEnabled && !tagsEnabled) {
             return this
@@ -533,6 +534,9 @@ class EnvoyClustersFactory(
                 if (tagsEnabled && canaryEnabled) {
                     addTagsAndCanarySelector()
                 }
+                if (tagPreferenceEnabled) {
+                    setMetadataFallbackPolicy(Cluster.LbSubsetConfig.LbSubsetMetadataFallbackPolicy.FALLBACK_LIST)
+                }
             }
         )
     }

envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/EnvoyDefaultFilters.kt

@@ -7,6 +7,7 @@ import io.envoyproxy.envoy.extensions.filters.network.http_connection_manager.v3
 import pl.allegro.tech.servicemesh.envoycontrol.groups.Group
 import pl.allegro.tech.servicemesh.envoycontrol.snapshot.GlobalSnapshot
 import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties
+import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.listeners.HttpFilterFactory
 
 class EnvoyDefaultFilters(
     private val snapshotProperties: SnapshotProperties,
@@ -34,7 +35,7 @@ class EnvoyDefaultFilters(
     private val defaultHeaderToMetadataConfig = headerToMetadataConfig(defaultServiceTagHeaderToMetadataFilterRules)
     private val headerToMetadataHttpFilter = headerToMetadataHttpFilter(defaultHeaderToMetadataConfig)
     private val defaultHeaderToMetadataFilter = { _: Group, _: GlobalSnapshot -> headerToMetadataHttpFilter }
-    private val defaultServiceTagFilter = { _: Group, _: GlobalSnapshot -> serviceTagFilterFactory.luaEgressFilter() }
+    private val defaultServiceTagFilters = serviceTagFilterFactory.egressFilters()
     private val envoyRouterHttpFilter = envoyRouterHttpFilter()
 
     /**
@@ -73,9 +74,9 @@ class EnvoyDefaultFilters(
         compressionFilterFactory.brotliCompressionFilter(group)
     }
 
-    val defaultEgressFilters = listOf(
+    val defaultEgressFilters: List<HttpFilterFactory> = listOf(
         defaultHeaderToMetadataFilter,
-        defaultServiceTagFilter,
+        *defaultServiceTagFilters,
         defaultGzipCompressionFilter,
         defaultBrotliCompressionFilter,
         defaultEnvoyRouterHttpFilter,

envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/LuaFilterFactory.kt

@@ -4,6 +4,7 @@ import com.google.protobuf.Any
 import com.google.protobuf.ListValue
 import com.google.protobuf.Struct
 import com.google.protobuf.Value
+import io.envoyproxy.envoy.config.core.v3.DataSource
 import io.envoyproxy.envoy.config.core.v3.Metadata
 import io.envoyproxy.envoy.extensions.filters.http.lua.v3.Lua
 import io.envoyproxy.envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter
@@ -15,14 +16,8 @@ import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.listeners.filt
 
 class LuaFilterFactory(private val snapshotProperties: SnapshotProperties) {
 
-    private val ingressRbacLoggingScript: String = this::class.java.classLoader
-        .getResource("lua/ingress_rbac_logging.lua")!!.readText()
-
     private val ingressRbacLoggingFilter: HttpFilter? = if (snapshotProperties.incomingPermissions.enabled) {
-        HttpFilter.newBuilder()
-            .setName("envoy.lua")
-            .setTypedConfig(Any.pack(Lua.newBuilder().setInlineCode(ingressRbacLoggingScript).build()))
-            .build()
+        createLuaFilter(luaFile = "lua/ingress_rbac_logging.lua", filterName = "envoy.lua")
     } else {
         null
     }
@@ -32,28 +27,15 @@ class LuaFilterFactory(private val snapshotProperties: SnapshotProperties) {
     fun ingressRbacLoggingFilter(group: Group): HttpFilter? =
         ingressRbacLoggingFilter.takeIf { group.proxySettings.incoming.permissionsEnabled }
 
-    private val ingressClientNameHeaderScript: String = this::class.java.classLoader
-        .getResource("lua/ingress_client_name_header.lua")!!.readText()
-
     private val ingressClientNameHeaderFilter: HttpFilter =
-        HttpFilter.newBuilder()
-            .setName("ingress.client.lua")
-            .setTypedConfig(Any.pack(Lua.newBuilder().setInlineCode(ingressClientNameHeaderScript).build()))
-            .build()
-
-    private val ingressCurrentZoneHeaderScript: String = this::class.java.classLoader
-        .getResource("lua/ingress_current_zone_header.lua")!!.readText()
+        createLuaFilter(luaFile = "lua/ingress_client_name_header.lua", filterName = "ingress.client.lua")
 
     private val ingressCurrentZoneHeaderFilter: HttpFilter =
-        HttpFilter.newBuilder()
-            .setName("ingress.zone.lua")
-            .setTypedConfig(Any.pack(Lua.newBuilder().setInlineCode(ingressCurrentZoneHeaderScript).build()))
-            .build()
+        createLuaFilter(luaFile = "lua/ingress_current_zone_header.lua", filterName = "ingress.zone.lua")
 
-    private val sanUriWildcardRegexForLua = SanUriMatcherFactory(
-        snapshotProperties.incomingPermissions.tlsAuthentication
-    )
-        .sanUriWildcardRegexForLua
+    private val sanUriWildcardRegexForLua =
+        SanUriMatcherFactory(snapshotProperties.incomingPermissions.tlsAuthentication)
+            .sanUriWildcardRegexForLua
 
     fun ingressScriptsMetadata(
         group: Group,
@@ -97,6 +79,38 @@ class LuaFilterFactory(private val snapshotProperties: SnapshotProperties) {
         ingressClientNameHeaderFilter.takeIf { trustedClientIdentityHeader.isNotEmpty() }
 
     fun ingressCurrentZoneHeaderFilter(): HttpFilter = ingressCurrentZoneHeaderFilter
+
+    companion object {
+        private val placeholderFormat = "\"%([0-9a-z_]+)%\"".toRegex(RegexOption.IGNORE_CASE)
+        private val replacementFormat = "[a-z0-9_-]+".toRegex(RegexOption.IGNORE_CASE)
+
+        fun createLuaFilter(
+            luaFile: String,
+            filterName: String,
+            variables: Map<String, String> = emptyMap()
+        ): HttpFilter {
+            val scriptTemplate = this::class.java.classLoader.getResource(luaFile)!!.readText()
+
+            val script = scriptTemplate.replace(placeholderFormat) { match ->
+                val key = match.groupValues[1]
+                val replacement = variables[key]
+                    ?: throw IllegalArgumentException("Missing replacement for placeholder: $key")
+                require(replacement.matches(replacementFormat)) { "invalid replacement format: '$replacement'" }
+                "\"${replacement}\""
+            }
+
+            return HttpFilter.newBuilder()
+                .setName(filterName)
+                .setTypedConfig(
+                    Any.pack(
+                        Lua.newBuilder().setDefaultSourceCode(
+                            DataSource.newBuilder()
+                                .setInlineString(script)
+                        ).build()
+                    )
+                ).build()
+        }
+    }
 }
 
 sealed class LuaMetadataProperty<T>(open val value: T) {
@@ -157,7 +171,8 @@ sealed class LuaMetadataProperty<T>(open val value: T) {
 
         override fun toValue(): Value {
             return Value.newBuilder()
-                .setStructValue(Struct.newBuilder()
+                .setStructValue(
+                    Struct.newBuilder()
                     .apply {
                         value.forEach {
                             putFields(

envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/ServiceTagFilterFactory.kt

@@ -1,22 +1,18 @@
 package pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.listeners.filters
 
-import com.google.protobuf.Any
 import io.envoyproxy.envoy.extensions.filters.http.header_to_metadata.v3.Config
-import io.envoyproxy.envoy.extensions.filters.http.lua.v3.Lua
 import io.envoyproxy.envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter
+import pl.allegro.tech.servicemesh.envoycontrol.groups.Group
 import pl.allegro.tech.servicemesh.envoycontrol.snapshot.ServiceTagsProperties
+import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.listeners.HttpFilterFactory
+import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.listeners.filters.LuaFilterFactory.Companion.createLuaFilter
 
 class ServiceTagFilterFactory(private val properties: ServiceTagsProperties) {
 
     companion object {
         const val AUTO_SERVICE_TAG_PREFERENCE_METADATA = "auto_service_tag_preference"
-        const val SERVICE_TAG_METADATA_KEY_METADATA = "service_tag_metadata_key"
-        const val REJECT_REQUEST_SERVICE_TAG_DUPLICATE = "reject_request_service_tag_duplicate"
     }
 
-    private val luaEgressScript: String = this::class.java.classLoader
-        .getResource("lua/egress_service_tags.lua")!!.readText()
-
     fun headerToMetadataFilterRules(): List<Config.Rule> {
         return listOf(
             Config.Rule.newBuilder()
@@ -33,13 +29,40 @@ class ServiceTagFilterFactory(private val properties: ServiceTagsProperties) {
         )
     }
 
-    fun luaEgressFilter(): HttpFilter = HttpFilter.newBuilder()
-        .setName("envoy.lua.servicetags")
-        .setTypedConfig(
-            Any.pack(
-                Lua.newBuilder()
-                    .setInlineCode(luaEgressScript)
-                    .build()
+    fun egressFilters(): Array<HttpFilterFactory> = arrayOf(
+        { group: Group, _ -> luaEgressServiceTagPreferenceFilter(group) },
+        { _, _ -> luaEgressAutoServiceTagsFilter }
+    )
+
+    private fun luaEgressServiceTagPreferenceFilter(group: Group): HttpFilter? =
+        if (properties.preferenceRouting.isEnabledFor(group.serviceName)) {
+            luaEgressServiceTagPreferenceFilter
+        } else {
+            null
+        }
+
+    private val luaEgressAutoServiceTagsFilter: HttpFilter? =
+        if (properties.shouldRejectRequestsWithDuplicatedAutoServiceTag()) {
+            createLuaFilter(
+                luaFile = "lua/egress_auto_service_tags.lua",
+                filterName = "envoy.lua.auto_service_tags",
+                variables = mapOf(
+                    "SERVICE_TAG_METADATA_KEY" to properties.metadataKey,
+                )
             )
-        ).build()
+        } else {
+            null
+        }
+
+    private val luaEgressServiceTagPreferenceFilter: HttpFilter = createLuaFilter(
+        luaFile = "lua/egress_service_tag_preference.lua",
+        filterName = "envoy.lua.service_tag_preference",
+        variables = mapOf(
+            "SERVICE_TAG_METADATA_KEY" to properties.metadataKey,
+            "SERVICE_TAG_HEADER" to properties.header,
+            "SERVICE_TAG_PREFERENCE_HEADER" to properties.preferenceRouting.header,
+            "DEFAULT_SERVICE_TAG_PREFERENCE_ENV" to properties.preferenceRouting.defaultPreferenceEnv,
+            "DEFAULT_SERVICE_TAG_PREFERENCE_FALLBACK" to properties.preferenceRouting.defaultPreferenceFallback,
+        )
+    )
 }