PROM-6104 | establish x-service-tag-preference on ingress (#454)

Author: MarcinFalkowski

CHANGELOG.md

@@ -3,6 +3,10 @@
 Lists all changes with user impact.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
+## [0.22.13]
+### Changed
+- establish x-service-tag-preference on ingress: use the default one if it's more specific, otherwise the request one
+
 ## [0.22.12]
 ### Changed
 - add service tag preference routing 

envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/EnvoyDefaultFilters.kt

@@ -35,7 +35,6 @@ class EnvoyDefaultFilters(
     private val defaultHeaderToMetadataConfig = headerToMetadataConfig(defaultServiceTagHeaderToMetadataFilterRules)
     private val headerToMetadataHttpFilter = headerToMetadataHttpFilter(defaultHeaderToMetadataConfig)
     private val defaultHeaderToMetadataFilter = { _: Group, _: GlobalSnapshot -> headerToMetadataHttpFilter }
-    private val defaultServiceTagFilters = serviceTagFilterFactory.egressFilters()
     private val envoyRouterHttpFilter = envoyRouterHttpFilter()
 
     /**
@@ -74,6 +73,9 @@ class EnvoyDefaultFilters(
         compressionFilterFactory.brotliCompressionFilter(group)
     }
 
+    val defaultServiceTagFilters = serviceTagFilterFactory.egressFilters()
+    val defaultIngressServiceTagFilters = serviceTagFilterFactory.ingressFilters()
+
     val defaultEgressFilters: List<HttpFilterFactory> = listOf(
         defaultHeaderToMetadataFilter,
         *defaultServiceTagFilters,
@@ -87,32 +89,16 @@ class EnvoyDefaultFilters(
     }
 
     /**
+     * Creates a list of http filters with provided user filters. It respects order for crucial default filters.
+     * This function is a recommended way to create list of ingress filters.
+     *
      * Order matters:
      * * defaultClientNameHeaderFilter has to be before defaultRbacLoggingFilter, because the latter consumes results of
      *   the former
      * * defaultRbacLoggingFilter has to be before defaultRbacFilter, otherwise unauthorised requests will not be
      *   logged, because the RBAC filter will stop filter chain execution and subsequent filters will not process
      *   the request
      * * defaultEnvoyRouterHttpFilter - router filter should be always the last filter.
-     *
-     *  Instead of it, use:
-     *  @see ingressFilters()
-     */
-    @Deprecated("It becomes deprecated, because user has no option to add new filters.")
-    val defaultIngressFilters = listOf(
-        defaultClientNameHeaderFilter,
-        defaultAuthorizationHeaderFilter,
-        defaultJwtHttpFilter,
-        defaultRbacLoggingFilter,
-        defaultRbacFilter,
-        defaultRateLimitLuaFilter,
-        defaultRateLimitFilter,
-        defaultEnvoyRouterHttpFilter
-    )
-
-    /**
-     * Creates a list of http filters with provided user filters. It respects order for crucial default filters.
-     * This function is a recommended way to create list of ingress filters.
      */
     fun ingressFilters(vararg filters: (Group, GlobalSnapshot) -> HttpFilter?):
         List<(Group, GlobalSnapshot) -> HttpFilter?> {
@@ -127,6 +113,7 @@ class EnvoyDefaultFilters(
             defaultRbacFilter,
             defaultRateLimitLuaFilter,
             defaultRateLimitFilter,
+            *defaultIngressServiceTagFilters,
             defaultEnvoyRouterHttpFilter
         )
         return preFilters + filters.toList() + postFilters

envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/ServiceTagFilterFactory.kt

@@ -34,13 +34,24 @@ class ServiceTagFilterFactory(private val properties: ServiceTagsProperties) {
         { _, _ -> luaEgressAutoServiceTagsFilter }
     )
 
+    fun ingressFilters(): Array<HttpFilterFactory> = arrayOf(
+        { group: Group, _ -> luaIngressServiceTagPreferenceFilter(group) },
+    )
+
     private fun luaEgressServiceTagPreferenceFilter(group: Group): HttpFilter? =
         if (properties.preferenceRouting.isEnabledFor(group.serviceName)) {
             luaEgressServiceTagPreferenceFilter
         } else {
             null
         }
 
+    private fun luaIngressServiceTagPreferenceFilter(group: Group): HttpFilter? =
+        if (properties.preferenceRouting.isEnabledFor(group.serviceName)) {
+            luaIngressServiceTagPreferenceFilter
+        } else {
+            null
+        }
+
     private val luaEgressAutoServiceTagsFilter: HttpFilter? =
         if (properties.shouldRejectRequestsWithDuplicatedAutoServiceTag()) {
             createLuaFilter(
@@ -67,4 +78,14 @@ class ServiceTagFilterFactory(private val properties: ServiceTagsProperties) {
                 (properties.preferenceRouting.fallbackToAny.enableForServicesWithDefaultPreferenceEqualTo ?: "")
         )
     )
+
+    private val luaIngressServiceTagPreferenceFilter: HttpFilter = createLuaFilter(
+        luaFile = "lua/ingress_service_tag_preference.lua",
+        filterName = "ingress.lua.service_tag_preference",
+        variables = mapOf(
+            "SERVICE_TAG_PREFERENCE_HEADER" to properties.preferenceRouting.header,
+            "DEFAULT_SERVICE_TAG_PREFERENCE_ENV" to properties.preferenceRouting.defaultPreferenceEnv,
+            "DEFAULT_SERVICE_TAG_PREFERENCE_FALLBACK" to properties.preferenceRouting.defaultPreferenceFallback
+        )
+    )
 }

envoy-control-core/src/main/resources/lua/egress_service_tag_preference.lua

@@ -9,7 +9,7 @@ if fallbackToAnyIfDefaultPreferenceEqualTo ~= "" then
     end
 end
 
-function parseServiceTagPreferenceToFallbackList(preferenceString)
+local parseServiceTagPreferenceToFallbackList = function(preferenceString)
     local fallbackList = {}
     local i = 1
     for tag in string.gmatch(preferenceString, "[^|]+") do

envoy-control-core/src/main/resources/lua/ingress_service_tag_preference.lua

@@ -0,0 +1,21 @@
+local defaultServiceTagPreference = os.getenv("%DEFAULT_SERVICE_TAG_PREFERENCE_ENV%") or "%DEFAULT_SERVICE_TAG_PREFERENCE_FALLBACK%"
+local defaultServiceTagPreferenceLength = #defaultServiceTagPreference
+
+local isSuffixOfDefaultPreference = function(requestPreference)
+    local requestPreferenceLength = #requestPreference
+    if requestPreferenceLength >= defaultServiceTagPreferenceLength then
+        return false
+    end
+    return string.sub(defaultServiceTagPreference, -requestPreferenceLength - 1) == "|" .. requestPreference
+end
+
+function envoy_on_request(handle)
+    local requestPreference = handle:headers():getAtIndex("%SERVICE_TAG_PREFERENCE_HEADER%", 0)
+    if not requestPreference then
+        handle:headers():add("%SERVICE_TAG_PREFERENCE_HEADER%", defaultServiceTagPreference)
+        return
+    end
+    if isSuffixOfDefaultPreference(requestPreference) then
+        handle:headers():replace("%SERVICE_TAG_PREFERENCE_HEADER%", defaultServiceTagPreference)
+    end
+end

envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/EnvoyDefaultFiltersTest.kt

@@ -28,6 +28,7 @@ class EnvoyDefaultFiltersTest {
             defaultFilters.defaultRbacFilter,
             defaultFilters.defaultRateLimitLuaFilter,
             defaultFilters.defaultRateLimitFilter,
+            *defaultFilters.defaultIngressServiceTagFilters,
             defaultFilters.defaultEnvoyRouterHttpFilter
         )
 
@@ -57,6 +58,7 @@ class EnvoyDefaultFiltersTest {
             defaultFilters.defaultRbacFilter,
             defaultFilters.defaultRateLimitLuaFilter,
             defaultFilters.defaultRateLimitFilter,
+            *defaultFilters.defaultIngressServiceTagFilters,
             defaultFilters.defaultEnvoyRouterHttpFilter
         )
 

envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/routing/ServiceTagPreferenceIngressTest.kt

@@ -0,0 +1,69 @@
+package pl.allegro.tech.servicemesh.envoycontrol.routing
+
+import okhttp3.Headers.Companion.headersOf
+import okhttp3.Headers.Companion.toHeaders
+import org.assertj.core.api.Assertions.assertThat
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.extension.RegisterExtension
+import pl.allegro.tech.servicemesh.envoycontrol.config.consul.ConsulExtension
+import pl.allegro.tech.servicemesh.envoycontrol.config.envoy.EnvoyExtension
+import pl.allegro.tech.servicemesh.envoycontrol.config.envoycontrol.EnvoyControlExtension
+import pl.allegro.tech.servicemesh.envoycontrol.config.service.HttpsEchoExtension
+import pl.allegro.tech.servicemesh.envoycontrol.config.service.asHttpsEchoResponse
+
+class ServiceTagPreferenceIngressTest {
+
+    companion object {
+        @RegisterExtension
+        val consul = ConsulExtension()
+
+        @RegisterExtension
+        val envoyControl = EnvoyControlExtension(
+            consul = consul, mapOf(
+                "envoy-control.envoy.snapshot.routing.service-tags.enabled" to true,
+                "envoy-control.envoy.snapshot.routing.service-tags.preference-routing.header" to "x-service-tag-preference",
+                "envoy-control.envoy.snapshot.routing.service-tags.preference-routing.default-preference-env" to "DEFAULT_SERVICE_TAG_PREFERENCE",
+                "envoy-control.envoy.snapshot.routing.service-tags.preference-routing.default-preference-fallback" to "global",
+                "envoy-control.envoy.snapshot.routing.service-tags.preference-routing.enable-for-all" to true,
+            )
+        )
+
+        @RegisterExtension
+        val localService = HttpsEchoExtension()
+
+        @RegisterExtension
+        val envoyVte22 = EnvoyExtension(envoyControl = envoyControl, localService = localService).also {
+            it.container.withEnv("DEFAULT_SERVICE_TAG_PREFERENCE", "vte22|global")
+        }
+    }
+
+    @Test
+    fun `should pass request x-service-tag-preference if it's more specific`() {
+        envoyVte22.ingressOperations.callLocalService(
+            endpoint = "/",
+            headers = mapOf("x-service-tag-preference" to "lvte-1|vte22|global").toHeaders()
+        ).asHttpsEchoResponse().let {
+            assertThat(it.requestHeaders).containsEntry("x-service-tag-preference", "lvte-1|vte22|global")
+        }
+    }
+
+    @Test
+    fun `should pass default service tag preference if it's more specific than the request one`() {
+        envoyVte22.ingressOperations.callLocalService(
+            endpoint = "/",
+            headers = mapOf("x-service-tag-preference" to "global").toHeaders()
+        ).asHttpsEchoResponse().let {
+            assertThat(it.requestHeaders).containsEntry("x-service-tag-preference", "vte22|global")
+        }
+    }
+
+    @Test
+    fun `should pass default service tag preference if request preference is absent`() {
+        envoyVte22.ingressOperations.callLocalService(
+            endpoint = "/",
+            headers = headersOf()
+        ).asHttpsEchoResponse().let {
+            assertThat(it.requestHeaders).containsEntry("x-service-tag-preference", "vte22|global")
+        }
+    }
+}