Backport of feature: add LUA script Envoy extension support for API gateway into release/1.20.x (#22333)

backport of commit c130367

Co-authored-by: Vikramarjuna <[email protected]>

Author: hc-github-team-consul-core

agent/envoyextensions/builtin/lua/lua.go

@@ -6,16 +6,18 @@ package lua
 import (
 	"errors"
 	"fmt"
+
 	envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 
 	envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	envoy_lua_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/lua/v3"
 	envoy_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	envoy_resource_v3 "github.com/envoyproxy/go-control-plane/pkg/resource/v3"
-	"github.com/hashicorp/consul/api"
-	"github.com/hashicorp/consul/envoyextensions/extensioncommon"
 	"github.com/hashicorp/go-multierror"
 	"github.com/mitchellh/mapstructure"
+
+	"github.com/hashicorp/consul/api"
+	"github.com/hashicorp/consul/envoyextensions/extensioncommon"
 )
 
 var _ extensioncommon.BasicExtension = (*lua)(nil)
@@ -57,7 +59,7 @@ func (l *lua) validate() error {
 	if l.Script == "" {
 		resultErr = multierror.Append(resultErr, fmt.Errorf("missing Script value"))
 	}
-	if l.ProxyType != string(api.ServiceKindConnectProxy) {
+	if l.ProxyType != string(api.ServiceKindConnectProxy) && l.ProxyType != string(api.ServiceKindAPIGateway) {
 		resultErr = multierror.Append(resultErr, fmt.Errorf("unexpected ProxyType %q", l.ProxyType))
 	}
 	if l.Listener != "inbound" && l.Listener != "outbound" {

agent/envoyextensions/builtin/lua/lua_test.go

@@ -6,7 +6,13 @@ package lua
 import (
 	"testing"
 
+	envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
+	envoy_lua_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/lua/v3"
+	envoy_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/types/known/anypb"
 
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/envoyextensions/extensioncommon"
@@ -17,17 +23,15 @@ func TestConstructor(t *testing.T) {
 		m := map[string]interface{}{
 			"ProxyType": "connect-proxy",
 			"Listener":  "inbound",
-			"Script":    "lua-script",
+			"Script":    "function envoy_on_request(request_handle) request_handle:headers():add('test', 'test') end",
 		}
-
 		for k, v := range overrides {
 			m[k] = v
 		}
-
 		return m
 	}
 
-	cases := map[string]struct {
+	tests := map[string]struct {
 		extensionName string
 		arguments     map[string]interface{}
 		expected      lua
@@ -59,7 +63,16 @@ func TestConstructor(t *testing.T) {
 			expected: lua{
 				ProxyType: "connect-proxy",
 				Listener:  "inbound",
-				Script:    "lua-script",
+				Script:    "function envoy_on_request(request_handle) request_handle:headers():add('test', 'test') end",
+			},
+			ok: true,
+		},
+		"api gateway proxy type": {
+			arguments: makeArguments(map[string]interface{}{"ProxyType": "api-gateway"}),
+			expected: lua{
+				ProxyType: "api-gateway",
+				Listener:  "inbound",
+				Script:    "function envoy_on_request(request_handle) request_handle:headers():add('test', 'test') end",
 			},
 			ok: true,
 		},
@@ -68,23 +81,21 @@ func TestConstructor(t *testing.T) {
 			expected: lua{
 				ProxyType: "connect-proxy",
 				Listener:  "inbound",
-				Script:    "lua-script",
+				Script:    "function envoy_on_request(request_handle) request_handle:headers():add('test', 'test') end",
 			},
 			ok: true,
 		},
 	}
 
-	for n, tc := range cases {
-		t.Run(n, func(t *testing.T) {
-
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
 			extensionName := api.BuiltinLuaExtension
 			if tc.extensionName != "" {
 				extensionName = tc.extensionName
 			}
 
-			svc := api.CompoundServiceName{Name: "svc"}
 			ext := extensioncommon.RuntimeConfig{
-				ServiceName: svc,
+				ServiceName: api.CompoundServiceName{Name: "svc"},
 				EnvoyExtension: api.EnvoyExtension{
 					Name:      extensionName,
 					Arguments: tc.arguments,
@@ -102,3 +113,161 @@ func TestConstructor(t *testing.T) {
 		})
 	}
 }
+
+func TestLuaExtension_PatchFilter(t *testing.T) {
+	makeFilter := func(filters []*envoy_http_v3.HttpFilter) *envoy_listener_v3.Filter {
+		hcm := &envoy_http_v3.HttpConnectionManager{
+			HttpFilters: filters,
+		}
+		any, err := anypb.New(hcm)
+		require.NoError(t, err)
+		return &envoy_listener_v3.Filter{
+			Name: "envoy.filters.network.http_connection_manager",
+			ConfigType: &envoy_listener_v3.Filter_TypedConfig{
+				TypedConfig: any,
+			},
+		}
+	}
+
+	makeLuaFilter := func(script string) *envoy_http_v3.HttpFilter {
+		luaConfig := &envoy_lua_v3.Lua{
+			DefaultSourceCode: &envoy_core_v3.DataSource{
+				Specifier: &envoy_core_v3.DataSource_InlineString{
+					InlineString: script,
+				},
+			},
+		}
+		return &envoy_http_v3.HttpFilter{
+			Name: "envoy.filters.http.lua",
+			ConfigType: &envoy_http_v3.HttpFilter_TypedConfig{
+				TypedConfig: mustMarshalAny(luaConfig),
+			},
+		}
+	}
+
+	tests := map[string]struct {
+		extension      *lua
+		filter         *envoy_listener_v3.Filter
+		isInbound      bool
+		expectedFilter *envoy_listener_v3.Filter
+		expectPatched  bool
+		expectError    string
+	}{
+		"non-http filter is ignored": {
+			extension: &lua{
+				ProxyType: "connect-proxy",
+				Listener:  "inbound",
+				Script:    "function envoy_on_request(request_handle) end",
+			},
+			filter: &envoy_listener_v3.Filter{
+				Name: "envoy.filters.network.tcp_proxy",
+			},
+			expectedFilter: &envoy_listener_v3.Filter{
+				Name: "envoy.filters.network.tcp_proxy",
+			},
+			expectPatched: false,
+		},
+		"listener direction mismatch": {
+			extension: &lua{
+				ProxyType: "connect-proxy",
+				Listener:  "inbound",
+				Script:    "function envoy_on_request(request_handle) end",
+			},
+			filter: makeFilter([]*envoy_http_v3.HttpFilter{
+				{Name: "envoy.filters.http.router"},
+			}),
+			isInbound:      false,
+			expectedFilter: makeFilter([]*envoy_http_v3.HttpFilter{{Name: "envoy.filters.http.router"}}),
+			expectPatched:  false,
+		},
+		"successful patch with router filter": {
+			extension: &lua{
+				ProxyType: "connect-proxy",
+				Listener:  "inbound",
+				Script:    "function envoy_on_request(request_handle) end",
+			},
+			filter: makeFilter([]*envoy_http_v3.HttpFilter{
+				{Name: "envoy.filters.http.router"},
+			}),
+			isInbound: true,
+			expectedFilter: makeFilter([]*envoy_http_v3.HttpFilter{
+				makeLuaFilter("function envoy_on_request(request_handle) end"),
+				{Name: "envoy.filters.http.router"},
+			}),
+			expectPatched: true,
+		},
+		"successful patch with multiple filters": {
+			extension: &lua{
+				ProxyType: "connect-proxy",
+				Listener:  "inbound",
+				Script:    "function envoy_on_request(request_handle) end",
+			},
+			filter: makeFilter([]*envoy_http_v3.HttpFilter{
+				{Name: "envoy.filters.http.other1"},
+				{Name: "envoy.filters.http.router"},
+				{Name: "envoy.filters.http.other2"},
+			}),
+			isInbound: true,
+			expectedFilter: makeFilter([]*envoy_http_v3.HttpFilter{
+				{Name: "envoy.filters.http.other1"},
+				makeLuaFilter("function envoy_on_request(request_handle) end"),
+				{Name: "envoy.filters.http.router"},
+				{Name: "envoy.filters.http.other2"},
+			}),
+			expectPatched: true,
+		},
+		"invalid filter config": {
+			extension: &lua{
+				ProxyType: "connect-proxy",
+				Listener:  "inbound",
+				Script:    "function envoy_on_request(request_handle) end",
+			},
+			filter: &envoy_listener_v3.Filter{
+				Name: "envoy.filters.network.http_connection_manager",
+				ConfigType: &envoy_listener_v3.Filter_TypedConfig{
+					TypedConfig: &anypb.Any{},
+				},
+			},
+			isInbound:      true,
+			expectedFilter: nil,
+			expectPatched:  false,
+			expectError:    "error unmarshalling filter",
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			direction := extensioncommon.TrafficDirectionOutbound
+			if tc.isInbound {
+				direction = extensioncommon.TrafficDirectionInbound
+			}
+
+			payload := extensioncommon.FilterPayload{
+				Message:          tc.filter,
+				TrafficDirection: direction,
+			}
+
+			filter, patched, err := tc.extension.PatchFilter(payload)
+
+			if tc.expectError != "" {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.expectError)
+				return
+			}
+
+			require.NoError(t, err)
+			require.Equal(t, tc.expectPatched, patched)
+			if tc.expectedFilter != nil {
+				require.Equal(t, tc.expectedFilter, filter)
+			}
+		})
+	}
+}
+
+func mustMarshalAny(m proto.Message) *anypb.Any {
+	a, err := anypb.New(m)
+	if err != nil {
+		panic(err)
+	}
+	return a
+}

agent/xds/extensionruntime/runtime_config.go

@@ -128,7 +128,29 @@ func GetRuntimeConfigurations(cfgSnap *proxycfg.ConfigSnapshot) map[api.Compound
 				EnvoyID:           envoyID.EnvoyID(),
 				OutgoingProxyKind: api.ServiceKindTerminatingGateway,
 			}
+		}
+	case structs.ServiceKindAPIGateway:
+		kind = api.ServiceKindAPIGateway
+		// For API Gateway, we need to handle the gateway itself
+		localSvc := api.CompoundServiceName{
+			Name:      cfgSnap.Service,
+			Namespace: cfgSnap.ProxyID.NamespaceOrDefault(),
+			Partition: cfgSnap.ProxyID.PartitionOrEmpty(),
+		}
 
+		// Handle extensions for the API Gateway itself
+		extensionConfigurationsMap[localSvc] = []extensioncommon.RuntimeConfig{}
+		cfgSnapExts := convertEnvoyExtensions(cfgSnap.Proxy.EnvoyExtensions)
+		for _, ext := range cfgSnapExts {
+			extCfg := extensioncommon.RuntimeConfig{
+				EnvoyExtension:        ext,
+				ServiceName:           localSvc,
+				IsSourcedFromUpstream: false,
+				Upstreams:             upstreamMap,
+				Kind:                  kind,
+				Protocol:              proxyConfigProtocol(cfgSnap.Proxy.Config),
+			}
+			extensionConfigurationsMap[localSvc] = append(extensionConfigurationsMap[localSvc], extCfg)
 		}
 	}
 

agent/xds/extensionruntime/runtime_config_test.go

@@ -0,0 +1,94 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package extensionruntime
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/hashicorp/consul/agent/proxycfg"
+	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/api"
+	"github.com/hashicorp/consul/envoyextensions/extensioncommon"
+)
+
+func TestGetRuntimeConfigurations_APIGateway(t *testing.T) {
+	tests := []struct {
+		name           string
+		cfgSnap        *proxycfg.ConfigSnapshot
+		expectedConfig map[api.CompoundServiceName][]extensioncommon.RuntimeConfig
+	}{
+		{
+			name: "API Gateway with no extensions",
+			cfgSnap: &proxycfg.ConfigSnapshot{
+				Kind:    structs.ServiceKindAPIGateway,
+				Proxy:   structs.ConnectProxyConfig{},
+				Service: "api-gateway",
+				ProxyID: proxycfg.ProxyID{
+					ServiceID: structs.ServiceID{
+						ID: "api-gateway",
+					},
+				},
+			},
+			expectedConfig: map[api.CompoundServiceName][]extensioncommon.RuntimeConfig{
+				{
+					Name:      "api-gateway",
+					Namespace: "default",
+				}: {},
+			},
+		},
+		{
+			name: "API Gateway with extensions",
+			cfgSnap: &proxycfg.ConfigSnapshot{
+				Kind: structs.ServiceKindAPIGateway,
+				Proxy: structs.ConnectProxyConfig{
+					EnvoyExtensions: []structs.EnvoyExtension{
+						{
+							Name: "builtin/lua",
+							Arguments: map[string]interface{}{
+								"Script": "function envoy_on_response(response_handle) response_handle:headers():add('x-test', 'test') end",
+							},
+						},
+					},
+				},
+				Service: "api-gateway",
+				ProxyID: proxycfg.ProxyID{
+					ServiceID: structs.ServiceID{
+						ID: "api-gateway",
+					},
+				},
+			},
+			expectedConfig: map[api.CompoundServiceName][]extensioncommon.RuntimeConfig{
+				{
+					Name:      "api-gateway",
+					Namespace: "default",
+				}: {
+					{
+						EnvoyExtension: api.EnvoyExtension{
+							Name: "builtin/lua",
+							Arguments: map[string]interface{}{
+								"Script": "function envoy_on_response(response_handle) response_handle:headers():add('x-test', 'test') end",
+							},
+						},
+						ServiceName: api.CompoundServiceName{
+							Name:      "api-gateway",
+							Namespace: "default",
+						},
+						Upstreams:             map[api.CompoundServiceName]*extensioncommon.UpstreamData{},
+						IsSourcedFromUpstream: false,
+						Kind:                  api.ServiceKindAPIGateway,
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			config := GetRuntimeConfigurations(tt.cfgSnap)
+			require.Equal(t, tt.expectedConfig, config)
+		})
+	}
+}