allegro
diff --git a/‎CHANGELOG.md‎
Lines changed: 34 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎docs/configuration.md‎
Lines changed: 7 additions & 1 deletion b/‎docs/configuration.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/MetadataNodeGroup.kt‎
Lines changed: 4 additions & 2 deletions b/‎envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/MetadataNodeGroup.kt‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/NodeMetadata.kt‎
Lines changed: 13 additions & 12 deletions b/‎envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/NodeMetadata.kt‎
Lines changed: 13 additions & 12 deletions
diff --git a/‎envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt‎
Lines changed: 11 additions & 1 deletion b/‎envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt‎
Lines changed: 71 additions & 36 deletions b/‎envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt‎
Lines changed: 71 additions & 36 deletions
@@ -5,10 +5,44 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 
+### Changed
+
+## [0.19.19]
+
+### Changed
+- Add default access log filter configuration
+
+## [0.19.18]
+
+### Changed
+- Log authority and lua authority in lua filters
+
+## [0.19.17]
+
+### Changed
+- Added debug endpoint
+
+## [0.19.16]
+
+### Changed
+- Added tcp dumps for downstream
+
+## [0.19.15]
+
 ### Changed
 - Added flags for lua filters
 - Added support for Delta XDS
 
+## [0.19.14]
+
+### Changed
+- Update java-control-plane - remove api v2
+
+## [0.19.13]
+
+### Changed
+- readiness metric
+
 ## [0.19.12]
 
 ### Changed
 
@@ -25,11 +25,17 @@ Property
 Property                                                                                                     | Description                                                                                                                                                                                                           | Default value
 -------------------------------------------------------------------------------------------------------------| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------
 **envoy-control.envoy.snapshot.dynamic-listeners.enabled**                                                   | Enable or disable creating listeners using dynamic configuration                                                                                                                                                      | true
+**envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.enabled**                           | Enable or disable access logs                                                                                                                                                                                         | false
 **envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.time-format**                       | Time format for access logs                                                                                                                                                                                           | "%START_TIME(%FT%T.%3fZ)%"
 **envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.message-format**                    | Message format for access logs                                                                                                                                                                                        | "%PROTOCOL% %REQ(:METHOD)% %REQ(:authority)% %REQ(:PATH)% %DOWNSTREAM_REMOTE_ADDRESS% -> %UPSTREAM_HOST%"
 **envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.level**                             | Logging level for access logs                                                                                                                                                                                         | "TRACE"
 **envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.logger**                            | Logger name for access logs                                                                                                                                                                                           | "envoy.AccessLog"
-**envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.custom-fields**                     | Custom fields, which should be included in  access logs                                                                                                                                                          | "empty map()"
+**envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.custom-fields**                     | Custom fields, which should be included in  access logs                                                                                                                                                               | null
+**envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.filters.status-code**               | Default status code filter for access logs                                                                                                                                                                            | null
+**envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.filters.duration**                  | Default duration filter for access logs                                                                                                                                                                               | null
+**envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.filters.not-health-check**          | Disable health checks filter for access logs                                                                                                                                                                          | true
+**envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.filters.response-flag**             | Default response flag filter for access logs                                                                                                                                                                          | null
+**envoy-control.envoy.snapshot.dynamic-listeners.http-filters.access-log.filters.header**                    | Default header filter for access logs                                                                                                                                                                                 | null
 **envoy-control.envoy.snapshot.dynamic-listeners.http-filters.ingress-xff-num-trusted-hops**                 | Number of trusted hops for ingress filter (refer to [envoy docs](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers.html?highlight=xff_num_trusted_hops#x-forwarded-for))           | 1
 **envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.enabled**                                | Enable or disable creating local reply mapper configuration (refer to [envoy docs](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/local_reply))                                         | false
 **envoy-control.envoy.snapshot.dynamic-listeners.local-reply-mapper.response-format.text-format**            | Text message format with placeholders (refer to [envoy docs](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators))                                             | ""
 
@@ -73,8 +73,10 @@ class MetadataNodeGroup(
         val ingressPortValue = metadata.fieldsMap["ingress_port"]
         val egressHostValue = metadata.fieldsMap["egress_host"]
         val egressPortValue = metadata.fieldsMap["egress_port"]
+        val accessLogProperties = properties.dynamicListeners.httpFilters.accessLog
         val accessLogFilterSettings = AccessLogFilterSettings(
-            metadata.fieldsMap["access_log_filter"]
+            metadata.fieldsMap["access_log_filter"],
+            accessLogProperties.filters
         )
 
         val listenersHostPort = metadataToListenersHostPort(
@@ -96,7 +98,7 @@ class MetadataNodeGroup(
         val preserveExternalRequestId = metadata.fieldsMap["preserve_external_request_id"]?.boolValue
             ?: ListenersConfig.defaultPreserveExternalRequestId
         val accessLogEnabled = metadata.fieldsMap["access_log_enabled"]?.boolValue
-            ?: ListenersConfig.defaultAccessLogEnabled
+            ?: accessLogProperties.enabled
         val enableLuaScript = metadata.fieldsMap["enable_lua_script"]?.boolValue
             ?: ListenersConfig.defaultEnableLuaScript
         val accessLogPath = metadata.fieldsMap["access_log_path"]?.stringValue
 
@@ -6,6 +6,7 @@ import com.google.protobuf.Value
 import com.google.protobuf.util.Durations
 import io.envoyproxy.controlplane.server.exception.RequestException
 import io.grpc.Status
+import pl.allegro.tech.servicemesh.envoycontrol.snapshot.AccessLogFiltersProperties
 import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties
 import pl.allegro.tech.servicemesh.envoycontrol.utils.AccessLogFilterParser
 import pl.allegro.tech.servicemesh.envoycontrol.utils.ComparisonFilterSettings
@@ -32,16 +33,16 @@ class NodeMetadata(metadata: Struct, properties: SnapshotProperties) {
     val proxySettings: ProxySettings = ProxySettings(metadata.fieldsMap["proxy_settings"], properties)
 }
 
-data class AccessLogFilterSettings(val proto: Value?) {
+data class AccessLogFilterSettings(val proto: Value?, val properties: AccessLogFiltersProperties) {
     val statusCodeFilterSettings: ComparisonFilterSettings? = proto?.field("status_code_filter")
-        .toComparisonFilter()
+        .toComparisonFilter(properties.statusCode)
     val durationFilterSettings: ComparisonFilterSettings? = proto?.field("duration_filter")
-        .toComparisonFilter()
-    val notHealthCheckFilter: Boolean? = proto?.field("not_health_check_filter")?.boolValue
+        .toComparisonFilter(properties.duration)
+    val notHealthCheckFilter: Boolean? = proto?.field("not_health_check_filter")?.boolValue ?: properties.notHealthCheck
     val responseFlagFilter: Iterable<String>? = proto?.field("response_flag_filter")
-        .toResponseFlagFilter()
+        .toResponseFlagFilter(properties.responseFlag)
     val headerFilter: HeaderFilterSettings? = proto?.field("header_filter")
-        .toHeaderFilter()
+        .toHeaderFilter(properties.header)
 }
 
 data class ProxySettings(
@@ -73,20 +74,20 @@ private fun getCommunicationMode(proto: Value?): CommunicationMode {
     }
 }
 
-fun Value?.toComparisonFilter(): ComparisonFilterSettings? {
-    return this?.stringValue?.let {
+fun Value?.toComparisonFilter(default: String? = null): ComparisonFilterSettings? {
+    return (this?.stringValue ?: default)?.let {
         AccessLogFilterParser.parseComparisonFilter(it.uppercase())
     }
 }
 
-fun Value?.toResponseFlagFilter(): Iterable<String>? {
-    return this?.stringValue?.let {
+fun Value?.toResponseFlagFilter(default: String? = null): Iterable<String>? {
+    return (this?.stringValue ?: default)?.let {
         AccessLogFilterParser.parseResponseFlagFilter(it.uppercase())
     }
 }
 
-fun Value?.toHeaderFilter(): HeaderFilterSettings? {
-    return this?.stringValue?.let {
+fun Value?.toHeaderFilter(default: String? = null): HeaderFilterSettings? {
+    return (this?.stringValue ?: default)?.let {
         AccessLogFilterParser.parseHeaderFilter(it)
     }
 }
 
@@ -35,7 +35,7 @@ class SnapshotProperties {
     var rateLimit = RateLimitProperties()
     var deltaXdsEnabled = false
     var retryPolicy = RetryPolicyProperties()
-    var shouldAuditGlobalSnapshot = false
+    var tcpDumpsEnabled: Boolean = true
 }
 
 class MetricsProperties {
@@ -54,12 +54,22 @@ class HttpFiltersProperties {
 }
 
 class AccessLogProperties {
+    var enabled = false
     var timeFormat = "%START_TIME(%FT%T.%3fZ)%"
     var messageFormat = "%PROTOCOL% %REQ(:METHOD)% %REQ(:authority)% %REQ(:PATH)% " +
             "%DOWNSTREAM_REMOTE_ADDRESS% -> %UPSTREAM_HOST%"
     var level = "TRACE"
     var logger = "envoy.AccessLog"
     var customFields = mapOf<String, String>()
+    var filters = AccessLogFiltersProperties()
+}
+
+class AccessLogFiltersProperties {
+    var statusCode: String? = null
+    var duration: String? = null
+    var notHealthCheck: Boolean? = true
+    var responseFlag: String? = null
+    var header: String? = null
 }
 
 class OutgoingPermissionsProperties {
 
@@ -27,6 +27,9 @@ import io.envoyproxy.envoy.config.endpoint.v3.LbEndpoint
 import io.envoyproxy.envoy.config.endpoint.v3.LocalityLbEndpoints
 import io.envoyproxy.envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
 import io.envoyproxy.envoy.extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig
+import io.envoyproxy.envoy.extensions.common.tap.v3.AdminConfig
+import io.envoyproxy.envoy.extensions.common.tap.v3.CommonExtensionConfig
+import io.envoyproxy.envoy.extensions.transport_sockets.tap.v3.Tap
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig
@@ -61,12 +64,6 @@ class EnvoyClustersFactory(
     private val allThresholds = CircuitBreakers.newBuilder().addAllThresholds(thresholds).build()
     private val tlsProperties = properties.incomingPermissions.tlsAuthentication
     private val sanUriMatcher = SanUriMatcherFactory(tlsProperties)
-    private val matchPlaintextContext = Cluster.TransportSocketMatch.newBuilder()
-        .setName("plaintext_match")
-        .setTransportSocket(
-            TransportSocket.newBuilder().setName("envoy.transport_sockets.raw_buffer").build()
-        )
-        .build()
 
     private val tlsContextMatch = Struct.newBuilder()
         .putFields(tlsProperties.tlsContextMetadataMatchKey, Value.newBuilder().setBoolValue(true).build())
@@ -94,14 +91,20 @@ class EnvoyClustersFactory(
             val matchTlsContext = Cluster.TransportSocketMatch.newBuilder()
                 .setName("mtls_match")
                 .setMatch(tlsContextMatch)
-                .setTransportSocket(
+                .setTransportSocket(wrapTransportSocket(cluster.name) {
                     TransportSocket.newBuilder()
                         .setName("envoy.transport_sockets.tls")
                         .setTypedConfig(Any.pack(upstreamTlsContext))
-                )
+                        .build()
+                })
                 .build()
 
-            secureCluster.addAllTransportSocketMatches(listOf(matchTlsContext, matchPlaintextContext))
+            secureCluster.addAllTransportSocketMatches(
+                listOf(
+                    matchTlsContext,
+                    createMatchPlainText("plaintext_${cluster.name}")
+                )
+            )
                 .build()
         }
     }
@@ -135,7 +138,7 @@ class EnvoyClustersFactory(
                 )
 
             if (provider.jwksUri.scheme == "https") {
-                cluster.setTransportSocket(
+                cluster.transportSocket = wrapTransportSocket(cluster.name) {
                     TransportSocket.newBuilder()
                         .setName("envoy.transport_sockets.tls")
                         .setTypedConfig(
@@ -151,8 +154,8 @@ class EnvoyClustersFactory(
                                             )
                                     ).build()
                             )
-                        )
-                )
+                        ).build()
+                }
             } else {
                 logger.warn("Jwks url [${provider.jwksUri}] is not using HTTPS scheme.")
             }
@@ -170,7 +173,8 @@ class EnvoyClustersFactory(
                 return listOf(Cluster.newBuilder(cluster).build())
             }
 
-            logger.warn("ratelimit service [{}] cluster required for service [{}] has not been found.",
+            logger.warn(
+                "ratelimit service [{}] cluster required for service [{}] has not been found.",
                 properties.rateLimit.serviceName,
                 group.serviceName
             )
@@ -320,13 +324,15 @@ class EnvoyClustersFactory(
                 ).build()
 
             val upstreamTlsContext = UpstreamTlsContext.newBuilder().setCommonTlsContext(commonTlsContext).build()
-            val transportSocket = TransportSocket.newBuilder()
-                .setTypedConfig(
-                    Any.pack(
-                        upstreamTlsContext
+            val transportSocket = wrapTransportSocket(domainDependency.getClusterName()) {
+                TransportSocket.newBuilder()
+                    .setTypedConfig(
+                        Any.pack(
+                            upstreamTlsContext
+                        )
                     )
-                )
-                .setName("envoy.transport_sockets.tls").build()
+                    .setName("envoy.transport_sockets.tls").build()
+            }
 
             clusterBuilder
                 .setTransportSocket(transportSocket)
@@ -560,23 +566,52 @@ class EnvoyClustersFactory(
                     )
             )
             .setTransportSocket(
-                TransportSocket.newBuilder()
-                    .setName("envoy.transport_sockets.tls")
-                    .setTypedConfig(
-                        Any.pack(
-                            UpstreamTlsContext.newBuilder()
-                                .setCommonTlsContext(
-                                    CommonTlsContext.newBuilder()
-                                        .setValidationContext(
-                                            CertificateValidationContext.newBuilder()
-                                                .setTrustedCa(
-                                                    DataSource.newBuilder().setFilename(properties.trustedCaFile)
-                                                        .build()
-                                                )
-                                        )
-                                ).build()
-                        )
-                    )
+                wrapTransportSocket(properties.dynamicForwardProxy.clusterName) {
+                    TransportSocket.newBuilder()
+                        .setName("envoy.transport_sockets.tls")
+                        .setTypedConfig(
+                            Any.pack(
+                                UpstreamTlsContext.newBuilder()
+                                    .setCommonTlsContext(
+                                        CommonTlsContext.newBuilder()
+                                            .setValidationContext(
+                                                CertificateValidationContext.newBuilder()
+                                                    .setTrustedCa(
+                                                        DataSource.newBuilder().setFilename(properties.trustedCaFile)
+                                                            .build()
+                                                    )
+                                            )
+                                    ).build()
+                            )
+                        ).build()
+                }
             ).build()
     }
+
+    private fun wrapTransportSocket(clusterName: String, supplier: () -> TransportSocket): TransportSocket {
+        return if (properties.tcpDumpsEnabled) {
+            TransportSocket.newBuilder()
+                .setName("envoy.transport_sockets.tap")
+                .setTypedConfig(
+                    Any.pack(
+                        Tap.newBuilder().setCommonConfig(
+                            CommonExtensionConfig.newBuilder().setAdminConfig(
+                                AdminConfig.newBuilder().setConfigId("${clusterName}_tap")
+                            )
+                        ).setTransportSocket(supplier()).build()
+                    )
+                ).build()
+        } else {
+            supplier()
+        }
+    }
+
+    private fun createMatchPlainText(clusterName: String) = Cluster.TransportSocketMatch.newBuilder()
+        .setName("plaintext_match")
+        .setTransportSocket(
+            wrapTransportSocket(clusterName) {
+                TransportSocket.newBuilder().setName("envoy.transport_sockets.raw_buffer").build()
+            }
+        )
+        .build()
 }
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ import com.google.protobuf.Value`
`6`	`6`	`import com.google.protobuf.util.Durations`
`7`	`7`	`import io.envoyproxy.controlplane.server.exception.RequestException`
`8`	`8`	`import io.grpc.Status`
	`9`	`+import pl.allegro.tech.servicemesh.envoycontrol.snapshot.AccessLogFiltersProperties`
`9`	`10`	`import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties`
`10`	`11`	`import pl.allegro.tech.servicemesh.envoycontrol.utils.AccessLogFilterParser`
`11`	`12`	`import pl.allegro.tech.servicemesh.envoycontrol.utils.ComparisonFilterSettings`
`@@ -32,16 +33,16 @@ class NodeMetadata(metadata: Struct, properties: SnapshotProperties) {`
`32`	`33`	`val proxySettings: ProxySettings = ProxySettings(metadata.fieldsMap["proxy_settings"], properties)`
`33`	`34`	`}`
`34`	`35`
`35`		`-data class AccessLogFilterSettings(val proto: Value?) {`
	`36`	`+data class AccessLogFilterSettings(val proto: Value?, val properties: AccessLogFiltersProperties) {`
`36`	`37`	`val statusCodeFilterSettings: ComparisonFilterSettings? = proto?.field("status_code_filter")`
`37`		`- .toComparisonFilter()`
	`38`	`+ .toComparisonFilter(properties.statusCode)`
`38`	`39`	`val durationFilterSettings: ComparisonFilterSettings? = proto?.field("duration_filter")`
`39`		`- .toComparisonFilter()`
`40`		`- val notHealthCheckFilter: Boolean? = proto?.field("not_health_check_filter")?.boolValue`
	`40`	`+ .toComparisonFilter(properties.duration)`
	`41`	`+ val notHealthCheckFilter: Boolean? = proto?.field("not_health_check_filter")?.boolValue ?: properties.notHealthCheck`
`41`	`42`	`val responseFlagFilter: Iterable<String>? = proto?.field("response_flag_filter")`
`42`		`- .toResponseFlagFilter()`
	`43`	`+ .toResponseFlagFilter(properties.responseFlag)`
`43`	`44`	`val headerFilter: HeaderFilterSettings? = proto?.field("header_filter")`
`44`		`- .toHeaderFilter()`
	`45`	`+ .toHeaderFilter(properties.header)`
`45`	`46`	`}`
`46`	`47`
`47`	`48`	`data class ProxySettings(`
`@@ -73,20 +74,20 @@ private fun getCommunicationMode(proto: Value?): CommunicationMode {`
`73`	`74`	`}`
`74`	`75`	`}`
`75`	`76`
`76`		`-fun Value?.toComparisonFilter(): ComparisonFilterSettings? {`
`77`		`- return this?.stringValue?.let {`
	`77`	`+fun Value?.toComparisonFilter(default: String? = null): ComparisonFilterSettings? {`
	`78`	`+ return (this?.stringValue ?: default)?.let {`
`78`	`79`	`AccessLogFilterParser.parseComparisonFilter(it.uppercase())`
`79`	`80`	`}`
`80`	`81`	`}`
`81`	`82`
`82`		`-fun Value?.toResponseFlagFilter(): Iterable<String>? {`
`83`		`- return this?.stringValue?.let {`
	`83`	`+fun Value?.toResponseFlagFilter(default: String? = null): Iterable<String>? {`
	`84`	`+ return (this?.stringValue ?: default)?.let {`
`84`	`85`	`AccessLogFilterParser.parseResponseFlagFilter(it.uppercase())`
`85`	`86`	`}`
`86`	`87`	`}`
`87`	`88`
`88`		`-fun Value?.toHeaderFilter(): HeaderFilterSettings? {`
`89`		`- return this?.stringValue?.let {`
	`89`	`+fun Value?.toHeaderFilter(default: String? = null): HeaderFilterSettings? {`
	`90`	`+ return (this?.stringValue ?: default)?.let {`
`90`	`91`	`AccessLogFilterParser.parseHeaderFilter(it)`
`91`	`92`	`}`
`92`	`93`	`}`