fix(kuma-cp) probes without inbound (#1199)

Do `redirect` for probes that don't have inbound Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
kumahq · Nov 23, 2020 · f458cf0 · f458cf0
1 parent 304f36b
commit f458cf0
Show file tree

Hide file tree

Showing 5 changed files with 119 additions and 2 deletions.
diff --git a/pkg/xds/envoy/routes/redirect_configurer.go b/pkg/xds/envoy/routes/redirect_configurer.go
@@ -0,0 +1,55 @@
+package routes
+
+import (
+	envoy_route "github.com/envoyproxy/go-control-plane/envoy/api/v2/route"
+)
+
+// Redirect for paths that match to matchPath returns 301 status code with new port and path
+func Redirect(matchPath, newPath string, allowGetOnly bool, port uint32) VirtualHostBuilderOpt {
+	return VirtualHostBuilderOptFunc(func(config *VirtualHostBuilderConfig) {
+		config.Add(&RedirectConfigurer{
+			matchPath:    matchPath,
+			newPath:      newPath,
+			port:         port,
+			allowGetOnly: allowGetOnly,
+		})
+	})
+}
+
+type RedirectConfigurer struct {
+	matchPath    string
+	newPath      string
+	port         uint32
+	allowGetOnly bool
+}
+
+func (c RedirectConfigurer) Configure(virtualHost *envoy_route.VirtualHost) error {
+	var headersMatcher []*envoy_route.HeaderMatcher
+	if c.allowGetOnly {
+		headersMatcher = []*envoy_route.HeaderMatcher{
+			{
+				Name: ":method",
+				HeaderMatchSpecifier: &envoy_route.HeaderMatcher_ExactMatch{
+					ExactMatch: "GET",
+				},
+			},
+		}
+	}
+	virtualHost.Routes = append(virtualHost.Routes, &envoy_route.Route{
+		Match: &envoy_route.RouteMatch{
+			PathSpecifier: &envoy_route.RouteMatch_Path{
+				Path: c.matchPath,
+			},
+			Headers: headersMatcher,
+		},
+		Action: &envoy_route.Route_Redirect{
+			Redirect: &envoy_route.RedirectAction{
+				PortRedirect: c.port,
+				PathRewriteSpecifier: &envoy_route.RedirectAction_PathRedirect{
+					PathRedirect: c.newPath,
+				},
+			},
+		},
+	})
+	return nil
+}
diff --git a/pkg/xds/envoy/routes/routes_configurer.go → pkg/xds/envoy/routes/route_configurer.go b/pkg/xds/envoy/routes/routes_configurer.go → pkg/xds/envoy/routes/route_configurer.go
diff --git a/pkg/xds/generator/probe_generator.go b/pkg/xds/generator/probe_generator.go
@@ -27,9 +27,23 @@ func (g ProbeProxyGenerator) Generate(ctx xds_context.Context, proxy *model.Prox
 
 	virtualHostBuilder := envoy_routes.NewVirtualHostBuilder().
 		Configure(envoy_routes.CommonVirtualHost("probe"))
+
+	portSet := map[uint32]bool{}
+	for _, inbound := range proxy.Dataplane.Spec.Networking.Inbound {
+		portSet[proxy.Dataplane.Spec.Networking.ToInboundInterface(inbound).WorkloadPort] = true
+	}
 	for _, endpoint := range probes.Endpoints {
-		virtualHostBuilder.Configure(
-			envoy_routes.Route(endpoint.Path, endpoint.InboundPath, names.GetLocalClusterName(endpoint.InboundPort), true))
+		if portSet[endpoint.InboundPort] {
+			virtualHostBuilder.Configure(
+				envoy_routes.Route(endpoint.Path, endpoint.InboundPath, names.GetLocalClusterName(endpoint.InboundPort), true))
+		} else {
+			// On Kubernetes we are overriding probes for every container, but there is no guarantee that given
+			// probe will have an equivalent in inbound interface (ex. sidecar that is not selected by any service).
+			// In this situation there is no local cluster therefore we are sending redirect to a real destination.
+			// System responsible for using virtual probes needs to support redirect (kubelet on K8S supports it).
+			virtualHostBuilder.Configure(
+				envoy_routes.Redirect(endpoint.Path, endpoint.InboundPath, true, endpoint.InboundPort))
+		}
 	}
 
 	probeListener, err := envoy_listeners.NewListenerBuilder().

diff --git a/pkg/xds/generator/probe_generator_test.go b/pkg/xds/generator/probe_generator_test.go
@@ -59,6 +59,9 @@ var _ = Describe("ProbeGenerator", func() {
 		},
 		Entry("base probes", testCase{
 			dataplane: `
+            networking:
+              inbound:
+              - port: 8080
             probes:
               port: 9000
               endpoints:
@@ -72,5 +75,19 @@ var _ = Describe("ProbeGenerator", func() {
 			dataplane: ``,
 			expected:  "02.envoy.golden.yaml",
 		}),
+		Entry("no inbound for probe", testCase{
+			dataplane: `
+            networking:
+              inbound:
+              - port: 1010
+            probes:
+              port: 9000
+              endpoints:
+              - inboundPort: 8080
+                inboundPath: /healthz/probe
+                path: /8080/healthz/probe
+`,
+			expected: "03.envoy.golden.yaml",
+		}),
 	)
 })
diff --git a/pkg/xds/generator/testdata/probe/03.envoy.golden.yaml b/pkg/xds/generator/testdata/probe/03.envoy.golden.yaml
@@ -0,0 +1,31 @@
+resources:
+  - name: probe:listener
+    resource:
+      '@type': type.googleapis.com/envoy.api.v2.Listener
+      address:
+        socketAddress:
+          portValue: 9000
+      filterChains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typedConfig:
+                '@type': type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
+                httpFilters:
+                  - name: envoy.filters.http.router
+                routeConfig:
+                  virtualHosts:
+                    - domains:
+                        - '*'
+                      name: probe
+                      routes:
+                        - match:
+                            headers:
+                              - exactMatch: GET
+                                name: :method
+                            path: /8080/healthz/probe
+                          redirect:
+                            pathRedirect: /healthz/probe
+                            portRedirect: 8080
+                statPrefix: probe_listener
+      name: probe:listener
+      trafficDirection: INBOUND