| // Copyright Istio Authors |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| package filters |
| |
| import ( |
| cluster "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3" |
| core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" |
| listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" |
| route "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" |
| cors "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/cors/v3" |
| fault "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/fault/v3" |
| grpcstats "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_stats/v3" |
| grpcweb "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_web/v3" |
| router "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3" |
| httpwasm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/wasm/v3" |
| httpinspector "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/http_inspector/v3" |
| originaldst "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/original_dst/v3" |
| originalsrc "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/original_src/v3" |
| tlsinspector "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/tls_inspector/v3" |
| hcm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" |
| previoushost "github.com/envoyproxy/go-control-plane/envoy/extensions/retry/host/previous_hosts/v3" |
| rawbuffer "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/raw_buffer/v3" |
| wasm "github.com/envoyproxy/go-control-plane/envoy/extensions/wasm/v3" |
| "github.com/envoyproxy/go-control-plane/pkg/wellknown" |
| "google.golang.org/protobuf/types/known/wrapperspb" |
| alpn "istio.io/api/envoy/config/filter/http/alpn/v2alpha1" |
| "istio.io/api/envoy/config/filter/network/metadata_exchange" |
| ) |
| |
| import ( |
| "github.com/apache/dubbo-go-pixiu/pilot/pkg/model" |
| "github.com/apache/dubbo-go-pixiu/pilot/pkg/networking/util" |
| ) |
| |
| const ( |
| // Alpn HTTP filter name which will override the ALPN for upstream TLS connection. |
| AlpnFilterName = "istio.alpn" |
| |
| TLSTransportProtocol = "tls" |
| RawBufferTransportProtocol = "raw_buffer" |
| |
| MxFilterName = "istio.metadata_exchange" |
| ) |
| |
| // Define static filters to be reused across the codebase. This avoids duplicate marshaling/unmarshaling |
| // This should not be used for filters that will be mutated |
| var ( |
| RetryPreviousHosts = &route.RetryPolicy_RetryHostPredicate{ |
| Name: "envoy.retry_host_predicates.previous_hosts", |
| ConfigType: &route.RetryPolicy_RetryHostPredicate_TypedConfig{ |
| TypedConfig: util.MessageToAny(&previoushost.PreviousHostsPredicate{}), |
| }, |
| } |
| RawBufferTransportSocket = &core.TransportSocket{ |
| Name: util.EnvoyRawBufferSocketName, |
| ConfigType: &core.TransportSocket_TypedConfig{ |
| TypedConfig: util.MessageToAny(&rawbuffer.RawBuffer{}), |
| }, |
| } |
| Cors = &hcm.HttpFilter{ |
| Name: wellknown.CORS, |
| ConfigType: &hcm.HttpFilter_TypedConfig{ |
| TypedConfig: util.MessageToAny(&cors.Cors{}), |
| }, |
| } |
| Fault = &hcm.HttpFilter{ |
| Name: wellknown.Fault, |
| ConfigType: &hcm.HttpFilter_TypedConfig{ |
| TypedConfig: util.MessageToAny(&fault.HTTPFault{}), |
| }, |
| } |
| Router = &hcm.HttpFilter{ |
| Name: wellknown.Router, |
| ConfigType: &hcm.HttpFilter_TypedConfig{ |
| TypedConfig: util.MessageToAny(&router.Router{}), |
| }, |
| } |
| GrpcWeb = &hcm.HttpFilter{ |
| Name: wellknown.GRPCWeb, |
| ConfigType: &hcm.HttpFilter_TypedConfig{ |
| TypedConfig: util.MessageToAny(&grpcweb.GrpcWeb{}), |
| }, |
| } |
| GrpcStats = &hcm.HttpFilter{ |
| Name: wellknown.HTTPGRPCStats, |
| ConfigType: &hcm.HttpFilter_TypedConfig{ |
| TypedConfig: util.MessageToAny(&grpcstats.FilterConfig{ |
| EmitFilterState: true, |
| PerMethodStatSpecifier: &grpcstats.FilterConfig_StatsForAllMethods{ |
| StatsForAllMethods: &wrapperspb.BoolValue{Value: false}, |
| }, |
| }), |
| }, |
| } |
| TLSInspector = &listener.ListenerFilter{ |
| Name: wellknown.TlsInspector, |
| ConfigType: &listener.ListenerFilter_TypedConfig{ |
| TypedConfig: util.MessageToAny(&tlsinspector.TlsInspector{}), |
| }, |
| } |
| HTTPInspector = &listener.ListenerFilter{ |
| Name: wellknown.HttpInspector, |
| ConfigType: &listener.ListenerFilter_TypedConfig{ |
| TypedConfig: util.MessageToAny(&httpinspector.HttpInspector{}), |
| }, |
| } |
| OriginalDestination = &listener.ListenerFilter{ |
| Name: wellknown.OriginalDestination, |
| ConfigType: &listener.ListenerFilter_TypedConfig{ |
| TypedConfig: util.MessageToAny(&originaldst.OriginalDst{}), |
| }, |
| } |
| OriginalSrc = &listener.ListenerFilter{ |
| Name: wellknown.OriginalSource, |
| ConfigType: &listener.ListenerFilter_TypedConfig{ |
| TypedConfig: util.MessageToAny(&originalsrc.OriginalSrc{ |
| Mark: 1337, |
| }), |
| }, |
| } |
| Alpn = &hcm.HttpFilter{ |
| Name: AlpnFilterName, |
| ConfigType: &hcm.HttpFilter_TypedConfig{ |
| TypedConfig: util.MessageToAny(&alpn.FilterConfig{ |
| AlpnOverride: []*alpn.FilterConfig_AlpnOverride{ |
| { |
| UpstreamProtocol: alpn.FilterConfig_HTTP10, |
| AlpnOverride: mtlsHTTP10ALPN, |
| }, |
| { |
| UpstreamProtocol: alpn.FilterConfig_HTTP11, |
| AlpnOverride: mtlsHTTP11ALPN, |
| }, |
| { |
| UpstreamProtocol: alpn.FilterConfig_HTTP2, |
| AlpnOverride: mtlsHTTP2ALPN, |
| }, |
| }, |
| }), |
| }, |
| } |
| |
| tcpMx = util.MessageToAny(&metadata_exchange.MetadataExchange{Protocol: "istio-peer-exchange"}) |
| |
| TCPListenerMx = &listener.Filter{ |
| Name: MxFilterName, |
| ConfigType: &listener.Filter_TypedConfig{TypedConfig: tcpMx}, |
| } |
| |
| TCPClusterMx = &cluster.Filter{ |
| Name: MxFilterName, |
| TypedConfig: tcpMx, |
| } |
| |
| HTTPMx = buildHTTPMxFilter() |
| ) |
| |
| func BuildRouterFilter(ctx *RouterFilterContext) *hcm.HttpFilter { |
| if ctx == nil { |
| return Router |
| } |
| |
| return &hcm.HttpFilter{ |
| Name: wellknown.Router, |
| ConfigType: &hcm.HttpFilter_TypedConfig{ |
| TypedConfig: util.MessageToAny(&router.Router{ |
| StartChildSpan: ctx.StartChildSpan, |
| }), |
| }, |
| } |
| } |
| |
| var ( |
| // These ALPNs are injected in the client side by the ALPN filter. |
| // "istio" is added for each upstream protocol in order to make it |
| // backward compatible. e.g., 1.4 proxy -> 1.3 proxy. |
| // Non istio-* variants are added to ensure that traffic sent out of the mesh has a valid ALPN; |
| // ideally this would not be added, but because the override filter is in the HCM, rather than cluster, |
| // we do not yet know the upstream so we cannot determine if its in or out of the mesh |
| mtlsHTTP10ALPN = []string{"istio-http/1.0", "istio", "http/1.0"} |
| mtlsHTTP11ALPN = []string{"istio-http/1.1", "istio", "http/1.1"} |
| mtlsHTTP2ALPN = []string{"istio-h2", "istio", "h2"} |
| ) |
| |
| func buildHTTPMxFilter() *hcm.HttpFilter { |
| httpMxConfigProto := &httpwasm.Wasm{ |
| Config: &wasm.PluginConfig{ |
| Vm: model.ConstructVMConfig("/etc/istio/extensions/metadata-exchange-filter.compiled.wasm", "envoy.wasm.metadata_exchange"), |
| Configuration: util.MessageToAny(&metadata_exchange.MetadataExchange{}), |
| }, |
| } |
| return &hcm.HttpFilter{ |
| Name: MxFilterName, |
| ConfigType: &hcm.HttpFilter_TypedConfig{TypedConfig: util.MessageToAny(httpMxConfigProto)}, |
| } |
| } |