fix: create a cluster per destination setting for backends with filte…

…rs (#5269) * fix: create a cluster per destination setting for backends with filters * create a unique name by adding a new destination setting field * create a unique cluster per dest setting if the setting contains filters * reuse that for locality region name as well Signed-off-by: Arko Dasgupta <arko@tetrate.io>
envoyproxy · Feb 26, 2025 · 664fa04 · 664fa04
1 parent a41e992
commit 664fa04
Show file tree

Hide file tree

Showing 404 changed files with 1,048 additions and 110 deletions.
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
@@ -394,7 +394,7 @@
                       ],
                       "loadBalancingWeight": 1,
                       "locality": {
-                        "region": "raw_githubusercontent_com_443/backend/0"
+                        "region": "raw_githubusercontent_com_443/backend/-1"
                       }
                     }
                   ]

diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
@@ -226,7 +226,7 @@ xds:
                 loadBalancingWeight: 1
               loadBalancingWeight: 1
               locality:
-                region: raw_githubusercontent_com_443/backend/0
+                region: raw_githubusercontent_com_443/backend/-1
           name: raw_githubusercontent_com_443
           perConnectionBufferLimitBytes: 32768
           respectDnsTtl: true

diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml
@@ -44,7 +44,7 @@ xds:
               loadBalancingWeight: 1
             loadBalancingWeight: 1
             locality:
-              region: raw_githubusercontent_com_443/backend/0
+              region: raw_githubusercontent_com_443/backend/-1
         name: raw_githubusercontent_com_443
         perConnectionBufferLimitBytes: 32768
         respectDnsTtl: true

diff --git a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml
@@ -123,6 +123,7 @@ xdsIR:
           - endpoints:
             - host: 7.7.7.7
               port: 3000
+            name: httproute/envoy-gateway-system/backend/rule/0/backend/0
             protocol: HTTP
             weight: 1
         hostname: www.example.com

diff --git a/internal/gatewayapi/ext_service.go b/internal/gatewayapi/ext_service.go
@@ -43,7 +43,8 @@ func (t *Translator) translateExtServiceBackendRefs(
 	}
 
 	pnn := utils.NamespacedName(policy)
-	for _, backendRef := range backendRefs {
+	destName := irIndexedExtServiceDestinationName(pnn, policy.GetObjectKind().GroupVersionKind().Kind, configType, index)
+	for i, backendRef := range backendRefs {
 		if err = t.validateExtServiceBackendReference(
 			&backendRef.BackendObjectReference,
 			policy.GetNamespace(),
@@ -52,8 +53,10 @@ func (t *Translator) translateExtServiceBackendRefs(
 			return nil, err
 		}
 
+		settingName := irDestinationSettingName(destName, i)
 		var extServiceDest *ir.DestinationSetting
 		if extServiceDest, err = t.processExtServiceDestination(
+			settingName,
 			&backendRef,
 			pnn,
 			policy.GetObjectKind().GroupVersionKind().Kind,
@@ -67,13 +70,14 @@ func (t *Translator) translateExtServiceBackendRefs(
 	}
 
 	rs = &ir.RouteDestination{
-		Name:     irIndexedExtServiceDestinationName(pnn, policy.GetObjectKind().GroupVersionKind().Kind, configType, index),
+		Name:     destName,
 		Settings: ds,
 	}
 	return rs, nil
 }
 
 func (t *Translator) processExtServiceDestination(
+	settingName string,
 	backendRef *egv1a1.BackendRef,
 	policyNamespacedName types.NamespacedName,
 	policyKind string,
@@ -90,12 +94,12 @@ func (t *Translator) processExtServiceDestination(
 
 	switch KindDerefOr(backendRef.Kind, resource.KindService) {
 	case resource.KindService:
-		ds = t.processServiceDestinationSetting(backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy)
+		ds = t.processServiceDestinationSetting(settingName, backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy)
 	case egv1a1.KindBackend:
 		if !t.BackendEnabled {
 			return nil, fmt.Errorf("resource %s of type Backend cannot be used since Backend is disabled in Envoy Gateway configuration", string(backendRef.Name))
 		}
-		ds = t.processBackendDestinationSetting(backendRef.BackendObjectReference, backendNamespace, protocol, resources)
+		ds = t.processBackendDestinationSetting(settingName, backendRef.BackendObjectReference, backendNamespace, protocol, resources)
 	}
 
 	if ds == nil {

diff --git a/internal/gatewayapi/filters.go b/internal/gatewayapi/filters.go
@@ -998,13 +998,15 @@ func (t *Translator) processRequestMirrorFilter(
 		return err
 	}
 
-	ds, err := t.processDestination(mirrorBackendRef, filterContext.ParentRef, filterContext.Route, resources)
+	destName := fmt.Sprintf("%s-mirror-%d", irRouteDestinationName(filterContext.Route, filterContext.RuleIdx), filterIdx)
+	settingName := irDestinationSettingName(destName, -1 /*unused*/)
+	ds, err := t.processDestination(settingName, mirrorBackendRef, filterContext.ParentRef, filterContext.Route, resources)
 	if err != nil {
 		return err
 	}
 
 	routeDst := &ir.RouteDestination{
-		Name:     fmt.Sprintf("%s-mirror-%d", irRouteDestinationName(filterContext.Route, filterContext.RuleIdx), filterIdx),
+		Name:     destName,
 		Settings: []*ir.DestinationSetting{ds},
 	}
 

diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go
@@ -403,6 +403,10 @@ func irRouteDestinationName(route RouteContext, ruleIdx int) string {
 	return fmt.Sprintf("%srule/%d", irRoutePrefix(route), ruleIdx)
 }
 
+func irDestinationSettingName(destName string, backendIdx int) string {
+	return fmt.Sprintf("%s/backend/%d", destName, backendIdx)
+}
+
 // irTLSConfigs produces a defaulted IR TLSConfig
 func irTLSConfigs(tlsSecrets ...*corev1.Secret) *ir.TLSConfig {
 	if len(tlsSecrets) == 0 {

diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go
@@ -370,17 +370,19 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources *
 					logName = fmt.Sprintf("%s/%s", envoyproxy.Namespace, envoyproxy.Name)
 				}
 
+				// TODO: rename this, so that we can share backend with tracing?
+				destName := fmt.Sprintf("accesslog_als_%d_%d", i, j)
+				settingName := irDestinationSettingName(destName, -1)
 				// TODO: how to get authority from the backendRefs?
-				ds, traffic, err := t.processBackendRefs(sink.ALS.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
+				ds, traffic, err := t.processBackendRefs(settingName, sink.ALS.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
 				if err != nil {
 					return nil, err
 				}
 
 				al := &ir.ALSAccessLog{
 					LogName: logName,
 					Destination: ir.RouteDestination{
-						// TODO: rename this, so that we can share backend with tracing?
-						Name:     fmt.Sprintf("accesslog_als_%d_%d", i, j),
+						Name:     destName,
 						Settings: ds,
 					},
 					Traffic:    traffic,
@@ -410,8 +412,11 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources *
 					continue
 				}
 
+				// TODO: rename this, so that we can share backend with tracing?
+				destName := fmt.Sprintf("accesslog_otel_%d_%d", i, j)
+				settingName := irDestinationSettingName(destName, -1)
 				// TODO: how to get authority from the backendRefs?
-				ds, traffic, err := t.processBackendRefs(sink.OpenTelemetry.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
+				ds, traffic, err := t.processBackendRefs(settingName, sink.OpenTelemetry.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
 				if err != nil {
 					return nil, err
 				}
@@ -420,8 +425,7 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources *
 					CELMatches: validExprs,
 					Resources:  sink.OpenTelemetry.Resources,
 					Destination: ir.RouteDestination{
-						// TODO: rename this, so that we can share backend with tracing?
-						Name:     fmt.Sprintf("accesslog_otel_%d_%d", i, j),
+						Name:     destName,
 						Settings: ds,
 					},
 					Traffic: traffic,
@@ -435,7 +439,7 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources *
 					if sink.OpenTelemetry.Host != nil {
 						host, port = *sink.OpenTelemetry.Host, uint32(sink.OpenTelemetry.Port)
 					}
-					al.Destination.Settings = destinationSettingFromHostAndPort(host, port)
+					al.Destination.Settings = destinationSettingFromHostAndPort(settingName, host, port)
 					al.Authority = host
 				}
 
@@ -463,8 +467,11 @@ func (t *Translator) processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.Envo
 	}
 	tracing := envoyproxy.Spec.Telemetry.Tracing
 
+	// TODO: rename this, so that we can share backend with accesslog?
+	destName := "tracing"
+	settingName := irDestinationSettingName(destName, -1)
 	// TODO: how to get authority from the backendRefs?
-	ds, traffic, err := t.processBackendRefs(tracing.Provider.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
+	ds, traffic, err := t.processBackendRefs(settingName, tracing.Provider.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
 	if err != nil {
 		return nil, err
 	}
@@ -479,7 +486,7 @@ func (t *Translator) processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.Envo
 		if tracing.Provider.Host != nil {
 			host, port = *tracing.Provider.Host, uint32(tracing.Provider.Port)
 		}
-		ds = destinationSettingFromHostAndPort(host, port)
+		ds = destinationSettingFromHostAndPort(settingName, host, port)
 		authority = host
 	}
 
@@ -494,8 +501,7 @@ func (t *Translator) processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.Envo
 		SamplingRate: proxySamplingRate(tracing),
 		CustomTags:   tracing.CustomTags,
 		Destination: ir.RouteDestination{
-			// TODO: rename this, so that we can share backend with accesslog?
-			Name:     "tracing",
+			Name:     destName,
 			Settings: ds,
 		},
 		Provider: tracing.Provider,
@@ -534,7 +540,7 @@ func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *re
 			continue
 		}
 
-		_, _, err := t.processBackendRefs(sink.OpenTelemetry.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
+		_, _, err := t.processBackendRefs("", sink.OpenTelemetry.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
 		if err != nil {
 			return nil, err
 		}
@@ -547,7 +553,7 @@ func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *re
 	}, nil
 }
 
-func (t *Translator) processBackendRefs(backendCluster egv1a1.BackendCluster, namespace string,
+func (t *Translator) processBackendRefs(name string, backendCluster egv1a1.BackendCluster, namespace string,
 	resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy,
 ) ([]*ir.DestinationSetting, *ir.TrafficFeatures, error) {
 	traffic, err := translateTrafficFeatures(backendCluster.BackendSettings)
@@ -565,7 +571,7 @@ func (t *Translator) processBackendRefs(backendCluster egv1a1.BackendCluster, na
 			return nil, nil, err
 		}
 
-		ds := t.processServiceDestinationSetting(ref.BackendObjectReference, ns, ir.TCP, resources, envoyProxy)
+		ds := t.processServiceDestinationSetting(name, ref.BackendObjectReference, ns, ir.TCP, resources, envoyProxy)
 		result = append(result, ds)
 	}
 	if len(result) == 0 {
@@ -574,9 +580,10 @@ func (t *Translator) processBackendRefs(backendCluster egv1a1.BackendCluster, na
 	return result, traffic, nil
 }
 
-func destinationSettingFromHostAndPort(host string, port uint32) []*ir.DestinationSetting {
+func destinationSettingFromHostAndPort(name, host string, port uint32) []*ir.DestinationSetting {
 	return []*ir.DestinationSetting{
 		{
+			Name:      name,
 			Weight:    ptr.To[uint32](1),
 			Protocol:  ir.GRPC,
 			Endpoints: []*ir.DestinationEndpoint{ir.NewDestEndpoint(host, port, false)},