sort httpFilters on name if priority order is same (envoyproxy#6600)

* sort httpFilters on name if priority order is same

ensures stability across translations, mitigating listener drains
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/listeners/listener_filters#filter-chain-only-update

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

Author: arkodg

internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml

@@ -1176,14 +1176,14 @@ xds:
                     initialStreamWindowSize: 65536
                     maxConcurrentStreams: 100
                   httpFilters:
-                  - name: envoy.filters.http.grpc_web
-                    typedConfig:
-                      '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                   - name: envoy.filters.http.grpc_stats
                     typedConfig:
                       '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig
                       emitFilterState: true
                       statsForAllMethods: true
+                  - name: envoy.filters.http.grpc_web
+                    typedConfig:
+                      '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                   - name: envoy.filters.http.router
                     typedConfig:
                       '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json

@@ -953,12 +953,6 @@
                             "maxConcurrentStreams": 100
                           },
                           "httpFilters": [
-                            {
-                              "name": "envoy.filters.http.grpc_web",
-                              "typedConfig": {
-                                "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb"
-                              }
-                            },
                             {
                               "name": "envoy.filters.http.grpc_stats",
                               "typedConfig": {
@@ -967,6 +961,12 @@
                                 "statsForAllMethods": true
                               }
                             },
+                            {
+                              "name": "envoy.filters.http.grpc_web",
+                              "typedConfig": {
+                                "@type": "type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb"
+                              }
+                            },
                             {
                               "name": "envoy.filters.http.router",
                               "typedConfig": {

internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml

@@ -593,14 +593,14 @@ xds:
                     initialStreamWindowSize: 65536
                     maxConcurrentStreams: 100
                   httpFilters:
-                  - name: envoy.filters.http.grpc_web
-                    typedConfig:
-                      '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                   - name: envoy.filters.http.grpc_stats
                     typedConfig:
                       '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig
                       emitFilterState: true
                       statsForAllMethods: true
+                  - name: envoy.filters.http.grpc_web
+                    typedConfig:
+                      '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                   - name: envoy.filters.http.router
                     typedConfig:
                       '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml

@@ -229,14 +229,14 @@ xds:
                   initialStreamWindowSize: 65536
                   maxConcurrentStreams: 100
                 httpFilters:
-                - name: envoy.filters.http.grpc_web
-                  typedConfig:
-                    '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                 - name: envoy.filters.http.grpc_stats
                   typedConfig:
                     '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig
                     emitFilterState: true
                     statsForAllMethods: true
+                - name: envoy.filters.http.grpc_web
+                  typedConfig:
+                    '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
                 - name: envoy.filters.http.router
                   typedConfig:
                     '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

internal/xds/translator/httpfilters.go

@@ -153,6 +153,14 @@ func (o OrderedHTTPFilters) Len() int {
 }
 
 func (o OrderedHTTPFilters) Less(i, j int) bool {
+	// Sort on name if the order is equal
+	// to keep the order stable and avoiding
+	// listener drains
+	if o[i].order == o[j].order {
+		return o[i].filter.Name < o[j].filter.Name
+	}
+
+	// Sort on order
 	return o[i].order < o[j].order
 }
 
@@ -171,6 +179,7 @@ func sortHTTPFilters(filters []*hcmv3.HttpFilter, filterOrder []egv1a1.FilterPos
 	for i := 0; i < len(filters); i++ {
 		orderedFilters[i] = newOrderedHTTPFilter(filters[i])
 	}
+
 	sort.Sort(orderedFilters)
 
 	// Use a linked list to sort the filters in the custom order.

internal/xds/translator/testdata/out/xds-ir/basic-auth-username-header.listeners.yaml

@@ -15,19 +15,19 @@
           maxConcurrentStreams: 100
         httpFilters:
         - disabled: true
-          name: envoy.filters.http.basic_auth/securitypolicy/default/policy-for-http-route-1
+          name: envoy.filters.http.basic_auth/securitypolicy/default/policy-for-gateway-1
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuth
-            forwardUsernameHeader: x-username
+            forwardUsernameHeader: x-user-id
             users:
-              inlineBytes: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo=
+              inlineBytes: Zm9vOntTSEF9WXMyM0FnLzVJT1dxWkN3OVFHYVZEZEh3SDAwPQpmb28xOntTSEF9ZGpaMTFxSFkwS09pamV5bUs3YUt2WXV2aHZNPQo=
         - disabled: true
-          name: envoy.filters.http.basic_auth/securitypolicy/default/policy-for-gateway-1
+          name: envoy.filters.http.basic_auth/securitypolicy/default/policy-for-http-route-1
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuth
-            forwardUsernameHeader: x-user-id
+            forwardUsernameHeader: x-username
             users:
-              inlineBytes: Zm9vOntTSEF9WXMyM0FnLzVJT1dxWkN3OVFHYVZEZEh3SDAwPQpmb28xOntTSEF9ZGpaMTFxSFkwS09pamV5bUs3YUt2WXV2aHZNPQo=
+              inlineBytes: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo=
         - name: envoy.filters.http.router
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml

@@ -15,17 +15,17 @@
           maxConcurrentStreams: 100
         httpFilters:
         - disabled: true
-          name: envoy.filters.http.basic_auth/securitypolicy/default/policy-for-http-route-1
+          name: envoy.filters.http.basic_auth/securitypolicy/default/policy-for-gateway-1
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuth
             users:
-              inlineBytes: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo=
+              inlineBytes: Zm9vOntTSEF9WXMyM0FnLzVJT1dxWkN3OVFHYVZEZEh3SDAwPQpmb28xOntTSEF9ZGpaMTFxSFkwS09pamV5bUs3YUt2WXV2aHZNPQo=
         - disabled: true
-          name: envoy.filters.http.basic_auth/securitypolicy/default/policy-for-gateway-1
+          name: envoy.filters.http.basic_auth/securitypolicy/default/policy-for-http-route-1
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuth
             users:
-              inlineBytes: Zm9vOntTSEF9WXMyM0FnLzVJT1dxWkN3OVFHYVZEZEh3SDAwPQpmb28xOntTSEF9ZGpaMTFxSFkwS09pamV5bUs3YUt2WXV2aHZNPQo=
+              inlineBytes: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo=
         - name: envoy.filters.http.router
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

internal/xds/translator/testdata/out/xds-ir/dns-lookup-family.listeners.yaml

@@ -138,14 +138,14 @@
             transportApiVersion: V3
             withRequestBody:
               maxRequestBytes: 8192
-        - name: envoy.filters.http.grpc_web
-          typedConfig:
-            '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
         - name: envoy.filters.http.grpc_stats
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig
             emitFilterState: true
             statsForAllMethods: true
+        - name: envoy.filters.http.grpc_web
+          typedConfig:
+            '@type': type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
         - disabled: true
           name: envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-httproute/extproc/0
           typedConfig:

internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml

@@ -14,22 +14,6 @@
           initialStreamWindowSize: 65536
           maxConcurrentStreams: 100
         httpFilters:
-        - disabled: true
-          name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1
-          typedConfig:
-            '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
-            allowedHeaders:
-              patterns:
-              - exact: header1
-                ignoreCase: true
-              - exact: header2
-                ignoreCase: true
-            grpcService:
-              envoyGrpc:
-                authority: primary.foo.com
-                clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend
-              timeout: 10s
-            transportApiVersion: V3
         - disabled: true
           name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-gateway-1
           typedConfig:
@@ -49,6 +33,22 @@
                 timeout: 10s
                 uri: http://primary.foo.com/auth
             transportApiVersion: V3
+        - disabled: true
+          name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1
+          typedConfig:
+            '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+            allowedHeaders:
+              patterns:
+              - exact: header1
+                ignoreCase: true
+              - exact: header2
+                ignoreCase: true
+            grpcService:
+              envoyGrpc:
+                authority: primary.foo.com
+                clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend
+              timeout: 10s
+            transportApiVersion: V3
         - name: envoy.filters.http.router
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml

@@ -14,22 +14,6 @@
           initialStreamWindowSize: 65536
           maxConcurrentStreams: 100
         httpFilters:
-        - disabled: true
-          name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1
-          typedConfig:
-            '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
-            allowedHeaders:
-              patterns:
-              - exact: header1
-                ignoreCase: true
-              - exact: header2
-                ignoreCase: true
-            grpcService:
-              envoyGrpc:
-                authority: primary.foo.com
-                clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend
-              timeout: 10s
-            transportApiVersion: V3
         - disabled: true
           name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-gateway-1
           typedConfig:
@@ -51,6 +35,22 @@
             transportApiVersion: V3
             withRequestBody:
               maxRequestBytes: 32768
+        - disabled: true
+          name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1
+          typedConfig:
+            '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+            allowedHeaders:
+              patterns:
+              - exact: header1
+                ignoreCase: true
+              - exact: header2
+                ignoreCase: true
+            grpcService:
+              envoyGrpc:
+                authority: primary.foo.com
+                clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend
+              timeout: 10s
+            transportApiVersion: V3
         - name: envoy.filters.http.router
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router