reverse connection: code changes for reverse conn http filter

api/BUILD

@@ -78,6 +78,7 @@ proto_library(
         "//contrib/envoy/extensions/filters/http/dynamo/v3:pkg",
         "//contrib/envoy/extensions/filters/http/golang/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/http/language/v3alpha:pkg",
+        "//contrib/envoy/extensions/filters/http/reverse_conn/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/http/squash/v3:pkg",
         "//contrib/envoy/extensions/filters/http/sxg/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/network/client_ssl_auth/v3:pkg",

api/contrib/envoy/extensions/filters/http/reverse_conn/v3alpha/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_xds//udpa/annotations:pkg"],
+)

api/contrib/envoy/extensions/filters/http/reverse_conn/v3alpha/reverse_conn.proto

@@ -0,0 +1,55 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.reverse_conn.v3alpha;
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.reverse_conn.v3alpha";
+option java_outer_classname = "ReverseConnProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/reverse_conn/v3alpha";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: ReverseConn]
+// ReverseConn :ref:`configuration overview <config_http_filters_reverse_conn>`.
+// [#extension: envoy.filters.http.reverse_conn]
+
+message ReverseConn {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.reverse_conn.v2.ReverseConn";
+
+  google.protobuf.UInt32Value ping_interval = 1;
+}
+
+// Config sent by the local cluster as part of the Initiation workflow.
+// This message combined with message 'ReverseConnHandshakeRet' which is
+// sent as a response can be used to transfer/negotiate parameter between the
+// two envoys.
+message ReverseConnHandshakeArg {
+  // Tenant UUID of the local cluster.
+  string tenant_uuid = 1;
+
+  // Cluster UUID of the local cluster.
+  string cluster_uuid = 2;
+
+  // Node UUID of the local cluster.
+  string node_uuid = 3;
+}
+
+// Config used by the remote cluser in response to the above 'ReverseConnHandshakeArg'.
+message ReverseConnHandshakeRet {
+  enum ConnectionStatus {
+    ACCEPTED = 0;
+    REJECTED = 1;
+  }
+
+  // Tracks the status of the reverse connection initiation workflow.
+  ConnectionStatus status = 1;
+
+  // This field can be used to transmit success/warning/error messages
+  // describing the status of the reverse connection, if needed.
+  string status_message = 2;
+}

api/versioning/BUILD

@@ -16,6 +16,7 @@ proto_library(
         "//contrib/envoy/extensions/filters/http/dynamo/v3:pkg",
         "//contrib/envoy/extensions/filters/http/golang/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/http/language/v3alpha:pkg",
+        "//contrib/envoy/extensions/filters/http/reverse_conn/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/http/squash/v3:pkg",
         "//contrib/envoy/extensions/filters/http/sxg/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/network/client_ssl_auth/v3:pkg",

contrib/contrib_build_config.bzl

@@ -14,6 +14,7 @@ CONTRIB_EXTENSIONS = {
     "envoy.filters.http.dynamo":                                "//contrib/dynamo/filters/http/source:config",
     "envoy.filters.http.golang":                                "//contrib/golang/filters/http/source:config",
     "envoy.filters.http.language":                              "//contrib/language/filters/http/source:config_lib",
+    "envoy.filters.http.reverse_conn":                          "//contrib/reverse_connection/filters/http/source:config",
     "envoy.filters.http.squash":                                "//contrib/squash/filters/http/source:config",
     "envoy.filters.http.sxg":                                   "//contrib/sxg/filters/http/source:config",
 

contrib/extensions_metadata.yaml

@@ -23,6 +23,13 @@ envoy.compression.qatzstd.compressor:
   - envoy.compression.compressor
   security_posture: robust_to_untrusted_downstream_and_upstream
   status: alpha
+envoy.filters.http.reverse_conn:
+  categories:
+  - envoy.filters.http
+  security_posture: robust_to_untrusted_downstream
+  status: alpha
+  type_urls:
+  - envoy.extensions.filters.http.reverse_conn.v3alpha.ReverseConn
 envoy.filters.http.squash:
   categories:
   - envoy.filters.http

contrib/reverse_connection/filters/http/source/BUILD

@@ -0,0 +1,56 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_extension",
+    "envoy_cc_library",
+    "envoy_extension_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+# L7 HTTP filter that implements the reverse_conn microservice debugger
+# Public docs: docs/root/configuration/http_filters/reverse_conn_filter.rst
+
+envoy_extension_package()
+
+envoy_cc_library(
+    name = "reverse_conn_filter_lib",
+    srcs = ["reverse_conn_filter.cc"],
+    hdrs = ["reverse_conn_filter.h"],
+    deps = [
+        "//envoy/event:timer_interface",
+        "//envoy/http:codes_interface",
+        "//envoy/http:filter_interface",
+        "//envoy/http:header_map_interface",
+        "//envoy/upstream:cluster_manager_interface",
+        "//source/common/common:empty_string",
+        "//source/common/common:enum_to_int",
+        "//source/common/http:headers_lib",
+        "//source/common/http:message_lib",
+        "//source/common/http:utility_lib",
+        "//source/common/http/http1:codec_lib",
+        "//source/common/json:json_loader_lib",
+        "//source/common/network:filter_lib",
+        "//source/common/protobuf:utility_lib",
+        "//contrib/reverse_connection/bootstrap/source:reverse_conn_global_registry",
+        "@envoy_api//contrib/envoy/extensions/filters/http/reverse_conn/v3alpha:pkg_cc_proto",
+    ],
+)
+
+envoy_cc_extension(
+    name = "config",
+    srcs = ["config.cc"],
+    hdrs = ["config.h"],
+    # category = "envoy.filters.http",
+    # TODO move integration test to extensions.
+    extra_visibility = [
+        "//test/integration:__subpackages__",
+    ],
+    # security_posture = "robust_to_untrusted_downstream",
+    deps = [
+        ":reverse_conn_filter_lib",
+        "//envoy/registry",
+        "//source/common/protobuf:utility_lib",
+        "//source/extensions/filters/http:well_known_names",
+        "//source/extensions/filters/http/common:factory_base_lib",
+    ],
+)

contrib/reverse_connection/filters/http/source/config.cc

@@ -0,0 +1,45 @@
+#include "contrib/reverse_connection/filters/http/source/config.h"
+#include "contrib/reverse_connection/filters/http/source/reverse_conn_filter.h"
+#include "envoy/registry/registry.h"
+
+#include "source/common/protobuf/protobuf.h"
+#include "source/common/protobuf/utility.h"
+
+
+namespace Envoy {
+namespace Extensions {
+namespace HttpFilters {
+namespace ReverseConn {
+
+Http::FilterFactoryCb ReverseConnFilterConfigFactory::createFilterFactoryFromProtoTyped(
+    const envoy::extensions::filters::http::reverse_conn::v3alpha::ReverseConn& proto_config,
+    const std::string&, Server::Configuration::FactoryContext& context) {
+  ReverseConnFilterConfigSharedPtr config =
+      std::make_shared<ReverseConnFilterConfig>(ReverseConnFilterConfig(proto_config));
+
+  // Retrieve the ReverseConnRegistry singleton and access the thread local slot
+  std::shared_ptr<ReverseConnection::ReverseConnRegistry> reverse_conn_registry =
+        context.serverFactoryContext().singletonManager().getTyped<ReverseConnection::ReverseConnRegistry>("reverse_conn_registry_singleton");
+  if (reverse_conn_registry == nullptr) {
+    throw EnvoyException(
+      "Cannot create reverse conn http filter. Reverse connection registry not found");
+  }
+
+  // The ReverseConnFilter is initialized before the workers are created and therefore only the
+  // reverse conn global registry is available.
+  return [config, reverse_conn_registry](Http::FilterChainFactoryCallbacks& callbacks) -> void {
+    callbacks.addStreamDecoderFilter(std::make_shared<ReverseConnFilter>(config, reverse_conn_registry));
+  };
+}
+
+/**
+ * Static registration for the reverse_conn filter. @see RegisterFactory.
+ */
+static Envoy::Registry::RegisterFactory<ReverseConnFilterConfigFactory,
+                                        Server::Configuration::NamedHttpFilterConfigFactory>
+    register_;
+
+} // namespace ReverseConn
+} // namespace HttpFilters
+} // namespace Extensions
+} // namespace Envoy

contrib/reverse_connection/filters/http/source/config.h

@@ -0,0 +1,30 @@
+#pragma once
+
+#include "contrib/envoy/extensions/filters/http/reverse_conn/v3alpha/reverse_conn.pb.h"
+#include "contrib/envoy/extensions/filters/http/reverse_conn/v3alpha/reverse_conn.pb.validate.h"
+#include "source/extensions/filters/http/common/factory_base.h"
+#include "source/extensions/filters/http/well_known_names.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace HttpFilters {
+namespace ReverseConn {
+
+/**
+ * Config registration for the reverse_conn filter. @see NamedHttpFilterConfigFactory.
+ */
+class ReverseConnFilterConfigFactory
+    : public Common::FactoryBase<envoy::extensions::filters::http::reverse_conn::v3alpha::ReverseConn> {
+public:
+  ReverseConnFilterConfigFactory() : FactoryBase("reverse_conn") {}
+
+private:
+  Http::FilterFactoryCb createFilterFactoryFromProtoTyped(
+      const envoy::extensions::filters::http::reverse_conn::v3alpha::ReverseConn& proto_config,
+      const std::string& stats_prefix, Server::Configuration::FactoryContext& context) override;
+};
+
+} // namespace ReverseConn
+} // namespace HttpFilters
+} // namespace Extensions
+} // namespace Envoy