Support HTTP tunneling on all Upstreams (#10712)

Co-authored-by: changelog-bot <changelog-bot>

Author: ryanrolds

.github/workflows/pr-kubernetes-tests.yaml

@@ -57,42 +57,49 @@ jobs:
         test:
         # 2024-12-04: 22m
         # 2025-02-13: 29m3s
+        # 2025-03-24: 23m7s
         - cluster-name: 'cluster-one'
           go-test-args: '-v -timeout=25m'
-          go-test-run-regex: '^TestK8sGateway$$/^RouteDelegation$$|^TestGlooctlGlooGatewayEdgeGateway$$|^TestGlooctlK8sGateway$$'
+          go-test-run-regex: '^TestK8sGateway$$/^RouteDelegation$$|^TestGlooctlGlooGatewayEdgeGateway$$|^TestGlooctlK8sGateway$$|^TestK8sGateway$$/^HTTPTunnel$$'
 
         # 2024-12-04: 23m
         # 2025-02-13: 30m30s
+        # 2025-03-24: 27m42s
         - cluster-name: 'cluster-two'
           go-test-args: '-v -timeout=25m'
           go-test-run-regex: '^TestK8sGatewayIstioRevision$$|^TestRevisionIstioRegression$$|^TestK8sGateway$$/^Deployer$$|^TestK8sGateway$$/^RouteOptions$$|^TestK8sGateway$$/^VirtualHostOptions$$|^TestK8sGateway$$/^Upstreams$$|^TestK8sGateway$$/^HeadlessSvc$$|^TestK8sGateway$$/^PortRouting$$|^TestK8sGatewayMinimalDefaultGatewayParameters$$|^TestK8sGateway$$/^DirectResponse$$|^TestK8sGateway$$/^HttpListenerOptions$$|^TestK8sGateway$$/^ListenerOptions$$|^TestK8sGateway$$/^GlooAdminServer$$'
 
         # 2024-12-04: 24m
         # 2025-02-13: 31m49s
+        # 2025-03-24: 30m26s
         - cluster-name: 'cluster-three'
           go-test-args: '-v -timeout=30m'
           go-test-run-regex: '(^TestK8sGatewayIstioAutoMtls$$|^TestAutomtlsIstioEdgeApisGateway$$|^TestIstioEdgeApiGateway$$|^TestIstioRegression$$)'
 
         # 2024-12-04: 21m
         # 2025-02-13: 28m3s
+        # 2025-03-24: 29m15s
         - cluster-name: 'cluster-four'
           go-test-args: '-v -timeout=30m'
           go-test-run-regex: '(^TestK8sGatewayIstio$$|^TestGlooGatewayEdgeGateway$$|^TestGlooctlIstioInjectEdgeApiGateway$$)'
 
         # 2024-12-04: 24m
         # 2025-02-13: 35m21s
+        # 2025-03-24: 33m39s
         - cluster-name: 'cluster-five'
           go-test-args: '-v -timeout=30m'
           go-test-run-regex: '^TestFullEnvoyValidation$$|^TestValidationStrict$$|^TestValidationAlwaysAccept$$|^TestTransformationValidationDisabled$$'
 
         # 2024-12-04: 26m
         # 2025-02-13: 33m19s
+        # 2025-03-24: 31m38s
         - cluster-name: 'cluster-six'
           go-test-args: '-v -timeout=30m'
           go-test-run-regex: '^TestDiscoveryWatchlabels$$|^TestK8sGatewayNoValidation$$|^TestHelm$$|^TestHelmSettings$$|^TestK8sGatewayAws$$|^TestK8sGateway$$/^HTTPRouteServices$$|^TestK8sGateway$$/^TCPRouteServices$$'
 
         # 2024-12-04: 16m
         # 2025-02-13: 26m29s
+        # 2025-03-24: 29m9s
         - cluster-name: 'cluster-seven'
           go-test-args: '-v -timeout=25m'
           go-test-run-regex: '^TestK8sGateway$$/^CRDCategories$$|^TestK8sGateway$$/^Metrics$$|^TestGloomtlsGatewayEdgeGateway$$|^TestGloomtlsGatewayK8sGateway$$|^TestGlooGatewayEdgeGatewayClearMetrics$$|^TestWatchNamespaceSelector$$|^TestK8sGateway$$/^TLSRouteServices$$'

.github/workflows/pr-unit-tests.yaml

@@ -19,7 +19,7 @@ jobs:
   kube_gateway_project:
     name: projects/gateway2
     runs-on: ubuntu-22.04
-    timeout-minutes: 10
+    timeout-minutes: 15
     # Other unit tests are run by our CloudBuild runner
     # These tests do run on Draft PRs, and so we maintain that consistency and run this job on Draft PRs as well
     steps:

changelog/v1.19.0-beta16/tunneling-for-all-upstreams.yaml

@@ -0,0 +1,14 @@
+changelog: 
+- type: FIX
+  description: |
+    Updated HTTP tunneling plugin to support HTTP CONNECT tunneling on all Upstreams, not just
+    those bound to a Route. This allows Upstreams referenced by various settings (e.g. remote JWKS, 
+    tracing, and more) to use a forward proxy without creating a Route for each Upstream.
+
+    To address clusters having their own lifecycle that differs from listeners in 
+    gateway2 causing issues with the HTTP tunneling configuration, a new plugin interface
+    for creating additional clusters and listeners from Upstreams has been added.
+    The additional clusters and listeners are added to the snapshot near the 
+    end of the gateway2 translations process.
+  resolvesIssue: false
+  issueLink: https://github.com/solo-io/solo-projects/issues/7497

projects/gateway2/proxy_syncer/perclient.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
+	envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	"github.com/solo-io/gloo/projects/gateway2/krtcollections"
 	ggv2utils "github.com/solo-io/gloo/projects/gateway2/utils"
 	"github.com/solo-io/gloo/projects/gloo/pkg/xds"
@@ -42,31 +43,42 @@ func snapshotPerClient(l *zap.Logger, dbg *krt.DebugHandler, uccCol krt.Collecti
 			return nil
 		}
 
+		listenersProto := make([]envoycache.Resource, 0)
 		clustersProto := make([]envoycache.Resource, 0, len(clustersForUcc))
+
 		var clustersHash uint64
+		var listenersHash uint64
+
+		// add the clusters and the additional resources created for them
 		for _, ep := range clustersForUcc {
 			clustersProto = append(clustersProto, ep.Cluster)
-			clustersHash ^= ep.ClusterVersion
-		}
-		clustersVersion := fmt.Sprintf("%d", clustersHash)
 
-		endpointsForUcc := endpoints.FetchEndpointsForClient(kctx, ucc)
-		endpointsProto := make([]envoycache.Resource, 0, len(endpointsForUcc))
-		var endpointsHash uint64
-		for _, ep := range endpointsForUcc {
-			endpointsProto = append(endpointsProto, ep.Endpoints)
-			endpointsHash ^= ep.EndpointsHash
+			// add additional clusters
+			for _, additionalCluster := range ep.AdditionalClusters {
+				clustersProto = append(clustersProto, additionalCluster)
+			}
+
+			// add additional listeners
+			for _, additionalListener := range ep.AdditionalListeners {
+				listenersProto = append(listenersProto, additionalListener)
+			}
+
+			clustersHash ^= ep.ClusterVersion
+			clustersHash ^= ep.AdditionalClustersHash
+			listenersHash ^= ep.AdditionalListenersHash
 		}
 
-		mostlySnap := *maybeMostlySnap
+		clusterResources := envoycache.NewResources(fmt.Sprintf("%d", clustersHash), clustersProto)
 
-		clusterResources := envoycache.NewResources(clustersVersion, clustersProto)
 		// add missing generated resource from GeneratedResources plugins.
 		// To be able to do individual upstream translation, We need to redo the GeneratedResources,
 		// so they don't take as input the entire xds snapshot. the main offender is the tunneling plugin.
 		//
 		// for now, a manual audit showed that these only add clusters and listeners. As we don't touch the listeners,
 		// we just need to account for potentially missing clusters.
+		//
+		// This can be removed once we have moved off GeneratedResources in favor of
+		// UpstreamGeneratedResources which is krt-safe
 		for name, cluster := range genericSnap.Clusters.Items {
 			// only copy clusters that don't exist. as we do cluster translation per client,
 			// our clusters might be slightly different.
@@ -77,13 +89,37 @@ func snapshotPerClient(l *zap.Logger, dbg *krt.DebugHandler, uccCol krt.Collecti
 		}
 		clusterResources.Version = fmt.Sprintf("%d", clustersHash)
 
+		listenerResources := envoycache.NewResources(fmt.Sprintf("%d", listenersHash), listenersProto)
+
+		// add the snapshot listeners
+		for name, listener := range genericSnap.Listeners.Items {
+			// only copy listeners that don't exist. as we do cluster translation per client,
+			// our clusters might be slightly different.
+			if _, ok := listenerResources.Items[name]; !ok {
+				listenerResources.Items[name] = listener
+				listenersHash ^= ggv2utils.HashProto(listener.ResourceProto().(*envoy_config_listener_v3.Listener))
+			}
+		}
+		listenerResources.Version = fmt.Sprintf("%d", listenersHash)
+
+		endpointsForUcc := endpoints.FetchEndpointsForClient(kctx, ucc)
+		endpointsProto := make([]envoycache.Resource, 0, len(endpointsForUcc))
+		var endpointsHash uint64
+		for _, ep := range endpointsForUcc {
+			endpointsProto = append(endpointsProto, ep.Endpoints)
+			endpointsHash ^= ep.EndpointsHash
+		}
+		endpointResources := envoycache.NewResources(fmt.Sprintf("%d-%d", clustersHash, endpointsHash), endpointsProto)
+
+		mostlySnap := *maybeMostlySnap
 		mostlySnap.proxyKey = ucc.ResourceName()
 		mostlySnap.snap = &xds.EnvoySnapshot{
 			Clusters:  clusterResources,
-			Endpoints: envoycache.NewResources(fmt.Sprintf("%s-%d", clustersVersion, endpointsHash), endpointsProto),
+			Listeners: listenerResources,
+			Endpoints: endpointResources,
 			Routes:    genericSnap.Routes,
-			Listeners: genericSnap.Listeners,
 		}
+
 		l.Debug("snapshotPerClient", zap.String("proxyKey", mostlySnap.proxyKey),
 			zap.Stringer("Listeners", resourcesStringer(mostlySnap.snap.Listeners)),
 			zap.Stringer("Clusters", resourcesStringer(mostlySnap.snap.Clusters)),

projects/gateway2/proxy_syncer/upstreams.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 
-	envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
 	"github.com/solo-io/gloo/pkg/utils/settingsutil"
 	"github.com/solo-io/gloo/projects/gateway2/krtcollections"
 	ggv2utils "github.com/solo-io/gloo/projects/gateway2/utils"
@@ -14,6 +13,7 @@ import (
 	glookubev1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/kube/apis/gloo.solo.io/v1"
 	"github.com/solo-io/gloo/projects/gloo/pkg/plugins"
 	"github.com/solo-io/gloo/projects/gloo/pkg/syncer/setup"
+	"github.com/solo-io/gloo/projects/gloo/pkg/translator"
 	"github.com/solo-io/go-utils/contextutils"
 	envoycache "github.com/solo-io/solo-kit/pkg/api/v1/control-plane/cache"
 	"github.com/solo-io/solo-kit/pkg/api/v1/control-plane/resource"
@@ -25,10 +25,15 @@ import (
 )
 
 type uccWithCluster struct {
-	Client         krtcollections.UniqlyConnectedClient
-	Cluster        envoycache.Resource
-	ClusterVersion uint64
-	upstreamName   string
+	Client                  krtcollections.UniqlyConnectedClient
+	Cluster                 envoycache.Resource
+	ClusterVersion          uint64
+	AdditionalClusters      []envoycache.Resource
+	AdditionalClustersHash  uint64
+	AdditionalListeners     []envoycache.Resource
+	AdditionalListenersHash uint64
+
+	upstreamName string
 }
 
 func (c uccWithCluster) ResourceName() string {
@@ -91,19 +96,40 @@ func NewPerClientEnvoyClusters(
 				latestSnap.Secrets = append(latestSnap.Secrets, s.Inner)
 			}
 
-			c, version := translate(ctx, settings, translator, latestSnap, upstream)
-			if c == nil {
+			// TODO make sure that translate returns a nil result if cluster would have been nil previously
+			clusterResult, version := translate(ctx, settings, translator, latestSnap, upstream)
+			if clusterResult == nil {
 				continue
 			}
+
+			c := clusterResult.Cluster
 			if name != "" && c.GetEdsClusterConfig() != nil {
 				c.GetEdsClusterConfig().ServiceName = name
 			}
 
+			additionalClusters := make([]envoycache.Resource, 0, len(clusterResult.AdditionalClusters))
+			additionalClustersHash := uint64(0)
+			for _, additionalCluster := range clusterResult.AdditionalClusters {
+				additionalClusters = append(additionalClusters, resource.NewEnvoyResource(additionalCluster))
+				additionalClustersHash ^= ggv2utils.HashProto(additionalCluster)
+			}
+
+			additionalListeners := make([]envoycache.Resource, 0, len(clusterResult.AdditionalListeners))
+			additionalListenersHash := uint64(0)
+			for _, additionalListener := range clusterResult.AdditionalListeners {
+				additionalListeners = append(additionalListeners, resource.NewEnvoyResource(additionalListener))
+				additionalListenersHash ^= ggv2utils.HashProto(additionalListener)
+			}
+
 			uccWithClusterRet = append(uccWithClusterRet, uccWithCluster{
-				Client:         ucc,
-				Cluster:        resource.NewEnvoyResource(c),
-				ClusterVersion: version,
-				upstreamName:   up.ResourceName(),
+				Client:                  ucc,
+				Cluster:                 resource.NewEnvoyResource(c),
+				ClusterVersion:          version,
+				upstreamName:            up.ResourceName(),
+				AdditionalClusters:      additionalClusters,
+				AdditionalClustersHash:  additionalClustersHash,
+				AdditionalListeners:     additionalListeners,
+				AdditionalListenersHash: additionalListenersHash,
 			})
 		}
 		return uccWithClusterRet
@@ -118,7 +144,12 @@ func NewPerClientEnvoyClusters(
 	}
 }
 
-func translate(ctx context.Context, settings *gloov1.Settings, translator setup.TranslatorFactory, snap *gloosnapshot.ApiSnapshot, up *gloov1.Upstream) (*envoy_config_cluster_v3.Cluster, uint64) {
+func translate(
+	ctx context.Context, settings *gloov1.Settings,
+	translator setup.TranslatorFactory,
+	snap *gloosnapshot.ApiSnapshot,
+	up *gloov1.Upstream,
+) (*translator.ClusterResult, uint64) {
 	ctx = settingsutil.WithSettings(ctx, settings)
 
 	params := plugins.Params{
@@ -129,12 +160,15 @@ func translate(ctx context.Context, settings *gloov1.Settings, translator setup.
 	}
 
 	// false here should be ok - plugins should set eds on eds clusters.
-	cluster, _ := translator.NewClusterTranslator(ctx, settings).TranslateCluster(params, up)
-	if cluster == nil {
+	clusterResult, _ := translator.NewClusterTranslator(ctx, settings).TranslateCluster(params, up)
+	if clusterResult == nil {
+		// TODO: handle the reports coming from the translator
+		// this is a loose end that likely will not need to be resolved before the kgateway rebase
+		// as the Gloo translator is still used and remitting the reports
 		return nil, 0
 	}
 
-	return cluster, ggv2utils.HashProto(cluster)
+	return clusterResult, ggv2utils.HashProto(clusterResult.Cluster)
 }
 
 func ApplyDestRulesForUpstream(destrule *DestinationRuleWrapper, u *gloov1.Upstream) (*gloov1.Upstream, string) {

projects/gateway2/setup/ggv2setup_test.go

@@ -410,9 +410,12 @@ func (x xdsDumper) Dump(t *testing.T, ctx context.Context) xdsDump {
 	var clusters []*envoycluster.Cluster
 	var listeners []*envoylistener.Listener
 
-	// run this in parallel with a 5s timeout
+	// run this in parallel with a 15s timeout
 	done := make(chan struct{})
 	go func() {
+		// give some time to process to reduce flakiness
+		time.Sleep(5 * time.Second)
+
 		defer close(done)
 		sent := 2
 		for i := 0; i < sent; i++ {
@@ -432,14 +435,21 @@ func (x xdsDumper) Dump(t *testing.T, ctx context.Context) xdsDump {
 				}
 			} else if dresp.GetTypeUrl() == "type.googleapis.com/envoy.config.listener.v3.Listener" {
 				needMoreListerners := false
+
 				for _, anyListener := range dresp.GetResources() {
 					var listener envoylistener.Listener
 					if err := anyListener.UnmarshalTo(&listener); err != nil {
 						t.Errorf("failed to unmarshal listener: %v", err)
 					}
 					listeners = append(listeners, &listener)
-					needMoreListerners = needMoreListerners || (len(getroutesnames(&listener)) == 0)
+					// ROLDS: Disabling this, it didn't like the pipe listener
+					// from the upstream-tunneling.yaml test as it expects routes on all listeners.
+					// It looks like this was put in place to deflake. I've run the tests
+					// in a loop on my workstation and they consistently passed.
+					// for i in {1..30}; do go clean -testcache; go test ./projects/gateway2/setup/...; done
+					//needMoreListerners = needMoreListerners || (len(getRouteNames(&listener)) == 0)
 				}
+
 				if len(listeners) == 0 {
 					needMoreListerners = true
 				}
@@ -460,7 +470,7 @@ func (x xdsDumper) Dump(t *testing.T, ctx context.Context) xdsDump {
 	}()
 	select {
 	case <-done:
-	case <-time.After(5 * time.Second):
+	case <-time.After(15 * time.Second):
 		// don't fatal yet as we want to dump the state while still connected
 		t.Error("timed out waiting for listener/cluster xds dump")
 		return xdsDump{}
@@ -484,7 +494,7 @@ func (x xdsDumper) Dump(t *testing.T, ctx context.Context) xdsDump {
 
 	var routenames []string
 	for _, l := range listeners {
-		routenames = append(routenames, getroutesnames(l)...)
+		routenames = append(routenames, getRouteNames(l)...)
 	}
 
 	dr = proto.Clone(x.dr).(*discovery_v3.DiscoveryRequest)
@@ -790,10 +800,13 @@ func protoJsonRoundTrip(c proto.Message) (any, error) {
 	return roundtrip, nil
 }
 
-func getroutesnames(l *envoylistener.Listener) []string {
+func getRouteNames(l *envoylistener.Listener) []string {
 	var routes []string
 	for _, fc := range l.GetFilterChains() {
 		for _, filter := range fc.GetFilters() {
+			fmt.Printf("filter: %s\n", filter.GetName())
+
+			// check if the filter is a http connection manager
 			suffix := string((&envoyhttp.HttpConnectionManager{}).ProtoReflect().Descriptor().FullName())
 			if strings.HasSuffix(filter.GetTypedConfig().GetTypeUrl(), suffix) {
 				var hcm envoyhttp.HttpConnectionManager