policy: Add ParserTypeCRD

Add a sticky parser type for CiliumEnvoyConfig CRDs. This will be used for policy based redirect to custom Envoy listeners. While CRD parser type will be redirected to Envoy, it is generally handled by a custom Listener, which may not perform HTTP policy enforcement. Thus this parser type is incompatible with HTTP rules. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
cilium · Dec 13, 2022 · 38589e7 · 38589e7
1 parent 9eb0bfb
commit 38589e7
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 5 deletions.
diff --git a/pkg/policy/l4.go b/pkg/policy/l4.go
@@ -286,9 +286,13 @@ func (l7 L7ParserType) String() string {
 const (
 	// ParserTypeNone represents the case where no parser type is provided.
 	ParserTypeNone L7ParserType = ""
-	// ParserTypeTLS is used when TLS origination, termination, or SNI filtering is used
-	// without any L7 parsing. If TLS policies are used with HTTP, ParserTypeHTTP is used.
+	// ParserTypeTLS is used for TLS origination, termination, or SNI filtering without any L7
+	// parsing. If TLS policies are used with HTTP rules, ParserTypeHTTP is used instead.
 	ParserTypeTLS L7ParserType = "tls"
+	// ParserTypeCRD is used with a custom CiliumEnvoyConfig redirection. Incompatible with any
+	// parser type with L7 enforcement (HTTP, Kafka, proxylib), as the custom Listener generally
+	// does not support them.
+	ParserTypeCRD L7ParserType = "crd"
 	// ParserTypeHTTP specifies a HTTP parser type
 	ParserTypeHTTP L7ParserType = "http"
 	// ParserTypeKafka specifies a Kafka parser type
@@ -319,9 +323,9 @@ func (from L7ParserType) canPromoteTo(to L7ParserType) bool {
 		// ParserTypeNone can be promoted to any other type
 		return true
 	case ParserTypeTLS:
-		// ParserTypeTLS can be promoted to any other type, except for DNS,
+		// ParserTypeTLS can be promoted to any other type, except for DNS or CRD,
 		// but ParserTypeTLS can not be demoted to ParserTypeNone
-		if to != ParserTypeNone && to != ParserTypeDNS {
+		if to != ParserTypeNone && to != ParserTypeDNS && to != ParserTypeCRD {
 			return true
 		}
 	}
@@ -694,6 +698,7 @@ func createL4Filter(policyCtx PolicyContext, peerEndpoints api.EndpointSelectorS
 		if err != nil {
 			return nil, err
 		}
+
 		// Set parser type to TLS, if TLS. This will be overridden by L7 below, if rules
 		// exists.
 		if terminatingTLS != nil || originatingTLS != nil || len(pr.ServerNames) > 0 {
@@ -814,7 +819,7 @@ func (l4 *L4Filter) redirectType() redirectTypes {
 		return redirectTypeNone
 	case ParserTypeDNS:
 		return redirectTypeDNS
-	case ParserTypeHTTP, ParserTypeTLS:
+	case ParserTypeHTTP, ParserTypeTLS, ParserTypeCRD:
 		return redirectTypeEnvoy
 	default:
 		// all other (non-empty) values are used for proxylib redirects

diff --git a/pkg/policy/l4_test.go b/pkg/policy/l4_test.go
@@ -6,6 +6,7 @@ package policy
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"sort"
 
 	"github.com/kr/pretty"
@@ -54,6 +55,23 @@ func (s *PolicyTestSuite) TestParserTypeMerge(c *C) {
 		{ParserTypeNone, ParserTypeTLS, ParserTypeTLS, true},
 		{ParserTypeTLS, ParserTypeNone, ParserTypeTLS, true},
 
+		{ParserTypeNone, ParserTypeCRD, ParserTypeCRD, true},
+		{ParserTypeCRD, ParserTypeNone, ParserTypeCRD, true},
+
+		// None of the actual parser types can be promoted to CRD
+
+		{ParserTypeHTTP, ParserTypeCRD, ParserTypeNone, false},
+		{ParserTypeCRD, ParserTypeHTTP, ParserTypeNone, false},
+
+		{ParserTypeTLS, ParserTypeCRD, ParserTypeNone, false},
+		{ParserTypeCRD, ParserTypeTLS, ParserTypeNone, false},
+
+		{ParserTypeKafka, ParserTypeCRD, ParserTypeNone, false},
+		{ParserTypeCRD, ParserTypeKafka, ParserTypeNone, false},
+
+		{L7ParserType("foo"), ParserTypeCRD, ParserTypeNone, false},
+		{ParserTypeCRD, L7ParserType("foo"), ParserTypeNone, false},
+
 		// TLS can also be promoted to any other type except for DNS (but not demoted to
 		// None)
 
@@ -68,6 +86,9 @@ func (s *PolicyTestSuite) TestParserTypeMerge(c *C) {
 
 		// DNS does not merge with anything else
 
+		{ParserTypeCRD, ParserTypeDNS, ParserTypeNone, false},
+		{ParserTypeDNS, ParserTypeCRD, ParserTypeNone, false},
+
 		{ParserTypeTLS, ParserTypeDNS, ParserTypeNone, false},
 		{ParserTypeDNS, ParserTypeTLS, ParserTypeNone, false},
 
@@ -97,6 +118,9 @@ func (s *PolicyTestSuite) TestParserTypeMerge(c *C) {
 		} else {
 			c.Assert(err, Not(Equals), nil)
 		}
+		if res != t.c {
+			fmt.Printf("Merge %s with %s, expecting %s\n", t.a, t.b, t.c)
+		}
 		c.Assert(res, Equals, t.c)
 	}
 }