EnvoyFilter: proxy metadata match (#15931)

Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io>
istio · Jul 30, 2019 · bc43260 · bc43260
1 parent cbd2f70
commit bc43260
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 30 deletions.
diff --git a/pilot/pkg/networking/core/v1alpha3/envoyfilter/cluster_patch.go b/pilot/pkg/networking/core/v1alpha3/envoyfilter/cluster_patch.go
@@ -41,7 +41,7 @@ func ApplyClusterPatches(patchContext networking.EnvoyFilter_PatchContext, proxy
 					continue
 				}
 
-				if patchContextMatch(patchContext, cp) && clusterMatch(clusters[i], cp) {
+				if commonConditionMatch(proxy, patchContext, cp) && clusterMatch(clusters[i], cp) {
 					if cp.Operation == networking.EnvoyFilter_Patch_REMOVE {
 						clusters[i] = nil
 						clustersRemoved = true
@@ -55,7 +55,7 @@ func ApplyClusterPatches(patchContext networking.EnvoyFilter_PatchContext, proxy
 		// Add cluster if the operation is add, and patch context matches
 		for _, cp := range efw.Patches[networking.EnvoyFilter_CLUSTER] {
 			if cp.Operation == networking.EnvoyFilter_Patch_ADD {
-				if patchContextMatch(patchContext, cp) {
+				if commonConditionMatch(proxy, patchContext, cp) {
 					clusters = append(clusters, cp.Value.(*xdsapi.Cluster))
 				}
 			}

diff --git a/pilot/pkg/networking/core/v1alpha3/envoyfilter/listener_patch.go b/pilot/pkg/networking/core/v1alpha3/envoyfilter/listener_patch.go
@@ -32,10 +32,10 @@ func ApplyListenerPatches(patchContext networking.EnvoyFilter_PatchContext,
 	proxy *model.Proxy, push *model.PushContext, listeners []*xdsapi.Listener, skipAdds bool) []*xdsapi.Listener {
 
 	envoyFilterWrappers := push.EnvoyFilters(proxy)
-	return doListenerListOperation(patchContext, envoyFilterWrappers, listeners, skipAdds)
+	return doListenerListOperation(proxy, patchContext, envoyFilterWrappers, listeners, skipAdds)
 }
 
-func doListenerListOperation(patchContext networking.EnvoyFilter_PatchContext,
+func doListenerListOperation(proxy *model.Proxy, patchContext networking.EnvoyFilter_PatchContext,
 	envoyFilterWrappers []*model.EnvoyFilterWrapper,
 	listeners []*xdsapi.Listener, skipAdds bool) []*xdsapi.Listener {
 	listenersRemoved := false
@@ -49,15 +49,15 @@ func doListenerListOperation(patchContext networking.EnvoyFilter_PatchContext,
 				// removed by another op
 				continue
 			}
-			doListenerOperation(patchContext, efw.Patches, listener, &listenersRemoved)
+			doListenerOperation(proxy, patchContext, efw.Patches, listener, &listenersRemoved)
 		}
 		// adds at listener level if enabled
 		if skipAdds {
 			continue
 		}
 		for _, cp := range efw.Patches[networking.EnvoyFilter_LISTENER] {
 			if cp.Operation == networking.EnvoyFilter_Patch_ADD {
-				if !patchContextMatch(patchContext, cp) {
+				if !commonConditionMatch(proxy, patchContext, cp) {
 					continue
 				}
 
@@ -77,11 +77,11 @@ func doListenerListOperation(patchContext networking.EnvoyFilter_PatchContext,
 	return listeners
 }
 
-func doListenerOperation(patchContext networking.EnvoyFilter_PatchContext,
+func doListenerOperation(proxy *model.Proxy, patchContext networking.EnvoyFilter_PatchContext,
 	patches map[networking.EnvoyFilter_ApplyTo][]*model.EnvoyFilterConfigPatchWrapper,
 	listener *xdsapi.Listener, listenersRemoved *bool) {
 	for _, cp := range patches[networking.EnvoyFilter_LISTENER] {
-		if !patchContextMatch(patchContext, cp) ||
+		if !commonConditionMatch(proxy, patchContext, cp) ||
 			!listenerMatch(listener, cp) {
 			continue
 		}
@@ -96,22 +96,22 @@ func doListenerOperation(patchContext networking.EnvoyFilter_PatchContext,
 		}
 	}
 
-	doFilterChainListOperation(patchContext, patches, listener)
+	doFilterChainListOperation(proxy, patchContext, patches, listener)
 }
 
-func doFilterChainListOperation(patchContext networking.EnvoyFilter_PatchContext,
+func doFilterChainListOperation(proxy *model.Proxy, patchContext networking.EnvoyFilter_PatchContext,
 	patches map[networking.EnvoyFilter_ApplyTo][]*model.EnvoyFilterConfigPatchWrapper,
 	listener *xdsapi.Listener) {
 	filterChainsRemoved := false
 	for i, fc := range listener.FilterChains {
 		if fc.Filters == nil {
 			continue
 		}
-		doFilterChainOperation(patchContext, patches, listener, &listener.FilterChains[i], &filterChainsRemoved)
+		doFilterChainOperation(proxy, patchContext, patches, listener, &listener.FilterChains[i], &filterChainsRemoved)
 	}
 	for _, cp := range patches[networking.EnvoyFilter_FILTER_CHAIN] {
 		if cp.Operation == networking.EnvoyFilter_Patch_ADD {
-			if !patchContextMatch(patchContext, cp) ||
+			if !commonConditionMatch(proxy, patchContext, cp) ||
 				!listenerMatch(listener, cp) {
 				continue
 			}
@@ -129,12 +129,12 @@ func doFilterChainListOperation(patchContext networking.EnvoyFilter_PatchContext
 	}
 }
 
-func doFilterChainOperation(patchContext networking.EnvoyFilter_PatchContext,
+func doFilterChainOperation(proxy *model.Proxy, patchContext networking.EnvoyFilter_PatchContext,
 	patches map[networking.EnvoyFilter_ApplyTo][]*model.EnvoyFilterConfigPatchWrapper,
 	listener *xdsapi.Listener,
 	fc *xdslistener.FilterChain, filterChainRemoved *bool) {
 	for _, cp := range patches[networking.EnvoyFilter_FILTER_CHAIN] {
-		if !patchContextMatch(patchContext, cp) ||
+		if !commonConditionMatch(proxy, patchContext, cp) ||
 			!listenerMatch(listener, cp) ||
 			!filterChainMatch(fc, cp) {
 			continue
@@ -148,21 +148,21 @@ func doFilterChainOperation(patchContext networking.EnvoyFilter_PatchContext,
 			proto.Merge(fc, cp.Value)
 		}
 	}
-	doNetworkFilterListOperation(patchContext, patches, listener, fc)
+	doNetworkFilterListOperation(proxy, patchContext, patches, listener, fc)
 }
 
-func doNetworkFilterListOperation(patchContext networking.EnvoyFilter_PatchContext,
+func doNetworkFilterListOperation(proxy *model.Proxy, patchContext networking.EnvoyFilter_PatchContext,
 	patches map[networking.EnvoyFilter_ApplyTo][]*model.EnvoyFilterConfigPatchWrapper,
 	listener *xdsapi.Listener, fc *xdslistener.FilterChain) {
 	networkFiltersRemoved := false
 	for i, filter := range fc.Filters {
 		if filter.Name == "" {
 			continue
 		}
-		doNetworkFilterOperation(patchContext, patches, listener, fc, &fc.Filters[i], &networkFiltersRemoved)
+		doNetworkFilterOperation(proxy, patchContext, patches, listener, fc, &fc.Filters[i], &networkFiltersRemoved)
 	}
 	for _, cp := range patches[networking.EnvoyFilter_NETWORK_FILTER] {
-		if !patchContextMatch(patchContext, cp) ||
+		if !commonConditionMatch(proxy, patchContext, cp) ||
 			!listenerMatch(listener, cp) ||
 			!filterChainMatch(fc, cp) {
 			continue
@@ -228,12 +228,12 @@ func doNetworkFilterListOperation(patchContext networking.EnvoyFilter_PatchConte
 	}
 }
 
-func doNetworkFilterOperation(patchContext networking.EnvoyFilter_PatchContext,
+func doNetworkFilterOperation(proxy *model.Proxy, patchContext networking.EnvoyFilter_PatchContext,
 	patches map[networking.EnvoyFilter_ApplyTo][]*model.EnvoyFilterConfigPatchWrapper,
 	listener *xdsapi.Listener, fc *xdslistener.FilterChain,
 	filter *xdslistener.Filter, networkFilterRemoved *bool) {
 	for _, cp := range patches[networking.EnvoyFilter_NETWORK_FILTER] {
-		if !patchContextMatch(patchContext, cp) ||
+		if !commonConditionMatch(proxy, patchContext, cp) ||
 			!listenerMatch(listener, cp) ||
 			!filterChainMatch(fc, cp) ||
 			!networkFilterMatch(filter, cp) {
@@ -249,11 +249,11 @@ func doNetworkFilterOperation(patchContext networking.EnvoyFilter_PatchContext,
 		}
 	}
 	if filter.Name == xdsutil.HTTPConnectionManager {
-		doHTTPFilterListOperation(patchContext, patches, listener, fc, filter)
+		doHTTPFilterListOperation(proxy, patchContext, patches, listener, fc, filter)
 	}
 }
 
-func doHTTPFilterListOperation(patchContext networking.EnvoyFilter_PatchContext,
+func doHTTPFilterListOperation(proxy *model.Proxy, patchContext networking.EnvoyFilter_PatchContext,
 	patches map[networking.EnvoyFilter_ApplyTo][]*model.EnvoyFilterConfigPatchWrapper,
 	listener *xdsapi.Listener, fc *xdslistener.FilterChain, filter *xdslistener.Filter) {
 	hcm := &http_conn.HttpConnectionManager{}
@@ -273,10 +273,10 @@ func doHTTPFilterListOperation(patchContext networking.EnvoyFilter_PatchContext,
 		if httpFilter.Name == "" {
 			continue
 		}
-		doHTTPFilterOperation(patchContext, patches, listener, fc, filter, httpFilter, &httpFiltersRemoved)
+		doHTTPFilterOperation(proxy, patchContext, patches, listener, fc, filter, httpFilter, &httpFiltersRemoved)
 	}
 	for _, cp := range patches[networking.EnvoyFilter_HTTP_FILTER] {
-		if !patchContextMatch(patchContext, cp) ||
+		if !commonConditionMatch(proxy, patchContext, cp) ||
 			!listenerMatch(listener, cp) ||
 			!filterChainMatch(fc, cp) ||
 			!networkFilterMatch(filter, cp) {
@@ -351,12 +351,12 @@ func doHTTPFilterListOperation(patchContext networking.EnvoyFilter_PatchContext,
 	}
 }
 
-func doHTTPFilterOperation(patchContext networking.EnvoyFilter_PatchContext,
+func doHTTPFilterOperation(proxy *model.Proxy, patchContext networking.EnvoyFilter_PatchContext,
 	patches map[networking.EnvoyFilter_ApplyTo][]*model.EnvoyFilterConfigPatchWrapper,
 	listener *xdsapi.Listener, fc *xdslistener.FilterChain, filter *xdslistener.Filter,
 	httpFilter *http_conn.HttpFilter, httpFilterRemoved *bool) {
 	for _, cp := range patches[networking.EnvoyFilter_HTTP_FILTER] {
-		if !patchContextMatch(patchContext, cp) ||
+		if !commonConditionMatch(proxy, patchContext, cp) ||
 			!listenerMatch(listener, cp) ||
 			!filterChainMatch(fc, cp) ||
 			!networkFilterMatch(filter, cp) ||
@@ -478,3 +478,33 @@ func patchContextMatch(patchContext networking.EnvoyFilter_PatchContext,
 	cp *model.EnvoyFilterConfigPatchWrapper) bool {
 	return cp.Match.Context == patchContext || cp.Match.Context == networking.EnvoyFilter_ANY
 }
+
+func proxyMatch(proxy *model.Proxy, cp *model.EnvoyFilterConfigPatchWrapper) bool {
+	if cp.Match.Proxy == nil {
+		return true
+	}
+
+	ver, _ := proxy.GetIstioVersion()
+	if cp.Match.Proxy.GetVersionEq() != "" {
+		if cp.Match.Proxy.GetVersionEq() != ver {
+			return false
+		}
+	} else if cp.Match.Proxy.GetVersionGe() != "" {
+		// this is very unreliable.
+		if ver < cp.Match.Proxy.GetVersionGe() {
+			return false
+		}
+	}
+
+	for k, v := range cp.Match.Proxy.Metadata {
+		if proxy.Metadata[k] != v {
+			return false
+		}
+	}
+	return true
+}
+
+func commonConditionMatch(proxy *model.Proxy, patchContext networking.EnvoyFilter_PatchContext,
+	cp *model.EnvoyFilterConfigPatchWrapper) bool {
+	return patchContextMatch(patchContext, cp) && proxyMatch(proxy, cp)
+}
diff --git a/pilot/pkg/networking/core/v1alpha3/envoyfilter/listener_patch_test.go b/pilot/pkg/networking/core/v1alpha3/envoyfilter/listener_patch_test.go
@@ -94,6 +94,9 @@ func TestApplyListenerPatches(t *testing.T) {
 			ApplyTo: networking.EnvoyFilter_LISTENER,
 			Match: &networking.EnvoyFilter_EnvoyConfigObjectMatch{
 				Context: networking.EnvoyFilter_SIDECAR_OUTBOUND,
+				Proxy: &networking.EnvoyFilter_ProxyMatch{
+					Metadata: map[string]string{"foo": "sidecar"},
+				},
 			},
 			Patch: &networking.EnvoyFilter_Patch{
 				Operation: networking.EnvoyFilter_Patch_ADD,
@@ -559,7 +562,8 @@ func TestApplyListenerPatches(t *testing.T) {
 		},
 	}
 
-	sidecarProxy := &model.Proxy{Type: model.SidecarProxy, ConfigNamespace: "not-default"}
+	sidecarProxy := &model.Proxy{Type: model.SidecarProxy, ConfigNamespace: "not-default",
+		Metadata: map[string]string{"foo": "sidecar", "bar": "proxy"}}
 	gatewayProxy := &model.Proxy{Type: model.Router, ConfigNamespace: "not-default"}
 	serviceDiscovery := &fakes.ServiceDiscovery{}
 	env := newTestEnvironment(serviceDiscovery, testMesh, buildEnvoyFilterConfigStore(configPatches))

diff --git a/pilot/pkg/networking/core/v1alpha3/envoyfilter/rc_patch.go b/pilot/pkg/networking/core/v1alpha3/envoyfilter/rc_patch.go
@@ -35,7 +35,7 @@ func ApplyRouteConfigurationPatches(patchContext networking.EnvoyFilter_PatchCon
 	for _, efw := range envoyFilterWrappers {
 		// only merge is applicable for route configuration. Validation checks for the same.
 		for _, cp := range efw.Patches[networking.EnvoyFilter_ROUTE_CONFIGURATION] {
-			if patchContextMatch(patchContext, cp) &&
+			if commonConditionMatch(proxy, patchContext, cp) &&
 				routeConfigurationMatch(patchContext, routeConfiguration, cp) {
 				proto.Merge(routeConfiguration, cp.Value)
 			}
@@ -50,7 +50,7 @@ func ApplyRouteConfigurationPatches(patchContext networking.EnvoyFilter_PatchCon
 				continue
 			}
 
-			if !patchContextMatch(patchContext, cp) ||
+			if !commonConditionMatch(proxy, patchContext, cp) ||
 				!routeConfigurationMatch(patchContext, routeConfiguration, cp) {
 				continue
 			}
@@ -79,7 +79,7 @@ func ApplyRouteConfigurationPatches(patchContext networking.EnvoyFilter_PatchCon
 				continue
 			}
 
-			if patchContextMatch(patchContext, cp) &&
+			if commonConditionMatch(proxy, patchContext, cp) &&
 				routeConfigurationMatch(patchContext, routeConfiguration, cp) {
 				routeConfiguration.VirtualHosts = append(routeConfiguration.VirtualHosts, *cp.Value.(*route.VirtualHost))
 			}