kumahq · michaelbeaumont · Aug 8, 2022 · Aug 3, 2022 · Aug 3, 2022 · Aug 3, 2022
@@ -82,6 +82,8 @@ message MeshGateway {
   }
 
   message Listener {
+    message Resources { uint32 connectionLimit = 1; }
+
     enum Protocol {
       NONE = 0;
       TCP = 1;
@@ -121,6 +123,8 @@ message MeshGateway {
     // CrossMesh enables traffic to flow to this listener only from other
     // meshes.
     bool crossMesh = 6;
+
+    Resources resources = 7;
   }
 
   // Conf defines the desired state of MeshGateway.

@@ -103,5 +103,9 @@
         - `crossmesh` (optional)
 
             CrossMesh enables traffic to flow to this listener only from other
-            meshes.
+            meshes.    
+
+        - `resources` (optional)    
+
+            - `connectionlimit` (optional)
 
@@ -5,6 +5,7 @@ import (
 	"sort"
 	"strings"
 
+	envoy_service_runtime_v3 "github.com/envoyproxy/go-control-plane/envoy/service/runtime/v3"
 	"github.com/pkg/errors"
 
 	mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1"
@@ -15,6 +16,7 @@ import (
 	"github.com/kumahq/kuma/pkg/plugins/runtime/gateway/match"
 	"github.com/kumahq/kuma/pkg/plugins/runtime/gateway/merge"
 	"github.com/kumahq/kuma/pkg/plugins/runtime/gateway/route"
+	util_proto "github.com/kumahq/kuma/pkg/util/proto"
 	xds_context "github.com/kumahq/kuma/pkg/xds/context"
 	envoy_listeners "github.com/kumahq/kuma/pkg/xds/envoy/listeners"
 	envoy_names "github.com/kumahq/kuma/pkg/xds/envoy/names"
@@ -62,6 +64,7 @@ type GatewayListener struct {
 	// CrossMesh is important because for generation we need to treat such a
 	// listener as if we have HTTPS with the Mesh cert for this Dataplane
 	CrossMesh bool
+	Resources *mesh_proto.MeshGateway_Listener_Resources // TODO verify these don't conflict when merging
 }
 
 // GatewayListenerInfo holds everything needed to generate resources for a
@@ -211,6 +214,8 @@ func (g Generator) Generate(ctx xds_context.Context, proxy *core_xds.Proxy) (*co
 		return nil, errors.Wrap(err, "error generating listener info from Proxy")
 	}
 
+	var limits []RuntimeResoureLimitListener
+
 	for _, info := range listenerInfos {
 		// This is checked by the gateway validator
 		if !SupportsProtocol(info.Listener.Protocol) {
@@ -223,25 +228,50 @@ func (g Generator) Generate(ctx xds_context.Context, proxy *core_xds.Proxy) (*co
 		}
 		resources.AddSet(cdsResources)
 
-		ldsResources, err := g.generateLDS(ctx, info, info.HostInfos)
+		ldsResources, limit, err := g.generateLDS(ctx, info, info.HostInfos)
 		if err != nil {
 			return nil, err
 		}
 		resources.AddSet(ldsResources)
 
+		if limit != nil {
+			limits = append(limits, *limit)
+		}
+
 		rdsResources, err := g.generateRDS(ctx, info, info.HostInfos)
 		if err != nil {
 			return nil, err
 		}
 		resources.AddSet(rdsResources)
 	}
 
+	resources.Add(g.generateRTDS(limits))
+
 	return resources, nil
 }
 
-func (g Generator) generateLDS(ctx xds_context.Context, info GatewayListenerInfo, hostInfos []GatewayHostInfo) (*core_xds.ResourceSet, error) {
+func (g Generator) generateRTDS(limits []RuntimeResoureLimitListener) *core_xds.Resource {
+	layer := map[string]interface{}{}
+	for _, limit := range limits {
+		layer[fmt.Sprintf("envoy.resource_limits.listener.%s.connection_limit", limit.Name)] = limit.ConnectionLimit
+	}
+
+	res := &core_xds.Resource{
+		Name:   "gateway.listeners",
+		Origin: OriginGateway,
+		Resource: &envoy_service_runtime_v3.Runtime{
+			Name:  "gateway.listeners",
+			Layer: util_proto.MustStruct(layer),
+		},
+	}
+
+	return res
+}
+
+func (g Generator) generateLDS(ctx xds_context.Context, info GatewayListenerInfo, hostInfos []GatewayHostInfo) (*core_xds.ResourceSet, *RuntimeResoureLimitListener, error) {
 	resources := core_xds.NewResourceSet()
-	listenerBuilder := GenerateListener(info)
+
+	listenerBuilder, limit := GenerateListener(info)
 
 	var gatewayHosts []GatewayHost
 	for _, hostInfo := range hostInfos {
@@ -254,7 +284,7 @@ func (g Generator) generateLDS(ctx xds_context.Context, info GatewayListenerInfo
 	}
 	res, filterChainBuilders, err := g.FilterChainGenerators.FilterChainGenerators[protocol].Generate(ctx, info, gatewayHosts)
 	if err != nil {
-		return nil, err
+		return nil, limit, err
 	}
 	resources.AddSet(res)
 
@@ -264,11 +294,11 @@ func (g Generator) generateLDS(ctx xds_context.Context, info GatewayListenerInfo
 
 	res, err = BuildResourceSet(listenerBuilder)
 	if err != nil {
-		return nil, errors.Wrapf(err, "failed to build listener resource")
+		return nil, limit, errors.Wrapf(err, "failed to build listener resource")
 	}
 	resources.AddSet(res)
 
-	return resources, nil
+	return resources, limit, nil
 }
 
 func (g Generator) generateCDS(ctx xds_context.Context, info GatewayListenerInfo, hostInfos []GatewayHostInfo) (*core_xds.ResourceSet, error) {
@@ -335,6 +365,7 @@ func MakeGatewayListener(
 			listeners[0].GetPort(),
 		),
 		CrossMesh: listeners[0].CrossMesh,
+		Resources: listeners[0].GetResources(),
 	}
 
 	// Hostnames must be unique to a listener to remove ambiguity

@@ -27,7 +27,12 @@ func SupportsProtocol(p mesh_proto.MeshGateway_Listener_Protocol) bool {
 	}
 }
 
-func GenerateListener(info GatewayListenerInfo) *envoy_listeners.ListenerBuilder {
+type RuntimeResoureLimitListener struct {
+	Name            string
+	ConnectionLimit uint32
+}
+
+func GenerateListener(info GatewayListenerInfo) (*envoy_listeners.ListenerBuilder, *RuntimeResoureLimitListener) {
 	// TODO(jpeach) what we really need to do here is to
 	// generate a HTTP filter chain for each
 	// host on the same HTTPConnectionManager. Each HTTP filter
@@ -48,18 +53,29 @@ func GenerateListener(info GatewayListenerInfo) *envoy_listeners.ListenerBuilder
 		"protocol", protocol,
 	)
 
-	// TODO(jpeach) if proxy protocol is enabled, add the proxy protocol listener filter.
+	name := envoy_names.GetGatewayListenerName(info.Gateway.Meta.GetName(), protocol.String(), port)
 
+	var limits *RuntimeResoureLimitListener
+	if resources := info.Listener.Resources; resources != nil {
+		if resources.ConnectionLimit > 0 {
+			limits = &RuntimeResoureLimitListener{
+				Name:            name,
+				ConnectionLimit: resources.ConnectionLimit,
+			}
+		}
+	}
+
+	// TODO(jpeach) if proxy protocol is enabled, add the proxy protocol listener filter.
 	return envoy_listeners.NewListenerBuilder(info.Proxy.APIVersion).
 		Configure(
 			envoy_listeners.InboundListener(
-				envoy_names.GetGatewayListenerName(info.Gateway.Meta.GetName(), protocol.String(), port),
+				name,
 				address, port, core_xds.SocketAddressProtocolTCP),
 			// Limit default buffering for edge connections.
 			envoy_listeners.ConnectionBufferLimit(DefaultConnectionBuffer),
 			// Roughly balance incoming connections.
 			envoy_listeners.EnableReusePort(true),
 			// Always sniff for TLS.
 			envoy_listeners.TLSInspector(),
-		)
+		), limits
 }
@@ -3,7 +3,6 @@ package gateway_test
 import (
 	"path"
 
-	envoy_types "github.com/envoyproxy/go-control-plane/pkg/cache/types"
 	"github.com/envoyproxy/go-control-plane/pkg/cache/v3"
 	"github.com/ghodss/yaml"
 	. "github.com/onsi/ginkgo/v2"
@@ -84,7 +83,7 @@ data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBM3ZWM1cvNX
 			snap, err := Do(gateway)
 			Expect(err).To(Succeed())
 
-			out, err := yaml.Marshal(MakeProtoResource(snap.Resources[envoy_types.Listener]))
+			out, err := yaml.Marshal(MakeProtoSnapshot(snap))
 			Expect(err).To(Succeed())
 
 			Expect(out).To(matchers.MatchGoldenYAML(path.Join("testdata", golden)))
@@ -218,6 +217,23 @@ conf:
     tags:
       name: example.com
 `),
+
+		Entry("should add connection limits",
+			"connection-limited-listener.yaml", `
+type: MeshGateway
+mesh: default
+name: default-gateway
+selectors:
+- match:
+    kuma.io/service: gateway-default
+conf:
+  listeners:
+  - port: 443
+    protocol: TCP
+    hostname: bar.example.com
+    resources:
+      connectionLimit: 10000
+`),
 	)
 
 	DescribeTable("fail to generate xDS resources",

@@ -1,58 +1,89 @@
-Resources:
-  edge-gateway:HTTP:8080:
-    address:
-      socketAddress:
-        address: 192.168.1.1
-        portValue: 8080
-    enableReusePort: true
-    filterChains:
-    - filters:
-      - name: envoy.filters.network.http_connection_manager
+Clusters:
+  Resources: {}
+Endpoints:
+  Resources: {}
+Listeners:
+  Resources:
+    edge-gateway:HTTP:8080:
+      address:
+        socketAddress:
+          address: 192.168.1.1
+          portValue: 8080
+      enableReusePort: true
+      filterChains:
+      - filters:
+        - name: envoy.filters.network.http_connection_manager
+          typedConfig:
+            '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+            commonHttpProtocolOptions:
+              headersWithUnderscoresAction: REJECT_REQUEST
+              idleTimeout: 300s
+            http2ProtocolOptions:
+              allowConnect: true
+              initialConnectionWindowSize: 1048576
+              initialStreamWindowSize: 65536
+              maxConcurrentStreams: 100
+            httpFilters:
+            - name: envoy.filters.http.local_ratelimit
+              typedConfig:
+                '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
+                statPrefix: rate_limit
+            - name: gzip-compress
+              typedConfig:
+                '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor
+                compressorLibrary:
+                  name: gzip
+                  typedConfig:
+                    '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip
+                responseDirectionConfig:
+                  disableOnEtagHeader: true
+            - name: envoy.filters.http.router
+              typedConfig:
+                '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+            mergeSlashes: true
+            normalizePath: true
+            pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
+            rds:
+              configSource:
+                ads: {}
+                resourceApiVersion: V3
+              routeConfigName: edge-gateway:HTTP:8080
+            requestHeadersTimeout: 0.500s
+            serverName: Kuma Gateway
+            statPrefix: gateway-default
+            streamIdleTimeout: 5s
+            stripAnyHostPort: true
+            useRemoteAddress: true
+      listenerFilters:
+      - name: envoy.filters.listener.tls_inspector
         typedConfig:
-          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
-          commonHttpProtocolOptions:
-            headersWithUnderscoresAction: REJECT_REQUEST
-            idleTimeout: 300s
-          http2ProtocolOptions:
-            allowConnect: true
-            initialConnectionWindowSize: 1048576
-            initialStreamWindowSize: 65536
-            maxConcurrentStreams: 100
-          httpFilters:
-          - name: envoy.filters.http.local_ratelimit
-            typedConfig:
-              '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
-              statPrefix: rate_limit
-          - name: gzip-compress
-            typedConfig:
-              '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor
-              compressorLibrary:
-                name: gzip
-                typedConfig:
-                  '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip
-              responseDirectionConfig:
-                disableOnEtagHeader: true
-          - name: envoy.filters.http.router
-            typedConfig:
-              '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
-          mergeSlashes: true
-          normalizePath: true
-          pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
-          rds:
-            configSource:
-              ads: {}
-              resourceApiVersion: V3
-            routeConfigName: edge-gateway:HTTP:8080
-          requestHeadersTimeout: 0.500s
-          serverName: Kuma Gateway
-          statPrefix: gateway-default
-          streamIdleTimeout: 5s
-          stripAnyHostPort: true
-          useRemoteAddress: true
-    listenerFilters:
-    - name: envoy.filters.listener.tls_inspector
-      typedConfig:
-        '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
-    name: edge-gateway:HTTP:8080
-    perConnectionBufferLimitBytes: 32768
-    trafficDirection: INBOUND
+          '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
+      name: edge-gateway:HTTP:8080
+      perConnectionBufferLimitBytes: 32768
+      trafficDirection: INBOUND
+Routes:
+  Resources:
+    edge-gateway:HTTP:8080:
+      name: edge-gateway:HTTP:8080
+      requestHeadersToRemove:
+      - x-kuma-tags
+      validateClusters: false
+      virtualHosts:
+      - domains:
+        - '*'
+        name: '*'
+        routes:
+        - directResponse:
+            body:
+              inlineString: |
+                This is a Kuma MeshGateway. No routes match this MeshGateway!
+            status: 404
+          match:
+            prefix: /
+Runtimes:
+  Resources:
+    gateway.listeners:
+      layer: {}
+      name: gateway.listeners
+Secrets:
+  Resources: {}