feat(kuma-cp) envoy configs for fault injections

[lobkovilya]

Summary

Final major part for implementing Fault Injections. Add configurers to envoy configuration.
Based on: https://github.com/Kong/kuma/pull/647

[jakubdyszkiewicz]

This function works only for Fault Injection (envoy_filter_fault.FaultRateLimit_FixedLimit_) so it's not util in any way. It should be placed in fault configurer.

[jakubdyszkiewicz]

If you use the code from other PR, please open a PR against that PR. It makes the code review easier because I don't have to reread the code.

So this PR should not be to master but to feat/header-with-tags, then when feat/header-with-tags is merged to master you can rebase and change the target of this PR to master

[jakubdyszkiewicz]

I think there is one more edge case with this solution.

Let's assume there is dataplane with 2 inbounds

inbounds:
- port: 8080
  tags:
    service: web
- port: 8081
  tags:
    service: web-api

and we've got such policy

sources:
- service: edge
destinations:
- service: web
conf:
...

I think this will be applied on both edge->web and edge->web-api and not only on edge->web-api.

The logic the matching logic should be exactly the same with TrafficPermission as with FaultInjection.
You should run the matching logic for every inbound interface. Keep in mind that TrafficPermission seems to work with addition (apply all that matches), not the best match right now (it was the first policy, I think we had a different concept in mind then and it's not unified).

[jakubdyszkiewicz]

why there are double & now?

[lobkovilya]

With regex we have to care about 2 important things:

• we don't match the suffix of the Key
• we don't match the prefix of the Value

The first condition is covered by & before each Key. The second one is covered by [,&] after each Value.
So in the case of a single ampersand, we might match it with the end of the Value and we have nothing to match with the beginning of the next Key.

Also, that could be solved by an additional comma after the last value - &tag1=value1,value2,&tag2=value1&. Probably additional comma will be more understandable, what do you think?

[jakubdyszkiewicz]

This is clever solution, but can we take a step back?

The solution with reusing DataplanePolicy for matching ConnectionPolicy with adapter is DRY, but I must say this is a little bit hard to follow. This is one of the most important logic in our code, so I want it to be as understandable as possible.

I'd rather have simple understandable interfaces with clear input. I prefer to have a little bit of copying instead of using wrong abstraction (https://www.sandimetz.com/blog/2016/1/20/the-wrong-abstraction)

Additionally, the code from FaultInjectionMatcher should be in policy since it will be soon used for TrafficPermission and also sooner or later on TrafficLogs, so FaultInjectionMatcher should be as thin as possible.

I experimented on branch and here is the result https://github.com/Kong/kuma/commit/bc37646d9a9943f0ec9e870267c5142c99d18c64
we don't need te full logic from DataplaneMatcher because with ConnectionPolicies we enforce that there are sources and destinations.

What do you think?

[jakubdyszkiewicz]

can we change this to value2 just to see if we match later tag from MultiValuteTagSet?

[jakubdyszkiewicz]

I can't see the change

[lobkovilya]

I added a new test case lower:

Entry("match the latter valuer", testCase{
	serviceTags: mesh_proto.MultiValueTagSet{
		"tag1": {"value1": true, "value2": true},
	},
	selector: mesh_proto.SingleValueTagSet{
		"tag1": "value2",
	},
	expected: true,
}),

[jakubdyszkiewicz]

Please remind me. Why can't we generate separate envoy_api_v2_route.HeaderMatcher for every selector.Match from FaultInjection? This would simplify the logic of constructing gigantic regex with ORs to construct regex for every selector.Match

[lobkovilya]

I discovered that HeaderMatcher (at least with the same header's name) works as AND. We also have an option to generate separate fault filters, but that's probably bulkier solution

[jakubdyszkiewicz]

Thanks, you are right
"A match will happen if all the headers in the config are present in the request with the same values (or based on presence if the value field is not in the config)."
https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/fault/v2/fault.proto

I'd lean towards picking a solution with generating many fault filters just to avoid crazy long regexes (btw. is 500 the limit of chars in regex?) and also for easier migration to x-kuma-tag-* in the future, but we can stick to or regex solution as well for now.

[lobkovilya]

This is not exactly chars in regex:

This field controls the RE2 “program size” which is a rough estimate of how complex a compiled regex is to evaluate. A regex that has a program size greater than the configured value will fail to compile. In this case, the configured max program size can be increased or the regex can be simplified. If not specified, the default is 100.

But there is a linear dependency between the size in chars and "program size".
In both cases (many filters or complex regex) we will be limited by that "program size" and limited with number of tags/selectors in the policy.

I'd stay with long regex for this PR and later we can compare which approach is faster - e.g. 10 filter faults with program size 500 or one filter fault with program size 5000

[lobkovilya]

Oh and also we probably can calculate "program size" on the fly

[jakubdyszkiewicz]

some minors + please add CHANGELOG.md and it's ready to merge.

[jakubdyszkiewicz]

Comment should be reverted

[jakubdyszkiewicz]

I can't see the change

[jakubdyszkiewicz]

I think this should be in a group with other kuma imports. This goimport linter is not ideal unfortunately :(