Implement UDP traffic type

cmd/configuration.go

@@ -16,8 +16,9 @@ type MaeshConfiguration struct {
 	IgnoreNamespaces []string `description:"The namespace that maesh should be ignoring." export:"true"`
 	APIPort          int32    `description:"API port for the controller." export:"true"`
 	APIHost          string   `description:"API host for the controller to bind to." export:"true"`
-	LimitTCPPort     int32    `description:"Number of TCP ports allocated." export:"true"`
 	LimitHTTPPort    int32    `description:"Number of HTTP ports allocated." export:"true"`
+	LimitTCPPort     int32    `description:"Number of TCP ports allocated." export:"true"`
+	LimitUDPPort     int32    `description:"Number of UDP ports allocated." export:"true"`
 }
 
 // NewMaeshConfiguration creates a MaeshConfiguration with default values.
@@ -32,8 +33,9 @@ func NewMaeshConfiguration() *MaeshConfiguration {
 		Namespace:     "maesh",
 		APIPort:       9000,
 		APIHost:       "",
-		LimitTCPPort:  25,
 		LimitHTTPPort: 10,
+		LimitTCPPort:  25,
+		LimitUDPPort:  25,
 	}
 }
 

cmd/maesh/maesh.go

@@ -83,6 +83,7 @@ func maeshCommand(iConfig *cmd.MaeshConfiguration) error {
 
 	minHTTPPort := int32(5000)
 	minTCPPort := int32(10000)
+	minUDPPort := int32(15000)
 
 	if iConfig.SMI {
 		log.Warnf("SMI mode is deprecated, please consider using --acl instead")
@@ -102,10 +103,12 @@ func maeshCommand(iConfig *cmd.MaeshConfiguration) error {
 		IgnoreNamespaces: iConfig.IgnoreNamespaces,
 		APIPort:          iConfig.APIPort,
 		APIHost:          iConfig.APIHost,
-		MinTCPPort:       minTCPPort,
-		MaxTCPPort:       minTCPPort + iConfig.LimitTCPPort,
 		MinHTTPPort:      minHTTPPort,
 		MaxHTTPPort:      minHTTPPort + iConfig.LimitHTTPPort,
+		MinTCPPort:       minTCPPort,
+		MaxTCPPort:       minTCPPort + iConfig.LimitTCPPort,
+		MinUDPPort:       minUDPPort,
+		MaxUDPPort:       minUDPPort + iConfig.LimitUDPPort,
 	}, log)
 	if err != nil {
 		return fmt.Errorf("unable to create controller: %w", err)

docs/content/configuration.md

@@ -45,9 +45,14 @@ The traffic type can be configured by using the following annotation:
 maesh.containo.us/traffic-type: "http"
 ```
 
-This annotation can be set to either `http` or `tcp`, and will specify the mode for that service operation.
+This annotation can be set to either `http`, `tcp` or `udp` and will specifies the mode for that service operation.
 If this annotation is not present, the mesh service will operate in the default mode specified in the static configuration.
 
+!!! Info
+    For now, the `udp` traffic type does not work when ACL mode is enabled. In ACL mode, all traffic is forbidden unless it
+    is explicitly allowed with a [TrafficTarget](https://github.com/servicemeshinterface/smi-spec/blob/master/traffic-access-control.md) and
+    unfortunately the SMI specification does not yet define a [Traffic Spec](https://github.com/servicemeshinterface/smi-spec/blob/master/traffic-specs.md) for `UDP`.
+
 #### Scheme
 
 The scheme used to define custom scheme for request:

helm/chart/maesh/templates/controller/controller-configmap.yaml

@@ -1,6 +1,6 @@
 ---
-apiVersion: v1 
-kind: ConfigMap 
+apiVersion: v1
+kind: ConfigMap
 metadata:
   name: tcp-state-table
   namespace: {{ .Release.Namespace }}
@@ -11,3 +11,16 @@ metadata:
     heritage: {{ .Release.Service | quote }}
 data:
   key: value
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: udp-state-table
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name | quote}}
+    chart: {{ include "maesh.chartLabel" . | quote}}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+data:
+  key: value

helm/chart/maesh/templates/mesh/mesh-daemonset.yaml

@@ -73,6 +73,9 @@ spec:
             - {{ printf "\"--entryPoints.tcp-%d.address=:%d\"" $port $port }}
             - {{ printf "\"--entryPoints.tcp-%d.forwardedHeaders.insecure=true\"" $port }}
             {{- end }}
+            {{- range $i, $port := untilStep 15000 ((add (.Values.limits.udp|int) 15000)|int) 1 }}
+            - {{ printf "\"--entryPoints.udp-%d.address=:%d/udp\"" $port $port }}
+            {{- end }}
             - "--providers.rest"
             - "--providers.rest.insecure"
             {{- if .Values.tracing.jaeger.enabled }}

helm/chart/maesh/values.yaml

@@ -148,3 +148,4 @@ smi:
 limits:
   http: 10
   tcp: 25
+  udp: 25

integration/acl_disabled_test.go

@@ -13,12 +13,13 @@ func (s *ACLDisabledSuite) SetUpSuite(c *check.C) {
 	requiredImages := []string{
 		"containous/maesh:latest",
 		"containous/whoami:v1.0.1",
-		"containous/whoamitcp",
+		"containous/whoamitcp:v0.0.2",
+		"containous/whoamiudp:v0.0.1",
 		"coredns/coredns:1.6.3",
 	}
 	s.startk3s(c, requiredImages)
 	s.startAndWaitForCoreDNS(c)
-	s.createResources(c, "resources/tcp-state-table/")
+	s.createResources(c, "resources/state-table/")
 	s.createResources(c, "resources/smi/crds/")
 }
 
@@ -71,6 +72,28 @@ func (s *ACLDisabledSuite) TestTCPService(c *check.C) {
 	s.checkTCPServiceLoadBalancer(c, config, serverSvc, []*corev1.Pod{serverPod})
 }
 
+func (s *ACLDisabledSuite) TestUDPService(c *check.C) {
+	s.createResources(c, "resources/acl/disabled/udp")
+	defer s.deleteResources(c, "resources/acl/disabled/udp")
+	defer s.deleteShadowServices(c)
+
+	s.waitForPods(c, []string{"server"})
+
+	cmd := s.startMaeshBinaryCmd(c, false, false)
+	err := cmd.Start()
+
+	c.Assert(err, checker.IsNil)
+	defer s.stopMaeshBinary(c, cmd.Process)
+
+	config := s.testConfigurationWithReturn(c, "resources/acl/disabled/udp.json")
+
+	serverSvc := s.getService(c, "server")
+	serverPod := s.getPod(c, "server")
+
+	s.checkHTTPReadinessService(c, config)
+	s.checkUDPServiceLoadBalancer(c, config, serverSvc, []*corev1.Pod{serverPod})
+}
+
 func (s *ACLDisabledSuite) TestSplitTraffic(c *check.C) {
 	s.createResources(c, "resources/acl/disabled/traffic-split")
 	defer s.deleteResources(c, "resources/acl/disabled/traffic-split")

integration/acl_enabled_test.go

@@ -13,7 +13,7 @@ func (s *ACLEnabledSuite) SetUpSuite(c *check.C) {
 	requiredImages := []string{
 		"containous/maesh:latest",
 		"containous/whoami:v1.0.1",
-		"containous/whoamitcp",
+		"containous/whoamitcp:v0.0.2",
 		"coredns/coredns:1.6.3",
 		"giantswarm/tiny-tools:3.9",
 	}

integration/coredns_test.go

@@ -23,7 +23,7 @@ func (s *CoreDNSSuite) SetUpSuite(c *check.C) {
 	s.startk3s(c, requiredImages)
 	s.startWhoami(c)
 	s.installTinyToolsMaesh(c)
-	s.createResources(c, "resources/tcp-state-table/")
+	s.createResources(c, "resources/state-table/")
 	s.createResources(c, "resources/smi/crds/")
 }
 

integration/integration_test.go

@@ -62,7 +62,8 @@ func Test(t *testing.T) {
 
 	images = append(images, image{"containous/maesh:latest", false})
 	images = append(images, image{"containous/whoami:v1.0.1", true})
-	images = append(images, image{"containous/whoamitcp", true})
+	images = append(images, image{"containous/whoamitcp:v0.0.2", true})
+	images = append(images, image{"containous/whoamiudp:v0.0.1", true})
 	images = append(images, image{"coredns/coredns:1.2.6", true})
 	images = append(images, image{"coredns/coredns:1.3.1", true})
 	images = append(images, image{"coredns/coredns:1.4.0", true})
@@ -624,6 +625,33 @@ func (s *BaseSuite) checkTCPServiceLoadBalancer(c *check.C, config *dynamic.Conf
 	}
 }
 
+func (s *BaseSuite) checkUDPServiceLoadBalancer(c *check.C, config *dynamic.Configuration, svc *corev1.Service, pods []*corev1.Pod) {
+	for _, port := range svc.Spec.Ports {
+		svcKey := fmt.Sprintf("%s-%s-%d", svc.Namespace, svc.Name, port.Port)
+
+		service := config.UDP.Services[svcKey]
+		c.Assert(service, checker.NotNil)
+
+		c.Assert(service.LoadBalancer.Servers, checker.HasLen, len(pods))
+
+		for _, pod := range pods {
+			wantURL := fmt.Sprintf("%s:%d", pod.Status.PodIP, port.TargetPort.IntVal)
+			c.Logf("Checking if UDP service %q loadbalancer contains an URL for pod %q: %s", svcKey, pod.Name, wantURL)
+
+			var found bool
+
+			for _, server := range service.LoadBalancer.Servers {
+				if wantURL == server.Address {
+					found = true
+					break
+				}
+			}
+
+			c.Assert(found, checker.True)
+		}
+	}
+}
+
 func (s *BaseSuite) checkTrafficTargetLoadBalancer(c *check.C, config *dynamic.Configuration, tt *access.TrafficTarget, svc *corev1.Service, pods []*corev1.Pod) {
 	for _, port := range svc.Spec.Ports {
 		svcKey := fmt.Sprintf("%s-%s-%s-%d-traffic-target", svc.Namespace, svc.Name, tt.Name, port.Port)

integration/resources/acl/disabled/http.json

@@ -54,5 +54,6 @@
       }
     }
   },
-  "tcp": {}
+  "tcp": {},
+  "udp": {}
 }

integration/resources/acl/disabled/tcp.json

@@ -57,5 +57,6 @@
         }
       }
     }
-  }
+  },
+  "udp": {}
 }

integration/resources/acl/disabled/tcp/1.server.yaml

@@ -8,7 +8,7 @@ metadata:
 spec:
   containers:
   - name: server
-    image: containous/whoamitcp
+    image: containous/whoamitcp:v0.0.2
     imagePullPolicy: Always
 
 ---

integration/resources/acl/disabled/traffic-split.json

@@ -127,5 +127,6 @@
       }
     }
   },
-  "tcp": {}
+  "tcp": {},
+  "udp": {}
 }

integration/resources/acl/disabled/udp.json

@@ -0,0 +1,61 @@
+{
+  "http": {
+    "routers": {
+      "readiness": {
+        "entryPoints": [
+          "readiness"
+        ],
+        "service": "readiness",
+        "rule": "Path(`/ping`)"
+      }
+    },
+    "services": {
+      "block-all-service": {
+        "loadBalancer": {
+          "passHostHeader": null
+        }
+      },
+      "readiness": {
+        "loadBalancer": {
+          "servers": [
+            {
+              "url": "http://127.0.0.1:8080"
+            }
+          ],
+          "passHostHeader": true
+        }
+      }
+    },
+    "middlewares": {
+      "block-all-middleware": {
+        "ipWhiteList": {
+          "sourceRange": [
+            "255.255.255.255"
+          ]
+        }
+      }
+    }
+  },
+  "tcp": {},
+  "udp": {
+    "routers": {
+      "test-server-8080": {
+        "entryPoints": [
+          "udp-15000"
+        ],
+        "service": "test-server-8080"
+      }
+    },
+    "services": {
+      "test-server-8080": {
+        "loadBalancer": {
+          "servers": [
+            {
+              "address": "10.42.1.5:8080"
+            }
+          ]
+        }
+      }
+    }
+  }
+}

integration/resources/acl/disabled/udp/1.server.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: server
+  namespace: test
+  labels:
+    app: server
+spec:
+  containers:
+    - name: server
+      image: containous/whoamiudp:v0.0.1
+      imagePullPolicy: Always
+      ports:
+        - name: udp
+          protocol: UDP
+          containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: server
+  namespace: test
+  labels:
+    app: server
+    plop: cool
+  annotations:
+    maesh.containo.us/traffic-type: udp
+spec:
+  type: ClusterIP
+  ports:
+    - name: server
+      protocol: UDP
+      port: 8080
+  selector:
+    app: server

integration/resources/acl/enabled/traffic-split.json

@@ -219,5 +219,6 @@
       }
     }
   },
-  "tcp": {}
+  "tcp": {},
+  "udp": {}
 }

integration/resources/acl/enabled/traffic-target.json

@@ -75,5 +75,6 @@
       }
     }
   },
-  "tcp": {}
+  "tcp": {},
+  "udp": {}
 }

integration/resources/state-table/udp-configmap.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: udp-state-table
+  namespace: maesh
+  labels:
+    app: maesh
+    release: maesh
+data:
+  key: value