From 6dd05f1096171ce8489c88fe4b64aaf7ddd47846 Mon Sep 17 00:00:00 2001 From: Tim Treptow Date: Fri, 20 Oct 2023 06:30:00 -0700 Subject: [PATCH] Ensure that duplicate listeners are not added when crossMesh is enabled on a listener and Routes specify hostnames In the cross-mesh case, the SNI string will be a kuma SNI string for the gateway service (e.g. edge-gateway{mesh=default,port=tcp-8080}). Thus it is not possible to distinguish hosts at the listener level and no filter chain sni matchers are added. This can lead to a duplicate listener filter chain being added if there are multiple hostnames to route. Thus we truncate the gatewayHosts array to size 1 before creating the listener blocks. Signed-off-by: Tim Treptow --- .../runtime/gateway/filter_chain_generator.go | 4 + .../gateway/gateway_route_generator_test.go | 96 +- .../testdata/http/cross-mesh-gateway.yaml | 882 +++++++++++++++++- .../testdata/https/cross-mesh-gateway.yaml | 882 +++++++++++++++++- 4 files changed, 1817 insertions(+), 47 deletions(-)
diff --git a/pkg/plugins/runtime/gateway/filter_chain_generator.go b/pkg/plugins/runtime/gateway/filter_chain_generator.go
index 3acb6f848787..9f6d1921b3ae 100644
--- a/pkg/plugins/runtime/gateway/filter_chain_generator.go
+++ b/pkg/plugins/runtime/gateway/filter_chain_generator.go
@@ -93,6 +93,10 @@ func (g *HTTPSFilterChainGenerator) Generate(
 var filterChainBuilders []*envoy_listeners.FilterChainBuilder
+ if info.Listener.CrossMesh {
+ // For cross-mesh, we can only add one listener filter chain as there will not be any (usable) SNI available for filter chain matching
+ hosts = hosts[:1]
+ }
 for _, host := range hosts {
 log.V(1).Info("generating filter chain", "hostname", host.Hostname)
diff --git a/pkg/plugins/runtime/gateway/gateway_route_generator_test.go b/pkg/plugins/runtime/gateway/gateway_route_generator_test.go
index c12e758eedca..b2b20ca1c988 100644
--- a/pkg/plugins/runtime/gateway/gateway_route_generator_test.go
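Review bot: `hosts = hosts[:1]` inside the new `if info.Listener.CrossMesh` block has no length guard. Where `hosts` comes from is outside the hunk, so if it can be empty here, a nil slice would panic and an empty slice with spare capacity would be re-extended to an element the caller never meant to serve. Guarding with `if info.Listener.CrossMesh && len(hosts) > 1 {` keeps the truncation and removes both cases. The comment could also say which host survives (the first, in whatever order `hosts` arrives) and that the other hostnames are then separated only by the HTTP virtual-host match rather than at the TLS layer, so any per-host settings on the dropped entries are presumably discarded silently. Generate's body begins before and continues after the hunk.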
+++ b/pkg/plugins/runtime/gateway/gateway_route_generator_test.go 
@@ -1440,30 +1440,120 @@ conf: - port: 8080 protocol: HTTP crossMesh: true + - port: 8081 + protocol: HTTP + crossMesh: true + hostname: internal-cross-mesh.mesh + tags: + hostname: internal-cross-mesh.mesh + - port: 8082 + protocol: HTTP + crossMesh: true + tags: + hostname: route-only `, ` type: MeshGatewayRoute mesh: default -name: echo-service +name: echo-service-default selectors: - match: kuma.io/service: gateway-default +conf: + http: + rules: + - matches: + - path: + match: PREFIX + value: "/ext" + backends: + - destination: + kuma.io/service: external-httpbin + - matches: + - path: + match: PREFIX + value: "/echo" + backends: + - destination: + kuma.io/service: echo-service +`, ` +type: MeshGatewayRoute +mesh: default +name: echo-service-with-hostname selectors: - match: kuma.io/service: gateway-default + hostname: route-only conf: http: + hostnames: + - cross-mesh.mesh + - cross-mesh2.mesh rules: - matches: - path: match: PREFIX - value: "/ext" + value: "/hostname-ext" backends: - destination: kuma.io/service: external-httpbin - matches: - path: match: PREFIX - value: "/echo" + value: "/hostname-echo" + backends: + - destination: + kuma.io/service: echo-service +`, ` +type: MeshGatewayRoute +mesh: default +name: echo-service-with-hostname-and-hostname-on-listener +selectors: +- match: + kuma.io/service: gateway-default + hostname: internal-cross-mesh.mesh +conf: + http: + hostnames: + - cross-mesh.mesh + rules: + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-no-match-ext" + backends: + - destination: + kuma.io/service: external-httpbin + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-no-match-echo" + backends: + - destination: + kuma.io/service: echo-service +`, ` +type: MeshGatewayRoute +mesh: default +name: echo-service-with-hostname-and-different-hostname-on-listener +selectors: +- match: + kuma.io/service: gateway-default + hostname: internal-cross-mesh.mesh +conf: + http: + 
hostnames: + - internal-cross-mesh.mesh + rules: + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-match-ext" + backends: + - destination: + kuma.io/service: external-httpbin + - matches: + - path: + match: PREFIX + value: "/hostname-and-hostname-on-listener-match-echo" backends: - destination: kuma.io/service: echo-service diff --git a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml index 4c0895c681fa..3d1726907ace 100644 --- a/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/http/cross-mesh-gateway.yaml 
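Review bot: The last two route fixtures added in this hunk appear to have their names swapped relative to their content. `echo-service-with-hostname-and-different-hostname-on-listener` uses `internal-cross-mesh.mesh`, the same hostname as the 8081 listener, with `...-match-...` paths, while `echo-service-with-hostname-and-hostname-on-listener` uses `cross-mesh.mesh` with `...-no-match-...` paths. Renaming them, for example to `...-and-same-hostname-on-listener` and `...-and-different-hostname-on-listener`, would make it easier to audit which routes the golden output should keep or drop. A YAML comment on the 8082 listener such as `# no listener hostname; the route supplies two hostnames` would also mark it as the multi-hostname case this fix targets. The surrounding test table starts and ends outside the hunk.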
@@ -1,5 +1,109 @@ Clusters: Resources: + echo-service-0ec9724567ed6087: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + name: echo-service-0ec9724567ed6087 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + alpnProtocols: + - kuma + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: spiffe://default/echo-service + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: echo-service{mesh=default} + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + httpProtocolOptions: {} + echo-service-8acee1c4ccf209c2: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + name: echo-service-8acee1c4ccf209c2 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocket: + 
name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + alpnProtocols: + - kuma + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: spiffe://default/echo-service + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: echo-service{mesh=default} + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + httpProtocolOptions: {} echo-service-bfae5b64a0fe8b74: circuitBreakers: thresholds: 
@@ -52,6 +156,61 @@ Clusters: idleTimeout: 3600s explicitHttpConfig: httpProtocolOptions: {} + external-httpbin-7a2f998ac9979f97: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: external-httpbin + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: httpbin.com + portValue: 443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + envoy.transport_socket_match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: external-httpbin-7a2f998ac9979f97 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocketMatches: + - match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: httpbin.com + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: httpbin.com + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 external-httpbin-823fa8131cdd67fa: circuitBreakers: thresholds: 
@@ -107,8 +266,95 @@ Clusters: http2ProtocolOptions: initialConnectionWindowSize: 1048576 initialStreamWindowSize: 65536 + external-httpbin-eda12214e05805ce: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: external-httpbin + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: httpbin.com + portValue: 443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + envoy.transport_socket_match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: external-httpbin-eda12214e05805ce + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocketMatches: + - match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: httpbin.com + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: httpbin.com + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 Endpoints: Resources: + echo-service-0ec9724567ed6087: + clusterName: echo-service-0ec9724567ed6087 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 192.168.1.6 + portValue: 20006 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + 
envoy.transport_socket_match: + kuma.io/protocol: http + echo-service-8acee1c4ccf209c2: + clusterName: echo-service-8acee1c4ccf209c2 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 192.168.1.6 + portValue: 20006 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + envoy.transport_socket_match: + kuma.io/protocol: http echo-service-bfae5b64a0fe8b74: clusterName: echo-service-bfae5b64a0fe8b74 endpoints: 
@@ -206,28 +452,186 @@ Listeners: name: edge-gateway:HTTP:8080 perConnectionBufferLimitBytes: 32768 trafficDirection: INBOUND -Routes: - Resources: - edge-gateway:HTTP:8080: - ignorePortInHostMatching: true - name: edge-gateway:HTTP:8080 - requestHeadersToRemove: - - x-kuma-tags - validateClusters: false - virtualHosts: - - domains: - - '*' - name: '*' - requireTls: ALL - responseHeadersToAdd: - - append: false - header: - key: Strict-Transport-Security - value: max-age=31536000; includeSubDomains - routes: - - match: - path: /echo - route: + edge-gateway:HTTP:8081: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8081 + enableReusePort: true + filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + 
resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8081 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8081 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND + edge-gateway:HTTP:8082: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8082 + enableReusePort: true + filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + 
typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8082 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8082 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND +Routes: + Resources: + edge-gateway:HTTP:8080: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8080 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - '*' + name: '*' + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /echo + route: clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR idleTimeout: 5s retryPolicy: 
@@ -301,6 +705,440 @@ Routes: clusters: - name: external-httpbin-823fa8131cdd67fa weight: 1 + edge-gateway:HTTP:8081: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8081 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - internal-cross-mesh.mesh + name: internal-cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-and-hostname-on-listener-match-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-and-hostname-on-listener-match-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + path: /echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 
5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + prefix: /echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + 
clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + edge-gateway:HTTP:8082: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8082 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - cross-mesh2.mesh + name: cross-mesh2.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - match: + prefix: /hostname-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + 
baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - domains: + - cross-mesh.mesh + name: cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - match: + prefix: /hostname-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + 
retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - domains: + - '*' + name: '*' + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - match: + prefix: /echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - 
name: external-httpbin-7a2f998ac9979f97 + weight: 1 Runtimes: Resources: gateway.listeners: diff --git a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml index 4c0895c681fa..3d1726907ace 100644 --- a/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml +++ b/pkg/plugins/runtime/gateway/testdata/https/cross-mesh-gateway.yaml 
@@ -1,5 +1,109 @@ Clusters: Resources: + echo-service-0ec9724567ed6087: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + name: echo-service-0ec9724567ed6087 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + alpnProtocols: + - kuma + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: spiffe://default/echo-service + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: echo-service{mesh=default} + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + httpProtocolOptions: {} + echo-service-8acee1c4ccf209c2: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + name: echo-service-8acee1c4ccf209c2 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocket: + 
name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + alpnProtocols: + - kuma + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: spiffe://default/echo-service + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: echo-service{mesh=default} + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + httpProtocolOptions: {} echo-service-bfae5b64a0fe8b74: circuitBreakers: thresholds: 
@@ -52,6 +156,61 @@ Clusters: idleTimeout: 3600s explicitHttpConfig: httpProtocolOptions: {} + external-httpbin-7a2f998ac9979f97: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: external-httpbin + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: httpbin.com + portValue: 443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + envoy.transport_socket_match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: external-httpbin-7a2f998ac9979f97 + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocketMatches: + - match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: httpbin.com + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: httpbin.com + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 external-httpbin-823fa8131cdd67fa: circuitBreakers: thresholds: 
@@ -107,8 +266,95 @@ Clusters: http2ProtocolOptions: initialConnectionWindowSize: 1048576 initialStreamWindowSize: 65536 + external-httpbin-eda12214e05805ce: + circuitBreakers: + thresholds: + - maxConnections: 1024 + maxPendingRequests: 1024 + maxRequests: 1024 + maxRetries: 3 + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: external-httpbin + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: httpbin.com + portValue: 443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + envoy.transport_socket_match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: external-httpbin-eda12214e05805ce + outlierDetection: + enforcingConsecutive5xx: 0 + enforcingConsecutiveGatewayFailure: 0 + enforcingConsecutiveLocalOriginFailure: 0 + enforcingFailurePercentage: 0 + enforcingSuccessRate: 0 + perConnectionBufferLimitBytes: 32768 + transportSocketMatches: + - match: + kuma.io/external-service-name: external-httpbin + kuma.io/protocol: http2 + name: httpbin.com + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: httpbin.com + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + commonHttpProtocolOptions: + idleTimeout: 3600s + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 Endpoints: Resources: + echo-service-0ec9724567ed6087: + clusterName: echo-service-0ec9724567ed6087 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 192.168.1.6 + portValue: 20006 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + 
envoy.transport_socket_match: + kuma.io/protocol: http + echo-service-8acee1c4ccf209c2: + clusterName: echo-service-8acee1c4ccf209c2 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 192.168.1.6 + portValue: 20006 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + envoy.transport_socket_match: + kuma.io/protocol: http echo-service-bfae5b64a0fe8b74: clusterName: echo-service-bfae5b64a0fe8b74 endpoints: 
@@ -206,28 +452,186 @@ Listeners: name: edge-gateway:HTTP:8080 perConnectionBufferLimitBytes: 32768 trafficDirection: INBOUND -Routes: - Resources: - edge-gateway:HTTP:8080: - ignorePortInHostMatching: true - name: edge-gateway:HTTP:8080 - requestHeadersToRemove: - - x-kuma-tags - validateClusters: false - virtualHosts: - - domains: - - '*' - name: '*' - requireTls: ALL - responseHeadersToAdd: - - append: false - header: - key: Strict-Transport-Security - value: max-age=31536000; includeSubDomains - routes: - - match: - path: /echo - route: + edge-gateway:HTTP:8081: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8081 + enableReusePort: true + filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + 
resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8081 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8081 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND + edge-gateway:HTTP:8082: + address: + socketAddress: + address: 192.168.1.1 + portValue: 8082 + enableReusePort: true + filterChains: + - filterChainMatch: + applicationProtocols: + - kuma + transportProtocol: tls + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + idleTimeout: 300s + http2ProtocolOptions: + allowConnect: true + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.local_ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit + statPrefix: rate_limit + - name: gzip-compress + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor + compressorLibrary: + name: gzip + 
typedConfig: + '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip + responseDirectionConfig: + disableOnEtagHeader: true + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + startChildSpan: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: edge-gateway:HTTP:8082 + requestHeadersTimeout: 0.500s + serverName: Kuma Gateway + statPrefix: gateway-default + streamIdleTimeout: 5s + useRemoteAddress: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: {} + validationContextSdsSecretConfig: + name: mesh_ca:secret:all + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:default + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: edge-gateway:HTTP:8082 + perConnectionBufferLimitBytes: 32768 + trafficDirection: INBOUND +Routes: + Resources: + edge-gateway:HTTP:8080: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8080 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - '*' + name: '*' + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /echo + route: clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR idleTimeout: 5s retryPolicy: 
@@ -301,6 +705,440 @@ Routes: clusters: - name: external-httpbin-823fa8131cdd67fa weight: 1 + edge-gateway:HTTP:8081: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8081 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - internal-cross-mesh.mesh + name: internal-cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-and-hostname-on-listener-match-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-and-hostname-on-listener-match-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + path: /echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 
5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-and-hostname-on-listener-match-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + - match: + prefix: /echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-0ec9724567ed6087 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + 
clusters: + - name: external-httpbin-eda12214e05805ce + weight: 1 + edge-gateway:HTTP:8082: + ignorePortInHostMatching: true + name: edge-gateway:HTTP:8082 + requestHeadersToRemove: + - x-kuma-tags + validateClusters: false + virtualHosts: + - domains: + - cross-mesh2.mesh + name: cross-mesh2.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - match: + prefix: /hostname-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + 
baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - domains: + - cross-mesh.mesh + name: cross-mesh.mesh + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /hostname-echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /hostname-ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - match: + prefix: /hostname-echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /hostname-ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + 
retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - domains: + - '*' + name: '*' + requireTls: ALL + responseHeadersToAdd: + - append: false + header: + key: Strict-Transport-Security + value: max-age=31536000; includeSubDomains + routes: + - match: + path: /echo + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + path: /ext + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: external-httpbin-7a2f998ac9979f97 + weight: 1 + - match: + prefix: /echo/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - name: echo-service-8acee1c4ccf209c2 + requestHeadersToAdd: + - header: + key: x-kuma-tags + value: '&kuma.io/service=gateway-default&' + weight: 1 + - match: + prefix: /ext/ + route: + clusterNotFoundResponseCode: INTERNAL_SERVER_ERROR + idleTimeout: 5s + retryPolicy: + numRetries: 5 + perTryTimeout: 16s + retryBackOff: + baseInterval: 0.025s + maxInterval: 0.250s + retryOn: gateway-error,connect-failure,refused-stream + timeout: 15s + weightedClusters: + clusters: + - 
name: external-httpbin-7a2f998ac9979f97 + weight: 1 Runtimes: Resources: gateway.listeners: