apply plugin network filters to TCP filter chains (#10822)

Signed-off-by: Steven Landow <[email protected]>

Author: stevenctl

internal/kgateway/translator/irtranslator/fc.go

@@ -94,6 +94,7 @@ func (h *filterChainTranslator) initFilterChain(ctx context.Context, fcc ir.Filt
 
 	return fc
 }
+
 func (h *filterChainTranslator) computeHttpFilters(ctx context.Context, l ir.HttpFilterChainIR, reporter reports.ListenerReporter) []*envoy_config_listener_v3.Filter {
 	log := contextutils.LoggerFrom(ctx).Desugar()
 
@@ -118,7 +119,7 @@ func (n *filterChainTranslator) computeNetworkFiltersForHttp(ctx context.Context
 		reporter:        reporter,
 		gateway:         n.gateway, // corresponds to Gateway API listener
 	}
-	networkFilters := sortNetworkFilters(n.computePreHCMFilters(ctx, l, reporter))
+	networkFilters := sortNetworkFilters(n.computeCustomFilters(ctx, l.CustomNetworkFilters, reporter))
 	networkFilter, err := hcm.computeNetworkFilters(ctx, l)
 	if err != nil {
 		return nil, err
@@ -127,7 +128,14 @@ func (n *filterChainTranslator) computeNetworkFiltersForHttp(ctx context.Context
 	return networkFilters, nil
 }
 
-func (n *filterChainTranslator) computePreHCMFilters(ctx context.Context, l ir.HttpFilterChainIR, reporter reports.ListenerReporter) []plugins.StagedNetworkFilter {
+// computeCustomFilters computes all custom filters, first from plugins, second
+// from embedded filters on the FilterChain itself.
+// For HTTP FilterChains these must be added before HCM.
+func (n *filterChainTranslator) computeCustomFilters(
+	ctx context.Context,
+	customNetworkFilters []ir.CustomEnvoyFilter,
+	reporter reports.ListenerReporter,
+) []plugins.StagedNetworkFilter {
 	var networkFilters []plugins.StagedNetworkFilter
 	// Process the network filters.
 	for _, plug := range n.PluginPass {
@@ -149,7 +157,7 @@ func (n *filterChainTranslator) computePreHCMFilters(ctx context.Context, l ir.H
 			networkFilters = append(networkFilters, nf)
 		}
 	}
-	networkFilters = append(networkFilters, convertCustomNetworkFilters(l.CustomNetworkFilters)...)
+	networkFilters = append(networkFilters, convertCustomNetworkFilters(customNetworkFilters)...)
 	return networkFilters
 }
 
@@ -341,7 +349,7 @@ func sortHttpFilters(filters plugins.StagedHttpFilterList) []*envoyhttp.HttpFilt
 }
 
 func (h *filterChainTranslator) computeTcpFilters(ctx context.Context, l ir.TcpIR, reporter reports.ListenerReporter) []*envoy_config_listener_v3.Filter {
-	networkFilters := sortNetworkFilters(h.computeNetworkFiltersForTcp(l))
+	networkFilters := sortNetworkFilters(h.computeCustomFilters(ctx, l.CustomNetworkFilters, reporter))
 
 	cfg := &envoytcp.TcpProxy{
 		StatPrefix: l.FilterChainName,
@@ -372,28 +380,6 @@ func (h *filterChainTranslator) computeTcpFilters(ctx context.Context, l ir.TcpI
 	return append(networkFilters, tcpFilter)
 }
 
-func (t *filterChainTranslator) computeNetworkFiltersForTcp(l ir.TcpIR) []plugins.StagedNetworkFilter {
-	var networkFilters []plugins.StagedNetworkFilter
-	// Process the network filters.
-	//for _, plug := range t.networkPlugins {
-	//	stagedFilters, err := plug.NetworkFiltersTCP(params, t.listener)
-	//	if err != nil {
-	//		validation.AppendTCPListenerError(t.report, validationapi.TcpListenerReport_Error_ProcessingError, err.Error())
-	//	}
-	//
-	//	for _, nf := range stagedFilters {
-	//		if nf.Filter == nil {
-	//			log.Warnf("plugin %v implements NetworkFilters() but returned nil", plug.Name())
-	//			continue
-	//		}
-	//		networkFilters = append(networkFilters, nf)
-	//	}
-	//}
-
-	networkFilters = append(networkFilters, convertCustomNetworkFilters(l.CustomNetworkFilters)...)
-	return networkFilters
-}
-
 func NewFilterWithTypedConfig(name string, config proto.Message) (*envoy_config_listener_v3.Filter, error) {
 	s := &envoy_config_listener_v3.Filter{
 		Name: name,
@@ -488,6 +474,7 @@ func (info *FilterChainInfo) toTransportSocket() *envoy_config_core_v3.Transport
 		ConfigType: &envoy_config_core_v3.TransportSocket_TypedConfig{TypedConfig: typedConfig},
 	}
 }
+
 func bytesDataSource(s []byte) *envoy_config_core_v3.DataSource {
 	return &envoy_config_core_v3.DataSource{
 		Specifier: &envoy_config_core_v3.DataSource_InlineBytes{

internal/kgateway/translator/irtranslator/fc_test.go

@@ -0,0 +1,118 @@
+package irtranslator_test
+
+import (
+	"context"
+	"testing"
+
+	listenerv3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
+
+	extensionsplug "github.com/kgateway-dev/kgateway/v2/internal/kgateway/extensions2/plugin"
+	"github.com/kgateway-dev/kgateway/v2/internal/kgateway/ir"
+	"github.com/kgateway-dev/kgateway/v2/internal/kgateway/plugins"
+	"github.com/kgateway-dev/kgateway/v2/internal/kgateway/reports"
+	"github.com/kgateway-dev/kgateway/v2/internal/kgateway/translator/irtranslator"
+
+	"istio.io/istio/pkg/ptr"
+	"istio.io/istio/pkg/slices"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+const (
+	testPluginFilterName = "filter-from-plugin"
+	testCustomFilterName = "filter-from-fc-field"
+)
+
+var addFiltersGK = schema.GroupKind{
+	Group: "test.kgateway.dev",
+	Kind:  "AddFilterForTest",
+}
+
+// addFilters implements a test translation pass that adds network filters
+type addFilters struct {
+	ir.UnimplementedProxyTranslationPass
+}
+
+func (a addFilters) NetworkFilters(ctx context.Context) ([]plugins.StagedNetworkFilter, error) {
+	return []plugins.StagedNetworkFilter{
+		{
+			Filter: &listenerv3.Filter{Name: testPluginFilterName},
+			Stage:  plugins.BeforeStage(plugins.AuthZStage),
+		},
+	}, nil
+}
+
+func TestFilterChains(t *testing.T) {
+	ctx := context.Background()
+
+	translator := irtranslator.Translator{
+		// not used by the test today, but if we refactor to call newPass in the test
+		// it will be necessary; leaving it here to save time debugging after a refactor
+		ContributedPolicies: map[schema.GroupKind]extensionsplug.PolicyPlugin{
+			addFiltersGK: {
+				NewGatewayTranslationPass: func(ctx context.Context, tctx ir.GwTranslationCtx) ir.ProxyTranslationPass {
+					return addFilters{}
+				},
+			},
+		},
+	}
+
+	// Create test gateway and listener IR
+	gateway := ir.GatewayIR{SourceObject: &gwv1.Gateway{}}
+	listener := ir.ListenerIR{
+		HttpFilterChain: []ir.HttpFilterChainIR{{
+			FilterChainCommon: ir.FilterChainCommon{
+				FilterChainName: "httpchain",
+				CustomNetworkFilters: []ir.CustomEnvoyFilter{{
+					Name:        testCustomFilterName,
+					FilterStage: plugins.BeforeStage(plugins.AuthZStage),
+				}},
+			},
+		}},
+		TcpFilterChain: []ir.TcpIR{{
+			FilterChainCommon: ir.FilterChainCommon{
+				FilterChainName: "tcpchain",
+				CustomNetworkFilters: []ir.CustomEnvoyFilter{{
+					Name:        testCustomFilterName,
+					FilterStage: plugins.BeforeStage(plugins.AuthZStage),
+				}},
+			},
+		}},
+	}
+
+	// fake
+	reportMap := reports.NewReportMap()
+	reporter := reports.NewReporter(&reportMap)
+
+	// method under test
+	envoyListener, _ := translator.ComputeListener(
+		ctx,
+		irtranslator.TranslationPassPlugins{
+			addFiltersGK: &irtranslator.TranslationPass{ProxyTranslationPass: addFilters{}},
+		},
+		gateway,
+		listener,
+		reporter,
+	)
+
+	expectedChainCount := len(listener.HttpFilterChain) + len(listener.TcpFilterChain)
+	if len(envoyListener.FilterChains) != expectedChainCount {
+		t.Fatal("got", len(envoyListener.FilterChains), "Envoy filter chains, but wanted", expectedChainCount)
+	}
+
+	expectedFilters := []string{testPluginFilterName, testCustomFilterName}
+	for _, filterChain := range envoyListener.FilterChains {
+		for _, expectedFilterName := range expectedFilters {
+			filter := ptr.Flatten(slices.FindFunc(filterChain.Filters, func(filter *listenerv3.Filter) bool {
+				return filter.Name == expectedFilterName
+			}))
+
+			if filter == nil {
+				t.Errorf("filter chain %q missing expected filter %q",
+					filterChain.Name, expectedFilterName)
+			}
+		}
+	}
+}