feat(kuma-cp) enable forwarding XFCC header (#1941)

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

pkg/xds/envoy/listeners/configurers.go

@@ -96,13 +96,15 @@ func ServerSideMTLS(ctx xds_context.Context, metadata *core_xds.DataplaneMetadat
 	})
 }
 
-func HttpConnectionManager(statsName string) FilterChainBuilderOpt {
+func HttpConnectionManager(statsName string, forwardClientCertDetails bool) FilterChainBuilderOpt {
 	return FilterChainBuilderOptFunc(func(config *FilterChainBuilderConfig) {
 		config.AddV2(&v2.HttpConnectionManagerConfigurer{
-			StatsName: statsName,
+			StatsName:                statsName,
+			ForwardClientCertDetails: forwardClientCertDetails,
 		})
 		config.AddV3(&v3.HttpConnectionManagerConfigurer{
-			StatsName: statsName,
+			StatsName:                statsName,
+			ForwardClientCertDetails: forwardClientCertDetails,
 		})
 	})
 }

pkg/xds/envoy/listeners/v2/fault_injection_configurer_test.go

@@ -22,7 +22,7 @@ var _ = Describe("FaultInjectionConfigurer", func() {
 		func(given testCase) {
 			// when
 			filterChain, err := NewFilterChainBuilder(envoy.APIV2).
-				Configure(HttpConnectionManager("stats")).
+				Configure(HttpConnectionManager("stats", false)).
 				Configure(FaultInjection(given.input)).
 				Build()
 			// then

pkg/xds/envoy/listeners/v2/grpc_stats_configurer_test.go

@@ -18,7 +18,7 @@ var _ = Describe("gRPCStatsConfigurer", func() {
 		func(given testCase) {
 			// when
 			filterChain, err := NewFilterChainBuilder(envoy.APIV2).
-				Configure(HttpConnectionManager("stats")).
+				Configure(HttpConnectionManager("stats", false)).
 				Configure(GrpcStats()).
 				Build()
 			// then

pkg/xds/envoy/listeners/v2/http_access_log_configurer_test.go

@@ -63,7 +63,7 @@ var _ = Describe("HttpAccessLogConfigurer", func() {
 			listener, err := NewListenerBuilder(envoy.APIV2).
 				Configure(OutboundListener(given.listenerName, given.listenerAddress, given.listenerPort, given.listenerProtocol)).
 				Configure(FilterChain(NewFilterChainBuilder(envoy.APIV2).
-					Configure(HttpConnectionManager(given.statsName)).
+					Configure(HttpConnectionManager(given.statsName, false)).
 					Configure(HttpAccessLog(mesh, envoy.TrafficDirectionOutbound, sourceService, destinationService, given.backend, proxy)))).
 				Build()
 			// then

pkg/xds/envoy/listeners/v2/http_connection_manager_configurer.go

@@ -9,7 +9,8 @@ import (
 )
 
 type HttpConnectionManagerConfigurer struct {
-	StatsName string
+	StatsName                string
+	ForwardClientCertDetails bool
 }
 
 func (c *HttpConnectionManagerConfigurer) Configure(filterChain *envoy_listener.FilterChain) error {
@@ -22,6 +23,13 @@ func (c *HttpConnectionManagerConfigurer) Configure(filterChain *envoy_listener.
 		// notice that route configuration is left up to other configurers
 	}
 
+	if c.ForwardClientCertDetails {
+		config.ForwardClientCertDetails = envoy_hcm.HttpConnectionManager_SANITIZE_SET
+		config.SetCurrentClientCertDetails = &envoy_hcm.HttpConnectionManager_SetCurrentClientCertDetails{
+			Uri: true,
+		}
+	}
+
 	pbst, err := util_proto.MarshalAnyDeterministic(config)
 	if err != nil {
 		return err

pkg/xds/envoy/listeners/v2/http_connection_manager_configurer_test.go

@@ -30,7 +30,7 @@ var _ = Describe("HttpConnectionManagerConfigurer", func() {
 			listener, err := NewListenerBuilder(envoy.APIV2).
 				Configure(InboundListener(given.listenerName, given.listenerAddress, given.listenerPort, given.listenerProtocol)).
 				Configure(FilterChain(NewFilterChainBuilder(envoy.APIV2).
-					Configure(HttpConnectionManager(given.statsName)))).
+					Configure(HttpConnectionManager(given.statsName, true)))).
 				Build()
 			// then
 			Expect(err).ToNot(HaveOccurred())
@@ -58,6 +58,9 @@ var _ = Describe("HttpConnectionManagerConfigurer", func() {
               - name: envoy.filters.network.http_connection_manager
                 typedConfig:
                   '@type': type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
+                  forwardClientCertDetails: SANITIZE_SET
+                  setCurrentClientCertDetails:
+                    uri: true
                   statPrefix: localhost_8080
                   httpFilters:
                   - name: envoy.filters.http.router

pkg/xds/envoy/listeners/v2/http_inbound_route_configurer_test.go

@@ -32,7 +32,7 @@ var _ = Describe("HttpInboundRouteConfigurer", func() {
 			listener, err := NewListenerBuilder(envoy_common.APIV2).
 				Configure(InboundListener(given.listenerName, given.listenerAddress, given.listenerPort, given.listenerProtocol)).
 				Configure(FilterChain(NewFilterChainBuilder(envoy_common.APIV2).
-					Configure(HttpConnectionManager(given.statsName)).
+					Configure(HttpConnectionManager(given.statsName, true)).
 					Configure(HttpInboundRoute(given.service, given.cluster)))).
 				Build()
 			// then
@@ -63,6 +63,9 @@ var _ = Describe("HttpInboundRouteConfigurer", func() {
               - name: envoy.filters.network.http_connection_manager
                 typedConfig:
                   '@type': type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
+                  forwardClientCertDetails: SANITIZE_SET
+                  setCurrentClientCertDetails:
+                    uri: true
                   httpFilters:
                   - name: envoy.filters.http.router
                   routeConfig:

pkg/xds/envoy/listeners/v2/http_outbound_route_configurer_test.go

@@ -34,7 +34,7 @@ var _ = Describe("HttpOutboundRouteConfigurer", func() {
 			listener, err := NewListenerBuilder(envoy_common.APIV2).
 				Configure(OutboundListener(given.listenerName, given.listenerAddress, given.listenerPort, given.listenerProtocol)).
 				Configure(FilterChain(NewFilterChainBuilder(envoy_common.APIV2).
-					Configure(HttpConnectionManager(given.statsName)).
+					Configure(HttpConnectionManager(given.statsName, false)).
 					Configure(HttpOutboundRoute(given.service, given.subsets, given.dpTags)))).
 				Build()
 			// then

pkg/xds/envoy/listeners/v2/retry_configurer_test.go

@@ -37,7 +37,7 @@ var _ = Describe("RetryConfigurer", func() {
 			listener, err := NewListenerBuilder(envoy_common.APIV2).
 				Configure(OutboundListener(given.listenerName, given.listenerAddress, given.listenerPort, given.listenerProtocol)).
 				Configure(FilterChain(NewFilterChainBuilder(envoy_common.APIV2).
-					Configure(HttpConnectionManager(given.statsName)).
+					Configure(HttpConnectionManager(given.statsName, false)).
 					Configure(HttpOutboundRoute(
 						given.service,
 						given.subsets,

pkg/xds/envoy/listeners/v2/tracing_configurer_test.go

@@ -28,7 +28,7 @@ var _ = Describe("TracingConfigurer", func() {
 			listener, err := NewListenerBuilder(envoy.APIV2).
 				Configure(InboundListener("inbound:192.168.0.1:8080", "192.168.0.1", 8080, xds.SocketAddressProtocolTCP)).
 				Configure(FilterChain(NewFilterChainBuilder(envoy.APIV2).
-					Configure(HttpConnectionManager("localhost:8080")).
+					Configure(HttpConnectionManager("localhost:8080", false)).
 					Configure(Tracing(given.backend)))).
 				Build()
 			// then

pkg/xds/envoy/listeners/v3/fault_injection_configurer_test.go

@@ -22,7 +22,7 @@ var _ = Describe("FaultInjectionConfigurer", func() {
 		func(given testCase) {
 			// when
 			filterChain, err := NewFilterChainBuilder(envoy.APIV3).
-				Configure(HttpConnectionManager("stats")).
+				Configure(HttpConnectionManager("stats", false)).
 				Configure(FaultInjection(given.input)).
 				Build()
 			// then

pkg/xds/envoy/listeners/v3/grpc_stats_configurer_test.go

@@ -18,7 +18,7 @@ var _ = Describe("gRPCStatsConfigurer", func() {
 		func(given testCase) {
 			// when
 			filterChain, err := NewFilterChainBuilder(envoy.APIV3).
-				Configure(HttpConnectionManager("stats")).
+				Configure(HttpConnectionManager("stats", false)).
 				Configure(GrpcStats()).
 				Build()
 			// then

pkg/xds/envoy/listeners/v3/http_access_log_configurer_test.go

@@ -63,7 +63,7 @@ var _ = Describe("HttpAccessLogConfigurer", func() {
 			listener, err := NewListenerBuilder(envoy.APIV3).
 				Configure(OutboundListener(given.listenerName, given.listenerAddress, given.listenerPort, given.listenerProtocol)).
 				Configure(FilterChain(NewFilterChainBuilder(envoy.APIV3).
-					Configure(HttpConnectionManager(given.statsName)).
+					Configure(HttpConnectionManager(given.statsName, false)).
 					Configure(HttpAccessLog(mesh, envoy.TrafficDirectionOutbound, sourceService, destinationService, given.backend, proxy)))).
 				Build()
 			// then

pkg/xds/envoy/listeners/v3/http_connection_manager_configurer.go

@@ -9,7 +9,8 @@ import (
 )
 
 type HttpConnectionManagerConfigurer struct {
-	StatsName string
+	StatsName                string
+	ForwardClientCertDetails bool
 }
 
 func (c *HttpConnectionManagerConfigurer) Configure(filterChain *envoy_listener.FilterChain) error {
@@ -22,6 +23,13 @@ func (c *HttpConnectionManagerConfigurer) Configure(filterChain *envoy_listener.
 		// notice that route configuration is left up to other configurers
 	}
 
+	if c.ForwardClientCertDetails {
+		config.ForwardClientCertDetails = envoy_hcm.HttpConnectionManager_SANITIZE_SET
+		config.SetCurrentClientCertDetails = &envoy_hcm.HttpConnectionManager_SetCurrentClientCertDetails{
+			Uri: true,
+		}
+	}
+
 	pbst, err := util_proto.MarshalAnyDeterministic(config)
 	if err != nil {
 		return err

pkg/xds/envoy/listeners/v3/http_connection_manager_configurer_test.go

@@ -30,7 +30,7 @@ var _ = Describe("HttpConnectionManagerConfigurer", func() {
 			listener, err := NewListenerBuilder(envoy.APIV3).
 				Configure(InboundListener(given.listenerName, given.listenerAddress, given.listenerPort, given.listenerProtocol)).
 				Configure(FilterChain(NewFilterChainBuilder(envoy.APIV3).
-					Configure(HttpConnectionManager(given.statsName)))).
+					Configure(HttpConnectionManager(given.statsName, true)))).
 				Build()
 			// then
 			Expect(err).ToNot(HaveOccurred())
@@ -58,6 +58,9 @@ var _ = Describe("HttpConnectionManagerConfigurer", func() {
               - name: envoy.filters.network.http_connection_manager
                 typedConfig:
                   '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                  forwardClientCertDetails: SANITIZE_SET
+                  setCurrentClientCertDetails:
+                    uri: true
                   statPrefix: localhost_8080
                   httpFilters:
                   - name: envoy.filters.http.router

pkg/xds/envoy/listeners/v3/http_inbound_route_configurer_test.go

@@ -32,7 +32,7 @@ var _ = Describe("HttpInboundRouteConfigurer", func() {
 			listener, err := NewListenerBuilder(envoy_common.APIV3).
 				Configure(InboundListener(given.listenerName, given.listenerAddress, given.listenerPort, given.listenerProtocol)).
 				Configure(FilterChain(NewFilterChainBuilder(envoy_common.APIV3).
-					Configure(HttpConnectionManager(given.statsName)).
+					Configure(HttpConnectionManager(given.statsName, true)).
 					Configure(HttpInboundRoute(given.service, given.cluster)))).
 				Build()
 			// then
@@ -63,6 +63,9 @@ var _ = Describe("HttpInboundRouteConfigurer", func() {
               - name: envoy.filters.network.http_connection_manager
                 typedConfig:
                   '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                  forwardClientCertDetails: SANITIZE_SET
+                  setCurrentClientCertDetails:
+                    uri: true
                   httpFilters:
                   - name: envoy.filters.http.router
                   routeConfig:

pkg/xds/envoy/listeners/v3/http_outbound_route_configurer_test.go

@@ -34,7 +34,7 @@ var _ = Describe("HttpOutboundRouteConfigurer", func() {
 			listener, err := NewListenerBuilder(envoy_common.APIV3).
 				Configure(OutboundListener(given.listenerName, given.listenerAddress, given.listenerPort, given.listenerProtocol)).
 				Configure(FilterChain(NewFilterChainBuilder(envoy_common.APIV3).
-					Configure(HttpConnectionManager(given.statsName)).
+					Configure(HttpConnectionManager(given.statsName, false)).
 					Configure(HttpOutboundRoute(given.service, given.subsets, given.dpTags)))).
 				Build()
 			// then

pkg/xds/envoy/listeners/v3/retry_configurer_test.go

@@ -37,7 +37,7 @@ var _ = Describe("RetryConfigurer", func() {
 			listener, err := NewListenerBuilder(envoy_common.APIV3).
 				Configure(OutboundListener(given.listenerName, given.listenerAddress, given.listenerPort, given.listenerProtocol)).
 				Configure(FilterChain(NewFilterChainBuilder(envoy_common.APIV3).
-					Configure(HttpConnectionManager(given.statsName)).
+					Configure(HttpConnectionManager(given.statsName, false)).
 					Configure(HttpOutboundRoute(
 						given.service,
 						given.subsets,

pkg/xds/envoy/listeners/v3/tracing_configurer_test.go

@@ -28,7 +28,7 @@ var _ = Describe("TracingConfigurer", func() {
 			listener, err := NewListenerBuilder(envoy.APIV3).
 				Configure(InboundListener("inbound:192.168.0.1:8080", "192.168.0.1", 8080, xds.SocketAddressProtocolTCP)).
 				Configure(FilterChain(NewFilterChainBuilder(envoy.APIV3).
-					Configure(HttpConnectionManager("localhost:8080")).
+					Configure(HttpConnectionManager("localhost:8080", false)).
 					Configure(Tracing(given.backend)))).
 				Build()
 			// then

pkg/xds/generator/inbound_proxy_generator.go

@@ -62,13 +62,13 @@ func (g InboundProxyGenerator) Generate(ctx xds_context.Context, proxy *model.Pr
 			// configuration for HTTP case
 			case mesh_core.ProtocolHTTP, mesh_core.ProtocolHTTP2:
 				filterChainBuilder.
-					Configure(envoy_listeners.HttpConnectionManager(localClusterName)).
+					Configure(envoy_listeners.HttpConnectionManager(localClusterName, true)).
 					Configure(envoy_listeners.FaultInjection(proxy.Policies.FaultInjections[endpoint])).
 					Configure(envoy_listeners.Tracing(proxy.Policies.TracingBackend)).
 					Configure(envoy_listeners.HttpInboundRoute(service, envoy_common.ClusterSubset{ClusterName: localClusterName}))
 			case mesh_core.ProtocolGRPC:
 				filterChainBuilder.
-					Configure(envoy_listeners.HttpConnectionManager(localClusterName)).
+					Configure(envoy_listeners.HttpConnectionManager(localClusterName, true)).
 					Configure(envoy_listeners.GrpcStats()).
 					Configure(envoy_listeners.FaultInjection(proxy.Policies.FaultInjections[endpoint])).
 					Configure(envoy_listeners.Tracing(proxy.Policies.TracingBackend)).

pkg/xds/generator/outbound_proxy_generator.go

@@ -90,15 +90,15 @@ func (_ OutboundProxyGenerator) generateLDS(proxy *model.Proxy, subsets []envoy_
 		switch protocol {
 		case mesh_core.ProtocolGRPC:
 			filterChainBuilder.
-				Configure(envoy_listeners.HttpConnectionManager(serviceName)).
+				Configure(envoy_listeners.HttpConnectionManager(serviceName, false)).
 				Configure(envoy_listeners.Tracing(proxy.Policies.TracingBackend)).
 				Configure(envoy_listeners.HttpAccessLog(meshName, envoy_common.TrafficDirectionOutbound, sourceService, serviceName, proxy.Policies.Logs[serviceName], proxy)).
 				Configure(envoy_listeners.HttpOutboundRoute(serviceName, subsets, proxy.Dataplane.Spec.TagSet())).
 				Configure(envoy_listeners.Retry(retryPolicy, protocol)).
 				Configure(envoy_listeners.GrpcStats())
 		case mesh_core.ProtocolHTTP, mesh_core.ProtocolHTTP2:
 			filterChainBuilder.
-				Configure(envoy_listeners.HttpConnectionManager(serviceName)).
+				Configure(envoy_listeners.HttpConnectionManager(serviceName, false)).
 				Configure(envoy_listeners.Tracing(proxy.Policies.TracingBackend)).
 				Configure(envoy_listeners.HttpAccessLog(
 					meshName,

pkg/xds/generator/probe_generator.go

@@ -49,7 +49,7 @@ func (g ProbeProxyGenerator) Generate(ctx xds_context.Context, proxy *model.Prox
 	probeListener, err := envoy_listeners.NewListenerBuilder(proxy.APIVersion).
 		Configure(envoy_listeners.InboundListener(listenerName, proxy.Dataplane.Spec.GetNetworking().GetAddress(), probes.Port, model.SocketAddressProtocolTCP)).
 		Configure(envoy_listeners.FilterChain(envoy_listeners.NewFilterChainBuilder(proxy.APIVersion).
-			Configure(envoy_listeners.HttpConnectionManager(listenerName)).
+			Configure(envoy_listeners.HttpConnectionManager(listenerName, false)).
 			Configure(envoy_listeners.HttpStaticRoute(envoy_routes.NewRouteConfigurationBuilder(proxy.APIVersion).
 				Configure(envoy_routes.VirtualHost(virtualHostBuilder)))))).
 		Configure(envoy_listeners.TransparentProxying(proxy.Dataplane.Spec.Networking.GetTransparentProxying())).

pkg/xds/generator/testdata/inbound-proxy/3-envoy-config.golden.yaml

@@ -112,6 +112,7 @@ resources:
       - name: envoy.filters.network.http_connection_manager
         typedConfig:
           '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          forwardClientCertDetails: SANITIZE_SET
           httpFilters:
           - name: envoy.filters.http.fault
             typedConfig:
@@ -141,6 +142,8 @@ resources:
                 route:
                   cluster: localhost:8080
                   timeout: 0s
+          setCurrentClientCertDetails:
+            uri: true
           statPrefix: localhost_8080
       transportSocket:
         name: envoy.transport_sockets.tls
@@ -242,6 +245,7 @@ resources:
       - name: envoy.filters.network.http_connection_manager
         typedConfig:
           '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          forwardClientCertDetails: SANITIZE_SET
           httpFilters:
           - name: envoy.filters.http.router
           routeConfig:
@@ -259,6 +263,8 @@ resources:
                 route:
                   cluster: localhost:8080
                   timeout: 0s
+          setCurrentClientCertDetails:
+            uri: true
           statPrefix: localhost_8080
       transportSocket:
         name: envoy.transport_sockets.tls

pkg/xds/generator/testdata/inbound-proxy/4-envoy-config.golden.yaml

@@ -114,6 +114,7 @@ resources:
       - name: envoy.filters.network.http_connection_manager
         typedConfig:
           '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          forwardClientCertDetails: SANITIZE_SET
           httpFilters:
           - name: envoy.filters.http.fault
             typedConfig:
@@ -143,6 +144,8 @@ resources:
                 route:
                   cluster: localhost:8080
                   timeout: 0s
+          setCurrentClientCertDetails:
+            uri: true
           statPrefix: localhost_8080
       transportSocket:
         name: envoy.transport_sockets.tls
@@ -246,6 +249,7 @@ resources:
       - name: envoy.filters.network.http_connection_manager
         typedConfig:
           '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          forwardClientCertDetails: SANITIZE_SET
           httpFilters:
           - name: envoy.filters.http.router
           routeConfig:
@@ -263,6 +267,8 @@ resources:
                 route:
                   cluster: localhost:8080
                   timeout: 0s
+          setCurrentClientCertDetails:
+            uri: true
           statPrefix: localhost_8080
       transportSocket:
         name: envoy.transport_sockets.tls

pkg/xds/generator/testdata/profile-source/3-envoy-config.golden.yaml

@@ -181,6 +181,7 @@ resources:
       - name: envoy.filters.network.http_connection_manager
         typedConfig:
           '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          forwardClientCertDetails: SANITIZE_SET
           httpFilters:
           - name: envoy.filters.http.router
           routeConfig:
@@ -198,6 +199,8 @@ resources:
                 route:
                   cluster: localhost:8080
                   timeout: 0s
+          setCurrentClientCertDetails:
+            uri: true
           statPrefix: localhost_8080
       transportSocket:
         name: envoy.transport_sockets.tls

pkg/xds/generator/testdata/profile-source/4-envoy-config.golden.yaml

@@ -202,6 +202,7 @@ resources:
       - name: envoy.filters.network.http_connection_manager
         typedConfig:
           '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          forwardClientCertDetails: SANITIZE_SET
           httpFilters:
           - name: envoy.filters.http.router
           routeConfig:
@@ -219,6 +220,8 @@ resources:
                 route:
                   cluster: localhost:8080
                   timeout: 0s
+          setCurrentClientCertDetails:
+            uri: true
           statPrefix: localhost_8080
       transportSocket:
         name: envoy.transport_sockets.tls