feat(kuma-cp): implement MeshTimeout policy

docs/guides/e2e-test-tips.md

@@ -97,6 +97,20 @@ Running `make test/e2e/debug` can intentionally leave resources if test fails. C
 make k3d/stop/all && docker stop $(docker ps -aq) # omit $ for fish
 ```
 
+### Tests failing because of disk pressure
+
+From time to time when running tests your docker environment can run out of space. You will see k8s events like this:
+```
+Warning  FailedScheduling  63s (x1 over 2m15s)  default-scheduler  0/1 nodes are available: 
+1 node(s) had taint {node.kubernetes.io/disk-pressure:}, that the pod didn't tolerate.
+```
+
+To fix this issue you need to clean up your docker environment:
+
+```bash
+docker system prune --volumes --all
+```
+
 ### Integration with direnv
 
 [direnv](https://direnv.net/) is a useful tool that can populate environment variables in your shell as you change directories.

docs/madr/decisions/010-timeout-policy.md

@@ -100,11 +100,12 @@ In this policy same limitations applies as in `MeshAccessLog` [policy](https://g
 ```yaml
 from:
   - targetRef:
-      kind: Mesh|MeshSubset|MeshService|MeshServiceSubset
+      kind: Mesh
       name: ...
 ```
 
-Matching on MeshGatewayRoute and MeshHTTPRoute does not make sense (there is no route that a request originates from).
+Since timeouts are mostly configured on clusters and listeners there and we have single inbound in most cases we can only
+configure `Mesh` kind in from section.
 
 #### To level
 
@@ -239,11 +240,10 @@ spec:
   targetRef:
     kind: MeshGatewayRoute
     name: default-gateway-route
-  from:
+  to:
     - targetRef:
         kind: MeshService
         name: backend
-        mesh: consume
       default:
         idleTimeout: 30m
         http:

pkg/plugins/policies/meshtimeout/api/v1alpha1/validator.go

@@ -37,9 +37,6 @@ func validateFrom(from []From) validators.ValidationError {
 		verr.AddErrorAt(path.Field("targetRef"), matcher_validators.ValidateTargetRef(fromItem.GetTargetRef(), &matcher_validators.ValidateTargetRefOpts{
 			SupportedKinds: []common_api.TargetRefKind{
 				common_api.Mesh,
-				common_api.MeshSubset,
-				common_api.MeshService,
-				common_api.MeshServiceSubset,
 			},
 		}))
 
@@ -57,6 +54,7 @@ func validateTo(to []To) validators.ValidationError {
 			SupportedKinds: []common_api.TargetRefKind{
 				common_api.Mesh,
 				common_api.MeshService,
+				common_api.MeshGatewayRoute,
 			},
 		}))
 

pkg/plugins/policies/meshtimeout/plugin/testdata/basic_inbound_cluster.golden.yaml

@@ -0,0 +1,9 @@
+connectTimeout: 10s
+name: localhost:8080
+typedExtensionProtocolOptions:
+  envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+    '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+    commonHttpProtocolOptions:
+      idleTimeout: 3600s
+      maxConnectionDuration: 600s
+      maxStreamDuration: 600s

pkg/plugins/policies/meshtimeout/plugin/testdata/basic_inbound_listener.golden.yaml

@@ -0,0 +1,33 @@
+address:
+  socketAddress:
+    address: 127.0.0.1
+    portValue: 80
+enableReusePort: false
+filterChains:
+- filters:
+  - name: envoy.filters.network.http_connection_manager
+    typedConfig:
+      '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+      httpFilters:
+      - name: envoy.filters.http.router
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+      routeConfig:
+        name: inbound:backend
+        requestHeadersToRemove:
+        - x-kuma-tags
+        validateClusters: false
+        virtualHosts:
+        - domains:
+          - '*'
+          name: backend
+          routes:
+          - match:
+              prefix: /
+            route:
+              cluster: backend
+              timeout: 5s
+      statPrefix: "inbound_127_0_0_1_80"
+      streamIdleTimeout: 1s
+name: inbound:127.0.0.1:80
+trafficDirection: INBOUND

pkg/plugins/policies/meshtimeout/plugin/testdata/basic_tcp_cluster.golden.yaml

@@ -0,0 +1,2 @@
+connectTimeout: 10s
+name: second-service

pkg/plugins/policies/meshtimeout/plugin/testdata/basic_tcp_listener.golden.yaml

@@ -0,0 +1,14 @@
+address:
+  socketAddress:
+    address: 127.0.0.1
+    portValue: 10002
+filterChains:
+- filters:
+  - name: envoy.filters.network.tcp_proxy
+    typedConfig:
+      '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+      cluster: backend
+      idleTimeout: 30s
+      statPrefix: "127_0_0_1_10002"
+name: outbound:127.0.0.1:10002
+trafficDirection: OUTBOUND

pkg/plugins/policies/meshtimeout/plugin/testdata/gateway_cluster.golden.yaml

@@ -0,0 +1,17 @@
+connectTimeout: 10s
+edsClusterConfig:
+  edsConfig:
+    ads: {}
+    resourceApiVersion: V3
+name: backend-26cb64fa4e85e7b7
+perConnectionBufferLimitBytes: 32768
+type: EDS
+typedExtensionProtocolOptions:
+  envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+    '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+    commonHttpProtocolOptions:
+      idleTimeout: 3600s
+      maxConnectionDuration: 600s
+      maxStreamDuration: 600s
+    explicitHttpConfig:
+      httpProtocolOptions: {}

pkg/plugins/policies/meshtimeout/plugin/testdata/gateway_listener.golden.yaml

@@ -0,0 +1,56 @@
+address:
+  socketAddress:
+    address: 192.168.0.1
+    portValue: 8080
+enableReusePort: true
+filterChains:
+  - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          commonHttpProtocolOptions:
+            headersWithUnderscoresAction: REJECT_REQUEST
+            idleTimeout: 300s
+          http2ProtocolOptions:
+            allowConnect: true
+            initialConnectionWindowSize: 1048576
+            initialStreamWindowSize: 65536
+            maxConcurrentStreams: 100
+          httpFilters:
+            - name: envoy.filters.http.local_ratelimit
+              typedConfig:
+                '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
+                statPrefix: rate_limit
+            - name: gzip-compress
+              typedConfig:
+                '@type': type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor
+                compressorLibrary:
+                  name: gzip
+                  typedConfig:
+                    '@type': type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip
+                responseDirectionConfig:
+                  disableOnEtagHeader: true
+            - name: envoy.filters.http.router
+              typedConfig:
+                '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+          mergeSlashes: true
+          normalizePath: true
+          pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
+          rds:
+            configSource:
+              ads: {}
+              resourceApiVersion: V3
+            routeConfigName: sample-gateway:HTTP:8080
+          requestHeadersTimeout: 0.500s
+          serverName: Kuma Gateway
+          statPrefix: sample-gateway
+          streamIdleTimeout: 1s
+          stripAnyHostPort: true
+          useRemoteAddress: true
+listenerFilters:
+  - name: envoy.filters.listener.tls_inspector
+    typedConfig:
+      '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
+name: sample-gateway:HTTP:8080
+perConnectionBufferLimitBytes: 32768
+trafficDirection: INBOUND

pkg/plugins/policies/meshtimeout/plugin/testdata/gateway_route.golden.yaml

@@ -0,0 +1,22 @@
+name: sample-gateway:HTTP:8080
+requestHeadersToRemove:
+  - x-kuma-tags
+validateClusters: false
+virtualHosts:
+  - domains:
+      - '*'
+    name: '*'
+    routes:
+      - match:
+          path: /
+        route:
+          timeout: 5s
+          weightedClusters:
+            clusters:
+              - name: backend-26cb64fa4e85e7b7
+                requestHeadersToAdd:
+                  - header:
+                      key: x-kuma-tags
+                      value: '&kuma.io/service=sample-gateway&'
+                weight: 1
+            totalWeight: 1

pkg/plugins/policies/meshtimeout/plugin/testdata/http_outbound_cluster.golden.yaml

@@ -0,0 +1,9 @@
+connectTimeout: 10s
+name: other-service
+typedExtensionProtocolOptions:
+  envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+    '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+    commonHttpProtocolOptions:
+      idleTimeout: 3600s
+      maxConnectionDuration: 600s
+      maxStreamDuration: 600s

pkg/plugins/policies/meshtimeout/plugin/testdata/http_outbound_listener.golden.yaml

@@ -0,0 +1,34 @@
+address:
+  socketAddress:
+    address: 127.0.0.1
+    portValue: 10001
+filterChains:
+- filters:
+  - name: envoy.filters.network.http_connection_manager
+    typedConfig:
+      '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+      httpFilters:
+      - name: envoy.filters.http.router
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+      routeConfig:
+        name: outbound:backend
+        requestHeadersToAdd:
+        - header:
+            key: x-kuma-tags
+            value: '&kuma.io/service=web&'
+        validateClusters: false
+        virtualHosts:
+        - domains:
+          - '*'
+          name: backend
+          routes:
+          - match:
+              prefix: /
+            route:
+              cluster: backend
+              timeout: 5s
+      statPrefix: "outbound_127_0_0_1_10001"
+      streamIdleTimeout: 1s
+name: outbound:127.0.0.1:10001
+trafficDirection: OUTBOUND

pkg/plugins/policies/meshtimeout/plugin/testdata/outbound_with_defaults_cluster.golden.yaml

@@ -0,0 +1,9 @@
+connectTimeout: 10s
+name: other-service
+typedExtensionProtocolOptions:
+  envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+    '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+    commonHttpProtocolOptions:
+      idleTimeout: 3600s
+      maxConnectionDuration: 0s
+      maxStreamDuration: 0s

pkg/plugins/policies/meshtimeout/plugin/testdata/outbound_with_defaults_listener.golden.yaml

@@ -0,0 +1,34 @@
+address:
+  socketAddress:
+    address: 127.0.0.1
+    portValue: 10001
+filterChains:
+- filters:
+  - name: envoy.filters.network.http_connection_manager
+    typedConfig:
+      '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+      httpFilters:
+      - name: envoy.filters.http.router
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+      routeConfig:
+        name: outbound:backend
+        requestHeadersToAdd:
+        - header:
+            key: x-kuma-tags
+            value: '&kuma.io/service=web&'
+        validateClusters: false
+        virtualHosts:
+        - domains:
+          - '*'
+          name: backend
+          routes:
+          - match:
+              prefix: /
+            route:
+              cluster: backend
+              timeout: 15s
+      statPrefix: "outbound_127_0_0_1_10001"
+      streamIdleTimeout: 1800s
+name: outbound:127.0.0.1:10001
+trafficDirection: OUTBOUND