Added config for socket options for listeners

[tsaarni]

This PR adds new optional config field to support DSCP marking for outbound IP packets, for both IPv4 (TOS field) and IPv6 (Traffic Class field).

Fixes #4605

Signed-off-by: Tero Saarni [email protected]

Detailed description

The new configuration is added to existing listener stanza:

Example config file:

listener:
  socket-options:
   tos: 64
   traffic-class: 64

Example ContourConfiguration CR

apiVersion: projectcontour.io/v1alpha1
kind: ContourConfiguration
metadata:
  name: contour
  namespace: projectcontour
spec:
  envoy:
   listener:
    socketOptions:
     tos: 64
     trafficClass: 64

The DSCP field is the 6 most significant bits of the exposed fields. However, the PR proposes exposing the socket options as they are exposed in Envoy and the socket API (complete TOS and TrafficClass bytes). For example, to set DSCP value 16 user needs to bit shift the value to 6 most significant bits of the byte and set the tos and/or trafficClass to value 64.

The PR proposes moving the existing TCP keepalive options into a generic socket option file. If more socket options are added in the future, the new file would be the place to add them - regardless of being TCP or IP level options.

Limitations

Since the two new socket options depend on IP version, the user needs to know in advance which one they want to set.

For example, if the worker nodes where Envoy runs have IPv6 support enabled in the kernel, and Envoy was configured to listen to IPv6 address, then traffic-class can be set. If not, setting traffic-class will cause failure to configure listeners to Envoy. Envoy will call setsockopt() to set IPv6 socket option on a socket that does not support IPv6, the syscall returns error and Envoy rejects the whole listener configuration. Contour cannot validate in advance if this syscall will succeed on the nodes where Envoy runs, so unfortunately it will be runtime failure.

The documentation for the config has a note about this limitation.

[codecov]

Codecov Report

Merging #5352 (f616af2) into main (aa18b98) will increase coverage by 0.03%.
The diff coverage is 94.11%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5352      +/-   ##
==========================================
+ Coverage   78.56%   78.59%   +0.03%     
==========================================
  Files         138      138              
  Lines       19101    19150      +49     
==========================================
+ Hits        15006    15051      +45     
- Misses       3809     3812       +3     
- Partials      286      287       +1     

Files Changed	Coverage Δ
cmd/contour/serve.go	20.26% <0.00%> (-0.03%)	⬇️
pkg/config/parameters.go	85.80% <72.72%> (-0.46%)	⬇️
cmd/contour/servecontext.go	83.55% <100.00%> (+0.14%)	⬆️
internal/envoy/v3/listener.go	98.48% <100.00%> (ø)
internal/envoy/v3/socket_options.go	100.00% <100.00%> (ø)
internal/envoy/v3/stats.go	100.00% <100.00%> (ø)
internal/featuretests/v3/envoy.go	99.06% <100.00%> (ø)
internal/xdscache/v3/listener.go	92.05% <100.00%> (+0.15%)	⬆️

[github-actions]

The Contour project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 14d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, the PR is closed

You can:

• Mark this PR as fresh by commenting or pushing a commit
• Close this PR
• Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

[github-actions]

The Contour project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 14d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, the PR is closed

You can:

• Mark this PR as fresh by commenting or pushing a commit
• Close this PR
• Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

[github-actions]

The Contour project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 14d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, the PR is closed

You can:

• Mark this PR as fresh by commenting or pushing a commit
• Close this PR
• Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

[tsaarni]

I've now resolved merge conflicts that had appeared during recent changes in main. The PR is now again ready for review.

[github-actions]

The Contour project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 14d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, the PR is closed

You can:

• Mark this PR as fresh by commenting or pushing a commit
• Close this PR
• Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

[github-actions]

The Contour project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 14d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, the PR is closed

You can:

• Mark this PR as fresh by commenting or pushing a commit
• Close this PR
• Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

[tsaarni]

Catching up with some more merge conflicts. These changes seem to be on a path that is bit prone to merge conflicts over the time, so reviews would be appreciated! 😄 🙏

[sunjayBhatia]

overall looks correct from a quick pass over the code, seems straightforward enough to set some socket options on the Envoy Listeners

should maybe add a featuretest in lieu of an e2e test to make sure config gets plumbed all the way through correctly

this looks like it will intersect a bit with #5523 but I can sort that out if this merges first 👍🏽

[sunjayBhatia]

(w/o knowing the details of TOS vs. Traffic Class) is it valid to auto detect the Listener ip family to be able to collapse these two into one field?

[tsaarni]

Reliably auto-detecting could be challenging when listener address is set as ::. We use Ipv4Compat: true so Envoy accepts also IPv4 clients - unless IPv4 is disabled on the host where Envoy is running, I think.

[sunjayBhatia]

ah fair point, if we wanted to be clever could we maybe do something like "only have one new API field and if listen address == :: then set the ipv4 and ipv6 option with that value, otherwise set the appropriate option for the address family"?

[sunjayBhatia]

if in practice users may want to set different values between ipv4 and ipv6 seems more correct to keep these options/configurable values separate

[tsaarni]

Thank You for review @sunjayBhatia!

should maybe add a featuretest in lieu of an e2e test to make sure config gets plumbed all the way through correctly

So far, I've checked the values manually from IP header using Wireshark. It would be great to have e2e test, but I think it would require a test client that processes HTTP responses at IP packet level. Normally the values are processed only by the routers & host IP stacks, but the receiving application is unaware of the values.

Did you have some other approach in mind for e2e?

[sunjayBhatia]

Thank You for review @sunjayBhatia!

should maybe add a featuretest in lieu of an e2e test to make sure config gets plumbed all the way through correctly

So far, I've checked the values manually from IP header using Wireshark. It would be great to have e2e test, but I think it would require a test client that processes HTTP responses at IP packet level. Normally the values are processed only by the routers & host IP stacks, but the receiving application is unaware of the values.
Did you have some other approach in mind for e2e?

yeah totally agree, I think just an additional explicit test in internal/featuretest (unless I missed it is already there) for the new socket options added in this PR to make sure the config is generated properly when all the different internal components are hooked up should be sufficient on top of that validation you've done

[tsaarni]

Sorry @sunjayBhatia, somehow, I've accidentally managed to edit your reply instead of replying to you. Maybe I picked "edit" inadvertently, instead of "quote reply" 😵‍💫

Well, regardless of that confusion, I've now added test in internal/featuretests/ to validate the new socket options. I still left also internal/envoy/v3/socket_options_test.go, although it is bit redundant now.

[sunjayBhatia]

Looks like some conflicts to resolve and just to close out this thread #5352 (comment)

Otherwise 👍🏽