From f239572084eb4275933ec415c69898086e0656f3 Mon Sep 17 00:00:00 2001
From: Tero Saarni
Date: Fri, 4 Aug 2023 17:08:01 +0300
Subject: [PATCH 1/2] Added config for socket options for listeners
New config field was added to support DSCP marking for outbound traffic,
for both IPv4 (TOS field) and IPv6 (Traffic Class field).
Signed-off-by: Tero Saarni
---
apis/projectcontour/v1alpha1/contourconfig.go | 24 +++
.../v1alpha1/zz_generated.deepcopy.go | 20 ++
changelogs/unreleased/5352-tsaarni-small.md | 1 +
cmd/contour/serve.go | 1 +
cmd/contour/servecontext.go | 4 +
cmd/contour/servecontext_test.go | 4 +
examples/contour/01-contour-config.yaml | 6 +
examples/contour/01-crds.yaml | 53 +++++
examples/render/contour-deployment.yaml | 59 +++++
.../render/contour-gateway-provisioner.yaml | 53 +++++
examples/render/contour-gateway.yaml | 59 +++++
examples/render/contour.yaml | 59 +++++
.../{tcp_keepalive.go => socket_options.go} | 14 +-
internal/envoy/v3/listener.go | 4 +-
internal/envoy/v3/listener_test.go | 14 +-
.../{tcp_keepalive.go => socket_options.go} | 58 ++++-
internal/envoy/v3/socket_options_test.go | 61 ++++++
internal/envoy/v3/stats.go | 12 +-
internal/envoy/v3/stats_test.go | 14 +-
.../featuretests/v3/authorization_test.go | 8 +-
.../v3/downstreamvalidation_test.go | 16 +-
internal/featuretests/v3/envoy.go | 2 +-
internal/featuretests/v3/fallbackcert_test.go | 8 +-
.../v3/global_authorization_test.go | 8 +-
internal/featuretests/v3/httproute_test.go | 2 +-
.../featuretests/v3/jwtverification_test.go | 28 +--
internal/featuretests/v3/listeners_test.go | 32 +--
internal/featuretests/v3/routeweight_test.go | 12 +-
internal/featuretests/v3/tcpproxy_test.go | 16 +-
internal/featuretests/v3/tcproute_test.go | 8 +-
.../v3/tlscertificatedelegation_test.go | 2 +-
.../v3/tlsprotocolversion_test.go | 4 +-
internal/featuretests/v3/tlsroute_test.go | 10 +-
internal/featuretests/v3/wildcardhost_test.go | 2 +-
internal/xdscache/v3/listener.go | 11 +
internal/xdscache/v3/listener_test.go | 203 +++++++++++-------
pkg/config/parameters.go | 34 +++
pkg/config/parameters_test.go | 15 ++
.../docs/main/config/api-reference.html | 65 ++++++
site/content/docs/main/configuration.md | 14 ++
40 files changed, 829 insertions(+), 191 deletions(-)
create mode 100644 changelogs/unreleased/5352-tsaarni-small.md
rename internal/envoy/{tcp_keepalive.go => socket_options.go} (65%)
rename internal/envoy/v3/{tcp_keepalive.go => socket_options.go} (59%)
create mode 100644 internal/envoy/v3/socket_options_test.go
diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go
index 68d8f8c377a..5699d5e1f30 100644
--- a/apis/projectcontour/v1alpha1/contourconfig.go
+++ b/apis/projectcontour/v1alpha1/contourconfig.go
@@ -386,6 +386,30 @@ type EnvoyListenerConfig struct {
// TLS holds various configurable Envoy TLS listener values.
// +optional
TLS *EnvoyTLS `json:"tls,omitempty"`
+
+ // SocketOptions defines configurable socket options for the listeners.
+ // Single set of options are applied to all listeners.
+ // +optional
+ SocketOptions *SocketOptions `json:"socketOptions,omitempty"`
+}
+
+// SocketOptions defines configurable socket options for Envoy listeners.
+type SocketOptions struct {
+ // Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners.
+ // Single value is applied to all listeners.
+ // If listeners are bound to IPv6-only addresses, setting this option will cause an error.
+ // +kubebuilder:validation:Minimum=0
+ // +kubebuilder:validation:Maximum=255
+ // +optional
+ TOS int32 `json:"tos,omitempty"`
+
+ // Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners.
+ // Single value is applied to all listeners.
+ // If listeners are bound to IPv4-only addresses, setting this option will cause an error.
+ // +kubebuilder:validation:Minimum=0
+ // +kubebuilder:validation:Maximum=255
+ // +optional
+ TrafficClass int32 `json:"trafficClass,omitempty"`
}
// EnvoyTLS describes tls parameters for Envoy listneners.
diff --git a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go
index a0180e31da0..be84902ad84 100644
--- a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go
@@ -578,6 +578,11 @@ func (in *EnvoyListenerConfig) DeepCopyInto(out *EnvoyListenerConfig) {
*out = new(EnvoyTLS)
(*in).DeepCopyInto(*out)
}
+ if in.SocketOptions != nil {
+ in, out := &in.SocketOptions, &out.SocketOptions
+ *out = new(SocketOptions)
+ **out = **in
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvoyListenerConfig.
@@ -1127,6 +1132,21 @@ func (in *RateLimitServiceConfig) DeepCopy() *RateLimitServiceConfig {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SocketOptions) DeepCopyInto(out *SocketOptions) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SocketOptions.
+func (in *SocketOptions) DeepCopy() *SocketOptions {
+ if in == nil {
+ return nil
+ }
+ out := new(SocketOptions)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLS) DeepCopyInto(out *TLS) {
*out = *in
diff --git a/changelogs/unreleased/5352-tsaarni-small.md b/changelogs/unreleased/5352-tsaarni-small.md
new file mode 100644
index 00000000000..b9b971c7e94
--- /dev/null
+++ b/changelogs/unreleased/5352-tsaarni-small.md
@@ -0,0 +1 @@
+Add configuration for socket options to support DSCP marking for outbound IP packets, for both IPv4 (TOS field) and IPv6 (Traffic Class field).
diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go
index 4a5e6108fb6..273834e5a6f 100644
--- a/cmd/contour/serve.go
+++ b/cmd/contour/serve.go
@@ -423,6 +423,7 @@ func (s *Server) doServe() error {
ConnectionBalancer: contourConfiguration.Envoy.Listener.ConnectionBalancer,
MaxRequestsPerConnection: contourConfiguration.Envoy.Listener.MaxRequestsPerConnection,
PerConnectionBufferLimitBytes: contourConfiguration.Envoy.Listener.PerConnectionBufferLimitBytes,
+ SocketOptions: contourConfiguration.Envoy.Listener.SocketOptions,
}
if listenerConfig.TracingConfig, err = s.setupTracingService(contourConfiguration.Tracing); err != nil {
diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go
index 1ffd9997b88..629ef75280f 100644
--- a/cmd/contour/servecontext.go
+++ b/cmd/contour/servecontext.go
@@ -533,6 +533,10 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
MaximumProtocolVersion: ctx.Config.TLS.MaximumProtocolVersion,
CipherSuites: cipherSuites,
},
+ SocketOptions: &contour_api_v1alpha1.SocketOptions{
+ TOS: ctx.Config.Listener.SocketOptions.TOS,
+ TrafficClass: ctx.Config.Listener.SocketOptions.TrafficClass,
+ },
},
Service: &contour_api_v1alpha1.NamespacedName{
Name: ctx.Config.EnvoyServiceName,
diff --git a/cmd/contour/servecontext_test.go b/cmd/contour/servecontext_test.go
index cc714e565e5..1e7cc21db2a 100644
--- a/cmd/contour/servecontext_test.go
+++ b/cmd/contour/servecontext_test.go
@@ -413,6 +413,10 @@ func TestConvertServeContext(t *testing.T) {
MinimumProtocolVersion: "",
MaximumProtocolVersion: "",
},
+ SocketOptions: &contour_api_v1alpha1.SocketOptions{
+ TOS: 0,
+ TrafficClass: 0,
+ },
},
HTTPListener: &contour_api_v1alpha1.EnvoyListener{
Address: "0.0.0.0",
diff --git a/examples/contour/01-contour-config.yaml b/examples/contour/01-contour-config.yaml
index 75528cc1bc3..59b89005e15 100644
--- a/examples/contour/01-contour-config.yaml
+++ b/examples/contour/01-contour-config.yaml
@@ -177,3 +177,9 @@ data:
# server-certificate-path: /path/to/server-cert.pem
# server-key-path: /path/to/server-private-key.pem
# ca-certificate-path: /path/to/root-ca-for-client-validation.pem
+ #
+ # listener:
+ # connection-balancer: exact
+ # socket-options:
+ # tos: 64
+ # traffic-class: 64
diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml
index ccb1d01adc4..521849733e1 100644
--- a/examples/contour/01-crds.yaml
+++ b/examples/contour/01-crds.yaml
@@ -224,6 +224,32 @@ spec:
\n Other values will produce an error. Contour's default
is overwrite."
type: string
+ socketOptions:
+ description: SocketOptions defines configurable socket options
+ for the listeners. Single set of options are applied to
+ all listeners.
+ properties:
+ tos:
+ description: Defines the value for IPv4 TOS field (including
+ 6 bit DSCP field) for IP packets originating from Envoy
+ listeners. Single value is applied to all listeners.
+ If listeners are bound to IPv6-only addresses, setting
+ this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ trafficClass:
+ description: Defines the value for IPv6 Traffic Class
+ field (including 6 bit DSCP field) for IP packets originating
+ from the Envoy listeners. Single value is applied to
+ all listeners. If listeners are bound to IPv4-only addresses,
+ setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ type: object
tls:
description: TLS holds various configurable Envoy TLS listener
values.
@@ -3621,6 +3647,33 @@ spec:
`pass_through` \n Other values will produce an error.
Contour's default is overwrite."
type: string
+ socketOptions:
+ description: SocketOptions defines configurable socket
+ options for the listeners. Single set of options are
+ applied to all listeners.
+ properties:
+ tos:
+ description: Defines the value for IPv4 TOS field
+ (including 6 bit DSCP field) for IP packets originating
+ from Envoy listeners. Single value is applied to
+ all listeners. If listeners are bound to IPv6-only
+ addresses, setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ trafficClass:
+ description: Defines the value for IPv6 Traffic Class
+ field (including 6 bit DSCP field) for IP packets
+ originating from the Envoy listeners. Single value
+ is applied to all listeners. If listeners are bound
+ to IPv4-only addresses, setting this option will
+ cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ type: object
tls:
description: TLS holds various configurable Envoy TLS
listener values.
diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml
index cf1cf5c2886..19c8ec72791 100644
--- a/examples/render/contour-deployment.yaml
+++ b/examples/render/contour-deployment.yaml
@@ -210,6 +210,12 @@ data:
# server-certificate-path: /path/to/server-cert.pem
# server-key-path: /path/to/server-private-key.pem
# ca-certificate-path: /path/to/root-ca-for-client-validation.pem
+ #
+ # listener:
+ # connection-balancer: exact
+ # socket-options:
+ # tos: 64
+ # traffic-class: 64
---
apiVersion: apiextensions.k8s.io/v1
@@ -437,6 +443,32 @@ spec:
\n Other values will produce an error. Contour's default
is overwrite."
type: string
+ socketOptions:
+ description: SocketOptions defines configurable socket options
+ for the listeners. Single set of options are applied to
+ all listeners.
+ properties:
+ tos:
+ description: Defines the value for IPv4 TOS field (including
+ 6 bit DSCP field) for IP packets originating from Envoy
+ listeners. Single value is applied to all listeners.
+ If listeners are bound to IPv6-only addresses, setting
+ this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ trafficClass:
+ description: Defines the value for IPv6 Traffic Class
+ field (including 6 bit DSCP field) for IP packets originating
+ from the Envoy listeners. Single value is applied to
+ all listeners. If listeners are bound to IPv4-only addresses,
+ setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ type: object
tls:
description: TLS holds various configurable Envoy TLS listener
values.
@@ -3834,6 +3866,33 @@ spec:
`pass_through` \n Other values will produce an error.
Contour's default is overwrite."
type: string
+ socketOptions:
+ description: SocketOptions defines configurable socket
+ options for the listeners. Single set of options are
+ applied to all listeners.
+ properties:
+ tos:
+ description: Defines the value for IPv4 TOS field
+ (including 6 bit DSCP field) for IP packets originating
+ from Envoy listeners. Single value is applied to
+ all listeners. If listeners are bound to IPv6-only
+ addresses, setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ trafficClass:
+ description: Defines the value for IPv6 Traffic Class
+ field (including 6 bit DSCP field) for IP packets
+ originating from the Envoy listeners. Single value
+ is applied to all listeners. If listeners are bound
+ to IPv4-only addresses, setting this option will
+ cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ type: object
tls:
description: TLS holds various configurable Envoy TLS
listener values.
diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml
index 39103148552..9b361149375 100644
--- a/examples/render/contour-gateway-provisioner.yaml
+++ b/examples/render/contour-gateway-provisioner.yaml
@@ -238,6 +238,32 @@ spec:
\n Other values will produce an error. Contour's default
is overwrite."
type: string
+ socketOptions:
+ description: SocketOptions defines configurable socket options
+ for the listeners. Single set of options are applied to
+ all listeners.
+ properties:
+ tos:
+ description: Defines the value for IPv4 TOS field (including
+ 6 bit DSCP field) for IP packets originating from Envoy
+ listeners. Single value is applied to all listeners.
+ If listeners are bound to IPv6-only addresses, setting
+ this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ trafficClass:
+ description: Defines the value for IPv6 Traffic Class
+ field (including 6 bit DSCP field) for IP packets originating
+ from the Envoy listeners. Single value is applied to
+ all listeners. If listeners are bound to IPv4-only addresses,
+ setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ type: object
tls:
description: TLS holds various configurable Envoy TLS listener
values.
@@ -3635,6 +3661,33 @@ spec:
`pass_through` \n Other values will produce an error.
Contour's default is overwrite."
type: string
+ socketOptions:
+ description: SocketOptions defines configurable socket
+ options for the listeners. Single set of options are
+ applied to all listeners.
+ properties:
+ tos:
+ description: Defines the value for IPv4 TOS field
+ (including 6 bit DSCP field) for IP packets originating
+ from Envoy listeners. Single value is applied to
+ all listeners. If listeners are bound to IPv6-only
+ addresses, setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ trafficClass:
+ description: Defines the value for IPv6 Traffic Class
+ field (including 6 bit DSCP field) for IP packets
+ originating from the Envoy listeners. Single value
+ is applied to all listeners. If listeners are bound
+ to IPv4-only addresses, setting this option will
+ cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ type: object
tls:
description: TLS holds various configurable Envoy TLS
listener values.
diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml
index aa3ee90539d..3314522261e 100644
--- a/examples/render/contour-gateway.yaml
+++ b/examples/render/contour-gateway.yaml
@@ -216,6 +216,12 @@ data:
# server-certificate-path: /path/to/server-cert.pem
# server-key-path: /path/to/server-private-key.pem
# ca-certificate-path: /path/to/root-ca-for-client-validation.pem
+ #
+ # listener:
+ # connection-balancer: exact
+ # socket-options:
+ # tos: 64
+ # traffic-class: 64
---
apiVersion: apiextensions.k8s.io/v1
@@ -443,6 +449,32 @@ spec:
\n Other values will produce an error. Contour's default
is overwrite."
type: string
+ socketOptions:
+ description: SocketOptions defines configurable socket options
+ for the listeners. Single set of options are applied to
+ all listeners.
+ properties:
+ tos:
+ description: Defines the value for IPv4 TOS field (including
+ 6 bit DSCP field) for IP packets originating from Envoy
+ listeners. Single value is applied to all listeners.
+ If listeners are bound to IPv6-only addresses, setting
+ this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ trafficClass:
+ description: Defines the value for IPv6 Traffic Class
+ field (including 6 bit DSCP field) for IP packets originating
+ from the Envoy listeners. Single value is applied to
+ all listeners. If listeners are bound to IPv4-only addresses,
+ setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ type: object
tls:
description: TLS holds various configurable Envoy TLS listener
values.
@@ -3840,6 +3872,33 @@ spec:
`pass_through` \n Other values will produce an error.
Contour's default is overwrite."
type: string
+ socketOptions:
+ description: SocketOptions defines configurable socket
+ options for the listeners. Single set of options are
+ applied to all listeners.
+ properties:
+ tos:
+ description: Defines the value for IPv4 TOS field
+ (including 6 bit DSCP field) for IP packets originating
+ from Envoy listeners. Single value is applied to
+ all listeners. If listeners are bound to IPv6-only
+ addresses, setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ trafficClass:
+ description: Defines the value for IPv6 Traffic Class
+ field (including 6 bit DSCP field) for IP packets
+ originating from the Envoy listeners. Single value
+ is applied to all listeners. If listeners are bound
+ to IPv4-only addresses, setting this option will
+ cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ type: object
tls:
description: TLS holds various configurable Envoy TLS
listener values.
diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml
index d542a73f2d6..1f9c8f005d8 100644
--- a/examples/render/contour.yaml
+++ b/examples/render/contour.yaml
@@ -210,6 +210,12 @@ data:
# server-certificate-path: /path/to/server-cert.pem
# server-key-path: /path/to/server-private-key.pem
# ca-certificate-path: /path/to/root-ca-for-client-validation.pem
+ #
+ # listener:
+ # connection-balancer: exact
+ # socket-options:
+ # tos: 64
+ # traffic-class: 64
---
apiVersion: apiextensions.k8s.io/v1
@@ -437,6 +443,32 @@ spec:
\n Other values will produce an error. Contour's default
is overwrite."
type: string
+ socketOptions:
+ description: SocketOptions defines configurable socket options
+ for the listeners. Single set of options are applied to
+ all listeners.
+ properties:
+ tos:
+ description: Defines the value for IPv4 TOS field (including
+ 6 bit DSCP field) for IP packets originating from Envoy
+ listeners. Single value is applied to all listeners.
+ If listeners are bound to IPv6-only addresses, setting
+ this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ trafficClass:
+ description: Defines the value for IPv6 Traffic Class
+ field (including 6 bit DSCP field) for IP packets originating
+ from the Envoy listeners. Single value is applied to
+ all listeners. If listeners are bound to IPv4-only addresses,
+ setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ type: object
tls:
description: TLS holds various configurable Envoy TLS listener
values.
@@ -3834,6 +3866,33 @@ spec:
`pass_through` \n Other values will produce an error.
Contour's default is overwrite."
type: string
+ socketOptions:
+ description: SocketOptions defines configurable socket
+ options for the listeners. Single set of options are
+ applied to all listeners.
+ properties:
+ tos:
+ description: Defines the value for IPv4 TOS field
+ (including 6 bit DSCP field) for IP packets originating
+ from Envoy listeners. Single value is applied to
+ all listeners. If listeners are bound to IPv6-only
+ addresses, setting this option will cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ trafficClass:
+ description: Defines the value for IPv6 Traffic Class
+ field (including 6 bit DSCP field) for IP packets
+ originating from the Envoy listeners. Single value
+ is applied to all listeners. If listeners are bound
+ to IPv4-only addresses, setting this option will
+ cause an error.
+ format: int32
+ maximum: 255
+ minimum: 0
+ type: integer
+ type: object
tls:
description: TLS holds various configurable Envoy TLS
listener values.
diff --git a/internal/envoy/tcp_keepalive.go b/internal/envoy/socket_options.go
similarity index 65%
rename from internal/envoy/tcp_keepalive.go
rename to internal/envoy/socket_options.go
index 9c1bd3fe867..775d605b1fb 100644
--- a/internal/envoy/tcp_keepalive.go
+++ b/internal/envoy/socket_options.go
@@ -15,20 +15,26 @@ package envoy
import "syscall"
-// We only support Envoy on Linux so always configure Linux TCP keep-alive
-// socket options regardless of the platform that Contour is running on.
// nolint:revive
const (
+ // We only support Envoy on Linux so always configure Linux TCP keep-alive
+ // socket options regardless of the platform that Contour is running on (e.g. Contour on macOS + Envoy on Linux).
TCP_KEEPIDLE = 0x4 // Linux syscall.TCP_KEEPIDLE
TCP_KEEPINTVL = 0x5 // Linux syscall.TCP_KEEPINTVL
TCP_KEEPCNT = 0x6 // Linux syscall.TCP_KEEPCNT
+ // The following are for setting DSCP values on Linux.
+ IP_TOS = 0x1 // Linux syscall.IP_TOS
+ IPV6_TCLASS = 0x43 // Linux syscall.IPV6_TCLASS
+
// The following are Linux syscall constants for all
// architectures except MIPS.
SOL_SOCKET = 0x1
SO_KEEPALIVE = 0x9
- // IPPROTO_TCP has the same value across Go platforms, but
+ // IPPROTO_* has the same value across Go platforms, but
// is defined here for consistency.
- IPPROTO_TCP = syscall.IPPROTO_TCP
+ IPPROTO_IP = syscall.IPPROTO_IP
+ IPPROTO_IPV6 = syscall.IPPROTO_IPV6
+ IPPROTO_TCP = syscall.IPPROTO_TCP
)
diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go
index f24a3a19a17..2707700875a 100644
--- a/internal/envoy/v3/listener.go
+++ b/internal/envoy/v3/listener.go
@@ -130,12 +130,12 @@ func ProxyProtocol() *envoy_listener_v3.ListenerFilter {
}
// Listener returns a new envoy_listener_v3.Listener for the supplied address, port, and filters.
-func Listener(name, address string, port int, perConnectionBufferLimitBytes *uint32, lf []*envoy_listener_v3.ListenerFilter, filters ...*envoy_listener_v3.Filter) *envoy_listener_v3.Listener {
+func Listener(name, address string, port int, perConnectionBufferLimitBytes *uint32, so *SocketOptions, lf []*envoy_listener_v3.ListenerFilter, filters ...*envoy_listener_v3.Filter) *envoy_listener_v3.Listener {
l := &envoy_listener_v3.Listener{
Name: name,
Address: SocketAddress(address, port),
ListenerFilters: lf,
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: so.Build(),
}
if perConnectionBufferLimitBytes != nil {
diff --git a/internal/envoy/v3/listener_test.go b/internal/envoy/v3/listener_test.go
index ece9eb4efc0..4a9d8046e56 100644
--- a/internal/envoy/v3/listener_test.go
+++ b/internal/envoy/v3/listener_test.go
@@ -100,7 +100,7 @@ func TestListener(t *testing.T) {
FilterChains: FilterChains(
HTTPConnectionManager("http", FileAccessLogEnvoy("/dev/null", "", nil, v1alpha1.LogLevelInfo), 0),
),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
},
},
"insecure listener w/ proxy": {
@@ -122,7 +122,7 @@ func TestListener(t *testing.T) {
FilterChains: FilterChains(
HTTPConnectionManager("http-proxy", FileAccessLogEnvoy("/dev/null", "", nil, v1alpha1.LogLevelInfo), 0),
),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
},
},
"secure listener": {
@@ -138,7 +138,7 @@ func TestListener(t *testing.T) {
ListenerFilters: ListenerFilters(
TLSInspector(),
),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
},
},
"secure listener w/ proxy": {
@@ -156,7 +156,7 @@ func TestListener(t *testing.T) {
ProxyProtocol(),
TLSInspector(),
),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
},
},
"listener w/ connection buffer limits": {
@@ -174,7 +174,7 @@ func TestListener(t *testing.T) {
FilterChains: FilterChains(
HTTPConnectionManager("http", FileAccessLogEnvoy("/dev/null", "", nil, v1alpha1.LogLevelInfo), 0),
),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
},
},
"secure listener w/ connection buffer limits": {
@@ -192,14 +192,14 @@ func TestListener(t *testing.T) {
ListenerFilters: ListenerFilters(
TLSInspector(),
),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
},
},
}
for name, tc := range tests {
t.Run(name, func(t *testing.T) {
- got := Listener(tc.name, tc.address, tc.port, tc.perConnectionBufferLimitBytes, tc.lf, tc.f...)
+ got := Listener(tc.name, tc.address, tc.port, tc.perConnectionBufferLimitBytes, NewSocketOptions().TCPKeepalive(), tc.lf, tc.f...)
protobuf.ExpectEqual(t, tc.want, got)
})
}
diff --git a/internal/envoy/v3/tcp_keepalive.go b/internal/envoy/v3/socket_options.go
similarity index 59%
rename from internal/envoy/v3/tcp_keepalive.go
rename to internal/envoy/v3/socket_options.go
index fed30a22cee..a2b583f1070 100644
--- a/internal/envoy/v3/tcp_keepalive.go
+++ b/internal/envoy/v3/socket_options.go
@@ -18,14 +18,18 @@ import (
"github.com/projectcontour/contour/internal/envoy"
)
-func TCPKeepaliveSocketOptions() []*envoy_core_v3.SocketOption {
+type SocketOptions struct {
+ options []*envoy_core_v3.SocketOption
+}
+
+func NewSocketOptions() *SocketOptions {
+ return &SocketOptions{}
+}
- // Note: TCP_KEEPIDLE + (TCP_KEEPINTVL * TCP_KEEPCNT) must be greater than
- // the grpc.KeepaliveParams time + timeout (currently 60 + 20 = 80 seconds)
- // otherwise TestGRPC/StreamClusters fails.
- return []*envoy_core_v3.SocketOption{
+func (so *SocketOptions) TCPKeepalive() *SocketOptions {
+ so.options = append(so.options,
// Enable TCP keep-alive.
- {
+ &envoy_core_v3.SocketOption{
Description: "Enable TCP keep-alive",
Level: envoy.SOL_SOCKET,
Name: envoy.SO_KEEPALIVE,
@@ -34,7 +38,7 @@ func TCPKeepaliveSocketOptions() []*envoy_core_v3.SocketOption {
},
// The time (in seconds) the connection needs to remain idle
// before TCP starts sending keepalive probes.
- {
+ &envoy_core_v3.SocketOption{
Description: "TCP keep-alive initial idle time",
Level: envoy.IPPROTO_TCP,
Name: envoy.TCP_KEEPIDLE,
@@ -42,7 +46,7 @@ func TCPKeepaliveSocketOptions() []*envoy_core_v3.SocketOption {
State: envoy_core_v3.SocketOption_STATE_LISTENING,
},
// The time (in seconds) between individual keepalive probes.
- {
+ &envoy_core_v3.SocketOption{
Description: "TCP keep-alive time between probes",
Level: envoy.IPPROTO_TCP,
Name: envoy.TCP_KEEPINTVL,
@@ -52,12 +56,48 @@ func TCPKeepaliveSocketOptions() []*envoy_core_v3.SocketOption {
// The maximum number of TCP keep-alive probes to send before
// giving up and killing the connection if no response is
// obtained from the other end.
- {
+ &envoy_core_v3.SocketOption{
Description: "TCP keep-alive probe count",
Level: envoy.IPPROTO_TCP,
Name: envoy.TCP_KEEPCNT,
Value: &envoy_core_v3.SocketOption_IntValue{IntValue: 9},
State: envoy_core_v3.SocketOption_STATE_LISTENING,
},
+ )
+
+ return so
+}
+
+// TOS sets the IP_TOS socket option for IPv4 socket.
+func (so *SocketOptions) TOS(value int32) *SocketOptions {
+ if value != 0 {
+ so.options = append(so.options,
+ &envoy_core_v3.SocketOption{
+ Description: "Set IPv4 TOS field",
+ Level: envoy.IPPROTO_IP,
+ Name: envoy.IP_TOS,
+ State: envoy_core_v3.SocketOption_STATE_LISTENING,
+ Value: &envoy_core_v3.SocketOption_IntValue{IntValue: int64(value)},
+ })
}
+ return so
+}
+
+// TrafficClass sets the IPV6_TCLASS socket option for IPv4 socket.
+func (so *SocketOptions) TrafficClass(value int32) *SocketOptions {
+ if value != 0 {
+ so.options = append(so.options,
+ &envoy_core_v3.SocketOption{
+ Description: "Set IPv6 Traffic Class field",
+ Level: envoy.IPPROTO_IPV6,
+ Name: envoy.IPV6_TCLASS,
+ State: envoy_core_v3.SocketOption_STATE_LISTENING,
+ Value: &envoy_core_v3.SocketOption_IntValue{IntValue: int64(value)},
+ })
+ }
+ return so
+}
+
+func (so *SocketOptions) Build() []*envoy_core_v3.SocketOption {
+ return so.options
}
diff --git a/internal/envoy/v3/socket_options_test.go b/internal/envoy/v3/socket_options_test.go
new file mode 100644
index 00000000000..689fe2af015
--- /dev/null
+++ b/internal/envoy/v3/socket_options_test.go
@@ -0,0 +1,61 @@
+// Copyright Project Contour Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v3
+
+import (
+ "testing"
+
+ envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ "github.com/projectcontour/contour/internal/envoy"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestSocketOptions(t *testing.T) {
+ // No options shall be set when value 0 is set.
+ so := NewSocketOptions().TOS(0).TrafficClass(0)
+ assert.Equal(t, len(so.options), 0)
+
+ so.TOS(64)
+ assert.Equal(t, so.Build(),
+ []*envoy_core_v3.SocketOption{
+ {
+ Description: "Set IPv4 TOS field",
+ Level: envoy.IPPROTO_IP,
+ Name: envoy.IP_TOS,
+ Value: &envoy_core_v3.SocketOption_IntValue{IntValue: 64},
+ State: envoy_core_v3.SocketOption_STATE_LISTENING,
+ },
+ },
+ )
+
+ so.TrafficClass(64)
+ assert.Equal(t, so.Build(),
+ []*envoy_core_v3.SocketOption{
+ {
+ Description: "Set IPv4 TOS field",
+ Level: envoy.IPPROTO_IP,
+ Name: envoy.IP_TOS,
+ Value: &envoy_core_v3.SocketOption_IntValue{IntValue: 64},
+ State: envoy_core_v3.SocketOption_STATE_LISTENING,
+ },
+ {
+ Description: "Set IPv6 Traffic Class field",
+ Level: envoy.IPPROTO_IPV6,
+ Name: envoy.IPV6_TCLASS,
+ Value: &envoy_core_v3.SocketOption_IntValue{IntValue: 64},
+ State: envoy_core_v3.SocketOption_STATE_LISTENING,
+ },
+ },
+ )
+}
diff --git a/internal/envoy/v3/stats.go b/internal/envoy/v3/stats.go
index 179500e9c1d..a6395e82491 100644
--- a/internal/envoy/v3/stats.go
+++ b/internal/envoy/v3/stats.go
@@ -43,14 +43,14 @@ func StatsListeners(metrics contour_api_v1alpha1.MetricsConfig, health contour_a
listeners = []*envoy_listener_v3.Listener{{
Name: "stats",
Address: SocketAddress(metrics.Address, metrics.Port),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
FilterChains: filterChain("stats",
DownstreamTLSTransportSocket(
downstreamTLSContext(metrics.TLS.CAFile != "")), routeForAdminInterface("/stats")),
}, {
Name: "health",
Address: SocketAddress(health.Address, health.Port),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
FilterChains: filterChain("stats", nil, routeForAdminInterface("/ready")),
}}
@@ -60,7 +60,7 @@ func StatsListeners(metrics contour_api_v1alpha1.MetricsConfig, health contour_a
listeners = []*envoy_listener_v3.Listener{{
Name: "stats-health",
Address: SocketAddress(metrics.Address, metrics.Port),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
FilterChains: filterChain("stats", nil, routeForAdminInterface("/ready", "/stats")),
}}
@@ -69,12 +69,12 @@ func StatsListeners(metrics contour_api_v1alpha1.MetricsConfig, health contour_a
listeners = []*envoy_listener_v3.Listener{{
Name: "stats",
Address: SocketAddress(metrics.Address, metrics.Port),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
FilterChains: filterChain("stats", nil, routeForAdminInterface("/stats")),
}, {
Name: "health",
Address: SocketAddress(health.Address, health.Port),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
FilterChains: filterChain("stats", nil, routeForAdminInterface("/ready")),
}}
}
@@ -103,7 +103,7 @@ func AdminListener(port int) *envoy_listener_v3.Listener {
"/stats/recentlookups",
),
),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
}
}
diff --git a/internal/envoy/v3/stats_test.go b/internal/envoy/v3/stats_test.go
index 2ab95c1e42d..9fea6e9f02f 100644
--- a/internal/envoy/v3/stats_test.go
+++ b/internal/envoy/v3/stats_test.go
@@ -106,7 +106,7 @@ func TestStatsListeners(t *testing.T) {
},
},
),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
}}})
run(t, "stats-over-https-and-health-over-http", testcase{
@@ -164,7 +164,7 @@ func TestStatsListeners(t *testing.T) {
},
),
}},
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
}, {
Name: "health",
Address: SocketAddress("127.0.0.127", 8124),
@@ -194,7 +194,7 @@ func TestStatsListeners(t *testing.T) {
},
},
),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
}}})
run(t, "stats-over-https-with-client-auth-and-health-over-http", testcase{
@@ -260,7 +260,7 @@ func TestStatsListeners(t *testing.T) {
},
),
}},
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
}, {
Name: "health",
Address: SocketAddress("127.0.0.127", 8124),
@@ -290,7 +290,7 @@ func TestStatsListeners(t *testing.T) {
},
},
),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
}}})
run(t, "stats-and-health-over-http-but-different-listeners", testcase{
@@ -330,7 +330,7 @@ func TestStatsListeners(t *testing.T) {
},
},
),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
}, {
Name: "health",
Address: SocketAddress("127.0.0.128", 8124),
@@ -360,7 +360,7 @@ func TestStatsListeners(t *testing.T) {
},
},
),
- SocketOptions: TCPKeepaliveSocketOptions(),
+ SocketOptions: NewSocketOptions().TCPKeepalive().Build(),
}}})
}
diff --git a/internal/featuretests/v3/authorization_test.go b/internal/featuretests/v3/authorization_test.go
index c2ad0124f66..3e51070cba2 100644
--- a/internal/featuretests/v3/authorization_test.go
+++ b/internal/featuretests/v3/authorization_test.go
@@ -106,7 +106,7 @@ func authzResponseTimeout(t *testing.T, rh ResourceEventHandlerWrapper, c *Conto
),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener()),
@@ -193,7 +193,7 @@ func authzFailOpen(t *testing.T, rh ResourceEventHandlerWrapper, c *Contour) {
),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener()),
}).Status(p).IsValid()
@@ -508,7 +508,7 @@ func authzInvalidReference(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener()),
}).Status(invalid).IsValid()
@@ -577,7 +577,7 @@ func authzWithRequestBodyBufferSettings(t *testing.T, rh ResourceEventHandlerWra
),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener()),
}).Status(p).IsValid()
diff --git a/internal/featuretests/v3/downstreamvalidation_test.go b/internal/featuretests/v3/downstreamvalidation_test.go
index 0499c922253..d82744eca5b 100644
--- a/internal/featuretests/v3/downstreamvalidation_test.go
+++ b/internal/featuretests/v3/downstreamvalidation_test.go
@@ -96,7 +96,7 @@ func TestDownstreamTLSCertificateValidation(t *testing.T) {
"h2", "http/1.1",
),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -144,7 +144,7 @@ func TestDownstreamTLSCertificateValidation(t *testing.T) {
"h2", "http/1.1",
),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -195,7 +195,7 @@ func TestDownstreamTLSCertificateValidation(t *testing.T) {
"h2", "http/1.1",
),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -260,7 +260,7 @@ func TestDownstreamTLSCertificateValidation(t *testing.T) {
"h2", "http/1.1",
),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
Resources: resources(t,
@@ -313,7 +313,7 @@ func TestDownstreamTLSCertificateValidation(t *testing.T) {
"h2", "http/1.1",
),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
Resources: resources(t,
@@ -362,7 +362,7 @@ func TestDownstreamTLSCertificateValidation(t *testing.T) {
"h2", "http/1.1",
),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
Resources: resources(t,
@@ -422,7 +422,7 @@ func TestDownstreamTLSCertificateValidation(t *testing.T) {
"h2", "http/1.1",
),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
Resources: resources(t,
@@ -476,7 +476,7 @@ func TestDownstreamTLSCertificateValidation(t *testing.T) {
"h2", "http/1.1",
),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
Resources: resources(t,
diff --git a/internal/featuretests/v3/envoy.go b/internal/featuretests/v3/envoy.go
index ea60b26ef1b..a7f74e08ac2 100644
--- a/internal/featuretests/v3/envoy.go
+++ b/internal/featuretests/v3/envoy.go
@@ -597,6 +597,6 @@ func defaultHTTPListener() *envoy_listener_v3.Listener {
FilterChains: envoy_v3.FilterChains(
envoy_v3.HTTPConnectionManager("ingress_http", envoy_v3.FileAccessLogEnvoy("/dev/stdout", "", nil, contour_api_v1alpha1.LogLevelInfo), 0),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
}
diff --git a/internal/featuretests/v3/fallbackcert_test.go b/internal/featuretests/v3/fallbackcert_test.go
index 07cbfa56571..bcef7c82d56 100644
--- a/internal/featuretests/v3/fallbackcert_test.go
+++ b/internal/featuretests/v3/fallbackcert_test.go
@@ -107,7 +107,7 @@ func TestFallbackCertificate(t *testing.T) {
httpsFilterFor("fallback.example.com"),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
})
@@ -170,7 +170,7 @@ func TestFallbackCertificate(t *testing.T) {
nil, "h2", "http/1.1"),
filterchaintlsfallback(fallbackSecret, nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
})
@@ -212,7 +212,7 @@ func TestFallbackCertificate(t *testing.T) {
nil, "h2", "http/1.1"),
filterchaintlsfallback(fallbackSecret, nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
})
@@ -284,7 +284,7 @@ func TestFallbackCertificate(t *testing.T) {
nil, "h2", "http/1.1"),
filterchaintlsfallback(fallbackSecret, nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
})
diff --git a/internal/featuretests/v3/global_authorization_test.go b/internal/featuretests/v3/global_authorization_test.go
index c600464a8de..d928bc2057e 100644
--- a/internal/featuretests/v3/global_authorization_test.go
+++ b/internal/featuretests/v3/global_authorization_test.go
@@ -134,7 +134,7 @@ func globalExternalAuthorizationFilterExistsTLS(t *testing.T, rh ResourceEventHa
),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -197,7 +197,7 @@ func globalExternalAuthorizationWithTLSGlobalAuthDisabled(t *testing.T, rh Resou
httpsFilterFor("foo.com"),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -346,7 +346,7 @@ func globalExternalAuthorizationWithMergedAuthPolicyTLS(t *testing.T, rh Resourc
),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -473,7 +473,7 @@ func globalExternalAuthorizationWithTLSAuthOverride(t *testing.T, rh ResourceEve
),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
diff --git a/internal/featuretests/v3/httproute_test.go b/internal/featuretests/v3/httproute_test.go
index 35746900060..974660eb8bd 100644
--- a/internal/featuretests/v3/httproute_test.go
+++ b/internal/featuretests/v3/httproute_test.go
@@ -180,7 +180,7 @@ func TestGateway_TLS(t *testing.T) {
httpsFilterForGateway("https-443", "test.projectcontour.io"),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
})
diff --git a/internal/featuretests/v3/jwtverification_test.go b/internal/featuretests/v3/jwtverification_test.go
index bc6ee7a0814..c3ba34337b3 100644
--- a/internal/featuretests/v3/jwtverification_test.go
+++ b/internal/featuretests/v3/jwtverification_test.go
@@ -90,7 +90,7 @@ func TestJWTVerification(t *testing.T) {
filterchaintls("jwt.example.com", sec1, httpsFilterFor("jwt.example.com"),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
})
@@ -168,7 +168,7 @@ func TestJWTVerification(t *testing.T) {
}),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
}).Request(clusterType, "dnsname/https/jwt.example.com").Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -321,7 +321,7 @@ func TestJWTVerification(t *testing.T) {
}),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
}).Request(routeType, "https/jwt.example.com").Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -429,7 +429,7 @@ func TestJWTVerification(t *testing.T) {
}),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
}).Request(routeType, "https/jwt.example.com").Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -559,7 +559,7 @@ func TestJWTVerification(t *testing.T) {
}),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
}).Request(routeType, "https/jwt.example.com").Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -653,7 +653,7 @@ func TestJWTVerification(t *testing.T) {
}),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
}).Request(clusterType, "dnsname/https/jwt.example.com").Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -807,7 +807,7 @@ func TestJWTVerification(t *testing.T) {
}),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
}).Request(clusterType, "dnsname/https/jwt.example.com").Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -971,7 +971,7 @@ func TestJWTVerification(t *testing.T) {
}),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
}).Request(clusterType, "dnsname/https/jwt.example.com").Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -1117,7 +1117,7 @@ func TestJWTVerification(t *testing.T) {
}),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
}).Request(clusterType, "dnsname/https/jwt.example.com").Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -1250,7 +1250,7 @@ func TestJWTVerification_Inclusion(t *testing.T) {
filterchaintls("jwt.example.com", sec1, httpsFilterFor("jwt.example.com"),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
})
@@ -1338,7 +1338,7 @@ func TestJWTVerification_Inclusion(t *testing.T) {
}),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
}).Request(clusterType, "dnsname/https/jwt.example.com").Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -1501,7 +1501,7 @@ func TestJWTVerification_Inclusion(t *testing.T) {
}),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
}).Request(routeType, "https/jwt.example.com").Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -1619,7 +1619,7 @@ func TestJWTVerification_Inclusion(t *testing.T) {
}),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
}).Request(routeType, "https/jwt.example.com").Equals(&envoy_discovery_v3.DiscoveryResponse{
@@ -1759,7 +1759,7 @@ func TestJWTVerification_Inclusion(t *testing.T) {
}),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
}).Request(routeType, "https/jwt.example.com").Equals(&envoy_discovery_v3.DiscoveryResponse{
diff --git a/internal/featuretests/v3/listeners_test.go b/internal/featuretests/v3/listeners_test.go
index efee21d861a..c3fae12cc50 100644
--- a/internal/featuretests/v3/listeners_test.go
+++ b/internal/featuretests/v3/listeners_test.go
@@ -212,7 +212,7 @@ func TestTLSListener(t *testing.T) {
httpsFilterFor("kuard.example.com"),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -257,7 +257,7 @@ func TestTLSListener(t *testing.T) {
httpsFilterFor("kuard.example.com"),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -367,7 +367,7 @@ func TestHTTPProxyTLSListener(t *testing.T) {
httpsFilterFor("kuard.example.com"),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
// add service
@@ -417,7 +417,7 @@ func TestHTTPProxyTLSListener(t *testing.T) {
envoy_v3.Filters(httpsFilterFor("kuard.example.com")),
),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
// add ingress and assert the existence of ingress_http and ingres_https
@@ -500,7 +500,7 @@ func TestTLSListenerCipherSuites(t *testing.T) {
envoy_v3.Filters(httpsFilterFor("kuard.example.com")),
),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
// add service
@@ -579,7 +579,7 @@ func TestLDSFilter(t *testing.T) {
httpsFilterFor("kuard.example.com"),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
TypeUrl: listenerType,
@@ -737,7 +737,7 @@ func TestLDSIngressHTTPSUseProxyProtocol(t *testing.T) {
httpsFilterFor("kuard.example.com"),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
Resources: resources(t,
@@ -833,7 +833,7 @@ func TestLDSCustomAddressAndPort(t *testing.T) {
httpsFilterFor("kuard.example.com"),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
Resources: resources(t,
@@ -927,7 +927,7 @@ func TestLDSCustomAccessLogPaths(t *testing.T) {
Get(),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
VersionInfo: "1",
@@ -1013,7 +1013,7 @@ func TestHTTPProxyHTTPS(t *testing.T) {
httpsFilterFor("example.com"),
nil, "h2", "http/1.1"),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
VersionInfo: "1",
@@ -1093,7 +1093,7 @@ func TestHTTPProxyTLSVersion(t *testing.T) {
envoy_v3.Filters(httpsFilterFor("kuard.example.com")),
),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
// verify that p1's TLS 1.1 minimum has been upgraded to 1.2
@@ -1151,7 +1151,7 @@ func TestHTTPProxyTLSVersion(t *testing.T) {
envoy_v3.Filters(httpsFilterFor("kuard.example.com")),
),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
// verify that p2's TLS 1.3 minimum has NOT been downgraded to 1.2
@@ -1479,7 +1479,7 @@ func TestGatewayListenersSetAddress(t *testing.T) {
Name: "http-80",
Address: envoy_v3.SocketAddress("127.0.0.100", 8080),
FilterChains: envoy_v3.FilterChains(httpFilterForGateway()),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
})
@@ -1499,7 +1499,7 @@ func TestGatewayListenersSetAddress(t *testing.T) {
httpsFilterForGateway("https-443", "test.projectcontour.io"),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
})
@@ -1522,7 +1522,7 @@ func TestGatewayListenersSetAddress(t *testing.T) {
tcpproxy("https-8443", "default/svc1/80/da39a3ee5e"),
),
}},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
})
@@ -1538,7 +1538,7 @@ func TestGatewayListenersSetAddress(t *testing.T) {
tcpproxy("tcp-27017", "default/svc1/80/da39a3ee5e"),
),
}},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
TypeUrl: listenerType,
diff --git a/internal/featuretests/v3/routeweight_test.go b/internal/featuretests/v3/routeweight_test.go
index 16770c995ff..b62a9cad300 100644
--- a/internal/featuretests/v3/routeweight_test.go
+++ b/internal/featuretests/v3/routeweight_test.go
@@ -145,7 +145,7 @@ func TestHTTPProxy_TCPProxyWithAServiceWeight(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -201,7 +201,7 @@ func TestHTTPProxy_TCPProxyWithAServiceWeight(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -257,7 +257,7 @@ func TestHTTPProxy_TCPProxyWithAServiceWeight(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -314,7 +314,7 @@ func TestHTTPProxy_TCPProxyWithAServiceWeight(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -531,7 +531,7 @@ func TestTLSRoute_RouteWithAServiceWeight(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -585,7 +585,7 @@ func TestTLSRoute_RouteWithAServiceWeight(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
diff --git a/internal/featuretests/v3/tcpproxy_test.go b/internal/featuretests/v3/tcpproxy_test.go
index 624a6b0dcb3..29150fe633b 100644
--- a/internal/featuretests/v3/tcpproxy_test.go
+++ b/internal/featuretests/v3/tcpproxy_test.go
@@ -97,7 +97,7 @@ func TestTCPProxy(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -193,7 +193,7 @@ func TestTCPProxyDelegation(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -277,7 +277,7 @@ func TestTCPProxyTLSPassthrough(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -362,7 +362,7 @@ func TestTCPProxyTLSBackend(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -454,7 +454,7 @@ func TestTCPProxyAndHTTPService(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -544,7 +544,7 @@ func TestTCPProxyAndHTTPServicePermitInsecure(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -632,7 +632,7 @@ func TestTCPProxyTLSPassthroughAndHTTPService(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -721,7 +721,7 @@ func TestTCPProxyTLSPassthroughAndHTTPServicePermitInsecure(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
diff --git a/internal/featuretests/v3/tcproute_test.go b/internal/featuretests/v3/tcproute_test.go
index 1519a3d8eb8..58532415269 100644
--- a/internal/featuretests/v3/tcproute_test.go
+++ b/internal/featuretests/v3/tcproute_test.go
@@ -108,7 +108,7 @@ func TestTCPRoute(t *testing.T) {
tcpproxy("tcp-10000", "default/backend-1/80/da39a3ee5e"),
),
}},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
TypeUrl: listenerType,
@@ -159,7 +159,7 @@ func TestTCPRoute(t *testing.T) {
tcpproxy("tcp-10000", "default/backend-1/80/da39a3ee5e"),
),
}},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
&envoy_listener_v3.Listener{
Name: "tcp-10001",
@@ -169,7 +169,7 @@ func TestTCPRoute(t *testing.T) {
tcpproxy("tcp-10001", "default/backend-2/80/da39a3ee5e"),
),
}},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
TypeUrl: listenerType,
@@ -270,7 +270,7 @@ func TestTCPRoute_TLSTermination(t *testing.T) {
FilterChains: appendFilterChains(
filterchaintls("*", sec1, tcpproxy("https-5000", "default/backend-1/80/da39a3ee5e"), nil),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
diff --git a/internal/featuretests/v3/tlscertificatedelegation_test.go b/internal/featuretests/v3/tlscertificatedelegation_test.go
index 905fe559632..16aefeb1774 100644
--- a/internal/featuretests/v3/tlscertificatedelegation_test.go
+++ b/internal/featuretests/v3/tlscertificatedelegation_test.go
@@ -111,7 +111,7 @@ func TestTLSCertificateDelegation(t *testing.T) {
httpsFilterFor("example.com"),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
diff --git a/internal/featuretests/v3/tlsprotocolversion_test.go b/internal/featuretests/v3/tlsprotocolversion_test.go
index 2f244e3a5e4..b05334ffb5e 100644
--- a/internal/featuretests/v3/tlsprotocolversion_test.go
+++ b/internal/featuretests/v3/tlsprotocolversion_test.go
@@ -81,7 +81,7 @@ func TestTLSProtocolVersion(t *testing.T) {
httpsFilterFor("kuard.example.com"),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
TypeUrl: listenerType,
@@ -142,7 +142,7 @@ func TestTLSProtocolVersion(t *testing.T) {
envoy_v3.Filters(httpsFilterFor("kuard.example.com")),
),
},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}
c.Request(listenerType, "ingress_https").Equals(&envoy_discovery_v3.DiscoveryResponse{
diff --git a/internal/featuretests/v3/tlsroute_test.go b/internal/featuretests/v3/tlsroute_test.go
index 0621ddcd65f..056bfa43003 100644
--- a/internal/featuretests/v3/tlsroute_test.go
+++ b/internal/featuretests/v3/tlsroute_test.go
@@ -114,7 +114,7 @@ func TestTLSRoute_TLSPassthrough(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -157,7 +157,7 @@ func TestTLSRoute_TLSPassthrough(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -224,7 +224,7 @@ func TestTLSRoute_TLSPassthrough(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
@@ -328,7 +328,7 @@ func TestTLSRoute_TLSTermination(t *testing.T) {
FilterChains: appendFilterChains(
filterchaintls("test1.projectcontour.io", sec1, tcpproxy("https-5000", "default/svc1/80/da39a3ee5e"), nil),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
})
@@ -366,7 +366,7 @@ func TestTLSRoute_TLSTermination(t *testing.T) {
filterchaintls("test1.projectcontour.io", sec1, tcpproxy("https-5000", "default/svc1/80/da39a3ee5e"), nil),
filterchaintls("test2.projectcontour.io", sec1, tcpproxy("https-5000", "default/svc2/80/da39a3ee5e"), nil),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
),
})
diff --git a/internal/featuretests/v3/wildcardhost_test.go b/internal/featuretests/v3/wildcardhost_test.go
index 53aeae1f079..0d0d575c132 100644
--- a/internal/featuretests/v3/wildcardhost_test.go
+++ b/internal/featuretests/v3/wildcardhost_test.go
@@ -237,7 +237,7 @@ func TestIngressWildcardHostHTTPSWildcardSecret(t *testing.T) {
httpsFilterFor("*.foo-tls.com"),
nil, "h2", "http/1.1"),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
statsListener(),
),
diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go
index 08f77fa82e9..c9cf6d04aaf 100644
--- a/internal/xdscache/v3/listener.go
+++ b/internal/xdscache/v3/listener.go
@@ -144,6 +144,9 @@ type ListenerConfig struct {
// TracingConfig optionally configures the tracing collector Service to be
// used.
TracingConfig *TracingConfig
+
+ // SocketOptions configures socket options HTTP and HTTPS listeners.
+ SocketOptions *contour_api_v1alpha1.SocketOptions
}
type ExtensionServiceConfig struct {
@@ -374,6 +377,11 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
return b
}
+ socketOptions := envoy_v3.NewSocketOptions().TCPKeepalive()
+ if cfg.SocketOptions != nil {
+ socketOptions = socketOptions.TOS(cfg.SocketOptions.TOS).TrafficClass(cfg.SocketOptions.TrafficClass)
+ }
+
for _, listener := range root.Listeners {
// A Listener-level TCPProxy proxies all traffic for
// the Listener port, i.e. no filter chain match.
@@ -383,6 +391,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
listener.Address,
listener.Port,
cfg.PerConnectionBufferLimitBytes,
+ socketOptions,
nil,
envoy_v3.TCPProxy(listener.Name, listener.TCPProxy, cfg.newInsecureAccessLog()),
)
@@ -422,6 +431,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
listener.Address,
listener.Port,
cfg.PerConnectionBufferLimitBytes,
+ socketOptions,
proxyProtocol(cfg.UseProxyProto),
cm,
)
@@ -436,6 +446,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
listener.Address,
listener.Port,
cfg.PerConnectionBufferLimitBytes,
+ socketOptions,
secureProxyProtocol(cfg.UseProxyProto),
)
}
diff --git a/internal/xdscache/v3/listener_test.go b/internal/xdscache/v3/listener_test.go
index e6025561663..280401a7aa2 100644
--- a/internal/xdscache/v3/listener_test.go
+++ b/internal/xdscache/v3/listener_test.go
@@ -58,14 +58,14 @@ func TestListenerCacheContents(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
want: []proto.Message{
&envoy_listener_v3.Listener{
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
},
},
@@ -92,7 +92,7 @@ func TestListenerCacheQuery(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
query: []string{ENVOY_HTTP_LISTENER},
want: []proto.Message{
@@ -100,7 +100,7 @@ func TestListenerCacheQuery(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
},
},
@@ -109,7 +109,7 @@ func TestListenerCacheQuery(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
query: []string{ENVOY_HTTP_LISTENER, "stats-listener"},
want: []proto.Message{
@@ -117,7 +117,7 @@ func TestListenerCacheQuery(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
},
},
},
@@ -126,7 +126,7 @@ func TestListenerCacheQuery(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
query: []string{"stats-listener"},
want: nil,
@@ -201,7 +201,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"one http only httpproxy": {
@@ -244,7 +244,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -298,7 +298,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -312,7 +312,7 @@ func TestListenerVisit(t *testing.T) {
TransportSocket: transportSocket("secret", envoy_tls_v3.TlsParameters_TLSv1_2, envoy_tls_v3.TlsParameters_TLSv1_3, nil, "h2", "http/1.1"),
Filters: envoy_v3.Filters(httpsFilterFor("whatever.example.com")),
}},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -388,7 +388,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -408,7 +408,7 @@ func TestListenerVisit(t *testing.T) {
TransportSocket: transportSocket("secret", envoy_tls_v3.TlsParameters_TLSv1_2, envoy_tls_v3.TlsParameters_TLSv1_3, nil, "h2", "http/1.1"),
Filters: envoy_v3.Filters(httpsFilterFor("sortedsecond.example.com")),
}},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -462,7 +462,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"simple httpproxy with secret": {
@@ -513,7 +513,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -527,7 +527,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -610,7 +610,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"use proxy proto": {
@@ -669,7 +669,7 @@ func TestListenerVisit(t *testing.T) {
envoy_v3.ProxyProtocol(),
),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -684,7 +684,7 @@ func TestListenerVisit(t *testing.T) {
TransportSocket: transportSocket("secret", envoy_tls_v3.TlsParameters_TLSv1_2, envoy_tls_v3.TlsParameters_TLSv1_3, nil, "h2", "http/1.1"),
Filters: envoy_v3.Filters(httpsFilterFor("whatever.example.com")),
}},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -742,7 +742,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy("/tmp/http_access.log", "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -762,7 +762,7 @@ func TestListenerVisit(t *testing.T) {
AccessLoggers(envoy_v3.FileAccessLogEnvoy("/tmp/https_access.log", "", nil, v1alpha1.LogLevelInfo)).
Get()),
}},
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -820,7 +820,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -834,7 +834,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -896,7 +896,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -910,7 +910,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -968,7 +968,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -1053,7 +1053,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"tls-cipher-suites from config": {
@@ -1110,7 +1110,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -1124,7 +1124,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -1205,7 +1205,7 @@ func TestListenerVisit(t *testing.T) {
RequestTimeout(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -1241,7 +1241,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -1322,7 +1322,7 @@ func TestListenerVisit(t *testing.T) {
ConnectionIdleTimeout(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -1358,7 +1358,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -1439,7 +1439,7 @@ func TestListenerVisit(t *testing.T) {
StreamIdleTimeout(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -1475,7 +1475,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -1556,7 +1556,7 @@ func TestListenerVisit(t *testing.T) {
DelayedCloseTimeout(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -1592,7 +1592,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -1673,7 +1673,7 @@ func TestListenerVisit(t *testing.T) {
MaxConnectionDuration(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -1709,7 +1709,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -1790,7 +1790,7 @@ func TestListenerVisit(t *testing.T) {
ConnectionShutdownGracePeriod(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -1826,7 +1826,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpproxy with fallback certificate": {
@@ -1894,7 +1894,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -1915,7 +1915,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"multiple httpproxies with fallback certificate": {
@@ -2008,7 +2008,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -2038,7 +2038,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpproxy with fallback certificate - no cert passed": {
@@ -2154,7 +2154,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -2168,7 +2168,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpproxy with connection idle timeout set in listener config": {
@@ -2224,7 +2224,7 @@ func TestListenerVisit(t *testing.T) {
ConnectionIdleTimeout(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpproxy with stream idle timeout set in listener config": {
@@ -2280,7 +2280,7 @@ func TestListenerVisit(t *testing.T) {
StreamIdleTimeout(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpproxy with max connection duration set in listener config": {
@@ -2336,7 +2336,7 @@ func TestListenerVisit(t *testing.T) {
MaxConnectionDuration(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpproxy with delayed close timeout set in listener config": {
@@ -2392,7 +2392,7 @@ func TestListenerVisit(t *testing.T) {
DelayedCloseTimeout(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpproxy with connection shutdown grace period set in listener config": {
@@ -2448,7 +2448,7 @@ func TestListenerVisit(t *testing.T) {
ConnectionShutdownGracePeriod(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -2512,7 +2512,7 @@ func TestListenerVisit(t *testing.T) {
ConnectionIdleTimeout(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -2533,7 +2533,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpproxy with allow_chunked_length set in listener config": {
@@ -2587,7 +2587,7 @@ func TestListenerVisit(t *testing.T) {
AllowChunkedLength(true).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpproxy with merge_slashes set in listener config": {
@@ -2642,7 +2642,7 @@ func TestListenerVisit(t *testing.T) {
MergeSlashes(true).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpproxy with server_header_transformation set to pass through in listener config": {
@@ -2697,7 +2697,7 @@ func TestListenerVisit(t *testing.T) {
ServerHeaderTransformation(v1alpha1.PassThroughServerHeader).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpproxy with XffNumTrustedHops set in listener config": {
@@ -2751,7 +2751,7 @@ func TestListenerVisit(t *testing.T) {
NumTrustedHops(1).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpsproxy with secret with stream idle timeout set in listener config": {
@@ -2814,7 +2814,7 @@ func TestListenerVisit(t *testing.T) {
StreamIdleTimeout(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -2835,7 +2835,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -2899,7 +2899,7 @@ func TestListenerVisit(t *testing.T) {
MaxConnectionDuration(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -2920,7 +2920,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpsproxy with secret with delayed close timeout set in listener config": {
@@ -2983,7 +2983,7 @@ func TestListenerVisit(t *testing.T) {
DelayedCloseTimeout(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -3004,7 +3004,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpsproxy with secret with connection shutdown grace period set in listener config": {
@@ -3067,7 +3067,7 @@ func TestListenerVisit(t *testing.T) {
ConnectionShutdownGracePeriod(timeout.DurationSetting(90 * time.Second)).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -3088,7 +3088,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"insecure httpproxy with rate limit config": {
@@ -3170,7 +3170,7 @@ func TestListenerVisit(t *testing.T) {
}),
},
}).Get()),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
@@ -3264,7 +3264,7 @@ func TestListenerVisit(t *testing.T) {
}).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -3307,7 +3307,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"secure httpproxy using fallback certificate with rate limit config": {
@@ -3416,7 +3416,7 @@ func TestListenerVisit(t *testing.T) {
}).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -3496,7 +3496,56 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
+ }),
+ },
+ "DSCP marking with socket options": {
+ ListenerConfig: ListenerConfig{
+ SocketOptions: &v1alpha1.SocketOptions{
+ TOS: 64,
+ TrafficClass: 64,
+ },
+ },
+ objs: []any{
+ &contour_api_v1.HTTPProxy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "simple",
+ Namespace: "default",
+ },
+ Spec: contour_api_v1.HTTPProxySpec{
+ VirtualHost: &contour_api_v1.VirtualHost{
+ Fqdn: "www.example.com",
+ },
+ Routes: []contour_api_v1.Route{{
+ Conditions: []contour_api_v1.MatchCondition{{
+ Prefix: "/",
+ }},
+ Services: []contour_api_v1.Service{{
+ Name: "backend",
+ Port: 80,
+ }},
+ }},
+ },
+ },
+ &v1.Service{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "backend",
+ Namespace: "default",
+ },
+ Spec: v1.ServiceSpec{
+ Ports: []v1.ServicePort{{
+ Name: "http",
+ Protocol: "TCP",
+ Port: 80,
+ }},
+ },
+ },
+ },
+ want: listenermap(&envoy_listener_v3.Listener{
+ Name: ENVOY_HTTP_LISTENER,
+ Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
+ FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().TOS(64).TrafficClass(64).Build(),
}),
},
"httpproxy with MaxRequestsPerConnection set in listener config": {
@@ -3550,7 +3599,7 @@ func TestListenerVisit(t *testing.T) {
MaxRequestsPerConnection(ref.To(uint32(1))).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpsproxy with MaxRequestsPerConnection set in listener config": {
@@ -3611,7 +3660,7 @@ func TestListenerVisit(t *testing.T) {
MaxRequestsPerConnection(ref.To(uint32(1))).
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -3632,7 +3681,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpproxy with PerConnectionBufferLimitBytes set in listener config": {
@@ -3686,7 +3735,7 @@ func TestListenerVisit(t *testing.T) {
DefaultFilters().
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"httpsproxy with PerConnectionBufferLimitBytes set in listener config": {
@@ -3747,7 +3796,7 @@ func TestListenerVisit(t *testing.T) {
DefaultFilters().
Get(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
@@ -3768,7 +3817,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
}
diff --git a/pkg/config/parameters.go b/pkg/config/parameters.go
index 52fb7e0dc5b..462361d226c 100644
--- a/pkg/config/parameters.go
+++ b/pkg/config/parameters.go
@@ -481,6 +481,9 @@ type ListenerParameters struct {
//
// +optional
PerConnectionBufferLimitBytes *uint32 `yaml:"per-connection-buffer-limit-bytes,omitempty"`
+
+ // SocketOptions is used to set socket options for listeners.
+ SocketOptions SocketOptions `yaml:"socket-options"`
}
func (p *ListenerParameters) Validate() error {
@@ -500,6 +503,37 @@ func (p *ListenerParameters) Validate() error {
return fmt.Errorf("invalid per connections buffer limit bytes value %q set on listener, minimum value is 1", *p.PerConnectionBufferLimitBytes)
}
+ return p.SocketOptions.Validate()
+}
+
+// SocketOptions defines configurable socket options for Envoy listeners.
+type SocketOptions struct {
+ // Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners.
+ // Single value is applied to all listeners.
+ // The value must be in the range 0-255, 0 means socket option is not set.
+ // If listeners are bound to IPv6-only addresses, setting this option will cause an error.
+ TOS int32 `yaml:"tos"`
+
+ // Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners.
+ // Single value is applied to all listeners.
+ // The value must be in the range 0-255, 0 means socket option is not set.
+ // If listeners are bound to IPv4-only addresses, setting this option will cause an error.
+ TrafficClass int32 `yaml:"traffic-class"`
+}
+
+func (p *SocketOptions) Validate() error {
+ if p == nil {
+ return nil
+ }
+
+ if p.TOS < 0 || p.TOS > 255 {
+ return fmt.Errorf("invalid listener IPv4 TOS value %d, must be in the range 0-255", p.TOS)
+ }
+
+ if p.TrafficClass < 0 || p.TrafficClass > 255 {
+ return fmt.Errorf("invalid listener IPv6 TrafficClass value %d, must be in the range 0-255", p.TrafficClass)
+ }
+
return nil
}
diff --git a/pkg/config/parameters_test.go b/pkg/config/parameters_test.go
index 819d819b02c..bcd46957a99 100644
--- a/pkg/config/parameters_test.go
+++ b/pkg/config/parameters_test.go
@@ -564,6 +564,21 @@ func TestListenerValidation(t *testing.T) {
PerConnectionBufferLimitBytes: ref.To(uint32(0)),
}
require.Error(t, l.Validate())
+ l = &ListenerParameters{
+ SocketOptions: SocketOptions{
+ TOS: 64,
+ TrafficClass: 64,
+ },
+ }
+ require.NoError(t, l.Validate())
+ l = &ListenerParameters{SocketOptions: SocketOptions{TOS: 256}}
+ require.Error(t, l.Validate())
+ l = &ListenerParameters{SocketOptions: SocketOptions{TrafficClass: 256}}
+ require.Error(t, l.Validate())
+ l = &ListenerParameters{SocketOptions: SocketOptions{TOS: -1}}
+ require.Error(t, l.Validate())
+ l = &ListenerParameters{SocketOptions: SocketOptions{TrafficClass: -1}}
+ require.Error(t, l.Validate())
}
func TestClusterParametersValidation(t *testing.T) {
diff --git a/site/content/docs/main/config/api-reference.html b/site/content/docs/main/config/api-reference.html
index c9f2508f65b..98f35777dd2 100644
--- a/site/content/docs/main/config/api-reference.html
+++ b/site/content/docs/main/config/api-reference.html
@@ -6760,6 +6760,22 @@ EnvoyListenerConfig
TLS holds various configurable Envoy TLS listener values.
+
+
+socketOptions
+
+
+
+SocketOptions
+
+
+ |
+
+(Optional)
+ SocketOptions defines configurable socket options for the listeners.
+Single set of options are applied to all listeners.
+ |
+
EnvoyLogging
@@ -8307,6 +8323,55 @@
+(Appears on:
+EnvoyListenerConfig)
+
+
+
SocketOptions defines configurable socket options for Envoy listeners.
+
+
+
+
+Field |
+Description |
+
+
+
+
+
+tos
+
+
+int32
+
+ |
+
+(Optional)
+ Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners.
+Single value is applied to all listeners.
+If listeners are bound to IPv6-only addresses, setting this option will cause an error.
+ |
+
+
+
+trafficClass
+
+
+int32
+
+ |
+
+(Optional)
+ Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners.
+Single value is applied to all listeners.
+If listeners are bound to IPv4-only addresses, setting this option will cause an error.
+ |
+
+
+
TLS
diff --git a/site/content/docs/main/configuration.md b/site/content/docs/main/configuration.md
index 98e09d2aa18..8867f89d113 100644
--- a/site/content/docs/main/configuration.md
+++ b/site/content/docs/main/configuration.md
@@ -194,6 +194,7 @@ The listener configuration block can be used to configure various parameters for
| connection-balancer | string | `""` | This field specifies the listener connection balancer. If the value is `exact`, the listener will use the exact connection balancer to balance connections between threads in a single Envoy process. See [the Envoy documentation][14] for more information. |
| max-requests-per-connection | int | none | This field specifies the maximum requests for downstream connections. If not specified, there is no limit |
| per-connection-buffer-limit-bytes | int | 1MiB* | This field specifies the soft limit on size of the listener’s new connection read and write buffer. If not specified, Envoy defaults of 1MiB apply |
+| socket-options | SocketOptions | | The [Socket Options](#socket-options) for Envoy listeners. |
_This is Envoy's default setting value and is not explicitly configured by Contour._
@@ -282,6 +283,13 @@ Metrics and health endpoints cannot have the same port number when metrics are s
| server-key-path | string | none | Optional path to the server private key file. |
| ca-certificate-path | string | none | Optional path to the CA certificate file used to verify client certificates. |
+### Socket Options
+
+| Field Name | Type | Default | Description |
+| --------------- | ------ | ------- | ----------------------------------------------------------------------------- |
+| tos | int | 0 | Defines the value for IPv4 TOS field (including 6 bit DSCP field) for IP packets originating from Envoy listeners. Single value is applied to all listeners. The value must be in the range 0-255, 0 means socket option is not set. If listeners are bound to IPv6-only addresses, setting this option will cause an error. |
+| traffic-class | int | 0 | Defines the value for IPv6 Traffic Class field (including 6 bit DSCP field) for IP packets originating from the Envoy listeners. Single value is applied to all listeners. The value must be in the range 0-255, 0 means socket option is not set. If listeners are bound to IPv4-only addresses, setting this option will cause an error. |
+
### Configuration Example
The following is an example ConfigMap with configuration file included:
@@ -452,6 +460,12 @@ data:
# server-certificate-path: /path/to/server-cert.pem
# server-key-path: /path/to/server-private-key.pem
# ca-certificate-path: /path/to/root-ca-for-client-validation.pem
+ #
+ # listener:
+ # connection-balancer: exact
+ # socket-options:
+ # tos: 64
+ # traffic-class: 64
```
_Note:_ The default example `contour` includes this [file][1] for easy deployment of Contour.
From f616af2a0067e28b51188a2866e20786ff92f9f3 Mon Sep 17 00:00:00 2001
From: Tero Saarni
Date: Mon, 7 Aug 2023 15:19:36 +0300
Subject: [PATCH 2/2] Added featuretest for non-default socket opts
Signed-off-by: Tero Saarni
---
internal/featuretests/v3/listeners_test.go | 104 +++++++++++++++++++++
internal/xdscache/v3/listener_test.go | 4 +-
2 files changed, 106 insertions(+), 2 deletions(-)
diff --git a/internal/featuretests/v3/listeners_test.go b/internal/featuretests/v3/listeners_test.go
index c3fae12cc50..fd42dda6788 100644
--- a/internal/featuretests/v3/listeners_test.go
+++ b/internal/featuretests/v3/listeners_test.go
@@ -16,12 +16,14 @@ package v3
import (
"testing"
+ envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
envoy_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
envoy_discovery_v3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1"
contour_api_v1alpha1 "github.com/projectcontour/contour/apis/projectcontour/v1alpha1"
"github.com/projectcontour/contour/internal/dag"
+ "github.com/projectcontour/contour/internal/envoy"
envoy_v3 "github.com/projectcontour/contour/internal/envoy/v3"
"github.com/projectcontour/contour/internal/featuretests"
"github.com/projectcontour/contour/internal/fixture"
@@ -1544,3 +1546,105 @@ func TestGatewayListenersSetAddress(t *testing.T) {
TypeUrl: listenerType,
})
}
+
+func TestSocketOptions(t *testing.T) {
+ // Configure non-default socket options for HTTP and HTTPS listeners.
+ rh, c, done := setup(t, func(conf *xdscache_v3.ListenerConfig) {
+ conf.SocketOptions = &contour_api_v1alpha1.SocketOptions{
+ TOS: 32,
+ TrafficClass: 64,
+ }
+ })
+ defer done()
+
+ svc1 := fixture.NewService("backend").
+ WithPorts(v1.ServicePort{Name: "http", Port: 80})
+ rh.OnAdd(svc1)
+
+ // secret1 is a tls secret
+ secret1 := &v1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "secret",
+ Namespace: "default",
+ },
+ Type: "kubernetes.io/tls",
+ Data: featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
+ }
+ rh.OnAdd(secret1)
+
+ // p1 is a tls httpproxy
+ p1 := &contour_api_v1.HTTPProxy{
+ ObjectMeta: fixture.ObjectMeta("simple"),
+ Spec: contour_api_v1.HTTPProxySpec{
+ VirtualHost: &contour_api_v1.VirtualHost{
+ Fqdn: "kuard.example.com",
+ TLS: &contour_api_v1.TLS{
+ SecretName: "secret",
+ },
+ },
+ Routes: []contour_api_v1.Route{{
+ Conditions: []contour_api_v1.MatchCondition{{
+ Prefix: "/",
+ }},
+ Services: []contour_api_v1.Service{{
+ Name: "backend",
+ Port: 80,
+ }},
+ }},
+ },
+ }
+ rh.OnAdd(p1)
+
+ socketOpts := envoy_v3.NewSocketOptions().TCPKeepalive().Build()
+
+ // Verify that the given socket options are set on the HTTP and HTTPS listeners.
+ socketOpts = append(socketOpts, &envoy_core_v3.SocketOption{
+ Description: "Set IPv4 TOS field",
+ Level: envoy.IPPROTO_IP,
+ Name: envoy.IP_TOS,
+ State: envoy_core_v3.SocketOption_STATE_LISTENING,
+ Value: &envoy_core_v3.SocketOption_IntValue{IntValue: int64(32)},
+ }, &envoy_core_v3.SocketOption{
+ Description: "Set IPv6 Traffic Class field",
+ Level: envoy.IPPROTO_IPV6,
+ Name: envoy.IPV6_TCLASS,
+ State: envoy_core_v3.SocketOption_STATE_LISTENING,
+ Value: &envoy_core_v3.SocketOption_IntValue{IntValue: int64(64)},
+ })
+
+ c.Request(listenerType).Equals(&envoy_discovery_v3.DiscoveryResponse{
+ Resources: resources(t,
+ &envoy_listener_v3.Listener{
+ Name: "ingress_http",
+ Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
+ FilterChains: envoy_v3.FilterChains(
+ envoy_v3.HTTPConnectionManager("ingress_http", envoy_v3.FileAccessLogEnvoy("/dev/stdout", "", nil, contour_api_v1alpha1.LogLevelInfo), 0),
+ ),
+ SocketOptions: socketOpts,
+ },
+ &envoy_listener_v3.Listener{
+ Name: "ingress_https",
+ Address: envoy_v3.SocketAddress("0.0.0.0", 8443),
+ ListenerFilters: envoy_v3.ListenerFilters(
+ envoy_v3.TLSInspector(),
+ ),
+ FilterChains: []*envoy_listener_v3.FilterChain{
+ envoy_v3.FilterChainTLS(
+ "kuard.example.com",
+ envoy_v3.DownstreamTLSContext(
+ &dag.Secret{Object: secret1},
+ envoy_tls_v3.TlsParameters_TLSv1_2,
+ envoy_tls_v3.TlsParameters_TLSv1_3,
+ nil,
+ nil,
+ "h2", "http/1.1"),
+ envoy_v3.Filters(httpsFilterFor("kuard.example.com")),
+ ),
+ },
+ SocketOptions: socketOpts,
+ },
+ statsListener(),
+ ),
+ TypeUrl: listenerType,
+ })
+}
diff --git a/internal/xdscache/v3/listener_test.go b/internal/xdscache/v3/listener_test.go
index 280401a7aa2..186215e39c7 100644
--- a/internal/xdscache/v3/listener_test.go
+++ b/internal/xdscache/v3/listener_test.go
@@ -982,7 +982,7 @@ func TestListenerVisit(t *testing.T) {
ListenerFilters: envoy_v3.ListenerFilters(
envoy_v3.TLSInspector(),
),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}),
},
"tls-maximum-protocol-version from config not overridden by httpproxy": {
@@ -1039,7 +1039,7 @@ func TestListenerVisit(t *testing.T) {
Name: ENVOY_HTTP_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8080),
FilterChains: envoy_v3.FilterChains(envoy_v3.HTTPConnectionManager(ENVOY_HTTP_LISTENER, envoy_v3.FileAccessLogEnvoy(DEFAULT_HTTP_ACCESS_LOG, "", nil, v1alpha1.LogLevelInfo), 0)),
- SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
+ SocketOptions: envoy_v3.NewSocketOptions().TCPKeepalive().Build(),
}, &envoy_listener_v3.Listener{
Name: ENVOY_HTTPS_LISTENER,
Address: envoy_v3.SocketAddress("0.0.0.0", 8443),