Support PROXY Protocol listener filter (1.7) (#5119)

* PROXY protocol listener filter
* fix invalid test helper
* Merge refs/heads/v1.7.x into backport/v1.7.x/proxy-protocol-listener-filter

Author: sam-heilbron

changelog/v1.7.17/proxy-protocol-listener-filter.yaml

@@ -0,0 +1,9 @@
+changelog:
+  - type: FIX
+    issueLink: https://github.com/solo-io/gloo/issues/5116
+    resolvesIssue: false
+    description: >
+      Add PROXY protocol as listener filter, instead of relying on the deprecated
+      use_proxy_proto flag that Envoy exposes. We ensure the filter occurs before
+      the TLS inspector filter, to ensure that PROXY protocol and SNI can be used
+      together.

projects/gloo/pkg/plugins/proxyprotocol/plugin.go

@@ -0,0 +1,49 @@
+package proxyprotocol
+
+import (
+	envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
+	envoy_listener_proxy_protocol "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/proxy_protocol/v3"
+	"github.com/envoyproxy/go-control-plane/pkg/wellknown"
+	v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1"
+	"github.com/solo-io/gloo/projects/gloo/pkg/plugins"
+	"github.com/solo-io/gloo/projects/gloo/pkg/utils"
+)
+
+func NewPlugin() *plugin {
+	return &plugin{}
+}
+
+// Compile-time assertion
+var (
+	_ plugins.Plugin         = new(plugin)
+	_ plugins.ListenerPlugin = new(plugin)
+)
+
+type plugin struct{}
+
+func (p *plugin) Init(params plugins.InitParams) error {
+	return nil
+}
+
+func (p *plugin) ProcessListener(params plugins.Params, in *v1.Listener, out *envoy_config_listener_v3.Listener) error {
+	if !in.GetUseProxyProto().GetValue() {
+		// If UseProxyProto is not defined on the listener or it is false, do not append the filter
+		return nil
+	}
+
+	envoyProxyProtocol := &envoy_listener_proxy_protocol.ProxyProtocol{}
+	msg, err := utils.MessageToAny(envoyProxyProtocol)
+	if err != nil {
+		return err
+	}
+
+	listenerFilter := &envoy_config_listener_v3.ListenerFilter{
+		Name: wellknown.ProxyProtocol,
+		ConfigType: &envoy_config_listener_v3.ListenerFilter_TypedConfig{
+			TypedConfig: msg,
+		},
+	}
+
+	out.ListenerFilters = append(out.ListenerFilters, listenerFilter)
+	return nil
+}

projects/gloo/pkg/plugins/proxyprotocol/plugin_test.go

@@ -0,0 +1,80 @@
+package proxyprotocol
+
+import (
+	envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
+	"github.com/envoyproxy/go-control-plane/pkg/wellknown"
+	"github.com/golang/protobuf/ptypes/wrappers"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1"
+	"github.com/solo-io/gloo/projects/gloo/pkg/plugins"
+)
+
+var _ = Describe("Plugin", func() {
+
+	var (
+		p      *plugin
+		params plugins.Params
+
+		in  *v1.Listener
+		out *envoy_config_listener_v3.Listener
+	)
+
+	BeforeEach(func() {
+		p = NewPlugin()
+
+		err := p.Init(plugins.InitParams{})
+		Expect(err).NotTo(HaveOccurred())
+
+		in = &v1.Listener{}
+		out = &envoy_config_listener_v3.Listener{}
+	})
+
+	When("UseProxyProto=true is defined on the listener", func() {
+
+		BeforeEach(func() {
+			in.UseProxyProto = &wrappers.BoolValue{Value: true}
+		})
+
+		It("appends ProxyProtocol listener filter", func() {
+			err := p.ProcessListener(params, in, out)
+			Expect(err).NotTo(HaveOccurred())
+
+			Expect(out.ListenerFilters).To(HaveLen(1))
+			Expect(out.ListenerFilters).To(HaveLen(1))
+			Expect(out.ListenerFilters[0].GetName()).To(Equal(wellknown.ProxyProtocol))
+		})
+
+	})
+
+	When("UseProxyProto=false is defined on the listener", func() {
+
+		BeforeEach(func() {
+			in.UseProxyProto = &wrappers.BoolValue{Value: false}
+		})
+
+		It("does not append ProxyProtocol listener filter", func() {
+			err := p.ProcessListener(params, in, out)
+			Expect(err).NotTo(HaveOccurred())
+
+			Expect(out.ListenerFilters).To(HaveLen(0))
+		})
+
+	})
+
+	When("UseProxyProto is not defined on the listener", func() {
+
+		BeforeEach(func() {
+			in.UseProxyProto = nil
+		})
+
+		It("does not append ProxyProtocol listener filter", func() {
+			err := p.ProcessListener(params, in, out)
+			Expect(err).NotTo(HaveOccurred())
+
+			Expect(out.ListenerFilters).To(HaveLen(0))
+		})
+
+	})
+
+})

projects/gloo/pkg/plugins/proxyprotocol/proxyprotocol_suite_test.go

@@ -0,0 +1,15 @@
+package proxyprotocol_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	"github.com/onsi/ginkgo/reporters"
+	. "github.com/onsi/gomega"
+)
+
+func TestProxyProtocol(t *testing.T) {
+	RegisterFailHandler(Fail)
+	junitReporter := reporters.NewJUnitReporter("junit.xml")
+	RunSpecsWithDefaultAndCustomReporters(t, "Proxy Protocol Suite", []Reporter{junitReporter})
+}

projects/gloo/pkg/plugins/registry/registry.go

@@ -28,6 +28,7 @@ import (
 	"github.com/solo-io/gloo/projects/gloo/pkg/plugins/metadata"
 	"github.com/solo-io/gloo/projects/gloo/pkg/plugins/pipe"
 	"github.com/solo-io/gloo/projects/gloo/pkg/plugins/protocoloptions"
+	"github.com/solo-io/gloo/projects/gloo/pkg/plugins/proxyprotocol"
 	"github.com/solo-io/gloo/projects/gloo/pkg/plugins/ratelimit"
 	"github.com/solo-io/gloo/projects/gloo/pkg/plugins/rest"
 	"github.com/solo-io/gloo/projects/gloo/pkg/plugins/shadowing"
@@ -61,6 +62,7 @@ var globalRegistry = func(opts bootstrap.Opts, pluginExtensions ...func() plugin
 		rest.NewPlugin(&transformationPlugin.RequireTransformationFilter),
 		hcmPlugin,
 		als.NewPlugin(),
+		proxyprotocol.NewPlugin(),
 		tls_inspector.NewPlugin(),
 		pipe.NewPlugin(),
 		tcp.NewPlugin(utils.NewSslConfigTranslator()),

projects/gloo/pkg/plugins/tcp/plugin.go

@@ -7,7 +7,6 @@ import (
 	envoyauth "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
 	"github.com/envoyproxy/go-control-plane/pkg/wellknown"
 	"github.com/golang/protobuf/proto"
-	"github.com/golang/protobuf/ptypes/wrappers"
 	"github.com/hashicorp/go-multierror"
 	"github.com/rotisserie/eris"
 	v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1"
@@ -193,26 +192,20 @@ func (p *Plugin) computerTcpFilterChain(
 	sslConfig := host.GetSslConfig()
 	if sslConfig == nil {
 		return &envoy_config_listener_v3.FilterChain{
-			Filters:       listenerFilters,
-			UseProxyProto: listener.GetUseProxyProto(),
+			Filters: listenerFilters,
 		}, nil
 	}
 
 	downstreamConfig, err := p.sslConfigTranslator.ResolveDownstreamSslConfig(snap.Secrets, sslConfig)
 	if err != nil {
 		return nil, InvalidSecretsError(err, listener.GetName())
 	}
-	return p.newSslFilterChain(downstreamConfig,
-		sslConfig.GetSniDomains(),
-		listener.GetUseProxyProto(),
-		listenerFilters,
-	), nil
+	return p.newSslFilterChain(downstreamConfig, sslConfig.GetSniDomains(), listenerFilters), nil
 }
 
 func (p *Plugin) newSslFilterChain(
 	downstreamConfig *envoyauth.DownstreamTlsContext,
 	sniDomains []string,
-	useProxyProto *wrappers.BoolValue,
 	listenerFilters []*envoy_config_listener_v3.Filter,
 ) *envoy_config_listener_v3.FilterChain {
 
@@ -231,7 +224,6 @@ func (p *Plugin) newSslFilterChain(
 			Name:       wellknown.TransportSocketTls,
 			ConfigType: &envoy_config_core_v3.TransportSocket_TypedConfig{TypedConfig: utils.MustMessageToAny(downstreamConfig)},
 		},
-		UseProxyProto: useProxyProto,
 	}
 }
 

projects/gloo/pkg/translator/listener.go

@@ -10,7 +10,6 @@ import (
 	envoyauth "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
 	"github.com/envoyproxy/go-control-plane/pkg/wellknown"
 	"github.com/golang/protobuf/proto"
-	"github.com/golang/protobuf/ptypes/wrappers"
 	validationapi "github.com/solo-io/gloo/projects/gloo/pkg/api/grpc/validation"
 	v1 "github.com/solo-io/gloo/projects/gloo/pkg/api/v1"
 	"github.com/solo-io/gloo/projects/gloo/pkg/plugins"
@@ -151,8 +150,7 @@ func (t *translatorInstance) computeFilterChainsFromSslConfig(
 	// if no ssl config is provided, return a single insecure filter chain
 	if len(listener.SslConfigurations) == 0 {
 		return []*envoy_config_listener_v3.FilterChain{{
-			Filters:       listenerFilters,
-			UseProxyProto: listener.GetUseProxyProto(),
+			Filters: listenerFilters,
 		}}
 	}
 
@@ -166,7 +164,7 @@ func (t *translatorInstance) computeFilterChainsFromSslConfig(
 				validationapi.ListenerReport_Error_SSLConfigError, err.Error())
 			continue
 		}
-		filterChain := newSslFilterChain(downstreamConfig, sslConfig.SniDomains, listener.UseProxyProto, listenerFilters)
+		filterChain := newSslFilterChain(downstreamConfig, sslConfig.GetSniDomains(), listenerFilters)
 
 		secureFilterChains = append(secureFilterChains, filterChain)
 	}
@@ -245,7 +243,6 @@ func validateListenerPorts(proxy *v1.Proxy, listenerReport *validationapi.Listen
 func newSslFilterChain(
 	downstreamConfig *envoyauth.DownstreamTlsContext,
 	sniDomains []string,
-	useProxyProto *wrappers.BoolValue,
 	listenerFilters []*envoy_config_listener_v3.Filter,
 ) *envoy_config_listener_v3.FilterChain {
 
@@ -265,8 +262,6 @@ func newSslFilterChain(
 			Name:       wellknown.TransportSocketTls,
 			ConfigType: &envoy_config_core_v3.TransportSocket_TypedConfig{TypedConfig: utils.MustMessageToAny(downstreamConfig)},
 		},
-
-		UseProxyProto: useProxyProto,
 	}
 }