projectcontour · skriss · Jan 31, 2025 · Jan 20, 2025 · Jan 20, 2025 · Jan 23, 2025
@@ -104,7 +104,10 @@
 		if err := envoy.ValidAdminAddress(bootstrapCtx.AdminAddress); err != nil {
 			log.WithField("flag", "--admin-address").WithError(err).Fatal("failed to parse bootstrap args")
 		}
-		if err := envoy_v3.WriteBootstrap(bootstrapCtx); err != nil {
+		envoyGen := envoy_v3.NewEnvoyGen(envoy_v3.EnvoyGenOpt{
+			XDSClusterName: envoy_v3.DefaultXDSClusterName,
+		})
+		if err := envoyGen.WriteBootstrap(bootstrapCtx); err != nil {
 			log.WithError(err).Fatal("failed to write bootstrap configuration")
 		}
 	case certgenApp.FullCommand():

@@ -493,11 +493,15 @@
 		endpointHandler = xdscache_v3.NewEndpointsTranslator(s.log.WithField("context", "endpointstranslator"))
 	}
 
+	envoyGen := envoy_v3.NewEnvoyGen(envoy_v3.EnvoyGenOpt{
+		XDSClusterName: envoy_v3.DefaultXDSClusterName,
+	})
+
 	resources := []xdscache.ResourceCache{
-		xdscache_v3.NewListenerCache(listenerConfig, *contourConfiguration.Envoy.Metrics, *contourConfiguration.Envoy.Health, *contourConfiguration.Envoy.Network.EnvoyAdminPort),
+		xdscache_v3.NewListenerCache(listenerConfig, *contourConfiguration.Envoy.Metrics, *contourConfiguration.Envoy.Health, *contourConfiguration.Envoy.Network.EnvoyAdminPort, envoyGen),
 		xdscache_v3.NewSecretsCache(envoy_v3.StatsSecrets(contourConfiguration.Envoy.Metrics.TLS)),
 		&xdscache_v3.RouteCache{},
-		&xdscache_v3.ClusterCache{},
+		xdscache_v3.NewClusterCache(envoyGen),
 		endpointHandler,
 		xdscache_v3.NewRuntimeCache(xdscache_v3.ConfigurableRuntimeSettings{
 			MaxRequestsPerIOCycle:     contourConfiguration.Envoy.Listener.MaxRequestsPerIOCycle,

@@ -34,7 +34,7 @@ This document describes a design for performing request authorization for virtua
 A new `ExtensionService` CRD adds a way to represent and track an authorization service.
 This CRD is relatively generic, so that it can be reused for Envoy rate limiting and logging services.
 The core of the `ExtensionService` CRD is subset of the `projectcontour.v1.HTTPProxy` `Service` specification.
-Re-using the `Service` type allows the operator to specify configuration in familiar and consistent terms, especially TLS configuration.
+Reusing the `Service` type allows the operator to specify configuration in familiar and consistent terms, especially TLS configuration.
 
 Note that only the Envoy [GRPC authorization protocol][2] will be supported.
 The GRPC protocol is a superset of the HTTP protocol and requires less configuration.

@@ -26,12 +26,12 @@ import (
 // UpstreamTLSContext creates an envoy_transport_socket_tls_v3.UpstreamTlsContext. By default
 // UpstreamTLSContext returns a HTTP/1.1 TLS enabled context. A list of
 // additional ALPN protocols can be provided.
-func UpstreamTLSContext(peerValidationContext *dag.PeerValidationContext, sni string, clientSecret *dag.Secret, upstreamTLS *dag.UpstreamTLS, alpnProtocols ...string) *envoy_transport_socket_tls_v3.UpstreamTlsContext {
+func (e *EnvoyGen) UpstreamTLSContext(peerValidationContext *dag.PeerValidationContext, sni string, clientSecret *dag.Secret, upstreamTLS *dag.UpstreamTLS, alpnProtocols ...string) *envoy_transport_socket_tls_v3.UpstreamTlsContext {
 	var clientSecretConfigs []*envoy_transport_socket_tls_v3.SdsSecretConfig
 	if clientSecret != nil {
 		clientSecretConfigs = []*envoy_transport_socket_tls_v3.SdsSecretConfig{{
 			Name:      envoy.Secretname(clientSecret),
-			SdsConfig: ConfigSource("contour"),
+			SdsConfig: e.GetConfigSource(),
 		}}
 	}
 
@@ -115,7 +115,7 @@ func validationContext(ca []byte, subjectNames []string, skipVerifyPeerCert bool
 }
 
 // DownstreamTLSContext creates a new DownstreamTlsContext.
-func DownstreamTLSContext(serverSecret *dag.Secret, tlsMinProtoVersion, tlsMaxProtoVersion envoy_transport_socket_tls_v3.TlsParameters_TlsProtocol, cipherSuites []string, peerValidationContext *dag.PeerValidationContext, alpnProtos ...string) *envoy_transport_socket_tls_v3.DownstreamTlsContext {
+func (e *EnvoyGen) DownstreamTLSContext(serverSecret *dag.Secret, tlsMinProtoVersion, tlsMaxProtoVersion envoy_transport_socket_tls_v3.TlsParameters_TlsProtocol, cipherSuites []string, peerValidationContext *dag.PeerValidationContext, alpnProtos ...string) *envoy_transport_socket_tls_v3.DownstreamTlsContext {
 	context := &envoy_transport_socket_tls_v3.DownstreamTlsContext{
 		CommonTlsContext: &envoy_transport_socket_tls_v3.CommonTlsContext{
 			TlsParams: &envoy_transport_socket_tls_v3.TlsParameters{
@@ -125,7 +125,7 @@ func DownstreamTLSContext(serverSecret *dag.Secret, tlsMinProtoVersion, tlsMaxPr
 			},
 			TlsCertificateSdsSecretConfigs: []*envoy_transport_socket_tls_v3.SdsSecretConfig{{
 				Name:      envoy.Secretname(serverSecret),
-				SdsConfig: ConfigSource("contour"),
+				SdsConfig: e.GetConfigSource(),
 			}},
 			AlpnProtocols: alpnProtos,
 		},

@@ -174,7 +174,10 @@ func TestUpstreamTLSContext(t *testing.T) {
 
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
-			got := UpstreamTLSContext(tc.validation, tc.externalName, nil, tc.upstreamTLS, tc.alpnProtocols...)
+			e := NewEnvoyGen(EnvoyGenOpt{
+				XDSClusterName: DefaultXDSClusterName,
+			})
+			got := e.UpstreamTLSContext(tc.validation, tc.externalName, nil, tc.upstreamTLS, tc.alpnProtocols...)
 			protobuf.ExpectEqual(t, tc.want, got)
 		})
 	}

@@ -47,9 +47,9 @@
 )
 
 // WriteBootstrap writes bootstrap configuration to files.
-func WriteBootstrap(c *envoy.BootstrapConfig) error {
+func (e *EnvoyGen) WriteBootstrap(c *envoy.BootstrapConfig) error {
 	// Create Envoy bootstrap config and associated resource files.
-	steps, err := bootstrap(c)
+	steps, err := e.bootstrap(c)
 	if err != nil {
 		return err
 	}
@@ -77,13 +77,13 @@
 type bootstrapf func(*envoy.BootstrapConfig) (string, proto.Message)
 
 // bootstrap creates a new v3 bootstrap configuration and associated resource files.
-func bootstrap(c *envoy.BootstrapConfig) ([]bootstrapf, error) {
+func (e *EnvoyGen) bootstrap(c *envoy.BootstrapConfig) ([]bootstrapf, error) {
 	var steps []bootstrapf
 
 	if c.GrpcClientCert == "" && c.GrpcClientKey == "" && c.GrpcCABundle == "" {
 		steps = append(steps,
 			func(*envoy.BootstrapConfig) (string, proto.Message) {
-				return c.Path, bootstrapConfig(c)
+				return c.Path, e.bootstrapConfig(c)
 			})
 
 		return steps, nil
@@ -122,7 +122,7 @@
 
 		steps = append(steps,
 			func(*envoy.BootstrapConfig) (string, proto.Message) {
-				b := bootstrapConfig(c)
+				b := e.bootstrapConfig(c)
 				b.StaticResources.Clusters[0].TransportSocket = UpstreamTLSTransportSocket(
 					upstreamFileTLSContext(c))
 				return c.Path, b
@@ -150,7 +150,7 @@
 			return sdsValidationContextPath, validationContextSdsSecretConfig(c)
 		},
 		func(*envoy.BootstrapConfig) (string, proto.Message) {
-			b := bootstrapConfig(c)
+			b := e.bootstrapConfig(c)
 			b.StaticResources.Clusters[0].TransportSocket = UpstreamTLSTransportSocket(
 				upstreamSdsTLSContext(sdsTLSCertificatePath, sdsValidationContextPath))
 			return c.Path, b
@@ -160,7 +160,7 @@
 	return steps, nil
 }
 
-func bootstrapConfig(c *envoy.BootstrapConfig) *envoy_config_bootstrap_v3.Bootstrap {
+func (e *EnvoyGen) bootstrapConfig(c *envoy.BootstrapConfig) *envoy_config_bootstrap_v3.Bootstrap {
 	bootstrap := &envoy_config_bootstrap_v3.Bootstrap{
 		LayeredRuntime: &envoy_config_bootstrap_v3.LayeredRuntime{
 			Layers: []*envoy_config_bootstrap_v3.RuntimeLayer{
@@ -169,7 +169,7 @@
 					LayerSpecifier: &envoy_config_bootstrap_v3.RuntimeLayer_RtdsLayer_{
 						RtdsLayer: &envoy_config_bootstrap_v3.RuntimeLayer_RtdsLayer{
 							Name:       DynamicRuntimeLayerName,
-							RtdsConfig: ConfigSource("contour"),
+							RtdsConfig: e.GetConfigSource(),
 						},
 					},
 				},
@@ -187,16 +187,16 @@
 			},
 		},
 		DynamicResources: &envoy_config_bootstrap_v3.Bootstrap_DynamicResources{
-			LdsConfig: ConfigSource("contour"),
-			CdsConfig: ConfigSource("contour"),
+			LdsConfig: e.GetConfigSource(),
+			CdsConfig: e.GetConfigSource(),
 		},
 		StaticResources: &envoy_config_bootstrap_v3.Bootstrap_StaticResources{
 			Clusters: []*envoy_config_cluster_v3.Cluster{{
 				DnsLookupFamily:      parseDNSLookupFamily(c.DNSLookupFamily),
 				Name:                 "contour",
 				AltStatName:          strings.Join([]string{c.Namespace, "contour", strconv.Itoa(c.GetXdsGRPCPort())}, "_"),
 				ConnectTimeout:       durationpb.New(5 * time.Second),
-				ClusterDiscoveryType: ClusterDiscoveryTypeForAddress(c.GetXdsAddress(), envoy_config_cluster_v3.Cluster_STRICT_DNS),
+				ClusterDiscoveryType: clusterDiscoveryTypeForAddress(c.GetXdsAddress(), envoy_config_cluster_v3.Cluster_STRICT_DNS),
 				LbPolicy:             envoy_config_cluster_v3.Cluster_ROUND_ROBIN,
 				LoadAssignment: &envoy_config_endpoint_v3.ClusterLoadAssignment{
 					ClusterName: "contour",
@@ -233,12 +233,12 @@
 				Name:                 "envoy-admin",
 				AltStatName:          strings.Join([]string{c.Namespace, "envoy-admin", strconv.Itoa(c.GetAdminPort())}, "_"),
 				ConnectTimeout:       durationpb.New(250 * time.Millisecond),
-				ClusterDiscoveryType: ClusterDiscoveryTypeForAddress(c.GetAdminAddress(), envoy_config_cluster_v3.Cluster_STATIC),
+				ClusterDiscoveryType: clusterDiscoveryTypeForAddress(c.GetAdminAddress(), envoy_config_cluster_v3.Cluster_STATIC),
 				LbPolicy:             envoy_config_cluster_v3.Cluster_ROUND_ROBIN,
 				LoadAssignment: &envoy_config_endpoint_v3.ClusterLoadAssignment{
 					ClusterName: "envoy-admin",
 					Endpoints: Endpoints(
-						UnixSocketAddress(c.GetAdminAddress()),
+						unixSocketAddress(c.GetAdminAddress()),
 					),
 				},
 			}},
@@ -249,7 +249,7 @@
 		},
 		Admin: &envoy_config_bootstrap_v3.Admin{
 			AccessLog: adminAccessLog(c.GetAdminAccessLogPath()),
-			Address:   UnixSocketAddress(c.GetAdminAddress()),
+			Address:   unixSocketAddress(c.GetAdminAddress()),
 		},
 	}
 	if c.MaximumHeapSizeBytes > 0 {

@@ -2010,7 +2010,10 @@ func TestBootstrap(t *testing.T) {
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := tc
-			steps, gotError := bootstrap(&tc.config)
+			envoyGen := NewEnvoyGen(EnvoyGenOpt{
+				XDSClusterName: DefaultXDSClusterName,
+			})
+			steps, gotError := envoyGen.bootstrap(&tc.config)
 			assert.Equal(t, tc.wantedError, gotError != nil)
 
 			gotConfigs := map[string]proto.Message{}

@@ -43,7 +43,7 @@ func clusterDefaults() *envoy_config_cluster_v3.Cluster {
 }
 
 // Cluster creates new envoy_config_cluster_v3.Cluster from dag.Cluster.
-func Cluster(c *dag.Cluster) *envoy_config_cluster_v3.Cluster {
+func (e *EnvoyGen) Cluster(c *dag.Cluster) *envoy_config_cluster_v3.Cluster {
 	service := c.Upstream
 	cluster := clusterDefaults()
 
@@ -61,7 +61,7 @@ func Cluster(c *dag.Cluster) *envoy_config_cluster_v3.Cluster {
 	case 0:
 		// external name not set, cluster will be discovered via EDS
 		cluster.ClusterDiscoveryType = ClusterDiscoveryType(envoy_config_cluster_v3.Cluster_EDS)
-		cluster.EdsClusterConfig = edsconfig("contour", service)
+		cluster.EdsClusterConfig = e.edsconfig(service)
 	default:
 		// external name set, use hard coded DNS name
 		// external name set to LOGICAL_DNS when user selects the ALL loookup family
@@ -71,7 +71,7 @@ func Cluster(c *dag.Cluster) *envoy_config_cluster_v3.Cluster {
 		}
 
 		cluster.ClusterDiscoveryType = clusterDiscoveryType
-		cluster.LoadAssignment = ExternalNameClusterLoadAssignment(service)
+		cluster.LoadAssignment = externalNameClusterLoadAssignment(service)
 	}
 
 	// Drain connections immediately if using healthchecks and the endpoint is known to be removed
@@ -85,7 +85,7 @@ func Cluster(c *dag.Cluster) *envoy_config_cluster_v3.Cluster {
 	switch c.Protocol {
 	case "tls":
 		cluster.TransportSocket = UpstreamTLSTransportSocket(
-			UpstreamTLSContext(
+			e.UpstreamTLSContext(
 				c.UpstreamValidation,
 				c.SNI,
 				c.ClientCertificate,
@@ -95,7 +95,7 @@ func Cluster(c *dag.Cluster) *envoy_config_cluster_v3.Cluster {
 	case "h2":
 		httpVersion = HTTPVersion2
 		cluster.TransportSocket = UpstreamTLSTransportSocket(
-			UpstreamTLSContext(
+			e.UpstreamTLSContext(
 				c.UpstreamValidation,
 				c.SNI,
 				c.ClientCertificate,
@@ -136,7 +136,7 @@ func Cluster(c *dag.Cluster) *envoy_config_cluster_v3.Cluster {
 }
 
 // ExtensionCluster builds a envoy_config_cluster_v3.Cluster struct for the given extension service.
-func ExtensionCluster(ext *dag.ExtensionCluster) *envoy_config_cluster_v3.Cluster {
+func (e *EnvoyGen) ExtensionCluster(ext *dag.ExtensionCluster) *envoy_config_cluster_v3.Cluster {
 	cluster := clusterDefaults()
 
 	// The Envoy cluster name has already been set.
@@ -156,7 +156,7 @@ func ExtensionCluster(ext *dag.ExtensionCluster) *envoy_config_cluster_v3.Cluste
 	// Cluster will be discovered via EDS.
 	cluster.ClusterDiscoveryType = ClusterDiscoveryType(envoy_config_cluster_v3.Cluster_EDS)
 	cluster.EdsClusterConfig = &envoy_config_cluster_v3.Cluster_EdsClusterConfig{
-		EdsConfig:   ConfigSource("contour"),
+		EdsConfig:   e.GetConfigSource(),
 		ServiceName: ext.Upstream.ClusterName,
 	}
 
@@ -167,7 +167,7 @@ func ExtensionCluster(ext *dag.ExtensionCluster) *envoy_config_cluster_v3.Cluste
 	case "h2":
 		http2Version = HTTPVersion2
 		cluster.TransportSocket = UpstreamTLSTransportSocket(
-			UpstreamTLSContext(
+			e.UpstreamTLSContext(
 				ext.UpstreamValidation,
 				ext.SNI,
 				ext.ClientCertificate,
@@ -208,7 +208,7 @@ func applyCircuitBreakers(cluster *envoy_config_cluster_v3.Cluster, settings dag
 }
 
 // DNSNameCluster builds a envoy_config_cluster_v3.Cluster for the given *dag.DNSNameCluster.
-func DNSNameCluster(c *dag.DNSNameCluster) *envoy_config_cluster_v3.Cluster {
+func (e *EnvoyGen) DNSNameCluster(c *dag.DNSNameCluster) *envoy_config_cluster_v3.Cluster {
 	cluster := clusterDefaults()
 
 	cluster.Name = envoy.DNSNameClusterName(c)
@@ -222,7 +222,7 @@ func DNSNameCluster(c *dag.DNSNameCluster) *envoy_config_cluster_v3.Cluster {
 
 	var transportSocket *envoy_config_core_v3.TransportSocket
 	if c.Scheme == "https" {
-		transportSocket = UpstreamTLSTransportSocket(UpstreamTLSContext(c.UpstreamValidation, c.Address, nil, c.UpstreamTLS))
+		transportSocket = UpstreamTLSTransportSocket(e.UpstreamTLSContext(c.UpstreamValidation, c.Address, nil, c.UpstreamTLS))
 	}
 
 	cluster.LoadAssignment = ClusterLoadAssignment(envoy.DNSNameClusterName(c), SocketAddress(c.Address, c.Port))
@@ -231,9 +231,9 @@ func DNSNameCluster(c *dag.DNSNameCluster) *envoy_config_cluster_v3.Cluster {
 	return cluster
 }
 
-func edsconfig(cluster string, service *dag.Service) *envoy_config_cluster_v3.Cluster_EdsClusterConfig {
+func (e *EnvoyGen) edsconfig(service *dag.Service) *envoy_config_cluster_v3.Cluster_EdsClusterConfig {
 	return &envoy_config_cluster_v3.Cluster_EdsClusterConfig{
-		EdsConfig: ConfigSource(cluster),
+		EdsConfig: e.GetConfigSource(),
 		ServiceName: xds.ClusterLoadAssignmentName(
 			types.NamespacedName{Name: service.Weighted.ServiceName, Namespace: service.Weighted.ServiceNamespace},
 			service.Weighted.ServicePort.Name,
@@ -279,31 +279,15 @@ func ClusterCommonLBConfig() *envoy_config_cluster_v3.Cluster_CommonLbConfig {
 	}
 }
 
-// ConfigSource returns a *envoy_config_core_v3.ConfigSource for cluster.
-func ConfigSource(cluster string) *envoy_config_core_v3.ConfigSource {
-	return &envoy_config_core_v3.ConfigSource{
-		ResourceApiVersion: envoy_config_core_v3.ApiVersion_V3,
-		ConfigSourceSpecifier: &envoy_config_core_v3.ConfigSource_ApiConfigSource{
-			ApiConfigSource: &envoy_config_core_v3.ApiConfigSource{
-				ApiType:             envoy_config_core_v3.ApiConfigSource_GRPC,
-				TransportApiVersion: envoy_config_core_v3.ApiVersion_V3,
-				GrpcServices: []*envoy_config_core_v3.GrpcService{
-					GrpcService(cluster, "", timeout.DefaultSetting()),
-				},
-			},
-		},
-	}
-}
-
 // ClusterDiscoveryType returns the type of a ClusterDiscovery as a Cluster_type.
 func ClusterDiscoveryType(t envoy_config_cluster_v3.Cluster_DiscoveryType) *envoy_config_cluster_v3.Cluster_Type {
 	return &envoy_config_cluster_v3.Cluster_Type{Type: t}
 }
 
-// ClusterDiscoveryTypeForAddress returns the type of a ClusterDiscovery as a Cluster_type.
+// clusterDiscoveryTypeForAddress returns the type of a ClusterDiscovery as a Cluster_type.
 // If the provided address is an IP, overrides the type to STATIC, otherwise uses the
 // passed in type.
-func ClusterDiscoveryTypeForAddress(address string, t envoy_config_cluster_v3.Cluster_DiscoveryType) *envoy_config_cluster_v3.Cluster_Type {
+func clusterDiscoveryTypeForAddress(address string, t envoy_config_cluster_v3.Cluster_DiscoveryType) *envoy_config_cluster_v3.Cluster_Type {
 	clusterType := t
 	if net.ParseIP(address) != nil {
 		clusterType = envoy_config_cluster_v3.Cluster_STATIC