api: add envoy internal address

[lambdai]

Commit Message:

Add envoy internal address for envoy internal connection.

Signed-off-by: Yuchen Dai silentdai@gmail.com

Additional Description:
Part of #11725

Risk Level: low (code unused)
Testing: new unit tests
Docs Changes: n/a
Release Notes: n/a

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.

🐱

Caused by: #12837 was opened by lambdai.

see: more, trace.

[lambdai]

Chatted offline: I want to clarify that

1. This internal address is used by Envoy cluster to locate the virtual listener(or internal listener).
   Dispatcher.registerPipeFactory(InternalAddress virtual_listener_address, ListenerCallbacks callbacks);
2. A natural requirement is that the virtual listener need to find the original address(as well as other socket options).
   Conceptually, the virtual connection should have those attributes

    internal_address: listener_9000, typed InternalAddressInstance
    internal_peer_address:  no prototype yet but C++ type is InternalAddressInstance
    original_L4_address: 10.0.0.1:443, typed Ipv4AddressInstance
    original_peer_L4_address: 10.0.0.2:12345: typed Ipv4AddressInstance

These connection attributes will be gradually added in the further PRs so that virtual address could support various of network filters, listener filters

[alyssawilk]

Looks good - just a few minor nits on my end.

[alyssawilk]

I'm mildly concerned that a panic() isn't the right call here. Can you take a peek at call sites and see what we should do here to make sure these can never be called for the new address type?

We should probably also update the comments in the include directory to make it clear when it's safe to call and when it's not.

[lambdai]

With NOT_IMPLEMENTED_GCOVR_EXCL_LINE it means
If the later version of control plane send the config containing EnvoyInternalAddress,
this particular version with this PR but no further of envoy might crash.

[lambdai]

What I can do is to find the potential usage of
this new type of address.
Listener and Endpoint as a immediate candidate, making sure these are either
invalidate config per config update, mostly in master thread.
or fail the connection when this address is used.

What else can I do?

[alyssawilk]

I think if we are making implementation of parts of the interface optional (panic if called), we either need to have TODOs to implement later or TODOs to check all call sites to make them internal-address compatible. Having bits of an interface which may work for some address and may not work for others, and no checks in the code base makes me uncomfortable. Again cc @mattklein123 in case he has other ideas of how to aim the decaped TCP stream back into a new envoy filter chain without a half-working address class.

[lambdai]

Updated to return nullptr and I mentally go through all the sockAddr() usage in the existing code base: all of them accepts nullptr usage without crash.
Luckily these usages are inline followed by syscall (connect/bind/send/recv) so I could inject syscall error code as if the following syscalls fail.
Now I believe these errors are now non-fatal.

[alyssawilk]

Also can you make sure to fill out the rest of the template for your PRs?
for this one I'd say something like

Risk Level: low (code unused)
Testing: new unit tests
Docs Changes: n/a
Release Notes: n/a

[lambdai]

For internal address as server address: I add the validation that all listener should reference internal address.
Such listener config will fails the addOrUpdateListener().

Internal address as client address is much harder.
Theoretically I can validate any internal address is not used in endpoint. However, we will allow it in the future.
And we need to fail the connections anyway.
I find that Envoy never fail fast at connection construction. I am not sure if this is good though.
I switch to provide a NullIoSocketIoHandler which always fails at sock related OS call. I assume the upper
connection should eventually close the connection given this NullIoSocket.
This client side efforts is WIP

I am more than happy to hear the alternative approaches from you @alyssawilk Thank you in advance!

[alyssawilk]

Please check CI, it looks like it is not passing.

[alyssawilk]

I think if we are making implementation of parts of the interface optional (panic if called), we either need to have TODOs to implement later or TODOs to check all call sites to make them internal-address compatible. Having bits of an interface which may work for some address and may not work for others, and no checks in the code base makes me uncomfortable. Again cc @mattklein123 in case he has other ideas of how to aim the decaped TCP stream back into a new envoy filter chain without a half-working address class.

[alyssawilk]

if this stands, there should be a unit test please.

[lambdai]

You are so right! My brain stop working last night so I pushed before I save this change.

The latest update has an integration test connecting to a internal address

[alyssawilk]

Unfortunately this looks like it's solid error handling but most callers of ioHandleForAddr will crash if it returns nullptr.

@mattklein123 @lambdai 's plan is basically creating this new listener type to be able to point a "cluster" at this new virtual address. Any thoughts on how that might best be done without causing this cascading chain of not-fully-implemented things?

[lambdai]

I fixed this by providing the NullIoSocketHandleImpl to give it a socket handle allow upper layer to create a connection but will fail to send/recv.
https://github.com/envoyproxy/envoy/pull/12837/files#r483259684

[lambdai]

The ideal case is control plane never send unsupported addresses before envoy could support.

1. Mark the cluster config invalid if it contains internal address. It's always safer to reject cluster configs at master.
   I did this check in LDS config as well. That is easy since LDS is the only entrance to receive new listener config.
2. In case of escaped internal address which we fail to invalid, the NullIoSocketHandle could fail the per client connect.
   This NullSocketHandle could also support mingled addresses such as

endpoints:
    - internal address: "not_yet_supported_listener_address"
    - socket address: "127.0.0.1:80"

[lambdai]

NullIoSocketHandle

[lambdai]

Testing Dispatcher::createClientConnection(). This should cover the client tcp connection IMO.
I have the concern of unknown unknown...

Now I am adding UDP socket test

[alyssawilk]

clang tidy is still failing. Let me know when this is ready for another pass?

[lambdai]

@alyssawilk @mattklein123

The recent update is that socket manipulation on internal address are non-fatal.
Either with socket() syscall series, or send()/recv() syscall series.

The goal is to enable internal address usage everywhere.

Let me know if this is good enough to move on. Thanks!

[alyssawilk]

OK, as discussed on slack let's hide the config and remove some of the temporary classes with TODOs (it's Ok to crash if you're configuring Envoy with hidden incomplete-implementation code :-P )
Thanks so much for bearing with me on this!

[htuch]

Yes, fine to leave docs until we un-hide.

[htuch]

/lgtm api

[lambdai]

Thanks! Updating PR

[lambdai]

I find a machine running sphinx correct and fixed the docs. It turns out to be EnvoyInternalAddress field(located in one_of) must be marked hidden as well. Now the doc should pass on CI...

[lambdai]

I find a machine running sphinx correct and fixed the docs. It turns out to be EnvoyInternalAddress field(located in one_of) must be marked hidden as well. Now the doc should pass on CI...

@htuch Sorry... another api approval is needed b/c my doc fix :(

[alyssawilk]

LGTM! over to @mattklein123

[mattklein123]

LGTM at a high level, though, I wonder whether it's really worth landing this PR vs. the real implementation. Some small comments. Thank you!

/wait

[mattklein123]

Just use NOT_IMPLEMENTED? Or just ASSERT not has_envoy_internal_address? Seems not worth it to handle this case right now.

[lambdai]

NOT_IMPLEMENTED will crash the Envoy. That is not expected.

ASSERT could replace the the ENVOY_LOG, but this if branch should be kept in case Envoy does receive a listener config with internal address. Schema check is not helping here.

[mattklein123]

What is the point of this PR? It's not that many lines of code and it doesn't actually do anything? I would rather you either a) just hold this PR and implement the full thing or b) put in ASSERT or RELEASE_ASSERT for stuff like this since you have a not implemented and not documented feature. It doesn't make any sense to add this type of logic.

[lambdai]

I'd like to push api first as the conversion.

I don't get your plan b RELEASE_ASSERT is easier but it will crash Envoy. Why do you prefer an unsupported listener config crashing Envoy? With these lines above envoy would NACK the listener config without crash.

[mattklein123]

Because you are adding error handling/logging logic for something that is not implemented. It bloats the code base for no good reason. If you want to make sure it crashes, do RELEASE_ASSERT(..., "this is not implemented yet."). Thanks.

/wait

[lambdai]

Oh, to NACK I should throw exception instead of return false.

[lambdai]

@mattklein123 Is throwing EnvoyException beating return false and RELEASE_ASSERT?

[mattklein123]

No. Crash, or please just close this PR and reopen when there is an implementation. It does not make any sense to add actual error handling for an unimplemented partial feature.

[lambdai]

Happy to crash and move to next listener config api.
And then the internal connection driven by scheduler.

Running tests...

[htuch]

/lgtm api

[mattklein123]

Thanks!

[lambdai]

Thank you @mattklein123
This crash on unimplemented strategy make my future PRs much easier.
I am expecting more combinations are allowed in the follow up