http: check virtual host-specific typed per filter config#15135
http: check virtual host-specific typed per filter config#15135htuch merged 6 commits intoenvoyproxy:mainfrom
Conversation
When filter doesn't support virtual host-specific typed per filter config, the envoy should reject any per filter config for that filter. Also, adds new runtime config `envoy.reloadable_features.check_unsupported_typed_per_filter_config` for backward-compatible. The default value is false, only whe value is true, the check will be executed. Risk Level: low Testing: unit tests added Doc Changes: n/a Release Notes: note new feature Signed-off-by: He Jie Xu <hejie.xu@intel.com>
|
Hi @soulxu, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already. |
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
antoniovicente
left a comment
There was a problem hiding this comment.
Welcome to Envoy and thanks for the improvement to config validation. I'm not that familiar with all the interactions between config components and object factories, so hopefully @htuch can help fill in my gaps in understanding.
tools/code_format/check_format.py
Outdated
| # processing. | ||
| EXCEPTION_ALLOWLIST = ("./source/common/config/utility.h") | ||
| EXCEPTION_ALLOWLIST = ("./source/common/config/utility.h", | ||
| "./source/extensions/filters/http/common/factory_base.h") |
There was a problem hiding this comment.
We may have some problems here depending on the intent behind this check. It seems to me that headers in this list may need to be restricted so they are not included from other headers in other to prevent multiple definitions in builds that partially disable exceptions at a per-library basis. That said, there seems to be no restrictions in place that control where source/common/config/utility.h is included from or the use of those functions in header files.
This PR introduces an exception that is thrown from a base class method of a class that seems to be widely used. I think this change could break compilation of libraries that disable exceptions.
There was a problem hiding this comment.
Another option is we can fix it here
envoy/source/common/router/config_impl.cc
Lines 1492 to 1502 in b23ee3b
There was a problem hiding this comment.
If we decide to have createRouteSpecificFilterConfigTyped throw an exception, the throw statement should be in the .cc file instead of the .h file. Then we don't need to add it to the exception allowlist.
There was a problem hiding this comment.
FactoryBase is a template class, the throw can't be moved to a cc file (well, except possibly by adding a helper function)
Returning null and doing the validation in config_impl.cc seems attractive. Is that the only place where this factory method is called from?
There was a problem hiding this comment.
Returning null and doing the validation in config_impl.cc seems attractive. Is that the only place where this factory method is called from?
Yes, that is the only place I found at least.
There was a problem hiding this comment.
I think config_impl.cc is more robust in any case, since regardless of inheritance hierarchy, if there is no config, we can fire the exception.
There was a problem hiding this comment.
It would be really helpful to some of us if exceptions were only thrown from cc files. Could you do the new config validation in config_impl.cc instead of the template factory class?
There was a problem hiding this comment.
Yes, I will update, thanks for the feedback!
| // Sentinel and test flag. | ||
| "envoy.reloadable_features.test_feature_false", | ||
| // Reject virtual host-specific configuration when filter doesn't support it. | ||
| "envoy.reloadable_features.check_unsupported_typed_per_filter_config", |
There was a problem hiding this comment.
My understanding is that runtime features should default to true. They provide a way for devs affected by a breaking change to temporarily rollback the behavior. Once we have given time to find and address all the breakages, we'll remove the runtime feature checks and only keep the new behavior.
Out of curiosity, are there any existing tests that fail when this runtime feature is enabled?
There was a problem hiding this comment.
My understanding is that runtime features should default to true. They provide a way for devs affected by a breaking change to temporarily rollback the behavior. Once we have given time to find and address all the breakages, we'll remove the runtime feature checks and only keep the new behavior.
As https://github.com/envoyproxy/envoy/issues/15043#issuecomment-778703531 said, I thought we should set ti as false default, then it won't break existing user. But I may miss understanding that.
Out of curiosity, are there any existing tests that fail when this runtime feature is enabled?
I tested with the default value is true. In my env, only get one test failed 'IoSocketHandleImplIntegration.LastRoundTripIntegrationTest', I don't think it is related.
There was a problem hiding this comment.
cc @htuch
Having the runtime flag so affected devs can disable the functionality while they fixed their config should be enough. I think that the default should be true.
And I agree that the 'IoSocketHandleImplIntegration.LastRoundTripIntegrationTest' failure is not related to this change. That's a non-hermetic test that does network communication. I think I'll file an issue about it.
There was a problem hiding this comment.
I think default true is fine, as long as we have the runtime for now.
There was a problem hiding this comment.
cc @htuch
Having the runtime flag so affected devs can disable the functionality while they fixed their config should be enough. I think that the default should be true.
And I agree that the 'IoSocketHandleImplIntegration.LastRoundTripIntegrationTest' failure is not related to this change. That's a non-hermetic test that does network communication. I think I'll file an issue about it.
There was a problem hiding this comment.
let me change the default value as true, thanks.
| ProtobufTypes::MessagePtr config = factory.createEmptyRouteConfigProto(); | ||
|
|
||
| EXPECT_EQ(nullptr, factory.createRouteSpecificFilterConfig( | ||
| *config, context, ProtobufMessage::getNullValidationVisitor())); |
There was a problem hiding this comment.
It would be good to have some e2e integration tests that cover this functionality. I don't know exactly what existing types would fail config load if you tried to provide per-route config for them. It seems that Envoy::Extensions::HttpFilters::HealthCheck::HealthCheckFilterConfig doesn't implement an override for createRouteSpecificFilterConfigTyped, perhaps that is a good extension to write a test against?
There was a problem hiding this comment.
Yea, HealthCheckFilterConfig doesn't implement override, let me add integration tests.
| "The filter {} doesn't support virtual host-specific configurations. Set runtime " | ||
| "config `envoy.reloadable_features.check_unsupported_typed_per_filter_config` as " | ||
| "true to reject any invalid virtual-host specific configuration.", | ||
| name()) |
There was a problem hiding this comment.
The continuous integration test run detected a build breakage on this line due to missing ; at the end of the line.
There was a problem hiding this comment.
/wait
Build still looks broken. Did you implement a fix but didn't "git push" it out?
| // Sentinel and test flag. | ||
| "envoy.reloadable_features.test_feature_false", | ||
| // Reject virtual host-specific configuration when filter doesn't support it. | ||
| "envoy.reloadable_features.check_unsupported_typed_per_filter_config", |
There was a problem hiding this comment.
I think default true is fine, as long as we have the runtime for now.
tools/code_format/check_format.py
Outdated
| # processing. | ||
| EXCEPTION_ALLOWLIST = ("./source/common/config/utility.h") | ||
| EXCEPTION_ALLOWLIST = ("./source/common/config/utility.h", | ||
| "./source/extensions/filters/http/common/factory_base.h") |
There was a problem hiding this comment.
I think config_impl.cc is more robust in any case, since regardless of inheritance hierarchy, if there is no config, we can fire the exception.
|
@markdroth does this match your intended behavior? |
|
Yes, this looks right to me. Thanks for doing this! |
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
|
/wait Please look into the build breakages. |
|
thanks for all the review! let me work on the update. |
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Commit Message: http: check virtual host-specific typed per filter config
Additional Description:
When filter doesn't support virtual host-specific typed per filter config,
the envoy should reject any per filter config for that filter.
Also, adds new runtime config
envoy.reloadable_features.check_unsupported_typed_per_filter_configfor backward-compatible. The default value is true, only when the value is true,
the check will be executed.
Risk Level: low
Testing: unit test added
Docs Changes: n/a
Release Notes: note new feature
Runtime guard: envoy.reloadable_features.check_unsupported_typed_per_filter_config
Fixes #15043
Signed-off-by: He Jie Xu hejie.xu@intel.com