feat: create envoy filters and authorization policies for tracing (#107)

kurtosis-tech · Aug 1, 2024 · 11f79b8 · 11f79b8
1 parent bc45af1
commit 11f79b8
Show file tree

Hide file tree

Showing 7 changed files with 459 additions and 22 deletions.
diff --git a/kontrol-service/api/server.go b/kontrol-service/api/server.go
@@ -102,6 +102,7 @@ func (sv *Server) GetTenantUuidTopology(_ context.Context, request api.GetTenant
 func (sv *Server) GetTenantUuidClusterResources(_ context.Context, request managerapi.GetTenantUuidClusterResourcesRequestObject) (managerapi.GetTenantUuidClusterResourcesResponseObject, error) {
 	namespace := "prod"
 
+	// TODO - this can be removed?
 	if cluster, found := sv.clusterByTenant[request.Uuid]; found {
 		clusterResources := template.RenderClusterResources(cluster)
 		managerAPIClusterResources := newManagerAPIClusterResources(clusterResources)
@@ -156,10 +157,12 @@ func applyProdDevFlow(sv *Server, tenantUuidStr string, serviceConfigs []apitype
 
 func newManagerAPIClusterResources(clusterResources types.ClusterResources) managerapitypes.ClusterResources {
 	return managerapitypes.ClusterResources{
-		Deployments:      &clusterResources.Deployments,
-		Services:         &clusterResources.Services,
-		VirtualServices:  &clusterResources.VirtualServices,
-		DestinationRules: &clusterResources.DestinationRules,
-		Gateway:          &clusterResources.Gateway,
+		Deployments:           &clusterResources.Deployments,
+		Services:              &clusterResources.Services,
+		VirtualServices:       &clusterResources.VirtualServices,
+		DestinationRules:      &clusterResources.DestinationRules,
+		Gateway:               &clusterResources.Gateway,
+		EnvoyFilters:          &clusterResources.EnvoyFilters,
+		AuthorizationPolicies: &clusterResources.AuthorizationPolicies,
 	}
 }
diff --git a/kontrol-service/engine/flow/constants.go b/kontrol-service/engine/flow/constants.go
@@ -0,0 +1,52 @@
+package flow
+
+const (
+	inboundRequestTraceIDFilter = `
+function envoy_on_request(request_handle)
+  local headers = request_handle:headers()
+  local trace_id = headers:get("x-kardinal-trace-id")
+  
+  if not trace_id then
+	request_handle:respond(
+	  {[":status"] = "400"},
+	  "Missing required x-kardinal-trace-id header"
+	)
+  end
+end
+`
+	// TODO(gm) - drop fallbacks and just exit the request like you exit in inboundRequestTraceIDFilter
+	outgoingRequestTraceIDFilter = `
+function envoy_on_request(request_handle)
+  local headers = request_handle:headers()
+  local trace_id = headers:get("x-kardinal-trace-id")
+  local hostname = headers:get(":authority")
+  
+  if trace_id then
+	local destination = determine_destination(request_handle, trace_id, hostname)
+	request_handle:headers():add("x-kardinal-destination", destination)
+  end
+end
+
+function determine_destination(request_handle, trace_id, hostname)
+  hostname = hostname:match("^([^:]+)")
+  local headers, body = request_handle:httpCall(
+	"outbound|8080||trace-router.default.svc.cluster.local",
+	{
+	  [":method"] = "GET",
+	  [":path"] = "/route?trace_id=" .. trace_id .. "&hostname=" .. hostname,
+	  [":authority"] = "trace-router.default.svc.cluster.local"
+	},
+	"",
+	5000
+  )
+  
+  if not headers then
+	return hostname .. "-prod"  -- Fallback to prod
+  end
+  
+  return body
+end
+`
+
+	luaFilterType = "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
+)