config: reworking HTTP upstream config (#14079)

Replacing the http-protocol-specific fields in the cluster config with a new plugin

Risk Level: medium
Testing: updated tests to use the new config
Docs Changes: updated docs to use the new config
Release Notes: deprecation notes in the PR
Deprecated: all http-specific cluster config.

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>

Mirrored from https://github.com/envoyproxy/envoy @ 7554d61bccf136638bdfb383c10d049dc8bd3790

BUILD

@@ -248,6 +248,7 @@ proto_library(
         "//envoy/extensions/upstreams/http/generic/v3:pkg",
         "//envoy/extensions/upstreams/http/http/v3:pkg",
         "//envoy/extensions/upstreams/http/tcp/v3:pkg",
+        "//envoy/extensions/upstreams/http/v3:pkg",
         "//envoy/extensions/upstreams/tcp/generic/v3:pkg",
         "//envoy/extensions/wasm/v3:pkg",
         "//envoy/extensions/watchdog/profile_action/v3alpha:pkg",

envoy/config/cluster/v3/cluster.proto

@@ -767,14 +767,37 @@ message Cluster {
 
   // HTTP protocol options that are applied only to upstream HTTP connections.
   // These options apply to all HTTP versions.
-  core.v3.UpstreamHttpProtocolOptions upstream_http_protocol_options = 46;
+  // This has been deprecated in favor of
+  // :ref:`upstream_http_protocol_options <envoy_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`
+  // in the :ref:`http_protocol_options <envoy_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` message.
+  // upstream_http_protocol_options can be set via the cluster's
+  // :ref:`extension_protocol_options<envoy_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.
+  // See ref:`upstream_http_protocol_options
+  // <envoy_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`
+  // for example usage.
+  core.v3.UpstreamHttpProtocolOptions upstream_http_protocol_options = 46 [deprecated = true];
 
   // Additional options when handling HTTP requests upstream. These options will be applicable to
   // both HTTP1 and HTTP2 requests.
-  core.v3.HttpProtocolOptions common_http_protocol_options = 29;
+  // This has been deprecated in favor of
+  // :ref:`common_http_protocol_options <envoy_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.common_http_protocol_options>`
+  // in the :ref:`http_protocol_options <envoy_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` message.
+  // common_http_protocol_options can be set via the cluster's
+  // :ref:`extension_protocol_options<envoy_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.
+  // See ref:`upstream_http_protocol_options
+  // <envoy_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`
+  // for example usage.
+  core.v3.HttpProtocolOptions common_http_protocol_options = 29 [deprecated = true];
 
   // Additional options when handling HTTP1 requests.
-  core.v3.Http1ProtocolOptions http_protocol_options = 13;
+  // This has been deprecated in favor of http_protocol_options fields in the in the
+  // :ref:`http_protocol_options <envoy_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` message.
+  // http_protocol_options can be set via the cluster's
+  // :ref:`extension_protocol_options<envoy_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.
+  // See ref:`upstream_http_protocol_options
+  // <envoy_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`
+  // for example usage.
+  core.v3.Http1ProtocolOptions http_protocol_options = 13 [deprecated = true];
 
   // Even if default HTTP2 protocol options are desired, this field must be
   // set so that Envoy will assume that the upstream supports HTTP/2 when
@@ -782,13 +805,21 @@ message Cluster {
   // supports prior knowledge for upstream connections. Even if TLS is used
   // with ALPN, `http2_protocol_options` must be specified. As an aside this allows HTTP/2
   // connections to happen over plain text.
+  // This has been deprecated in favor of http2_protocol_options fields in the in the
+  // :ref:`http_protocol_options <envoy_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>`
+  // message. http2_protocol_options can be set via the cluster's
+  // :ref:`extension_protocol_options<envoy_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.
+  // See ref:`upstream_http_protocol_options
+  // <envoy_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`
+  // for example usage.
   core.v3.Http2ProtocolOptions http2_protocol_options = 14
-      [(udpa.annotations.security).configure_for_untrusted_upstream = true];
+      [deprecated = true, (udpa.annotations.security).configure_for_untrusted_upstream = true];
 
   // The extension_protocol_options field is used to provide extension-specific protocol options
   // for upstream connections. The key should match the extension filter name, such as
   // "envoy.filters.network.thrift_proxy". See the extension's documentation for details on
   // specific options.
+  // [#next-major-version: make this a list of typed extensions.]
   map<string, google.protobuf.Any> typed_extension_protocol_options = 36;
 
   // If the DNS refresh rate is specified and the cluster type is either
@@ -913,7 +944,12 @@ message Cluster {
   core.v3.Metadata metadata = 25;
 
   // Determines how Envoy selects the protocol used to speak to upstream hosts.
-  ClusterProtocolSelection protocol_selection = 26;
+  // This has been deprecated in favor of setting explicit protocol selection
+  // in the :ref:`http_protocol_options
+  // <envoy_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` message.
+  // http_protocol_options can be set via the cluster's
+  // :ref:`extension_protocol_options<envoy_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.
+  ClusterProtocolSelection protocol_selection = 26 [deprecated = true];
 
   // Optional options for upstream connections.
   UpstreamConnectionOptions upstream_connection_options = 30;

envoy/config/cluster/v4alpha/cluster.proto

@@ -10,7 +10,6 @@ import "envoy/config/core/v4alpha/base.proto";
 import "envoy/config/core/v4alpha/config_source.proto";
 import "envoy/config/core/v4alpha/extension.proto";
 import "envoy/config/core/v4alpha/health_check.proto";
-import "envoy/config/core/v4alpha/protocol.proto";
 import "envoy/config/endpoint/v3/endpoint.proto";
 import "envoy/type/v3/percent.proto";
 
@@ -654,9 +653,11 @@ message Cluster {
         [(validate.rules).double = {lte: 3.0 gte: 1.0}];
   }
 
-  reserved 12, 15, 7, 11, 35, 47;
+  reserved 12, 15, 7, 11, 35, 46, 29, 13, 14, 26, 47;
 
-  reserved "hosts", "tls_context", "extension_protocol_options", "track_timeout_budgets";
+  reserved "hosts", "tls_context", "extension_protocol_options", "upstream_http_protocol_options",
+      "common_http_protocol_options", "http_protocol_options", "http2_protocol_options",
+      "protocol_selection", "track_timeout_budgets";
 
   // Configuration to use different transport sockets for different endpoints.
   // The entry of *envoy.transport_socket_match* in the
@@ -775,30 +776,11 @@ message Cluster {
   // Optional :ref:`circuit breaking <arch_overview_circuit_break>` for the cluster.
   CircuitBreakers circuit_breakers = 10;
 
-  // HTTP protocol options that are applied only to upstream HTTP connections.
-  // These options apply to all HTTP versions.
-  core.v4alpha.UpstreamHttpProtocolOptions upstream_http_protocol_options = 46;
-
-  // Additional options when handling HTTP requests upstream. These options will be applicable to
-  // both HTTP1 and HTTP2 requests.
-  core.v4alpha.HttpProtocolOptions common_http_protocol_options = 29;
-
-  // Additional options when handling HTTP1 requests.
-  core.v4alpha.Http1ProtocolOptions http_protocol_options = 13;
-
-  // Even if default HTTP2 protocol options are desired, this field must be
-  // set so that Envoy will assume that the upstream supports HTTP/2 when
-  // making new HTTP connection pool connections. Currently, Envoy only
-  // supports prior knowledge for upstream connections. Even if TLS is used
-  // with ALPN, `http2_protocol_options` must be specified. As an aside this allows HTTP/2
-  // connections to happen over plain text.
-  core.v4alpha.Http2ProtocolOptions http2_protocol_options = 14
-      [(udpa.annotations.security).configure_for_untrusted_upstream = true];
-
   // The extension_protocol_options field is used to provide extension-specific protocol options
   // for upstream connections. The key should match the extension filter name, such as
   // "envoy.filters.network.thrift_proxy". See the extension's documentation for details on
   // specific options.
+  // [#next-major-version: make this a list of typed extensions.]
   map<string, google.protobuf.Any> typed_extension_protocol_options = 36;
 
   // If the DNS refresh rate is specified and the cluster type is either
@@ -922,9 +904,6 @@ message Cluster {
   // the Router filter, the filter name should be specified as *envoy.filters.http.router*.
   core.v4alpha.Metadata metadata = 25;
 
-  // Determines how Envoy selects the protocol used to speak to upstream hosts.
-  ClusterProtocolSelection protocol_selection = 26;
-
   // Optional options for upstream connections.
   UpstreamConnectionOptions upstream_connection_options = 30;
 

envoy/extensions/upstreams/http/v3/BUILD

@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

envoy/extensions/upstreams/http/v3/http_protocol_options.proto

@@ -0,0 +1,95 @@
+syntax = "proto3";
+
+package envoy.extensions.upstreams.http.v3;
+
+import "envoy/config/core/v3/protocol.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.upstreams.http.v3";
+option java_outer_classname = "HttpProtocolOptionsProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: HTTP Protocol Options]
+// [#extension: envoy.upstreams.http.http_protocol_options]
+
+// HttpProtocolOptions specifies Http upstream protocol options. This object
+// is used in
+// :ref:`typed_extension_protocol_options<envoy_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`,
+// keyed by the name `envoy.extensions.upstreams.http.v3.HttpProtocolOptions`.
+//
+// This controls what protocol(s) should be used for upstream and how said protocol(s) are configured.
+//
+// This replaces the prior pattern of explicit protocol configuration directly
+// in the cluster. So a configuration like this, explicitly configuring the use of HTTP/2 upstream:
+//
+// .. code::
+//
+//   clusters:
+//     - name: some_service
+//       connect_timeout: 5s
+//       upstream_http_protocol_options:
+//         auto_sni: true
+//       common_http_protocol_options:
+//         idle_timeout: 1s
+//       http2_protocol_options:
+//         max_concurrent_streams: 100
+//        .... [further cluster config]
+//
+// Would now look like this:
+//
+// .. code::
+//
+//   clusters:
+//     - name: some_service
+//       connect_timeout: 5s
+//       typed_extension_protocol_options:
+//         envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+//           "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+//           upstream_http_protocol_options:
+//             auto_sni: true
+//           common_http_protocol_options:
+//             idle_timeout: 1s
+//           explicit_http_config:
+//             http2_protocol_options:
+//               max_concurrent_streams: 100
+//        .... [further cluster config]
+message HttpProtocolOptions {
+  // If this is used, the cluster will only operate on one of the possible upstream protocols (HTTP/1.1, HTTP/2).
+  // If :ref:`http2_protocol_options <envoy_api_field_config.cluster.v3.Cluster.http2_protocol_options>` are
+  // present, HTTP2 will be used, otherwise HTTP1.1 will be used.
+  message ExplicitHttpConfig {
+    oneof protocol_config {
+      config.core.v3.Http1ProtocolOptions http_protocol_options = 1;
+
+      config.core.v3.Http2ProtocolOptions http2_protocol_options = 2;
+    }
+  }
+
+  // If this is used, the cluster can use either of the configured protocols, and
+  // will use whichever protocol was used by the downstream connection.
+  message UseDownstreamHttpConfig {
+    config.core.v3.Http1ProtocolOptions http_protocol_options = 1;
+
+    config.core.v3.Http2ProtocolOptions http2_protocol_options = 2;
+  }
+
+  // This contains options common across HTTP/1 and HTTP/2
+  config.core.v3.HttpProtocolOptions common_http_protocol_options = 1;
+
+  // This contains common protocol options which are only applied upstream.
+  config.core.v3.UpstreamHttpProtocolOptions upstream_http_protocol_options = 2;
+
+  // This controls the actual protocol to be used upstream.
+  // If none of the *upstream_protocol_options* are chosen, the default is *explicit_http_config*.
+  oneof upstream_protocol_options {
+    // To explicitly configure either HTTP/1 or HTTP/2 (but not both!) use *explicit_http_config*.
+    // If the *explicit_http_config* is empty, HTTP/1.1 is used.
+    ExplicitHttpConfig explicit_http_config = 3;
+
+    // This allows switching on protocol based on what protocol the downstream
+    // connection used.
+    UseDownstreamHttpConfig use_downstream_protocol_config = 4;
+  }
+}

envoy/extensions/upstreams/http/v4alpha/BUILD

@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v4alpha:pkg",
+        "//envoy/extensions/upstreams/http/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

envoy/extensions/upstreams/http/v4alpha/http_protocol_options.proto

@@ -0,0 +1,105 @@
+syntax = "proto3";
+
+package envoy.extensions.upstreams.http.v4alpha;
+
+import "envoy/config/core/v4alpha/protocol.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.upstreams.http.v4alpha";
+option java_outer_classname = "HttpProtocolOptionsProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: HTTP Protocol Options]
+// [#extension: envoy.upstreams.http.http_protocol_options]
+
+// HttpProtocolOptions specifies Http upstream protocol options. This object
+// is used in
+// :ref:`typed_extension_protocol_options<envoy_api_field_config.cluster.v4alpha.Cluster.typed_extension_protocol_options>`,
+// keyed by the name `envoy.extensions.upstreams.http.v3.HttpProtocolOptions`.
+//
+// This controls what protocol(s) should be used for upstream and how said protocol(s) are configured.
+//
+// This replaces the prior pattern of explicit protocol configuration directly
+// in the cluster. So a configuration like this, explicitly configuring the use of HTTP/2 upstream:
+//
+// .. code::
+//
+//   clusters:
+//     - name: some_service
+//       connect_timeout: 5s
+//       upstream_http_protocol_options:
+//         auto_sni: true
+//       common_http_protocol_options:
+//         idle_timeout: 1s
+//       http2_protocol_options:
+//         max_concurrent_streams: 100
+//        .... [further cluster config]
+//
+// Would now look like this:
+//
+// .. code::
+//
+//   clusters:
+//     - name: some_service
+//       connect_timeout: 5s
+//       typed_extension_protocol_options:
+//         envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+//           "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+//           upstream_http_protocol_options:
+//             auto_sni: true
+//           common_http_protocol_options:
+//             idle_timeout: 1s
+//           explicit_http_config:
+//             http2_protocol_options:
+//               max_concurrent_streams: 100
+//        .... [further cluster config]
+message HttpProtocolOptions {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.upstreams.http.v3.HttpProtocolOptions";
+
+  // If this is used, the cluster will only operate on one of the possible upstream protocols (HTTP/1.1, HTTP/2).
+  // If :ref:`http2_protocol_options <envoy_api_field_config.cluster.v4alpha.Cluster.http2_protocol_options>` are
+  // present, HTTP2 will be used, otherwise HTTP1.1 will be used.
+  message ExplicitHttpConfig {
+    option (udpa.annotations.versioning).previous_message_type =
+        "envoy.extensions.upstreams.http.v3.HttpProtocolOptions.ExplicitHttpConfig";
+
+    oneof protocol_config {
+      config.core.v4alpha.Http1ProtocolOptions http_protocol_options = 1;
+
+      config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2;
+    }
+  }
+
+  // If this is used, the cluster can use either of the configured protocols, and
+  // will use whichever protocol was used by the downstream connection.
+  message UseDownstreamHttpConfig {
+    option (udpa.annotations.versioning).previous_message_type =
+        "envoy.extensions.upstreams.http.v3.HttpProtocolOptions.UseDownstreamHttpConfig";
+
+    config.core.v4alpha.Http1ProtocolOptions http_protocol_options = 1;
+
+    config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 2;
+  }
+
+  // This contains options common across HTTP/1 and HTTP/2
+  config.core.v4alpha.HttpProtocolOptions common_http_protocol_options = 1;
+
+  // This contains common protocol options which are only applied upstream.
+  config.core.v4alpha.UpstreamHttpProtocolOptions upstream_http_protocol_options = 2;
+
+  // This controls the actual protocol to be used upstream.
+  // If none of the *upstream_protocol_options* are chosen, the default is *explicit_http_config*.
+  oneof upstream_protocol_options {
+    // To explicitly configure either HTTP/1 or HTTP/2 (but not both!) use *explicit_http_config*.
+    // If the *explicit_http_config* is empty, HTTP/1.1 is used.
+    ExplicitHttpConfig explicit_http_config = 3;
+
+    // This allows switching on protocol based on what protocol the downstream
+    // connection used.
+    UseDownstreamHttpConfig use_downstream_protocol_config = 4;
+  }
+}

versioning/BUILD

@@ -131,6 +131,7 @@ proto_library(
         "//envoy/extensions/upstreams/http/generic/v3:pkg",
         "//envoy/extensions/upstreams/http/http/v3:pkg",
         "//envoy/extensions/upstreams/http/tcp/v3:pkg",
+        "//envoy/extensions/upstreams/http/v3:pkg",
         "//envoy/extensions/upstreams/tcp/generic/v3:pkg",
         "//envoy/extensions/wasm/v3:pkg",
         "//envoy/extensions/watchdog/profile_action/v3alpha:pkg",