hds: add support for cluster transport_socket_matches.

api/envoy/service/health/v3/BUILD

@@ -7,6 +7,7 @@ licenses(["notice"])  # Apache 2
 api_proto_package(
     has_services = True,
     deps = [
+        "//envoy/config/cluster/v3:pkg",
         "//envoy/config/core/v3:pkg",
         "//envoy/config/endpoint/v3:pkg",
         "//envoy/service/discovery/v2:pkg",

api/envoy/service/health/v3/hds.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.service.health.v3;
 
+import "envoy/config/cluster/v3/cluster.proto";
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/health_check.proto";
 import "envoy/config/endpoint/v3/endpoint_components.proto";
@@ -168,6 +169,11 @@ message ClusterHealthCheck {
   repeated config.core.v3.HealthCheck health_checks = 2;
 
   repeated LocalityEndpoints locality_endpoints = 3;
+
+  // Optional map that gets filtered by :ref:`health_checks.transport_socket_match_criteria <envoy_api_field_config.core.v3.HealthCheck.transport_socket_match_criteria>`
+  // on connection when health checking. For more details, see
+  // :ref:`config.cluster.v3.Cluster.transport_socket_matches <envoy_api_field_config.cluster.v3.Cluster.transport_socket_matches>`.
+  repeated config.cluster.v3.Cluster.TransportSocketMatch transport_socket_matches = 4;
 }
 
 message HealthCheckSpecifier {

docs/root/version_history/current.rst

@@ -72,6 +72,7 @@ New Features
   The emitted dynamic metadata is set by :ref:`dynamic metadata <envoy_v3_api_field_service.auth.v3.CheckResponse.dynamic_metadata>` field in a returned :ref:`CheckResponse <envoy_v3_api_msg_service.auth.v3.CheckResponse>`.
 * grpc-json: support specifying `response_body` field in for `google.api.HttpBody` message.
 * hds: added :ref:`cluster_endpoints_health <envoy_v3_api_field_service.health.v3.EndpointHealthResponse.cluster_endpoints_health>` to HDS responses, keeping endpoints in the same groupings as they were configured in the HDS specifier by cluster and locality instead of as a flat list.
+* hds: added :ref:`transport_socket_matches <envoy_v3_api_field_service.health.v3.ClusterHealthCheck.transport_socket_matches>` to HDS cluster health check specifier, so the existing match filter :ref:`transport_socket_match_criteria <envoy_v3_api_field_config.core.v3.HealthCheck.transport_socket_match_criteria>` in the repeated field :ref:`health_checks <envoy_v3_api_field_service.health.v3.ClusterHealthCheck.health_checks>` has context to match against. This unblocks support for health checks over HTTPS and HTTP/2.
 * http: added support for :ref:`%DOWNSTREAM_PEER_FINGERPRINT_1% <config_http_conn_man_headers_custom_request_headers>` as custom header.
 * http: added :ref:`allow_chunked_length <envoy_v3_api_field_config.core.v3.Http1ProtocolOptions.allow_chunked_length>` configuration option for HTTP/1 codec to allow processing requests/responses with both Content-Length and Transfer-Encoding: chunked headers. If such message is served and option is enabled - per RFC Content-Length is ignored and removed.
 * http: introduced new HTTP/1 and HTTP/2 codec implementations that will remove the use of exceptions for control flow due to high risk factors and instead use error statuses. The old behavior is used by default, but the new codecs can be enabled for testing by setting the runtime feature `envoy.reloadable_features.new_codec_behavior` to true. The new codecs will be in development for one month, and then enabled by default while the old codecs are deprecated.

source/common/upstream/health_discovery_service.cc

@@ -203,6 +203,10 @@ void HdsDelegate::processMessage(
       cluster_config.add_health_checks()->MergeFrom(health_check);
     }
 
+    // Add transport_socket_match to cluster for use in host connections.
+    cluster_config.mutable_transport_socket_matches()->MergeFrom(
+        cluster_health_check.transport_socket_matches());
+
     ENVOY_LOG(debug, "New HdsCluster config {} ", cluster_config.DebugString());
 
     // Create HdsCluster

test/common/upstream/BUILD

@@ -283,6 +283,8 @@ envoy_cc_test(
     srcs = ["hds_test.cc"],
     deps = [
         "//source/common/upstream:health_discovery_service_lib",
+        "//source/common/upstream:transport_socket_match_lib",
+        "//source/extensions/transport_sockets/raw_buffer:config",
         "//source/extensions/transport_sockets/tls:context_lib",
         "//test/mocks/access_log:access_log_mocks",
         "//test/mocks/event:event_mocks",
@@ -295,6 +297,8 @@ envoy_cc_test(
         "//test/mocks/upstream:cluster_info_factory_mocks",
         "//test/mocks/upstream:cluster_info_mocks",
         "//test/mocks/upstream:cluster_manager_mocks",
+        "//test/mocks/upstream:upstream_mocks",
+        "//test/test_common:environment_lib",
         "//test/test_common:simulated_time_system_lib",
         "//test/test_common:utility_lib",
         "@envoy_api//envoy/config/core/v3:pkg_cc_proto",

test/common/upstream/hds_test.cc

@@ -5,9 +5,12 @@
 #include "envoy/service/health/v3/hds.pb.h"
 #include "envoy/type/v3/http.pb.h"
 
+#include "common/protobuf/protobuf.h"
 #include "common/singleton/manager_impl.h"
 #include "common/upstream/health_discovery_service.h"
+#include "common/upstream/transport_socket_match_impl.h"
 
+#include "extensions/transport_sockets/raw_buffer/config.h"
 #include "extensions/transport_sockets/tls/context_manager_impl.h"
 
 #include "test/mocks/access_log/mocks.h"
@@ -21,9 +24,12 @@
 #include "test/mocks/upstream/cluster_info.h"
 #include "test/mocks/upstream/cluster_info_factory.h"
 #include "test/mocks/upstream/cluster_manager.h"
+#include "test/mocks/upstream/mocks.h"
+#include "test/test_common/environment.h"
 #include "test/test_common/simulated_time_system.h"
 #include "test/test_common/utility.h"
 
+#include "absl/strings/str_format.h"
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 
@@ -480,6 +486,90 @@ TEST_F(HdsTest, TestMinimalOnReceiveMessage) {
   hds_delegate_->onReceiveMessage(std::move(message));
 }
 
+// Test that a transport_socket_matches and transport_socket_match_criteria filter as expected to
+// build the correct TransportSocketFactory based on these fields.
+TEST_F(HdsTest, TestSocketContext) {
+  EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_));
+  EXPECT_CALL(async_stream_, sendMessageRaw_(_, _));
+  createHdsDelegate();
+
+  // Create Message.
+  message.reset(createSimpleMessage());
+
+  // Add transport socket matches to message.
+  const std::string match_yaml = absl::StrFormat(
+      R"EOF(
+transport_socket_matches:
+- name: "test_socket"
+  match:
+    test_match: "true"
+  transport_socket:
+    name: "envoy.transport_sockets.raw_buffer"
+)EOF");
+  auto* cluster_health_check = message->mutable_cluster_health_checks(0);
+  cluster_health_check->MergeFrom(
+      TestUtility::parseYaml<envoy::service::health::v3::ClusterHealthCheck>(match_yaml));
+
+  // Add transport socket match criteria to our health check, for filtering matches.
+  const std::string criteria_yaml = absl::StrFormat(
+      R"EOF(
+transport_socket_match_criteria:
+  test_match: "true"
+)EOF");
+  cluster_health_check->mutable_health_checks(0)->MergeFrom(
+      TestUtility::parseYaml<envoy::config::core::v3::HealthCheck>(criteria_yaml));
+
+  Network::MockClientConnection* connection = new NiceMock<Network::MockClientConnection>();
+  EXPECT_CALL(dispatcher_, createClientConnection_(_, _, _, _)).WillRepeatedly(Return(connection));
+
+  // Pull out socket_matcher object normally internal to createClusterInfo, to test that a matcher
+  // would match the expected socket.
+  std::unique_ptr<TransportSocketMatcherImpl> socket_matcher;
+  EXPECT_CALL(test_factory_, createClusterInfo(_))
+      .WillRepeatedly(Invoke([&](const ClusterInfoFactory::CreateClusterInfoParams& params) {
+        // Build scope, factory_context as does ProdClusterInfoFactory.
+        Envoy::Stats::ScopePtr scope =
+            params.stats_.createScope(fmt::format("cluster.{}.", params.cluster_.name()));
+        Envoy::Server::Configuration::TransportSocketFactoryContextImpl factory_context(
+            params.admin_, params.ssl_context_manager_, *scope, params.cm_, params.local_info_,
+            params.dispatcher_, params.random_, params.stats_, params.singleton_manager_,
+            params.tls_, params.validation_visitor_, params.api_);
+
+        // Create a mock socket_factory for the scope of this unit test.
+        std::unique_ptr<Envoy::Network::TransportSocketFactory> socket_factory =
+            std::make_unique<Network::MockTransportSocketFactory>();
+
+        // set socket_matcher object in test scope.
+        socket_matcher = std::make_unique<Envoy::Upstream::TransportSocketMatcherImpl>(
+            params.cluster_.transport_socket_matches(), factory_context, socket_factory, *scope);
+
+        // But still use the fake cluster_info_.
+        return cluster_info_;
+      }));
+
+  EXPECT_CALL(*connection, setBufferLimits(_));
+  EXPECT_CALL(dispatcher_, deferredDelete_(_));
+
+  // Process message.
+  EXPECT_CALL(*server_response_timer_, enableTimer(_, _)).Times(AtLeast(1));
+  hds_delegate_->onReceiveMessage(std::move(message));
+
+  // pretend our endpoint was connected to.
+  connection->raiseEvent(Network::ConnectionEvent::Connected);
+
+  // Get our health checker to match against.
+  const auto clusters = hds_delegate_->hdsClusters();
+  ASSERT_EQ(clusters.size(), 1);
+  const auto hcs = clusters[0]->healthCheckers();
+  ASSERT_EQ(hcs.size(), 1);
+
+  // Check that our match hits.
+  HealthCheckerImplBase* health_checker_base = dynamic_cast<HealthCheckerImplBase*>(hcs[0].get());
+  const auto match =
+      socket_matcher->resolve(health_checker_base->transportSocketMatchMetadata().get());
+  EXPECT_EQ(match.name_, "test_socket");
+}
+
 // Tests OnReceiveMessage given a HealthCheckSpecifier message without interval field
 TEST_F(HdsTest, TestDefaultIntervalOnReceiveMessage) {
   EXPECT_CALL(*async_client_, startRaw(_, _, _, _)).WillOnce(Return(&async_stream_));

test/integration/BUILD

@@ -373,12 +373,10 @@ envoy_cc_test(
     ],
     deps = [
         ":http_integration_lib",
-        "//source/extensions/transport_sockets/tls:context_lib",
         "//test/common/upstream:utility_lib",
         "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto",
         "@envoy_api//envoy/config/route/v3:pkg_cc_proto",
         "@envoy_api//envoy/extensions/filters/network/http_connection_manager/v3:pkg_cc_proto",
-        "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
     ],
 )
 
@@ -494,6 +492,9 @@ envoy_cc_test_library(
     hdrs = [
         "http_integration.h",
     ],
+    data = [
+        "//test/config/integration/certs",
+    ],
     deps = [
         ":integration_lib",
         ":test_host_predicate_lib",
@@ -502,6 +503,7 @@ envoy_cc_test_library(
         "//source/extensions/filters/http/on_demand:config",
         "//source/extensions/filters/http/router:config",
         "//source/extensions/filters/network/http_connection_manager:config",
+        "//source/extensions/transport_sockets/tls:context_lib",
         "//test/common/upstream:utility_lib",
         "//test/integration/filters:add_body_filter_config_lib",
         "//test/integration/filters:add_trailers_filter_config_lib",
@@ -980,6 +982,9 @@ envoy_cc_test(
 envoy_cc_test(
     name = "hds_integration_test",
     srcs = ["hds_integration_test.cc"],
+    data = [
+        "//test/config/integration/certs",
+    ],
     shard_count = 2,
     # Alternately timing out and failing in CI on windows; observed to pass locally
     tags = ["flaky_on_windows"],
@@ -999,6 +1004,7 @@ envoy_cc_test(
         "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto",
         "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
         "@envoy_api//envoy/service/health/v3:pkg_cc_proto",
+        "@envoy_api//envoy/type/v3:pkg_cc_proto",
     ],
 )