Set-Metadata HTTP filter

[aguinet]

Commit Message: HTTP filter that can set or update dynamic metadata.

Additional Description:

This extension simply allows to add user-defined dynamic metadata. This is intended to be used with matchers, so that the "result" of a matching process can imply specific metadata.

See issue #16266

Risk Level: Medium
Testing: Unit tests for the extension are added
Docs Changes: A small documentation for the extension is added in docs/root/configuration/http/http_filters
Release Notes: N/A
Platform Specific Features: N/A
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Deprecated:]
[Optional API Considerations:]

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
envoyproxy/api-shepherds assignee is @htuch
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.

🐱

Caused by: #16400 was opened by aguinet.

see: more, trace.

[htuch]

Looks good generally, just want to verify the details around merge.

[htuch]

Need to update https://github.com/envoyproxy/envoy/blob/main/CODEOWNERS

[aguinet]

I tried to added myself, but it asked for a second maintainer. Who should I add? @snowp as he is sponsoring it :) ?

[htuch]

Yes, Snow and you.

[aguinet]

Sorry missed this answer. Done in d139579 !

[htuch]

RST link to docs providing details of the merge semantics.

[aguinet]

Should be fixed in 9d26ca2

[aguinet]

@htuch it looks like this conflicts with main. Should I rebase on main and squash into two commits? (one for StructUtil::update and one for the extension)

[htuch]

@aguinet in general, you should have a flow that you never rebase after creating a PR. Instead do local merges from origin/main.

[htuch]

Thanks. The merging now makes more sense. One question I have is how this extension relates to the header_to_metadata filter? https://github.com/envoyproxy/envoy/blob/main/api/envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto

It seems that really we want both to behave similarly, and if we were designing from scratch they would be somewhat unified. We also have other filters, e.g. ext_authz, that set dynamic metadata base on return values from remote servers. Ideally these have aligned merge semantics.

We don't need to boil the ocean here, but having some explanation and game plan to get consistent behaviors would be helpful.

[aguinet]

Thanks. The merging now makes more sense. One question I have is how this extension relates to the header_to_metadata filter? https://github.com/envoyproxy/envoy/blob/main/api/envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto

It seems that really we want both to behave similarly, and if we were designing from scratch they would be somewhat unified. We also have other filters, e.g. ext_authz, that set dynamic metadata base on return values from remote servers. Ideally these have aligned merge semantics.

We don't need to boil the ocean here, but having some explanation and game plan to get consistent behaviors would be helpful.

These are good questions I tried to resolve before starting this. Let me first explain my use case. What we'd like to do is leverage the matching engine to add "tags", and log this tag and/or take decisions according to these tags. This is configurable by the user in the end, and would be transformed to an envoy configuration file.

As an example, I could add the tag "tag0" if the cookie "mycookie" matches a given regular expression, and another tag "tag1" if the IP comes from AS3215. I would like these two tags to be logged, and let's say block the request if the two of them are there.

In order to reuse the matching engine, we would configure HTTP filters like this:

# Wrapped into a first matcher
- filter0: 
    @type: set_metadata
    namespace: mynamespace
    value:
      tags:
       tag0: 1
#  Wrapped into a second matcher
- filter1:
    @type: set_metadata 
    namespace: mynamespace
    value:
      tags:
        tag1: 1

In order to get the two tags, I need the current merging strategy.

Now about header_to_metadata. From my understanding, it's just setting strings (potentially base64 ones) or integers values, taken from headers. There are no issue of potentially merging two different recursive structures. But I might be missing something here.

I just checked ext_authz, the only place I found it setting metadata is here:

envoy/source/extensions/filters/http/ext_authz/ext_authz.cc

Lines 211 to 214 in 1f4ca4c

	if (!response->dynamic_metadata.fields().empty()) {
	decoder_callbacks_->streamInfo().setDynamicMetadata(HttpFilterNames::get().ExtAuthorization,
	response->dynamic_metadata);
	}

. This looks like there are no merging strategy involved, but I don't know the use cases enough to know if that even makes sens!

[aguinet]

@aguinet in general, you should have a flow that you never rebase after creating a PR. Instead do local merges from origin/main.

Okay. So I'll end up with a merge commit, right? Should I squash all of this before merging?

[htuch]

Thanks for the explanation. I agree this makes sense. @envoyproxy/api-shepherds I'd like us to think about adopting this as the standard merge strategy going forward, so we don't have inconsistent merging when filters are performing dynamic metadata update.

Okay. So I'll end up with a merge commit, right? Should I squash all of this before merging?

Yes, add a merge commit. You can't squash (since this is a rebase) once a PR has started. We will squash everything prior to the main merge once approved.

[htuch]

Thanks; a bunch of API and code comments to address, I think it's in the right shape.
/wait

[htuch]

@envoyproxy/api-shepherds this differs from MergeFrom in that it supports merging structs together, e.g. if you have a disjoint namespace things compose as expected. I think this makes sense, but flagging this for consideration in case there is some alternate merging preferences.

[htuch]

More const issues. Sorry if this seems nit-picky, but this style of const is different to the Envoy code base and consistency is important. There are some rare exceptions and we should fix them.

Can you just grep for const& in your difference from main and fix them all? Thanks.

[aguinet]

I'm sorry I thought I had checked them all... I completely understand the style consistency. Will indeed recheck this properly!

[aguinet]

Fixed in 45ca933 .

$ git diff main...feature/ext_add_metadata |grep 'const&' |wc -l
0

Hopefully I should be fine!

[htuch]

LGTM modulo nits and a main merge for conflict.

[htuch]

LGTM, thanks!

Needs main merge.

[aguinet]

@htuch main merged into the branch! Is there something else I need to do?

Thanks for the time you took for all the reviews and remarks!

[htuch]

@phlax do you know what is going on with this glint failure?

[phlax]

https://dev.azure.com/cncf/envoy/_build/results?buildId=76293&view=logs&j=c5dd2866-6ab3-5f3c-3a44-4cef0ec909b5&t=a9eb66d6-8944-5769-b3f7-476949dadcb8&l=60

[aguinet]

https://dev.azure.com/cncf/envoy/_build/results?buildId=76293&view=logs&j=c5dd2866-6ab3-5f3c-3a44-4cef0ec909b5&t=a9eb66d6-8944-5769-b3f7-476949dadcb8&l=60

Should be fixed with 0469f86 . Added a configuration to my vim to highlight these...

[phlax]

Added a configuration to my vim to highlight these...

i have my editor (emacs) automatically remove/fix on save

[htuch]

LGTM, thanks!

[htuch]

@aguinet the clang-tidy failures seem legit, see https://dev.azure.com/cncf/envoy/_build/results?buildId=76440&view=logs&j=430ab721-bbba-5b3a-3c7b-ff111cc657fe&t=b6238472-0f30-5195-100c-623a3015b9ef

[aguinet]

@htuch yep, I've just pushed d82b20a to fix it!

[aguinet]

\o/ Thanks a lot for the merge @htuch !