thrift_proxy: Add thrift header to metadata filter

api/BUILD

@@ -193,6 +193,7 @@ proto_library(
         "//envoy/extensions/filters/network/sni_cluster/v3:pkg",
         "//envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/filters/network/tcp_proxy/v3:pkg",
+        "//envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3:pkg",
         "//envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v3:pkg",
         "//envoy/extensions/filters/network/thrift_proxy/router/v3:pkg",
         "//envoy/extensions/filters/network/thrift_proxy/v3:pkg",

api/envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3/BUILD

@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/type/matcher/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

api/envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3/header_to_metadata.proto

@@ -0,0 +1,109 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.thrift_proxy.filters.header_to_metadata.v3;
+
+import "envoy/type/matcher/v3/regex.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.thrift_proxy.filters.header_to_metadata.v3";
+option java_outer_classname = "HeaderToMetadataProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Header-To-Metadata Filter]
+//
+// The configuration for transforming headers into metadata. This is useful
+// for matching load balancer subsets, logging, etc.
+//
+// Header to Metadata :ref:`configuration overview <config_thrift_filters_header_to_metadata>`.
+// [#extension: envoy.filters.thrift.header_to_metadata]
+
+message HeaderToMetadata {
+  enum ValueType {
+    STRING = 0;
+
+    NUMBER = 1;
+
+    // The value is a serialized `protobuf.Value
+    // <https://github.com/protocolbuffers/protobuf/blob/master/src/google/protobuf/struct.proto#L62>`_.
+    PROTOBUF_VALUE = 2;
+  }
+
+  // ValueEncode defines the encoding algorithm.
+  enum ValueEncode {
+    // The value is not encoded.
+    NONE = 0;
+
+    // The value is encoded in `Base64 <https://tools.ietf.org/html/rfc4648#section-4>`_.
+    // Note: this is mostly used for STRING and PROTOBUF_VALUE to escape the
+    // non-ASCII characters in the header.
+    BASE64 = 1;
+  }
+
+  // [#next-free-field: 7]
+  message KeyValuePair {
+    // The namespace — if this is empty, the filter's namespace will be used.
+    string metadata_namespace = 1;
+
+    // The key to use within the namespace.
+    string key = 2 [(validate.rules).string = {min_len: 1}];
+
+    oneof value_type {
+      // The value to pair with the given key.
+      //
+      // When used for on_present case, if value is non-empty it'll be used instead
+      // of the header value. If both are empty, no metadata is added.
+      //
+      // When used for on_missing case, a non-empty value must be provided otherwise
+      // no metadata is added.
+      string value = 3;
+
+      // If present, the header's value will be matched and substituted with this.
+      // If there is no match or substitution, the header value
+      // is used as-is.
+      //
+      // This is only used for on_present.
+      //
+      // Note: if the `value` field is non-empty this field should be empty.
+      type.matcher.v3.RegexMatchAndSubstitute regex_value_rewrite = 4;
+    }
+
+    // The value's type — defaults to string.
+    ValueType type = 5 [(validate.rules).enum = {defined_only: true}];
+
+    // How is the value encoded, default is NONE (not encoded).
+    // The value will be decoded accordingly before storing to metadata.
+    ValueEncode encode = 6;
+  }
+
+  // A Rule defines what metadata to apply when a header is present or missing.
+  message Rule {
+    // Specifies that a match will be performed on the value of a header.
+    //
+    // The header to be extracted.
+    string header = 1
+        [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+    // If the header is present, apply this metadata KeyValuePair.
+    //
+    // If the value in the KeyValuePair is non-empty, it'll be used instead
+    // of the header value.
+    KeyValuePair on_present = 2;
+
+    // If the header is not present, apply this metadata KeyValuePair.
+    //
+    // The value in the KeyValuePair must be set, since it'll be used in lieu
+    // of the missing header value.
+    KeyValuePair on_missing = 3;
+
+    // Whether or not to remove the header after a rule is applied.
+    //
+    // This prevents headers from leaking.
+    bool remove = 4;
+  }
+
+  // The list of rules to apply to requests.
+  repeated Rule request_rules = 1 [(validate.rules).repeated = {min_items: 1}];
+}

api/versioning/BUILD

@@ -130,6 +130,7 @@ proto_library(
         "//envoy/extensions/filters/network/sni_cluster/v3:pkg",
         "//envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3:pkg",
         "//envoy/extensions/filters/network/tcp_proxy/v3:pkg",
+        "//envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3:pkg",
         "//envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v3:pkg",
         "//envoy/extensions/filters/network/thrift_proxy/router/v3:pkg",
         "//envoy/extensions/filters/network/thrift_proxy/v3:pkg",

docs/root/configuration/other_protocols/thrift_filters/header_to_metadata_filter.rst

@@ -0,0 +1,90 @@
+.. _config_thrift_filters_header_to_metadata:
+
+Envoy Header-To-Metadata Filter
+===============================
+* :ref:`v3 API reference <envoy_v3_api_msg_extensions.filters.http.header_to_metadata.v3.Config>`
+* This filter should be configured with the name *envoy.filters.http.header_to_metadata*.
+
+This filter is configured with rules that will be matched against requests.
+Each rule has either a header and can be triggered either when the header is present or missing.
+
+When a rule is triggered, dynamic metadata will be added based on the configuration of the rule.
+If the header is present, it's value is extracted and used along with the specified
+key as metadata. If the header is missing, on missing case is triggered and the value
+specified is used for adding metadata.
+
+The metadata can then be used for load balancing decisions, consumed from logs, etc.
+
+A typical use case for this filter is to dynamically match requests with load balancer
+subsets. For this, a given header's value would be extracted and attached to the request
+as dynamic metadata which would then be used to match a subset of endpoints.
+
+Example
+-------
+
+A sample filter configuration to route traffic to endpoints based on the presence or
+absence of a version header could be:
+
+.. code-block:: yaml
+
+  thrift_filters:
+    - name: envoy.filters.thrift.header_to_metadata
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.filters.thrift.header_to_metadata.v3.HeaderToMetadata
+        request_rules:
+          - header: x-version
+            on_header_present:
+              metadata_namespace: envoy.lb
+              key: version
+              type: STRING
+            on_header_missing:
+              metadata_namespace: envoy.lb
+              key: default
+              value: 'true'
+              type: STRING
+            remove: false
+
+A corresponding upstream cluster configuration could be:
+
+.. code-block:: yaml
+
+  clusters:
+    - name: versioned-cluster
+      type: EDS
+      lb_policy: ROUND_ROBIN
+      lb_subset_config:
+        fallback_policy: ANY_ENDPOINT
+        subset_selectors:
+          - keys:
+              - default
+          - keys:
+              - version
+
+This would then allow requests with the ``x-version`` header set to be matched against
+endpoints with the corresponding version. Whereas requests with that header missing
+would be matched with the default endpoints.
+
+If the header's value needs to be transformed before it's added to the request as
+dynamic metadata, this filter supports regex matching and substitution:
+
+.. code-block:: yaml
+
+  thrift_filters:
+    - name: envoy.filters.thrift.header_to_metadata
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.filters.thrift.header_to_metadata.v3.HeaderToMetadata
+        request_rules:
+          - header: ":path"
+            on_header_present:
+              metadata_namespace: envoy.lb
+              key: cluster
+              regex_value_rewrite:
+                pattern:
+                  google_re2: {}
+                  regex: "^/(cluster[\\d\\w-]+)/?.*$"
+                substitution: "\\1"
+
+Statistics
+----------
+
+Currently, this filter generates no statistics.

docs/root/configuration/other_protocols/thrift_filters/thrift_filters.rst

@@ -8,5 +8,6 @@ Envoy has the following builtin Thrift filters.
 .. toctree::
   :maxdepth: 2
 
+  header_to_metadata_filter
   rate_limit_filter
   router_filter

docs/root/version_history/current.rst

@@ -64,6 +64,7 @@ New Features
 * oauth filter: added :ref:`cookie_names <envoy_v3_api_field_extensions.filters.http.oauth2.v3.OAuth2Credentials.cookie_names>` to allow overriding (default) cookie names (``BearerToken``, ``OauthHMAC``, and ``OauthExpires``) set by the filter.
 * tcp: added a :ref:`FilterState <envoy_v3_api_msg_type.v3.HashPolicy.FilterState>` :ref:`hash policy <envoy_v3_api_msg_type.v3.HashPolicy>`, used by :ref:`TCP proxy <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.hash_policy>` to allow hashing load balancer algorithms to hash on objects in filter state.
 * tcp_proxy: added support to populate upstream http connect header values from stream info.
+* thrift_proxy: add header to metadata filter for turning headers into dynamic metadata.
 * thrift_proxy: add upstream response zone metrics in the form ``cluster.cluster_name.zone.local_zone.upstream_zone.thrift.upstream_resp_success``.
 * thrift_proxy: add upstream metrics to show decoding errors and whether exception is from local or remote, e.g. ``cluster.cluster_name.thrift.upstream_resp_exception_remote``.
 * thrift_proxy: add host level success/error metrics where success is a reply of type success and error is any other response to a call.

source/extensions/extensions_build_config.bzl

@@ -173,6 +173,7 @@ EXTENSIONS = {
     #
 
     "envoy.filters.thrift.router":                      "//source/extensions/filters/network/thrift_proxy/router:config",
+    "envoy.filters.thrift.header_to_metadata":          "//source/extensions/filters/network/thrift_proxy/filters/header_to_metadata:config",
     "envoy.filters.thrift.ratelimit":                   "//source/extensions/filters/network/thrift_proxy/filters/ratelimit:config",
 
     #

source/extensions/extensions_metadata.yaml

@@ -393,6 +393,11 @@ envoy.filters.network.zookeeper_proxy:
   - envoy.filters.network
   security_posture: requires_trusted_downstream_and_upstream
   status: alpha
+envoy.filters.thrift.header_to_metadata:
+  categories:
+  - envoy.thrift_proxy.filters
+  security_posture: requires_trusted_downstream_and_upstream
+  status: alpha
 envoy.filters.thrift.ratelimit:
   categories:
   - envoy.thrift_proxy.filters

source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/BUILD

@@ -0,0 +1,33 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_extension",
+    "envoy_cc_library",
+    "envoy_extension_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_extension_package()
+
+envoy_cc_extension(
+    name = "config",
+    srcs = ["config.cc"],
+    hdrs = ["config.h"],
+    deps = [
+        ":header_to_metadata_filter_lib",
+        "//envoy/registry",
+        "//source/extensions/filters/network/thrift_proxy/filters:factory_base_lib",
+        "@envoy_api//envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3:pkg_cc_proto",
+    ],
+)
+
+envoy_cc_library(
+    name = "header_to_metadata_filter_lib",
+    srcs = ["header_to_metadata_filter.cc"],
+    hdrs = ["header_to_metadata_filter.h"],
+    deps = [
+        "//envoy/server:filter_config_interface",
+        "//source/extensions/filters/network/thrift_proxy/filters:pass_through_filter_lib",
+        "@envoy_api//envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3:pkg_cc_proto",
+    ],
+)

source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/config.cc

@@ -0,0 +1,35 @@
+#include "source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/config.h"
+
+#include <string>
+
+#include "source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace ThriftFilters {
+namespace HeaderToMetadataFilter {
+
+using namespace Envoy::Extensions::NetworkFilters;
+
+ThriftProxy::ThriftFilters::FilterFactoryCb
+HeaderToMetadataFilterConfig::createFilterFactoryFromProtoTyped(
+    const envoy::extensions::filters::network::thrift_proxy::filters::header_to_metadata::v3::
+        HeaderToMetadata& proto_config,
+    const std::string&, Server::Configuration::FactoryContext&) {
+  ConfigSharedPtr filter_config(std::make_shared<Config>(proto_config));
+  return
+      [filter_config](ThriftProxy::ThriftFilters::FilterChainFactoryCallbacks& callbacks) -> void {
+        callbacks.addDecoderFilter(std::make_shared<HeaderToMetadataFilter>(filter_config));
+      };
+}
+
+/**
+ * Static registration for the header to metadata filter. @see RegisterFactory.
+ */
+REGISTER_FACTORY(HeaderToMetadataFilterConfig,
+                 ThriftProxy::ThriftFilters::NamedThriftFilterConfigFactory);
+
+} // namespace HeaderToMetadataFilter
+} // namespace ThriftFilters
+} // namespace Extensions
+} // namespace Envoy

source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/config.h

@@ -0,0 +1,33 @@
+#pragma once
+
+#include "envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3/header_to_metadata.pb.h"
+#include "envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3/header_to_metadata.pb.validate.h"
+
+#include "source/extensions/filters/network/thrift_proxy/filters/factory_base.h"
+#include "source/extensions/filters/network/thrift_proxy/filters/header_to_metadata/header_to_metadata_filter.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace ThriftFilters {
+namespace HeaderToMetadataFilter {
+
+/**
+ * Config registration for the header to metadata filter. @see NamedThriftFilterConfigFactory.
+ */
+class HeaderToMetadataFilterConfig : public ThriftProxy::ThriftFilters::FactoryBase<
+                                         envoy::extensions::filters::network::thrift_proxy::
+                                             filters::header_to_metadata::v3::HeaderToMetadata> {
+public:
+  HeaderToMetadataFilterConfig() : FactoryBase("envoy.filters.thrift.header_to_metadata") {}
+
+private:
+  ThriftProxy::ThriftFilters::FilterFactoryCb createFilterFactoryFromProtoTyped(
+      const envoy::extensions::filters::network::thrift_proxy::filters::header_to_metadata::v3::
+          HeaderToMetadata& proto_config,
+      const std::string& stats_prefix, Server::Configuration::FactoryContext& context) override;
+};
+
+} // namespace HeaderToMetadataFilter
+} // namespace ThriftFilters
+} // namespace Extensions
+} // namespace Envoy