enable websockets for Gateway listeners (#5524)

Closes #5241. 

Signed-off-by: Steve Kriss <[email protected]>

Author: skriss

changelogs/unreleased/5524-skriss-small.md

@@ -0,0 +1 @@
+Gateway API: enable websockets upgrade by default.

internal/dag/builder_test.go

@@ -1951,6 +1951,7 @@ func TestDAGInsertGatewayAPI(t *testing.T) {
 						virtualhost("test.projectcontour.io",
 							prefixrouteHTTPRoute("/", service(kuardService)),
 						)),
+					EnableWebsockets: true,
 				},
 			),
 		},
@@ -16203,10 +16204,12 @@ func listeners(ls ...*Listener) []*Listener {
 			listener.Protocol = "http"
 			listener.Address = "0.0.0.0"
 			listener.Port = 8080
+			listener.EnableWebsockets = true
 		case "https-443":
 			listener.Protocol = "https"
 			listener.Address = "0.0.0.0"
 			listener.Port = 8443
+			listener.EnableWebsockets = true
 		}
 	}
 

internal/dag/dag.go

@@ -891,6 +891,10 @@ type Listener struct {
 	// This cannot be used with VirtualHosts/SecureVirtualHosts
 	// on a given Listener.
 	TCPProxy *TCPProxy
+
+	// EnableWebsockets defines whether to enable the websocket
+	// upgrade.
+	EnableWebsockets bool
 }
 
 // TCPProxy represents a cluster of TCP endpoints.

internal/dag/listener_processor.go

@@ -41,12 +41,13 @@ func (p *ListenerProcessor) Run(dag *DAG, cache *KubernetesCache) {
 				address = p.HTTPSAddress
 			}
 			dag.Listeners[port.Name] = &Listener{
-				Name:          port.Name,
-				Protocol:      port.Protocol,
-				Address:       address,
-				Port:          int(port.ContainerPort),
-				vhostsByName:  map[string]*VirtualHost{},
-				svhostsByName: map[string]*SecureVirtualHost{},
+				Name:             port.Name,
+				Protocol:         port.Protocol,
+				Address:          address,
+				Port:             int(port.ContainerPort),
+				EnableWebsockets: true,
+				vhostsByName:     map[string]*VirtualHost{},
+				svhostsByName:    map[string]*SecureVirtualHost{},
 			}
 		}
 	} else {

internal/envoy/v3/listener.go

@@ -167,6 +167,12 @@ type httpConnectionManagerBuilder struct {
 	numTrustedHops                uint32
 	tracingConfig                 *http.HttpConnectionManager_Tracing
 	maxRequestsPerConnection      *uint32
+	enableWebsockets              bool
+}
+
+func (b *httpConnectionManagerBuilder) EnableWebsockets(enable bool) *httpConnectionManagerBuilder {
+	b.enableWebsockets = enable
+	return b
 }
 
 // RouteConfigName sets the name of the RDS element that contains
@@ -527,6 +533,14 @@ func (b *httpConnectionManagerBuilder) Get() *envoy_listener_v3.Filter {
 		cm.CommonHttpProtocolOptions.MaxRequestsPerConnection = wrapperspb.UInt32(*b.maxRequestsPerConnection)
 	}
 
+	if b.enableWebsockets {
+		cm.UpgradeConfigs = append(cm.UpgradeConfigs,
+			&http.HttpConnectionManager_UpgradeConfig{
+				UpgradeType: "websocket",
+			},
+		)
+	}
+
 	return &envoy_listener_v3.Filter{
 		Name: wellknown.HTTPConnectionManager,
 		ConfigType: &envoy_listener_v3.Filter_TypedConfig{

internal/featuretests/v3/envoy.go

@@ -456,13 +456,23 @@ func httpsFilterFor(vhost string) *envoy_listener_v3.Filter {
 		Get()
 }
 
+func httpFilterForGateway() *envoy_listener_v3.Filter {
+	return envoy_v3.HTTPConnectionManagerBuilder().
+		DefaultFilters().
+		RouteConfigName("http-80").
+		AccessLoggers(envoy_v3.FileAccessLogEnvoy("/dev/stdout", "", nil, contour_api_v1alpha1.LogLevelInfo)).
+		EnableWebsockets(true).
+		Get()
+}
+
 func httpsFilterForGateway(listener, vhost string) *envoy_listener_v3.Filter {
 	return envoy_v3.HTTPConnectionManagerBuilder().
 		AddFilter(envoy_v3.FilterMisdirectedRequests(vhost)).
 		DefaultFilters().
 		RouteConfigName(path.Join(listener, vhost)).
 		MetricsPrefix(listener).
 		AccessLoggers(envoy_v3.FileAccessLogEnvoy("/dev/stdout", "", nil, contour_api_v1alpha1.LogLevelInfo)).
+		EnableWebsockets(true).
 		Get()
 }
 

internal/featuretests/v3/listeners_test.go

@@ -1466,11 +1466,9 @@ func TestGatewayListenersSetAddress(t *testing.T) {
 		TypeUrl: listenerType,
 		Resources: resources(t,
 			&envoy_listener_v3.Listener{
-				Name:    "http-80",
-				Address: envoy_v3.SocketAddress("127.0.0.100", 8080),
-				FilterChains: envoy_v3.FilterChains(
-					envoy_v3.HTTPConnectionManager("http-80", envoy_v3.FileAccessLogEnvoy("/dev/stdout", "", nil, contour_api_v1alpha1.LogLevelInfo), 0),
-				),
+				Name:          "http-80",
+				Address:       envoy_v3.SocketAddress("127.0.0.100", 8080),
+				FilterChains:  envoy_v3.FilterChains(httpFilterForGateway()),
 				SocketOptions: envoy_v3.TCPKeepaliveSocketOptions(),
 			},
 		),

internal/xdscache/v3/listener.go

@@ -386,6 +386,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
 				Tracing(envoy_v3.TracingConfig(envoyTracingConfig(cfg.TracingConfig))).
 				AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))).
 				AddFilter(httpGlobalExternalAuthConfig(cfg.GlobalExternalAuthConfig)).
+				EnableWebsockets(listener.EnableWebsockets).
 				Get()
 
 			listeners[listener.Name] = envoy_v3.Listener(
@@ -455,6 +456,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
 					AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))).
 					ForwardClientCertificate(forwardClientCertificate).
 					MaxRequestsPerConnection(cfg.MaxRequestsPerConnection).
+					EnableWebsockets(listener.EnableWebsockets).
 					Get()
 
 				filters = envoy_v3.Filters(cm)
@@ -520,6 +522,7 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
 					AddFilter(envoy_v3.GlobalRateLimitFilter(envoyGlobalRateLimitConfig(cfg.RateLimitConfig))).
 					ForwardClientCertificate(forwardClientCertificate).
 					MaxRequestsPerConnection(cfg.MaxRequestsPerConnection).
+					EnableWebsockets(listener.EnableWebsockets).
 					Get()
 
 				// Default filter chain

site/content/docs/main/config/websockets.md

@@ -23,3 +23,5 @@ spec:
     - name: chat-app
       port: 80
 ```
+
+If you are using Gateway API, websockets are enabled by default at the Listener level.