Per port config for ListenerPolicy (#13038)

Signed-off-by: Yuval Kohavi <[email protected]>

Author: yuval-k

api/v1alpha1/kgateway/listener_policy_types.go

@@ -54,6 +54,42 @@ type ListenerPolicySpec struct {
 	// +kubebuilder:validation:XValidation:rule="self.all(r, r.kind == 'Gateway' && (!has(r.group) || r.group == 'gateway.networking.k8s.io'))",message="targetSelectors may only reference Gateway resource"
 	TargetSelectors []shared.LocalPolicyTargetSelector `json:"targetSelectors,omitempty"`
 
+	// Default specifies default listener configuration for all Listeners, unless a per-port
+	// configuration is defined.
+	// +optional
+	Default *ListenerConfig `json:"default,omitempty"`
+
+	// Per port configuration allows overriding the listener config per port. Once set, this
+	// configuration completely replaces the default configuration for all listeners handling traffic
+	// that match this port. Unspecified fields in per-port configuration will not inherit values from default.
+	//
+	// +optional
+	// +listType=map
+	// +listMapKey=port
+	// +kubebuilder:validation:MaxItems=64
+	// +kubebuilder:validation:XValidation:message="Port for listener configuration must be unique within the Gateway",rule="self.all(t1, self.exists_one(t2, t1.port == t2.port))"
+	PerPort []ListenerPortConfig `json:"perPort,omitempty"`
+}
+
+type ListenerPortConfig struct {
+	// The Port indicates the Port Number to which the Listener configuration will be
+	// applied. This configuration will be applied to all Listeners handling
+	// traffic that match this port.
+	//
+	// +required
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	Port int32 `json:"port"`
+
+	// Listener stores the configuration that will be applied to all Listeners handling
+	// matching the given port.
+	//
+	// +required
+	Listener ListenerConfig `json:"listener"`
+}
+
+type ListenerConfig struct {
+
 	// ProxyProtocol configures the PROXY protocol listener filter.
 	// When set, Envoy will expect connections to include the PROXY protocol header.
 	// This is commonly used when kgateway is behind a load balancer that preserves client IP information.

api/v1alpha1/kgateway/zz_generated.deepcopy.go

@@ -189,7 +189,7 @@ func (s *ourPolicyPass) ApplyForRoute(pCtx *ir.RouteContext, out *envoyroutev3.R
 	return nil
 }
 
-func (s *ourPolicyPass) HttpFilters(fc ir.FilterChainCommon) ([]filters.StagedHttpFilter, error) {
+func (s *ourPolicyPass) HttpFilters(_ ir.HttpFiltersContext, fc ir.FilterChainCommon) ([]filters.StagedHttpFilter, error) {
 	if !s.filterNeeded[fc.FilterChainName] {
 		return nil, nil
 	}

examples/plugin/main.go

@@ -57,24 +57,83 @@ spec:
             description: ListenerPolicySpec defines the desired state of a listener
               policy.
             properties:
-              perConnectionBufferLimitBytes:
+              default:
                 description: |-
-                  PerConnectionBufferLimitBytes sets the per-connection buffer limit for all listeners on the gateway.
-                  This controls the maximum size of read and write buffers for new connections.
-                  When using Envoy as an edge proxy, configuring the listener buffer limit is important to guard against
-                  potential attacks or misconfigured downstreams that could hog the proxy's resources.
-                  If unspecified, an implementation-defined default is applied (1MiB).
-                  See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes
-                format: int32
-                minimum: 0
-                type: integer
-              proxyProtocol:
-                description: |-
-                  ProxyProtocol configures the PROXY protocol listener filter.
-                  When set, Envoy will expect connections to include the PROXY protocol header.
-                  This is commonly used when kgateway is behind a load balancer that preserves client IP information.
-                  See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto
+                  Default specifies default listener configuration for all Listeners, unless a per-port
+                  configuration is defined.
+                properties:
+                  perConnectionBufferLimitBytes:
+                    description: |-
+                      PerConnectionBufferLimitBytes sets the per-connection buffer limit for all listeners on the gateway.
+                      This controls the maximum size of read and write buffers for new connections.
+                      When using Envoy as an edge proxy, configuring the listener buffer limit is important to guard against
+                      potential attacks or misconfigured downstreams that could hog the proxy's resources.
+                      If unspecified, an implementation-defined default is applied (1MiB).
+                      See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  proxyProtocol:
+                    description: |-
+                      ProxyProtocol configures the PROXY protocol listener filter.
+                      When set, Envoy will expect connections to include the PROXY protocol header.
+                      This is commonly used when kgateway is behind a load balancer that preserves client IP information.
+                      See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto
+                    type: object
                 type: object
+              perPort:
+                description: |-
+                  Per port configuration allows overriding the listener config per port. Once set, this
+                  configuration completely replaces the default configuration for all listeners handling traffic
+                  that match this port. Unspecified fields in per-port configuration will not inherit values from default.
+                items:
+                  properties:
+                    listener:
+                      description: |-
+                        Listener stores the configuration that will be applied to all Listeners handling
+                        matching the given port.
+                      properties:
+                        perConnectionBufferLimitBytes:
+                          description: |-
+                            PerConnectionBufferLimitBytes sets the per-connection buffer limit for all listeners on the gateway.
+                            This controls the maximum size of read and write buffers for new connections.
+                            When using Envoy as an edge proxy, configuring the listener buffer limit is important to guard against
+                            potential attacks or misconfigured downstreams that could hog the proxy's resources.
+                            If unspecified, an implementation-defined default is applied (1MiB).
+                            See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes
+                          format: int32
+                          minimum: 0
+                          type: integer
+                        proxyProtocol:
+                          description: |-
+                            ProxyProtocol configures the PROXY protocol listener filter.
+                            When set, Envoy will expect connections to include the PROXY protocol header.
+                            This is commonly used when kgateway is behind a load balancer that preserves client IP information.
+                            See here for more information: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto
+                          type: object
+                      type: object
+                    port:
+                      description: |-
+                        The Port indicates the Port Number to which the Listener configuration will be
+                        applied. This configuration will be applied to all Listeners handling
+                        traffic that match this port.
+                      format: int32
+                      maximum: 65535
+                      minimum: 1
+                      type: integer
+                  required:
+                  - listener
+                  - port
+                  type: object
+                maxItems: 64
+                type: array
+                x-kubernetes-list-map-keys:
+                - port
+                x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: Port for listener configuration must be unique within the
+                    Gateway
+                  rule: self.all(t1, self.exists_one(t2, t1.port == t2.port))
               targetRefs:
                 description: |-
                   TargetRefs specifies the target resources by reference to attach the policy to.

install/helm/kgateway-crds/templates/gateway.kgateway.dev_listenerpolicies.yaml

@@ -268,7 +268,7 @@ func (p *endpointPickerPass) ApplyForBackend(
 }
 
 // HttpFilters returns one ext_proc filter, using the well-known filter name.
-func (p *endpointPickerPass) HttpFilters(fc ir.FilterChainCommon) ([]filters.StagedHttpFilter, error) {
+func (p *endpointPickerPass) HttpFilters(_ ir.HttpFiltersContext, fc ir.FilterChainCommon) ([]filters.StagedHttpFilter, error) {
 	if p == nil || len(p.usedPools) == 0 {
 		return nil, nil
 	}

pkg/kgateway/agentgatewaysyncer/backend/inferencepool/plugin.go

@@ -292,7 +292,7 @@ func (p *backendPlugin) ApplyForBackend(pCtx *ir.RouteBackendContext, in ir.Http
 // called 1 time per listener
 // if a plugin emits new filters, they must be with a plugin unique name.
 // any filter returned from route config must be disabled, so it doesnt impact other routes.
-func (p *backendPlugin) HttpFilters(fc ir.FilterChainCommon) ([]filters.StagedHttpFilter, error) {
+func (p *backendPlugin) HttpFilters(_ ir.HttpFiltersContext, fc ir.FilterChainCommon) ([]filters.StagedHttpFilter, error) {
 	result := []filters.StagedHttpFilter{}
 
 	var errs []error

pkg/kgateway/extensions2/plugins/backend/plugin.go

@@ -408,7 +408,7 @@ func (p *httpListenerPolicyPluginGwPass) ApplyHCM(
 	return nil
 }
 
-func (p *httpListenerPolicyPluginGwPass) HttpFilters(fc ir.FilterChainCommon) ([]filters.StagedHttpFilter, error) {
+func (p *httpListenerPolicyPluginGwPass) HttpFilters(hCtx ir.HttpFiltersContext, fc ir.FilterChainCommon) ([]filters.StagedHttpFilter, error) {
 	if p.healthCheckPolicy == nil {
 		return nil, nil
 	}