upstream_proxy_protocol: Introduce custom TLV support

[timflannagan]

Commit Message:

This commit introduces support for injecting custom TLVs into the Proxy Protocol v2 (PP2) header for upstream transport sockets. This enables xDS control planes to build upstream PP2 headers with greater flexibility. Previously, upstream PP2 headers only passed through TLVs from downstream connections when using the Proxy Protocol listener, limiting customization.

With this change, users can define custom TLVs by configuring the custom_tlvs field in the upstream_proxy_protocol transport socket config, or specifying host metadata in a well-known namespace in order to provide dynamic and more granular control over PP2 header content. For example:

      transport_socket:
        name: envoy.transport_sockets.upstream_proxy_protocol
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
          config:
            version: V2
            added_tlvs:
              - type: 150
                value: Zm9v
              - type: 151
                value: YmFy

And

clusters:
      - name: httpbin
        load_assignment:
          ...
          endpoints:
          - lbEndpoints:
            - metadata:
                filter_metadata:
                  envoy.transport_socket_match:
                    outbound-proxy: true
                typed_filter_metadata:
                  envoy.transport_sockets.proxy_protocol:
                    "@type": type.googleapis.com/envoy.config.core.v3.ProxyProtocolConfig
                    added_tlvs:
                      - type: 0xD7
                        value: b3Zy
                      - type: 0xD8
                        value: bmV3
               ...

By decoupling upstream PP2 customization from downstream listener config, this unlocks more flexible use cases for Proxy Protocol in upstream paths.

Additional Description: N/A
Risk Level: Low
Testing: Unit & integration
Docs Changes: Include in the protobuf docs
Release Notes: Included in the changelog as a new feature
Platform Specific Features: N/A
[Optional Runtime guard:]
[Optional Fixes #Issue] #18520
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

[repokitteh-read-only]

Hi @timflannagan, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #37591 was opened by timflannagan.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @mattklein123
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #37591 was opened by timflannagan.

see: more, trace.

[timflannagan]

For more discussion on some of the implementation choices, see timflannagan#1 for an initial round of review. Also, I haven't written C++ in a while so I'm happy to make any style-related changes.

[timflannagan]

Looks like integration tests are failing. I'll fix that tomorrow. At a glance, the assertions are expecting a certain ordering for the custom TLVs that are being defined, and there's deterministic output issues.

[ggreenway]

/wait

[timflannagan]

Looks like the format check is failing:

ERROR: From ./source/extensions/transport_sockets/proxy_protocol/proxy_protocol.cc
ERROR: ./source/extensions/transport_sockets/proxy_protocol/proxy_protocol.cc:217: Don't use UnpackTo() directly, use MessageUtil::unpackToNoThrow() instead
ERROR: check format failed. diff has been applied'

I don't see that function defined anywhere, but I see several PRs that seem relevant here and I think I can figure out how to silence that linting violation. Does that linting rule need to be updated as well?

[mattklein123]

/api lgtm

[timflannagan]

@ggreenway Can you take another pass when you get a second? I need to look into getting the codecov check green, but the rest of the CI checks looked good last run.

[ggreenway]

/wait

[ggreenway]

This isn't related to this PR, but instead of this (and your new config) being copied by value here, the normal pattern is to hold a shared_ptr to a Config object that has already converted the protobuf config to the internal represenation, and done validation such as no duplicates.

[ggreenway]

/wait

[ggreenway]

This case was probably unreachable before this change, but now a bad config could result in a connection not generating a PP header at all. I think this case needs to be handled better, probably with the connection being aborted, or alternately generate a PP header omitting the TLV that is too long. cc @botengyao who added the TLV passthrough code.

[timflannagan]

Yeah, this becomes more problematic with these changes. I think I'd lean towards truncating the custom (and passthrough) TLVs for the upstream PP2 header. At a minimum, I think we'd need to log and possible document this behavior so users aren't caught over guard. cc @yuval-k in case you have any thoughts as well.

[timflannagan]

#37591 (comment)

[timflannagan]

Truncated custom or passthrough TLVs that exceed the max length in ad46d23. There were some header unit tests that were failing as a result as

envoy/source/extensions/transport_sockets/proxy_protocol/proxy_protocol.cc

Lines 106 to 109 in 3122ab3

	if (!Common::ProxyProtocol::generateV2Header(options, header_buffer_, pass_all_tlvs_,
	pass_through_tlvs_, custom_tlvs)) {
	// There is a warn log in generateV2Header method.
	stats_.v2_tlvs_exceed_max_length_.inc();

expects this function to return false to increment the stats.

I went back and forth on whether returning false here would be ambiguous when writing the output header was successful, but I didn't want to extend the function signature to return (bool written, bool skipped_tlvs) to handle this edge case at the call sites.

[phlax]

ping @ggreenway i think this is awaiting further review

@timflannagan requires main merge

[phlax]

wondering if this should be a header

[timflannagan]

Any examples on how to do that? I tried following https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html#sections, but ci/do_ci.sh docs was failing when I ran it and I can't seem to find where the generated files live on my local box.

[phlax]

generated files live in bazel ether - unless you build them directly (eg bazel build //docs:rst inside the container)

you can view the rendered docs eg here:

https://storage.googleapis.com/envoy-pr/3122ab3/docs/api-v3/config/core/v3/proxy_protocol.proto.html#envoy-v3-api-msg-config-core-v3-proxyprotocolpassthroughtlvs

thinking more about my heading suggestion, im wondering if we should move some of this to a reference page and link it - eg the config example

i tried setting the "heading" to h5 - it kinda works but probs we shouldnt have headings inside the descriptions - they should be relatively terse

ill comment on the config now ...

[phlax]

for ref this is the Proxy Protocol ref page https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/proxy_protocol.html

[timflannagan]

@phlax I like the reference page idea looking more at the current docset. Is this something we can tackle as a follow-up or is this a blocker in your mind.

[phlax]

not a blocker - but please at least fix the config indents

[phlax]

thanks! really appreciated

[timflannagan]

Fixed the indentation issues in b343e67. I also took a stab at the literalinclude approach in 7c5d4ed after mirroring the examples from #35532.

[phlax]

yeah - using literalinclude is what is super appreciated - its much more maintainable

probs we should add some docs somewhere - i have been pondering a plan to work on the tech debt here

[timflannagan]

I do think the reference docs or some high-level field documentation in the prot is still worth chasing -- I just have limited capacity right now. At a minimum, I think it would be good to have a header that explains pass_through_tlvs & added_tlvs and their interlope as there's some nuance in their behavior.

// The PROXY protocol transport socket allows carrying connection metadata (such as
// the original source IP address) to upstream services in either a human-readable
// (Version 1) or binary (Version 2) header.
//
// Behavior
// ========
// When the PROXY protocol transport socket is configured, Envoy can prepend a PROXY
// protocol header to connections going upstream. Depending on the protocol version,
// additional metadata such as custom Type-Length-Value (TLV) entries may also be sent.
//
// Configuration
// =============
// .. code-block:: yaml
//
//   transport_socket:
//     name: envoy.transport_sockets.proxy_protocol
//     typed_config:
//       "@type": type.googleapis.com/envoy.config.core.v3.ProxyProtocolConfig
//       version: V2
//       pass_through_tlvs:
//         match_type: INCLUDE_ALL
//
// Passing & Adding TLVs
// ---------------------
// - *pass_through_tlvs*:
//   Controls which TLVs from the downstream PROXY protocol request are forwarded
//   to the upstream connection. 
// - *added_tlvs*:
//   Defines new TLVs to add into the header for the upstream request. TLVs defined
//   at a host level take precedence over those defined at the transport socket level.

And then the individual added_tlvs field documentation could introduce the two config options and the precedence behavior. I'm not sure what's best w.r.t organization so I stopped messing around with it locally.

[phlax]

re unpackToNoThrow ...

I don't see that function defined anywhere, but I see several PRs that seem relevant here and I think I can figure out how to silence that linting violation. Does that linting rule need to be updated as well?

it would seem it does

cc @tyxia @alyssawilk

[alyssawilk]

yeah looks like that rule should have been updated with https://github.com/envoyproxy/envoy/pull/32775/files

#38138 should fix

[phlax]

/docs

[repokitteh-read-only]

Docs for this Pull Request will be rendered here:

https://storage.googleapis.com/envoy-pr/37591/docs/index.html

The docs are (re-)rendered each time the CI envoy-presubmit (precheck docs) job completes.

🐱

Caused by: a #37591 (comment) was created by @phlax.

see: more, trace.

[phlax]

for configs - we strongly encourage using a literalinclude with a full bootstrap yaml, as these are linted and tested variously for validity.

this avoids bitrot and is much more helpful for end users

we also enforce least indent on yaml formatting which is missed in code-block s

if we shift the example to a reference page its ~easier, but it can be done for api also