envoyproxy · zhaohuabing · Nov 8, 2024 · Nov 12, 2024
@@ -0,0 +1,17 @@
+tcp:
+- address: 0.0.0.0
+  connection:
+    bufferLimit: 50000000
+    limit:
+      closeDelay: 10s
+      value: 3
+  enableProxyProtocol: true
+  name: envoy-gateway/gateway-1/tls-1
+  port: 10443
+  tcpKeepalive:
+    idleTime: 1200
+    interval: 60
+    probes: 3
+  timeout:
+    tcp:
+      idleTimeout: 20m0s
@@ -1,3 +1,5 @@
+- name: NullRouteCluster
+  type: STATIC
 - circuitBreakers:
     thresholds:
     - maxRetries: 1024

@@ -30,6 +30,14 @@
         statPrefix: http-10080
         useRemoteAddress: true
     name: envoy-gateway/gateway-1/http1
+  filterChains:
+  - filters:
+    - name: envoy.filters.network.tcp_proxy
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+        cluster: NullRouteCluster
+        statPrefix: tcp-10080
+    name: NullRouteCluster
   name: envoy-gateway/gateway-1/http1
   perConnectionBufferLimitBytes: 32768
   statPrefix: envoy-gateway/gateway-1/http1

@@ -34,3 +34,5 @@
   outlierDetection: {}
   perConnectionBufferLimitBytes: 32768
   type: EDS
+- name: NullRouteCluster
+  type: STATIC
@@ -75,11 +75,38 @@
     socketAddress:
       address: 0.0.0.0
       portValue: 10082
+  filterChains:
+  - filters:
+    - name: envoy.filters.network.connection_limit
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
+        maxConnections: "3"
+        statPrefix: tcp-10082
+    - name: envoy.filters.network.tcp_proxy
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+        cluster: NullRouteCluster
+        statPrefix: tcp-10082
+    name: NullRouteCluster
   name: third-listener
   perConnectionBufferLimitBytes: 32768
 - address:
     socketAddress:
       address: 0.0.0.0
       portValue: 10083
+  filterChains:
+  - filters:
+    - name: envoy.filters.network.connection_limit
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
+        delay: 3s
+        maxConnections: "10"
+        statPrefix: tcp-10083
+    - name: envoy.filters.network.tcp_proxy
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+        cluster: NullRouteCluster
+        statPrefix: tcp-10083
+    name: NullRouteCluster
   name: fourth-listener
   perConnectionBufferLimitBytes: 32768
@@ -34,3 +34,5 @@
   outlierDetection: {}
   perConnectionBufferLimitBytes: 32768
   type: EDS
+- name: NullRouteCluster
+  type: STATIC
@@ -92,6 +92,14 @@
     socketAddress:
       address: 0.0.0.0
       portValue: 10082
+  filterChains:
+  - filters:
+    - name: envoy.filters.network.tcp_proxy
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+        cluster: NullRouteCluster
+        statPrefix: tcp-10082
+    name: NullRouteCluster
   name: third-listener
   perConnectionBufferLimitBytes: 32768
   socketOptions:
@@ -103,6 +111,14 @@
     socketAddress:
       address: 0.0.0.0
       portValue: 10083
+  filterChains:
+  - filters:
+    - name: envoy.filters.network.tcp_proxy
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+        cluster: NullRouteCluster
+        statPrefix: tcp-10083
+    name: NullRouteCluster
   name: fourth-listener
   perConnectionBufferLimitBytes: 32768
   socketOptions:

@@ -0,0 +1,2 @@
+- name: NullRouteCluster
+  type: STATIC
@@ -0,0 +1 @@
+[]
@@ -0,0 +1,42 @@
+- address:
+    socketAddress:
+      address: 0.0.0.0
+      portValue: 10443
+  filterChains:
+  - filters:
+    - name: envoy.filters.network.connection_limit
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
+        delay: 10s
+        maxConnections: "3"
+        statPrefix: tcp-10443
+    - name: envoy.filters.network.tcp_proxy
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+        cluster: NullRouteCluster
+        idleTimeout: 1200s
+        statPrefix: tcp-10443
+    name: NullRouteCluster
+  listenerFilters:
+  - name: envoy.filters.listener.proxy_protocol
+    typedConfig:
+      '@type': type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
+  name: envoy-gateway/gateway-1/tls-1
+  perConnectionBufferLimitBytes: 50000000
+  socketOptions:
+  - description: socket option to enable tcp keep alive
+    intValue: "1"
+    level: "1"
+    name: "9"
+  - description: socket option for keep alive probes
+    intValue: "3"
+    level: "6"
+    name: "6"
+  - description: socket option for keep alive idle time
+    intValue: "1200"
+    level: "6"
+    name: "4"
+  - description: socket option for keep alive interval
+    intValue: "60"
+    level: "6"
+    name: "5"
@@ -0,0 +1 @@
+[]
@@ -1 +1,2 @@
-[]
+- name: NullRouteCluster
+  type: STATIC
@@ -2,5 +2,13 @@
     socketAddress:
       address: 0.0.0.0
       portValue: 10080
+  filterChains:
+  - filters:
+    - name: envoy.filters.network.tcp_proxy
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+        cluster: NullRouteCluster
+        statPrefix: tcp-10080
+    name: NullRouteCluster
   name: tcp-route-enable-endpoint-stats
   perConnectionBufferLimitBytes: 32768
@@ -1 +1,2 @@
-[]
+- name: NullRouteCluster
+  type: STATIC
@@ -2,5 +2,13 @@
     socketAddress:
       address: 0.0.0.0
       portValue: 10080
+  filterChains:
+  - filters:
+    - name: envoy.filters.network.tcp_proxy
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+        cluster: NullRouteCluster
+        statPrefix: tcp-10080
+    name: NullRouteCluster
   name: tcp-route-enable-req-resp-sizes-stats
   perConnectionBufferLimitBytes: 32768
@@ -39,7 +39,11 @@
 	ErrXdsSecretExists  = errors.New("xds secret exists")
 )
 
-const AuthorityHeaderKey = ":authority"
+const (
+	AuthorityHeaderKey = ":authority"
+	// The dummy cluster for TCP listeners that have no routes
+	nullRouteClusterName = "NullRouteCluster"
+)
 
 // Translator translates the xDS IR into xDS resources.
 type Translator struct {
@@ -627,6 +631,31 @@
 				errs = errors.Join(errs, err)
 			}
 		}
+
+		// If there are no routes, add a route without a destination to the listener to create a filter chain
+		// This is needed because Envoy requires a filter chain to be present in the listener, otherwise it will reject the listener and report a warning
+		if len(tcpListener.Routes) == 0 {
+			nullRouteCluster := &clusterv3.Cluster{
+				Name:                 nullRouteClusterName,
+				ClusterDiscoveryType: &clusterv3.Cluster_Type{Type: clusterv3.Cluster_STATIC},
+			}
+
+			if findXdsCluster(tCtx, nullRouteClusterName) == nil {
+				if err := tCtx.AddXdsResource(resourcev3.ClusterType, nullRouteCluster); err != nil {
+					errs = errors.Join(errs, err)
+				}
+			}
+
+			nullRoute := &ir.TCPRoute{
+				Name: nullRouteClusterName,
+				Destination: &ir.RouteDestination{
+					Name: nullRouteClusterName,
+				},
+			}
+			if err := addXdsTCPFilterChain(xdsListener, nullRoute, nullRouteClusterName, accesslog, tcpListener.Timeout, tcpListener.Connection); err != nil {
+				errs = errors.Join(errs, err)
+			}
+		}
 	}
 	return errs
 }

@@ -14,7 +14,7 @@ new features: |
 
 # Fixes for bugs identified in previous versions.
 bug fixes: |
-  Add a bug fix here
+  Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes
 
 # Enhancements that improve performance.
 performance improvements: |