feat(xds): don't merge listeners of headless service instances

pkg/xds/generator/outbound_proxy_generator.go

@@ -481,15 +481,23 @@ func buildServiceAdditionalAddressMap(outbounds []*mesh_proto.Dataplane_Networki
 		// scan from the beginning to find all possible siblings, because the outbounds are not sorted
 		// the value vips will contain all the VIPs pointing to the service, excluding the REAL service itself
 		for _, obInner := range outbounds {
+			// they should be pointing to the same service
 			if service != obInner.GetService() {
 				continue
 			}
 
+			// if this outbound is an instance of a headless service, we don't merge it
+			if _, ok := obInner.GetTags()[mesh_proto.InstanceTag]; ok {
+				continue
+			}
+
+			// there should be a VIP pointing to this service
 			if !fullVIPAddrMap[obInner.Address] {
 				nonVIPServiceFound = true
 				continue
 			}
 
+			// and it's not the REAL service itself
 			if !slices.ContainsFunc(vips, func(oface mesh_proto.OutboundInterface) bool {
 				return oface.DataplaneIP == obInner.Address && oface.DataplanePort == obInner.Port
 			}) {
@@ -505,5 +513,7 @@ func buildServiceAdditionalAddressMap(outbounds []*mesh_proto.Dataplane_Networki
 		}
 	}
 
+	// we don't create independent listeners for these VIPs
+	// because they are going to be added as additional addresses to the listeners for the REAL services
 	return vipToSkipMap, serviceToVIPMap
 }

pkg/xds/generator/outbound_proxy_generator_test.go

@@ -889,6 +889,44 @@ var _ = Describe("OutboundProxyGenerator", func() {
 `,
 			expected: "10.envoy.golden.yaml",
 		}),
+		Entry("11. service vips with headless service", testCase{
+			ctx: serviceVipCtx,
+			dataplane: `
+            networking:
+              address: 10.0.0.1
+              inbound:
+              - port: 8080
+                tags:
+                  kuma.io/service: web
+              outbound:
+              - port: 18080
+                tags:
+                  kuma.io/service: backend
+              - port: 80
+                address: 240.0.0.3
+                tags:
+                  kuma.io/service: backend
+              - port: 5432
+                address: 240.0.0.4
+                tags:
+                  kuma.io/service: db
+                  kuma.io/instance: db-1
+              - port: 5432
+                address: 10.16.26.3
+                tags:
+                  kuma.io/service: db
+                  kuma.io/instance: db-1
+              - port: 5432
+                address: 10.16.31.5
+                tags:
+                  kuma.io/service: backend
+                  kuma.io/instance: db-2
+              transparentProxying:
+                redirectPortOutbound: 15001
+                redirectPortInbound: 15006
+`,
+			expected: "11.envoy.golden.yaml",
+		}),
 	)
 
 	It("Add sanitized alternative cluster name for stats", func() {

pkg/xds/generator/testdata/outbound-proxy/11.envoy.golden.yaml

@@ -0,0 +1,148 @@
+resources:
+- name: backend
+  resource:
+    '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    connectTimeout: 5s
+    edsClusterConfig:
+      edsConfig:
+        ads: {}
+        resourceApiVersion: V3
+    lbPolicy: MAGLEV
+    name: backend
+    transportSocket:
+      name: envoy.transport_sockets.tls
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        commonTlsContext:
+          alpnProtocols:
+          - kuma
+          combinedValidationContext:
+            defaultValidationContext:
+              matchTypedSubjectAltNames:
+              - matcher:
+                  exact: spiffe://mesh1/backend
+                sanType: URI
+            validationContextSdsSecretConfig:
+              name: mesh_ca:secret:mesh1
+              sdsConfig:
+                ads: {}
+                resourceApiVersion: V3
+          tlsCertificateSdsSecretConfigs:
+          - name: identity_cert:secret:mesh1
+            sdsConfig:
+              ads: {}
+              resourceApiVersion: V3
+        sni: backend{mesh=mesh1}
+    type: EDS
+    typedExtensionProtocolOptions:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+        explicitHttpConfig:
+          http2ProtocolOptions: {}
+- name: backend
+  resource:
+    '@type': type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment
+    clusterName: backend
+    endpoints:
+    - lbEndpoints:
+      - endpoint:
+          address:
+            socketAddress:
+              address: 192.168.0.1
+              portValue: 8081
+        loadBalancingWeight: 1
+        metadata:
+          filterMetadata:
+            envoy.lb:
+              region: us
+            envoy.transport_socket_match:
+              region: us
+      - endpoint:
+          address:
+            socketAddress:
+              address: 192.168.0.2
+              portValue: 8082
+        loadBalancingWeight: 1
+- name: outbound:10.16.26.3:5432
+  resource:
+    '@type': type.googleapis.com/envoy.config.listener.v3.Listener
+    address:
+      socketAddress:
+        address: 10.16.26.3
+        portValue: 5432
+    bindToPort: false
+    filterChains:
+    - {}
+    metadata:
+      filterMetadata:
+        io.kuma.tags:
+          kuma.io/instance: db-1
+          kuma.io/service: db
+    name: outbound:10.16.26.3:5432
+    trafficDirection: OUTBOUND
+- name: outbound:10.16.31.5:5432
+  resource:
+    '@type': type.googleapis.com/envoy.config.listener.v3.Listener
+    additionalAddresses:
+    - address:
+        socketAddress:
+          address: 240.0.0.3
+          portValue: 80
+    address:
+      socketAddress:
+        address: 10.16.31.5
+        portValue: 5432
+    bindToPort: false
+    filterChains:
+    - {}
+    metadata:
+      filterMetadata:
+        io.kuma.tags:
+          kuma.io/instance: db-2
+          kuma.io/service: backend
+    name: outbound:10.16.31.5:5432
+    trafficDirection: OUTBOUND
+- name: outbound:127.0.0.1:18080
+  resource:
+    '@type': type.googleapis.com/envoy.config.listener.v3.Listener
+    additionalAddresses:
+    - address:
+        socketAddress:
+          address: 240.0.0.3
+          portValue: 80
+    address:
+      socketAddress:
+        address: 127.0.0.1
+        portValue: 18080
+    bindToPort: false
+    filterChains:
+    - filters:
+      - name: envoy.filters.network.tcp_proxy
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+          cluster: backend
+          idleTimeout: 0s
+          statPrefix: backend
+    metadata:
+      filterMetadata:
+        io.kuma.tags:
+          kuma.io/service: backend
+    name: outbound:127.0.0.1:18080
+    trafficDirection: OUTBOUND
+- name: outbound:240.0.0.4:5432
+  resource:
+    '@type': type.googleapis.com/envoy.config.listener.v3.Listener
+    address:
+      socketAddress:
+        address: 240.0.0.4
+        portValue: 5432
+    bindToPort: false
+    filterChains:
+    - {}
+    metadata:
+      filterMetadata:
+        io.kuma.tags:
+          kuma.io/instance: db-1
+          kuma.io/service: db
+    name: outbound:240.0.0.4:5432
+    trafficDirection: OUTBOUND