make connection termination an enum

Signed-off-by: Guy Daich <guy.daich@sap.com>

api/v1alpha1/shared_types.go

@@ -480,6 +480,13 @@ type BackendRef struct {
 // +kubebuilder:validation:Pattern=`((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))`
 type CIDR string
 
+type InvalidMessageAction string
+
+const (
+	InvalidMessageActionTerminateConnection InvalidMessageAction = "TerminateConnection"
+	InvalidMessageActionTerminateStream     InvalidMessageAction = "TerminateStream"
+)
+
 // HTTP2Settings provides HTTP/2 configuration for listeners and backends.
 type HTTP2Settings struct {
 	// InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
@@ -503,10 +510,10 @@ type HTTP2Settings struct {
 	// +optional
 	MaxConcurrentStreams *uint32 `json:"maxConcurrentStreams,omitempty"`
 
-	// TerminateConnOnError determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
-	// It's recommended for L2 Envoy deployments to set this value to false.
+	// OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+	// It's recommended for L2 Envoy deployments to set this value to TerminateStream.
 	// https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
-	// Default: true
+	// Default: TerminateConnection
 	// +optional
-	TerminateConnOnError *bool `json:"terminateConnOnError,omitempty"`
+	OnInvalidMessage *InvalidMessageAction `json:"onInvalidMessage,omitempty"`
 }

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml

@@ -473,13 +473,13 @@ spec:
                     maximum: 2147483647
                     minimum: 1
                     type: integer
-                  terminateConnOnError:
+                  onInvalidMessage:
                     description: |-
-                      TerminateConnOnError determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
-                      It's recommended for L2 Envoy deployments to set this value to false.
+                      OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+                      It's recommended for L2 Envoy deployments to set this value to TerminateStream.
                       https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
-                      Default: true
-                    type: boolean
+                      Default: TerminateConnection
+                    type: string
                 type: object
               loadBalancer:
                 description: |-

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -300,13 +300,13 @@ spec:
                     maximum: 2147483647
                     minimum: 1
                     type: integer
-                  terminateConnOnError:
+                  onInvalidMessage:
                     description: |-
-                      TerminateConnOnError determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
-                      It's recommended for L2 Envoy deployments to set this value to false.
+                      OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+                      It's recommended for L2 Envoy deployments to set this value to TerminateStream.
                       https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
-                      Default: true
-                    type: boolean
+                      Default: TerminateConnection
+                    type: string
                 type: object
               http3:
                 description: HTTP3 provides HTTP/3 configuration on the listener.

internal/gatewayapi/http.go

@@ -60,7 +60,14 @@ func buildIRHTTP2Settings(http2Settings *egv1a1.HTTP2Settings) (*ir.HTTP2Setting
 
 	http2.MaxConcurrentStreams = http2Settings.MaxConcurrentStreams
 
-	http2.TerminateConnOnError = http2Settings.TerminateConnOnError
+	if http2Settings.OnInvalidMessage != nil {
+		switch *http2Settings.OnInvalidMessage {
+		case egv1a1.InvalidMessageActionTerminateStream:
+			http2.ResetStreamOnError = ptr.To(true)
+		case egv1a1.InvalidMessageActionTerminateConnection:
+			http2.ResetStreamOnError = ptr.To(false)
+		}
+	}
 
 	return http2, errs
 }

internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.in.yaml

@@ -77,6 +77,7 @@ backendTrafficPolicies:
         initialStreamWindowSize: 2Mi
         initialConnectionWindowSize: 1Gi
         maxConcurrentStreams: 500
+        onInvalidMessage: TerminateConnection
   - apiVersion: gateway.envoyproxy.io/v1alpha1
     kind: BackendTrafficPolicy
     metadata:
@@ -91,4 +92,4 @@ backendTrafficPolicies:
         initialStreamWindowSize: 1Mi
         initialConnectionWindowSize: 500Mi
         maxConcurrentStreams: 200
-        terminateConnOnError: false
+        onInvalidMessage: TerminateStream

internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.out.yaml

@@ -10,7 +10,7 @@ backendTrafficPolicies:
       initialConnectionWindowSize: 500Mi
       initialStreamWindowSize: 1Mi
       maxConcurrentStreams: 200
-      terminateConnOnError: false
+      onInvalidMessage: TerminateStream
     targetRef:
       group: gateway.networking.k8s.io
       kind: HTTPRoute
@@ -41,6 +41,7 @@ backendTrafficPolicies:
       initialConnectionWindowSize: 1Gi
       initialStreamWindowSize: 2Mi
       maxConcurrentStreams: 500
+      onInvalidMessage: TerminateConnection
     targetRef:
       group: gateway.networking.k8s.io
       kind: Gateway
@@ -286,6 +287,7 @@ xdsIR:
             initialConnectionWindowSize: 2097152
             initialStreamWindowSize: 1073741824
             maxConcurrentStreams: 500
+            resetStreamOnError: false
   envoy-gateway/gateway-2:
     accessLog:
       text:
@@ -331,4 +333,4 @@ xdsIR:
             initialConnectionWindowSize: 1048576
             initialStreamWindowSize: 524288000
             maxConcurrentStreams: 200
-            terminateConnOnError: false
+            resetStreamOnError: true

internal/ir/xds.go

@@ -456,8 +456,8 @@ type HTTP2Settings struct {
 	InitialConnectionWindowSize *uint32 `json:"initialStreamWindowSize,omitempty" yaml:"initialStreamWindowSize,omitempty"`
 	// MaxConcurrentStreams is the maximum number of concurrent streams that can be opened on a connection.
 	MaxConcurrentStreams *uint32 `json:"maxConcurrentStreams,omitempty" yaml:"maxConcurrentStreams,omitempty"`
-	// TerminateConnOnError determines if a stream or connection is reset on messaging error.
-	TerminateConnOnError *bool `json:"terminateConnOnError,omitempty" yaml:"terminateConnOnError,omitempty"`
+	// ResetStreamOnError determines if a stream or connection is reset on messaging error.
+	ResetStreamOnError *bool `json:"resetStreamOnError,omitempty" yaml:"resetStreamOnError,omitempty"`
 }
 
 // HealthCheckSettings provides HealthCheck configuration on the HTTP/HTTPS listener.

internal/xds/translator/cluster.go

@@ -769,9 +769,9 @@ func buildHTTP2Settings(opts *ir.HTTP2Settings) *corev3.Http2ProtocolOptions {
 		}
 	}
 
-	if opts.TerminateConnOnError != nil {
+	if opts.ResetStreamOnError != nil {
 		out.OverrideStreamErrorOnInvalidHttpMessage = &wrapperspb.BoolValue{
-			Value: !*opts.TerminateConnOnError,
+			Value: *opts.ResetStreamOnError,
 		}
 	}
 

internal/xds/translator/listener.go

@@ -96,9 +96,9 @@ func http2ProtocolOptions(opts *ir.HTTP2Settings) *corev3.Http2ProtocolOptions {
 		},
 	}
 
-	if opts.TerminateConnOnError != nil {
+	if opts.ResetStreamOnError != nil {
 		out.OverrideStreamErrorOnInvalidHttpMessage = &wrapperspb.BoolValue{
-			Value: !*opts.TerminateConnOnError,
+			Value: *opts.ResetStreamOnError,
 		}
 	}
 

internal/xds/translator/testdata/in/xds-ir/http2-route.yaml

@@ -33,7 +33,7 @@ http:
         initialConnectionWindowSize: 1048576
         initialStreamWindowSize: 524288000
         maxConcurrentStreams: 200
-        terminateConnOnError: false
+        resetStreamOnError: true
   - name: "second-route"
     hostname: "*"
     pathMatch:
@@ -66,7 +66,7 @@ http:
         initialConnectionWindowSize: 1048576
         initialStreamWindowSize: 524288000
         maxConcurrentStreams: 200
-        terminateConnOnError: true
+        resetStreamOnError: false
   - name: "fourth-route-not-http2"
     hostname: "*"
     pathMatch:
@@ -83,4 +83,4 @@ http:
         initialConnectionWindowSize: 1048576
         initialStreamWindowSize: 524288000
         maxConcurrentStreams: 200
-        terminateConnOnError: false
+        resetStreamOnError: true

site/content/en/latest/api/extension_types.md

@@ -1801,7 +1801,7 @@ _Appears in:_
 | `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ |  false  | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.<br />If not set, the default value is 64 KiB(64*1024). |
 | `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ |  false  | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.<br />If not set, the default value is 1 MiB. |
 | `maxConcurrentStreams` | _integer_ |  false  | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.<br />If not set, the default value is 100. |
-| `terminateConnOnError` | _boolean_ |  false  | TerminateConnOnError determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error<br />It's recommended for L2 Envoy deployments to set this value to false.<br />https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two<br />Default: true |
+| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ |  false  | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error<br />It's recommended for L2 Envoy deployments to set this value to TerminateStream.<br />https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two<br />Default: TerminateConnection |
 
 
 #### HTTP3Settings
@@ -2050,6 +2050,21 @@ _Appears in:_
 | `Host` | InfrastructureProviderTypeHost defines the "Host" provider.<br /> | 
 
 
+#### InvalidMessageAction
+
+_Underlying type:_ _string_
+
+
+
+_Appears in:_
+- [HTTP2Settings](#http2settings)
+
+| Value | Description |
+| ----- | ----------- |
+| `TerminateConnection` |  | 
+| `TerminateStream` |  | 
+
+
 #### JSONPatchOperation
 
 

site/content/zh/latest/api/extension_types.md

@@ -1801,7 +1801,7 @@ _Appears in:_
 | `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ |  false  | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.<br />If not set, the default value is 64 KiB(64*1024). |
 | `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ |  false  | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.<br />If not set, the default value is 1 MiB. |
 | `maxConcurrentStreams` | _integer_ |  false  | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.<br />If not set, the default value is 100. |
-| `terminateConnOnError` | _boolean_ |  false  | TerminateConnOnError determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error<br />It's recommended for L2 Envoy deployments to set this value to false.<br />https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two<br />Default: true |
+| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ |  false  | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error<br />It's recommended for L2 Envoy deployments to set this value to TerminateStream.<br />https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two<br />Default: TerminateConnection |
 
 
 #### HTTP3Settings
@@ -2050,6 +2050,21 @@ _Appears in:_
 | `Host` | InfrastructureProviderTypeHost defines the "Host" provider.<br /> | 
 
 
+#### InvalidMessageAction
+
+_Underlying type:_ _string_
+
+
+
+_Appears in:_
+- [HTTP2Settings](#http2settings)
+
+| Value | Description |
+| ----- | ----------- |
+| `TerminateConnection` |  | 
+| `TerminateStream` |  | 
+
+
 #### JSONPatchOperation