
fix(meshpassthrough): disable tls and http inspector for mysql protocol #12839

Open: wants to merge 4 commits into master
Conversation

lukidzi (Contributor) commented Feb 12, 2025

Motivation

When trying to communicate with MySQL, the user wants to enable communication with the database. Unfortunately, the MySQL protocol is slightly different, and the usual method of configuring filter chains does not work when using MeshPassthrough.

Implementation information

  • Added original_dst listener filter
  • Added a protocol mysql which works only with CIDR/IP and requires a port, since we need to disable the tls_inspector and http_inspector listener filters for the port
  • The mysql protocol creates a tcp_proxy, but with disabled listener filters
  • Added test

Why add a mysql protocol and not just disable the inspectors on ports with TCP protocol?

The user may have rules with HTTP traffic and TCP traffic on the same port matching different IPs. Example: tls matching on port 8080 (IP: 192.168.1.1) and TCP matching on port 8080 (IP: 172.1.1.1); that would disable the TLS inspector on port 8080 and the tls rule wouldn't match.
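As an added illustration (not code from the Kuma project or from this PR), the following Go model captures the two rules stated above: a mysql appendMatch must carry a port and an IP/CIDR value, and tls_inspector/http_inspector are dropped only on ports that carry a mysql match while original_dst is always emitted. The `Match` struct and the `Validate` and `ListenerFilters` functions are hypothetical names; the conflict check for a mysql match sharing a port with a tls/http match is an assumption added here to make the "same port, different protocols" concern checkable, not behaviour the PR states.

```go
package main

import (
	"fmt"
	"net"
)

// Protocol names are lowercased, following the convention the PR discussion cites.
const (
	ProtocolTLS   = "tls"
	ProtocolHTTP  = "http"
	ProtocolTCP   = "tcp"
	ProtocolMySQL = "mysql"
)

// Match is a simplified, hypothetical model of a MeshPassthrough appendMatch entry.
type Match struct {
	Type     string // "Domain", "IP" or "CIDR"
	Value    string
	Protocol string
	Port     *int // nil means "any port"
}

// Validate applies the rule stated in the PR description: a mysql match must carry a
// port and must be an IP or CIDR, because the inspectors are disabled per port.
func Validate(matches []Match) []string {
	var errs []string
	for i, m := range matches {
		if m.Protocol != ProtocolMySQL {
			continue
		}
		if m.Port == nil {
			errs = append(errs, fmt.Sprintf("appendMatch[%d].port: port must be defined for mysql protocol", i))
		}
		switch m.Type {
		case "IP":
			if net.ParseIP(m.Value) == nil {
				errs = append(errs, fmt.Sprintf("appendMatch[%d].value: invalid IP", i))
			}
		case "CIDR":
			if _, _, err := net.ParseCIDR(m.Value); err != nil {
				errs = append(errs, fmt.Sprintf("appendMatch[%d].value: invalid CIDR", i))
			}
		default:
			errs = append(errs, fmt.Sprintf("appendMatch[%d].type: mysql protocol works only with IP or CIDR", i))
		}
	}
	return errs
}

// ListenerFilters returns, per explicit port, the ordered listener filters that port's
// listener would carry: original_dst always, plus tls_inspector and http_inspector
// unless a mysql match is bound to the port. Returning an error when a mysql match
// shares a port with a tls/http match is an assumption added for this example.
func ListenerFilters(matches []Match) (map[int][]string, error) {
	mysqlPorts := map[int]bool{}
	inspectedPorts := map[int]bool{}
	for _, m := range matches {
		if m.Port == nil {
			continue
		}
		switch m.Protocol {
		case ProtocolMySQL:
			mysqlPorts[*m.Port] = true
		case ProtocolTLS, ProtocolHTTP:
			inspectedPorts[*m.Port] = true
		}
	}
	out := map[int][]string{}
	for _, m := range matches {
		if m.Port == nil {
			continue
		}
		p := *m.Port
		if mysqlPorts[p] && inspectedPorts[p] {
			return nil, fmt.Errorf("port %d: mysql match conflicts with tls/http match on the same port", p)
		}
		filters := []string{"envoy.filters.listener.original_dst"}
		if !mysqlPorts[p] {
			filters = append(filters, "envoy.filters.listener.tls_inspector", "envoy.filters.listener.http_inspector")
		}
		out[p] = filters
	}
	return out, nil
}

func main() {
	// Constructed sample: the port-8080 pair from the PR description plus a mysql CIDR rule.
	p3306, p8080 := 3306, 8080
	matches := []Match{
		{Type: "CIDR", Value: "10.0.0.0/8", Protocol: ProtocolMySQL, Port: &p3306},
		{Type: "IP", Value: "192.168.1.1", Protocol: ProtocolTLS, Port: &p8080},
		{Type: "IP", Value: "172.1.1.1", Protocol: ProtocolTCP, Port: &p8080},
	}
	fmt.Println("violations:", Validate(matches))
	lf, err := ListenerFilters(matches)
	fmt.Println("listener filters:", lf, "error:", err)
}
```

With the sample above, port 8080 keeps all three listener filters because the tls and tcp rules only differ by IP, while port 3306 is reduced to original_dst alone; a mysql rule without a port or with a Domain value is rejected before any listener is derived.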

Supporting documentation

https://dev.mysql.com/doc/dev/mysql-server/8.4.3/page_protocol_connection_phase_packets.html
envoyproxy/envoy#21044

@lukidzi lukidzi requested a review from a team as a code owner February 12, 2025 16:40

Reviewer Checklist

🔍 Each of these sections needs to be checked by the reviewer of the PR 🔍:
If something doesn't apply, please check the box and add a justification if the reason is not obvious.

  • Is the PR title satisfactory? Is this part of a larger feature and should be grouped using > Changelog?
  • PR description is clear and complete. It Links to relevant issue as well as docs and UI issues
  • This will not break child repos: it doesn't hardcode values (e.g. "kumahq" as an image registry)
  • IPv6 is taken into account (e.g. no string concatenation of host and port)
  • Tests (Unit test, E2E tests, manual test on universal and k8s)
    • Don't forget ci/ labels to run additional/fewer tests
  • Does this contain a change that needs to be notified to users? In this case, UPGRADE.md should be updated.
  • Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label)

Signed-off-by: Lukasz Dziedziak <[email protected]>
@lukidzi lukidzi added this to the 2.10.x milestone Feb 12, 2025
@lukidzi lukidzi changed the title fix(meshpassthrough): communicate with mysql fix(meshpassthrough): disable tls and http inspector for TCP protocol Feb 12, 2025
@lukidzi lukidzi changed the title fix(meshpassthrough): disable tls and http inspector for TCP protocol fix(meshpassthrough): disable tls and http inspector for mysql protocol Feb 12, 2025
@jijiechen jijiechen self-requested a review February 13, 2025 03:41

@slonka slonka left a comment


One Q

@@ -52,6 +52,9 @@ func validateDefault(conf Conf) validators.ValidationError {
}
uniqueDomains := map[portProtocol]map[string]bool{}
for i, match := range conf.AppendMatch {
if match.Protocol == MysqlProtocol && match.Port == nil {
verr.AddViolationAt(validators.RootedAt("appendMatch").Index(i).Field("port"), "port must be defined for Mysql protocol")
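Review bot: the new check only rejects a nil port for MysqlProtocol, but the PR description also says mysql works only with CIDR/IP matches, and no violation for a Domain-type match with the mysql protocol appears in this hunk. If that restriction is enforced elsewhere, a comment here pointing to it would help; otherwise add a second `verr.AddViolationAt(...)` on the match type beside the port check so both constraints are reported from the same loop.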
Contributor:

Nitpick: usual spelling is MySQL

Contributor Author:

We lowercase each protocol so we should not make an exception for MySQL https://github.com/kumahq/kuma/blob/master/pkg/core/resources/apis/mesh/dataplane_helpers.go#L23.

@@ -370,6 +370,9 @@ resources:
statPrefix: meshpassthrough_http_80
name: meshpassthrough_http_80
listenerFilters:
- name: envoy.filters.listener.original_dst
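Review bot: this golden adds `envoy.filters.listener.original_dst` to the `meshpassthrough_http_80` listener, which is not a mysql listener, so the filter is now emitted for every MeshPassthrough listener rather than only where the inspectors are disabled. The description bullet "Added original_dst listener filter" should state that it applies unconditionally, and since this changes generated Envoy config for existing users, the UPGRADE.md item in the reviewer checklist probably applies.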
Contributor:

Why is this original dest filter required always?

Contributor Author:

https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/original_dst_filter#linux. Previously, I overlooked this filter because our TLS and HTTP inspectors were handling everything correctly. However, after disabling the TLS/HTTP filters, matching stopped working, so I realized that the original_dst_filter was missing. I don’t think we need to disable it in other scenarios.

@lukidzi lukidzi requested a review from slonka February 17, 2025 10:58
@lukidzi lukidzi self-assigned this Feb 17, 2025
jijiechen (Member) commented Feb 18, 2025

Looks good to me, and I think this needs to be discussed/reviewed by extended members as it introduces a new protocol and touches many files.

Signed-off-by: Lukasz Dziedziak <[email protected]>