fix(meshaccesslog): deduplicate access logs for shared inbound port (backport of #16374) (#16377)

Automatic cherry-pick of #16374 for branch release-2.12

Generated by
[action](https://github.com/kumahq/kuma/actions/runs/24882318941)

cherry-picked commit 9a57939

⚠️ ⚠️ ⚠️ Conflicts happened when cherry-picking!
⚠️ ⚠️ ⚠️
```
On branch release-2.12
Your branch is up to date with 'origin/release-2.12'.

You are currently cherry-picking commit 9a57939.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	new file:   pkg/plugins/policies/meshaccesslog/plugin/v1alpha1/testdata/inbound_route_duplicate_port.listener.golden.yaml

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   pkg/plugins/policies/meshaccesslog/plugin/v1alpha1/plugin.go
	both modified:   pkg/plugins/policies/meshaccesslog/plugin/v1alpha1/plugin_test.go

```

---------

Signed-off-by: Lukasz Dziedziak <lukidzi@gmail.com>
Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
Co-authored-by: Lukasz Dziedziak <lukidzi@gmail.com>
Co-authored-by: Ilya Lobkov <ilya.lobkov@konghq.com>

Author: 3 people

pkg/plugins/policies/meshaccesslog/plugin/v1alpha1/plugin.go

@@ -112,18 +112,23 @@ func applyToInbounds(
 	backends *EndpointAccumulator,
 	accessLogSocketPath string,
 ) error {
+	configured := map[core_rules.InboundListener]struct{}{}
 	for _, inbound := range dataplane.Spec.GetNetworking().GetInbound() {
 		iface := dataplane.Spec.Networking.ToInboundInterface(inbound)
 
 		listenerKey := core_rules.InboundListener{
 			Address: iface.DataplaneIP,
 			Port:    iface.DataplanePort,
 		}
+		if _, ok := configured[listenerKey]; ok {
+			continue
+		}
 		listener, ok := inboundListeners[listenerKey]
 		if !ok {
 			continue
 		}
 		protocol := core_meta.ParseProtocol(inbound.GetProtocol())
+		configured[listenerKey] = struct{}{}
 		conf := rules_inbound.MatchesAllIncomingTraffic[api.Conf](rules.InboundRules[listenerKey])
 		kumaValues := listeners_v3.KumaValues{
 			SourceService:      mesh_proto.ServiceUnknown,

pkg/plugins/policies/meshaccesslog/plugin/v1alpha1/plugin_test.go

@@ -75,6 +75,7 @@ var _ = Describe("MeshAccessLog", func() {
 		expectedClusters  []string
 		features          xds_types.Features
 		meshServicesMode  mesh_proto.Mesh_MeshServices_Mode
+		extraInbounds     []*builders.InboundBuilder
 	}
 	DescribeTable("should generate proper Envoy config",
 		func(given sidecarTestCase) {
@@ -99,25 +100,28 @@ var _ = Describe("MeshAccessLog", func() {
 				AddServiceProtocol("other-service-tcp", core_meta.ProtocolTCP).
 				Build()
 
+			dpBuilder := builders.Dataplane().
+				WithName("backend").
+				WithMesh("default").
+				AddInbound(builders.Inbound().
+					WithService("backend").
+					WithAddress("127.0.0.1").
+					WithPort(17777).
+					WithTags(map[string]string{
+						mesh_proto.ProtocolTag: "http",
+					}),
+				)
+
+			for _, extra := range given.extraInbounds {
+				dpBuilder = dpBuilder.AddInbound(extra)
+			}
 			proxy := xds_builders.Proxy().
 				WithID(*core_xds.BuildProxyId("default", "backend")).
 				WithMetadata(&core_xds.DataplaneMetadata{
 					WorkDir:  "/tmp",
 					Features: given.features,
 				}).
-				WithDataplane(
-					builders.Dataplane().
-						WithName("backend").
-						WithMesh("default").
-						AddInbound(builders.Inbound().
-							WithService("backend").
-							WithAddress("127.0.0.1").
-							WithPort(17777).
-							WithTags(map[string]string{
-								mesh_proto.ProtocolTag: "http",
-							}),
-						),
-				).
+				WithDataplane(dpBuilder).
 				WithOutbounds(append(given.outbounds, &xds_types.Outbound{
 					LegacyOutbound: builders.Outbound().
 						WithService("other-service-http").
@@ -722,6 +726,65 @@ var _ = Describe("MeshAccessLog", func() {
 			},
 			expectedListeners: []string{"inbound_route.listener.golden.yaml"},
 		}),
+		Entry("inbound with two services on the same port does not duplicate access log", sidecarTestCase{
+			resources: []core_xds.Resource{{
+				Name:   "inbound",
+				Origin: metadata.OriginInbound,
+				Resource: NewInboundListenerBuilder(envoy_common.APIV3, "127.0.0.1", 17777, core_xds.SocketAddressProtocolTCP).
+					Configure(FilterChain(NewFilterChainBuilder(envoy_common.APIV3, envoy_common.AnonymousResource).
+						Configure(HttpConnectionManager("127.0.0.1:17777", false, nil, true)).
+						Configure(
+							HttpInboundRoutes(
+								envoy_names.GetInboundRouteName("backend"),
+								"backend",
+								envoy_common.Routes{
+									{
+										Clusters: []envoy_common.Cluster{envoy_common.NewCluster(
+											envoy_common.WithService("backend"),
+											envoy_common.WithWeight(100),
+										)},
+									},
+								},
+							),
+						),
+					)).MustBuild(),
+			}},
+			extraInbounds: []*builders.InboundBuilder{
+				builders.Inbound().
+					WithService("backend-canary").
+					WithAddress("127.0.0.1").
+					WithPort(17777).
+					WithTags(map[string]string{
+						mesh_proto.ProtocolTag: "http",
+					}),
+			},
+			fromRules: core_rules.FromRules{
+				Rules: map[core_rules.InboundListener]core_rules.Rules{
+					{Address: "127.0.0.1", Port: 17777}: {{
+						Subset: subsetutils.Subset{},
+						Conf: api.Conf{
+							Backends: &[]api.Backend{{
+								File: &api.FileBackend{
+									Path: "/tmp/log",
+								},
+							}},
+						},
+					}},
+				},
+				InboundRules: map[core_rules.InboundListener][]*inbound.Rule{
+					{Address: "127.0.0.1", Port: 17777}: {{
+						Conf: &api.Rule{Default: api.Conf{
+							Backends: &[]api.Backend{{
+								File: &api.FileBackend{
+									Path: "/tmp/log",
+								},
+							}},
+						}},
+					}},
+				},
+			},
+			expectedListeners: []string{"inbound_route_duplicate_port.listener.golden.yaml"},
+		}),
 	)
 	type gatewayTestCase struct {
 		routes []*core_mesh.MeshGatewayRouteResource

pkg/plugins/policies/meshaccesslog/plugin/v1alpha1/testdata/inbound_route_duplicate_port.listener.golden.yaml

@@ -0,0 +1,47 @@
+address:
+  socketAddress:
+    address: 127.0.0.1
+    portValue: 17777
+enableReusePort: false
+filterChains:
+- filters:
+  - name: envoy.filters.network.http_connection_manager
+    typedConfig:
+      '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+      accessLog:
+      - name: envoy.access_loggers.file
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+          logFormat:
+            textFormatSource:
+              inlineString: |
+                [%START_TIME%] default "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-B3-TRACEID?X-DATADOG-TRACEID)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "unknown" "backend" "127.0.0.1" "%UPSTREAM_HOST%"
+          path: /tmp/log
+      httpFilters:
+      - name: envoy.filters.http.router
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+      internalAddressConfig:
+        cidrRanges:
+        - addressPrefix: 127.0.0.1
+          prefixLen: 32
+        - addressPrefix: ::1
+          prefixLen: 128
+      routeConfig:
+        name: inbound:backend
+        requestHeadersToRemove:
+        - x-kuma-tags
+        validateClusters: false
+        virtualHosts:
+        - domains:
+          - '*'
+          name: backend
+          routes:
+          - match:
+              prefix: /
+            route:
+              cluster: backend
+              timeout: 0s
+      statPrefix: "127_0_0_1_17777"
+name: inbound:127.0.0.1:17777
+trafficDirection: INBOUND