add e2e tests for ext auth with grpc auth service (envoyproxy#2841)

* add e2e tests for ext auth with grpc auth service Signed-off-by: huabing zhao <[email protected]> * add BackedTLSPolicy Signed-off-by: huabing zhao <[email protected]> * generate TLS socket for ext auth services Signed-off-by: huabing zhao <[email protected]> --------- Signed-off-by: huabing zhao <[email protected]>
Xunzhuo · Mar 13, 2024 · e73c085 · e73c085
1 parent 96b1090
commit e73c085
Show file tree

Hide file tree

Showing 7 changed files with 671 additions and 8 deletions.
diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
@@ -231,20 +231,32 @@ func (*extAuth) patchResources(tCtx *types.ResourceVersionTable,
 }
 
 func createExtServiceXDSCluster(rd *ir.RouteDestination, tCtx *types.ResourceVersionTable) error {
+	var (
+		endpointType EndpointType
+		tSocket      *corev3.TransportSocket
+		err          error
+	)
+
 	// Get the address type from the first setting.
 	// This is safe because no mixed address types in the settings.
 	addrTypeState := rd.Settings[0].AddressType
-
-	var endpointType EndpointType
 	if addrTypeState != nil && *addrTypeState == ir.FQDN {
 		endpointType = EndpointTypeDNS
 	} else {
 		endpointType = EndpointTypeStatic
 	}
-	if err := addXdsCluster(tCtx, &xdsClusterArgs{
+
+	if rd.Settings[0].TLS != nil {
+		tSocket, err = processTLSSocket(rd.Settings[0].TLS, tCtx)
+		if err != nil {
+			return err
+		}
+	}
+
+	if err = addXdsCluster(tCtx, &xdsClusterArgs{
 		name:         rd.Name,
 		settings:     rd.Settings,
-		tSocket:      nil,
+		tSocket:      tSocket,
 		endpointType: endpointType,
 	}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
 		return err

diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go
@@ -514,6 +514,27 @@ func processXdsCluster(tCtx *types.ResourceVersionTable, httpRoute *ir.HTTPRoute
 	return nil
 }
 
+// processTLSSocket generates a xDS TransportSocket for a given TLS config.
+// It also adds the necessary secrets to the resource version table.
+func processTLSSocket(tlsConfig *ir.TLSUpstreamConfig, tCtx *types.ResourceVersionTable) (*corev3.TransportSocket, error) {
+	if tlsConfig == nil {
+		return nil, nil
+	}
+	CaSecret := buildXdsUpstreamTLSCASecret(tlsConfig)
+	if CaSecret != nil {
+		if err := tCtx.AddXdsResource(resourcev3.SecretType, CaSecret); err != nil {
+			return nil, err
+		}
+	}
+	// for upstreamTLS , a fixed sni can be used. use auto_sni otherwise
+	// https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/sni#faq-how-to-setup-sni:~:text=For%20clusters%2C%20a,for%20trust%20anchor.
+	tlsSocket, err := buildXdsUpstreamTLSSocketWthCert(tlsConfig)
+	if err != nil {
+		return nil, err
+	}
+	return tlsSocket, nil
+}
+
 // findXdsSecret finds a xds secret with the same name, and returns nil if there is no match.
 func findXdsSecret(tCtx *types.ResourceVersionTable, name string) *tlsv3.Secret {
 	if tCtx == nil || tCtx.XdsResources == nil || tCtx.XdsResources[resourcev3.SecretType] == nil {

diff --git a/test/e2e/testdata/ext-auth-grpc-securitypolicy.yaml b/test/e2e/testdata/ext-auth-grpc-securitypolicy.yaml
@@ -0,0 +1,71 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-with-ext-auth
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+  - name: same-namespace
+  hostnames: ["www.example.com"]
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /myapp              # This is the path that will be protected by ext auth
+    backendRefs:
+    - name: infra-backend-v1
+      port: 8080
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-without-ext-auth
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+  - name: same-namespace
+  hostnames: ["www.example.com"]
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /public            # This is the path that will be public
+    backendRefs:
+    - name: infra-backend-v1
+      port: 8080
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+  name: ext-auth-test
+  namespace: gateway-conformance-infra
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: http-with-ext-auth
+  extAuth:
+    grpc:
+      backendRef:
+        name: grpc-ext-auth
+        namespace: gateway-conformance-infra
+        port: 9002
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: BackendTLSPolicy
+metadata:
+  name: grpc-ext-auth-btls
+  namespace: gateway-conformance-infra
+spec:
+  targetRef:
+    group: ''
+    kind: Service
+    name: grpc-ext-auth
+    sectionName: "9002"
+  tls:
+    caCertRefs:
+    - name: grpc-ext-auth-ca
+      group: ''
+      kind: ConfigMap
+    hostname: grpc-ext-auth