fix btlsp section name
Signed-off-by: Huabing Zhao <[email protected]>
zhaohuabing committed Nov 26, 2024
1 parent 6a1fd8a commit 153fd00
Showing 19 changed files with 65 additions and 24 deletions.
43 changes: 41 additions & 2 deletions internal/gatewayapi/backendtlspolicy.go
Expand Up @@ -9,11 +9,14 @@ import (
"fmt"
"reflect"

corev1 "k8s.io/api/core/v1"

Check failure on line 12 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / coverage-test

other declaration of corev1

Check failure on line 12 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / gen-check

other declaration of corev1

Check failure on line 12 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / lint

other declaration of corev1

Check failure on line 12 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / lint

other declaration of corev1

Check failure on line 12 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / lint

other declaration of corev1
"k8s.io/utils/ptr"
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3"

corev1 "k8s.io/api/core/v1"

Check failure on line 18 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / coverage-test

corev1 redeclared in this block

Check failure on line 18 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / coverage-test

"k8s.io/api/core/v1" imported as corev1 and not used

Check failure on line 18 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / gen-check

corev1 redeclared in this block

Check failure on line 18 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / gen-check

"k8s.io/api/core/v1" imported as corev1 and not used

Check failure on line 18 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / lint

corev1 redeclared in this block

Check failure on line 18 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / lint

"k8s.io/api/core/v1" imported as corev1 and not used) (typecheck)

Check failure on line 18 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / lint

corev1 redeclared in this block

Check failure on line 18 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / lint

"k8s.io/api/core/v1" imported as corev1 and not used) (typecheck)

Check failure on line 18 in internal/gatewayapi/backendtlspolicy.go

GitHub Actions / lint

corev1 redeclared in this block

egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
"github.com/envoyproxy/gateway/internal/gatewayapi/resource"
"github.com/envoyproxy/gateway/internal/gatewayapi/status"
Expand All @@ -32,7 +35,7 @@ func (t *Translator) processBackendTLSPolicy(
resources *resource.Resources,
envoyProxy *egv1a1.EnvoyProxy,
) (*ir.TLSUpstreamConfig, *gwapiv1a3.BackendTLSPolicy) {
policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace)
policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace, resources.Services)
if policy == nil {
return nil, nil
}
Expand Down Expand Up @@ -157,13 +160,49 @@ func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2
return false
}

func getBackendTLSPolicy(policies []*gwapiv1a3.BackendTLSPolicy, backendRef gwapiv1a2.BackendObjectReference, backendNamespace string) *gwapiv1a3.BackendTLSPolicy {
func getTargetBackendReferenceWithPortName(backendRef gwapiv1a2.BackendObjectReference, backendNamespace string, services []*corev1.Service) gwapiv1a2.LocalPolicyTargetReferenceWithSectionName {
ref := getTargetBackendReference(backendRef)
if ref.SectionName == nil {
return ref
}
if backendRef.Kind != nil && *backendRef.Kind != resource.KindService {
return ref
}

for _, svc := range services {
if svc.Namespace == backendNamespace && svc.Name == string(backendRef.Name) {
for _, port := range svc.Spec.Ports {
if port.Port == int32(*backendRef.Port) {
if port.Name != "" {
ref.SectionName = SectionNamePtr(port.Name)
}
}
}
}
}
return ref
}

func getBackendTLSPolicy(
policies []*gwapiv1a3.BackendTLSPolicy,
backendRef gwapiv1a2.BackendObjectReference,
backendNamespace string,
services []*corev1.Service,
) *gwapiv1a3.BackendTLSPolicy {
target := getTargetBackendReference(backendRef)
for _, policy := range policies {
if backendTLSTargetMatched(*policy, target, backendNamespace) {
return policy
}
}

// SectionName can be port name for Kubernetes Service
target = getTargetBackendReferenceWithPortName(backendRef, backendNamespace, services)
for _, policy := range policies {
if backendTLSTargetMatched(*policy, target, backendNamespace) {
return policy
}
}
return nil
}
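Review bot: getTargetBackendReferenceWithPortName dereferences `*backendRef.Port` in the port comparison without a nil check of its own; the only guard is `ref.SectionName == nil`, which is safe only if getTargetBackendReference (not shown in this section) leaves SectionName unset whenever Port is nil. A nil dereference here would panic the translator, so I would make the guard explicit: `if ref.SectionName == nil || backendRef.Port == nil { return ref }`. The lookup order in getBackendTLSPolicy also deserves a doc comment, since a policy matching the port number is returned before the port name is tried and the chosen policy appears to determine the upstream TLS validation settings; something like `// A policy whose sectionName is the port number takes precedence over one that uses the Service port name.` above the function would make that precedence reviewable.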

Expand Up @@ -123,7 +123,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
validation:
caCertificateRefs:
- name: ca-cmap
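Review bot: Every fixture section shown on this page switches `sectionName` from the port number (`"8080"`, `"8081"`, `"443"`) to a port name, so none of them still exercises the numeric match that getBackendTLSPolicy keeps as its first lookup. If no other fixture in the repository covers that path, I would leave one policy on the numeric form, e.g. `sectionName: "8080"` in one of these inputs, so that both lookup paths stay under test. The same applies to the remaining testdata sections below and to the two e2e files.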
Expand Up @@ -10,7 +10,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
validation:
caCertificateRefs:
- group: ""
Expand Up @@ -108,7 +108,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
validation:
caCertificateRefs:
- name: ca-secret
Expand Up @@ -10,7 +10,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
validation:
caCertificateRefs:
- group: ""
Expand Up @@ -123,7 +123,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
validation:
caCertificateRefs:
- name: ca-cmap
Expand Up @@ -10,7 +10,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
validation:
caCertificateRefs:
- group: ""
Expand Up @@ -167,7 +167,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
- group: gateway.envoyproxy.io
kind: Backend
name: backend-ip-tls
Expand Up @@ -10,7 +10,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
- group: gateway.envoyproxy.io
kind: Backend
name: backend-ip-tls
Expand Up @@ -134,7 +134,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
validation:
caCertificateRefs:
- name: ca-cmap
Expand Up @@ -10,7 +10,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
validation:
caCertificateRefs:
- group: ""
Expand Up @@ -105,7 +105,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
validation:
caCertificateRefs:
- name: no-ca-cmap
Expand Up @@ -10,7 +10,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
validation:
caCertificateRefs:
- group: ""
Expand Up @@ -64,11 +64,11 @@ services:
clusterIP: 10.11.12.13
ports:
- port: 8080
name: http
name: http1
protocol: TCP
targetPort: 8080
- port: 8081
name: http
name: http2
protocol: TCP
targetPort: 8081

Expand Down Expand Up @@ -114,7 +114,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8081"
sectionName: http2
validation:
caCertificateRefs:
- name: ca-cmap
Expand Up @@ -14,7 +14,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8081"
sectionName: http2
validation:
caCertificateRefs:
- group: ""
Expand Up @@ -98,7 +98,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
validation:
wellKnownCACertificates: System
hostname: example.com
Expand Up @@ -10,7 +10,7 @@ backendTLSPolicies:
- group: ""
kind: Service
name: http-backend
sectionName: "8080"
sectionName: http
validation:
hostname: example.com
wellKnownCACertificates: System
5 changes: 3 additions & 2 deletions test/e2e/testdata/backend-tls-settings.yaml
Expand Up @@ -62,7 +62,8 @@ spec:
selector:
app: tls-backend
ports:
- protocol: TCP
- name: https
protocol: TCP
port: 443
targetPort: 8443
---
Expand Down Expand Up @@ -137,7 +138,7 @@ spec:
- group: ""
kind: Service
name: tls-backend
sectionName: "443"
sectionName: https
validation:
caCertificateRefs:
- name: backend-tls-certificate
5 changes: 3 additions & 2 deletions test/e2e/testdata/backend-tls.yaml
Expand Up @@ -8,7 +8,7 @@ spec:
- group: ""
kind: Service
name: tls-backend-2
sectionName: "443"
sectionName: https
validation:
caCertificateRefs:
- name: backend-tls-checks-certificate
Expand Down Expand Up @@ -42,7 +42,8 @@ spec:
selector:
app: tls-backend-2
ports:
- protocol: TCP
- name: https
protocol: TCP
port: 443
targetPort: 8443
---
