diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go
index b76e215f99a..842fda57f0b 100644
--- a/internal/gatewayapi/backendtlspolicy.go
+++ b/internal/gatewayapi/backendtlspolicy.go
@@ -9,11 +9,14 @@ import (
 "fmt"
 "reflect"
+ corev1 "k8s.io/api/core/v1"
 "k8s.io/utils/ptr"
 gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3"
+ corev1 "k8s.io/api/core/v1"
+
 egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 "github.com/envoyproxy/gateway/internal/gatewayapi/resource"
 "github.com/envoyproxy/gateway/internal/gatewayapi/status"
@@ -32,7 +35,7 @@ func (t *Translator) processBackendTLSPolicy(
 resources *resource.Resources,
 envoyProxy *egv1a1.EnvoyProxy,
 ) (*ir.TLSUpstreamConfig, *gwapiv1a3.BackendTLSPolicy) {
- policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace)
+ policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace, resources.Services)
 if policy == nil {
 return nil, nil
 }
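Review bot: `corev1 "k8s.io/api/core/v1"` is added twice in the import hunk — once after `"reflect"` and again after the gwapiv1a3 line — and the hunk header's counts (11 old, 14 new) are consistent with three added lines, so this does not look like a rendering artifact; a repeated import alias is a compile error in Go (`corev1 redeclared in this block`). Dropping the second `+	corev1 "k8s.io/api/core/v1"` line together with the blank line added after it keeps the k8s.io imports in the group where goimports would place them, and leaves the single alias the new code in getTargetBackendReferenceWithPortName needs.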
@@ -157,13 +160,49 @@ func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2
 return false
 }
-func getBackendTLSPolicy(policies []*gwapiv1a3.BackendTLSPolicy, backendRef gwapiv1a2.BackendObjectReference, backendNamespace string) *gwapiv1a3.BackendTLSPolicy {
+func getTargetBackendReferenceWithPortName(backendRef gwapiv1a2.BackendObjectReference, backendNamespace string, services []*corev1.Service) gwapiv1a2.LocalPolicyTargetReferenceWithSectionName {
+ ref := getTargetBackendReference(backendRef)
+ if ref.SectionName == nil {
+ return ref
+ }
+ if backendRef.Kind != nil && *backendRef.Kind != resource.KindService {
+ return ref
+ }
+
+ for _, svc := range services {
+ if svc.Namespace == backendNamespace && svc.Name == string(backendRef.Name) {
+ for _, port := range svc.Spec.Ports {
+ if port.Port == int32(*backendRef.Port) {
+ if port.Name != "" {
+ ref.SectionName = SectionNamePtr(port.Name)
+ }
+ }
+ }
+ }
+ }
+ return ref
+}
+
+func getBackendTLSPolicy(
+ policies []*gwapiv1a3.BackendTLSPolicy,
+ backendRef gwapiv1a2.BackendObjectReference,
+ backendNamespace string,
+ services []*corev1.Service,
+) *gwapiv1a3.BackendTLSPolicy {
 target := getTargetBackendReference(backendRef)
 for _, policy := range policies {
 if backendTLSTargetMatched(*policy, target, backendNamespace) {
 return policy
 }
 }
+
+ // SectionName can be port name for Kubernetes Service
+ target = getTargetBackendReferenceWithPortName(backendRef, backendNamespace, services)
+ for _, policy := range policies {
+ if backendTLSTargetMatched(*policy, target, backendNamespace) {
+ return policy
+ }
+ }
 return nil
 }
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.in.yaml
index e87b3ad1cb9..efd69116641 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.in.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.in.yaml
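Review bot: In getTargetBackendReferenceWithPortName, `*backendRef.Port` is dereferenced inside the port loop with no nil check; the only guard is `ref.SectionName == nil`, which protects the dereference only if getTargetBackendReference (outside this hunk) derives SectionName from Port and nothing else, so `if backendRef.Port == nil || ref.SectionName == nil { return ref }` would keep the lookup from panicking however that helper evolves. The nested loops also keep iterating after the matching port is found; returning right after `ref.SectionName = SectionNamePtr(port.Name)` states the single-match intent and drops the remaining comparisons. In getBackendTLSPolicy the second scan runs even when no port name was resolved, so target is unchanged and the first pass is repeated with the same outcome; assigning the port-name target to a separate local and guarding the second loop with `if ptr.Deref(named.SectionName, "") != ptr.Deref(target.SectionName, "")` (ptr is already imported by this file) avoids that. Because a non-match makes processBackendTLSPolicy return `nil, nil` — no upstream TLS config, hence no CA validation or hostname check for that backend — a short doc comment on getTargetBackendReferenceWithPortName stating that a port-number match takes precedence over a port-name match and that a nil Kind is treated as Service would help readers confirm which policy applies.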
@@ -123,7 +123,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: ca-cmap
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml
index 7d776a1784f..2e6c7d9dd97 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml
@@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: ""
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml
index b701ad9800f..fd4caad15e4 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml
@@ -108,7 +108,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: ca-secret
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml
index a65ea66d0ab..7d6a8237be1 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml
@@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: ""
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml
index cc6c0f17c8f..2b6701762f7 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml
@@ -123,7 +123,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: ca-cmap
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml
index f85b9c73c3f..b17f6528118 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml
@@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: ""
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.in.yaml
index a86b1a25930..2fd3adc48e7 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.in.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.in.yaml
@@ -167,7 +167,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http - group: gateway.envoyproxy.io kind: Backend name: backend-ip-tls
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml
index 3467422f204..1056bc483ae 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml
@@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http - group: gateway.envoyproxy.io kind: Backend name: backend-ip-tls
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml
index 5a13fba2fc2..10ac7095127 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml
@@ -134,7 +134,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: ca-cmap
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml
index c8898169624..bfe19432905 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml
@@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: ""
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml
index 7abc20d19c1..a5484a20358 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml
@@ -105,7 +105,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: no-ca-cmap
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml
index cb968f9a6a0..2a7b7ab89d4 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml
@@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: ""
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml
index d3458d06da8..73ed3aa49bc 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml
@@ -64,11 +64,11 @@ services: clusterIP: 10.11.12.13 ports: - port: 8080 - name: http + name: http1 protocol: TCP targetPort: 8080 - port: 8081 - name: http + name: http2 protocol: TCP targetPort: 8081
@@ -114,7 +114,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8081" + sectionName: http2 validation: caCertificateRefs: - name: ca-cmap
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml
index 207713455e8..50d243d3e66 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml
@@ -14,7 +14,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8081" + sectionName: http2 validation: caCertificateRefs: - group: ""
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml
index 3b20aa31ee5..520065b82a4 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml
@@ -98,7 +98,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: wellKnownCACertificates: System hostname: example.com
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml
index 8438c8551ce..659d092df7f 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml
@@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: hostname: example.com wellKnownCACertificates: System
diff --git a/test/e2e/testdata/backend-tls-settings.yaml b/test/e2e/testdata/backend-tls-settings.yaml
index 749255f82e5..b78ace739fe 100644
--- a/test/e2e/testdata/backend-tls-settings.yaml
+++ b/test/e2e/testdata/backend-tls-settings.yaml
@@ -62,7 +62,8 @@ spec: selector: app: tls-backend ports: - - protocol: TCP + - name: https + protocol: TCP port: 443 targetPort: 8443 ---
@@ -137,7 +138,7 @@ spec: - group: "" kind: Service name: tls-backend - sectionName: "443" + sectionName: https validation: caCertificateRefs: - name: backend-tls-certificate
diff --git a/test/e2e/testdata/backend-tls.yaml b/test/e2e/testdata/backend-tls.yaml
index f00218ab99c..5616e144ede 100644
--- a/test/e2e/testdata/backend-tls.yaml
+++ b/test/e2e/testdata/backend-tls.yaml
@@ -8,7 +8,7 @@ spec: - group: "" kind: Service name: tls-backend-2 - sectionName: "443" + sectionName: https validation: caCertificateRefs: - name: backend-tls-checks-certificate
@@ -42,7 +42,8 @@ spec: selector: app: tls-backend-2 ports: - - protocol: TCP + - name: https + protocol: TCP port: 443 targetPort: 8443 ---