Merge branch 'main' into fix-oidc
zhaohuabing committed Dec 28, 2023
2 parents fec1718 + 38a3399 commit 6ca792e
Showing 5 changed files with 290 additions and 2 deletions.
Expand Up @@ -334,6 +334,12 @@ spec:
required:
- issuer
type: object
redirectURI:
description: The redirect URI to be used in the OIDC [Authentication
Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
maxLength: 253
minLength: 1
type: string
scopes:
description: The OIDC scopes to be used in the [Authentication
Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
Expand All @@ -346,6 +352,7 @@ spec:
- clientID
- clientSecret
- provider
- redirectURI
type: object
targetRef:
description: TargetRef is the name of the Gateway resource this policy
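Review bot: The new `redirectURI` property in the first hunk is constrained only by length (`minLength: 1`, `maxLength: 253`), so the schema accepts any non-empty string as the OIDC redirect URI, including relative values or non-HTTP schemes. Because this value is sent in the Authentication Request and has to match what is registered at the provider, the schema should reject anything that is not an absolute http(s) URL, for example by adding `pattern: '^https?://'` next to `maxLength`; if this CRD is generated, the constraint belongs on the API type's validation marker instead. The limit of 253 looks like the DNS name limit and may be too short for a URL that carries a path. The second hunk also lists the field under `required`, which would presumably make existing objects that omit it fail validation, so it is worth confirming that this is intended.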
2 changes: 1 addition & 1 deletion internal/gatewayapi/backendtrafficpolicy.go
Expand Up @@ -263,7 +263,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen
}

// Apply IR to all relevant routes
prefix := irRoutePrefix(route)
prefix := irRoutePrefix(route) + "/" // Prevent mismatching routes with the same prefix
for _, ir := range xdsIR {
for _, http := range ir.HTTP {
for _, r := range http.Routes {
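Review bot: The separator fix is applied inline at `prefix := irRoutePrefix(route) + "/"`, and the identical line is repeated in `translateSecurityPolicyForRoute` in securitypolicy.go, so any other caller that matches on `irRoutePrefix` alone can reintroduce the same over-matching (a policy for `httproute-1` also landing on `httproute-1-1`). I would move the trailing separator into one shared helper used by both translators, and replace the trailing comment with one that states the invariant, e.g. `// Trailing "/" so a policy for route "foo" is not applied to route "foo-bar"`. The comparison that consumes `prefix` lies outside this hunk, so this assumes it is a plain string-prefix check on the IR route name.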
2 changes: 1 addition & 1 deletion internal/gatewayapi/securitypolicy.go
Expand Up @@ -293,7 +293,7 @@ func (t *Translator) translateSecurityPolicyForRoute(
// Apply IR to all relevant routes
// Note: there are multiple features in a security policy, even if some of them
// are invalid, we still want to apply the valid ones.
prefix := irRoutePrefix(route)
prefix := irRoutePrefix(route) + "/" // Prevent mismatching routes with the same prefix
for _, ir := range xdsIR {
for _, http := range ir.HTTP {
for _, r := range http.Routes {
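Review bot: No regression fixture for this path is visible in the commit: the added testdata exercises only a BackendTrafficPolicy, while on this path a mis-scoped match means the features of one route's SecurityPolicy being applied to a different route. A fixture pair mirroring the backend-traffic one (two HTTPRoutes named `httproute-1` and `httproute-1-1`, with a SecurityPolicy targeting only the first) would pin the behaviour of `prefix := irRoutePrefix(route) + "/"` here. The function body starts and continues outside the hunk, so the matching loop itself cannot be checked from this view.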
@@ -0,0 +1,70 @@
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: default
name: gateway-1
spec:
gatewayClassName: envoy-gateway-class
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: default
name: httproute-1
spec:
hostnames:
- gateway.envoyproxy.io
parentRefs:
- namespace: default
name: gateway-1
sectionName: http
rules:
- matches:
- path:
value: "/"
backendRefs:
- name: service-1
port: 8080
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: default
name: httproute-1-1
spec:
hostnames:
- gateway.envoyproxy.io
parentRefs:
- namespace: default
name: gateway-1
sectionName: http
rules:
- matches:
- path:
value: "/"
backendRefs:
- name: service-1
port: 8080
backendTrafficPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
namespace: default
name: policy-for-httproute-1
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: httproute-1
namespace: default
circuitBreaker:
maxConnections: 2048
maxPendingRequests: 1
maxParallelRequests: 4294967295
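Review bot: The fixture does not say what it is testing; the intent is visible only by comparing the two route names. A leading comment such as `# httproute-1-1 shares a name prefix with httproute-1; the policy targets httproute-1 only and must not be applied to httproute-1-1` would make the regression case clear to the next maintainer. Both routes also use the same hostname and the same path match `/`, which is fine for this check but worth stating in that comment so it is not mistaken for the condition under test.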
@@ -0,0 +1,211 @@
backendTrafficPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
creationTimestamp: null
name: policy-for-httproute-1
namespace: default
spec:
circuitBreaker:
maxConnections: 2048
maxParallelRequests: 4294967295
maxPendingRequests: 1
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: httproute-1
namespace: default
status:
conditions:
- lastTransitionTime: null
message: BackendTrafficPolicy has been accepted.
reason: Accepted
status: "True"
type: Accepted
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
creationTimestamp: null
name: gateway-1
namespace: default
spec:
gatewayClassName: envoy-gateway-class
listeners:
- allowedRoutes:
namespaces:
from: All
name: http
port: 80
protocol: HTTP
status:
listeners:
- attachedRoutes: 2
conditions:
- lastTransitionTime: null
message: Sending translated listener configuration to the data plane
reason: Programmed
status: "True"
type: Programmed
- lastTransitionTime: null
message: Listener has been successfully translated
reason: Accepted
status: "True"
type: Accepted
- lastTransitionTime: null
message: Listener references have been resolved
reason: ResolvedRefs
status: "True"
type: ResolvedRefs
name: http
supportedKinds:
- group: gateway.networking.k8s.io
kind: HTTPRoute
- group: gateway.networking.k8s.io
kind: GRPCRoute
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
creationTimestamp: null
name: httproute-1
namespace: default
spec:
hostnames:
- gateway.envoyproxy.io
parentRefs:
- name: gateway-1
namespace: default
sectionName: http
rules:
- backendRefs:
- name: service-1
port: 8080
matches:
- path:
value: /
status:
parents:
- conditions:
- lastTransitionTime: null
message: Route is accepted
reason: Accepted
status: "True"
type: Accepted
- lastTransitionTime: null
message: Resolved all the Object references for the Route
reason: ResolvedRefs
status: "True"
type: ResolvedRefs
controllerName: gateway.envoyproxy.io/gatewayclass-controller
parentRef:
name: gateway-1
namespace: default
sectionName: http
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
creationTimestamp: null
name: httproute-1-1
namespace: default
spec:
hostnames:
- gateway.envoyproxy.io
parentRefs:
- name: gateway-1
namespace: default
sectionName: http
rules:
- backendRefs:
- name: service-1
port: 8080
matches:
- path:
value: /
status:
parents:
- conditions:
- lastTransitionTime: null
message: Route is accepted
reason: Accepted
status: "True"
type: Accepted
- lastTransitionTime: null
message: Resolved all the Object references for the Route
reason: ResolvedRefs
status: "True"
type: ResolvedRefs
controllerName: gateway.envoyproxy.io/gatewayclass-controller
parentRef:
name: gateway-1
namespace: default
sectionName: http
infraIR:
default/gateway-1:
proxy:
listeners:
- address: null
name: default/gateway-1/http
ports:
- containerPort: 10080
name: http
protocol: HTTP
servicePort: 80
metadata:
labels:
gateway.envoyproxy.io/owning-gateway-name: gateway-1
gateway.envoyproxy.io/owning-gateway-namespace: default
name: default/gateway-1
xdsIR:
default/gateway-1:
accessLog:
text:
- path: /dev/stdout
http:
- address: 0.0.0.0
hostnames:
- '*'
isHTTP2: false
name: default/gateway-1/http
port: 10080
routes:
- backendWeights:
invalid: 0
valid: 0
circuitBreaker:
maxConnections: 2048
maxParallelRequests: 4294967295
maxPendingRequests: 1
destination:
name: httproute/default/httproute-1/rule/0
settings:
- addressType: IP
endpoints:
- host: 7.7.7.7
port: 8080
protocol: HTTP
weight: 1
hostname: gateway.envoyproxy.io
name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io
pathMatch:
distinct: false
name: ""
prefix: /
- backendWeights:
invalid: 0
valid: 0
destination:
name: httproute/default/httproute-1-1/rule/0
settings:
- addressType: IP
endpoints:
- host: 7.7.7.7
port: 8080
protocol: HTTP
weight: 1
hostname: gateway.envoyproxy.io
name: httproute/default/httproute-1-1/rule/0/match/0/gateway_envoyproxy_io
pathMatch:
distinct: false
name: ""
prefix: /
