diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml
index 12142460fa3b..a451b5767741 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml
@@ -29,10 +29,16 @@ httpRoutes: rules: - matches: - path: - value: /foo + value: /foo1 backendRefs: - name: service-1 port: 8080 + - matches: + - path: + value: /foo2 + backendRefs: + - name: service-2 + port: 8080 - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata:
@@ -50,7 +56,7 @@ httpRoutes: - path: value: /bar backendRefs: - - name: service-1 + - name: service-3 port: 8080 services: - apiVersion: v1
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml
index 5754bcc67935..adad1912bc41 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml
@@ -59,7 +59,13 @@ httpRoutes: port: 8080 matches: - path: - value: /foo + value: /foo1 + - backendRefs: + - name: service-2 + port: 8080 + matches: + - path: + value: /foo2 status: parents: - conditions:
@@ -93,7 +99,7 @@ httpRoutes: sectionName: http rules: - backendRefs: - - name: service-1 + - name: service-3 port: 8080 matches: - path:
@@ -245,7 +251,42 @@ xdsIR: pathMatch: distinct: false name: "" - prefix: /foo + prefix: /foo1 + - backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-1/rule/1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + extAuth: + grpc: + authority: grpc-backend.default:9000 + destination: + name: securitypolicy/default/policy-for-http-route/grpc-backend + settings: + - addressType: IP + endpoints: + - host: 8.8.8.8 + port: 9000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + name: default/httproute-1 + hostname: www.foo.com + isHTTP2: false + name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo2 - backendWeights: invalid: 0 valid: 0
diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
index eb0d0ad9b748..5c36d21d4c16 100644
--- a/internal/xds/translator/extauth.go
+++ b/internal/xds/translator/extauth.go
@@ -58,10 +58,8 @@ func (*extAuth) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPLi
 // Only generates one OAuth2 Envoy filter for each unique name.
 // For example, if there are two routes under the same gateway with the
 // same OIDC config, only one OAuth2 filter will be generated.
- for _, existingFilter := range mgr.HttpFilters {
- if existingFilter.Name == extAuthFilterName(route.ExtAuth) {
- continue
- }
+ if hcmContainsFilter(mgr, extAuthFilterName(route.ExtAuth)) {
+ continue
 }
 
 filter, err := buildHCMExtAuthFilter(route.ExtAuth)
diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml
index be4653fce9f3..e8dd31814254 100644
--- a/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml
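Review bot: The comment kept above the new `hcmContainsFilter` check in patchHCM still talks about OAuth2 and OIDC ("Only generates one OAuth2 Envoy filter for each unique name ... same OIDC config"), although this is the ext_authz path and the check keys on `extAuthFilterName(route.ExtAuth)`; it should read `// Only generate one ext_authz filter per unique ExtAuth name: routes that share an ExtAuth config share the HCM filter.`. The old inner loop's `continue` only skipped the inner iteration, so duplicates were not actually prevented; the helper fixes that, which is worth a sentence in the commit description. The de-duplication compares filter names only, so if two routes ever carried the same ExtAuth name with different settings the first route's config would silently win — presumably the name is derived from the SecurityPolicy and is unique per config, but that invariant belongs in the comment. patchHCM starts and ends outside the hunk.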
@@ -35,6 +35,33 @@ http: port: 80 protocol: HTTP weight: 1 + - name: httproute/default/httproute-1/rule/1/match/0/www_example_com + hostname: "*" + pathMatch: + exact: "foo" + destination: + name: httproute/default/httproute-1/rule/0 + settings: + - endpoints: + - host: "10.0.0.1" + port: 50000 + extAuth: + name: default/httproute-1 + http: + authority: http-backend.envoy-gateway:80 + headersToBackend: + - header1 + - header2 + path: /auth + destination: + name: securitypolicy/default/policy-for-first-route/http-backend + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 80 + protocol: HTTP + weight: 1 - name: httproute/default/httproute-2/rule/0/match/0/www_example_com hostname: "*" pathMatch:
@@ -46,7 +73,7 @@ http: - host: "10.0.0.2" port: 60000 extAuth: - name: default/httproute-2 + name: default/gateway-1 grpc: authority: grpc-backend.default:9000 destination:
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
index f3a822fb1570..b5a0c93fe68c 100644
--- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
@@ -30,7 +30,7 @@ uri: http://http-backend.envoy-gateway:80/auth transportApiVersion: V3 - disabled: true - name: envoy.filters.http.ext_authz_default/httproute-2 + name: envoy.filters.http.ext_authz_default/gateway-1 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz allowedHeaders:
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml
index 7b96a254ab78..d16f9a43047e 100644
--- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml
@@ -16,6 +16,17 @@ envoy.filters.http.ext_authz_default/httproute-1: '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig config: {} + - match: + path: foo + name: httproute/default/httproute-1/rule/1/match/0/www_example_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz_default/httproute-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} - match: path: bar name: httproute/default/httproute-2/rule/0/match/0/www_example_com
@@ -24,6 +35,6 @@ upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: - envoy.filters.http.ext_authz_default/httproute-2: + envoy.filters.http.ext_authz_default/gateway-1: '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig config: {}
diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go
index e3446a7c3d7d..8d16f1462717 100644
--- a/internal/xds/translator/utils.go
+++ b/internal/xds/translator/utils.go
@@ -14,6 +14,7 @@ import (
 "strings"
 
 routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+ hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 "google.golang.org/protobuf/types/known/anypb"
 )
 
@@ -109,6 +110,15 @@ func enableFilterOnRoute(filterType string, route *routev3.Route, configName str
 return nil
 }
 
-func perRouteFilterName(filterType, routeName string) string {
- return fmt.Sprintf("%s_%s", filterType, routeName)
+func perRouteFilterName(filterType, configName string) string {
+ return fmt.Sprintf("%s_%s", filterType, configName)
+}
+
+func hcmContainsFilter(mgr *hcmv3.HttpConnectionManager, filterName string) bool {
+ for _, existingFilter := range mgr.HttpFilters {
+ if existingFilter.Name == filterName {
+ return true
+ }
+ }
+ return false
 }
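Review bot: `hcmContainsFilter` and the renamed `perRouteFilterName` are added without doc comments, so a reader has to infer that one reports whether an HTTP filter with exactly that name is already on the HCM and the other builds the `<filterType>_<configName>` per-route filter name; suggested `// hcmContainsFilter reports whether mgr already carries an HTTP filter named filterName.` and `// perRouteFilterName returns the filter name for filterType scoped to configName, so routes sharing a config share one filter entry.`. Renaming the second parameter from routeName to configName changes what the value means, not just its spelling — the routes fixture in this change shows both httproute-1 routes keyed on `ext_authz_default/httproute-1` — so the comment should state that the name is keyed on the config, not the route. `hcmContainsFilter` dereferences mgr unconditionally; the one visible caller passes a non-nil HCM, but a leading `if mgr == nil { return false }` would make the helper safe for other patch paths.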