Merge branch 'main' into btls-san-validation

envoyproxy · May 30, 2024 · 8f97c03 · 8f97c03
2 parents 35dde2d + 90a4b99
commit 8f97c03
Show file tree

Hide file tree

Showing 7 changed files with 233 additions and 5 deletions.
diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go
@@ -482,10 +482,17 @@ type XDSTranslatorHooks struct {
 
 // ExtensionService defines the configuration for connecting to a registered extension service.
 type ExtensionService struct {
+	// BackendEndpoint points to where the extension server can be found.
+	BackendEndpoint `json:",inline"`
+
 	// Host define the extension service hostname.
-	Host string `json:"host"`
+	// Deprecated: use the appropriate transport attribute instead (FQDN,IPv4,Unix)
+	//
+	// +optional
+	Host string `json:"host,omitempty"`
 
 	// Port defines the port the extension service is exposed on.
+	// Deprecated: use the appropriate transport attribute instead (FQDN,IPv4,Unix)
 	//
 	// +optional
 	// +kubebuilder:validation:Minimum=0

diff --git a/api/v1alpha1/validation/envoygateway_validate.go b/api/v1alpha1/validation/envoygateway_validate.go
@@ -85,6 +85,18 @@ func ValidateEnvoyGateway(eg *v1alpha1.EnvoyGateway) error {
 			return fmt.Errorf("extension service config is empty")
 		}
 
+		switch {
+		case eg.ExtensionManager.Service.Host == "" && eg.ExtensionManager.Service.FQDN == nil && eg.ExtensionManager.Service.Unix == nil && eg.ExtensionManager.Service.IPv4 == nil:
+			return fmt.Errorf("extension service must contain a configured target")
+
+		case eg.ExtensionManager.Service.FQDN != nil && (eg.ExtensionManager.Service.IPv4 != nil || eg.ExtensionManager.Service.Unix != nil || eg.ExtensionManager.Service.Host != ""),
+			eg.ExtensionManager.Service.IPv4 != nil && (eg.ExtensionManager.Service.FQDN != nil || eg.ExtensionManager.Service.Unix != nil || eg.ExtensionManager.Service.Host != ""),
+			eg.ExtensionManager.Service.Unix != nil && (eg.ExtensionManager.Service.IPv4 != nil || eg.ExtensionManager.Service.FQDN != nil || eg.ExtensionManager.Service.Host != ""):
+
+			return fmt.Errorf("only one backend target can be configured for the extension manager")
+
+		}
+
 		if eg.ExtensionManager.Service.TLS != nil {
 			certificateRefKind := eg.ExtensionManager.Service.TLS.CertificateRef.Kind
 

diff --git a/api/v1alpha1/validation/envoygateway_validate_test.go b/api/v1alpha1/validation/envoygateway_validate_test.go
@@ -547,6 +547,118 @@ func TestValidateEnvoyGateway(t *testing.T) {
 			},
 			expect: false,
 		},
+		{
+			name: "no extension server target set",
+			eg: &v1alpha1.EnvoyGateway{
+				EnvoyGatewaySpec: v1alpha1.EnvoyGatewaySpec{
+					Gateway:  v1alpha1.DefaultGateway(),
+					Provider: v1alpha1.DefaultEnvoyGatewayProvider(),
+					ExtensionManager: &v1alpha1.ExtensionManager{
+						Resources: []v1alpha1.GroupVersionKind{
+							{
+								Group:   "foo.example.io",
+								Version: "v1alpha1",
+								Kind:    "Foo",
+							},
+						},
+						Service: &v1alpha1.ExtensionService{
+							Port: 8080,
+						},
+					},
+				},
+			},
+			expect: false,
+		},
+		{
+			name: "both host and path targets are set for extension server",
+			eg: &v1alpha1.EnvoyGateway{
+				EnvoyGatewaySpec: v1alpha1.EnvoyGatewaySpec{
+					Gateway:  v1alpha1.DefaultGateway(),
+					Provider: v1alpha1.DefaultEnvoyGatewayProvider(),
+					ExtensionManager: &v1alpha1.ExtensionManager{
+						Resources: []v1alpha1.GroupVersionKind{
+							{
+								Group:   "foo.example.io",
+								Version: "v1alpha1",
+								Kind:    "Foo",
+							},
+						},
+						Service: &v1alpha1.ExtensionService{
+							BackendEndpoint: v1alpha1.BackendEndpoint{
+								FQDN: &v1alpha1.FQDNEndpoint{
+									Hostname: "foo.example.com",
+									Port:     8080,
+								},
+								Unix: &v1alpha1.UnixSocket{
+									Path: "/some/path",
+								},
+							},
+						},
+					},
+				},
+			},
+			expect: false,
+		},
+		{
+			name: "multiple backend targets are set for extension server",
+			eg: &v1alpha1.EnvoyGateway{
+				EnvoyGatewaySpec: v1alpha1.EnvoyGatewaySpec{
+					Gateway:  v1alpha1.DefaultGateway(),
+					Provider: v1alpha1.DefaultEnvoyGatewayProvider(),
+					ExtensionManager: &v1alpha1.ExtensionManager{
+						Resources: []v1alpha1.GroupVersionKind{
+							{
+								Group:   "foo.example.io",
+								Version: "v1alpha1",
+								Kind:    "Foo",
+							},
+						},
+						Service: &v1alpha1.ExtensionService{
+							BackendEndpoint: v1alpha1.BackendEndpoint{
+								FQDN: &v1alpha1.FQDNEndpoint{
+									Hostname: "foo.example.com",
+									Port:     8080,
+								},
+								IPv4: &v1alpha1.IPv4Endpoint{
+									Address: "10.9.8.7",
+									Port:    8080,
+								},
+							},
+						},
+					},
+				},
+			},
+			expect: false,
+		},
+		{
+			name: "both host and path targets are set for extension server",
+			eg: &v1alpha1.EnvoyGateway{
+				EnvoyGatewaySpec: v1alpha1.EnvoyGatewaySpec{
+					Gateway:  v1alpha1.DefaultGateway(),
+					Provider: v1alpha1.DefaultEnvoyGatewayProvider(),
+					ExtensionManager: &v1alpha1.ExtensionManager{
+						Resources: []v1alpha1.GroupVersionKind{
+							{
+								Group:   "foo.example.io",
+								Version: "v1alpha1",
+								Kind:    "Foo",
+							},
+						},
+						Service: &v1alpha1.ExtensionService{
+							Host: "foo.example.com",
+							Port: 8080,
+							BackendEndpoint: v1alpha1.BackendEndpoint{
+								FQDN: &v1alpha1.FQDNEndpoint{
+									Hostname: "foo.example.com",
+									Port:     8080,
+								},
+							},
+						},
+					},
+				},
+			},
+			expect: false,
+		},
 	}
 
 	for _, tc := range testCases {

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/internal/extension/registry/extension_manager.go b/internal/extension/registry/extension_manager.go
@@ -119,6 +119,21 @@ func (m *Manager) HasExtension(g v1.Group, k v1.Kind) bool {
 	return false
 }
 
+func getExtensionServerAddress(service *v1alpha1.ExtensionService) string {
+	var serverAddr string
+	switch {
+	case service.FQDN != nil:
+		serverAddr = fmt.Sprintf("%s:%d", service.FQDN.Hostname, service.FQDN.Port)
+	case service.IPv4 != nil:
+		serverAddr = fmt.Sprintf("%s:%d", service.IPv4.Address, service.IPv4.Port)
+	case service.Unix != nil:
+		serverAddr = fmt.Sprintf("unix://%s", service.Unix.Path)
+	case service.Host != "":
+		serverAddr = fmt.Sprintf("%s:%d", service.Host, service.Port)
+	}
+	return serverAddr
+}
+
 // GetPreXDSHookClient checks if the registered extension makes use of a particular hook type that modifies inputs
 // that are used to generate an xDS resource.
 // If the extension makes use of the hook then the XDS Hook Client is returned. If it does not support
@@ -146,7 +161,7 @@ func (m *Manager) GetPreXDSHookClient(xdsHookType v1alpha1.XDSTranslatorHook) ex
 	}
 
 	if m.extensionConnCache == nil {
-		serverAddr := fmt.Sprintf("%s:%d", ext.Service.Host, ext.Service.Port)
+		serverAddr := getExtensionServerAddress(ext.Service)
 
 		opts, err := setupGRPCOpts(ctx, m.k8sClient, &ext, m.namespace)
 		if err != nil {
@@ -195,7 +210,7 @@ func (m *Manager) GetPostXDSHookClient(xdsHookType v1alpha1.XDSTranslatorHook) e
 	}
 
 	if m.extensionConnCache == nil {
-		serverAddr := fmt.Sprintf("%s:%d", ext.Service.Host, ext.Service.Port)
+		serverAddr := getExtensionServerAddress(ext.Service)
 
 		opts, err := setupGRPCOpts(ctx, m.k8sClient, &ext, m.namespace)
 		if err != nil {

diff --git a/internal/extension/registry/extension_manager_test.go b/internal/extension/registry/extension_manager_test.go
@@ -0,0 +1,74 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package registry
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/envoyproxy/gateway/api/v1alpha1"
+)
+
+func TestGetExtensionServerAddress(t *testing.T) {
+	tests := []struct {
+		Name     string
+		Service  *v1alpha1.ExtensionService
+		Expected string
+	}{
+		{
+			Name: "has an FQDN",
+			Service: &v1alpha1.ExtensionService{
+				BackendEndpoint: v1alpha1.BackendEndpoint{
+					FQDN: &v1alpha1.FQDNEndpoint{
+						Hostname: "extserver.svc.cluster.local",
+						Port:     5050,
+					},
+				},
+			},
+			Expected: "extserver.svc.cluster.local:5050",
+		},
+		{
+			Name: "has an IPv4",
+			Service: &v1alpha1.ExtensionService{
+				BackendEndpoint: v1alpha1.BackendEndpoint{
+					IPv4: &v1alpha1.IPv4Endpoint{
+						Address: "10.10.10.10",
+						Port:    5050,
+					},
+				},
+			},
+			Expected: "10.10.10.10:5050",
+		},
+		{
+			Name: "has a Unix path",
+			Service: &v1alpha1.ExtensionService{
+				BackendEndpoint: v1alpha1.BackendEndpoint{
+					Unix: &v1alpha1.UnixSocket{
+						Path: "/some/path",
+					},
+				},
+			},
+			Expected: "unix:///some/path",
+		},
+		{
+			Name: "has a Unix path",
+			Service: &v1alpha1.ExtensionService{
+				Host: "foo.bar",
+				Port: 5050,
+			},
+			Expected: "foo.bar:5050",
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.Name, func(t *testing.T) {
+			out := getExtensionServerAddress(tc.Service)
+			require.Equal(t, tc.Expected, out)
+		})
+	}
+}
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
@@ -286,6 +286,7 @@ corresponding to Envoy's Address: https://www.envoyproxy.io/docs/envoy/latest/ap
 
 _Appears in:_
 - [BackendSpec](#backendspec)
+- [ExtensionService](#extensionservice)
 
 | Field | Type | Required | Description |
 | ---   | ---  | ---      | ---         |
@@ -1514,8 +1515,11 @@ _Appears in:_
 
 | Field | Type | Required | Description |
 | ---   | ---  | ---      | ---         |
-| `host` | _string_ |  true  | Host define the extension service hostname. |
-| `port` | _integer_ |  false  | Port defines the port the extension service is exposed on. |
+| `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ |  false  | FQDN defines a FQDN endpoint |
+| `ipv4` | _[IPv4Endpoint](#ipv4endpoint)_ |  false  | IPv4 defines an IPv4 endpoint |
+| `unix` | _[UnixSocket](#unixsocket)_ |  false  | Unix defines the unix domain socket endpoint |
+| `host` | _string_ |  false  | Host define the extension service hostname.<br />Deprecated: use the appropriate transport attribute instead (FQDN,IPv4,Unix) |
+| `port` | _integer_ |  false  | Port defines the port the extension service is exposed on.<br />Deprecated: use the appropriate transport attribute instead (FQDN,IPv4,Unix) |
 | `tls` | _[ExtensionTLS](#extensiontls)_ |  false  | TLS defines TLS configuration for communication between Envoy Gateway and<br />the extension service. |
 
 
@@ -1542,6 +1546,7 @@ https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#
 
 _Appears in:_
 - [BackendEndpoint](#backendendpoint)
+- [ExtensionService](#extensionservice)
 
 | Field | Type | Required | Description |
 | ---   | ---  | ---      | ---         |
@@ -1925,6 +1930,7 @@ https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#
 
 _Appears in:_
 - [BackendEndpoint](#backendendpoint)
+- [ExtensionService](#extensionservice)
 
 | Field | Type | Required | Description |
 | ---   | ---  | ---      | ---         |
@@ -3520,6 +3526,7 @@ https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#
 
 _Appears in:_
 - [BackendEndpoint](#backendendpoint)
+- [ExtensionService](#extensionservice)
 
 | Field | Type | Required | Description |
 | ---   | ---  | ---      | ---         |