Skip to content

Commit

Permalink
fix: existing clusters and secretes
Browse files Browse the repository at this point in the history
Signed-off-by: Huabing Zhao <[email protected]>
  • Loading branch information
zhaohuabing committed Nov 13, 2024
1 parent ec56a83 commit a7d7e6b
Show file tree
Hide file tree
Showing 15 changed files with 361 additions and 55 deletions.
5 changes: 2 additions & 3 deletions internal/xds/translator/accesslog.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@
package translator

import (
"errors"
"sort"
"strings"

Expand Down Expand Up @@ -545,7 +544,7 @@ func processClusterForAccessLog(tCtx *types.ResourceVersionTable, al *ir.AccessL
backendConnection: traffic.BackendConnection,
dns: traffic.DNS,
http2Settings: traffic.HTTP2,
}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
}); err != nil {
return err
}
}
Expand Down Expand Up @@ -573,7 +572,7 @@ func processClusterForAccessLog(tCtx *types.ResourceVersionTable, al *ir.AccessL
backendConnection: traffic.BackendConnection,
dns: traffic.DNS,
http2Settings: traffic.HTTP2,
}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
}); err != nil {
return err
}
}
Expand Down
6 changes: 2 additions & 4 deletions internal/xds/translator/extauth.go
Original file line number Diff line number Diff line change
Expand Up @@ -226,14 +226,12 @@ func (*extAuth) patchResources(tCtx *types.ResourceVersionTable,
}
if route.Security.ExtAuth.HTTP != nil {
if err := createExtServiceXDSCluster(
&route.Security.ExtAuth.HTTP.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil && !errors.Is(
err, ErrXdsClusterExists) {
&route.Security.ExtAuth.HTTP.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil {
errs = errors.Join(errs, err)
}
} else {
if err := createExtServiceXDSCluster(
&route.Security.ExtAuth.GRPC.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil && !errors.Is(
err, ErrXdsClusterExists) {
&route.Security.ExtAuth.GRPC.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil {
errs = errors.Join(errs, err)
}
}
Expand Down
3 changes: 1 addition & 2 deletions internal/xds/translator/extproc.go
Original file line number Diff line number Diff line change
Expand Up @@ -173,8 +173,7 @@ func (*extProc) patchResources(tCtx *types.ResourceVersionTable,
for i := range route.EnvoyExtensions.ExtProcs {
ep := route.EnvoyExtensions.ExtProcs[i]
if err := createExtServiceXDSCluster(
&ep.Destination, ep.Traffic, tCtx); err != nil && !errors.Is(
err, ErrXdsClusterExists) {
&ep.Destination, ep.Traffic, tCtx); err != nil {
errs = errors.Join(errs, err)
}
}
Expand Down
9 changes: 2 additions & 7 deletions internal/xds/translator/oidc.go
Original file line number Diff line number Diff line change
Expand Up @@ -310,8 +310,7 @@ func createOAuthServerClusters(tCtx *types.ResourceVersionTable,
// If the OIDC provider has a destination, use it.
if oidc.Provider.Destination != nil && len(oidc.Provider.Destination.Settings) > 0 {
if err := createExtServiceXDSCluster(
oidc.Provider.Destination, oidc.Provider.Traffic, tCtx); err != nil && !errors.Is(
err, ErrXdsClusterExists) {
oidc.Provider.Destination, oidc.Provider.Traffic, tCtx); err != nil {
errs = errors.Join(errs, err)
}
} else {
Expand Down Expand Up @@ -372,11 +371,7 @@ func createOAuth2TokenEndpointCluster(tCtx *types.ResourceVersionTable,
clusterArgs.tSocket = tSocket
}

if err = addXdsCluster(tCtx, clusterArgs); err != nil && !errors.Is(err, ErrXdsClusterExists) {
return err
}

return err
return addXdsCluster(tCtx, clusterArgs)
}

// createOAuth2Secrets creates OAuth2 client and HMAC secrets from the provided
Expand Down
9 changes: 2 additions & 7 deletions internal/xds/translator/ratelimit.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ package translator

import (
"bytes"
"errors"
"net/url"
"strconv"
"strings"
Expand Down Expand Up @@ -492,17 +491,13 @@ func (t *Translator) createRateLimitServiceCluster(tCtx *types.ResourceVersionTa
return err
}

if err := addXdsCluster(tCtx, &xdsClusterArgs{
return addXdsCluster(tCtx, &xdsClusterArgs{
name: clusterName,
settings: []*ir.DestinationSetting{ds},
tSocket: tSocket,
endpointType: EndpointTypeDNS,
metrics: metrics,
}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
return err
}

return nil
})
}

func getRouteRuleDescriptor(ruleIndex, matchIndex int) string {
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
http:
- name: "envoy-gateway/gateway-1/http"
address: 0.0.0.0
hostnames:
- '*'
isHTTP2: false
metadata:
kind: Gateway
name: gateway-1
namespace: envoy-gateway
sectionName: http
path:
escapedSlashesAction: UnescapeAndRedirect
mergeSlashes: true
port: 10080
routes:
- destination:
name: httproute/default/httproute-1/rule/0
settings:
- addressType: IP
endpoints:
- host: 7.7.7.7
port: 8080
protocol: HTTP
weight: 1
hostname: www.example.com
isHTTP2: false
metadata:
kind: HTTPRoute
name: httproute-1
namespace: default
name: httproute/default/httproute-1/rule/0/match/0/www_example_com
pathMatch:
distinct: false
name: ""
prefix: /foo
security:
authorization:
defaultAction: Deny
rules:
- action: Allow
name: allow
principal:
jwt:
claims:
- name: groups
valueType: StringArray
values:
- foobar
provider: exjwt
jwt:
providers:
- claimToHeaders:
- claim: email
header: x-user-email
extractFrom:
cookies:
- IdToken
issuer: https://oidc.example.com/auth/realms/example
name: exjwt
remoteJWKS:
uri: https://oidc.example.com/auth/realms/example/protocol/openid-connect/certs
oidc:
clientID: prometheus
clientSecret: '[redacted]'
cookieNameOverrides:
idToken: IdToken
cookieSuffix: 5f93c2e4
hmacSecret: '[redacted]'
logoutPath: /logout
name: securitypolicy/default/policy-for-http-route
provider:
authorizationEndpoint: https://oidc.example.com/authorize
tokenEndpoint: https://oidc.example.com/oauth/token
redirectPath: /oauth2/callback
redirectURL: '%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback'
scopes:
- openid
- email
- profile
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
- circuitBreakers:
thresholds:
- maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
edsClusterConfig:
edsConfig:
ads: {}
resourceApiVersion: V3
serviceName: httproute/default/httproute-1/rule/0
ignoreHealthOnHostRemoval: true
lbPolicy: LEAST_REQUEST
name: httproute/default/httproute-1/rule/0
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
type: EDS
- circuitBreakers:
thresholds:
- maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
connectTimeout: 10s
dnsLookupFamily: V4_ONLY
dnsRefreshRate: 30s
lbPolicy: LEAST_REQUEST
loadAssignment:
clusterName: oidc_example_com_443
endpoints:
- lbEndpoints:
- endpoint:
address:
socketAddress:
address: oidc.example.com
portValue: 443
loadBalancingWeight: 1
loadBalancingWeight: 1
locality:
region: oidc_example_com_443/backend/0
name: oidc_example_com_443
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
respectDnsTtl: true
transportSocket:
name: envoy.transport_sockets.tls
typedConfig:
'@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
commonTlsContext:
validationContext:
trustedCa:
filename: /etc/ssl/certs/ca-certificates.crt
sni: oidc.example.com
type: STRICT_DNS
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
- clusterName: httproute/default/httproute-1/rule/0
endpoints:
- lbEndpoints:
- endpoint:
address:
socketAddress:
address: 7.7.7.7
portValue: 8080
loadBalancingWeight: 1
loadBalancingWeight: 1
locality:
region: httproute/default/httproute-1/rule/0/backend/0
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
- address:
socketAddress:
address: 0.0.0.0
portValue: 10080
defaultFilterChain:
filters:
- name: envoy.filters.network.http_connection_manager
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
commonHttpProtocolOptions:
headersWithUnderscoresAction: REJECT_REQUEST
http2ProtocolOptions:
initialConnectionWindowSize: 1048576
initialStreamWindowSize: 65536
maxConcurrentStreams: 100
httpFilters:
- disabled: true
name: envoy.filters.http.oauth2/securitypolicy/default/policy-for-http-route
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
config:
authScopes:
- openid
- email
- profile
authType: BASIC_AUTH
authorizationEndpoint: https://oidc.example.com/authorize
credentials:
clientId: prometheus
cookieNames:
bearerToken: AccessToken-5f93c2e4
idToken: IdToken
oauthExpires: OauthExpires-5f93c2e4
oauthHmac: OauthHMAC-5f93c2e4
oauthNonce: OauthNonce-5f93c2e4
refreshToken: RefreshToken-5f93c2e4
hmacSecret:
name: oauth2/hmac_secret/securitypolicy/default/policy-for-http-route
sdsConfig:
ads: {}
resourceApiVersion: V3
tokenSecret:
name: oauth2/client_secret/securitypolicy/default/policy-for-http-route
sdsConfig:
ads: {}
resourceApiVersion: V3
preserveAuthorizationHeader: true
redirectPathMatcher:
path:
exact: /oauth2/callback
redirectUri: '%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback'
signoutPath:
path:
exact: /logout
tokenEndpoint:
cluster: oidc_example_com_443
timeout: 10s
uri: https://oidc.example.com/oauth/token
useRefreshToken: false
- name: envoy.filters.http.jwt_authn
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
providers:
httproute/default/httproute-1/rule/0/match/0/www_example_com/exjwt:
claimToHeaders:
- claimName: email
headerName: x-user-email
forward: true
fromCookies:
- IdToken
issuer: https://oidc.example.com/auth/realms/example
normalizePayloadInMetadata:
spaceDelimitedClaims:
- scope
payloadInMetadata: exjwt
remoteJwks:
asyncFetch: {}
cacheDuration: 300s
httpUri:
cluster: oidc_example_com_443
timeout: 10s
uri: https://oidc.example.com/auth/realms/example/protocol/openid-connect/certs
retryPolicy: {}
requirementMap:
httproute/default/httproute-1/rule/0/match/0/www_example_com:
providerName: httproute/default/httproute-1/rule/0/match/0/www_example_com/exjwt
- name: envoy.filters.http.rbac
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
- name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
suppressEnvoyHeaders: true
mergeSlashes: true
normalizePath: true
pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
rds:
configSource:
ads: {}
resourceApiVersion: V3
routeConfigName: envoy-gateway/gateway-1/http
serverHeaderTransformation: PASS_THROUGH
statPrefix: http-10080
useRemoteAddress: true
name: envoy-gateway/gateway-1/http
name: envoy-gateway/gateway-1/http
perConnectionBufferLimitBytes: 32768
Loading

0 comments on commit a7d7e6b

Please sign in to comment.