address comment

Signed-off-by: Huabing Zhao <[email protected]>

internal/gatewayapi/backendtlspolicy.go

@@ -157,58 +157,19 @@ func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2
 	return false
 }
 
-// getTargetBackendReferenceWithPortName returns the LocalPolicyTargetReference for the given BackendObjectReference,
-// and sets the sectionName to the port name if the BackendObjectReference is a Kubernetes Service.
-func getTargetBackendReferenceWithPortName(
-	backendRef gwapiv1a2.BackendObjectReference,
-	backendNamespace string,
-	resources *resource.Resources,
-) gwapiv1a2.LocalPolicyTargetReferenceWithSectionName {
-	ref := getTargetBackendReference(backendRef)
-	if backendRef.Port == nil {
-		return ref
-	}
-
-	if backendRef.Kind != nil && *backendRef.Kind != resource.KindService {
-		return ref
-	}
-
-	if service := resources.GetService(backendNamespace, string(backendRef.Name)); service != nil {
-		for _, port := range service.Spec.Ports {
-			if port.Port == int32(*backendRef.Port) {
-				if port.Name != "" {
-					ref.SectionName = SectionNamePtr(port.Name)
-				}
-			}
-		}
-	}
-
-	return ref
-}
-
 func getBackendTLSPolicy(
 	policies []*gwapiv1a3.BackendTLSPolicy,
 	backendRef gwapiv1a2.BackendObjectReference,
 	backendNamespace string,
 	resources *resource.Resources,
 ) *gwapiv1a3.BackendTLSPolicy {
-	target := getTargetBackendReference(backendRef)
+	// SectionName is port number for EG Backend object
+	target := getTargetBackendReference(backendRef, backendNamespace, resources)
 	for _, policy := range policies {
 		if backendTLSTargetMatched(*policy, target, backendNamespace) {
 			return policy
 		}
 	}
-
-	// SectionName can be port name for Kubernetes Service
-	if backendRef.Port != nil &&
-		(backendRef.Kind == nil || *backendRef.Kind == resource.KindService) {
-		target = getTargetBackendReferenceWithPortName(backendRef, backendNamespace, resources)
-		for _, policy := range policies {
-			if backendTLSTargetMatched(*policy, target, backendNamespace) {
-				return policy
-			}
-		}
-	}
 	return nil
 }
 

internal/gatewayapi/route.go

@@ -1596,30 +1596,45 @@ func getIREndpointsFromEndpointSlice(endpointSlice *discoveryv1.EndpointSlice, p
 	return endpoints
 }
 
-func getTargetBackendReference(backendRef gwapiv1a2.BackendObjectReference) gwapiv1a2.LocalPolicyTargetReferenceWithSectionName {
+func getTargetBackendReference(backendRef gwapiv1a2.BackendObjectReference, backendNamespace string, resources *resource.Resources) gwapiv1a2.LocalPolicyTargetReferenceWithSectionName {
 	ref := gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{
 		LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{
 			Group: func() gwapiv1a2.Group {
-				if backendRef.Group == nil {
+				if backendRef.Group == nil || *backendRef.Group == "" {
 					return ""
 				}
 				return *backendRef.Group
 			}(),
 			Kind: func() gwapiv1.Kind {
-				if backendRef.Kind == nil {
+				if backendRef.Kind == nil || *backendRef.Kind == resource.KindService {
 					return "Service"
 				}
 				return *backendRef.Kind
 			}(),
 			Name: backendRef.Name,
 		},
-		SectionName: func() *gwapiv1.SectionName {
-			if backendRef.Port != nil {
-				return SectionNamePtr(strconv.Itoa(int(*backendRef.Port)))
+	}
+	if backendRef.Port == nil {
+		return ref
+	}
+
+	// Set the section name to the port name if the backend is a Kubernetes Service
+	if backendRef.Kind == nil || *backendRef.Kind == resource.KindService {
+		if service := resources.GetService(backendNamespace, string(backendRef.Name)); service != nil {
+			for _, port := range service.Spec.Ports {
+				if port.Port == int32(*backendRef.Port) {
+					if port.Name != "" {
+						ref.SectionName = SectionNamePtr(port.Name)
+						break
+					}
+				}
 			}
-			return nil
-		}(),
+		}
+	} else {
+		// Set the section name to the port number if the backend is a EG Backend
+		ref.SectionName = SectionNamePtr(strconv.Itoa(int(*backendRef.Port)))
 	}
+
 	return ref
 }
 

internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml

@@ -110,7 +110,7 @@ backendTLSPolicies:
         - group: ""
           kind: Service
           name: http-backend
-          sectionName: "8080"
+          sectionName: http1
         - group: ""
           kind: Service
           name: http-backend

internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml

@@ -10,7 +10,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: http-backend
-      sectionName: "8080"
+      sectionName: http1
     - group: ""
       kind: Service
       name: http-backend

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml

@@ -160,7 +160,7 @@ backendTLSPolicies:
     - group: ''
       kind: Service
       name: grpc-backend
-      sectionName: "8000"
+      sectionName: grpc
     validation:
       caCertificateRefs:
       - name: ca-cmap
@@ -177,7 +177,7 @@ backendTLSPolicies:
     - group: ''
       kind: Service
       name: grpc-backend-2
-      sectionName: "9000"
+      sectionName: grpc
     validation:
       caCertificateRefs:
       - name: ca-cmap

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml

@@ -10,7 +10,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: grpc-backend
-      sectionName: "8000"
+      sectionName: grpc
     validation:
       caCertificateRefs:
       - group: ""
@@ -42,7 +42,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: grpc-backend-2
-      sectionName: "9000"
+      sectionName: grpc
     validation:
       caCertificateRefs:
       - group: ""

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml

@@ -162,7 +162,7 @@ backendTLSPolicies:
     - group: ''
       kind: Service
       name: grpc-backend
-      sectionName: "8000"
+      sectionName: grpc
     validation:
       caCertificateRefs:
       - name: ca-cmap

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml

@@ -10,7 +10,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: grpc-backend
-      sectionName: "8000"
+      sectionName: grpc
     validation:
       caCertificateRefs:
       - group: ""

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml

@@ -162,7 +162,7 @@ backendTLSPolicies:
     - group: ''
       kind: Service
       name: grpc-backend
-      sectionName: "8000"
+      sectionName: grpc
     validation:
       caCertificateRefs:
       - name: ca-cmap

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml

@@ -10,7 +10,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: grpc-backend
-      sectionName: "8000"
+      sectionName: grpc
     validation:
       caCertificateRefs:
       - group: ""

internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml

@@ -162,7 +162,7 @@ backendTLSPolicies:
         - group: ''
           kind: Service
           name: grpc-backend
-          sectionName: "8000"
+          sectionName: grpc
       validation:
         caCertificateRefs:
           - name: ca-cmap

internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml

@@ -10,7 +10,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: grpc-backend
-      sectionName: "8000"
+      sectionName: grpc
     validation:
       caCertificateRefs:
       - group: ""

internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml

@@ -160,7 +160,7 @@ backendTLSPolicies:
         - group: ""
           kind: Service
           name: http-backend
-          sectionName: "80"
+          sectionName: http
       validation:
         caCertificateRefs:
           - name: ca-cmap
@@ -177,7 +177,7 @@ backendTLSPolicies:
         - group: ""
           kind: Service
           name: grpc-backend
-          sectionName: "9000"
+          sectionName: grpc
       validation:
         caCertificateRefs:
           - name: ca-cmap

internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml

@@ -10,7 +10,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: http-backend
-      sectionName: "80"
+      sectionName: http
     validation:
       caCertificateRefs:
       - group: ""
@@ -42,7 +42,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: grpc-backend
-      sectionName: "9000"
+      sectionName: grpc
     validation:
       caCertificateRefs:
       - group: ""

test/e2e/testdata/ext-auth-grpc-service.yaml

@@ -103,3 +103,4 @@ spec:
     - protocol: TCP
       port: 9002
       targetPort: 9002
+      name: grpc

test/e2e/testdata/ext-auth-http-service.yaml

@@ -39,3 +39,4 @@ spec:
     - protocol: TCP
       port: 9002
       targetPort: 9002
+      name: http

test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml

@@ -80,7 +80,7 @@ spec:
   - group: ''
     kind: Service
     name: grpc-ext-proc
-    sectionName: "9002"
+    sectionName: grpc
   validation:
     caCertificateRefs:
     - name: grpc-ext-proc-ca