From e3180acb2ed1f6353695d4784e96eb4a391ff49f Mon Sep 17 00:00:00 2001
From: huabing zhao
Date: Tue, 12 Mar 2024 17:19:34 +0800
Subject: [PATCH] fix test
Signed-off-by: huabing zhao
---
 .../securitypolicy-with-extauth.in.yaml | 10 +++-
 .../securitypolicy-with-extauth.out.yaml | 47 +++++++++++++++++--
 internal/xds/translator/basicauth.go | 3 +-
 internal/xds/translator/extauth.go | 9 ++--
 internal/xds/translator/oidc.go | 2 +-
 .../testdata/in/xds-ir/ext-auth.yaml | 29 +++++++++++-
 .../out/xds-ir/ext-auth.listeners.yaml | 2 +-
 .../testdata/out/xds-ir/ext-auth.routes.yaml | 13 ++++-
 internal/xds/translator/utils.go | 20 ++++++--
 9 files changed, 115 insertions(+), 20 deletions(-)
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml
index 12142460fa3b..a451b5767741 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml
@@ -29,10 +29,16 @@ httpRoutes: rules: - matches: - path: - value: /foo + value: /foo1 backendRefs: - name: service-1 port: 8080 + - matches: + - path: + value: /foo2 + backendRefs: + - name: service-2 + port: 8080 - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata:
@@ -50,7 +56,7 @@ httpRoutes: - path: value: /bar backendRefs: - - name: service-1 + - name: service-3 port: 8080 services: - apiVersion: v1
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml
index 5754bcc67935..adad1912bc41 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml
@@ -59,7 +59,13 @@ httpRoutes: port: 8080 matches: - path: - value: /foo + value: /foo1 + - backendRefs: + - name: service-2 + port: 8080 + matches: + - path: + value: /foo2 status: parents: - conditions:
@@ -93,7 +99,7 @@ httpRoutes: sectionName: http rules: - backendRefs: - - name: service-1 + - name: service-3 port: 8080 matches: - path:
@@ -245,7 +251,42 @@ xdsIR: pathMatch: distinct: false name: "" - prefix: /foo + prefix: /foo1 + - backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-1/rule/1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + extAuth: + grpc: + authority: grpc-backend.default:9000 + destination: + name: securitypolicy/default/policy-for-http-route/grpc-backend + settings: + - addressType: IP + endpoints: + - host: 8.8.8.8 + port: 9000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + name: default/httproute-1 + hostname: www.foo.com + isHTTP2: false + name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo2 - backendWeights: invalid: 0 valid: 0
diff --git a/internal/xds/translator/basicauth.go b/internal/xds/translator/basicauth.go
index 71bd70776e30..85cd77fa3c3a 100644
--- a/internal/xds/translator/basicauth.go
+++ b/internal/xds/translator/basicauth.go
@@ -129,7 +129,8 @@ func (*basicAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error
 if irRoute.BasicAuth == nil {
 return nil
 }
- if err := enableFilterOnRoute(basicAuthFilter, route, irRoute.Name); err != nil {
+ filterName := basicAuthFilterName(irRoute)
+ if err := enableFilterOnRoute(route, filterName); err != nil {
 return err
 }
 return nil
diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
index eb0d0ad9b748..28e509253aa8 100644
--- a/internal/xds/translator/extauth.go
+++ b/internal/xds/translator/extauth.go
@@ -58,10 +58,8 @@ func (*extAuth) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPLi
 // Only generates one OAuth2 Envoy filter for each unique name.
 // For example, if there are two routes under the same gateway with the
 // same OIDC config, only one OAuth2 filter will be generated.
- for _, existingFilter := range mgr.HttpFilters {
- if existingFilter.Name == extAuthFilterName(route.ExtAuth) {
- continue
- }
+ if hcmContainsFilter(mgr, extAuthFilterName(route.ExtAuth)) {
+ continue
 }
 filter, err := buildHCMExtAuthFilter(route.ExtAuth)
@@ -285,7 +283,8 @@ func (*extAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
 if irRoute.ExtAuth == nil {
 return nil
 }
- if err := enableFilterOnRoute(extAuthFilter, route, irRoute.ExtAuth.Name); err != nil {
+ filterName := extAuthFilterName(irRoute.ExtAuth)
+ if err := enableFilterOnRoute(route, filterName); err != nil {
 return err
 }
 return nil
diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go
index a380aca6d832..3807f80a667a 100644
--- a/internal/xds/translator/oidc.go
+++ b/internal/xds/translator/oidc.go
@@ -341,7 +341,7 @@ func (*oidc) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
 return nil
 }
- if err := enableFilterOnRoute(oauth2Filter, route, irRoute.Name); err != nil {
+ if err := enableFilterOnRoute(route, irRoute.Name); err != nil {
 return err
 }
 return nil
diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml
index be4653fce9f3..e8dd31814254 100644
--- a/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml
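Review bot: The comment kept directly above the new `hcmContainsFilter` call still describes the OIDC code it was copied from ("OAuth2 Envoy filter", "same OIDC config") although this is extAuth's patchHCM; suggest `// Only generate one ext_authz Envoy filter for each unique ExtAuth name.` followed by `// For example, two routes under the same gateway that share an ExtAuth config get a single filter.` The dedup key is the name alone, so the comment should also state the assumption that equal `ExtAuth.Name` implies equal config — the fixtures in this patch use the owning policy target (e.g. `default/gateway-1`) as that name, which presumably guarantees it, but a reader of this loop cannot see that. patchHCM's signature and the loop header are outside the hunk.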
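Review bot: `enableFilterOnRoute(route, irRoute.Name)` now registers the per-route config under the bare route name, whereas the removed call produced `perRouteFilterName(oauth2Filter, irRoute.Name)` and the basicauth.go and extauth.go hunks in this same commit both keep going through a `...FilterName` helper. Unless the OAuth2 filter installed on the HCM is literally named irRoute.Name (its builder is not in this patch), the typedPerFilterConfig key no longer matches the HCM filter name; if that filter is installed with `disabled: true` the way this patch's ext-auth.listeners.yaml shows for ext_authz, the mismatch would leave OIDC silently unenforced on the route instead of failing translation. Suggest preserving the previous name, `if err := enableFilterOnRoute(route, perRouteFilterName(oauth2Filter, irRoute.Name)); err != nil {`, or calling whichever helper names the HCM-side OAuth2 filter so the two cannot drift. The enclosing patchRoute starts outside the hunk.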
@@ -35,6 +35,33 @@ http: port: 80 protocol: HTTP weight: 1 + - name: httproute/default/httproute-1/rule/1/match/0/www_example_com + hostname: "*" + pathMatch: + exact: "foo" + destination: + name: httproute/default/httproute-1/rule/0 + settings: + - endpoints: + - host: "10.0.0.1" + port: 50000 + extAuth: + name: default/httproute-1 + http: + authority: http-backend.envoy-gateway:80 + headersToBackend: + - header1 + - header2 + path: /auth + destination: + name: securitypolicy/default/policy-for-first-route/http-backend + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 80 + protocol: HTTP + weight: 1 - name: httproute/default/httproute-2/rule/0/match/0/www_example_com hostname: "*" pathMatch:
@@ -46,7 +73,7 @@ http: - host: "10.0.0.2" port: 60000 extAuth: - name: default/httproute-2 + name: default/gateway-1 grpc: authority: grpc-backend.default:9000 destination:
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
index f3a822fb1570..b5a0c93fe68c 100644
--- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
@@ -30,7 +30,7 @@ uri: http://http-backend.envoy-gateway:80/auth transportApiVersion: V3 - disabled: true - name: envoy.filters.http.ext_authz_default/httproute-2 + name: envoy.filters.http.ext_authz_default/gateway-1 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz allowedHeaders:
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml
index 7b96a254ab78..d16f9a43047e 100644
--- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml
@@ -16,6 +16,17 @@ envoy.filters.http.ext_authz_default/httproute-1: '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig config: {} + - match: + path: foo + name: httproute/default/httproute-1/rule/1/match/0/www_example_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz_default/httproute-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} - match: path: bar name: httproute/default/httproute-2/rule/0/match/0/www_example_com
@@ -24,6 +35,6 @@ upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: - envoy.filters.http.ext_authz_default/httproute-2: + envoy.filters.http.ext_authz_default/gateway-1: '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig config: {}
diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go
index e3446a7c3d7d..afcc84491ced 100644
--- a/internal/xds/translator/utils.go
+++ b/internal/xds/translator/utils.go
@@ -14,6 +14,7 @@ import (
 "strings"
 routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+ hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 "google.golang.org/protobuf/types/known/anypb"
 )
@@ -78,18 +79,17 @@ func clusterName(host string, port uint32) string {
 }
 // enableFilterOnRoute enables a filterType on the provided route.
-func enableFilterOnRoute(filterType string, route *routev3.Route, configName string) error {
+func enableFilterOnRoute(route *routev3.Route, filterName string) error {
 if route == nil {
 return errors.New("xds route is nil")
 }
- filterName := perRouteFilterName(filterType, configName)
 filterCfg := route.GetTypedPerFilterConfig()
 if _, ok := filterCfg[filterName]; ok {
 // This should not happen since this is the only place where the filter
 // config is added in a route.
 return fmt.Errorf("route already contains filter config: %s, %+v",
- filterType, route)
+ filterName, route)
 }
 // Enable the corresponding filter for this route.
@@ -109,6 +109,16 @@ func enableFilterOnRoute(filterType string, route *routev3.Route, configName str
 return nil
 }
-func perRouteFilterName(filterType, routeName string) string {
- return fmt.Sprintf("%s_%s", filterType, routeName)
+// perRouteFilterName generates a unique filter name for the provided filterType and configName.
+func perRouteFilterName(filterType, configName string) string {
+ return fmt.Sprintf("%s_%s", filterType, configName)
+}
+
+func hcmContainsFilter(mgr *hcmv3.HttpConnectionManager, filterName string) bool {
+ for _, existingFilter := range mgr.HttpFilters {
+ if existingFilter.Name == filterName {
+ return true
+ }
+ }
+ return false
+ }
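Review bot: The doc comment left as context above the new signature, `// enableFilterOnRoute enables a filterType on the provided route.`, is stale now that the filterType parameter is gone and the caller supplies the final name; suggest `// enableFilterOnRoute enables the HTTP filter named filterName on the provided route.` Since the duplicate-config check now keys on a caller-chosen filterName, the comment should say that filterName must be exactly the name of the filter registered on the HCM, because that is what makes the per-route config take effect. Reporting filterName instead of filterType in the error is the more useful value. The remainder of the function is outside the hunk.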
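Review bot: `hcmContainsFilter` is a new package-level function with no doc comment, and it reads `mgr.HttpFilters` directly, so a nil manager panics; suggest `// hcmContainsFilter reports whether mgr already has an HTTP filter named filterName.` and `for _, existingFilter := range mgr.GetHttpFilters() {`, the generated nil-safe getter. The extauth.go caller presumably validates mgr before reaching this call (its prologue is outside that hunk), but the helper is now callable from anywhere in the package and should not depend on that. If the file already targets Go 1.21, `slices.ContainsFunc` would express the same loop in one line.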