From 94bcde0129156a24d590110c6fb5d2c4ee310143 Mon Sep 17 00:00:00 2001
From: Jakub Dyszkiewicz
Date: Thu, 6 Jul 2023 09:25:39 +0200
Subject: [PATCH] fix(kuma-cp): handle external services with permissive mtls (#7179)

Signed-off-by: Jakub Dyszkiewicz
---
 pkg/xds/context/mesh_context_builder.go | 8 ++
 .../externalservices/permissive_mtls.go | 86 +++++++++++++++++++
 .../kubernetes/kubernetes_suite_test.go | 1 +
 3 files changed, 95 insertions(+)
 create mode 100644 test/e2e_env/kubernetes/externalservices/permissive_mtls.go

diff --git a/pkg/xds/context/mesh_context_builder.go b/pkg/xds/context/mesh_context_builder.go
index 6d148b1555cd..1dc75c93b24b 100644
--- a/pkg/xds/context/mesh_context_builder.go
+++ b/pkg/xds/context/mesh_context_builder.go
@@ -408,7 +408,15 @@ func (m *meshContextBuilder) resolveTLSReadiness(mesh *core_mesh.MeshResource, s
 }

 for svc, insight := range serviceInsights.Items[0].Spec.GetServices() {
+<<<<<<< HEAD
 tlsReady[svc] = insight.IssuedBackends[backend.Name] == insight.Dataplanes.Total
+=======
+ if insight.ServiceType == mesh_proto.ServiceInsight_Service_external {
+ tlsReady[svc] = true
+ } else {
+ tlsReady[svc] = insight.IssuedBackends[backend.Name] == (insight.Dataplanes.Offline + insight.Dataplanes.Online)
+ }
+>>>>>>> 6e228b7e5 (fix(kuma-cp): handle external services with permissive mtls (#7179))
 }
 return tlsReady
 }
diff --git a/test/e2e_env/kubernetes/externalservices/permissive_mtls.go b/test/e2e_env/kubernetes/externalservices/permissive_mtls.go
new file mode 100644
index 000000000000..83f1e69fcc13
--- /dev/null
+++ b/test/e2e_env/kubernetes/externalservices/permissive_mtls.go
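Review bot: The new side of this hunk commits unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 6e228b7e5 (...)`) into mesh_context_builder.go, so the package cannot build until the conflict is actually resolved. The two sides also disagree on how the dataplane total is computed — HEAD compares `insight.IssuedBackends[backend.Name]` against `insight.Dataplanes.Total`, the incoming side against `(insight.Dataplanes.Offline + insight.Dataplanes.Online)` — so the resolution should keep the incoming `ServiceType == ServiceInsight_Service_external` branch but use whichever total field this branch's ServiceInsight really exposes, rather than leaving both variants in place. The unconditional `tlsReady[svc] = true` bypasses the issued-certificate check that otherwise gates TLS readiness in PERMISSIVE mode, so it needs a why-comment, e.g. `// external services have no dataplanes that could be issued certs, so treat them as TLS-ready` if that is indeed the rationale, which the hunk itself does not show. resolveTLSReadiness begins before this hunk.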
@@ -0,0 +1,86 @@
+package externalservices
+
+import (
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+
+ . "github.com/kumahq/kuma/test/framework"
+ "github.com/kumahq/kuma/test/framework/client"
+ "github.com/kumahq/kuma/test/framework/deployments/democlient"
+ "github.com/kumahq/kuma/test/framework/deployments/testserver"
+ "github.com/kumahq/kuma/test/framework/envs/kubernetes"
+)
+
+func PermissiveMTLS() {
+ meshName := "perm-external-services"
+ namespace := "perm-external-services"
+ clientNamespace := "perm-client-external-services"
+
+ mesh := `
+apiVersion: kuma.io/v1alpha1
+kind: Mesh
+metadata:
+ name: perm-external-services
+spec:
+ mtls:
+ enabledBackend: ca-1
+ backends:
+ - name: ca-1
+ type: builtin
+ mode: PERMISSIVE
+ networking:
+ outbound:
+ passthrough: false
+ routing:
+ zoneEgress: true
+`
+
+ tlsExternalService := `
+apiVersion: kuma.io/v1alpha1
+kind: ExternalService
+mesh: perm-external-services
+metadata:
+ name: perm-tls-external-service
+spec:
+ tags:
+ kuma.io/service: perm-tls-external-service
+ kuma.io/protocol: http
+ networking:
+ address: perm-tls-external-service.perm-external-services.svc.cluster.local:80 # .svc.cluster.local is needed, otherwise Kubernetes will resolve this to the real IP
+ tls:
+ enabled: true
+`
+
+ BeforeAll(func() {
+ err := NewClusterSetup().
+ Install(YamlK8s(mesh)).
+ Install(YamlK8s(tlsExternalService)).
+ Install(Namespace(namespace)).
+ Install(NamespaceWithSidecarInjection(clientNamespace)).
+ Install(democlient.Install(democlient.WithNamespace(clientNamespace), democlient.WithMesh(meshName))).
+ Install(testserver.Install(
+ testserver.WithNamespace(namespace),
+ testserver.WithEchoArgs("--tls", "--crt=/kuma/server.crt", "--key=/kuma/server.key"),
+ testserver.WithName("perm-tls-external-service"),
+ testserver.WithoutProbes(), // not compatible with TLS
+ )).
+ Setup(kubernetes.Cluster)
+ Expect(err).ToNot(HaveOccurred())
+ })
+
+ E2EAfterAll(func() {
+ Expect(kubernetes.Cluster.TriggerDeleteNamespace(clientNamespace)).To(Succeed())
+ Expect(kubernetes.Cluster.TriggerDeleteNamespace(namespace)).To(Succeed())
+ Expect(kubernetes.Cluster.DeleteMesh(meshName)).To(Succeed())
+ })
+
+ It("should access external service", func() {
+ Eventually(func(g Gomega) {
+ _, err := client.CollectEchoResponse(
+ kubernetes.Cluster, "demo-client", "http://perm-tls-external-service.mesh",
+ client.FromKubernetesPod(clientNamespace, "demo-client"),
+ )
+ g.Expect(err).ToNot(HaveOccurred())
+ }, "30s", "1s").Should(Succeed())
+ })
+}
diff --git a/test/e2e_env/kubernetes/kubernetes_suite_test.go b/test/e2e_env/kubernetes/kubernetes_suite_test.go
index 3eca0d5ba144..dd573631b7c4 100644
--- a/test/e2e_env/kubernetes/kubernetes_suite_test.go
+++ b/test/e2e_env/kubernetes/kubernetes_suite_test.go
@@ -64,6 +64,7 @@ var (
 _ = Describe("Reachable Services", reachableservices.ReachableServices, Ordered)
 _ = Describe("Defaults", defaults.Defaults, Ordered)
 _ = Describe("External Services", externalservices.ExternalServices, Ordered)
+ _ = Describe("External Services Permissive MTLS", externalservices.PermissiveMTLS, Ordered)
 _ = Describe("Virtual Outbound", virtualoutbound.VirtualOutbound, Ordered)
 _ = Describe("Kong Ingress Controller", Label("arm-not-supported"), kic.KICKubernetes, Ordered)
 _ = Describe("MeshTrafficPermission API", meshtrafficpermission.API, Ordered)
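Review bot: The assertion in the `It("should access external service")` block only checks that `client.CollectEchoResponse` returned no error and discards the response itself (`_, err := ...`), so the spec would pass against any responder answering on `perm-tls-external-service.mesh`; asserting on the returned echo response (its instance field, if the framework's response type exposes one) would tie success to the `perm-tls-external-service` testserver the fixture deploys. The exported `PermissiveMTLS` also has no doc comment; `// PermissiveMTLS checks that a TLS-enabled ExternalService is reachable through zone egress when the mesh's builtin mTLS backend runs in PERMISSIVE mode.` states what the Mesh and ExternalService YAML in the hunk set up. The ExternalService enables `tls` without a `caCert`, which presumably means the upstream certificate is not verified; that is fine for a self-signed testserver, but a one-line comment saying so would keep this fixture from being copied as a production pattern.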