fix: EnvoyExtensionPolicy reference grant (envoyproxy#4851)

* fix: EnvoyExtensionPolicy reference grant Signed-off-by: Guy Daich <[email protected]> * fix lint, add release note Signed-off-by: Guy Daich <[email protected]> --------- Signed-off-by: Guy Daich <[email protected]> (cherry picked from commit 905405e) Signed-off-by: Huabing Zhao <[email protected]>
zhaohuabing · Dec 13, 2024 · 0a5dcb7 · 0a5dcb7
1 parent f52cdd0
commit 0a5dcb7
Show file tree

Hide file tree

Showing 4 changed files with 171 additions and 5 deletions.
diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go
@@ -2088,7 +2088,7 @@ func (r *gatewayAPIReconciler) processEnvoyExtensionPolicyObjectRefs(
 
 				if backendNamespace != policy.Namespace {
 					from := ObjectKindNamespacedName{
-						kind:      resource.KindHTTPRoute,
+						kind:      resource.KindEnvoyExtensionPolicy,
 						namespace: policy.Namespace,
 						name:      policy.Name,
 					}

diff --git a/internal/provider/kubernetes/controller_test.go b/internal/provider/kubernetes/controller_test.go
@@ -12,8 +12,10 @@ import (
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/envoygateway"
@@ -288,3 +290,162 @@ func TestProcessGatewayClassParamsRef(t *testing.T) {
 		})
 	}
 }
+
+func TestProcessEnvoyExtensionPolicyObjectRefs(t *testing.T) {
+	testCases := []struct {
+		name                 string
+		envoyExtensionPolicy *egv1a1.EnvoyExtensionPolicy
+		backend              *egv1a1.Backend
+		referenceGrant       *gwapiv1b1.ReferenceGrant
+		shouldBeAdded        bool
+	}{
+		{
+			name: "valid envoy extension policy with proper ref grant to backend",
+			envoyExtensionPolicy: &egv1a1.EnvoyExtensionPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "ns-1",
+					Name:      "test-policy",
+				},
+				Spec: egv1a1.EnvoyExtensionPolicySpec{
+					ExtProc: []egv1a1.ExtProc{
+						{
+							BackendCluster: egv1a1.BackendCluster{
+								BackendRefs: []egv1a1.BackendRef{
+									{
+										BackendObjectReference: gwapiv1.BackendObjectReference{
+											Namespace: gatewayapi.NamespacePtr("ns-2"),
+											Name:      "test-backend",
+											Kind:      gatewayapi.KindPtr(resource.KindBackend),
+											Group:     gatewayapi.GroupPtr(egv1a1.GroupName),
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			backend: &egv1a1.Backend{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "ns-2",
+					Name:      "test-backend",
+				},
+			},
+			referenceGrant: &gwapiv1b1.ReferenceGrant{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "ns-2",
+					Name:      "test-grant",
+				},
+				Spec: gwapiv1b1.ReferenceGrantSpec{
+					From: []gwapiv1b1.ReferenceGrantFrom{
+						{
+							Namespace: gwapiv1.Namespace("ns-1"),
+							Kind:      gwapiv1.Kind(resource.KindEnvoyExtensionPolicy),
+							Group:     gwapiv1.Group(egv1a1.GroupName),
+						},
+					},
+					To: []gwapiv1b1.ReferenceGrantTo{
+						{
+							Name:  gatewayapi.ObjectNamePtr("test-backend"),
+							Kind:  gwapiv1.Kind(resource.KindBackend),
+							Group: gwapiv1.Group(egv1a1.GroupName),
+						},
+					},
+				},
+			},
+			shouldBeAdded: true,
+		},
+		{
+			name: "valid envoy extension policy with wrong from kind in ref grant to backend",
+			envoyExtensionPolicy: &egv1a1.EnvoyExtensionPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "ns-1",
+					Name:      "test-policy",
+				},
+				Spec: egv1a1.EnvoyExtensionPolicySpec{
+					ExtProc: []egv1a1.ExtProc{
+						{
+							BackendCluster: egv1a1.BackendCluster{
+								BackendRefs: []egv1a1.BackendRef{
+									{
+										BackendObjectReference: gwapiv1.BackendObjectReference{
+											Namespace: gatewayapi.NamespacePtr("ns-2"),
+											Name:      "test-backend",
+											Kind:      gatewayapi.KindPtr(resource.KindBackend),
+											Group:     gatewayapi.GroupPtr(egv1a1.GroupName),
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			backend: &egv1a1.Backend{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "ns-2",
+					Name:      "test-backend",
+				},
+			},
+			referenceGrant: &gwapiv1b1.ReferenceGrant{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "ns-2",
+					Name:      "test-grant",
+				},
+				Spec: gwapiv1b1.ReferenceGrantSpec{
+					From: []gwapiv1b1.ReferenceGrantFrom{
+						{
+							Namespace: gwapiv1.Namespace("ns-1"),
+							Kind:      gwapiv1.Kind(resource.KindHTTPRoute),
+							Group:     gwapiv1.Group(gwapiv1.GroupName),
+						},
+					},
+					To: []gwapiv1b1.ReferenceGrantTo{
+						{
+							Name:  gatewayapi.ObjectNamePtr("test-backend"),
+							Kind:  gwapiv1.Kind(resource.KindBackend),
+							Group: gwapiv1.Group(egv1a1.GroupName),
+						},
+					},
+				},
+			},
+			shouldBeAdded: false,
+		},
+	}
+
+	for i := range testCases {
+		tc := testCases[i]
+		// Run the test cases.
+		t.Run(tc.name, func(t *testing.T) {
+			// Add objects referenced by test cases.
+			objs := []client.Object{tc.envoyExtensionPolicy, tc.backend, tc.referenceGrant}
+
+			// Create the reconciler.
+			logger := logging.DefaultLogger(egv1a1.LogLevelInfo)
+
+			ctx := context.Background()
+
+			r := &gatewayAPIReconciler{
+				log:             logger,
+				classController: "some-gateway-class",
+			}
+
+			r.client = fakeclient.NewClientBuilder().
+				WithScheme(envoygateway.GetScheme()).
+				WithObjects(objs...).
+				WithIndex(&gwapiv1b1.ReferenceGrant{}, targetRefGrantRouteIndex, getReferenceGrantIndexerFunc()).
+				Build()
+
+			resourceTree := resource.NewResources()
+			resourceMap := newResourceMapping()
+
+			err := r.processEnvoyExtensionPolicies(ctx, resourceTree, resourceMap)
+			require.NoError(t, err)
+			if tc.shouldBeAdded {
+				require.Contains(t, resourceTree.ReferenceGrants, tc.referenceGrant)
+			} else {
+				require.NotContains(t, resourceTree.ReferenceGrants, tc.referenceGrant)
+			}
+		})
+	}
+}
diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go
@@ -52,17 +52,21 @@ const (
 )
 
 func addReferenceGrantIndexers(ctx context.Context, mgr manager.Manager) error {
-	if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1b1.ReferenceGrant{}, targetRefGrantRouteIndex, func(rawObj client.Object) []string {
+	if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1b1.ReferenceGrant{}, targetRefGrantRouteIndex, getReferenceGrantIndexerFunc()); err != nil {
+		return err
+	}
+	return nil
+}
+
+func getReferenceGrantIndexerFunc() func(rawObj client.Object) []string {
+	return func(rawObj client.Object) []string {
 		refGrant := rawObj.(*gwapiv1b1.ReferenceGrant)
 		var referredServices []string
 		for _, target := range refGrant.Spec.To {
 			referredServices = append(referredServices, string(target.Kind))
 		}
 		return referredServices
-	}); err != nil {
-		return err
 	}
-	return nil
 }
 
 // addHTTPRouteIndexers adds indexing on HTTPRoute.

diff --git a/release-notes/current.yaml b/release-notes/current.yaml
@@ -14,6 +14,7 @@ new features: |
 
 # Fixes for bugs identified in previous versions.
 bug fixes: |
+  Fixed reference grant from EnvoyExtensionPolicy to referenced ext-proc backend not respected
 
 # Enhancements that improve performance.
 performance improvements: |