fix: BackendTlsPolicy specify multiple targetRefs of the same service…
…, only one will work (envoyproxy#4630) * add tests Signed-off-by: Huabing Zhao <[email protected]> * fix matching comparison Signed-off-by: Huabing Zhao <[email protected]> * add release note Signed-off-by: Huabing Zhao <[email protected]> * fix lint Signed-off-by: Huabing Zhao <[email protected]> * fix lint Signed-off-by: Huabing Zhao <[email protected]> --------- Signed-off-by: Huabing Zhao <[email protected]>
1 parent
7b6834e
commit 44c2f74
Showing
4 changed files
with
369 additions
and
6 deletions.
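--- a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml
@@ -0,0 +1,123 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+name: gateway-btls
+namespace: envoy-gateway
+spec:
+gatewayClassName: envoy-gateway-class
+listeners:
+- name: http
+protocol: HTTP
+port: 80
+allowedRoutes:
+namespaces:
+from: All
+
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+name: httproute-btls-1
+namespace: envoy-gateway
+spec:
+parentRefs:
+- namespace: envoy-gateway
+name: gateway-btls
+sectionName: http
+rules:
+- matches:
+- path:
+type: Exact
+value: "/exact-1"
+backendRefs:
+- name: http-backend
+namespace: envoy-gateway
+port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+name: httproute-btls-2
+namespace: envoy-gateway
+spec:
+parentRefs:
+- namespace: envoy-gateway
+name: gateway-btls
+sectionName: http
+rules:
+- matches:
+- path:
+type: Exact
+value: "/exact-2"
+backendRefs:
+- name: http-backend
+namespace: envoy-gateway
+port: 8081
+
+services:
+- apiVersion: v1
+kind: Service
+metadata:
+name: http-backend
+namespace: envoy-gateway
+spec:
+clusterIP: 10.11.12.13
+ports:
+- port: 8080
+name: http
+protocol: TCP
+targetPort: 8080
+- port: 8081
+name: http
+protocol: TCP
+targetPort: 8081
+
+configMaps:
+- apiVersion: v1
+kind: ConfigMap
+metadata:
+name: ca-cmap
+namespace: envoy-gateway
+data:
+ca.crt: |
+-----BEGIN CERTIFICATE-----
+MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL
+BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw
+MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G
+A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc
+1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM
+yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b
+kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU
+Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq
+ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR
+bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48
+6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz
+2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J
+i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE
+A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg
+d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1
+3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q==
+-----END CERTIFICATE-----
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: BackendTLSPolicy
+metadata:
+name: policy-btls
+namespace: envoy-gateway
+spec:
+targetRefs:
+- group: ""
+kind: Service
+name: http-backend
+sectionName: "8080"
+- group: ""
+kind: Service
+name: http-backend
+sectionName: "8081"
+validation:
+caCertificateRefs:
+- name: ca-cmap
+group: ""
+kind: ConfigMap
+hostname: example.com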
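Review bot: Both entries under `ports` of the `http-backend` Service carry `name: http`; Kubernetes requires port names to be unique within a Service, so an API server would reject this object, and the fixture presumably only works because the translator test loads it without that validation. The Gateway API describes a Service `sectionName` as a port name, whereas the policy here targets `"8080"` and `"8081"`, and how the translator resolves those values is not visible on this page. Distinct names, for example `name: http-8080` and `name: http-8081`, would keep the fixture valid and leave room for a by-name targetRef case, so a regression that leaves one port without the CA and SNI settings is caught under either form of reference.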
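--- a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml
@@ -0,0 +1,239 @@
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: BackendTLSPolicy
+metadata:
+creationTimestamp: null
+name: policy-btls
+namespace: envoy-gateway
+spec:
+targetRefs:
+- group: ""
+kind: Service
+name: http-backend
+sectionName: "8080"
+- group: ""
+kind: Service
+name: http-backend
+sectionName: "8081"
+validation:
+caCertificateRefs:
+- group: ""
+kind: ConfigMap
+name: ca-cmap
+hostname: example.com
+status:
+ancestors:
+- ancestorRef:
+name: gateway-btls
+namespace: envoy-gateway
+sectionName: http
+conditions:
+- lastTransitionTime: null
+message: Policy has been accepted.
+reason: Accepted
+status: "True"
+type: Accepted
+controllerName: gateway.envoyproxy.io/gatewayclass-controller
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+creationTimestamp: null
+name: gateway-btls
+namespace: envoy-gateway
+spec:
+gatewayClassName: envoy-gateway-class
+listeners:
+- allowedRoutes:
+namespaces:
+from: All
+name: http
+port: 80
+protocol: HTTP
+status:
+listeners:
+- attachedRoutes: 2
+conditions:
+- lastTransitionTime: null
+message: Sending translated listener configuration to the data plane
+reason: Programmed
+status: "True"
+type: Programmed
+- lastTransitionTime: null
+message: Listener has been successfully translated
+reason: Accepted
+status: "True"
+type: Accepted
+- lastTransitionTime: null
+message: Listener references have been resolved
+reason: ResolvedRefs
+status: "True"
+type: ResolvedRefs
+name: http
+supportedKinds:
+- group: gateway.networking.k8s.io
+kind: HTTPRoute
+- group: gateway.networking.k8s.io
+kind: GRPCRoute
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+creationTimestamp: null
+name: httproute-btls-1
+namespace: envoy-gateway
+spec:
+parentRefs:
+- name: gateway-btls
+namespace: envoy-gateway
+sectionName: http
+rules:
+- backendRefs:
+- name: http-backend
+namespace: envoy-gateway
+port: 8080
+matches:
+- path:
+type: Exact
+value: /exact-1
+status:
+parents:
+- conditions:
+- lastTransitionTime: null
+message: Route is accepted
+reason: Accepted
+status: "True"
+type: Accepted
+- lastTransitionTime: null
+message: Resolved all the Object references for the Route
+reason: ResolvedRefs
+status: "True"
+type: ResolvedRefs
+controllerName: gateway.envoyproxy.io/gatewayclass-controller
+parentRef:
+name: gateway-btls
+namespace: envoy-gateway
+sectionName: http
+- apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+creationTimestamp: null
+name: httproute-btls-2
+namespace: envoy-gateway
+spec:
+parentRefs:
+- name: gateway-btls
+namespace: envoy-gateway
+sectionName: http
+rules:
+- backendRefs:
+- name: http-backend
+namespace: envoy-gateway
+port: 8081
+matches:
+- path:
+type: Exact
+value: /exact-2
+status:
+parents:
+- conditions:
+- lastTransitionTime: null
+message: Route is accepted
+reason: Accepted
+status: "True"
+type: Accepted
+- lastTransitionTime: null
+message: Resolved all the Object references for the Route
+reason: ResolvedRefs
+status: "True"
+type: ResolvedRefs
+controllerName: gateway.envoyproxy.io/gatewayclass-controller
+parentRef:
+name: gateway-btls
+namespace: envoy-gateway
+sectionName: http
+infraIR:
+envoy-gateway/gateway-btls:
+proxy:
+listeners:
+- address: null
+name: envoy-gateway/gateway-btls/http
+ports:
+- containerPort: 10080
+name: http-80
+protocol: HTTP
+servicePort: 80
+metadata:
+labels:
+gateway.envoyproxy.io/owning-gateway-name: gateway-btls
+gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+name: envoy-gateway/gateway-btls
+xdsIR:
+envoy-gateway/gateway-btls:
+accessLog:
+text:
+- path: /dev/stdout
+http:
+- address: 0.0.0.0
+hostnames:
+- '*'
+isHTTP2: false
+metadata:
+kind: Gateway
+name: gateway-btls
+namespace: envoy-gateway
+sectionName: http
+name: envoy-gateway/gateway-btls/http
+path:
+escapedSlashesAction: UnescapeAndRedirect
+mergeSlashes: true
+port: 10080
+routes:
+- destination:
+name: httproute/envoy-gateway/httproute-btls-1/rule/0
+settings:
+- protocol: HTTP
+tls:
+alpnProtocols: null
+caCertificate:
+certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNQjRYRFRJek1UQXcKTWpBMU5ERTFOMW9YRFRJME1UQXdNVEExTkRFMU4xb3dJekVRTUE0R0ExVUVBd3dIYlhsamFXVnVkREVQTUEwRwpBMVVFQ2d3R2EzVmlaV1JpTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF3U1RjCjF5ajhIVzYybnlua0ZiWG80VlhLdjJqQzBQTTdkUFZreTg3RndlWmNUS0xvV1FWUFFFMnAya0xESzZPRXN6bU0KeXlyK3h4V3R5aXZlcmVtcldxbktrTlRZaExmWVBoZ1FrY3ppYjdlVWFsbUZqVWJoV2RMdkhha2JFZ0NvZG4zYgprejU3bUluWDJWcGlET0tnNGt5SGZpdVhXcGlCcXJDeDBLTkxweG8zREVRY0Zjc1FUZVRIemg0NzUyR1YwNFJVClRpL0dFV3l6SXNsNFJnN3RHdEF3bWNJUGdVTlVmWTJRMzkwRkdxZEg0YWhuK213LzZhRmJXMzFXNjNkOVlKVnEKaW95T1ZjYU1JcE01Qi9jN1FjOFN1aENJMVlHaFV5ZzRjUkhMRXc1VnRpa2lveUUzWDA0a25hM2pRQWo1NFliUgpicEVoYzM1YXBLTEIyMUhPVVFJREFRQUJvMU13VVRBZEJnTlZIUTRFRmdRVXl2bDBWSTV2SlZTdVlGWHU3QjQ4CjZQYk1FQW93SHdZRFZSMGpCQmd3Rm9BVXl2bDBWSTV2SlZTdVlGWHU3QjQ4NlBiTUVBb3dEd1lEVlIwVEFRSC8KQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBTUx4cmdGVk11TlJxMndBd2NCdDdTbk5SNUNmegoyTXZYcTVFVW11YXdJVWk5a2FZandkVmlEUkVHU2prN0pXMTd2bDU3NkhqRGtkZlJ3aTRFMjhTeWRSSW5aZjZKCmk4SFpjWjdjYUg2RHhSMzM1ZmdIVnpMaTVOaVRjZS9Pak5CUXpRMk1KWFZEZDhEQm1HNWZ5YXRKaU9KUTRiV0UKQTdGbFAwUmRQM0NPM0dXRTBNNWlYT0IybTFxV2tFMmV5TzRVSHZ3VHFOUUxkcmRBWGdEUWxiYW05ZTRCRzNHZwpkLzZ0aEFrV0RidC9RTlQrRUpIREN2aERSS2gxUnVHSHlnK1krL25lYlRXV3JGV3NrdFJyYk9vSENaaUNwWEkxCjNlWEU2bnQwWWtndER4RzIyS3FuaHBBZzlnVVNzMmhsaG94eXZrenlGMG11Nk5oUGx3QWducTcrL1E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+name: policy-btls/envoy-gateway-ca
+sni: example.com
+weight: 1
+directResponse:
+statusCode: 500
+hostname: '*'
+isHTTP2: false
+metadata:
+kind: HTTPRoute
+name: httproute-btls-1
+namespace: envoy-gateway
+name: httproute/envoy-gateway/httproute-btls-1/rule/0/match/0/*
+pathMatch:
+distinct: false
+exact: /exact-1
+name: ""
+- destination:
+name: httproute/envoy-gateway/httproute-btls-2/rule/0
+settings:
+- protocol: HTTP
+tls:
+alpnProtocols: null
+caCertificate:
+certificate: 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
+name: policy-btls/envoy-gateway-ca
+sni: example.com
+weight: 1
+directResponse:
+statusCode: 500
+hostname: '*'
+isHTTP2: false
+metadata:
+kind: HTTPRoute
+name: httproute-btls-2
+namespace: envoy-gateway
+name: httproute/envoy-gateway/httproute-btls-2/rule/0/match/0/*
+pathMatch:
+distinct: false
+exact: /exact-2
+name: ""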