add test files

internal/xds/translator/httpfilters_test.go

@@ -30,8 +30,10 @@ func Test_sortHTTPFilters(t *testing.T) {
 				httpFilterForTest(wellknown.HTTPRateLimit),
 				httpFilterForTest(wellknown.Fault),
 				httpFilterForTest(extAuthFilter + "-route1"),
+				httpFilterForTest(aclFilter + "-route1"),
 			},
 			want: []*hcmv3.HttpFilter{
+				httpFilterForTest(aclFilter + "-route1"),
 				httpFilterForTest(wellknown.CORS),
 				httpFilterForTest(extAuthFilter + "-route1"),
 				httpFilterForTest(basicAuthFilter + "-route1"),

internal/xds/translator/testdata/in/xds-ir/acl.yaml

@@ -0,0 +1,27 @@
+http:
+- name: "first-listener-v4"
+  address: "0.0.0.0"
+  port: 10080
+  hostnames:
+  - "www.example.com"
+  path:
+    mergeSlashes: true
+    escapedSlashesAction: UnescapeAndRedirect
+  routes:
+  - name: httproute/default/httproute-1/rule/0/match/0/www_example_com
+    hostname: "*"
+    pathMatch:
+      exact: "foo"
+    destination:
+      name: httproute/default/httproute-1/rule/0
+      settings:
+      - endpoints:
+        - host: "10.0.0.1"
+          port: 50000
+    acl:
+      allow:
+      - prefix: "8.8.8.0"
+        length: 24
+      deny:
+      - prefix: "8.8.8.8"
+        length: 32

internal/xds/translator/testdata/out/xds-ir/acl.clusters.yaml

@@ -0,0 +1,14 @@
+- commonLbConfig:
+    localityWeightedLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_ONLY
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: httproute/default/httproute-1/rule/0
+  lbPolicy: LEAST_REQUEST
+  name: httproute/default/httproute-1/rule/0
+  outlierDetection: {}
+  perConnectionBufferLimitBytes: 32768
+  type: EDS

internal/xds/translator/testdata/out/xds-ir/acl.endpoints.yaml

@@ -0,0 +1,12 @@
+- clusterName: httproute/default/httproute-1/rule/0
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 10.0.0.1
+            portValue: 50000
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: httproute/default/httproute-1/rule/0/backend/0

internal/xds/translator/testdata/out/xds-ir/acl.listeners.yaml

@@ -0,0 +1,60 @@
+- address:
+    socketAddress:
+      address: 0.0.0.0
+      portValue: 10080
+  defaultFilterChain:
+    filters:
+    - name: envoy.filters.network.http_connection_manager
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+        commonHttpProtocolOptions:
+          headersWithUnderscoresAction: REJECT_REQUEST
+        http2ProtocolOptions:
+          initialConnectionWindowSize: 1048576
+          initialStreamWindowSize: 65536
+          maxConcurrentStreams: 100
+        httpFilters:
+        - name: envoy.filters.http.acl_httproute/default/httproute-1/rule/0/match/0/www_example_com_ALLOW
+          typedConfig:
+            '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
+            rules:
+              policies:
+                allow-acl:
+                  permissions:
+                  - any: true
+                  principals:
+                  - sourceIp:
+                      addressPrefix: 8.8.8.0
+                      prefixLen: 24
+        - name: envoy.filters.http.acl_httproute/default/httproute-1/rule/0/match/0/www_example_com_DENY
+          typedConfig:
+            '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
+            rules:
+              action: DENY
+              policies:
+                deny-acl:
+                  permissions:
+                  - any: true
+                  principals:
+                  - sourceIp:
+                      addressPrefix: 8.8.8.8
+                      prefixLen: 32
+        - name: envoy.filters.http.router
+          typedConfig:
+            '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+            suppressEnvoyHeaders: true
+        mergeSlashes: true
+        normalizePath: true
+        pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
+        rds:
+          configSource:
+            ads: {}
+            resourceApiVersion: V3
+          routeConfigName: first-listener-v4
+        serverHeaderTransformation: PASS_THROUGH
+        statPrefix: http
+        upgradeConfigs:
+        - upgradeType: websocket
+        useRemoteAddress: true
+  name: first-listener-v4
+  perConnectionBufferLimitBytes: 32768

internal/xds/translator/testdata/out/xds-ir/acl.routes.yaml

@@ -0,0 +1,26 @@
+- ignorePortInHostMatching: true
+  name: first-listener-v4
+  virtualHosts:
+  - domains:
+    - '*'
+    name: first-listener-v4/*
+    routes:
+    - match:
+        path: foo
+      name: httproute/default/httproute-1/rule/0/match/0/www_example_com
+      route:
+        cluster: httproute/default/httproute-1/rule/0
+      typedPerFilterConfig:
+        envoy.filters.http.acl_httproute/default/httproute-1/rule/0/match/0/www_example_com_DENY:
+          '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
+          rbac:
+            rules:
+              action: DENY
+              policies:
+                deny-acl:
+                  permissions:
+                  - any: true
+                  principals:
+                  - sourceIp:
+                      addressPrefix: 8.8.8.8
+                      prefixLen: 32

internal/xds/translator/translator_test.go

@@ -264,6 +264,9 @@ func TestTranslateXds(t *testing.T) {
 		{
 			name: "ext-auth",
 		},
+		{
+			name: "acl",
+		},
 		{
 			name: "http10",
 		},