fix: remove backendrefs validation (#4705)

* remove backendrefs validation Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * add tests Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * add tests Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com>
envoyproxy · Nov 14, 2024 · 5068698 · 5068698
1 parent c2b0ee3
commit 5068698
Show file tree

Hide file tree

Showing 8 changed files with 352 additions and 82 deletions.
diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go
@@ -56,7 +56,6 @@ type ExtAuth struct {
 // The authorization request message is defined in
 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
 // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0"
-// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true"
 type GRPCExtAuthService struct {
@@ -67,7 +66,6 @@ type GRPCExtAuthService struct {
 // HTTPExtAuthService defines the HTTP External Authorization service
 //
 // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0"
-// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true"
 // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true"
 type HTTPExtAuthService struct {

diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -1204,8 +1204,6 @@ spec:
                     x-kubernetes-validations:
                     - message: backendRef or backendRefs needs to be set
                       rule: has(self.backendRef) || self.backendRefs.size() > 0
-                    - message: BackendRefs must be used, backendRef is not supported.
-                      rule: '!has(self.backendRef)'
                     - message: BackendRefs only supports Service and Backend kind.
                       rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
                         == ''Service'' || f.kind == ''Backend'') : true'
@@ -2103,8 +2101,6 @@ spec:
                     x-kubernetes-validations:
                     - message: backendRef or backendRefs needs to be set
                       rule: has(self.backendRef) || self.backendRefs.size() > 0
-                    - message: BackendRefs must be used, backendRef is not supported.
-                      rule: '!has(self.backendRef)'
                     - message: BackendRefs only supports Service and Backend kind.
                       rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
                         == ''Service'' || f.kind == ''Backend'') : true'

diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -841,14 +841,15 @@ func (t *Translator) buildBasicAuth(
 
 func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) (*ir.ExtAuth, error) {
 	var (
-		http      = policy.Spec.ExtAuth.HTTP
-		grpc      = policy.Spec.ExtAuth.GRPC
-		backends  *egv1a1.BackendCluster
-		protocol  ir.AppProtocol
-		rd        *ir.RouteDestination
-		authority string
-		err       error
-		traffic   *ir.TrafficFeatures
+		http            = policy.Spec.ExtAuth.HTTP
+		grpc            = policy.Spec.ExtAuth.GRPC
+		backendRefs     []egv1a1.BackendRef
+		backendSettings *egv1a1.ClusterSettings
+		protocol        ir.AppProtocol
+		rd              *ir.RouteDestination
+		authority       string
+		err             error
+		traffic         *ir.TrafficFeatures
 	)
 
 	// These are sanity checks, they should never happen because the API server
@@ -861,18 +862,42 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso
 
 	switch {
 	case http != nil:
-		backends = &http.BackendCluster
 		protocol = ir.HTTP
+		switch {
+		case len(http.BackendRefs) > 0:
+			backendRefs = http.BackendCluster.BackendRefs
+		case http.BackendRef != nil:
+			backendRefs = []egv1a1.BackendRef{
+				{
+					BackendObjectReference: *http.BackendRef,
+				},
+			}
+		default:
+			// This is a sanity check, it should never happen because the API server should have caught it
+			return nil, errors.New("http backend refs must be specified")
+		}
 	case grpc != nil:
-		backends = &grpc.BackendCluster
 		protocol = ir.GRPC
+		switch {
+		case len(grpc.BackendCluster.BackendRefs) > 0:
+			backendRefs = grpc.BackendRefs
+		case grpc.BackendRef != nil:
+			backendRefs = []egv1a1.BackendRef{
+				{
+					BackendObjectReference: *grpc.BackendRef,
+				},
+			}
+		default:
+			// This is a sanity check, it should never happen because the API server should have caught it
+			return nil, errors.New("grpc backend refs must be specified")
+		}
 	}
 
-	if rd, err = t.translateExtServiceBackendRefs(policy, backends.BackendRefs, protocol, resources, envoyProxy, 0); err != nil {
+	if rd, err = t.translateExtServiceBackendRefs(policy, backendRefs, protocol, resources, envoyProxy, 0); err != nil {
 		return nil, err
 	}
 
-	for _, backendRef := range backends.BackendRefs {
+	for _, backendRef := range backendRefs {
 		// Authority is the calculated hostname that will be used as the Authority header.
 		// If there are multiple backend referenced, simply use the first one - there are no good answers here.
 		// When translated to XDS, the authority is used on the filter level not on the cluster level.
@@ -882,7 +907,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso
 		}
 	}
 
-	if traffic, err = translateTrafficFeatures(backends.BackendSettings); err != nil {
+	if traffic, err = translateTrafficFeatures(backendSettings); err != nil {
 		return nil, err
 	}
 	extAuth := &ir.ExtAuth{

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml
@@ -58,6 +58,44 @@ httpRoutes:
           backendRefs:
             - name: service-3
               port: 8080
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-3
+    spec:
+      hostnames:
+        - www.baz.com
+      parentRefs:
+        - namespace: default
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: /baz
+          backendRefs:
+            - name: service-4
+              port: 8080
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-4
+    spec:
+      hostnames:
+        - www.qux.com
+      parentRefs:
+        - namespace: default
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: /qux
+          backendRefs:
+            - name: service-5
+              port: 8080
 backends:
   - apiVersion: gateway.envoyproxy.io/v1alpha1
     kind: Backend
@@ -108,3 +146,40 @@ securityPolicies:
               kind: Backend
               group: gateway.envoyproxy.io
               port: 3000
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: SecurityPolicy
+    metadata:
+      namespace: default
+      name: policy-for-http-route-3--grpc-backendref
+    spec:
+      targetRef:
+        group: gateway.networking.k8s.io
+        kind: HTTPRoute
+        name: httproute-3
+      extAuth:
+        failOpen: true
+        headersToExtAuth:
+          - header3
+          - header4
+        grpc:
+          backendRef:
+            name: service-2
+            kind: Service
+            port: 8080
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: SecurityPolicy
+    metadata:
+      namespace: default
+      name: policy-for-http-route-3-http-backendref
+    spec:
+      targetRef:
+        group: gateway.networking.k8s.io
+        kind: HTTPRoute
+        name: httproute-4
+      extAuth:
+        http:
+          backendRef:
+            name: backend-fqdn
+            kind: Backend
+            group: gateway.envoyproxy.io
+            port: 3000