feat: Add secret resource support for EnvoyPatchPolicy (#2466)

* Add secret resource support for EnvoyPatchPolicy Signed-off-by: He Jie Xu <hejie.xu@intel.com> * fix format Signed-off-by: He Jie Xu <hejie.xu@intel.com> * generate manifest Signed-off-by: He Jie Xu <hejie.xu@intel.com> * fix format Signed-off-by: He Jie Xu <hejie.xu@intel.com> --------- Signed-off-by: He Jie Xu <hejie.xu@intel.com>
envoyproxy · Jan 23, 2024 · 50db4a0 · 50db4a0
1 parent d0c12eb
commit 50db4a0
Show file tree

Hide file tree

Showing 7 changed files with 111 additions and 5 deletions.
diff --git a/api/v1alpha1/envoypatchpolicy_types.go b/api/v1alpha1/envoypatchpolicy_types.go
@@ -86,7 +86,7 @@ type EnvoyJSONPatchConfig struct {
 }
 
 // EnvoyResourceType specifies the type URL of the Envoy resource.
-// +kubebuilder:validation:Enum=type.googleapis.com/envoy.config.listener.v3.Listener;type.googleapis.com/envoy.config.route.v3.RouteConfiguration;type.googleapis.com/envoy.config.cluster.v3.Cluster;type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment
+// +kubebuilder:validation:Enum=type.googleapis.com/envoy.config.listener.v3.Listener;type.googleapis.com/envoy.config.route.v3.RouteConfiguration;type.googleapis.com/envoy.config.cluster.v3.Cluster;type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment;type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
 type EnvoyResourceType string
 
 const (

diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml
@@ -86,6 +86,7 @@ spec:
                       - type.googleapis.com/envoy.config.route.v3.RouteConfiguration
                       - type.googleapis.com/envoy.config.cluster.v3.Cluster
                       - type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment
+                      - type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
                       type: string
                   required:
                   - name

diff --git a/internal/xds/translator/jsonpatch.go b/internal/xds/translator/jsonpatch.go
@@ -14,6 +14,7 @@ import (
 	endpointv3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3"
 	listenerv3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+	tlsv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
 	resourcev3 "github.com/envoyproxy/go-control-plane/pkg/resource/v3"
 	jsonpatchv5 "github.com/evanphx/json-patch/v5"
 	"google.golang.org/protobuf/encoding/protojson"
@@ -45,6 +46,7 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []*
 				routeConfig  *routev3.RouteConfiguration
 				cluster      *clusterv3.Cluster
 				endpoint     *endpointv3.ClusterLoadAssignment
+				secret       *tlsv3.Secret
 				resourceJSON []byte
 				err          error
 			)
@@ -118,6 +120,18 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []*
 						status.SetEnvoyPatchPolicyInvalid(e.Status, msg)
 						continue
 					}
+				case string(resourcev3.SecretType):
+					temp := &tlsv3.Secret{}
+					if err = protojson.Unmarshal(jsonBytes, temp); err != nil {
+						msg := unmarshalErrorMessage(err, p.Operation.Value)
+						status.SetEnvoyPatchPolicyInvalid(e.Status, msg)
+						continue
+					}
+					if err = tCtx.AddXdsResource(resourcev3.SecretType, temp); err != nil {
+						msg := fmt.Sprintf("validation failed for xds resource %+v, err:%s", p.Operation.Value, err.Error())
+						status.SetEnvoyPatchPolicyInvalid(e.Status, msg)
+						continue
+					}
 
 				}
 
@@ -175,6 +189,17 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []*
 					errs = errors.Join(errs, err)
 					continue
 				}
+			case string(resourcev3.SecretType):
+				if secret = findXdsSecret(tCtx, p.Name); secret == nil {
+					msg := fmt.Sprintf("unable to find xds resource %s: %s", p.Type, p.Name)
+					status.SetEnvoyPatchPolicyResourceNotFound(e.Status, msg)
+					continue
+				}
+				if resourceJSON, err = m.Marshal(secret); err != nil {
+					err = fmt.Errorf("unable to marshal xds resource %s: %s, err: %w", p.Type, p.Name, err)
+					errs = multierror.Append(errs, err)
+					continue
+				}
 			}
 
 			// Convert patch to JSON
@@ -281,6 +306,23 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []*
 					errs = errors.Join(errs, err)
 					continue
 				}
+			case string(resourcev3.SecretType):
+				temp := &tlsv3.Secret{}
+				if err = protojson.Unmarshal(modifiedJSON, temp); err != nil {
+					msg := unmarshalErrorMessage(err, string(modifiedJSON))
+					status.SetEnvoyPatchPolicyInvalid(e.Status, msg)
+					continue
+				}
+				if err = temp.Validate(); err != nil {
+					msg := fmt.Sprintf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error())
+					status.SetEnvoyPatchPolicyInvalid(e.Status, msg)
+					continue
+				}
+				if err = deepCopyPtr(temp, secret); err != nil {
+					err := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err)
+					errs = multierror.Append(errs, err)
+					continue
+				}
 			}
 		}
 

diff --git a/internal/xds/translator/testdata/in/xds-ir/jsonpatch.yaml b/internal/xds/translator/testdata/in/xds-ir/jsonpatch.yaml
@@ -7,7 +7,7 @@ envoyPatchPolicies:
     name: "first-listener"
     operation:
       op: "add"
-      path: "/default_filter_chain/filters/0/typed_config/http_filters/0"
+      path: "/filter_chains/0/filters/0/typed_config/http_filters/0"
       value:
         name: "envoy.filters.http.ratelimit"
         typed_config:
@@ -54,6 +54,22 @@ envoyPatchPolicies:
       op: "replace"
       path: "/endpoints/0/load_balancing_weight"
       value: "50"
+  - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
+    name: "secret-1"
+    operation:
+      op: "replace"
+      path: "/tls_certificate/certificate_chain/inline_bytes"
+      value: "a2V5LWRhdGE="
+  - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
+    name: "test-secret"
+    operation:
+      op: "add"
+      path: ""
+      value:
+        name: test_secret
+        tls_certificate:
+          certificate_chain:
+            inline_bytes: Y2VydC1kYXRh
 http:
 - name: "first-listener"
   address: "0.0.0.0"
@@ -63,6 +79,19 @@ http:
   path:
     mergeSlashes: true
     escapedSlashesAction: UnescapeAndRedirect
+  tls:
+    alpnProtocols:
+    - h2
+    - http/1.1
+    certificates:
+    - name: secret-1
+      # byte slice representation of "key-data"
+      serverCertificate: [99, 101, 114, 116, 45, 100, 97, 116, 97]
+      # byte slice representation of "key-data"
+      privateKey: [107, 101, 121, 45, 100, 97, 116, 97]
+    - name: secret-2
+      serverCertificate: [99, 101, 114, 116, 45, 100, 97, 116, 97]
+      privateKey: [107, 101, 121, 45, 100, 97, 116, 97]
   routes:
   - name: "first-route"
     hostname: "*"

diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml
@@ -2,8 +2,8 @@
     socketAddress:
       address: 0.0.0.0
       portValue: 10080
-  defaultFilterChain:
-    filters:
+  filterChains:
+  - filters:
     - name: envoy.filters.network.http_connection_manager
       typedConfig:
         '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
@@ -36,9 +36,26 @@
             ads: {}
             resourceApiVersion: V3
           routeConfigName: first-listener
-        statPrefix: http
+        statPrefix: https
         upgradeConfigs:
         - upgradeType: websocket
         useRemoteAddress: true
+    transportSocket:
+      name: envoy.transport_sockets.tls
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+        commonTlsContext:
+          alpnProtocols:
+          - h2
+          - http/1.1
+          tlsCertificateSdsSecretConfigs:
+          - name: secret-1
+            sdsConfig:
+              ads: {}
+              resourceApiVersion: V3
+          - name: secret-2
+            sdsConfig:
+              ads: {}
+              resourceApiVersion: V3
   name: first-listener
   perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.secrets.yaml
@@ -0,0 +1,16 @@
+- name: secret-1
+  tlsCertificate:
+    certificateChain:
+      inlineBytes: a2V5LWRhdGE=
+    privateKey:
+      inlineBytes: a2V5LWRhdGE=
+- name: secret-2
+  tlsCertificate:
+    certificateChain:
+      inlineBytes: Y2VydC1kYXRh
+    privateKey:
+      inlineBytes: a2V5LWRhdGE=
+- name: test_secret
+  tlsCertificate:
+    certificateChain:
+      inlineBytes: Y2VydC1kYXRh
diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go
@@ -167,6 +167,7 @@ func TestTranslateXds(t *testing.T) {
 		{
 			name:                      "jsonpatch",
 			requireEnvoyPatchPolicies: true,
+			requireSecrets:            true,
 		},
 		{
 			name:                      "jsonpatch-missing-resource",