fix test

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
envoyproxy · Mar 12, 2024 · 8a8e841 · 8a8e841
1 parent 5d8f2b9
commit 8a8e841
Show file tree

Hide file tree

Showing 9 changed files with 117 additions and 22 deletions.
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml
@@ -29,10 +29,16 @@ httpRoutes:
       rules:
         - matches:
             - path:
-                value: /foo
+                value: /foo1
           backendRefs:
             - name: service-1
               port: 8080
+        - matches:
+            - path:
+                value: /foo2
+          backendRefs:
+            - name: service-2
+              port: 8080
   - apiVersion: gateway.networking.k8s.io/v1
     kind: HTTPRoute
     metadata:
@@ -50,7 +56,7 @@ httpRoutes:
             - path:
                 value: /bar
           backendRefs:
-            - name: service-1
+            - name: service-3
               port: 8080
 services:
   - apiVersion: v1

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml
@@ -59,7 +59,13 @@ httpRoutes:
         port: 8080
       matches:
       - path:
-          value: /foo
+          value: /foo1
+    - backendRefs:
+      - name: service-2
+        port: 8080
+      matches:
+      - path:
+          value: /foo2
   status:
     parents:
     - conditions:
@@ -93,7 +99,7 @@ httpRoutes:
       sectionName: http
     rules:
     - backendRefs:
-      - name: service-1
+      - name: service-3
         port: 8080
       matches:
       - path:
@@ -245,7 +251,42 @@ xdsIR:
         pathMatch:
           distinct: false
           name: ""
-          prefix: /foo
+          prefix: /foo1
+      - backendWeights:
+          invalid: 0
+          valid: 0
+        destination:
+          name: httproute/default/httproute-1/rule/1
+          settings:
+          - addressType: IP
+            endpoints:
+            - host: 7.7.7.7
+              port: 8080
+            protocol: HTTP
+            weight: 1
+        extAuth:
+          grpc:
+            authority: grpc-backend.default:9000
+            destination:
+              name: securitypolicy/default/policy-for-http-route/grpc-backend
+              settings:
+              - addressType: IP
+                endpoints:
+                - host: 8.8.8.8
+                  port: 9000
+                protocol: GRPC
+                weight: 1
+          headersToExtAuth:
+          - header1
+          - header2
+          name: default/httproute-1
+        hostname: www.foo.com
+        isHTTP2: false
+        name: httproute/default/httproute-1/rule/1/match/0/www_foo_com
+        pathMatch:
+          distinct: false
+          name: ""
+          prefix: /foo2
       - backendWeights:
           invalid: 0
           valid: 0

diff --git a/internal/xds/translator/basicauth.go b/internal/xds/translator/basicauth.go
@@ -129,7 +129,8 @@ func (*basicAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error
 	if irRoute.BasicAuth == nil {
 		return nil
 	}
-	if err := enableFilterOnRoute(basicAuthFilter, route, irRoute.Name); err != nil {
+	filterName := basicAuthFilterName(irRoute)
+	if err := enableFilterOnRoute(route, filterName); err != nil {
 		return err
 	}
 	return nil

diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
@@ -58,10 +58,8 @@ func (*extAuth) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPLi
 		// Only generates one OAuth2 Envoy filter for each unique name.
 		// For example, if there are two routes under the same gateway with the
 		// same OIDC config, only one OAuth2 filter will be generated.
-		for _, existingFilter := range mgr.HttpFilters {
-			if existingFilter.Name == extAuthFilterName(route.ExtAuth) {
-				continue
-			}
+		if hcmContainsFilter(mgr, extAuthFilterName(route.ExtAuth)) {
+			continue
 		}
 
 		filter, err := buildHCMExtAuthFilter(route.ExtAuth)
@@ -285,7 +283,8 @@ func (*extAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
 	if irRoute.ExtAuth == nil {
 		return nil
 	}
-	if err := enableFilterOnRoute(extAuthFilter, route, irRoute.ExtAuth.Name); err != nil {
+	filterName := extAuthFilterName(irRoute.ExtAuth)
+	if err := enableFilterOnRoute(route, filterName); err != nil {
 		return err
 	}
 	return nil

diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go
@@ -94,7 +94,7 @@ func buildHCMOAuth2Filter(route *ir.HTTPRoute) (*hcmv3.HttpFilter, error) {
 }
 
 func oauth2FilterName(route *ir.HTTPRoute) string {
-	return fmt.Sprintf("%s_%s", oauth2Filter, route.Name)
+	return perRouteFilterName(oauth2Filter, route.Name)
 }
 
 func oauth2Config(route *ir.HTTPRoute) (*oauth2v3.OAuth2, error) {
@@ -340,8 +340,8 @@ func (*oidc) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
 	if irRoute.OIDC == nil {
 		return nil
 	}
-
-	if err := enableFilterOnRoute(oauth2Filter, route, irRoute.Name); err != nil {
+	filterName := oauth2FilterName(irRoute)
+	if err := enableFilterOnRoute(route, filterName); err != nil {
 		return err
 	}
 	return nil

diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml
@@ -35,6 +35,33 @@ http:
               port: 80
             protocol: HTTP
             weight: 1
+  - name: httproute/default/httproute-1/rule/1/match/0/www_example_com
+    hostname: "*"
+    pathMatch:
+      exact: "foo"
+    destination:
+      name: httproute/default/httproute-1/rule/0
+      settings:
+      - endpoints:
+        - host: "10.0.0.1"
+          port: 50000
+    extAuth:
+      name: default/httproute-1
+      http:
+        authority: http-backend.envoy-gateway:80
+        headersToBackend:
+        - header1
+        - header2
+        path: /auth
+        destination:
+          name: securitypolicy/default/policy-for-first-route/http-backend
+          settings:
+          - addressType: IP
+            endpoints:
+            - host: 7.7.7.7
+              port: 80
+            protocol: HTTP
+            weight: 1
   - name: httproute/default/httproute-2/rule/0/match/0/www_example_com
     hostname: "*"
     pathMatch:
@@ -46,7 +73,7 @@ http:
         - host: "10.0.0.2"
           port: 60000
     extAuth:
-      name: default/httproute-2
+      name: default/gateway-1
       grpc:
         authority: grpc-backend.default:9000
         destination:

diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
@@ -30,7 +30,7 @@
                 uri: http://http-backend.envoy-gateway:80/auth
             transportApiVersion: V3
         - disabled: true
-          name: envoy.filters.http.ext_authz_default/httproute-2
+          name: envoy.filters.http.ext_authz_default/gateway-1
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
             allowedHeaders:

diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml
@@ -16,6 +16,17 @@
         envoy.filters.http.ext_authz_default/httproute-1:
           '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig
           config: {}
+    - match:
+        path: foo
+      name: httproute/default/httproute-1/rule/1/match/0/www_example_com
+      route:
+        cluster: httproute/default/httproute-1/rule/0
+        upgradeConfigs:
+        - upgradeType: websocket
+      typedPerFilterConfig:
+        envoy.filters.http.ext_authz_default/httproute-1:
+          '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig
+          config: {}
     - match:
         path: bar
       name: httproute/default/httproute-2/rule/0/match/0/www_example_com
@@ -24,6 +35,6 @@
         upgradeConfigs:
         - upgradeType: websocket
       typedPerFilterConfig:
-        envoy.filters.http.ext_authz_default/httproute-2:
+        envoy.filters.http.ext_authz_default/gateway-1:
           '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig
           config: {}
diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go
@@ -14,6 +14,7 @@ import (
 	"strings"
 
 	routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+	hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	"google.golang.org/protobuf/types/known/anypb"
 )
 
@@ -78,18 +79,17 @@ func clusterName(host string, port uint32) string {
 }
 
 // enableFilterOnRoute enables a filterType on the provided route.
-func enableFilterOnRoute(filterType string, route *routev3.Route, configName string) error {
+func enableFilterOnRoute(route *routev3.Route, filterName string) error {
 	if route == nil {
 		return errors.New("xds route is nil")
 	}
 
-	filterName := perRouteFilterName(filterType, configName)
 	filterCfg := route.GetTypedPerFilterConfig()
 	if _, ok := filterCfg[filterName]; ok {
 		// This should not happen since this is the only place where the filter
 		// config is added in a route.
 		return fmt.Errorf("route already contains filter config: %s, %+v",
-			filterType, route)
+			filterName, route)
 	}
 
 	// Enable the corresponding filter for this route.
@@ -109,6 +109,16 @@ func enableFilterOnRoute(filterType string, route *routev3.Route, configName str
 	return nil
 }
 
-func perRouteFilterName(filterType, routeName string) string {
-	return fmt.Sprintf("%s_%s", filterType, routeName)
+// perRouteFilterName generates a unique filter name for the provided filterType and configName.
+func perRouteFilterName(filterType, configName string) string {
+	return fmt.Sprintf("%s_%s", filterType, configName)
+}
+
+func hcmContainsFilter(mgr *hcmv3.HttpConnectionManager, filterName string) bool {
+	for _, existingFilter := range mgr.HttpFilters {
+		if existingFilter.Name == filterName {
+			return true
+		}
+	}
+	return false
 }