When policies are attached to a gateway and mergeGateways is set to

true, don't apply policies to routes from other gateways.

Signed-off-by: Lior Okman <lior.okman@sap.com>

internal/gatewayapi/backendtrafficpolicy.go

@@ -345,7 +345,14 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back
 	// Should exist since we've validated this
 	ir := xdsIR[irKey]
 
+	policyTarget := irStringKey(
+		string(ptr.Deref(policy.Spec.TargetRef.Namespace, gwv1a2.Namespace(policy.Namespace))),
+		string(policy.Spec.TargetRef.Name),
+	)
 	for _, http := range ir.HTTP {
+		if t.MergeGateways && http.GatewayName != policyTarget {
+			continue
+		}
 		for _, r := range http.Routes {
 			// Apply if not already set
 			if r.RateLimit == nil {

internal/gatewayapi/listener.go

@@ -100,10 +100,11 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
 			switch listener.Protocol {
 			case gwapiv1.HTTPProtocolType, gwapiv1.HTTPSProtocolType:
 				irListener := &ir.HTTPListener{
-					Name:    irHTTPListenerName(listener),
-					Address: "0.0.0.0",
-					Port:    uint32(containerPort),
-					TLS:     irTLSConfigs(listener.tlsSecrets),
+					GatewayName: irStringKey(gateway.Namespace, gateway.Name),
+					Name:        irHTTPListenerName(listener),
+					Address:     "0.0.0.0",
+					Port:        uint32(containerPort),
+					TLS:         irTLSConfigs(listener.tlsSecrets),
 					Path: ir.PathSettings{
 						MergeSlashes:         true,
 						EscapedSlashesAction: ir.UnescapeAndRedirect,

internal/gatewayapi/securitypolicy.go

@@ -362,7 +362,8 @@ func (t *Translator) translateSecurityPolicyForGateway(
 		}
 	}
 
-	// Apply IR to all the routes within the specific Gateway
+	// Apply IR to all the routes within the specific Gateway that originated
+	// from the gateway to which this security policy was attached.
 	// If the feature is already set, then skip it, since it must have be
 	// set by a policy attaching to the route
 	//
@@ -372,7 +373,14 @@ func (t *Translator) translateSecurityPolicyForGateway(
 	// Should exist since we've validated this
 	ir := xdsIR[irKey]
 
+	policyTarget := irStringKey(
+		string(ptr.Deref(policy.Spec.TargetRef.Namespace, gwv1a2.Namespace(policy.Namespace))),
+		string(policy.Spec.TargetRef.Name),
+	)
 	for _, http := range ir.HTTP {
+		if t.MergeGateways && http.GatewayName != policyTarget {
+			continue
+		}
 		for _, r := range http.Routes {
 			// Apply if not already set
 			if r.CORS == nil {

internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml

@@ -348,6 +348,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -374,6 +375,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: true
+      gatewayName: envoy-gateway/gateway-2
       name: envoy-gateway/gateway-2/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml

@@ -307,6 +307,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: true
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -343,6 +344,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-2
       name: envoy-gateway/gateway-2/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml

@@ -122,6 +122,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: true
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml

@@ -242,6 +242,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: true
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -275,6 +276,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-2
       name: envoy-gateway/gateway-2/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml

@@ -422,6 +422,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: true
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -469,6 +470,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-2
       name: envoy-gateway/gateway-2/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml

@@ -322,6 +322,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: true
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -353,6 +354,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-2
       name: envoy-gateway/gateway-2/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-default-route-level-limit.out.yaml

@@ -148,6 +148,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml

@@ -152,6 +152,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml

@@ -148,6 +148,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml

@@ -154,6 +154,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit.out.yaml

@@ -151,6 +151,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-proxyprotocol.out.yaml

@@ -236,6 +236,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: true
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -267,6 +268,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-2
       name: envoy-gateway/gateway-2/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml

@@ -134,6 +134,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: true
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml

@@ -256,6 +256,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: true
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -297,6 +298,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-2
       name: envoy-gateway/gateway-2/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-same-prefix-httproutes.out.yaml

@@ -166,6 +166,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: default/gateway-1
       name: default/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml

@@ -126,6 +126,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: true
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml

@@ -244,6 +244,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: true
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -279,6 +280,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-2
       name: envoy-gateway/gateway-2/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/clienttrafficpolicy-client-ip-detection.out.yaml

@@ -248,6 +248,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-1
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml

@@ -125,6 +125,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-1
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -136,6 +137,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-2
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml

@@ -209,6 +209,7 @@ xdsIR:
       http1:
         http10: {}
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-1
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -221,6 +222,7 @@ xdsIR:
         http10:
           defaultHost: www.example.com
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-2
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -231,6 +233,7 @@ xdsIR:
       - '*'
       http1: {}
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-3
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml

@@ -129,6 +129,7 @@ xdsIR:
       - '*'
       http3: {}
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/tls
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/clienttrafficpolicy-path-settings.out.yaml

@@ -124,6 +124,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-1
       path:
         escapedSlashesAction: KeepUnchanged
@@ -133,6 +134,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-2
       path:
         escapedSlashesAction: KeepUnchanged

internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case.out.yaml

@@ -127,6 +127,7 @@ xdsIR:
         enableTrailers: true
         preserveHeaderCase: true
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-1
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -139,6 +140,7 @@ xdsIR:
         enableTrailers: true
         preserveHeaderCase: true
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-2
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol.out.yaml

@@ -124,6 +124,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-1
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -133,6 +134,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-2
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml

@@ -304,6 +304,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -318,6 +319,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-2
       name: envoy-gateway/gateway-2/http
       path:
         escapedSlashesAction: UnescapeAndRedirect

internal/gatewayapi/testdata/clienttrafficpolicy-tcp-keepalive.out.yaml

@@ -152,6 +152,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-1
       path:
         escapedSlashesAction: UnescapeAndRedirect
@@ -165,6 +166,7 @@ xdsIR:
       hostnames:
       - '*'
       isHTTP2: false
+      gatewayName: envoy-gateway/gateway-1
       name: envoy-gateway/gateway-1/http-2
       path:
         escapedSlashesAction: UnescapeAndRedirect