Merge branch 'main' into translate-merged

envoyproxy · Mar 19, 2024 · b684ee4 · b684ee4
2 parents 151f5e4 + 6a57cd1
commit b684ee4
Show file tree

Hide file tree

Showing 25 changed files with 765 additions and 343 deletions.
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -366,20 +366,24 @@ func (t *Translator) translateSecurityPolicyForRoute(
 	}
 
 	if policy.Spec.OIDC != nil {
-		if oidc, err = t.buildOIDC(policy, resources); err != nil {
+		if oidc, err = t.buildOIDC(
+			irConfigName(policy),
+			policy,
+			resources); err != nil {
 			errs = errors.Join(errs, err)
 		}
 	}
 
 	if policy.Spec.BasicAuth != nil {
-		if basicAuth, err = t.buildBasicAuth(policy, resources); err != nil {
+		if basicAuth, err = t.buildBasicAuth(
+			policy,
+			resources); err != nil {
 			errs = errors.Join(errs, err)
 		}
 	}
 
 	if policy.Spec.ExtAuth != nil {
 		if extAuth, err = t.buildExtAuth(
-			utils.NamespacedName(route).String(),
 			policy,
 			resources); err != nil {
 			errs = errors.Join(errs, err)
@@ -449,20 +453,24 @@ func (t *Translator) translateSecurityPolicyForGateway(
 	}
 
 	if policy.Spec.OIDC != nil {
-		if oidc, err = t.buildOIDC(policy, resources); err != nil {
+		if oidc, err = t.buildOIDC(
+			irConfigName(policy),
+			policy,
+			resources); err != nil {
 			errs = errors.Join(errs, err)
 		}
 	}
 
 	if policy.Spec.BasicAuth != nil {
-		if basicAuth, err = t.buildBasicAuth(policy, resources); err != nil {
+		if basicAuth, err = t.buildBasicAuth(
+			policy,
+			resources); err != nil {
 			errs = errors.Join(errs, err)
 		}
 	}
 
 	if policy.Spec.ExtAuth != nil {
 		if extAuth, err = t.buildExtAuth(
-			utils.NamespacedName(gateway).String(),
 			policy,
 			resources); err != nil {
 			errs = errors.Join(errs, err)
@@ -580,6 +588,7 @@ func (t *Translator) buildJWT(jwt *egv1a1.JWT) *ir.JWT {
 }
 
 func (t *Translator) buildOIDC(
+	name string,
 	policy *egv1a1.SecurityPolicy,
 	resources *Resources) (*ir.OIDC, error) {
 	var (
@@ -653,6 +662,7 @@ func (t *Translator) buildOIDC(
 	}
 
 	return &ir.OIDC{
+		Name:         name,
 		Provider:     *provider,
 		ClientID:     oidc.ClientID,
 		ClientSecret: clientSecretBytes,
@@ -795,11 +805,13 @@ func (t *Translator) buildBasicAuth(
 			usersSecret.Namespace, usersSecret.Name)
 	}
 
-	return &ir.BasicAuth{Users: usersSecretBytes}, nil
+	return &ir.BasicAuth{
+		Name:  irConfigName(policy),
+		Users: usersSecretBytes,
+	}, nil
 }
 
 func (t *Translator) buildExtAuth(
-	name string,
 	policy *egv1a1.SecurityPolicy,
 	resources *Resources) (*ir.ExtAuth, error) {
 	var (
@@ -847,12 +859,12 @@ func (t *Translator) buildExtAuth(
 		return nil, err
 	}
 	rd := ir.RouteDestination{
-		Name:     irExtServiceDestinationName(policy, string(backendRef.Name)),
+		Name:     irExtServiceDestinationName(policy, backendRef),
 		Settings: []*ir.DestinationSetting{ds},
 	}
 
 	extAuth := &ir.ExtAuth{
-		Name:             name,
+		Name:             irConfigName(policy),
 		HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth,
 		FailOpen:         policy.Spec.ExtAuth.FailOpen,
 	}
@@ -944,11 +956,21 @@ func (t *Translator) processExtServiceDestination(
 	}, nil
 }
 
-func irExtServiceDestinationName(policy *egv1a1.SecurityPolicy, service string) string {
+func irExtServiceDestinationName(policy *egv1a1.SecurityPolicy, backendRef *gwapiv1.BackendObjectReference) string {
+	nn := types.NamespacedName{
+		Name:      string(backendRef.Name),
+		Namespace: NamespaceDerefOr(backendRef.Namespace, policy.Namespace),
+	}
+
 	return strings.ToLower(fmt.Sprintf(
-		"%s/%s/%s/%s",
-		KindSecurityPolicy,
-		policy.GetNamespace(),
-		policy.GetName(),
-		service))
+		"%s/%s",
+		irConfigName(policy),
+		nn.String()))
+}
+
+func irConfigName(policy *egv1a1.SecurityPolicy) string {
+	return fmt.Sprintf(
+		"%s/%s",
+		strings.ToLower(KindSecurityPolicy),
+		utils.NamespacedName(policy).String())
 }
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.in.yaml
@@ -1,58 +1,104 @@
 secrets:
-- apiVersion: v1
-  kind: Secret
-  metadata:
-    namespace: default
-    name: users-secret
-  data:
-    .htpasswd: "dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo="
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      namespace: default
+      name: users-secret1
+    data:
+      .htpasswd: "dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo="
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      namespace: default
+      name: users-secret2
+    data:
+      .htpasswd: "Zm9vOntTSEF9WXMyM0FnLzVJT1dxWkN3OVFHYVZEZEh3SDAwPQpmb28xOntTSEF9ZGpaMTFxSFkwS09pamV5bUs3YUt2WXV2aHZNPQo="
 gateways:
-- apiVersion: gateway.networking.k8s.io/v1
-  kind: Gateway
-  metadata:
-    namespace: envoy-gateway
-    name: gateway-1
-  spec:
-    gatewayClassName: envoy-gateway-class
-    listeners:
-    - name: http
-      protocol: HTTP
-      port: 80
-      allowedRoutes:
-        namespaces:
-          from: All
-httpRoutes:
-- apiVersion: gateway.networking.k8s.io/v1
-  kind: HTTPRoute
-  metadata:
-    namespace: default
-    name: httproute-1
-  spec:
-    hostnames:
-    - gateway.envoyproxy.io
-    parentRefs:
-    - namespace: envoy-gateway
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    metadata:
+      namespace: default
       name: gateway-1
-      sectionName: http
-    rules:
-    - matches:
-      - path:
-          value: "/foo"
-      backendRefs:
-      - name: service-1
-        port: 8080
-securityPolicies:
-- apiVersion: gateway.envoyproxy.io/v1alpha1
-  kind: SecurityPolicy
-  metadata:
-    namespace: default
-    name: policy-for-http-route
-  spec:
-    targetRef:
-      group: gateway.networking.k8s.io
-      kind: HTTPRoute
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: http
+          protocol: HTTP
+          port: 80
+          allowedRoutes:
+            namespaces:
+              from: All
+httpRoutes:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
       name: httproute-1
+    spec:
+      hostnames:
+        - www.foo.com
+      parentRefs:
+        - namespace: default
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: /foo1
+          backendRefs:
+            - name: service-1
+              port: 8080
+        - matches:
+            - path:
+                value: /foo2
+          backendRefs:
+            - name: service-2
+              port: 8080
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-2
+    spec:
+      hostnames:
+        - www.bar.com
+      parentRefs:
+        - namespace: default
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: /bar
+          backendRefs:
+            - name: service-3
+              port: 8080
+securityPolicies:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: SecurityPolicy
+    metadata:
+      namespace: default
+      name: policy-for-http-route-1
+    spec:
+      targetRef:
+        group: gateway.networking.k8s.io
+        kind: HTTPRoute
+        name: httproute-1
+        namespace: default
+      basicAuth:
+        users:
+          name: "users-secret1"
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: SecurityPolicy
+    metadata:
       namespace: default
-    basicAuth:
-      users:
-        name: "users-secret"
+      name: policy-for-gateway-1               # This will only apply to the httproute-2
+    spec:
+      targetRef:
+        group: gateway.networking.k8s.io
+        kind: Gateway
+        name: gateway-1
+        namespace: default
+      basicAuth:
+        users:
+          name: "users-secret2"