diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 24604b4b4e7..434d9ce839a 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -366,20 +366,24 @@ func (t *Translator) translateSecurityPolicyForRoute( } if policy.Spec.OIDC != nil { - if oidc, err = t.buildOIDC(policy, resources); err != nil { + if oidc, err = t.buildOIDC( + irConfigName(policy), + policy, + resources); err != nil { errs = errors.Join(errs, err) } } if policy.Spec.BasicAuth != nil { - if basicAuth, err = t.buildBasicAuth(policy, resources); err != nil { + if basicAuth, err = t.buildBasicAuth( + policy, + resources); err != nil { errs = errors.Join(errs, err) } } if policy.Spec.ExtAuth != nil { if extAuth, err = t.buildExtAuth( - utils.NamespacedName(route).String(), policy, resources); err != nil { errs = errors.Join(errs, err) @@ -449,20 +453,24 @@ func (t *Translator) translateSecurityPolicyForGateway( } if policy.Spec.OIDC != nil { - if oidc, err = t.buildOIDC(policy, resources); err != nil { + if oidc, err = t.buildOIDC( + irConfigName(policy), + policy, + resources); err != nil { errs = errors.Join(errs, err) } } if policy.Spec.BasicAuth != nil { - if basicAuth, err = t.buildBasicAuth(policy, resources); err != nil { + if basicAuth, err = t.buildBasicAuth( + policy, + resources); err != nil { errs = errors.Join(errs, err) } } if policy.Spec.ExtAuth != nil { if extAuth, err = t.buildExtAuth( - utils.NamespacedName(gateway).String(), policy, resources); err != nil { errs = errors.Join(errs, err) @@ -580,6 +588,7 @@ func (t *Translator) buildJWT(jwt *egv1a1.JWT) *ir.JWT { } func (t *Translator) buildOIDC( + name string, policy *egv1a1.SecurityPolicy, resources *Resources) (*ir.OIDC, error) { var ( @@ -653,6 +662,7 @@ func (t *Translator) buildOIDC( } return &ir.OIDC{ + Name: name, Provider: *provider, ClientID: oidc.ClientID, ClientSecret: clientSecretBytes, 
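Review bot: buildOIDC now takes the config name as a separate `name string` argument while buildBasicAuth and buildExtAuth (the -795 and -847 hunks) derive it internally with `irConfigName(policy)`, so the three builders no longer follow one convention and both call sites in translateSecurityPolicyForRoute and translateSecurityPolicyForGateway (the -449 hunk) spell `irConfigName(policy)` by hand. Since `policy` is already passed in, buildOIDC can set `Name: irConfigName(policy)` itself and keep its signature `(policy, resources)`, which also removes the possibility of a caller passing a name that does not belong to the policy. The wrapped `t.buildBasicAuth(\n policy,\n resources)` call fits on one line and is only a formatting change. Both translate functions start and end outside these hunks.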
@@ -795,11 +805,13 @@ func (t *Translator) buildBasicAuth( usersSecret.Namespace, usersSecret.Name) } - return &ir.BasicAuth{Users: usersSecretBytes}, nil + return &ir.BasicAuth{ + Name: irConfigName(policy), + Users: usersSecretBytes, + }, nil } func (t *Translator) buildExtAuth( - name string, policy *egv1a1.SecurityPolicy, resources *Resources) (*ir.ExtAuth, error) { var ( @@ -847,12 +859,12 @@ func (t *Translator) buildExtAuth( return nil, err } rd := ir.RouteDestination{ - Name: irExtServiceDestinationName(policy, string(backendRef.Name)), + Name: irExtServiceDestinationName(policy, backendRef), Settings: []*ir.DestinationSetting{ds}, } extAuth := &ir.ExtAuth{ - Name: name, + Name: irConfigName(policy), HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth, FailOpen: policy.Spec.ExtAuth.FailOpen, } @@ -944,11 +956,21 @@ func (t *Translator) processExtServiceDestination( }, nil } -func irExtServiceDestinationName(policy *egv1a1.SecurityPolicy, service string) string { +func irExtServiceDestinationName(policy *egv1a1.SecurityPolicy, backendRef *gwapiv1.BackendObjectReference) string { + nn := types.NamespacedName{ + Name: string(backendRef.Name), + Namespace: NamespaceDerefOr(backendRef.Namespace, policy.Namespace), + } + return strings.ToLower(fmt.Sprintf( - "%s/%s/%s/%s", - KindSecurityPolicy, - policy.GetNamespace(), - policy.GetName(), - service)) + "%s/%s", + irConfigName(policy), + nn.String())) +} + +func irConfigName(policy *egv1a1.SecurityPolicy) string { + return fmt.Sprintf( + "%s/%s", + strings.ToLower(KindSecurityPolicy), + utils.NamespacedName(policy).String()) } diff --git a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.in.yaml index 619425c9bdb..3a696360dbc 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.in.yaml 
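Review bot: irConfigName is the key the xds translator dedupes filters and secrets by, yet it has no doc comment, and its case handling differs from irExtServiceDestinationName, which lower-cases its whole result while irConfigName lower-cases only the kind. Add `// irConfigName returns the unique IR name of the config generated from a SecurityPolicy; the xds translator emits one filter per unique name, so no two policies may yield the same value.` and, if lower-casing is meant to be uniform, apply `strings.ToLower` to the whole string in irConfigName (Kubernetes names are lower-case DNS labels, so this looks like a no-op today). irExtServiceDestinationName also dereferences `backendRef` without a nil check, which is fine only if buildExtAuth validates the ref before calling it; that validation is outside this hunk.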
@@ -1,58 +1,104 @@ secrets: -- apiVersion: v1 - kind: Secret - metadata: - namespace: default - name: users-secret - data: - .htpasswd: "dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo=" + - apiVersion: v1 + kind: Secret + metadata: + namespace: default + name: users-secret1 + data: + .htpasswd: "dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo=" + - apiVersion: v1 + kind: Secret + metadata: + namespace: default + name: users-secret2 + data: + .htpasswd: "Zm9vOntTSEF9WXMyM0FnLzVJT1dxWkN3OVFHYVZEZEh3SDAwPQpmb28xOntTSEF9ZGpaMTFxSFkwS09pamV5bUs3YUt2WXV2aHZNPQo=" gateways: -- apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - metadata: - namespace: envoy-gateway - name: gateway-1 - spec: - gatewayClassName: envoy-gateway-class - listeners: - - name: http - protocol: HTTP - port: 80 - allowedRoutes: - namespaces: - from: All -httpRoutes: -- apiVersion: gateway.networking.k8s.io/v1 - kind: HTTPRoute - metadata: - namespace: default - name: httproute-1 - spec: - hostnames: - - gateway.envoyproxy.io - parentRefs: - - namespace: envoy-gateway + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: default name: gateway-1 - sectionName: http - rules: - - matches: - - path: - value: "/foo" - backendRefs: - - name: service-1 - port: 8080 -securityPolicies: -- apiVersion: gateway.envoyproxy.io/v1alpha1 - kind: SecurityPolicy - metadata: - namespace: default - name: policy-for-http-route - spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default name: httproute-1 + spec: + hostnames: + - www.foo.com + parentRefs: + - namespace: default + name: gateway-1 + 
sectionName: http + rules: + - matches: + - path: + value: /foo1 + backendRefs: + - name: service-1 + port: 8080 + - matches: + - path: + value: /foo2 + backendRefs: + - name: service-2 + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + hostnames: + - www.bar.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /bar + backendRefs: + - name: service-3 + port: 8080 +securityPolicies: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + namespace: default + name: policy-for-http-route-1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + namespace: default + basicAuth: + users: + name: "users-secret1" + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: namespace: default - basicAuth: - users: - name: "users-secret" + name: policy-for-gateway-1 # This will only apply to the httproute-2 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: default + basicAuth: + users: + name: "users-secret2" diff --git a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml index d862fd9d11e..3681d60e018 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml @@ -4,7 +4,7 @@ gateways: metadata: creationTimestamp: null name: gateway-1 - namespace: envoy-gateway + namespace: default spec: gatewayClassName: envoy-gateway-class listeners: @@ -16,7 +16,7 @@ gateways: protocol: HTTP status: listeners: - - attachedRoutes: 1 + - attachedRoutes: 2 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane 
@@ -48,10 +48,10 @@ httpRoutes: namespace: default spec: hostnames: - - gateway.envoyproxy.io + - www.foo.com parentRefs: - name: gateway-1 - namespace: envoy-gateway + namespace: default sectionName: http rules: - backendRefs: @@ -59,7 +59,51 @@ httpRoutes: port: 8080 matches: - path: - value: /foo + value: /foo1 + - backendRefs: + - name: service-2 + port: 8080 + matches: + - path: + value: /foo2 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + hostnames: + - www.bar.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-3 + port: 8080 + matches: + - path: + value: /bar status: parents: - conditions: @@ -76,14 +120,14 @@ httpRoutes: controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: name: gateway-1 - namespace: envoy-gateway + namespace: default sectionName: http infraIR: - envoy-gateway/gateway-1: + default/gateway-1: proxy: listeners: - address: null - name: envoy-gateway/gateway-1/http + name: default/gateway-1/http ports: - containerPort: 10080 name: http 
@@ -92,21 +136,21 @@ infraIR: metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 - gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway - name: envoy-gateway/gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-1 securityPolicies: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: SecurityPolicy metadata: creationTimestamp: null - name: policy-for-http-route + name: policy-for-http-route-1 namespace: default spec: basicAuth: users: group: null kind: null - name: users-secret + name: users-secret1 targetRef: group: gateway.networking.k8s.io kind: HTTPRoute @@ -118,7 +162,7 @@ securityPolicies: group: gateway.networking.k8s.io kind: Gateway name: gateway-1 - namespace: envoy-gateway + namespace: default sectionName: http conditions: - lastTransitionTime: null @@ -127,8 +171,45 @@ securityPolicies: status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + creationTimestamp: null + name: policy-for-gateway-1 + namespace: default + spec: + basicAuth: + users: + group: null + kind: null + name: users-secret2 + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: default + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: default + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: 'This policy is being overridden by other securityPolicies for these + routes: [default/httproute-1]' + reason: Overridden + status: "True" + type: Overridden + controllerName: gateway.envoyproxy.io/gatewayclass-controller xdsIR: - envoy-gateway/gateway-1: + default/gateway-1: accessLog: text: - path: /dev/stdout 
@@ -137,7 +218,7 @@ xdsIR: hostnames: - '*' isHTTP2: false - name: envoy-gateway/gateway-1/http + name: default/gateway-1/http path: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true @@ -147,6 +228,7 @@ xdsIR: invalid: 0 valid: 0 basicAuth: + name: securitypolicy/default/policy-for-http-route-1 users: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo= destination: name: httproute/default/httproute-1/rule/0 @@ -157,10 +239,54 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 - hostname: gateway.envoyproxy.io + hostname: www.foo.com + isHTTP2: false + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo1 + - backendWeights: + invalid: 0 + valid: 0 + basicAuth: + name: securitypolicy/default/policy-for-http-route-1 + users: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo= + destination: + name: httproute/default/httproute-1/rule/1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.foo.com + isHTTP2: false + name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo2 + - backendWeights: + invalid: 0 + valid: 0 + basicAuth: + name: securitypolicy/default/policy-for-gateway-1 + users: Zm9vOntTSEF9WXMyM0FnLzVJT1dxWkN3OVFHYVZEZEh3SDAwPQpmb28xOntTSEF9ZGpaMTFxSFkwS09pamV5bUs3YUt2WXV2aHZNPQo= + destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.bar.com isHTTP2: false - name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com pathMatch: distinct: false name: "" - prefix: /foo + prefix: /bar 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml index 5e557abb08c..5879169de28 100755 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml @@ -311,7 +311,7 @@ xdsIR: grpc: authority: grpc-backend.default:9000 destination: - name: securitypolicy/default/policy-for-http-route/grpc-backend + name: securitypolicy/default/policy-for-http-route/default/grpc-backend settings: - addressType: IP endpoints: @@ -327,7 +327,7 @@ xdsIR: headersToExtAuth: - header1 - header2 - name: default/httproute-1 + name: securitypolicy/default/policy-for-http-route hostname: www.foo.com isHTTP2: false name: httproute/default/httproute-1/rule/0/match/0/www_foo_com @@ -352,7 +352,7 @@ xdsIR: http: authority: http-backend.envoy-gateway:80 destination: - name: securitypolicy/default/policy-for-gateway/http-backend + name: securitypolicy/default/policy-for-gateway/envoy-gateway/http-backend settings: - addressType: IP endpoints: @@ -369,7 +369,7 @@ xdsIR: - header1 - header2 path: /auth - name: default/gateway-1 + name: securitypolicy/default/policy-for-gateway hostname: www.bar.com isHTTP2: false name: httproute/default/httproute-2/rule/0/match/0/www_bar_com diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml index 3d9382a95ea..9d7f17e93d3 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml 
@@ -133,41 +133,41 @@ securityPolicies: kind: SecurityPolicy metadata: namespace: default - name: policy-for-gateway + name: policy-for-http-route-1 spec: targetRef: group: gateway.networking.k8s.io - kind: Gateway - name: gateway-1 + kind: HTTPRoute + name: httproute-1 namespace: default extAuth: - http: + failOpen: true + headersToExtAuth: + - header1 + - header2 + grpc: backendRef: - Name: http-backend - Namespace: envoy-gateway - Port: 80 - Path: /auth - headersToBackend: - - header1 - - header2 - failOpen: false + name: grpc-backend + port: 9000 - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: SecurityPolicy metadata: namespace: default - name: policy-for-http-route + name: policy-for-gateway-1 # This will only apply to the httproute-2 spec: targetRef: group: gateway.networking.k8s.io - kind: HTTPRoute - name: httproute-1 + kind: Gateway + name: gateway-1 namespace: default extAuth: - headersToExtAuth: - - header1 - - header2 - grpc: + failOpen: false + http: backendRef: - name: grpc-backend - port: 9000 - failOpen: true + Name: http-backend + Namespace: envoy-gateway + Port: 80 + Path: /auth + headersToBackend: + - header1 + - header2 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml index 066e9ad2f9f..f9243d6f420 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml @@ -143,7 +143,7 @@ securityPolicies: kind: SecurityPolicy metadata: creationTimestamp: null - name: policy-for-http-route + name: policy-for-http-route-1 namespace: default spec: extAuth: @@ -179,7 +179,7 @@ securityPolicies: kind: SecurityPolicy metadata: creationTimestamp: null - name: policy-for-gateway + name: policy-for-gateway-1 namespace: default spec: extAuth: 
@@ -251,7 +251,7 @@ xdsIR: grpc: authority: grpc-backend.default:9000 destination: - name: securitypolicy/default/policy-for-http-route/grpc-backend + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend settings: - addressType: IP endpoints: @@ -262,7 +262,7 @@ xdsIR: headersToExtAuth: - header1 - header2 - name: default/httproute-1 + name: securitypolicy/default/policy-for-http-route-1 hostname: www.foo.com isHTTP2: false name: httproute/default/httproute-1/rule/0/match/0/www_foo_com @@ -287,7 +287,7 @@ xdsIR: grpc: authority: grpc-backend.default:9000 destination: - name: securitypolicy/default/policy-for-http-route/grpc-backend + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend settings: - addressType: IP endpoints: @@ -298,7 +298,7 @@ xdsIR: headersToExtAuth: - header1 - header2 - name: default/httproute-1 + name: securitypolicy/default/policy-for-http-route-1 hostname: www.foo.com isHTTP2: false name: httproute/default/httproute-1/rule/1/match/0/www_foo_com @@ -323,7 +323,7 @@ xdsIR: http: authority: http-backend.envoy-gateway:80 destination: - name: securitypolicy/default/policy-for-gateway/http-backend + name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend settings: - addressType: IP endpoints: @@ -335,7 +335,7 @@ xdsIR: - header1 - header2 path: /auth - name: default/gateway-1 + name: securitypolicy/default/policy-for-gateway-1 hostname: www.bar.com isHTTP2: false name: httproute/default/httproute-2/rule/0/match/0/www_bar_com diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml index 303d05191f7..31fb6ee9bb8 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml 
@@ -86,7 +86,7 @@ securityPolicies: kind: SecurityPolicy metadata: namespace: envoy-gateway - name: policy-for-gateway-discover-endpoints # This policy should attach httproute-2 + name: policy-for-gateway # This policy should attach httproute-2 uid: b8284d0f-de82-4c65-b204-96a0d3f258a1 spec: targetRef: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml index ad55d9bba65..dfd4a9f6073 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml @@ -181,7 +181,7 @@ securityPolicies: kind: SecurityPolicy metadata: creationTimestamp: null - name: policy-for-gateway-discover-endpoints + name: policy-for-gateway namespace: envoy-gateway uid: b8284d0f-de82-4c65-b204-96a0d3f258a1 spec: @@ -257,6 +257,7 @@ xdsIR: cookieSuffix: 5f93c2e4 hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY= logoutPath: /foo/logout + name: securitypolicy/default/policy-for-http-route provider: authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth tokenEndpoint: https://oauth.foo.com/token @@ -291,6 +292,7 @@ xdsIR: cookieSuffix: b0a1b740 hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY= logoutPath: /bar/logout + name: securitypolicy/envoy-gateway/policy-for-gateway provider: authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth tokenEndpoint: https://oauth2.googleapis.com/token diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 4f6ed8ac00d..76545ab3c80 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -518,6 +518,10 @@ type JWT struct { // // +k8s:deepcopy-gen=true type OIDC struct { + // Name is a unique name for an OIDC configuration. + // The xds translator only generates one OAuth2 filter for each unique name. + Name string `json:"name" yaml:"name"` + // The OIDC Provider configuration. Provider OIDCProvider `json:"provider" yaml:"provider"` 
@@ -567,6 +571,10 @@ type OIDCProvider struct { // // +k8s:deepcopy-gen=true type BasicAuth struct { + // Name is a unique name for an BasicAuth configuration. + // The xds translator only generates one basic auth filter for each unique name. + Name string `json:"name" yaml:"name"` + // The username-password pairs in htpasswd format. Users []byte `json:"users,omitempty" yaml:"users,omitempty"` } diff --git a/internal/xds/translator/basicauth.go b/internal/xds/translator/basicauth.go index 85cd77fa3c3..720cd7dddd6 100644 --- a/internal/xds/translator/basicauth.go +++ b/internal/xds/translator/basicauth.go @@ -51,7 +51,14 @@ func (*basicAuth) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTP continue } - filter, err := buildHCMBasicAuthFilter(route) + // Only generates one BasicAuth Envoy filter for each unique name. + // For example, if there are two routes under the same gateway with the + // same BasicAuth config, only one BasicAuth filter will be generated. + if hcmContainsFilter(mgr, basicAuthFilterName(route.BasicAuth)) { + continue + } + + filter, err := buildHCMBasicAuthFilter(route.BasicAuth) if err != nil { errs = errors.Join(errs, err) continue @@ -64,8 +71,8 @@ func (*basicAuth) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTP } // buildHCMBasicAuthFilter returns a basic_auth HTTP filter from the provided IR HTTPRoute. -func buildHCMBasicAuthFilter(route *ir.HTTPRoute) (*hcmv3.HttpFilter, error) { - basicAuthProto := basicAuthConfig(route) +func buildHCMBasicAuthFilter(basicAuth *ir.BasicAuth) (*hcmv3.HttpFilter, error) { + basicAuthProto := basicAuthConfig(basicAuth) if err := basicAuthProto.ValidateAll(); err != nil { return nil, err @@ -77,7 +84,7 @@ func buildHCMBasicAuthFilter(route *ir.HTTPRoute) (*hcmv3.HttpFilter, error) { } return &hcmv3.HttpFilter{ - Name: basicAuthFilterName(route), + Name: basicAuthFilterName(basicAuth), Disabled: true, ConfigType: &hcmv3.HttpFilter_TypedConfig{ TypedConfig: basicAuthAny, 
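Review bot: The new doc comment reads `an BasicAuth configuration`; `a BasicAuth configuration`. It would also help to state the contract the xds translator now relies on, since patchHCM skips any route whose Name already has a filter: `// Name is a unique name for a BasicAuth configuration. Routes sharing a Name are assumed to carry identical config; the xds translator generates one basic auth filter per unique name and reuses it.` The same contract applies to the OIDC.Name comment in the -518 hunk.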
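Review bot: The `hcmContainsFilter` check keeps the first filter built for a name and `continue`s past every later route with that name, so if two routes ever carried the same BasicAuth.Name with different Users the second set would be dropped without an error or a log line; the comment should record that assumption, e.g. `// Routes sharing a BasicAuth name are assumed to carry identical config; the first one wins.` The comment also reads `Only generates one`; `Only generate one`. patchHCM starts and ends outside the hunk.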
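Review bot: The doc comment on buildHCMBasicAuthFilter still says `from the provided IR HTTPRoute`, but the parameter is now `*ir.BasicAuth`; `// buildHCMBasicAuthFilter returns a basic_auth HTTP filter from the provided IR BasicAuth config.` The same stale wording is on buildHCMOAuth2Filter in the oidc.go -69 hunk, which should read `from the provided IR OIDC config`.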
@@ -85,15 +92,15 @@ func buildHCMBasicAuthFilter(route *ir.HTTPRoute) (*hcmv3.HttpFilter, error) { }, nil } -func basicAuthFilterName(route *ir.HTTPRoute) string { - return perRouteFilterName(basicAuthFilter, route.Name) +func basicAuthFilterName(basicAuth *ir.BasicAuth) string { + return perRouteFilterName(basicAuthFilter, basicAuth.Name) } -func basicAuthConfig(route *ir.HTTPRoute) *basicauthv3.BasicAuth { +func basicAuthConfig(basicAuth *ir.BasicAuth) *basicauthv3.BasicAuth { return &basicauthv3.BasicAuth{ Users: &corev3.DataSource{ Specifier: &corev3.DataSource_InlineBytes{ - InlineBytes: route.BasicAuth.Users, + InlineBytes: basicAuth.Users, }, }, } @@ -129,7 +136,7 @@ func (*basicAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error if irRoute.BasicAuth == nil { return nil } - filterName := basicAuthFilterName(irRoute) + filterName := basicAuthFilterName(irRoute.BasicAuth) if err := enableFilterOnRoute(route, filterName); err != nil { return err } diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go index 2a10254ec64..503d59e5f89 100644 --- a/internal/xds/translator/oidc.go +++ b/internal/xds/translator/oidc.go @@ -56,7 +56,14 @@ func (*oidc) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListe continue } - filter, err := buildHCMOAuth2Filter(route) + // Only generates one BasicAuth Envoy filter for each unique name. + // For example, if there are two routes under the same gateway with the + // same BasicAuth config, only one BasicAuth filter will be generated. + if hcmContainsFilter(mgr, oauth2FilterName(route.OIDC)) { + continue + } + + filter, err := buildHCMOAuth2Filter(route.OIDC) if err != nil { errs = errors.Join(errs, err) continue 
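Review bot: The comment copied into oidc.go patchHCM still talks about BasicAuth although the code below it builds the OAuth2 filter; replace it with `// Only generate one OAuth2 Envoy filter for each unique name. For example, if two routes under the same gateway share the same OIDC config, only one OAuth2 filter is generated.` patchHCM starts and ends outside the hunk.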
@@ -69,8 +76,8 @@ func (*oidc) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListe } // buildHCMOAuth2Filter returns an OAuth2 HTTP filter from the provided IR HTTPRoute. -func buildHCMOAuth2Filter(route *ir.HTTPRoute) (*hcmv3.HttpFilter, error) { - oauth2Proto, err := oauth2Config(route) +func buildHCMOAuth2Filter(oidc *ir.OIDC) (*hcmv3.HttpFilter, error) { + oauth2Proto, err := oauth2Config(oidc) if err != nil { return nil, err } @@ -85,7 +92,7 @@ func buildHCMOAuth2Filter(route *ir.HTTPRoute) (*hcmv3.HttpFilter, error) { } return &hcmv3.HttpFilter{ - Name: oauth2FilterName(route), + Name: oauth2FilterName(oidc), Disabled: true, ConfigType: &hcmv3.HttpFilter_TypedConfig{ TypedConfig: OAuth2Any, @@ -93,25 +100,25 @@ func buildHCMOAuth2Filter(route *ir.HTTPRoute) (*hcmv3.HttpFilter, error) { }, nil } -func oauth2FilterName(route *ir.HTTPRoute) string { - return perRouteFilterName(oauth2Filter, route.Name) +func oauth2FilterName(oidc *ir.OIDC) string { + return perRouteFilterName(oauth2Filter, oidc.Name) } -func oauth2Config(route *ir.HTTPRoute) (*oauth2v3.OAuth2, error) { - cluster, err := url2Cluster(route.OIDC.Provider.TokenEndpoint) +func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) { + cluster, err := url2Cluster(oidc.Provider.TokenEndpoint) if err != nil { return nil, err } if cluster.endpointType == EndpointTypeStatic { return nil, fmt.Errorf( "static IP cluster is not allowed: %s", - route.OIDC.Provider.TokenEndpoint) + oidc.Provider.TokenEndpoint) } oauth2 := &oauth2v3.OAuth2{ Config: &oauth2v3.OAuth2Config{ TokenEndpoint: &corev3.HttpUri{ - Uri: route.OIDC.Provider.TokenEndpoint, + Uri: oidc.Provider.TokenEndpoint, HttpUpstreamType: &corev3.HttpUri_Cluster{ Cluster: cluster.name, }, 
@@ -119,13 +126,13 @@ func oauth2Config(route *ir.HTTPRoute) (*oauth2v3.OAuth2, error) { Seconds: defaultExtServiceRequestTimeout, }, }, - AuthorizationEndpoint: route.OIDC.Provider.AuthorizationEndpoint, - RedirectUri: route.OIDC.RedirectURL, + AuthorizationEndpoint: oidc.Provider.AuthorizationEndpoint, + RedirectUri: oidc.RedirectURL, RedirectPathMatcher: &matcherv3.PathMatcher{ Rule: &matcherv3.PathMatcher_Path{ Path: &matcherv3.StringMatcher{ MatchPattern: &matcherv3.StringMatcher_Exact{ - Exact: route.OIDC.RedirectPath, + Exact: oidc.RedirectPath, }, }, }, 
@@ -134,35 +141,35 @@ func oauth2Config(route *ir.HTTPRoute) (*oauth2v3.OAuth2, error) { Rule: &matcherv3.PathMatcher_Path{ Path: &matcherv3.StringMatcher{ MatchPattern: &matcherv3.StringMatcher_Exact{ - Exact: route.OIDC.LogoutPath, + Exact: oidc.LogoutPath, }, }, }, }, ForwardBearerToken: true, Credentials: &oauth2v3.OAuth2Credentials{ - ClientId: route.OIDC.ClientID, + ClientId: oidc.ClientID, TokenSecret: &tlsv3.SdsSecretConfig{ - Name: oauth2ClientSecretName(route), + Name: oauth2ClientSecretName(oidc), SdsConfig: makeConfigSource(), }, TokenFormation: &oauth2v3.OAuth2Credentials_HmacSecret{ HmacSecret: &tlsv3.SdsSecretConfig{ - Name: oauth2HMACSecretName(route), + Name: oauth2HMACSecretName(oidc), SdsConfig: makeConfigSource(), }, }, CookieNames: &oauth2v3.OAuth2Credentials_CookieNames{ - BearerToken: fmt.Sprintf("BearerToken-%s", route.OIDC.CookieSuffix), - OauthHmac: fmt.Sprintf("OauthHMAC-%s", route.OIDC.CookieSuffix), - OauthExpires: fmt.Sprintf("OauthExpires-%s", route.OIDC.CookieSuffix), - IdToken: fmt.Sprintf("IdToken-%s", route.OIDC.CookieSuffix), - RefreshToken: fmt.Sprintf("RefreshToken-%s", route.OIDC.CookieSuffix), + BearerToken: fmt.Sprintf("BearerToken-%s", oidc.CookieSuffix), + OauthHmac: fmt.Sprintf("OauthHMAC-%s", oidc.CookieSuffix), + OauthExpires: fmt.Sprintf("OauthExpires-%s", oidc.CookieSuffix), + IdToken: fmt.Sprintf("IdToken-%s", oidc.CookieSuffix), + RefreshToken: fmt.Sprintf("RefreshToken-%s", oidc.CookieSuffix), }, }, // every OIDC provider supports basic auth AuthType: oauth2v3.OAuth2Config_BASIC_AUTH, - AuthScopes: route.OIDC.Scopes, + AuthScopes: oidc.Scopes, }, } return oauth2, nil 
@@ -273,12 +280,12 @@ func createOAuth2Secrets(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRout // a separate secret is created for each route, even they share the same // oauth2 client ID and secret. - clientSecret := buildOAuth2ClientSecret(route) + clientSecret := buildOAuth2ClientSecret(route.OIDC) if err := addXdsSecret(tCtx, clientSecret); err != nil { errs = errors.Join(errs, err) } - if err := addXdsSecret(tCtx, buildOAuth2HMACSecret(route)); err != nil { + if err := addXdsSecret(tCtx, buildOAuth2HMACSecret(route.OIDC)); err != nil { errs = errors.Join(errs, err) } } @@ -286,14 +293,14 @@ func createOAuth2Secrets(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRout return errs } -func buildOAuth2ClientSecret(route *ir.HTTPRoute) *tlsv3.Secret { +func buildOAuth2ClientSecret(oidc *ir.OIDC) *tlsv3.Secret { clientSecret := &tlsv3.Secret{ - Name: oauth2ClientSecretName(route), + Name: oauth2ClientSecretName(oidc), Type: &tlsv3.Secret_GenericSecret{ GenericSecret: &tlsv3.GenericSecret{ Secret: &corev3.DataSource{ Specifier: &corev3.DataSource_InlineBytes{ - InlineBytes: route.OIDC.ClientSecret, + InlineBytes: oidc.ClientSecret, }, }, }, @@ -303,14 +310,14 @@ func buildOAuth2ClientSecret(route *ir.HTTPRoute) *tlsv3.Secret { return clientSecret } -func buildOAuth2HMACSecret(route *ir.HTTPRoute) *tlsv3.Secret { +func buildOAuth2HMACSecret(oidc *ir.OIDC) *tlsv3.Secret { hmacSecret := &tlsv3.Secret{ - Name: oauth2HMACSecretName(route), + Name: oauth2HMACSecretName(oidc), Type: &tlsv3.Secret_GenericSecret{ GenericSecret: &tlsv3.GenericSecret{ Secret: &corev3.DataSource{ Specifier: &corev3.DataSource_InlineBytes{ - InlineBytes: route.OIDC.HMACSecret, + InlineBytes: oidc.HMACSecret, }, }, }, 
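Review bot: The context comment above the changed lines, `a separate secret is created for each route, even they share the same oauth2 client ID and secret`, is no longer true: oauth2ClientSecretName and oauth2HMACSecretName (the -320 hunk) now key the secret on `oidc.Name`, so every route that shares a policy yields a secret with the same name, and this loop still calls addXdsSecret once per route. Whether that surfaces as a duplicate-name error joined into `errs` or as a silent overwrite depends on addXdsSecret, which is not in the diff; either way the loop should skip names it has already added, mirroring the `hcmContainsFilter` check in patchHCM, and the comment should say one client and HMAC secret is created per unique OIDC name. createOAuth2Secrets starts outside the hunk.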
@@ -320,12 +327,12 @@ func buildOAuth2HMACSecret(route *ir.HTTPRoute) *tlsv3.Secret { return hmacSecret } -func oauth2ClientSecretName(route *ir.HTTPRoute) string { - return fmt.Sprintf("%s/oauth2/client_secret", route.Name) +func oauth2ClientSecretName(oidc *ir.OIDC) string { + return fmt.Sprintf("oauth2/client_secret/%s", oidc.Name) } -func oauth2HMACSecretName(route *ir.HTTPRoute) string { - return fmt.Sprintf("%s/oauth2/hmac_secret", route.Name) +func oauth2HMACSecretName(oidc *ir.OIDC) string { + return fmt.Sprintf("oauth2/hmac_secret/%s", oidc.Name) } // patchRoute patches the provided route with the oauth2 config if applicable. @@ -340,7 +347,7 @@ func (*oidc) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { if irRoute.OIDC == nil { return nil } - filterName := oauth2FilterName(irRoute) + filterName := oauth2FilterName(irRoute.OIDC) if err := enableFilterOnRoute(route, filterName); err != nil { return err } diff --git a/internal/xds/translator/testdata/in/xds-ir/basic-auth.yaml b/internal/xds/translator/testdata/in/xds-ir/basic-auth.yaml index af6baa0b77e..36df412f728 100644 --- a/internal/xds/translator/testdata/in/xds-ir/basic-auth.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/basic-auth.yaml 
@@ -1,22 +1,77 @@ http: -- name: "first-listener" - address: "0.0.0.0" - port: 10080 +- address: 0.0.0.0 hostnames: - - "*" + - '*' + isHTTP2: false + name: default/gateway-1/http path: - mergeSlashes: true escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 routes: - - name: "first-route" - hostname: "*" + - name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + hostname: www.foo.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /foo1 + backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + basicAuth: + name: securitypolicy/default/policy-for-http-route-1 + users: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo= + - name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + backendWeights: + hostname: www.foo.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /foo2 + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-1/rule/1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + basicAuth: + name: securitypolicy/default/policy-for-http-route-1 + users: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo= + - name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + hostname: www.bar.com + isHTTP2: false pathMatch: - exact: "foo/bar" + distinct: false + name: "" + prefix: /bar + backendWeights: + invalid: 0 + valid: 0 destination: - name: "first-route-dest" + name: httproute/default/httproute-2/rule/0 settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 basicAuth: - users: 
"dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo=" + name: securitypolicy/default/policy-for-gateway-1 + users: Zm9vOntTSEF9WXMyM0FnLzVJT1dxWkN3OVFHYVZEZEh3SDAwPQpmb28xOntTSEF9ZGpaMTFxSFkwS09pamV5bUs3YUt2WXV2aHZNPQo= diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml index 3ed7a397f0c..32d5522e6df 100644 --- a/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml 
@@ -1,93 +1,120 @@ http: -- name: "first-listener" - address: "0.0.0.0" - port: 10080 - hostnames: - - "www.example.com" - path: - mergeSlashes: true - escapedSlashesAction: UnescapeAndRedirect - routes: - - name: httproute/default/httproute-1/rule/0/match/0/www_example_com - hostname: "*" - pathMatch: - exact: "foo" - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - endpoints: - - host: "10.0.0.1" - port: 50000 - extAuth: - name: default/httproute-1 - http: - authority: http-backend.envoy-gateway:80 - headersToBackend: - - header1 - - header2 - path: /auth + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + hostname: www.foo.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /foo1 + backendWeights: + invalid: 0 + valid: 0 destination: - name: securitypolicy/default/policy-for-first-route/http-backend + name: httproute/default/httproute-1/rule/0 settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 80 - protocol: HTTP - weight: 1 - failOpen: false - - name: httproute/default/httproute-1/rule/1/match/0/www_example_com - hostname: "*" - pathMatch: - exact: "foo" - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - endpoints: - - host: "10.0.0.1" - port: 50000 - extAuth: - name: default/httproute-1 - http: - authority: http-backend.envoy-gateway:80 - headersToBackend: - - header1 - - header2 - path: /auth + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + extAuth: + name: securitypolicy/default/policy-for-http-route-1 + failOpen: false + grpc: + authority: grpc-backend.default:9000 + destination: + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + settings: + - addressType: IP + endpoints: + - host: 8.8.8.8 + port: 
9000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + - name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + hostname: www.foo.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /foo2 + backendWeights: + invalid: 0 + valid: 0 destination: - name: securitypolicy/default/policy-for-first-route/http-backend + name: httproute/default/httproute-1/rule/1 settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 80 - protocol: HTTP - weight: 1 - failOpen: false - - name: httproute/default/httproute-2/rule/0/match/0/www_example_com - hostname: "*" - pathMatch: - exact: "bar" - destination: - name: httproute/default/httproute-2/rule/0 - settings: - - endpoints: - - host: "10.0.0.2" - port: 60000 - extAuth: - name: default/gateway-1 - grpc: - authority: grpc-backend.default:9000 + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + extAuth: + name: securitypolicy/default/policy-for-http-route-1 + failOpen: false + grpc: + authority: grpc-backend.default:9000 + destination: + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + settings: + - addressType: IP + endpoints: + - host: 8.8.8.8 + port: 9000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + - name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + hostname: www.bar.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /bar + backendWeights: + invalid: 0 + valid: 0 destination: - name: securitypolicy/default/policy-for-second-route/grpc-backend + name: httproute/default/httproute-2/rule/0 settings: - - addressType: IP - endpoints: - - host: 8.8.8.8 - port: 9000 - protocol: GRPC - weight: 1 - headersToExtAuth: - - header1 - - header2 - failOpen: true + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + extAuth: + name: securitypolicy/default/policy-for-gateway-1 + failOpen: true + http: + 
authority: http-backend.envoy-gateway:80 + destination: + name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 80 + protocol: HTTP + weight: 1 + headersToBackend: + - header1 + - header2 + path: /auth diff --git a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml index b90a1c97f4a..59441c23d6c 100644 --- a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml @@ -19,6 +19,7 @@ http: - host: "1.2.3.4" port: 50000 oidc: + name: securitypolicy/default/policy-for-first-route clientID: client.oauth.foo.com clientSecret: Y2xpZW50MTpzZWNyZXQK provider: @@ -43,6 +44,7 @@ http: - host: "1.2.3.4" port: 50000 oidc: + name: securitypolicy/default/policy-for-second-route clientID: client.oauth.bar.com clientSecret: Y2xpZW50MTpzZWNyZXQK provider: diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml index d53a7a1b2ce..e4e5b8994bc 100644 --- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml 
@@ -9,9 +9,43 @@ edsConfig: ads: {} resourceApiVersion: V3 - serviceName: first-route-dest + serviceName: httproute/default/httproute-1/rule/0 lbPolicy: LEAST_REQUEST - name: first-route-dest + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/1 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/1 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-2/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-2/rule/0 outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.endpoints.yaml index 3b3f2d09076..bf9f0023789 100644 --- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.endpoints.yaml 
@@ -1,12 +1,36 @@ -- clusterName: first-route-dest +- clusterName: httproute/default/httproute-1/rule/0 endpoints: - lbEndpoints: - endpoint: address: socketAddress: - address: 1.2.3.4 - portValue: 50000 + address: 7.7.7.7 + portValue: 8080 loadBalancingWeight: 1 loadBalancingWeight: 1 locality: - region: first-route-dest/backend/0 + region: httproute/default/httproute-1/rule/0/backend/0 +- clusterName: httproute/default/httproute-1/rule/1 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/1/backend/0 +- clusterName: httproute/default/httproute-2/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-2/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml index 36ab0dbb7ba..bdf4ec12fab 100644 --- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml 
@@ -15,11 +15,17 @@ maxConcurrentStreams: 100 httpFilters: - disabled: true - name: envoy.filters.http.basic_auth/first-route + name: envoy.filters.http.basic_auth/securitypolicy/default/policy-for-http-route-1 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuth users: inlineBytes: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo= + - disabled: true + name: envoy.filters.http.basic_auth/securitypolicy/default/policy-for-gateway-1 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuth + users: + inlineBytes: Zm9vOntTSEF9WXMyM0FnLzVJT1dxWkN3OVFHYVZEZEh3SDAwPQpmb28xOntTSEF9ZGpaMTFxSFkwS09pamV5bUs3YUt2WXV2aHZNPQo= - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router @@ -31,10 +37,10 @@ configSource: ads: {} resourceApiVersion: V3 - routeConfigName: first-listener + routeConfigName: default/gateway-1/http serverHeaderTransformation: PASS_THROUGH statPrefix: http useRemoteAddress: true drainType: MODIFY_ONLY - name: first-listener + name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.routes.yaml index 22938d503e2..c7196e28f6f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.routes.yaml 
@@ -1,18 +1,44 @@ - ignorePortInHostMatching: true - name: first-listener + name: default/gateway-1/http virtualHosts: - domains: - - '*' - name: first-listener/* + - www.foo.com + name: default/gateway-1/http/www_foo_com routes: - match: - path: foo/bar - name: first-route + pathSeparatedPrefix: /foo1 + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com route: - cluster: first-route-dest + cluster: httproute/default/httproute-1/rule/0 upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: - envoy.filters.http.basic_auth/first-route: + envoy.filters.http.basic_auth/securitypolicy/default/policy-for-http-route-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - match: + pathSeparatedPrefix: /foo2 + name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + route: + cluster: httproute/default/httproute-1/rule/1 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.basic_auth/securitypolicy/default/policy-for-http-route-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - domains: + - www.bar.com + name: default/gateway-1/http/www_bar_com + routes: + - match: + pathSeparatedPrefix: /bar + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + route: + cluster: httproute/default/httproute-2/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.basic_auth/securitypolicy/default/policy-for-gateway-1: '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig config: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml index d02aa6b4aa8..cf4fbc9b274 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml 
@@ -26,9 +26,9 @@ edsConfig: ads: {} resourceApiVersion: V3 - serviceName: httproute/default/httproute-2/rule/0 + serviceName: httproute/default/httproute-1/rule/1 lbPolicy: LEAST_REQUEST - name: httproute/default/httproute-2/rule/0 + name: httproute/default/httproute-1/rule/1 outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS @@ -43,9 +43,9 @@ edsConfig: ads: {} resourceApiVersion: V3 - serviceName: securitypolicy/default/policy-for-first-route/http-backend + serviceName: httproute/default/httproute-2/rule/0 lbPolicy: LEAST_REQUEST - name: securitypolicy/default/policy-for-first-route/http-backend + name: httproute/default/httproute-2/rule/0 outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS @@ -60,9 +60,9 @@ edsConfig: ads: {} resourceApiVersion: V3 - serviceName: securitypolicy/default/policy-for-second-route/grpc-backend + serviceName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend lbPolicy: LEAST_REQUEST - name: securitypolicy/default/policy-for-second-route/grpc-backend + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS @@ -71,3 +71,20 @@ '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: http2ProtocolOptions: {} +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + lbPolicy: LEAST_REQUEST + name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.endpoints.yaml index ce53193cdb2..2c0f91a63f3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.endpoints.yaml @@ -4,37 +4,37 @@ - endpoint: address: socketAddress: - address: 10.0.0.1 - portValue: 50000 + address: 7.7.7.7 + portValue: 8080 loadBalancingWeight: 1 loadBalancingWeight: 1 locality: region: httproute/default/httproute-1/rule/0/backend/0 -- clusterName: httproute/default/httproute-2/rule/0 +- clusterName: httproute/default/httproute-1/rule/1 endpoints: - lbEndpoints: - endpoint: address: socketAddress: - address: 10.0.0.2 - portValue: 60000 + address: 7.7.7.7 + portValue: 8080 loadBalancingWeight: 1 loadBalancingWeight: 1 locality: - region: httproute/default/httproute-2/rule/0/backend/0 -- clusterName: securitypolicy/default/policy-for-first-route/http-backend + region: httproute/default/httproute-1/rule/1/backend/0 +- clusterName: httproute/default/httproute-2/rule/0 endpoints: - lbEndpoints: - endpoint: address: socketAddress: address: 7.7.7.7 - portValue: 80 + portValue: 8080 loadBalancingWeight: 1 loadBalancingWeight: 1 locality: - region: securitypolicy/default/policy-for-first-route/http-backend/backend/0 -- clusterName: securitypolicy/default/policy-for-second-route/grpc-backend + region: httproute/default/httproute-2/rule/0/backend/0 +- clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend endpoints: - lbEndpoints: - endpoint: 
@@ -45,4 +45,16 @@ loadBalancingWeight: 1 loadBalancingWeight: 1 locality: - region: securitypolicy/default/policy-for-second-route/grpc-backend/backend/0 + region: securitypolicy/default/policy-for-http-route-1/default/grpc-backend/backend/0 +- clusterName: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 80 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml index 35a8b7f7ab5..e85a6d3b854 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml @@ -15,9 +15,24 @@ maxConcurrentStreams: 100 httpFilters: - disabled: true - name: envoy.filters.http.ext_authz/default/httproute-1 + name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + allowedHeaders: + patterns: + - exact: header1 + - exact: header2 + grpcService: + envoyGrpc: + authority: grpc-backend.default:9000 + clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + timeout: 10s + transportApiVersion: V3 + - disabled: true + name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-gateway-1 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + failureModeAllow: true httpService: authorizationResponse: allowedUpstreamHeaders: 
@@ -25,25 +40,10 @@ - exact: header1 - exact: header2 serverUri: - cluster: securitypolicy/default/policy-for-first-route/http-backend + cluster: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend timeout: 10s uri: http://http-backend.envoy-gateway:80/auth transportApiVersion: V3 - - disabled: true - name: envoy.filters.http.ext_authz/default/gateway-1 - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz - allowedHeaders: - patterns: - - exact: header1 - - exact: header2 - failureModeAllow: true - grpcService: - envoyGrpc: - authority: grpc-backend.default:9000 - clusterName: securitypolicy/default/policy-for-second-route/grpc-backend - timeout: 10s - transportApiVersion: V3 - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router @@ -55,10 +55,10 @@ configSource: ads: {} resourceApiVersion: V3 - routeConfigName: first-listener + routeConfigName: default/gateway-1/http serverHeaderTransformation: PASS_THROUGH statPrefix: http useRemoteAddress: true drainType: MODIFY_ONLY - name: first-listener + name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml index 7ca5275220c..08edfc3c406 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.routes.yaml 
@@ -1,40 +1,44 @@ - ignorePortInHostMatching: true - name: first-listener + name: default/gateway-1/http virtualHosts: - domains: - - '*' - name: first-listener/* + - www.foo.com + name: default/gateway-1/http/www_foo_com routes: - match: - path: foo - name: httproute/default/httproute-1/rule/0/match/0/www_example_com + pathSeparatedPrefix: /foo1 + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com route: cluster: httproute/default/httproute-1/rule/0 upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: - envoy.filters.http.ext_authz/default/httproute-1: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1: '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig config: {} - match: - path: foo - name: httproute/default/httproute-1/rule/1/match/0/www_example_com + pathSeparatedPrefix: /foo2 + name: httproute/default/httproute-1/rule/1/match/0/www_foo_com route: - cluster: httproute/default/httproute-1/rule/0 + cluster: httproute/default/httproute-1/rule/1 upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: - envoy.filters.http.ext_authz/default/httproute-1: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1: '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig config: {} + - domains: + - www.bar.com + name: default/gateway-1/http/www_bar_com + routes: - match: - path: bar - name: httproute/default/httproute-2/rule/0/match/0/www_example_com + pathSeparatedPrefix: /bar + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com route: cluster: httproute/default/httproute-2/rule/0 upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: - envoy.filters.http.ext_authz/default/gateway-1: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-gateway-1: '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig config: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml index 132b1d06a48..1d7cf7ba34b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml @@ -15,7 +15,7 @@ maxConcurrentStreams: 100 httpFilters: - disabled: true - name: envoy.filters.http.oauth2/first-route + name: envoy.filters.http.oauth2/securitypolicy/default/policy-for-first-route typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 config: @@ -34,12 +34,12 @@ oauthHmac: OauthHMAC-5F93C2E4 refreshToken: RefreshToken-5F93C2E4 hmacSecret: - name: first-route/oauth2/hmac_secret + name: oauth2/hmac_secret/securitypolicy/default/policy-for-first-route sdsConfig: ads: {} resourceApiVersion: V3 tokenSecret: - name: first-route/oauth2/client_secret + name: oauth2/client_secret/securitypolicy/default/policy-for-first-route sdsConfig: ads: {} resourceApiVersion: V3 @@ -56,7 +56,7 @@ timeout: 10s uri: https://oauth.foo.com/token - disabled: true - name: envoy.filters.http.oauth2/second-route + name: envoy.filters.http.oauth2/securitypolicy/default/policy-for-second-route typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 config: @@ -75,12 +75,12 @@ oauthHmac: OauthHMAC-5f93c2e4 refreshToken: RefreshToken-5f93c2e4 hmacSecret: - name: second-route/oauth2/hmac_secret + name: oauth2/hmac_secret/securitypolicy/default/policy-for-second-route sdsConfig: ads: {} resourceApiVersion: V3 tokenSecret: - name: second-route/oauth2/client_secret + name: oauth2/client_secret/securitypolicy/default/policy-for-second-route sdsConfig: ads: {} resourceApiVersion: V3 diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.routes.yaml index d597d98514e..2170a16d131 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/oidc.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.routes.yaml @@ -13,7 +13,7 @@ upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: - envoy.filters.http.oauth2/first-route: + envoy.filters.http.oauth2/securitypolicy/default/policy-for-first-route: '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig config: {} - match: @@ -24,6 +24,6 @@ upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: - envoy.filters.http.oauth2/second-route: + envoy.filters.http.oauth2/securitypolicy/default/policy-for-second-route: '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig config: {} diff --git a/site/content/en/latest/user/traffic/http-redirect.md b/site/content/en/latest/user/traffic/http-redirect.md index ac6a3aceb18..1e67e4e6fd3 100644 --- a/site/content/en/latest/user/traffic/http-redirect.md +++ b/site/content/en/latest/user/traffic/http-redirect.md @@ -38,9 +38,6 @@ spec: statusCode: 301 hostname: www.example.com port: 443 - backendRefs: - - name: backend - port: 3000 EOF ```