diff --git a/internal/cmd/egctl/translate_test.go b/internal/cmd/egctl/translate_test.go index 20cf76d0162..e87167ce305 100644 --- a/internal/cmd/egctl/translate_test.go +++ b/internal/cmd/egctl/translate_test.go @@ -22,6 +22,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/yaml" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/utils/field" "github.com/envoyproxy/gateway/internal/utils/file" ) @@ -368,8 +369,12 @@ func TestTranslate(t *testing.T) { // want.GatewayClass.Status.SupportedFeatures = status.GatewaySupportedFeatures // } - opts := cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime") - require.Empty(t, cmp.Diff(want, got, opts)) + opts := []cmp.Option{ + cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"), + cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"), + } + + require.Empty(t, cmp.Diff(want, got, opts...)) }) } } diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go index b76e215f99a..fbc9cafbf1a 100644 --- a/internal/gatewayapi/backendtlspolicy.go +++ b/internal/gatewayapi/backendtlspolicy.go @@ -32,7 +32,7 @@ func (t *Translator) processBackendTLSPolicy( resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy, ) (*ir.TLSUpstreamConfig, *gwapiv1a3.BackendTLSPolicy) { - policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace) + policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace, resources) if policy == nil { return nil, nil } 
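Review bot: In TestTranslate the cache is excluded by name with `cmpopts.IgnoreFields(resource.Resources{}, "serviceMap")`, which ties this test to a private field of another package. `cmpopts.IgnoreUnexported(resource.Resources{})` would express the intent (compare only the serialized, exported state) and would not need touching if the field is renamed or another lazy cache is added. The same option is added to TestTranslate and TestTranslateWithExtensionKinds in internal/gatewayapi/translator_test.go. The test body starts outside the hunk.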
@@ -157,8 +157,14 @@ func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2 return false } -func getBackendTLSPolicy(policies []*gwapiv1a3.BackendTLSPolicy, backendRef gwapiv1a2.BackendObjectReference, backendNamespace string) *gwapiv1a3.BackendTLSPolicy { - target := getTargetBackendReference(backendRef) +func getBackendTLSPolicy( + policies []*gwapiv1a3.BackendTLSPolicy, + backendRef gwapiv1a2.BackendObjectReference, + backendNamespace string, + resources *resource.Resources, +) *gwapiv1a3.BackendTLSPolicy { + // SectionName is port number for EG Backend object + target := getTargetBackendReference(backendRef, backendNamespace, resources) for _, policy := range policies { if backendTLSTargetMatched(*policy, target, backendNamespace) { return policy diff --git a/internal/gatewayapi/resource/resource.go b/internal/gatewayapi/resource/resource.go index 97468511fa8..749e2efeef6 100644 --- a/internal/gatewayapi/resource/resource.go +++ b/internal/gatewayapi/resource/resource.go @@ -13,6 +13,7 @@ import ( corev1 "k8s.io/api/core/v1" discoveryv1 "k8s.io/api/discovery/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/types" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" @@ -64,6 +65,8 @@ type Resources struct { ExtensionServerPolicies []unstructured.Unstructured `json:"extensionServerPolicies,omitempty" yaml:"extensionServerPolicies,omitempty"` Backends []*egv1a1.Backend `json:"backends,omitempty" yaml:"backends,omitempty"` HTTPRouteFilters []*egv1a1.HTTPRouteFilter `json:"httpFilters,omitempty" yaml:"httpFilters,omitempty"` + + serviceMap map[types.NamespacedName]*corev1.Service } func NewResources() *Resources { 
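Review bot: The new comment in getBackendTLSPolicy, `// SectionName is port number for EG Backend object`, describes only one of the two cases that the call below it now handles. Since the match decides whether a backend gets its TLS policy at all, the comment should state both, for example `// SectionName is the Service port name for Kubernetes Services and the port number for other backend kinds such as EG Backend`. A doc comment on the function saying that `resources` is used only to resolve the Service port name would also help, because the parameter is otherwise unexplained. The loop continues outside the hunk.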
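Review bot: The new `serviceMap` field on Resources has no comment, although it behaves differently from every other field in the struct: it is unexported, carries no json/yaml tags, and is filled lazily by GetService. A comment such as `// serviceMap caches Services by namespace/name; built on first GetService call, never serialized` would make that explicit. The regenerated DeepCopyInto in zz_generated.deepcopy.go also allocates a fresh `corev1.Service` per cache entry, so on a copied Resources the cached pointers are presumably not the same objects as the entries of the copy's `Services` slice. It is worth confirming that no caller mutates a Service on a copy and then reads it back through GetService.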
@@ -111,14 +114,20 @@ func (r *Resources) GetEnvoyProxy(namespace, name string) *egv1a1.EnvoyProxy { return nil } +// GetService returns the Service with the given namespace and name. +// This function creates a HashMap of Services for faster lookup when it's called for the first time. +// Subsequent calls will use the HashMap for lookup. +// Note: +// - This function is not thread-safe. +// - This function should be called after all the Services are added to the Resources. func (r *Resources) GetService(namespace, name string) *corev1.Service { - for _, svc := range r.Services { - if svc.Namespace == namespace && svc.Name == name { - return svc + if r.serviceMap == nil { + r.serviceMap = make(map[types.NamespacedName]*corev1.Service) + for _, svc := range r.Services { + r.serviceMap[types.NamespacedName{Namespace: svc.Namespace, Name: svc.Name}] = svc } } - - return nil + return r.serviceMap[types.NamespacedName{Namespace: namespace, Name: name}] } func (r *Resources) GetServiceImport(namespace, name string) *mcsapiv1a1.ServiceImport { diff --git a/internal/gatewayapi/resource/zz_generated.deepcopy.go b/internal/gatewayapi/resource/zz_generated.deepcopy.go index 06925b1467d..3caecc292c8 100644 --- a/internal/gatewayapi/resource/zz_generated.deepcopy.go +++ b/internal/gatewayapi/resource/zz_generated.deepcopy.go @@ -14,6 +14,7 @@ import ( corev1 "k8s.io/api/core/v1" discoveryv1 "k8s.io/api/discovery/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/gateway-api/apis/v1" "sigs.k8s.io/gateway-api/apis/v1alpha2" "sigs.k8s.io/gateway-api/apis/v1alpha3" 
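Review bot: Building the map in GetService changes which Service wins when `r.Services` holds two entries with the same namespace and name: the removed loop returned the first match, while the plain assignment in the new loop keeps the last one. To preserve the old precedence, guard the insert, e.g. `if _, ok := r.serviceMap[key]; !ok { r.serviceMap[key] = svc }` with `key := types.NamespacedName{Namespace: svc.Namespace, Name: svc.Name}`. The cache is also never invalidated, so a Service appended after the first call is reported as missing. The doc comment does state this ordering requirement, but because a nil result now feeds BackendTLSPolicy matching, a test that pins it would be worthwhile.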
@@ -290,6 +291,22 @@ func (in *Resources) DeepCopyInto(out *Resources) { } } } + if in.serviceMap != nil { + in, out := &in.serviceMap, &out.serviceMap + *out = make(map[types.NamespacedName]*corev1.Service, len(*in)) + for key, val := range *in { + var outVal *corev1.Service + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(corev1.Service) + (*in).DeepCopyInto(*out) + } + (*out)[key] = outVal + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Resources. diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index ddada5f17b6..0fd60b0c51c 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go 
@@ -1598,30 +1598,45 @@ func getIREndpointsFromEndpointSlice(endpointSlice *discoveryv1.EndpointSlice, p return endpoints } -func getTargetBackendReference(backendRef gwapiv1a2.BackendObjectReference) gwapiv1a2.LocalPolicyTargetReferenceWithSectionName { +func getTargetBackendReference(backendRef gwapiv1a2.BackendObjectReference, backendNamespace string, resources *resource.Resources) gwapiv1a2.LocalPolicyTargetReferenceWithSectionName { ref := gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ Group: func() gwapiv1a2.Group { - if backendRef.Group == nil { + if backendRef.Group == nil || *backendRef.Group == "" { return "" } return *backendRef.Group }(), Kind: func() gwapiv1.Kind { - if backendRef.Kind == nil { + if backendRef.Kind == nil || *backendRef.Kind == resource.KindService { return "Service" } return *backendRef.Kind }(), Name: backendRef.Name, }, - SectionName: func() *gwapiv1.SectionName { - if backendRef.Port != nil { - return SectionNamePtr(strconv.Itoa(int(*backendRef.Port))) + } + if backendRef.Port == nil { + return ref + } + + // Set the section name to the port name if the backend is a Kubernetes Service + if backendRef.Kind == nil || *backendRef.Kind == resource.KindService { + if service := resources.GetService(backendNamespace, string(backendRef.Name)); service != nil { + for _, port := range service.Spec.Ports { + if port.Port == int32(*backendRef.Port) { + if port.Name != "" { + ref.SectionName = SectionNamePtr(port.Name) + break + } + } } - return nil - }(), + } + } else { + // Set the section name to the port number if the backend is a EG Backend + ref.SectionName = SectionNamePtr(strconv.Itoa(int(*backendRef.Port))) } + return ref } diff --git a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.in.yaml index e87b3ad1cb9..efd69116641 100644 
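Review bot: In the Service branch of getTargetBackendReference, `ref.SectionName` stays nil when the Service is not found in `resources`, when no port matches `backendRef.Port`, or when the matching port has no name. A policy whose targetRef still uses the numeric form (`sectionName: "8080"`) can no longer equal the port name produced here either. processBackendTLSPolicy returns `nil, nil` when no policy matches, so in those cases the backend is presumably translated without the policy's TLS settings and with no error surfaced; how a nil section name is compared depends on backendTLSTargetMatched, which is outside this hunk. I would add a doc comment on the function listing these outcomes, and record the dropped numeric form as a breaking change in the release notes rather than only as a bug fix. The trailing `else` also covers every non-Service kind, not just EG Backend as its comment says, and `resources` is dereferenced through GetService without a nil check.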
--- a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.in.yaml @@ -123,7 +123,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml index fde390c7efe..ae77deb8c62 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml index b701ad9800f..fd4caad15e4 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml @@ -108,7 +108,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: ca-secret diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml index a5b87b3fa1f..cd7e70d8bfa 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: "" 
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml index cc6c0f17c8f..2b6701762f7 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml @@ -123,7 +123,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml index 8489f047341..a89dc859cdd 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.in.yaml index a86b1a25930..2fd3adc48e7 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.in.yaml @@ -167,7 +167,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http - group: gateway.envoyproxy.io kind: Backend name: backend-ip-tls diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml index 9f4874f90f4..bbea6c79f5f 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml 
@@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http - group: gateway.envoyproxy.io kind: Backend name: backend-ip-tls diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml index 5a13fba2fc2..10ac7095127 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml @@ -134,7 +134,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml index 2e2186879f9..0fbf1d8d411 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml index 7abc20d19c1..a5484a20358 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml @@ -105,7 +105,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: no-ca-cmap diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml index 100efbcab4f..20e749d0e90 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml 
+++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml index d3458d06da8..96a97fcb0ca 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml @@ -64,11 +64,11 @@ services: clusterIP: 10.11.12.13 ports: - port: 8080 - name: http + name: http1 protocol: TCP targetPort: 8080 - port: 8081 - name: http + name: http2 protocol: TCP targetPort: 8081 @@ -110,11 +110,11 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http1 - group: "" kind: Service name: http-backend - sectionName: "8081" + sectionName: http2 validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml index 8ecd25a2418..75f11c18849 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml @@ -10,11 +10,11 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http1 - group: "" kind: Service name: http-backend - sectionName: "8081" + sectionName: http2 validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml index 3b20aa31ee5..520065b82a4 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml 
+++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml @@ -98,7 +98,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: wellKnownCACertificates: System hostname: example.com diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml index f91dc4d768e..dbe5fcb90f2 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: hostname: example.com wellKnownCACertificates: System diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml index 95e8b95701f..a7c8128be50 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml @@ -160,7 +160,7 @@ backendTLSPolicies: - group: '' kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - name: ca-cmap @@ -177,7 +177,7 @@ backendTLSPolicies: - group: '' kind: Service name: grpc-backend-2 - sectionName: "9000" + sectionName: grpc validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml index 3fd129b8047..06461f085fe 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - group: "" @@ -42,7 +42,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend-2 - sectionName: "9000" + sectionName: grpc validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml index dad20362396..89be7cac752 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml @@ -162,7 +162,7 @@ backendTLSPolicies: - group: '' kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml index a81a7cd4410..5f1cd880246 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml index 1f25d8f7e0b..30af5a4dbd9 100644 
--- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml @@ -162,7 +162,7 @@ backendTLSPolicies: - group: '' kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml index 21fb5de6103..df04fea804f 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml index 64b0b7a3ae9..42e46b8990e 100644 --- a/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml @@ -162,7 +162,7 @@ backendTLSPolicies: - group: '' kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml index 426268f6340..8044e3874ed 100644 --- a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - group: "" 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml index d2aee51b27e..abd7ed641b9 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml @@ -160,7 +160,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "80" + sectionName: http validation: caCertificateRefs: - name: ca-cmap @@ -177,7 +177,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend - sectionName: "9000" + sectionName: grpc validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml index b87c7992c90..c4f0d3b6c99 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "80" + sectionName: http validation: caCertificateRefs: - group: "" @@ -42,7 +42,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend - sectionName: "9000" + sectionName: grpc validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/translator_test.go b/internal/gatewayapi/translator_test.go index 61e0025fbdd..96a88bfdec9 100644 --- a/internal/gatewayapi/translator_test.go +++ b/internal/gatewayapi/translator_test.go 
@@ -320,11 +320,11 @@ func TestTranslate(t *testing.T) { opts := []cmp.Option{ cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"), + cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"), cmp.Transformer("ClearXdsEqual", xdsWithoutEqual), cmpopts.IgnoreTypes(ir.PrivateBytes{}), cmpopts.EquateEmpty(), } - require.Empty(t, cmp.Diff(want, got, opts...)) }) } @@ -519,8 +519,11 @@ func TestTranslateWithExtensionKinds(t *testing.T) { want := &TranslateResult{} mustUnmarshal(t, output, want) - opts := cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime") - require.Empty(t, cmp.Diff(want, got, opts)) + opts := []cmp.Option{ + cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"), + cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"), + } + require.Empty(t, cmp.Diff(want, got, opts...)) }) } } diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 6ba9c2ee5cb..b2bfc794438 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -17,6 +17,7 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | + Fixed BackendTLSPolicy didn't support using port name as the sectionName in the targetRefs Fixed reference grant from EnvoyExtensionPolicy to referenced ext-proc backend not respected # Enhancements that improve performance. diff --git a/test/e2e/base/manifests.yaml b/test/e2e/base/manifests.yaml index 34ccc08390a..ef3e9841c3b 100644 --- a/test/e2e/base/manifests.yaml +++ b/test/e2e/base/manifests.yaml @@ -480,7 +480,8 @@ spec: selector: app: tls-backend-2 ports: - - protocol: TCP + - name: https + protocol: TCP port: 443 targetPort: 8443 --- diff --git a/test/e2e/testdata/backend-tls-settings.yaml b/test/e2e/testdata/backend-tls-settings.yaml index 749255f82e5..b78ace739fe 100644 --- a/test/e2e/testdata/backend-tls-settings.yaml +++ b/test/e2e/testdata/backend-tls-settings.yaml 
@@ -62,7 +62,8 @@ spec: selector: app: tls-backend ports: - - protocol: TCP + - name: https + protocol: TCP port: 443 targetPort: 8443 --- @@ -137,7 +138,7 @@ spec: - group: "" kind: Service name: tls-backend - sectionName: "443" + sectionName: https validation: caCertificateRefs: - name: backend-tls-certificate diff --git a/test/e2e/testdata/backend-tls.yaml b/test/e2e/testdata/backend-tls.yaml index f00218ab99c..ad77871ea74 100644 --- a/test/e2e/testdata/backend-tls.yaml +++ b/test/e2e/testdata/backend-tls.yaml @@ -8,7 +8,7 @@ spec: - group: "" kind: Service name: tls-backend-2 - sectionName: "443" + sectionName: https validation: caCertificateRefs: - name: backend-tls-checks-certificate diff --git a/test/e2e/testdata/ext-auth-grpc-securitypolicy.yaml b/test/e2e/testdata/ext-auth-grpc-securitypolicy.yaml index c75ee250f09..2d49f69c50a 100644 --- a/test/e2e/testdata/ext-auth-grpc-securitypolicy.yaml +++ b/test/e2e/testdata/ext-auth-grpc-securitypolicy.yaml @@ -62,7 +62,7 @@ spec: - group: '' kind: Service name: grpc-ext-auth - sectionName: "9002" + sectionName: grpc validation: caCertificateRefs: - name: grpc-ext-auth-ca diff --git a/test/e2e/testdata/ext-auth-grpc-service.yaml b/test/e2e/testdata/ext-auth-grpc-service.yaml index 587dad8a860..da74439592f 100644 --- a/test/e2e/testdata/ext-auth-grpc-service.yaml +++ b/test/e2e/testdata/ext-auth-grpc-service.yaml @@ -103,3 +103,4 @@ spec: - protocol: TCP port: 9002 targetPort: 9002 + name: grpc diff --git a/test/e2e/testdata/ext-auth-http-service.yaml b/test/e2e/testdata/ext-auth-http-service.yaml index a4e96928292..cada07e4712 100644 --- a/test/e2e/testdata/ext-auth-http-service.yaml +++ b/test/e2e/testdata/ext-auth-http-service.yaml @@ -39,3 +39,4 @@ spec: - protocol: TCP port: 9002 targetPort: 9002 + name: http diff --git a/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml b/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml index 90d25613be5..0190225933d 100644 
--- a/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml +++ b/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml @@ -84,7 +84,7 @@ spec: - group: '' kind: Service name: grpc-ext-proc - sectionName: "9002" + sectionName: grpc validation: caCertificateRefs: - name: grpc-ext-proc-ca diff --git a/test/e2e/testdata/ext-proc-service.yaml b/test/e2e/testdata/ext-proc-service.yaml index 3dc4796e123..57581a80c38 100644 --- a/test/e2e/testdata/ext-proc-service.yaml +++ b/test/e2e/testdata/ext-proc-service.yaml @@ -95,3 +95,4 @@ spec: - protocol: TCP port: 9002 targetPort: 9002 + name: grpc