From d9a8e546a10a01b5cd3509b6a4d20165d2a9d60b Mon Sep 17 00:00:00 2001
From: zirain
Date: Mon, 27 May 2024 03:09:15 +0800
Subject: [PATCH 1/2] e2e: skip UseClientProtocolTest (#3478)
Signed-off-by: zirain
---
 test/e2e/e2e_test.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index 9f4f3353b64..35d52a8621c 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -57,6 +57,7 @@ func TestE2E(t *testing.T) {
 SkipTests: []string{
 tests.ClientTimeoutTest.ShortName, // https://github.com/envoyproxy/gateway/issues/2720
 tests.GatewayInfraResourceTest.ShortName, // https://github.com/envoyproxy/gateway/issues/3191
+ tests.UseClientProtocolTest.ShortName, // https://github.com/envoyproxy/gateway/issues/3473
 },
 })
 if err != nil {
From 3f7767f71f89419bfbd920849580ea0ae4d71a8c Mon Sep 17 00:00:00 2001
From: Guy Daich
Date: Sun, 26 May 2024 14:30:40 -0500
Subject: [PATCH 2/2] fix: EEP RG enforcement (#3475)
fix EEP RG enforcement
Signed-off-by: Guy Daich
---
 internal/gatewayapi/envoyextensionpolicy.go | 1 +
 internal/gatewayapi/securitypolicy.go | 1 +
 ...yextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml | 2 +-
 ...ensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml | 2 +-
 internal/gatewayapi/validate.go | 3 ++-
 5 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go
index 16229f2d7c9..b4c89db790f 100644
--- a/internal/gatewayapi/envoyextensionpolicy.go
+++ b/internal/gatewayapi/envoyextensionpolicy.go
@@ -416,6 +416,7 @@ func (t *Translator) buildExtProc(
 if err = t.validateExtServiceBackendReference(
 &extProc.BackendRefs[i].BackendObjectReference,
 policyNamespacedName.Namespace,
+ egv1a1.KindEnvoyExtensionPolicy,
 resources); err != nil {
 return nil, err
 }
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index bfb4d9e7eca..8cdca113bd0 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -790,6 +790,7 @@ func (t *Translator) buildExtAuth(
 if err = t.validateExtServiceBackendReference(
 backendRef,
 policy.Namespace,
+ KindSecurityPolicy,
 resources); err != nil {
 return nil, err
 }
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml
index e55d3a9bf20..ca3297a5fae 100644
--- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml
@@ -117,7 +117,7 @@ referenceGrants:
 spec:
 from:
 - group: gateway.envoyproxy.io
- kind: SecurityPolicy
+ kind: EnvoyExtensionPolicy
 namespace: default
 to:
 - group: ''
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml
index 9e1a3500adb..71ad79e6215 100644
--- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml
@@ -117,7 +117,7 @@ referenceGrants:
 spec:
 from:
 - group: gateway.envoyproxy.io
- kind: SecurityPolicy
+ kind: EnvoyExtensionPolicy
 namespace: default
 to:
 - group: ''
diff --git a/internal/gatewayapi/validate.go b/internal/gatewayapi/validate.go
index 208fa300d45..1e57a60b0fb 100644
--- a/internal/gatewayapi/validate.go
+++ b/internal/gatewayapi/validate.go
@@ -936,6 +936,7 @@ func (t *Translator) validateSecretObjectRef(
 func (t *Translator) validateExtServiceBackendReference(
 backendRef *gwapiv1.BackendObjectReference,
 ownerNamespace string,
+ policyKind string,
 resources *Resources,
 ) error {
 // These are sanity checks, they should never happen because the API server
@@ -985,7 +986,7 @@ func (t *Translator) validateExtServiceBackendReference(
 if !t.validateCrossNamespaceRef(
 crossNamespaceFrom{
 group: egv1a1.GroupName,
- kind: KindSecurityPolicy,
+ kind: policyKind,
 namespace: ownerNamespace,
 },
 crossNamespaceTo{
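Review bot: The new `policyKind string` parameter sits directly after `ownerNamespace string`, so two adjacent positional strings now feed the ReferenceGrant check and a swapped or mistyped argument still compiles. Judging by the second hunk, the value is matched against a grant's `from.kind`, so a wrong value would presumably just never match, which is hard to diagnose from the resulting error. I would state the contract above the function, e.g. `// policyKind is the Kind of the policy that owns backendRef; it is matched against ReferenceGrant from.kind.`, and consider rejecting an empty `policyKind` next to the existing sanity checks. The function body continues outside the hunk.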
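Review bot: Nothing visible in this patch exercises the rejected path for `kind: policyKind`: the two EnvoyExtensionPolicy fixtures were only switched from `kind: SecurityPolicy` to `kind: EnvoyExtensionPolicy`, so they still cover only the allowed case. This line is what stops a ReferenceGrant issued to SecurityPolicy from also authorizing an EnvoyExtensionPolicy's cross-namespace backendRef. A fixture that keeps `kind: SecurityPolicy` in the grant and expects the ext-proc reference to be refused would pin the fix against regression. The mirror case, an EnvoyExtensionPolicy grant that must not satisfy `buildExtAuth`, deserves the same. The enclosing function starts and ends outside the hunk.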