
Commit 44c2f74

fix: BackendTlsPolicy specify multiple targetRefs of the same service, only one will work (#4630)
* add tests

Signed-off-by: Huabing Zhao <[email protected]>

* fix matching comparison

Signed-off-by: Huabing Zhao <[email protected]>

* add release note

Signed-off-by: Huabing Zhao <[email protected]>

* fix lint

Signed-off-by: Huabing Zhao <[email protected]>

* fix lint

Signed-off-by: Huabing Zhao <[email protected]>

---------

Signed-off-by: Huabing Zhao <[email protected]>
1 parent 7b6834e commit 44c2f74

4 files changed

+369
-6
lines changed


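--- a/internal/gatewayapi/backendtlspolicy.go
+++ b/internal/gatewayapi/backendtlspolicy.go
@@ -7,6 +7,7 @@ package gatewayapi
 
 import (
 "fmt"
+"reflect"
 
 "k8s.io/utils/ptr"
 gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
@@ -145,13 +146,12 @@ func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2
 target.Kind == currTarget.Kind &&
 backendNamespace == policy.Namespace &&
 target.Name == currTarget.Name {
-if currTarget.SectionName != nil {
-if target.SectionName != nil && *currTarget.SectionName == *target.SectionName {
-return true
-}
-return false
+// if section name is not set, then it targets the entire backend
+if currTarget.SectionName == nil {
+return true
+} else if reflect.DeepEqual(currTarget.SectionName, target.SectionName) {
+return true
 }
-return true
 }
 }
 return false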
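Review bot: `reflect.DeepEqual` on the two `*SectionName` pointers at new lines 152–153 adds a `reflect` import (first hunk) for what is only a nil-aware comparison of two pointers to a string type; `k8s.io/utils/ptr`, already imported at line 11 of this file, provides `ptr.Equal` for exactly that, assuming the vendored version is recent enough to include it. The two `return true` branches then collapse into one guard, keeping the new comment above it: `if currTarget.SectionName == nil || ptr.Equal(currTarget.SectionName, target.SectionName) { return true }`. That also drops the `reflect` import and the `else` after a terminating `if`. The signature of backendTLSTargetMatched and the loop that opens this `if` are above the hunk, so the fall-through to `return false` after the remaining targetRefs have been checked is only partly visible here.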
Lines changed: 123 additions & 0 deletions
@@ -0,0 +1,123 @@
1+
gateways:
2+
- apiVersion: gateway.networking.k8s.io/v1
3+
kind: Gateway
4+
metadata:
5+
name: gateway-btls
6+
namespace: envoy-gateway
7+
spec:
8+
gatewayClassName: envoy-gateway-class
9+
listeners:
10+
- name: http
11+
protocol: HTTP
12+
port: 80
13+
allowedRoutes:
14+
namespaces:
15+
from: All
16+
17+
httpRoutes:
18+
- apiVersion: gateway.networking.k8s.io/v1
19+
kind: HTTPRoute
20+
metadata:
21+
name: httproute-btls-1
22+
namespace: envoy-gateway
23+
spec:
24+
parentRefs:
25+
- namespace: envoy-gateway
26+
name: gateway-btls
27+
sectionName: http
28+
rules:
29+
- matches:
30+
- path:
31+
type: Exact
32+
value: "/exact-1"
33+
backendRefs:
34+
- name: http-backend
35+
namespace: envoy-gateway
36+
port: 8080
37+
- apiVersion: gateway.networking.k8s.io/v1
38+
kind: HTTPRoute
39+
metadata:
40+
name: httproute-btls-2
41+
namespace: envoy-gateway
42+
spec:
43+
parentRefs:
44+
- namespace: envoy-gateway
45+
name: gateway-btls
46+
sectionName: http
47+
rules:
48+
- matches:
49+
- path:
50+
type: Exact
51+
value: "/exact-2"
52+
backendRefs:
53+
- name: http-backend
54+
namespace: envoy-gateway
55+
port: 8081
56+
57+
services:
58+
- apiVersion: v1
59+
kind: Service
60+
metadata:
61+
name: http-backend
62+
namespace: envoy-gateway
63+
spec:
64+
clusterIP: 10.11.12.13
65+
ports:
66+
- port: 8080
67+
name: http
68+
protocol: TCP
69+
targetPort: 8080
70+
- port: 8081
71+
name: http
72+
protocol: TCP
73+
targetPort: 8081
74+
75+
configMaps:
76+
- apiVersion: v1
77+
kind: ConfigMap
78+
metadata:
79+
name: ca-cmap
80+
namespace: envoy-gateway
81+
data:
82+
ca.crt: |
83+
-----BEGIN CERTIFICATE-----
84+
MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL
85+
BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw
86+
MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G
87+
A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc
88+
1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM
89+
yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b
90+
kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU
91+
Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq
92+
ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR
93+
bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48
94+
6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/
95+
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz
96+
2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J
97+
i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE
98+
A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg
99+
d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1
100+
3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q==
101+
-----END CERTIFICATE-----
102+
backendTLSPolicies:
103+
- apiVersion: gateway.networking.k8s.io/v1alpha2
104+
kind: BackendTLSPolicy
105+
metadata:
106+
name: policy-btls
107+
namespace: envoy-gateway
108+
spec:
109+
targetRefs:
110+
- group: ""
111+
kind: Service
112+
name: http-backend
113+
sectionName: "8080"
114+
- group: ""
115+
kind: Service
116+
name: http-backend
117+
sectionName: "8081"
118+
validation:
119+
caCertificateRefs:
120+
- name: ca-cmap
121+
group: ""
122+
kind: ConfigMap
123+
hostname: example.com
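Review bot: Both ports of the `http-backend` Service carry the same `name: http` (lines 67 and 71 of the fixture) while the policy's `targetRefs` use `sectionName: "8080"` and `"8081"`, so the fixture relies on the section name being matched against the port number rather than the port name; the Gateway API description of `sectionName` for a Service refers to the port name, so if number-based matching is the intended Envoy Gateway behaviour it deserves a comment in the fixture, e.g. `# sectionName is matched against the Service port number, not the port name`. A Service with two ports sharing one name would also most likely be rejected by the Kubernetes API server as a duplicate port name, so renaming the second port (e.g. `name: http-2`) keeps the fixture realistic without changing what the test covers. The expected-output fixture that follows would need the same rename if applied.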
Lines changed: 239 additions & 0 deletions
@@ -0,0 +1,239 @@
1+
backendTLSPolicies:
2+
- apiVersion: gateway.networking.k8s.io/v1alpha2
3+
kind: BackendTLSPolicy
4+
metadata:
5+
creationTimestamp: null
6+
name: policy-btls
7+
namespace: envoy-gateway
8+
spec:
9+
targetRefs:
10+
- group: ""
11+
kind: Service
12+
name: http-backend
13+
sectionName: "8080"
14+
- group: ""
15+
kind: Service
16+
name: http-backend
17+
sectionName: "8081"
18+
validation:
19+
caCertificateRefs:
20+
- group: ""
21+
kind: ConfigMap
22+
name: ca-cmap
23+
hostname: example.com
24+
status:
25+
ancestors:
26+
- ancestorRef:
27+
name: gateway-btls
28+
namespace: envoy-gateway
29+
sectionName: http
30+
conditions:
31+
- lastTransitionTime: null
32+
message: Policy has been accepted.
33+
reason: Accepted
34+
status: "True"
35+
type: Accepted
36+
controllerName: gateway.envoyproxy.io/gatewayclass-controller
37+
gateways:
38+
- apiVersion: gateway.networking.k8s.io/v1
39+
kind: Gateway
40+
metadata:
41+
creationTimestamp: null
42+
name: gateway-btls
43+
namespace: envoy-gateway
44+
spec:
45+
gatewayClassName: envoy-gateway-class
46+
listeners:
47+
- allowedRoutes:
48+
namespaces:
49+
from: All
50+
name: http
51+
port: 80
52+
protocol: HTTP
53+
status:
54+
listeners:
55+
- attachedRoutes: 2
56+
conditions:
57+
- lastTransitionTime: null
58+
message: Sending translated listener configuration to the data plane
59+
reason: Programmed
60+
status: "True"
61+
type: Programmed
62+
- lastTransitionTime: null
63+
message: Listener has been successfully translated
64+
reason: Accepted
65+
status: "True"
66+
type: Accepted
67+
- lastTransitionTime: null
68+
message: Listener references have been resolved
69+
reason: ResolvedRefs
70+
status: "True"
71+
type: ResolvedRefs
72+
name: http
73+
supportedKinds:
74+
- group: gateway.networking.k8s.io
75+
kind: HTTPRoute
76+
- group: gateway.networking.k8s.io
77+
kind: GRPCRoute
78+
httpRoutes:
79+
- apiVersion: gateway.networking.k8s.io/v1
80+
kind: HTTPRoute
81+
metadata:
82+
creationTimestamp: null
83+
name: httproute-btls-1
84+
namespace: envoy-gateway
85+
spec:
86+
parentRefs:
87+
- name: gateway-btls
88+
namespace: envoy-gateway
89+
sectionName: http
90+
rules:
91+
- backendRefs:
92+
- name: http-backend
93+
namespace: envoy-gateway
94+
port: 8080
95+
matches:
96+
- path:
97+
type: Exact
98+
value: /exact-1
99+
status:
100+
parents:
101+
- conditions:
102+
- lastTransitionTime: null
103+
message: Route is accepted
104+
reason: Accepted
105+
status: "True"
106+
type: Accepted
107+
- lastTransitionTime: null
108+
message: Resolved all the Object references for the Route
109+
reason: ResolvedRefs
110+
status: "True"
111+
type: ResolvedRefs
112+
controllerName: gateway.envoyproxy.io/gatewayclass-controller
113+
parentRef:
114+
name: gateway-btls
115+
namespace: envoy-gateway
116+
sectionName: http
117+
- apiVersion: gateway.networking.k8s.io/v1
118+
kind: HTTPRoute
119+
metadata:
120+
creationTimestamp: null
121+
name: httproute-btls-2
122+
namespace: envoy-gateway
123+
spec:
124+
parentRefs:
125+
- name: gateway-btls
126+
namespace: envoy-gateway
127+
sectionName: http
128+
rules:
129+
- backendRefs:
130+
- name: http-backend
131+
namespace: envoy-gateway
132+
port: 8081
133+
matches:
134+
- path:
135+
type: Exact
136+
value: /exact-2
137+
status:
138+
parents:
139+
- conditions:
140+
- lastTransitionTime: null
141+
message: Route is accepted
142+
reason: Accepted
143+
status: "True"
144+
type: Accepted
145+
- lastTransitionTime: null
146+
message: Resolved all the Object references for the Route
147+
reason: ResolvedRefs
148+
status: "True"
149+
type: ResolvedRefs
150+
controllerName: gateway.envoyproxy.io/gatewayclass-controller
151+
parentRef:
152+
name: gateway-btls
153+
namespace: envoy-gateway
154+
sectionName: http
155+
infraIR:
156+
envoy-gateway/gateway-btls:
157+
proxy:
158+
listeners:
159+
- address: null
160+
name: envoy-gateway/gateway-btls/http
161+
ports:
162+
- containerPort: 10080
163+
name: http-80
164+
protocol: HTTP
165+
servicePort: 80
166+
metadata:
167+
labels:
168+
gateway.envoyproxy.io/owning-gateway-name: gateway-btls
169+
gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
170+
name: envoy-gateway/gateway-btls
171+
xdsIR:
172+
envoy-gateway/gateway-btls:
173+
accessLog:
174+
text:
175+
- path: /dev/stdout
176+
http:
177+
- address: 0.0.0.0
178+
hostnames:
179+
- '*'
180+
isHTTP2: false
181+
metadata:
182+
kind: Gateway
183+
name: gateway-btls
184+
namespace: envoy-gateway
185+
sectionName: http
186+
name: envoy-gateway/gateway-btls/http
187+
path:
188+
escapedSlashesAction: UnescapeAndRedirect
189+
mergeSlashes: true
190+
port: 10080
191+
routes:
192+
- destination:
193+
name: httproute/envoy-gateway/httproute-btls-1/rule/0
194+
settings:
195+
- protocol: HTTP
196+
tls:
197+
alpnProtocols: null
198+
caCertificate:
199+
certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
200+
name: policy-btls/envoy-gateway-ca
201+
sni: example.com
202+
weight: 1
203+
directResponse:
204+
statusCode: 500
205+
hostname: '*'
206+
isHTTP2: false
207+
metadata:
208+
kind: HTTPRoute
209+
name: httproute-btls-1
210+
namespace: envoy-gateway
211+
name: httproute/envoy-gateway/httproute-btls-1/rule/0/match/0/*
212+
pathMatch:
213+
distinct: false
214+
exact: /exact-1
215+
name: ""
216+
- destination:
217+
name: httproute/envoy-gateway/httproute-btls-2/rule/0
218+
settings:
219+
- protocol: HTTP
220+
tls:
221+
alpnProtocols: null
222+
caCertificate:
223+
certificate: 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
224+
name: policy-btls/envoy-gateway-ca
225+
sni: example.com
226+
weight: 1
227+
directResponse:
228+
statusCode: 500
229+
hostname: '*'
230+
isHTTP2: false
231+
metadata:
232+
kind: HTTPRoute
233+
name: httproute-btls-2
234+
namespace: envoy-gateway
235+
name: httproute/envoy-gateway/httproute-btls-2/rule/0/match/0/*
236+
pathMatch:
237+
distinct: false
238+
exact: /exact-2
239+
name: ""

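--- a/release-notes/current.yaml
+++ b/release-notes/current.yaml
@@ -18,6 +18,7 @@ bug fixes: |
 The xDS translation failed when wasm http code source configured without a sha
 HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses
 Route with multiple parents has incorrect namespace in parentRef status
+BackendTlsPolicy specify multiple targetRefs of the same service, only one will work
 Helm chart fails for Flux HelmRelease
 
 # Enhancements that improve performance.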
