Commit bebede5

authored
Fix backendRef Provider processing for extAuth/OIDC (#6612)
* fix backendRefs processing for extAuth Signed-off-by: zirain <[email protected]> * add tests Signed-off-by: zirain <[email protected]> * fix Signed-off-by: zirain <[email protected]> * address comment Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]>
1 parent b99c49a commit bebede5

5 files changed

+1172
-37
lines changed

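--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,237 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+namespace: default
+name: gateway-1
+spec:
+gatewayClassName: envoy-gateway-class
+listeners:
+- name: http
+protocol: HTTP
+port: 80
+allowedRoutes:
+namespaces:
+from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+namespace: default
+name: httproute-1
+spec:
+hostnames:
+- www.foo.com
+parentRefs:
+- namespace: default
+name: gateway-1
+sectionName: http
+rules:
+- matches:
+- path:
+value: /foo1
+backendRefs:
+- name: service-1
+port: 8080
+- matches:
+- path:
+value: /foo2
+backendRefs:
+- name: service-2
+port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+namespace: default
+name: httproute-2
+spec:
+hostnames:
+- www.bar.com
+parentRefs:
+- namespace: default
+name: gateway-1
+sectionName: http
+rules:
+- matches:
+- path:
+value: /bar
+backendRefs:
+- name: service-3
+port: 8080
+services:
+- apiVersion: v1
+kind: Service
+metadata:
+namespace: envoy-gateway
+name: http-backend
+spec:
+ports:
+- port: 80
+name: http
+protocol: TCP
+- apiVersion: v1
+kind: Service
+metadata:
+namespace: envoy-gateway
+name: http-backend2
+spec:
+ports:
+- port: 80
+name: http
+protocol: TCP
+- apiVersion: v1
+kind: Service
+metadata:
+namespace: default
+name: grpc-backend
+spec:
+ports:
+- port: 9000
+name: grpc
+protocol: TCP
+- apiVersion: v1
+kind: Service
+metadata:
+namespace: default
+name: grpc-backend2
+spec:
+ports:
+- port: 9000
+name: grpc
+protocol: TCP
+endpointSlices:
+- apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+name: endpointslice-http-backend
+namespace: envoy-gateway
+labels:
+kubernetes.io/service-name: http-backend
+addressType: IPv4
+ports:
+- name: http
+protocol: TCP
+port: 80
+endpoints:
+- addresses:
+- 7.7.7.7
+conditions:
+ready: true
+- apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+name: endpointslice-http-backend2
+namespace: envoy-gateway
+labels:
+kubernetes.io/service-name: http-backend
+addressType: IPv4
+ports:
+- name: http
+protocol: TCP
+port: 80
+endpoints:
+- addresses:
+- 7.7.7.8
+conditions:
+ready: true
+- apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+name: endpointslice-grpc-backend
+namespace: default
+labels:
+kubernetes.io/service-name: grpc-backend
+addressType: IPv4
+ports:
+- name: grpc
+protocol: TCP
+port: 9000
+endpoints:
+- addresses:
+- 8.8.8.8
+conditions:
+ready: true
+- apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+name: endpointslice-grpc-backend2
+namespace: default
+labels:
+kubernetes.io/service-name: grpc-backend2
+addressType: IPv4
+ports:
+- name: grpc
+protocol: TCP
+port: 9000
+endpoints:
+- addresses:
+- 8.8.8.9
+conditions:
+ready: true
+referenceGrants:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: ReferenceGrant
+metadata:
+namespace: envoy-gateway
+name: referencegrant-1
+spec:
+from:
+- group: gateway.envoyproxy.io
+kind: SecurityPolicy
+namespace: default
+to:
+- group: ""
+kind: Service
+securityPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+namespace: default
+name: policy-for-http-route-1
+spec:
+targetRef:
+group: gateway.networking.k8s.io
+kind: HTTPRoute
+name: httproute-1
+extAuth:
+failOpen: true
+headersToExtAuth:
+- header1
+- header2
+grpc:
+backendRefs:
+- name: grpc-backend
+port: 9000
+- name: grpc-backend2
+port: 9000
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+namespace: default
+# This will only apply to the httproute-2
+name: policy-for-gateway-1
+spec:
+targetRef:
+group: gateway.networking.k8s.io
+kind: Gateway
+name: gateway-1
+extAuth:
+failOpen: false
+http:
+backendRefs:
+- Name: http-backend
+Namespace: envoy-gateway
+Port: 80
+- Name: http-backend2
+Namespace: envoy-gateway
+Port: 80
+Path: /auth
+headersToBackend:
+- header1
+- header2
+backendSettings:
+circuitBreaker:
+maxConnections: 30001
+maxParallelRequests: 1022
+maxParallelRetries: 1023
+maxPendingRequests: 1024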
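Review bot: The EndpointSlice `endpointslice-http-backend2` is labelled `kubernetes.io/service-name: http-backend`, so the Service `http-backend2` named by the second HTTP extAuth backendRef has no slice of its own, whereas the slice for `grpc-backend2` carries its own service name. If endpoints are resolved through that label, 7.7.7.8 is attributed to `http-backend`, and the fixture then does not show that the second backendRef of the `failOpen: false` Gateway policy produces its own destination, which is the behaviour this commit is meant to fix. I would change the label to `kubernetes.io/service-name: http-backend2`. Separately, the HTTP backendRefs use capitalised keys (`Name`, `Namespace`, `Port`, `Path`) that presumably decode only because the test loader matches field names case-insensitively; lower-case keys, as in the gRPC policy, would keep the fixture valid under strict field validation.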
