Send attributes of source workload to remote peer (#609)

Signed-off-by: Ziv Nevo <nevo@il.ibm.com>
clusterlink-net · May 26, 2024 · 1aa5bca · 1aa5bca
1 parent 3e93041
commit 1aa5bca
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 7 deletions.
diff --git a/pkg/controlplane/api/authz.go b/pkg/controlplane/api/authz.go
@@ -13,7 +13,10 @@
 
 package api
 
-import "github.com/lestrrat-go/jwx/jwa"
+import (
+	"github.com/clusterlink-net/clusterlink/pkg/controlplane/authz/connectivitypdp"
+	"github.com/lestrrat-go/jwx/jwa"
+)
 
 const (
 	// RemotePeerAuthorizationPath is the path remote peers use to send an authorization request.
@@ -50,6 +53,8 @@ type AuthorizationRequest struct {
 	ServiceName string
 	// ServiceNamespace is the namespace of the requested exported service.
 	ServiceNamespace string
+	// Attributes of the source workload, to be used by the PDP on the remote peer
+	SrcAttributes connectivitypdp.WorkloadAttrs
 }
 
 // AuthorizationResponse represents a response for a successful AuthorizationRequest.

diff --git a/pkg/controlplane/authz/manager.go b/pkg/controlplane/authz/manager.go
@@ -71,6 +71,8 @@ type egressAuthorizationResponse struct {
 type ingressAuthorizationRequest struct {
 	// Service is the name of the requested exported service.
 	ServiceName types.NamespacedName
+	// Attributes of the source workload, to be used by the PDP on the remote peer
+	SrcAttributes connectivitypdp.WorkloadAttrs
 }
 
 // ingressAuthorizationResponse (from remote peer controlplane) represents a response for an ingressAuthorizationRequest.
@@ -263,6 +265,7 @@ func (m *Manager) authorizeEgress(ctx context.Context, req *egressAuthorizationR
 		peerResp, err := cl.Authorize(&cpapi.AuthorizationRequest{
 			ServiceName:      DstName,
 			ServiceNamespace: DstNamespace,
+			SrcAttributes:    srcAttributes,
 		})
 		if err != nil {
 			m.logger.Infof("Unable to get access token from peer: %v", err)
@@ -322,7 +325,6 @@ func (m *Manager) parseAuthorizationHeader(token string) (string, error) {
 func (m *Manager) authorizeIngress(
 	ctx context.Context,
 	req *ingressAuthorizationRequest,
-	pr string,
 ) (*ingressAuthorizationResponse, error) {
 	m.logger.Infof("Received ingress authorization request: %v.", req)
 
@@ -344,13 +346,12 @@ func (m *Manager) authorizeIngress(
 
 	resp.ServiceExists = true
 
-	srcAttributes := connectivitypdp.WorkloadAttrs{GatewayNameLabel: pr}
 	dstAttributes := connectivitypdp.WorkloadAttrs{
 		ServiceNameLabel:      req.ServiceName.Name,
 		ServiceNamespaceLabel: req.ServiceName.Namespace,
 		GatewayNameLabel:      m.peerName,
 	}
-	decision, err := m.connectivityPDP.Decide(srcAttributes, dstAttributes, req.ServiceName.Namespace)
+	decision, err := m.connectivityPDP.Decide(req.SrcAttributes, dstAttributes, req.ServiceName.Namespace)
 	if err != nil {
 		return nil, fmt.Errorf("error deciding on an ingress connection: %w", err)
 	}

diff --git a/pkg/controlplane/authz/server.go b/pkg/controlplane/authz/server.go
@@ -141,16 +141,15 @@ func (s *server) PeerAuthorize(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	peerName := r.TLS.PeerCertificates[0].DNSNames[0]
 	resp, err := s.manager.authorizeIngress(
 		r.Context(),
 		&ingressAuthorizationRequest{
 			ServiceName: types.NamespacedName{
 				Namespace: req.ServiceNamespace,
 				Name:      req.ServiceName,
 			},
-		},
-		peerName)
+			SrcAttributes: req.SrcAttributes,
+		})
 	switch {
 	case err != nil:
 		http.Error(w, err.Error(), http.StatusInternalServerError)