[release/v1.2] cherry pick for v1.2.5 (#5029)

* fix: nil pointer error (#5000) * fix: nil pointer error Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> (cherry picked from commit 10a31f1) Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix: store one copy of HTTPRoute Extension Filters (#5002) * fix: store one copy of HTTPRoute Extension Filters Signed-off-by: Guy Daich <guy.daich@sap.com> * fix code review comments Signed-off-by: Guy Daich <guy.daich@sap.com> * check if httproutefilter crd exists Signed-off-by: Guy Daich <guy.daich@sap.com> --------- Signed-off-by: Guy Daich <guy.daich@sap.com> (cherry picked from commit 2a5ecaf) Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix: enable ipv4 compat mode for dual stack cluster support (#5018) enable ipv4 compat mode for dual stack cluster support Signed-off-by: Will Tekulve <tekulve.will@gmail.com> (cherry picked from commit e028254) Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix: explicitly set ip family and family policy in gateway spec (#5019) * explicitly set ip family and family policy Signed-off-by: Will Tekulve <tekulve.will@gmail.com> * add TestService cases Signed-off-by: Will Tekulve <tekulve.will@gmail.com> (cherry picked from commit 4d5d3f0) Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix: check before setting cookie TTL in sessionPersistence (#5026) * Check before setting Cookie TTL in Session Persistence Fixes a null ptr exception when the cookie ttl is nil but was being accessed without checking if its valid or not Signed-off-by: Arko Dasgupta <arko@tetrate.io> * simplify logic Signed-off-by: Arko Dasgupta <arko@tetrate.io> (cherry picked from commit dff0531) Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix: dont shift listener ports for Standalone mode (#5027) * fix: dont shift listener ports for Standalone mode Fixes: #4981 Signed-off-by: Arko Dasgupta <arko@tetrate.io> * test Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix lint Signed-off-by: Arko Dasgupta <arko@tetrate.io> --------- Signed-off-by: Arko Dasgupta <arko@tetrate.io> (cherry picked from commit 84f2ad2) Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix: shutdown-manager not respecting security context of container spec (#4938) * Fix shutdown-manager not respecting security context of container spec Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com> * Update securityContext testdata Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com> * Lint with gci Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com> --------- Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com> (cherry picked from commit 43621b4) Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix: use tls config from BTP when connecting to the OIDC provider's well-known endpoint. (#4857) * add e2e test for OIDC provider with TLS Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * delete file Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix lint Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * use TLS config from BTLPolicy to fetch auth endpoint Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * refactor Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * update release note Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * update release note Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix lint Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> (cherry picked from commit 3a39c35) Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Guy Daich <guy.daich@sap.com> Signed-off-by: Will Tekulve <tekulve.will@gmail.com> Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com> Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: Guy Daich <guy.daich@sap.com> Co-authored-by: Will Tekulve <tekulvw@users.noreply.github.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: Dean Coakley <dean.s.coakley@gmail.com>
envoyproxy · Jan 14, 2025 · 7ce8cbc · 7ce8cbc
1 parent 7854b27
commit 7ce8cbc
Show file tree

Hide file tree

Showing 47 changed files with 1,003 additions and 257 deletions.
diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go
@@ -249,25 +249,6 @@ func OwnerLabels(gateway *gwapiv1.Gateway, mergeGateways bool) map[string]string
 	return GatewayOwnerLabels(gateway.Namespace, gateway.Name)
 }
 
-// servicePortToContainerPort translates a service port into an ephemeral
-// container port.
-func servicePortToContainerPort(servicePort int32, envoyProxy *egv1a1.EnvoyProxy) int32 {
-	if envoyProxy != nil {
-		if !envoyProxy.NeedToSwitchPorts() {
-			return servicePort
-		}
-	}
-
-	// If the service port is a privileged port (1-1023)
-	// add a constant to the value converting it into an ephemeral port.
-	// This allows the container to bind to the port without needing a
-	// CAP_NET_BIND_SERVICE capability.
-	if servicePort < minEphemeralPort {
-		return servicePort + wellKnownPortShift
-	}
-	return servicePort
-}
-
 // computeHosts returns a list of intersecting listener hostnames and route hostnames
 // that don't intersect with other listener hostnames.
 func computeHosts(routeHostnames []string, listenerContext *ListenerContext) []string {

diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go
@@ -109,7 +109,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource
 
 			// Add the listener to the Xds IR
 			servicePort := &protocolPort{protocol: listener.Protocol, port: int32(listener.Port)}
-			containerPort := servicePortToContainerPort(int32(listener.Port), gateway.envoyProxy)
+			containerPort := t.servicePortToContainerPort(int32(listener.Port), gateway.envoyProxy)
 			switch listener.Protocol {
 			case gwapiv1.HTTPProtocolType, gwapiv1.HTTPSProtocolType:
 				irListener := &ir.HTTPListener{
@@ -554,3 +554,27 @@ func validCELExpression(expr string) bool {
 	_, issue := celEnv.Parse(expr)
 	return issue.Err() == nil
 }
+
+// servicePortToContainerPort translates a service port into an ephemeral
+// container port.
+func (t *Translator) servicePortToContainerPort(servicePort int32, envoyProxy *egv1a1.EnvoyProxy) int32 {
+	if t.ListenerPortShiftDisabled {
+		return servicePort
+	}
+
+	if envoyProxy != nil {
+		if !envoyProxy.NeedToSwitchPorts() {
+			return servicePort
+		}
+	}
+
+	// If the service port is a privileged port (1-1023)
+	// add a constant to the value converting it into an ephemeral port.
+	// This allows the container to bind to the port without needing a
+	// CAP_NET_BIND_SERVICE capability.
+	if servicePort < minEphemeralPort {
+		return servicePort + wellKnownPortShift
+	}
+
+	return servicePort
+}
diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go
@@ -144,14 +144,15 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
 			for _, resources := range *val {
 				// Translate and publish IRs.
 				t := &gatewayapi.Translator{
-					GatewayControllerName:   r.Server.EnvoyGateway.Gateway.ControllerName,
-					GatewayClassName:        gwapiv1.ObjectName(resources.GatewayClass.Name),
-					GlobalRateLimitEnabled:  r.EnvoyGateway.RateLimit != nil,
-					EnvoyPatchPolicyEnabled: r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy,
-					BackendEnabled:          r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableBackend,
-					Namespace:               r.Namespace,
-					MergeGateways:           gatewayapi.IsMergeGatewaysEnabled(resources),
-					WasmCache:               r.wasmCache,
+					GatewayControllerName:     r.Server.EnvoyGateway.Gateway.ControllerName,
+					GatewayClassName:          gwapiv1.ObjectName(resources.GatewayClass.Name),
+					GlobalRateLimitEnabled:    r.EnvoyGateway.RateLimit != nil,
+					EnvoyPatchPolicyEnabled:   r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy,
+					BackendEnabled:            r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableBackend,
+					Namespace:                 r.Namespace,
+					MergeGateways:             gatewayapi.IsMergeGatewaysEnabled(resources),
+					WasmCache:                 r.wasmCache,
+					ListenerPortShiftDisabled: r.EnvoyGateway.Provider != nil && r.EnvoyGateway.Provider.IsRunningOnHost(),
 				}
 
 				// If an extension is loaded, pass its supported groups/kinds to the translator

diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -6,6 +6,7 @@
 package gatewayapi
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -16,7 +17,9 @@ import (
 	"sort"
 	"strconv"
 	"strings"
+	"time"
 
+	"github.com/cenkalti/backoff/v4"
 	perr "github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -672,26 +675,17 @@ func (t *Translator) buildOIDCProvider(policy *egv1a1.SecurityPolicy, resources
 		protocol              ir.AppProtocol
 		rd                    *ir.RouteDestination
 		traffic               *ir.TrafficFeatures
+		providerTLS           *ir.TLSUpstreamConfig
 		err                   error
 	)
 
-	// Discover the token and authorization endpoints from the issuer's
-	// well-known url if not explicitly specified
-	if provider.TokenEndpoint == nil || provider.AuthorizationEndpoint == nil {
-		tokenEndpoint, authorizationEndpoint, err = fetchEndpointsFromIssuer(provider.Issuer)
-		if err != nil {
-			return nil, fmt.Errorf("error fetching endpoints from issuer: %w", err)
-		}
+	var u *url.URL
+	if provider.TokenEndpoint != nil {
+		u, err = url.Parse(*provider.TokenEndpoint)
 	} else {
-		tokenEndpoint = *provider.TokenEndpoint
-		authorizationEndpoint = *provider.AuthorizationEndpoint
+		u, err = url.Parse(provider.Issuer)
 	}
 
-	if err = validateTokenEndpoint(tokenEndpoint); err != nil {
-		return nil, err
-	}
-
-	u, err := url.Parse(tokenEndpoint)
 	if err != nil {
 		return nil, err
 	}
@@ -708,6 +702,32 @@ func (t *Translator) buildOIDCProvider(policy *egv1a1.SecurityPolicy, resources
 		}
 	}
 
+	if rd != nil {
+		for _, st := range rd.Settings {
+			if st.TLS != nil {
+				providerTLS = st.TLS
+				break
+			}
+		}
+	}
+
+	// Discover the token and authorization endpoints from the issuer's well-known url if not explicitly specified.
+	// EG assumes that the issuer url uses the same protocol and CA as the token endpoint.
+	// If we need to support different protocols or CAs, we need to add more fields to the OIDCProvider CRD.
+	if provider.TokenEndpoint == nil || provider.AuthorizationEndpoint == nil {
+		tokenEndpoint, authorizationEndpoint, err = fetchEndpointsFromIssuer(provider.Issuer, providerTLS)
+		if err != nil {
+			return nil, fmt.Errorf("error fetching endpoints from issuer: %w", err)
+		}
+	} else {
+		tokenEndpoint = *provider.TokenEndpoint
+		authorizationEndpoint = *provider.AuthorizationEndpoint
+	}
+
+	if err = validateTokenEndpoint(tokenEndpoint); err != nil {
+		return nil, err
+	}
+
 	if traffic, err = translateTrafficFeatures(provider.BackendSettings); err != nil {
 		return nil, err
 	}
@@ -764,18 +784,38 @@ type OpenIDConfig struct {
 	AuthorizationEndpoint string `json:"authorization_endpoint"`
 }
 
-func fetchEndpointsFromIssuer(issuerURL string) (string, string, error) {
-	// Fetch the OpenID configuration from the issuer URL
-	resp, err := http.Get(fmt.Sprintf("%s/.well-known/openid-configuration", issuerURL))
-	if err != nil {
-		return "", "", err
+func fetchEndpointsFromIssuer(issuerURL string, providerTLS *ir.TLSUpstreamConfig) (string, string, error) {
+	var (
+		tlsConfig *tls.Config
+		err       error
+	)
+
+	if providerTLS != nil {
+		if tlsConfig, err = providerTLS.ToTLSConfig(); err != nil {
+			return "", "", err
+		}
+	}
+
+	client := &http.Client{}
+	if tlsConfig != nil {
+		client.Transport = &http.Transport{
+			TLSClientConfig: tlsConfig,
+		}
 	}
-	defer resp.Body.Close()
 
 	// Parse the OpenID configuration response
 	var config OpenIDConfig
-	err = json.NewDecoder(resp.Body).Decode(&config)
-	if err != nil {
+	if err = backoff.Retry(func() error {
+		resp, err := client.Get(fmt.Sprintf("%s/.well-known/openid-configuration", issuerURL))
+		if err != nil {
+			return err
+		}
+		defer resp.Body.Close()
+		if err = json.NewDecoder(resp.Body).Decode(&config); err != nil {
+			return err
+		}
+		return nil
+	}, backoff.NewExponentialBackOff(backoff.WithMaxElapsedTime(5*time.Second))); err != nil {
 		return "", "", err
 	}
 
@@ -955,10 +995,16 @@ func backendRefAuthority(resources *resource.Resources, backendRef *gwapiv1.Back
 		}
 	}
 
-	return net.JoinHostPort(
-		fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace),
-		strconv.Itoa(int(*backendRef.Port)),
-	)
+	// Port is mandatory for Kubernetes services
+	if backendKind == resource.KindService {
+		return net.JoinHostPort(
+			fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace),
+			strconv.Itoa(int(*backendRef.Port)),
+		)
+	}
+
+	// Fallback to the backendRef name, normally it's a unix domain socket in this case
+	return fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace)
 }
 
 func (t *Translator) buildAuthorization(policy *egv1a1.SecurityPolicy) (*ir.Authorization, error) {

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml
@@ -107,6 +107,15 @@ backends:
         - fqdn:
             hostname: 'primary.foo.com'
             port: 3000
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-uds
+      namespace: default
+    spec:
+      endpoints:
+        - unix:
+            path: '/var/run/uds.sock'
 referenceGrants:
   - apiVersion: gateway.networking.k8s.io/v1alpha2
     kind: ReferenceGrant
@@ -179,7 +188,6 @@ securityPolicies:
       extAuth:
         http:
           backendRef:
-            name: backend-fqdn
+            name: backend-uds
             kind: Backend
             group: gateway.envoyproxy.io
-            port: 3000
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml
@@ -17,6 +17,23 @@ backends:
       reason: Accepted
       status: "True"
       type: Accepted
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: Backend
+  metadata:
+    creationTimestamp: null
+    name: backend-uds
+    namespace: default
+  spec:
+    endpoints:
+    - unix:
+        path: /var/run/uds.sock
+  status:
+    conditions:
+    - lastTransitionTime: null
+      message: The Backend was accepted
+      reason: Accepted
+      status: "True"
+      type: Accepted
 gateways:
 - apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway
@@ -322,8 +339,7 @@ securityPolicies:
         backendRef:
           group: gateway.envoyproxy.io
           kind: Backend
-          name: backend-fqdn
-          port: 3000
+          name: backend-uds
     targetRef:
       group: gateway.networking.k8s.io
       kind: HTTPRoute
@@ -530,14 +546,15 @@ xdsIR:
         security:
           extAuth:
             http:
-              authority: primary.foo.com:3000
+              authority: backend-uds.default
               destination:
                 name: securitypolicy/default/policy-for-http-route-3-http-backendref/extauth/0
                 settings:
-                - addressType: FQDN
+                - addressType: IP
                   endpoints:
-                  - host: primary.foo.com
-                    port: 3000
+                  - host: ""
+                    path: /var/run/uds.sock
+                    port: 0
                   protocol: HTTP
                   weight: 1
               path: ""

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml
@@ -99,3 +99,47 @@ securityPolicies:
       defaultTokenTTL: 30m
       refreshToken: true
       defaultRefreshTokenTTL: 24h
+configMaps:
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: ca-cmap
+    namespace: envoy-gateway
+  data:
+    ca.crt: |
+      -----BEGIN CERTIFICATE-----
+      MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL
+      BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw
+      MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G
+      A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc
+      1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM
+      yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b
+      kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU
+      Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq
+      ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR
+      bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48
+      6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/
+      BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz
+      2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J
+      i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE
+      A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg
+      d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1
+      3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q==
+      -----END CERTIFICATE-----
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+  kind: BackendTLSPolicy
+  metadata:
+    name: policy-btls-backend-fqdn
+    namespace: envoy-gateway
+  spec:
+    targetRefs:
+    - group: gateway.envoyproxy.io
+      kind: Backend
+      name: backend-fqdn
+    validation:
+      caCertificateRefs:
+      - name: ca-cmap
+        group: ''
+        kind: ConfigMap
+      hostname: oauth.foo.com