fix override issue for EEP (envoyproxy#3881)

* add test for empty policies

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* add test for eep

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* add teset for eep

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* fix eep override issue

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

internal/gatewayapi/envoyextensionpolicy.go

@@ -351,8 +351,10 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(
 			if irListener != nil {
 				for _, r := range irListener.Routes {
 					if strings.HasPrefix(r.Name, prefix) {
-						r.ExtProcs = extProcs
-						r.Wasms = wasms
+						r.EnvoyExtensions = &ir.EnvoyExtensionFeatures{
+							ExtProcs: extProcs,
+							Wasms:    wasms,
+						}
 					}
 				}
 			}
@@ -405,16 +407,13 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway(
 		// targeting a lesser specific scope(Gateway).
 		for _, r := range http.Routes {
 			// if already set - there's a route level policy, so skip
-			if r.ExtProcs != nil ||
-				r.Wasms != nil {
+			if r.EnvoyExtensions != nil {
 				continue
 			}
 
-			if r.ExtProcs == nil {
-				r.ExtProcs = extProcs
-			}
-			if r.Wasms == nil {
-				r.Wasms = wasms
+			r.EnvoyExtensions = &ir.EnvoyExtensionFeatures{
+				ExtProcs: extProcs,
+				Wasms:    wasms,
 			}
 		}
 	}

internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml

@@ -174,6 +174,7 @@ xdsIR:
           - weight: 1
         directResponse:
           statusCode: 500
+        envoyExtensions: {}
         hostname: '*'
         isHTTP2: false
         metadata:

internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.in.yaml

@@ -52,6 +52,25 @@ httpRoutes:
       backendRefs:
       - name: service-1
         port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-3
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/baz"
+      backendRefs:
+      - name: service-1
+        port: 8080
 backendTrafficPolicies:
 - apiVersion: gateway.envoyproxy.io/v1alpha1
   kind: BackendTrafficPolicy
@@ -85,3 +104,13 @@ backendTrafficPolicies:
       type: ConsistentHash
       consistentHash:
         type: SourceIP
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: BackendTrafficPolicy
+  metadata:
+    namespace: default
+    name: policy-for-route-3
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-3

internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.out.yaml

@@ -29,6 +29,32 @@ backendTrafficPolicies:
         status: "True"
         type: Accepted
       controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: BackendTrafficPolicy
+  metadata:
+    creationTimestamp: null
+    name: policy-for-route-3
+    namespace: default
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-3
+  status:
+    ancestors:
+    - ancestorRef:
+        group: gateway.networking.k8s.io
+        kind: Gateway
+        name: gateway-1
+        namespace: envoy-gateway
+        sectionName: http
+      conditions:
+      - lastTransitionTime: null
+        message: Policy has been accepted.
+        reason: Accepted
+        status: "True"
+        type: Accepted
+      controllerName: gateway.envoyproxy.io/gatewayclass-controller
 - apiVersion: gateway.envoyproxy.io/v1alpha1
   kind: BackendTrafficPolicy
   metadata:
@@ -63,7 +89,7 @@ backendTrafficPolicies:
         type: Accepted
       - lastTransitionTime: null
         message: 'This policy is being overridden by other backendTrafficPolicies
-          for these routes: [default/httproute-1]'
+          for these routes: [default/httproute-1 default/httproute-3]'
         reason: Overridden
         status: "True"
         type: Overridden
@@ -86,7 +112,7 @@ gateways:
       protocol: HTTP
   status:
     listeners:
-    - attachedRoutes: 2
+    - attachedRoutes: 3
       conditions:
       - lastTransitionTime: null
         message: Sending translated listener configuration to the data plane
@@ -186,6 +212,44 @@ httpRoutes:
         name: gateway-1
         namespace: envoy-gateway
         sectionName: http
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    creationTimestamp: null
+    name: httproute-3
+    namespace: default
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - name: gateway-1
+      namespace: envoy-gateway
+      sectionName: http
+    rules:
+    - backendRefs:
+      - name: service-1
+        port: 8080
+      matches:
+      - path:
+          value: /baz
+  status:
+    parents:
+    - conditions:
+      - lastTransitionTime: null
+        message: Route is accepted
+        reason: Accepted
+        status: "True"
+        type: Accepted
+      - lastTransitionTime: null
+        message: Resolved all the Object references for the Route
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
+      controllerName: gateway.envoyproxy.io/gatewayclass-controller
+      parentRef:
+        name: gateway-1
+        namespace: envoy-gateway
+        sectionName: http
 infraIR:
   envoy-gateway/gateway-1:
     proxy:
@@ -276,3 +340,24 @@ xdsIR:
               maxConnectionDuration: 22s
             tcp:
               connectTimeout: 20s
+      - destination:
+          name: httproute/default/httproute-3/rule/0
+          settings:
+          - addressType: IP
+            endpoints:
+            - host: 7.7.7.7
+              port: 8080
+            protocol: HTTP
+            weight: 1
+        hostname: gateway.envoyproxy.io
+        isHTTP2: false
+        metadata:
+          kind: HTTPRoute
+          name: httproute-3
+          namespace: default
+        name: httproute/default/httproute-3/rule/0/match/0/gateway_envoyproxy_io
+        pathMatch:
+          distinct: false
+          name: ""
+          prefix: /baz
+        traffic: {}

internal/gatewayapi/testdata/custom-filter-order.out.yaml

@@ -246,6 +246,30 @@ xdsIR:
           - weight: 1
         directResponse:
           statusCode: 500
+        envoyExtensions:
+          wasms:
+          - config:
+              parameter1:
+                key1: value1
+                key2: value2
+              parameter2: value3
+            failOpen: false
+            httpWasmCode:
+              originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm
+              servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm
+              sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5
+            name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0
+            wasmName: wasm-filter-1
+          - config:
+              parameter1: value1
+              parameter2: value2
+            failOpen: false
+            httpWasmCode:
+              originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm
+              servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm
+              sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980
+            name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1
+            wasmName: wasm-filter-2
         hostname: www.example.com
         isHTTP2: false
         metadata:
@@ -292,26 +316,3 @@ xdsIR:
               name: example2
               remoteJWKS:
                 uri: http://two.example.com/jwt/public-key/jwks.json
-        wasm:
-        - config:
-            parameter1:
-              key1: value1
-              key2: value2
-            parameter2: value3
-          failOpen: false
-          httpWasmCode:
-            originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm
-            servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm
-            sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5
-          name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0
-          wasmName: wasm-filter-1
-        - config:
-            parameter1: value1
-            parameter2: value2
-          failOpen: false
-          httpWasmCode:
-            originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm
-            servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm
-            sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980
-          name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1
-          wasmName: wasm-filter-2

internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.in.yaml

@@ -73,6 +73,25 @@ httpRoutes:
       backendRefs:
       - name: service-1
         port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-3
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/baz"
+      backendRefs:
+      - name: service-1
+        port: 8080
 envoyExtensionPolicies:
 - apiVersion: gateway.envoyproxy.io/v1alpha1
   kind: EnvoyExtensionPolicy
@@ -102,3 +121,13 @@ envoyExtensionPolicies:
     - backendRefs:
       - name: grpc-backend-2
         port: 8000
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: EnvoyExtensionPolicy
+  metadata:
+    namespace: default
+    name: policy-for-route-3
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-3