From dd4085f97bcf67e07073b854ed08a6ecf393df80 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Mon, 11 Sep 2023 15:53:43 -0400 Subject: [PATCH 1/6] Group indices by resource --- .../api-gateway/controllers/index.go | 29 +++++++++++-------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/control-plane/api-gateway/controllers/index.go b/control-plane/api-gateway/controllers/index.go index d18e2dec85..e44fa4e970 100644 --- a/control-plane/api-gateway/controllers/index.go +++ b/control-plane/api-gateway/controllers/index.go @@ -5,6 +5,7 @@ package controllers import ( "context" + "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" 
@@ -20,18 +21,22 @@ const ( // Naming convention: TARGET_REFERENCE. GatewayClass_GatewayClassConfigIndex = "__gatewayclass_referencing_gatewayclassconfig" GatewayClass_ControllerNameIndex = "__gatewayclass_controller_name" - Gateway_GatewayClassIndex = "__gateway_referencing_gatewayclass" - HTTPRoute_GatewayIndex = "__httproute_referencing_gateway" - HTTPRoute_ServiceIndex = "__httproute_referencing_service" - HTTPRoute_MeshServiceIndex = "__httproute_referencing_mesh_service" - TCPRoute_GatewayIndex = "__tcproute_referencing_gateway" - TCPRoute_ServiceIndex = "__tcproute_referencing_service" - TCPRoute_MeshServiceIndex = "__tcproute_referencing_mesh_service" - MeshService_PeerIndex = "__meshservice_referencing_peer" - Secret_GatewayIndex = "__secret_referencing_gateway" - HTTPRoute_RouteRetryFilterIndex = "__httproute_referencing_retryfilter" - HTTPRoute_RouteTimeoutFilterIndex = "__httproute_referencing_timeoutfilter" - Gatewaypolicy_GatewayIndex = "__gatewaypolicy_referencing_gateway" + + Gateway_GatewayClassIndex = "__gateway_referencing_gatewayclass" + + HTTPRoute_GatewayIndex = "__httproute_referencing_gateway" + HTTPRoute_ServiceIndex = "__httproute_referencing_service" + HTTPRoute_MeshServiceIndex = "__httproute_referencing_mesh_service" + HTTPRoute_RouteRetryFilterIndex = "__httproute_referencing_retryfilter" + HTTPRoute_RouteTimeoutFilterIndex = "__httproute_referencing_timeoutfilter" + + TCPRoute_GatewayIndex = "__tcproute_referencing_gateway" + TCPRoute_ServiceIndex = "__tcproute_referencing_service" + TCPRoute_MeshServiceIndex = "__tcproute_referencing_mesh_service" + + MeshService_PeerIndex = "__meshservice_referencing_peer" + Secret_GatewayIndex = "__secret_referencing_gateway" + Gatewaypolicy_GatewayIndex = "__gatewaypolicy_referencing_gateway" ) // RegisterFieldIndexes registers all of the field indexes for the API gateway controllers. From c15b4c7b2b810cfc3fa2e8635ef122593873441d Mon Sep 17 00:00:00 2001 
From: Thomas Eckert Date: Mon, 11 Sep 2023 16:19:31 -0400 Subject: [PATCH 2/6] Add index for HTTPRoutes referencing RouteAuthFilters --- control-plane/api-gateway/common/helpers.go | 2 +- control-plane/api-gateway/controllers/index.go | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/control-plane/api-gateway/common/helpers.go b/control-plane/api-gateway/common/helpers.go index f2ac883571..7bc7eb61b6 100644 --- a/control-plane/api-gateway/common/helpers.go +++ b/control-plane/api-gateway/common/helpers.go @@ -38,7 +38,7 @@ func FilterIsExternalFilter(filter gwv1beta1.HTTPRouteFilter) bool { } switch filter.ExtensionRef.Kind { - case v1alpha1.RouteRetryFilterKind, v1alpha1.RouteTimeoutFilterKind: + case v1alpha1.RouteRetryFilterKind, v1alpha1.RouteTimeoutFilterKind, v1alpha1.RouteAuthFilterKind: return true } diff --git a/control-plane/api-gateway/controllers/index.go b/control-plane/api-gateway/controllers/index.go index e44fa4e970..4bb5c5f666 100644 --- a/control-plane/api-gateway/controllers/index.go +++ b/control-plane/api-gateway/controllers/index.go @@ -29,6 +29,7 @@ const ( HTTPRoute_MeshServiceIndex = "__httproute_referencing_mesh_service" HTTPRoute_RouteRetryFilterIndex = "__httproute_referencing_retryfilter" HTTPRoute_RouteTimeoutFilterIndex = "__httproute_referencing_timeoutfilter" + HTTPRoute_RouteAuthFilterIndex = "__httproute_referencing_routeauthfilter" TCPRoute_GatewayIndex = "__tcproute_referencing_gateway" TCPRoute_ServiceIndex = "__tcproute_referencing_service" @@ -123,6 +124,11 @@ var indexes = []index{ target: &gwv1beta1.HTTPRoute{}, indexerFunc: filtersForHTTPRoute, }, + { + name: HTTPRoute_RouteAuthFilterIndex, + target: &gwv1beta1.HTTPRoute{}, + indexerFunc: filtersForHTTPRoute, + }, { name: Gatewaypolicy_GatewayIndex, target: &v1alpha1.GatewayPolicy{}, From 5e4526fef70c340e7ca02ce43904f68d1a846783 Mon Sep 17 00:00:00 2001 
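Review bot: The new `HTTPRoute_RouteAuthFilterIndex` entry in `indexes` reuses `filtersForHTTPRoute`, the same indexer as the entry just above it, so whether auth filter references reach this index depends on code outside the hunk. If that function selects filters through `FilterIsExternalFilter` (extended in helpers.go in this commit), the two changes must stay in step. If it matches kinds itself, RouteAuthFilter references would be missing from the index, so an edited auth filter would not requeue the gateway and the old JWT requirements would stay in force. A comment on the entry such as `// filtersForHTTPRoute indexes every external filter kind accepted by common.FilterIsExternalFilter`, plus an index test covering a RouteAuthFilter reference, would pin this down.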
From: Thomas Eckert Date: Mon, 11 Sep 2023 16:19:47 -0400 Subject: [PATCH 3/6] Add watch for HTTPRoutes referencing RouteAuthFilters --- .../api-gateway/controllers/gateway_controller.go | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/control-plane/api-gateway/controllers/gateway_controller.go b/control-plane/api-gateway/controllers/gateway_controller.go index 7f72a7778a..af15d7546f 100644 --- a/control-plane/api-gateway/controllers/gateway_controller.go +++ b/control-plane/api-gateway/controllers/gateway_controller.go @@ -477,7 +477,13 @@ func SetupGatewayControllerWithManager(ctx context.Context, mgr ctrl.Manager, co Watches( source.NewKindWithCache((&v1alpha1.RouteTimeoutFilter{}), mgr.GetCache()), handler.EnqueueRequestsFromMapFunc(r.transformRouteTimeoutFilter(ctx)), - ).Complete(r) + ). + Watches( + // Subscribe to changes in RouteAuthFilter custom resources referenced by HTTPRoutes. + source.NewKindWithCache((&v1alpha1.RouteAuthFilter{}), mgr.GetCache()), + handler.EnqueueRequestsFromMapFunc(r.transformRouteAuthFilter(ctx)), + ). + Complete(r) } // transformGatewayClass will check the list of GatewayClass objects for a matching @@ -628,6 +634,12 @@ func (r *GatewayController) transformRouteTimeoutFilter(ctx context.Context) fun } } +func (r *GatewayController) transformRouteAuthFilter(ctx context.Context) func(object client.Object) []reconcile.Request { + return func(o client.Object) []reconcile.Request { + return r.gatewaysForRoutesReferencing(ctx, "", HTTPRoute_RouteAuthFilterIndex, client.ObjectKeyFromObject(o).String()) + } +} + func (r *GatewayController) transformConsulTCPRoute(ctx context.Context) func(entry api.ConfigEntry) []types.NamespacedName { return func(entry api.ConfigEntry) []types.NamespacedName { parents := mapset.NewSet() From 9c5e7e529c01ec6e5abf1cd2c195e6e1df48e216 Mon Sep 17 00:00:00 2001 
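Review bot: `transformRouteAuthFilter` is added without a doc comment, and nothing in the hunk explains the bare `""` it passes as the second argument to `gatewaysForRoutesReferencing`. This mapping is what carries a changed auth policy to the gateways that enforce it, so I would document it, e.g. `// transformRouteAuthFilter returns reconcile requests for the gateways of HTTPRoutes that reference the changed RouteAuthFilter.`, and add a short inline comment on why the argument is empty. The lookup key is `client.ObjectKeyFromObject(o).String()`, which has to match the key format the indexer writes for `HTTPRoute_RouteAuthFilterIndex`. That indexer is outside this hunk, so please confirm the two agree.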
From: Thomas Eckert Date: Tue, 12 Sep 2023 14:55:43 -0400 Subject: [PATCH 4/6] Add permissions to connect-inject clusterrole --- charts/consul/templates/connect-inject-clusterrole.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/consul/templates/connect-inject-clusterrole.yaml b/charts/consul/templates/connect-inject-clusterrole.yaml index ef1e93adac..94542838c1 100644 --- a/charts/consul/templates/connect-inject-clusterrole.yaml +++ b/charts/consul/templates/connect-inject-clusterrole.yaml @@ -37,6 +37,7 @@ rules: - peeringdialers {{- end }} - jwtproviders + - routeauthfilters verbs: - create - delete @@ -65,6 +66,7 @@ rules: - peeringdialers/status {{- end }} - jwtproviders/status + - routeauthfilters/status verbs: - get - patch From a0e4a1deb405fbbf5e6db664f4bfda4653c87660 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Wed, 13 Sep 2023 11:07:19 -0400 Subject: [PATCH 5/6] Compare JWT filters for equality --- control-plane/api-gateway/common/diff.go | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/control-plane/api-gateway/common/diff.go b/control-plane/api-gateway/common/diff.go index fcb05eb6cc..b37b961247 100644 --- a/control-plane/api-gateway/common/diff.go +++ b/control-plane/api-gateway/common/diff.go @@ -219,7 +219,8 @@ func (e entryComparator) httpRouteRulesEqual(a, b api.HTTPRouteRule) bool { slices.EqualFunc(a.Matches, b.Matches, e.httpMatchesEqual) && slices.EqualFunc(a.Services, b.Services, e.httpServicesEqual) && bothNilOrEqualFunc(a.Filters.RetryFilter, b.Filters.RetryFilter, e.retryFiltersEqual) && - bothNilOrEqualFunc(a.Filters.TimeoutFilter, b.Filters.TimeoutFilter, e.timeoutFiltersEqual) + bothNilOrEqualFunc(a.Filters.TimeoutFilter, b.Filters.TimeoutFilter, e.timeoutFiltersEqual) && + bothNilOrEqualFunc(a.Filters.JWT, b.Filters.JWT, e.jwtFiltersEqual) } func (e entryComparator) httpServicesEqual(a, b api.HTTPService) bool { 
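Review bot: Adding `routeauthfilters` to this existing rule gives the connect-inject ClusterRole every verb in the shared list on a resource that defines route authentication. That list starts with `create` and `delete`; the rest of it is outside the hunk. In the commits shown here the controller only watches and reads RouteAuthFilter objects. If that holds for the rest of the code, a separate rule limited to `get`, `list` and `watch` would follow least privilege and keep a compromised controller from rewriting or removing auth filters. The `routeauthfilters/status` addition in the second hunk (`get`, `patch`) looks proportionate if the controller writes status conditions.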
@@ -269,6 +270,16 @@ func (e entryComparator) timeoutFiltersEqual(a, b api.TimeoutFilter) bool { return a.RequestTimeout == b.RequestTimeout && a.IdleTimeout == b.IdleTimeout } +// jwtFiltersEqual compares the contents of the list of providers on the JWT filters for a route, returning true if the +// filters have equal contents. +func (e entryComparator) jwtFiltersEqual(a, b api.JWTFilter) bool { + if len(a.Providers) != len(b.Providers) { + return false + } + + return slices.EqualFunc(a.Providers, b.Providers, providersEqual) +} + func tcpRoutesEqual(a, b *api.TCPRouteConfigEntry) bool { if a == nil || b == nil { return false From 43d62d38c103a510ad4c80d891b7f940dc64e05a Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Wed, 13 Sep 2023 13:42:22 -0400 Subject: [PATCH 6/6] Add RouteAuthFilter to resource translator --- control-plane/api-gateway/controllers/gateway_controller.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/control-plane/api-gateway/controllers/gateway_controller.go b/control-plane/api-gateway/controllers/gateway_controller.go index af15d7546f..e01b4b931f 100644 --- a/control-plane/api-gateway/controllers/gateway_controller.go +++ b/control-plane/api-gateway/controllers/gateway_controller.go @@ -895,6 +895,8 @@ func (c *GatewayController) filterFiltersForExternalRefs(ctx context.Context, ro externalFilter = &v1alpha1.RouteRetryFilter{} case v1alpha1.RouteTimeoutFilterKind: externalFilter = &v1alpha1.RouteTimeoutFilter{} + case v1alpha1.RouteAuthFilterKind: + externalFilter = &v1alpha1.RouteAuthFilter{} default: continue }
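Review bot: `jwtFiltersEqual` delegates to `providersEqual`, which is not defined in any hunk of this series, so what counts as equal for a JWT provider cannot be checked here. If it compares only the provider name, a change to a provider's claim requirements would be treated as no change and the updated policy would never be written to Consul. Please confirm it compares every field of the provider and add a test for that case. Separately, the `len(a.Providers) != len(b.Providers)` guard is redundant because `slices.EqualFunc` already returns false for slices of different length, so the body can be just `return slices.EqualFunc(a.Providers, b.Providers, providersEqual)`.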
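Review bot: The new `case v1alpha1.RouteAuthFilterKind` in `filterFiltersForExternalRefs` sends an authentication filter through the same lookup path as the retry and timeout filters, and what happens when that lookup fails is outside this hunk. For a retry or timeout filter a missing reference only degrades behaviour. For an auth filter, skipping it and still programming the route would expose the route without JWT verification. Please confirm that an unresolved RouteAuthFilter reference marks the route as invalid instead of dropping the filter, and consider a comment on the case such as `// auth filters must resolve; never program the route without them`. The function body starts and ends outside the hunk.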