create ds per envoyproxy

Signed-off-by: Huabing Zhao <[email protected]>

internal/gatewayapi/envoyextensionpolicy.go

@@ -410,8 +410,7 @@ func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resource
 	}
 
 	for idx, ep := range policy.Spec.ExtProc {
-		name := irConfigNameForExtProc(policy, idx)
-		extProcIR, err := t.buildExtProc(name, policy, ep, idx, resources, envoyProxy)
+		extProcIR, err := t.buildExtProc(policy, ep, idx, resources, envoyProxy)
 		if err != nil {
 			return nil, err
 		}
@@ -421,7 +420,6 @@ func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resource
 }
 
 func (t *Translator) buildExtProc(
-	name string,
 	policy *egv1a1.EnvoyExtensionPolicy,
 	extProc egv1a1.ExtProc,
 	extProcIdx int,
@@ -457,7 +455,7 @@ func (t *Translator) buildExtProc(
 	}
 
 	extProcIR := &ir.ExtProc{
-		Name:        name,
+		Name:        irConfigNameForExtProc(policy, extProcIdx, envoyProxy),
 		Destination: *rd,
 		Traffic:     traffic,
 		Authority:   authority,
@@ -494,11 +492,15 @@ func (t *Translator) buildExtProc(
 	return extProcIR, err
 }
 
-func irConfigNameForExtProc(policy *egv1a1.EnvoyExtensionPolicy, index int) string {
-	return fmt.Sprintf(
+func irConfigNameForExtProc(policy *egv1a1.EnvoyExtensionPolicy, index int, ep *egv1a1.EnvoyProxy) string {
+	name := fmt.Sprintf(
 		"%s/extproc/%s",
 		irConfigName(policy),
 		strconv.Itoa(index))
+	if ep != nil {
+		name = fmt.Sprintf("%s/%s", name, utils.NamespacedName(ep).String())
+	}
+	return name
 }
 
 func (t *Translator) buildWasms(

internal/gatewayapi/ext_service.go

@@ -67,7 +67,8 @@ func (t *Translator) translateExtServiceBackendRefs(
 	}
 
 	rs = &ir.RouteDestination{
-		Name:     irIndexedExtServiceDestinationName(pnn, policy.GetObjectKind().GroupVersionKind().Kind, configType, index),
+		Name:     irIndexedExtServiceDestinationName(
+			pnn, policy.GetObjectKind().GroupVersionKind().Kind, configType, index, envoyProxy),
 		Settings: ds,
 	}
 	return rs, nil
@@ -140,12 +141,23 @@ func (t *Translator) processExtServiceDestination(
 	return ds, nil
 }
 
-func irIndexedExtServiceDestinationName(policyNamespacedName types.NamespacedName, policyKind string, configType string, idx int) string {
-	return strings.ToLower(fmt.Sprintf(
+func irIndexedExtServiceDestinationName(
+	policyNamespacedName types.NamespacedName,
+	policyKind string, configType string,
+	idx int,
+	ep *egv1a1.EnvoyProxy) string {
+	name := strings.ToLower(fmt.Sprintf(
 		"%s/%s/%s/%s/%d",
 		policyKind,
 		policyNamespacedName.Namespace,
 		policyNamespacedName.Name,
 		configType,
 		idx))
+
+	// If the EnvoyProxy is set, append the EnvoyProxy name to the destination name because the generated destination
+	// setting is specific to the EnvoyProxy, such as the TLS settings and route type.
+	if ep != nil {
+		name = strings.ToLower(fmt.Sprintf("%s/%s", name, utils.NamespacedName(ep).String()))
+	}
+	return name
 }

internal/gatewayapi/helpers.go

@@ -540,6 +540,16 @@ func parseCIDR(cidr string) (*ir.CIDRMatch, error) {
 	}, nil
 }
 
+func irConfigNameWithEnvoyProxy(policy client.Object, ep *egv1a1.EnvoyProxy) string {
+	name := irConfigName(policy)
+	// If a config is associated with a cluster, the cluster settings are unique per EnvoyProxy,
+	// so include the EnvoyProxy name in the config name to avoid overwriting
+	if ep != nil {
+		name = fmt.Sprintf("%s/%s", name, utils.NamespacedName(ep).String())
+	}
+	return name
+}
+
 func irConfigName(policy client.Object) string {
 	return fmt.Sprintf(
 		"%s/%s",

internal/gatewayapi/securitypolicy.go

@@ -644,7 +644,7 @@ func (t *Translator) buildOIDC(
 	}
 
 	return &ir.OIDC{
-		Name:                   irConfigName(policy),
+		Name:                   irConfigNameWithEnvoyProxy(policy, envoyProxy),
 		Provider:               *provider,
 		ClientID:               oidc.ClientID,
 		ClientSecret:           clientSecretBytes,
@@ -913,7 +913,7 @@ func (t *Translator) buildExtAuth(
 		return nil, err
 	}
 	extAuth := &ir.ExtAuth{
-		Name:             irConfigName(policy),
+		Name:             irConfigNameWithEnvoyProxy(policy, envoyProxy),
 		HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth,
 		FailOpen:         policy.Spec.ExtAuth.FailOpen,
 		Traffic:          traffic,

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml

@@ -1,3 +1,11 @@
+envoyProxiesForGateways:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: EnvoyProxy
+    metadata:
+      namespace: default
+      name: test
+    spec:
+      routingType: Endpoint
 gateways:
 - apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway
@@ -6,6 +14,11 @@ gateways:
     name: gateway-1
   spec:
     gatewayClassName: envoy-gateway-class
+    infrastructure:
+      parametersRef:
+        group: gateway.envoyproxy.io
+        kind: EnvoyProxy
+        name: test
     listeners:
     - name: http
       protocol: HTTP

internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml

@@ -178,6 +178,11 @@ gateways:
     namespace: default
   spec:
     gatewayClassName: envoy-gateway-class
+    infrastructure:
+      parametersRef:
+        group: gateway.envoyproxy.io
+        kind: EnvoyProxy
+        name: test
     listeners:
     - allowedRoutes:
         namespaces:
@@ -290,6 +295,17 @@ httpRoutes:
 infraIR:
   default/gateway-1:
     proxy:
+      config:
+        apiVersion: gateway.envoyproxy.io/v1alpha1
+        kind: EnvoyProxy
+        metadata:
+          creationTimestamp: null
+          name: test
+          namespace: default
+        spec:
+          logging: {}
+          routingType: Endpoint
+        status: {}
       listeners:
       - address: null
         name: default/gateway-1/http
@@ -337,7 +353,7 @@ xdsIR:
           extProcs:
           - authority: grpc-backend.envoy-gateway:8000
             destination:
-              name: envoyextensionpolicy/default/policy-for-http-route/extproc/0
+              name: envoyextensionpolicy/default/policy-for-http-route/extproc/0/default/test
               settings:
               - addressType: IP
                 protocol: GRPC
@@ -372,7 +388,7 @@ xdsIR:
                     name: policy-btls-backend-ip/envoy-gateway-ca
                   sni: ip-backend
                 weight: 1
-            name: envoyextensionpolicy/default/policy-for-http-route/extproc/0
+            name: envoyextensionpolicy/default/policy-for-http-route/extproc/0/default/test
             traffic:
               backendConnection:
                 bufferLimit: 20971520

internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml

@@ -1,3 +1,11 @@
+envoyProxiesForGateways:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: EnvoyProxy
+    metadata:
+      namespace: default
+      name: test
+    spec:
+      routingType: Endpoint
 gateways:
   - apiVersion: gateway.networking.k8s.io/v1
     kind: Gateway
@@ -6,6 +14,11 @@ gateways:
       name: gateway-1
     spec:
       gatewayClassName: envoy-gateway-class
+      infrastructure:
+        parametersRef:
+          group: gateway.envoyproxy.io
+          kind: EnvoyProxy
+          name: test
       listeners:
         - name: http
           protocol: HTTP

internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml

@@ -72,6 +72,11 @@ gateways:
     namespace: default
   spec:
     gatewayClassName: envoy-gateway-class
+    infrastructure:
+      parametersRef:
+        group: gateway.envoyproxy.io
+        kind: EnvoyProxy
+        name: test
     listeners:
     - allowedRoutes:
         namespaces:
@@ -184,6 +189,17 @@ httpRoutes:
 infraIR:
   default/gateway-1:
     proxy:
+      config:
+        apiVersion: gateway.envoyproxy.io/v1alpha1
+        kind: EnvoyProxy
+        metadata:
+          creationTimestamp: null
+          name: test
+          namespace: default
+        spec:
+          logging: {}
+          routingType: Endpoint
+        status: {}
       listeners:
       - address: null
         name: default/gateway-1/http
@@ -322,7 +338,7 @@ xdsIR:
             grpc:
               authority: grpc-backend.default:9000
               destination:
-                name: securitypolicy/default/policy-for-http-route/extauth/0
+                name: securitypolicy/default/policy-for-http-route/extauth/0/default/test
                 settings:
                 - addressType: IP
                   endpoints:
@@ -339,7 +355,7 @@ xdsIR:
             headersToExtAuth:
             - header1
             - header2
-            name: securitypolicy/default/policy-for-http-route
+            name: securitypolicy/default/policy-for-http-route/default/test
       - destination:
           name: httproute/default/httproute-2/rule/0
           settings:
@@ -366,7 +382,7 @@ xdsIR:
             http:
               authority: http-backend.envoy-gateway:80
               destination:
-                name: securitypolicy/default/policy-for-gateway/extauth/0
+                name: securitypolicy/default/policy-for-gateway/extauth/0/default/test
                 settings:
                 - addressType: IP
                   endpoints:
@@ -384,4 +400,4 @@ xdsIR:
               - header1
               - header2
               path: /auth
-            name: securitypolicy/default/policy-for-gateway
+            name: securitypolicy/default/policy-for-gateway/default/test

internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml

@@ -13,6 +13,14 @@ secrets:
     name: envoy-oidc-hmac
   data:
     hmac-secret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY=
+envoyProxiesForGateways:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: EnvoyProxy
+    metadata:
+      namespace: envoy-gateway
+      name: test
+    spec:
+      routingType: Endpoint
 gateways:
 - apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway
@@ -21,6 +29,11 @@ gateways:
     name: gateway-1
   spec:
     gatewayClassName: envoy-gateway-class
+    infrastructure:
+      parametersRef:
+        group: gateway.envoyproxy.io
+        kind: EnvoyProxy
+        name: test
     listeners:
     - name: http
       protocol: HTTP

internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml

@@ -26,6 +26,11 @@ gateways:
     namespace: envoy-gateway
   spec:
     gatewayClassName: envoy-gateway-class
+    infrastructure:
+      parametersRef:
+        group: gateway.envoyproxy.io
+        kind: EnvoyProxy
+        name: test
     listeners:
     - allowedRoutes:
         namespaces:
@@ -100,6 +105,17 @@ httpRoutes:
 infraIR:
   envoy-gateway/gateway-1:
     proxy:
+      config:
+        apiVersion: gateway.envoyproxy.io/v1alpha1
+        kind: EnvoyProxy
+        metadata:
+          creationTimestamp: null
+          name: test
+          namespace: envoy-gateway
+        spec:
+          logging: {}
+          routingType: Endpoint
+        status: {}
       listeners:
       - address: null
         name: envoy-gateway/gateway-1/http
@@ -224,11 +240,11 @@ xdsIR:
             forwardAccessToken: true
             hmacSecret: '[redacted]'
             logoutPath: /bar/logout
-            name: securitypolicy/envoy-gateway/policy-for-gateway
+            name: securitypolicy/envoy-gateway/policy-for-gateway/envoy-gateway/test
             provider:
               authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
               destination:
-                name: securitypolicy/envoy-gateway/policy-for-gateway/oidc/0
+                name: securitypolicy/envoy-gateway/policy-for-gateway/oidc/0/envoy-gateway/test
                 settings:
                 - addressType: FQDN
                   endpoints: