envoyproxy · zirain · Dec 6, 2024 · Nov 26, 2024 · Nov 26, 2024 · Nov 26, 2024
@@ -22,6 +22,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/yaml"
 
+	"github.com/envoyproxy/gateway/internal/gatewayapi/resource"
 	"github.com/envoyproxy/gateway/internal/utils/field"
 	"github.com/envoyproxy/gateway/internal/utils/file"
 )
@@ -368,8 +369,12 @@ func TestTranslate(t *testing.T) {
 			//	want.GatewayClass.Status.SupportedFeatures = status.GatewaySupportedFeatures
 			// }
 
-			opts := cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime")
-			require.Empty(t, cmp.Diff(want, got, opts))
+			opts := []cmp.Option{
+				cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"),
+				cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"),
+			}
+
+			require.Empty(t, cmp.Diff(want, got, opts...))
 		})
 	}
 }

@@ -32,7 +32,7 @@ func (t *Translator) processBackendTLSPolicy(
 	resources *resource.Resources,
 	envoyProxy *egv1a1.EnvoyProxy,
 ) (*ir.TLSUpstreamConfig, *gwapiv1a3.BackendTLSPolicy) {
-	policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace)
+	policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace, resources)
 	if policy == nil {
 		return nil, nil
 	}
@@ -157,13 +157,54 @@ func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2
 	return false
 }
 
-func getBackendTLSPolicy(policies []*gwapiv1a3.BackendTLSPolicy, backendRef gwapiv1a2.BackendObjectReference, backendNamespace string) *gwapiv1a3.BackendTLSPolicy {
+// getTargetBackendReferenceWithPortName returns the LocalPolicyTargetReference for the given BackendObjectReference,
+// and sets the sectionName to the port name if the BackendObjectReference is a Kubernetes Service.
+func getTargetBackendReferenceWithPortName(
+	backendRef gwapiv1a2.BackendObjectReference,
+	backendNamespace string,
+	resources *resource.Resources,
+) gwapiv1a2.LocalPolicyTargetReferenceWithSectionName {
+	ref := getTargetBackendReference(backendRef)
+	if ref.SectionName == nil {
+		return ref
+	}
+	if backendRef.Kind != nil && *backendRef.Kind != resource.KindService {
+		return ref
+	}
+
+	if service := resources.GetService(backendNamespace, string(backendRef.Name)); service != nil {
+		for _, port := range service.Spec.Ports {
+			if port.Port == int32(*backendRef.Port) {
+				if port.Name != "" {
+					ref.SectionName = SectionNamePtr(port.Name)
+				}
+			}
+		}
+	}
+
+	return ref
+}
+
+func getBackendTLSPolicy(
+	policies []*gwapiv1a3.BackendTLSPolicy,
+	backendRef gwapiv1a2.BackendObjectReference,
+	backendNamespace string,
+	resources *resource.Resources,
+) *gwapiv1a3.BackendTLSPolicy {
 	target := getTargetBackendReference(backendRef)
 	for _, policy := range policies {
 		if backendTLSTargetMatched(*policy, target, backendNamespace) {
 			return policy
 		}
 	}
+
+	// SectionName can be port name for Kubernetes Service
+	target = getTargetBackendReferenceWithPortName(backendRef, backendNamespace, resources)
+	for _, policy := range policies {
+		if backendTLSTargetMatched(*policy, target, backendNamespace) {
+			return policy
+		}
+	}
 	return nil
 }
 

@@ -13,6 +13,7 @@
 	corev1 "k8s.io/api/core/v1"
 	discoveryv1 "k8s.io/api/discovery/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/types"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 	gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3"
@@ -64,6 +65,8 @@
 	ExtensionServerPolicies []unstructured.Unstructured    `json:"extensionServerPolicies,omitempty" yaml:"extensionServerPolicies,omitempty"`
 	Backends                []*egv1a1.Backend              `json:"backends,omitempty" yaml:"backends,omitempty"`
 	HTTPRouteFilters        []*egv1a1.HTTPRouteFilter      `json:"httpFilters,omitempty" yaml:"httpFilters,omitempty"`
+
+	serviceMap map[types.NamespacedName]*corev1.Service
 }
 
 func NewResources() *Resources {
@@ -111,14 +114,20 @@
 	return nil
 }
 
+// GetService returns the Service with the given namespace and name.
+// This function creates a HashMap of Services for faster lookup when it's called for the first time.
+// Subsequent calls will use the HashMap for lookup.
+// Note:
+// - This function is not thread-safe.
+// - This function should be called after all the Services are added to the Resources.
 func (r *Resources) GetService(namespace, name string) *corev1.Service {
-	for _, svc := range r.Services {
-		if svc.Namespace == namespace && svc.Name == name {
-			return svc
+	if r.serviceMap == nil {
+		r.serviceMap = make(map[types.NamespacedName]*corev1.Service)
+		for _, svc := range r.Services {
+			r.serviceMap[types.NamespacedName{Namespace: svc.Namespace, Name: svc.Name}] = svc
 		}
 	}
-
-	return nil
+	return r.serviceMap[types.NamespacedName{Namespace: namespace, Name: name}]
 }
 
 func (r *Resources) GetServiceImport(namespace, name string) *mcsapiv1a1.ServiceImport {

@@ -123,7 +123,7 @@ backendTLSPolicies:
         - group: ""
           kind: Service
           name: http-backend
-          sectionName: "8080"
+          sectionName: http
       validation:
         caCertificateRefs:
           - name: ca-cmap

@@ -10,7 +10,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: http-backend
-      sectionName: "8080"
+      sectionName: http
     validation:
       caCertificateRefs:
       - group: ""

@@ -108,7 +108,7 @@ backendTLSPolicies:
         - group: ""
           kind: Service
           name: http-backend
-          sectionName: "8080"
+          sectionName: http
       validation:
         caCertificateRefs:
           - name: ca-secret

@@ -10,7 +10,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: http-backend
-      sectionName: "8080"
+      sectionName: http
     validation:
       caCertificateRefs:
       - group: ""

@@ -123,7 +123,7 @@ backendTLSPolicies:
         - group: ""
           kind: Service
           name: http-backend
-          sectionName: "8080"
+          sectionName: http
       validation:
         caCertificateRefs:
           - name: ca-cmap

@@ -10,7 +10,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: http-backend
-      sectionName: "8080"
+      sectionName: http
     validation:
       caCertificateRefs:
       - group: ""

@@ -167,7 +167,7 @@ backendTLSPolicies:
         - group: ""
           kind: Service
           name: http-backend
-          sectionName: "8080"
+          sectionName: http
         - group: gateway.envoyproxy.io
           kind: Backend
           name: backend-ip-tls

@@ -10,7 +10,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: http-backend
-      sectionName: "8080"
+      sectionName: http
     - group: gateway.envoyproxy.io
       kind: Backend
       name: backend-ip-tls

@@ -134,7 +134,7 @@ backendTLSPolicies:
         - group: ""
           kind: Service
           name: http-backend
-          sectionName: "8080"
+          sectionName: http
       validation:
         caCertificateRefs:
           - name: ca-cmap

@@ -10,7 +10,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: http-backend
-      sectionName: "8080"
+      sectionName: http
     validation:
       caCertificateRefs:
       - group: ""

@@ -105,7 +105,7 @@ backendTLSPolicies:
         - group: ""
           kind: Service
           name: http-backend
-          sectionName: "8080"
+          sectionName: http
       validation:
         caCertificateRefs:
           - name: no-ca-cmap

@@ -10,7 +10,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: http-backend
-      sectionName: "8080"
+      sectionName: http
     validation:
       caCertificateRefs:
       - group: ""

@@ -64,11 +64,11 @@ services:
       clusterIP: 10.11.12.13
       ports:
         - port: 8080
-          name: http
+          name: http1
           protocol: TCP
           targetPort: 8080
         - port: 8081
-          name: http
+          name: http2
           protocol: TCP
           targetPort: 8081
 
@@ -114,7 +114,7 @@ backendTLSPolicies:
         - group: ""
           kind: Service
           name: http-backend
-          sectionName: "8081"
+          sectionName: http2
       validation:
         caCertificateRefs:
           - name: ca-cmap

@@ -14,7 +14,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: http-backend
-      sectionName: "8081"
+      sectionName: http2
     validation:
       caCertificateRefs:
       - group: ""

@@ -98,7 +98,7 @@ backendTLSPolicies:
         - group: ""
           kind: Service
           name: http-backend
-          sectionName: "8080"
+          sectionName: http
       validation:
         wellKnownCACertificates: System
         hostname: example.com
@@ -10,7 +10,7 @@ backendTLSPolicies:
     - group: ""
       kind: Service
       name: http-backend
-      sectionName: "8080"
+      sectionName: http
     validation:
       hostname: example.com
       wellKnownCACertificates: System

@@ -320,11 +320,11 @@ func TestTranslate(t *testing.T) {
 
 			opts := []cmp.Option{
 				cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"),
+				cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"),
 				cmp.Transformer("ClearXdsEqual", xdsWithoutEqual),
 				cmpopts.IgnoreTypes(ir.PrivateBytes{}),
 				cmpopts.EquateEmpty(),
 			}
-
 			require.Empty(t, cmp.Diff(want, got, opts...))
 		})
 	}
@@ -519,8 +519,11 @@ func TestTranslateWithExtensionKinds(t *testing.T) {
 			want := &TranslateResult{}
 			mustUnmarshal(t, output, want)
 
-			opts := cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime")
-			require.Empty(t, cmp.Diff(want, got, opts))
+			opts := []cmp.Option{
+				cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"),
+				cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"),
+			}
+			require.Empty(t, cmp.Diff(want, got, opts...))
 		})
 	}
 }

@@ -20,6 +20,7 @@ bug fixes: |
   Fixed failed to update SecurityPolicy resources with the `backendRef` field specified
   Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes
   Fixed xDS translation failed when oidc tokenEndpoint and jwt remoteJWKS are specified in the same SecurityPolicy and using the same hostname
+  Fixed BackendTLSPolicy didn't support using port name as the sectionName in the targetRefs
 
 # Enhancements that improve performance.
 performance improvements: |

@@ -62,7 +62,8 @@ spec:
   selector:
     app: tls-backend
   ports:
-    - protocol: TCP
+    - name: https
+      protocol: TCP
       port: 443
       targetPort: 8443
 ---
@@ -137,7 +138,7 @@ spec:
     - group: ""
       kind: Service
       name: tls-backend
-      sectionName: "443"
+      sectionName: https
   validation:
     caCertificateRefs:
       - name: backend-tls-certificate

@@ -8,7 +8,7 @@ spec:
     - group: ""
       kind: Service
       name: tls-backend-2
-      sectionName: "443"
+      sectionName: https
   validation:
     caCertificateRefs:
       - name: backend-tls-checks-certificate
@@ -42,7 +42,8 @@ spec:
   selector:
     app: tls-backend-2
   ports:
-    - protocol: TCP
+    - name: https
+      protocol: TCP
       port: 443
       targetPort: 8443
 ---