fix: existing clusters and secretes

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
envoyproxy · Nov 13, 2024 · bd01257 · bd01257
1 parent ec56a83
commit bd01257
Show file tree

Hide file tree

Showing 15 changed files with 361 additions and 55 deletions.
diff --git a/internal/xds/translator/accesslog.go b/internal/xds/translator/accesslog.go
@@ -6,7 +6,6 @@
 package translator
 
 import (
-	"errors"
 	"sort"
 	"strings"
 
@@ -545,7 +544,7 @@ func processClusterForAccessLog(tCtx *types.ResourceVersionTable, al *ir.AccessL
 			backendConnection: traffic.BackendConnection,
 			dns:               traffic.DNS,
 			http2Settings:     traffic.HTTP2,
-		}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
+		}); err != nil {
 			return err
 		}
 	}
@@ -573,7 +572,7 @@ func processClusterForAccessLog(tCtx *types.ResourceVersionTable, al *ir.AccessL
 			backendConnection: traffic.BackendConnection,
 			dns:               traffic.DNS,
 			http2Settings:     traffic.HTTP2,
-		}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
+		}); err != nil {
 			return err
 		}
 	}

diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
@@ -226,14 +226,12 @@ func (*extAuth) patchResources(tCtx *types.ResourceVersionTable,
 		}
 		if route.Security.ExtAuth.HTTP != nil {
 			if err := createExtServiceXDSCluster(
-				&route.Security.ExtAuth.HTTP.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil && !errors.Is(
-				err, ErrXdsClusterExists) {
+				&route.Security.ExtAuth.HTTP.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil {
 				errs = errors.Join(errs, err)
 			}
 		} else {
 			if err := createExtServiceXDSCluster(
-				&route.Security.ExtAuth.GRPC.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil && !errors.Is(
-				err, ErrXdsClusterExists) {
+				&route.Security.ExtAuth.GRPC.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil {
 				errs = errors.Join(errs, err)
 			}
 		}

diff --git a/internal/xds/translator/extproc.go b/internal/xds/translator/extproc.go
@@ -173,8 +173,7 @@ func (*extProc) patchResources(tCtx *types.ResourceVersionTable,
 		for i := range route.EnvoyExtensions.ExtProcs {
 			ep := route.EnvoyExtensions.ExtProcs[i]
 			if err := createExtServiceXDSCluster(
-				&ep.Destination, ep.Traffic, tCtx); err != nil && !errors.Is(
-				err, ErrXdsClusterExists) {
+				&ep.Destination, ep.Traffic, tCtx); err != nil {
 				errs = errors.Join(errs, err)
 			}
 		}

diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go
@@ -310,8 +310,7 @@ func createOAuthServerClusters(tCtx *types.ResourceVersionTable,
 		// If the OIDC provider has a destination, use it.
 		if oidc.Provider.Destination != nil && len(oidc.Provider.Destination.Settings) > 0 {
 			if err := createExtServiceXDSCluster(
-				oidc.Provider.Destination, oidc.Provider.Traffic, tCtx); err != nil && !errors.Is(
-				err, ErrXdsClusterExists) {
+				oidc.Provider.Destination, oidc.Provider.Traffic, tCtx); err != nil {
 				errs = errors.Join(errs, err)
 			}
 		} else {
@@ -372,11 +371,7 @@ func createOAuth2TokenEndpointCluster(tCtx *types.ResourceVersionTable,
 		clusterArgs.tSocket = tSocket
 	}
 
-	if err = addXdsCluster(tCtx, clusterArgs); err != nil && !errors.Is(err, ErrXdsClusterExists) {
-		return err
-	}
-
-	return err
+	return addXdsCluster(tCtx, clusterArgs)
 }
 
 // createOAuth2Secrets creates OAuth2 client and HMAC secrets from the provided

diff --git a/internal/xds/translator/ratelimit.go b/internal/xds/translator/ratelimit.go
@@ -7,7 +7,6 @@ package translator
 
 import (
 	"bytes"
-	"errors"
 	"net/url"
 	"strconv"
 	"strings"
@@ -492,17 +491,13 @@ func (t *Translator) createRateLimitServiceCluster(tCtx *types.ResourceVersionTa
 		return err
 	}
 
-	if err := addXdsCluster(tCtx, &xdsClusterArgs{
+	return addXdsCluster(tCtx, &xdsClusterArgs{
 		name:         clusterName,
 		settings:     []*ir.DestinationSetting{ds},
 		tSocket:      tSocket,
 		endpointType: EndpointTypeDNS,
 		metrics:      metrics,
-	}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
-		return err
-	}
-
-	return nil
+	})
 }
 
 func getRouteRuleDescriptor(ruleIndex, matchIndex int) string {

diff --git a/internal/xds/translator/testdata/in/xds-ir/securitypolicy-with-oidc-jwt-authz.yaml b/internal/xds/translator/testdata/in/xds-ir/securitypolicy-with-oidc-jwt-authz.yaml
@@ -0,0 +1,80 @@
+http:
+- name: "envoy-gateway/gateway-1/http"
+  address: 0.0.0.0
+  hostnames:
+  - '*'
+  isHTTP2: false
+  metadata:
+    kind: Gateway
+    name: gateway-1
+    namespace: envoy-gateway
+    sectionName: http
+  path:
+    escapedSlashesAction: UnescapeAndRedirect
+    mergeSlashes: true
+  port: 10080
+  routes:
+  - destination:
+      name: httproute/default/httproute-1/rule/0
+      settings:
+      - addressType: IP
+        endpoints:
+        - host: 7.7.7.7
+          port: 8080
+        protocol: HTTP
+        weight: 1
+    hostname: www.example.com
+    isHTTP2: false
+    metadata:
+      kind: HTTPRoute
+      name: httproute-1
+      namespace: default
+    name: httproute/default/httproute-1/rule/0/match/0/www_example_com
+    pathMatch:
+      distinct: false
+      name: ""
+      prefix: /foo
+    security:
+      authorization:
+        defaultAction: Deny
+        rules:
+        - action: Allow
+          name: allow
+          principal:
+            jwt:
+              claims:
+              - name: groups
+                valueType: StringArray
+                values:
+                - foobar
+              provider: exjwt
+      jwt:
+        providers:
+        - claimToHeaders:
+          - claim: email
+            header: x-user-email
+          extractFrom:
+            cookies:
+            - IdToken
+          issuer: https://oidc.example.com/auth/realms/example
+          name: exjwt
+          remoteJWKS:
+            uri: https://oidc.example.com/auth/realms/example/protocol/openid-connect/certs
+      oidc:
+        clientID: prometheus
+        clientSecret: '[redacted]'
+        cookieNameOverrides:
+          idToken: IdToken
+        cookieSuffix: 5f93c2e4
+        hmacSecret: '[redacted]'
+        logoutPath: /logout
+        name: securitypolicy/default/policy-for-http-route
+        provider:
+          authorizationEndpoint: https://oidc.example.com/authorize
+          tokenEndpoint: https://oidc.example.com/oauth/token
+        redirectPath: /oauth2/callback
+        redirectURL: '%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback'
+        scopes:
+        - openid
+        - email
+        - profile
diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml
@@ -0,0 +1,54 @@
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig:
+    localityWeightedLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_ONLY
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: httproute/default/httproute-1/rule/0
+  ignoreHealthOnHostRemoval: true
+  lbPolicy: LEAST_REQUEST
+  name: httproute/default/httproute-1/rule/0
+  outlierDetection: {}
+  perConnectionBufferLimitBytes: 32768
+  type: EDS
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig:
+    localityWeightedLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_ONLY
+  dnsRefreshRate: 30s
+  lbPolicy: LEAST_REQUEST
+  loadAssignment:
+    clusterName: oidc_example_com_443
+    endpoints:
+    - lbEndpoints:
+      - endpoint:
+          address:
+            socketAddress:
+              address: oidc.example.com
+              portValue: 443
+        loadBalancingWeight: 1
+      loadBalancingWeight: 1
+      locality:
+        region: oidc_example_com_443/backend/0
+  name: oidc_example_com_443
+  outlierDetection: {}
+  perConnectionBufferLimitBytes: 32768
+  respectDnsTtl: true
+  transportSocket:
+    name: envoy.transport_sockets.tls
+    typedConfig:
+      '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+      commonTlsContext:
+        validationContext:
+          trustedCa:
+            filename: /etc/ssl/certs/ca-certificates.crt
+      sni: oidc.example.com
+  type: STRICT_DNS
diff --git a/...rnal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.endpoints.yaml b/...rnal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.endpoints.yaml
@@ -0,0 +1,12 @@
+- clusterName: httproute/default/httproute-1/rule/0
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 7.7.7.7
+            portValue: 8080
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: httproute/default/httproute-1/rule/0/backend/0
diff --git a/...rnal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml b/...rnal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml
@@ -0,0 +1,107 @@
+- address:
+    socketAddress:
+      address: 0.0.0.0
+      portValue: 10080
+  defaultFilterChain:
+    filters:
+    - name: envoy.filters.network.http_connection_manager
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+        commonHttpProtocolOptions:
+          headersWithUnderscoresAction: REJECT_REQUEST
+        http2ProtocolOptions:
+          initialConnectionWindowSize: 1048576
+          initialStreamWindowSize: 65536
+          maxConcurrentStreams: 100
+        httpFilters:
+        - disabled: true
+          name: envoy.filters.http.oauth2/securitypolicy/default/policy-for-http-route
+          typedConfig:
+            '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
+            config:
+              authScopes:
+              - openid
+              - email
+              - profile
+              authType: BASIC_AUTH
+              authorizationEndpoint: https://oidc.example.com/authorize
+              credentials:
+                clientId: prometheus
+                cookieNames:
+                  bearerToken: AccessToken-5f93c2e4
+                  idToken: IdToken
+                  oauthExpires: OauthExpires-5f93c2e4
+                  oauthHmac: OauthHMAC-5f93c2e4
+                  oauthNonce: OauthNonce-5f93c2e4
+                  refreshToken: RefreshToken-5f93c2e4
+                hmacSecret:
+                  name: oauth2/hmac_secret/securitypolicy/default/policy-for-http-route
+                  sdsConfig:
+                    ads: {}
+                    resourceApiVersion: V3
+                tokenSecret:
+                  name: oauth2/client_secret/securitypolicy/default/policy-for-http-route
+                  sdsConfig:
+                    ads: {}
+                    resourceApiVersion: V3
+              preserveAuthorizationHeader: true
+              redirectPathMatcher:
+                path:
+                  exact: /oauth2/callback
+              redirectUri: '%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback'
+              signoutPath:
+                path:
+                  exact: /logout
+              tokenEndpoint:
+                cluster: oidc_example_com_443
+                timeout: 10s
+                uri: https://oidc.example.com/oauth/token
+              useRefreshToken: false
+        - name: envoy.filters.http.jwt_authn
+          typedConfig:
+            '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
+            providers:
+              httproute/default/httproute-1/rule/0/match/0/www_example_com/exjwt:
+                claimToHeaders:
+                - claimName: email
+                  headerName: x-user-email
+                forward: true
+                fromCookies:
+                - IdToken
+                issuer: https://oidc.example.com/auth/realms/example
+                normalizePayloadInMetadata:
+                  spaceDelimitedClaims:
+                  - scope
+                payloadInMetadata: exjwt
+                remoteJwks:
+                  asyncFetch: {}
+                  cacheDuration: 300s
+                  httpUri:
+                    cluster: oidc_example_com_443
+                    timeout: 10s
+                    uri: https://oidc.example.com/auth/realms/example/protocol/openid-connect/certs
+                  retryPolicy: {}
+            requirementMap:
+              httproute/default/httproute-1/rule/0/match/0/www_example_com:
+                providerName: httproute/default/httproute-1/rule/0/match/0/www_example_com/exjwt
+        - name: envoy.filters.http.rbac
+          typedConfig:
+            '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
+        - name: envoy.filters.http.router
+          typedConfig:
+            '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+            suppressEnvoyHeaders: true
+        mergeSlashes: true
+        normalizePath: true
+        pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
+        rds:
+          configSource:
+            ads: {}
+            resourceApiVersion: V3
+          routeConfigName: envoy-gateway/gateway-1/http
+        serverHeaderTransformation: PASS_THROUGH
+        statPrefix: http-10080
+        useRemoteAddress: true
+    name: envoy-gateway/gateway-1/http
+  name: envoy-gateway/gateway-1/http
+  perConnectionBufferLimitBytes: 32768