feat(kuma-cp): policy origin in rules (#5184)

Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
kumahq · Oct 20, 2022 · 2259d7b · 2259d7b
1 parent 1bf643d
commit 2259d7b
Show file tree

Hide file tree

Showing 14 changed files with 259 additions and 44 deletions.
diff --git a/pkg/core/xds/matched_policies.go b/pkg/core/xds/matched_policies.go
@@ -20,6 +20,11 @@ type PolicyItem interface {
 	GetDefaultAsProto() proto.Message
 }
 
+type PolicyItemWithMeta struct {
+	PolicyItem
+	core_model.ResourceMeta
+}
+
 type Policy interface {
 	core_model.ResourceSpec
 	GetTargetRef() *common_proto.TargetRef
@@ -45,6 +50,17 @@ type InboundListener struct {
 	Port    uint32
 }
 
+func BuildPolicyItemsWithMeta(items []PolicyItem, meta core_model.ResourceMeta) []PolicyItemWithMeta {
+	var result []PolicyItemWithMeta
+	for _, item := range items {
+		result = append(result, PolicyItemWithMeta{
+			PolicyItem:   item,
+			ResourceMeta: meta,
+		})
+	}
+	return result
+}
+
 // We need to implement TextMarshaler because InboundListener is used
 // as a key for maps that are JSON encoded for logging.
 var _ encoding.TextMarshaler = InboundListener{}

diff --git a/pkg/core/xds/rules.go b/pkg/core/xds/rules.go
@@ -83,7 +83,6 @@ func (ss Subset) IndexOfPositive() int {
 type Rule struct {
 	Subset Subset
 	Conf   proto.Message
-	// todo(lobkovilya): add support for Origin to implement Inspect API
 	Origin []core_model.ResourceMeta
 }
 
@@ -104,7 +103,7 @@ func (rs Rules) Compute(sub Subset) proto.Message {
 // Filtering out of negative rules could be useful for XDS generators that don't have a way to configure negations.
 //
 // See the detailed algorithm description in docs/madr/decisions/007-mesh-traffic-permission.md
-func BuildRules(list []PolicyItem) (Rules, error) {
+func BuildRules(list []PolicyItemWithMeta) (Rules, error) {
 	rules := Rules{}
 
 	// 1. Each targetRef should be represented as a list of tags
@@ -139,6 +138,7 @@ func BuildRules(list []PolicyItem) (Rules, error) {
 		}
 		// 3. For each combination determine a configuration
 		confs := []any{}
+		distinctOrigins := map[core_model.ResourceKey]core_model.ResourceMeta{}
 		for i := 0; i < len(list); i++ {
 			item := list[i]
 			itemSubset, err := asSubset(item.GetTargetRef())
@@ -147,16 +147,25 @@ func BuildRules(list []PolicyItem) (Rules, error) {
 			}
 			if itemSubset.IsSubset(ss) {
 				confs = append(confs, item.GetDefaultAsProto())
+				distinctOrigins[core_model.MetaToResourceKey(item.ResourceMeta)] = item.ResourceMeta
 			}
 		}
 		merged, err := merge(confs)
 		if err != nil {
 			return nil, err
 		}
 		if merged != nil {
+			var origins []core_model.ResourceMeta
+			for _, origin := range distinctOrigins {
+				origins = append(origins, origin)
+			}
+			sort.Slice(origins, func(i, j int) bool {
+				return origins[i].GetName() < origins[j].GetName()
+			})
 			rules = append(rules, &Rule{
 				Subset: ss,
 				Conf:   merged,
+				Origin: origins,
 			})
 		}
 	}

diff --git a/pkg/core/xds/rules_test.go b/pkg/core/xds/rules_test.go
@@ -162,7 +162,7 @@ var _ = Describe("Rules", func() {
 				Expect(ok).To(BeTrue())
 
 				// when
-				rules, err := xds.BuildRules(mtp.GetFromList())
+				rules, err := xds.BuildRules(xds.BuildPolicyItemsWithMeta(mtp.GetFromList(), policy.GetMeta()))
 				Expect(err).ToNot(HaveOccurred())
 
 				// then
@@ -200,13 +200,13 @@ var _ = Describe("Rules", func() {
 				Expect(err).ToNot(HaveOccurred())
 
 				yamls := util_yaml.SplitYAML(string(policyBytes))
-				policies := []xds.PolicyItem{}
+				policies := []xds.PolicyItemWithMeta{}
 				for _, yaml := range yamls {
 					policy, err := rest.YAML.UnmarshalCore([]byte(yaml))
 					Expect(err).ToNot(HaveOccurred())
 					mt, ok := policy.(*meshtrace_api.MeshTraceResource)
 					Expect(ok).To(BeTrue())
-					policies = append(policies, mt.Spec.GetPolicyItem())
+					policies = append(policies, xds.PolicyItemWithMeta{mt.Spec.GetPolicyItem(), policy.GetMeta()})
 				}
 
 				// when

diff --git a/pkg/core/xds/testdata/rules/01.golden.yaml b/pkg/core/xds/testdata/rules/01.golden.yaml
@@ -1,6 +1,11 @@
 - Conf:
     action: ALLOW
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: env
     Not: false
@@ -10,7 +15,12 @@
     Value: us-east
 - Conf:
     action: ALLOW
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: env
     Not: false
@@ -20,7 +30,12 @@
     Value: us-east
 - Conf:
     action: DENY
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: env
     Not: true
@@ -33,7 +48,12 @@
     Value: us-east
 - Conf:
     action: ALLOW
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: env
     Not: false
@@ -43,7 +63,12 @@
     Value: us-east
 - Conf:
     action: ALLOW
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: env
     Not: false
@@ -53,7 +78,12 @@
     Value: us-east
 - Conf:
     action: ALLOW
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: env
     Not: true

diff --git a/pkg/core/xds/testdata/rules/02.golden.yaml b/pkg/core/xds/testdata/rules/02.golden.yaml
@@ -1,6 +1,11 @@
 - Conf:
     action: ALLOW
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: env
     Not: false
@@ -13,7 +18,12 @@
     Value: us-east
 - Conf:
     action: DENY
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: env
     Not: true
@@ -26,7 +36,12 @@
     Value: us-east
 - Conf:
     action: ALLOW
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: env
     Not: false
@@ -39,7 +54,12 @@
     Value: us-east
 - Conf:
     action: ALLOW
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: env
     Not: false
@@ -52,7 +72,12 @@
     Value: us-east
 - Conf:
     action: DENY
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: env
     Not: true
@@ -65,7 +90,12 @@
     Value: us-east
 - Conf:
     action: ALLOW
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: env
     Not: true
@@ -78,7 +108,12 @@
     Value: us-east
 - Conf:
     action: ALLOW
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: env
     Not: false

diff --git a/pkg/core/xds/testdata/rules/03.golden.yaml b/pkg/core/xds/testdata/rules/03.golden.yaml
@@ -1,27 +1,47 @@
 - Conf:
     action: DENY
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: kuma.io/service
     Not: false
     Value: web
 - Conf:
     action: DENY_WITH_SHADOW_ALLOW
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: kuma.io/service
     Not: false
     Value: orders
 - Conf:
     action: ALLOW
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: kuma.io/service
     Not: false
     Value: backend
 - Conf:
     action: ALLOW_WITH_SHADOW_DENY
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mtp-1
+    type: MeshTrafficPermission
   Subset:
   - Key: kuma.io/service
     Not: false

diff --git a/pkg/core/xds/testdata/rules/04.golden.yaml b/pkg/core/xds/testdata/rules/04.golden.yaml
@@ -1,4 +1,9 @@
 - Conf:
     backends: []
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mal-1
+    type: MeshAccessLog
   Subset: []
diff --git a/pkg/core/xds/testdata/rules/05.golden.yaml b/pkg/core/xds/testdata/rules/05.golden.yaml
@@ -2,5 +2,10 @@
     backends:
     - tcp:
         address: logging:8080
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mal-1
+    type: MeshAccessLog
   Subset: []
diff --git a/pkg/core/xds/testdata/rules/06.golden.yaml b/pkg/core/xds/testdata/rules/06.golden.yaml
@@ -5,5 +5,10 @@
     tags:
     - literal: core
       name: team
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mt-1
+    type: MeshTrace
   Subset: []
diff --git a/pkg/core/xds/testdata/rules/07.golden.yaml b/pkg/core/xds/testdata/rules/07.golden.yaml
@@ -5,5 +5,15 @@
     tags:
     - literal: support
       name: team
-  Origin: null
+  Origin:
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mt-1
+    type: MeshTrace
+  - creationTime: "0001-01-01T00:00:00Z"
+    mesh: mesh-1
+    modificationTime: "0001-01-01T00:00:00Z"
+    name: mt-2
+    type: MeshTrace
   Subset: []