fix(MeshTrafficPermission): use serviceName instead of resource name …

…for egress MTP (#7225) Signed-off-by: Lukasz Dziedziak <lukidzi@gmail.com>
kumahq · Jul 13, 2023 · fdc37b6 · fdc37b6
1 parent 6c11867
commit fdc37b6
Show file tree

Hide file tree

Showing 3 changed files with 251 additions and 0 deletions.
diff --git a/pkg/plugins/policies/meshtrafficpermission/plugin/v1alpha1/plugin.go b/pkg/plugins/policies/meshtrafficpermission/plugin/v1alpha1/plugin.go
@@ -4,6 +4,7 @@ import (
 	envoy_listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	envoy_resource "github.com/envoyproxy/go-control-plane/pkg/resource/v3"
 
+	mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1"
 	"github.com/kumahq/kuma/pkg/core"
 	core_plugins "github.com/kumahq/kuma/pkg/core/plugins"
 	core_mesh "github.com/kumahq/kuma/pkg/core/resources/apis/mesh"
@@ -82,3 +83,55 @@ func (p plugin) Apply(rs *core_xds.ResourceSet, ctx xds_context.Context, proxy *
 	}
 	return nil
 }
+<<<<<<< HEAD
+=======
+
+func (p plugin) configureEgress(rs *core_xds.ResourceSet, proxy *core_xds.Proxy) error {
+	listeners := policies_xds.GatherListeners(rs)
+	for _, resource := range proxy.ZoneEgressProxy.MeshResourcesList {
+		if !resource.Mesh.MTLSEnabled() {
+			log.V(1).Info("skip applying MeshTrafficPermission, MTLS is disabled",
+				"mesh", resource.Mesh.GetMeta().GetName())
+			continue
+		}
+		for _, es := range resource.ExternalServices {
+			meshName := resource.Mesh.GetMeta().GetName()
+			esName, ok := es.Spec.GetTags()[mesh_proto.ServiceTag]
+			if !ok {
+				continue
+			}
+			policies, ok := resource.Dynamic[esName]
+			if !ok {
+				continue
+			}
+			mtp, ok := policies[api.MeshTrafficPermissionType]
+			if !ok {
+				continue
+			}
+			if listeners.Egress == nil {
+				log.V(1).Info("skip applying MeshTrafficPermission, Egress has no listener",
+					"proxyName", proxy.ZoneEgressProxy.ZoneEgressResource.GetMeta().GetName(),
+					"mesh", resource.Mesh.GetMeta().GetName(),
+				)
+				return nil
+			}
+
+			for _, rule := range mtp.FromRules.Rules {
+				configurer := &v3.RBACConfigurer{
+					StatsName: listeners.Egress.Name,
+					Rules:     rule,
+					Mesh:      resource.Mesh.GetMeta().GetName(),
+				}
+				for _, filterChain := range listeners.Egress.FilterChains {
+					if filterChain.Name == names.GetEgressFilterChainName(esName, meshName) {
+						if err := configurer.Configure(filterChain); err != nil {
+							return err
+						}
+					}
+				}
+			}
+		}
+	}
+	return nil
+}
+>>>>>>> e6ced1005 (fix(MeshTrafficPermission): use serviceName instead of resource name for egress MTP (#7225))
diff --git a/pkg/plugins/policies/meshtrafficpermission/plugin/v1alpha1/plugin_test.go b/pkg/plugins/policies/meshtrafficpermission/plugin/v1alpha1/plugin_test.go
@@ -41,6 +41,7 @@ var _ = Describe("Apply", func() {
 			Resource: listener,
 		})
 
+<<<<<<< HEAD
 		// listener that is originated from inbound proxy generator but won't match
 		listener2, err := listeners.NewListenerBuilder(envoy.APIV3).
 			Configure(listeners.InboundListener("test_listener2", "192.168.0.1", 8081, core_xds.SocketAddressProtocolTCP)).
@@ -52,6 +53,172 @@ var _ = Describe("Apply", func() {
 			Name:     listener2.GetName(),
 			Origin:   generator.OriginInbound,
 			Resource: listener2,
+=======
+	Context("for ZoneEgress", func() {
+		It("should enrich matching listener with RBAC filter", func() {
+			// given
+			rs := core_xds.NewResourceSet()
+
+			// listener that matches
+			listener, err := listeners.NewInboundListenerBuilder(envoy.APIV3, "192.168.0.1", 10002, core_xds.SocketAddressProtocolTCP).
+				WithOverwriteName("test_listener").
+				Configure(
+					listeners.FilterChain(listeners.NewFilterChainBuilder(envoy.APIV3, "external-service-1_mesh-1").Configure(
+						listeners.MatchTransportProtocol("tls"),
+						listeners.MatchServerNames("external-service-1{mesh=mesh-1}"),
+						listeners.HttpConnectionManager("external-service-1", false),
+					)),
+					listeners.FilterChain(listeners.NewFilterChainBuilder(envoy.APIV3, "external-service-2_mesh-1").Configure(
+						listeners.MatchTransportProtocol("tls"),
+						listeners.MatchServerNames("external-service-2{mesh=mesh-1}"),
+						listeners.TCPProxy("external-service-2"),
+					)),
+					listeners.FilterChain(listeners.NewFilterChainBuilder(envoy.APIV3, "external-service-1_mesh-2").Configure(
+						listeners.MatchTransportProtocol("tls"),
+						listeners.MatchServerNames("external-service-1{mesh=mesh-2}"),
+						listeners.TCPProxy("external-service-1"),
+					)),
+					listeners.FilterChain(listeners.NewFilterChainBuilder(envoy.APIV3, "internal-service-1_mesh-1").Configure(
+						listeners.MatchTransportProtocol("tls"),
+						listeners.MatchServerNames("internal-service-1{mesh=mesh-1}"),
+						listeners.TCPProxy("internal-service-1"),
+					)),
+				).
+				Build()
+			Expect(err).ToNot(HaveOccurred())
+			rs.Add(&core_xds.Resource{
+				Name:     listener.GetName(),
+				Origin:   egress.OriginEgress,
+				Resource: listener,
+			})
+
+			// mesh with enabled mTLS and egress
+			ctx := xds_context.Context{
+				Mesh: xds_context.MeshContext{
+					Resource: &mesh.MeshResource{
+						Meta: &test_model.ResourceMeta{Name: "mesh-1", Mesh: core_model.NoMesh},
+						Spec: &mesh_proto.Mesh{
+							Mtls: &mesh_proto.Mesh_Mtls{
+								EnabledBackend: "builtin-1",
+								Backends: []*mesh_proto.CertificateAuthorityBackend{
+									{
+										Name: "builtin-1",
+										Type: "builtin",
+									},
+								},
+							},
+							Routing: &mesh_proto.Routing{
+								ZoneEgress: true,
+							},
+						},
+					},
+				},
+			}
+
+			proxy := &core_xds.Proxy{
+				APIVersion: envoy.APIV3,
+				ZoneEgressProxy: &core_xds.ZoneEgressProxy{
+					ZoneEgressResource: &mesh.ZoneEgressResource{
+						Meta: &test_model.ResourceMeta{Name: "dp1", Mesh: "mesh-1"},
+						Spec: &mesh_proto.ZoneEgress{
+							Networking: &mesh_proto.ZoneEgress_Networking{
+								Address: "192.168.0.1",
+								Port:    10002,
+							},
+						},
+					},
+					ZoneIngresses: []*mesh.ZoneIngressResource{},
+					MeshResourcesList: []*core_xds.MeshResources{
+						{
+							Mesh: builders.Mesh().WithName("mesh-1").WithEnabledMTLSBackend("ca-1").WithBuiltinMTLSBackend("ca-1").Build(),
+							ExternalServices: []*mesh.ExternalServiceResource{
+								{
+									Meta: &test_model.ResourceMeta{
+										Mesh: "mesh-1",
+										Name: "es-1",
+									},
+									Spec: &mesh_proto.ExternalService{
+										Tags: map[string]string{
+											"kuma.io/service": "external-service-1",
+										},
+										Networking: &mesh_proto.ExternalService_Networking{
+											Address: "externalservice-1.org",
+										},
+									},
+								},
+							},
+							Dynamic: core_xds.ExternalServiceDynamicPolicies{
+								"external-service-1": {
+									policies_api.MeshTrafficPermissionType: core_xds.TypedMatchingPolicies{
+										FromRules: core_rules.FromRules{
+											Rules: map[core_rules.InboundListener]core_rules.Rules{
+												{
+													Address: "192.168.0.1", Port: 10002,
+												}: {
+													{
+														Subset: core_rules.MeshService("frontend"),
+														Conf:   policies_api.Conf{Action: policies_api.Allow},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+						{
+							Mesh: builders.Mesh().WithName("mesh-2").WithEnabledMTLSBackend("ca-2").WithBuiltinMTLSBackend("ca-2").Build(),
+							ExternalServices: []*mesh.ExternalServiceResource{
+								{
+									Meta: &test_model.ResourceMeta{
+										Mesh: "mesh-2",
+										Name: "es-1",
+									},
+									Spec: &mesh_proto.ExternalService{
+										Tags: map[string]string{
+											"kuma.io/service": "external-service-1",
+										},
+										Networking: &mesh_proto.ExternalService_Networking{
+											Address: "externalservice-1.org",
+										},
+									},
+								},
+							},
+							Dynamic: core_xds.ExternalServiceDynamicPolicies{
+								"external-service-1": {
+									policies_api.MeshTrafficPermissionType: core_xds.TypedMatchingPolicies{
+										FromRules: core_rules.FromRules{
+											Rules: map[core_rules.InboundListener]core_rules.Rules{
+												{
+													Address: "192.168.0.1", Port: 10002,
+												}: {
+													{
+														Subset: core_rules.MeshSubset(),
+														Conf:   policies_api.Conf{Action: policies_api.Allow},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			}
+
+			// when
+			p := meshtrafficpermission.NewPlugin().(plugins.PolicyPlugin)
+			err = p.Apply(rs, ctx, proxy)
+			Expect(err).ToNot(HaveOccurred())
+
+			// then
+			resp, err := rs.List().ToDeltaDiscoveryResponse()
+			Expect(err).ToNot(HaveOccurred())
+			bytes, err := util_proto.ToYAML(resp)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(bytes).To(matchers.MatchGoldenYAML(path.Join("testdata", "apply-egress.golden.yaml")))
+>>>>>>> e6ced1005 (fix(MeshTrafficPermission): use serviceName instead of resource name for egress MTP (#7225))
 		})
 
 		// listener that matches but is not originated from inbound proxy generator

diff --git a/test/e2e_env/multizone/meshtrafficpermission/meshtrafficpermission.go b/test/e2e_env/multizone/meshtrafficpermission/meshtrafficpermission.go
@@ -10,6 +10,37 @@ import (
 	"github.com/kumahq/kuma/test/framework/envs/multizone"
 )
 
+<<<<<<< HEAD
+=======
+func externalService(mesh string, ip string) InstallFunc {
+	return YamlUniversal(fmt.Sprintf(`
+type: ExternalService
+mesh: "%s"
+name: es-1
+tags:
+  kuma.io/service: external-service
+  kuma.io/protocol: http
+networking:
+  address: "%s"
+`, mesh, net.JoinHostPort(ip, "80")))
+}
+
+func mtlsAndEgressMeshUniversal(name string) InstallFunc {
+	mesh := fmt.Sprintf(`
+type: Mesh
+name: %s
+mtls:
+  enabledBackend: ca-1
+  backends:
+    - name: ca-1
+      type: builtin
+routing:
+  zoneEgress: true
+`, name)
+	return YamlUniversal(mesh)
+}
+
+>>>>>>> e6ced1005 (fix(MeshTrafficPermission): use serviceName instead of resource name for egress MTP (#7225))
 func MeshTrafficPermission() {
 	const meshName = "mtp-test"
 	const namespace = "mtp-test"