Support using L4 policy to TCP proxy created by Gateway API (#632)

Fix #631 Signed-off-by: spacewander <[email protected]>
mosn · Jul 9, 2024 · cd81da1 · cd81da1
1 parent 24e24b1
commit cd81da1
Show file tree

Hide file tree

Showing 9 changed files with 94 additions and 9 deletions.
diff --git a/controller/internal/translation/init_state.go b/controller/internal/translation/init_state.go
@@ -246,10 +246,6 @@ func (s *InitState) AddPolicyForK8sGateway(policy *mosniov1.FilterPolicy, gw *gw
 
 	for _, ls := range gw.Spec.Listeners {
 		proto := mosniov1.NormalizeK8sGatewayProtocol(ls.Protocol)
-		if proto != "HTTP" && proto != "HTTPS" {
-			continue
-		}
-
 		scope := PolicyScopeGateway
 		if targetRef != nil && targetRef.SectionName != nil {
 			if ls.Name != *targetRef.SectionName {

diff --git a/e2e/Makefile b/e2e/Makefile
@@ -35,7 +35,8 @@ helm: $(LOCALBIN)
 .PHONY: create-cluster
 create-cluster: kind kubectl
 	$(KIND) create cluster --name htnn --image kindest/node:v$(MIN_K8S_VERSION)
-	$(KUBECTL) kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v$(GATEWAY_API_VERSION)" | $(KUBECTL) apply -f -
+	$(KUBECTL) apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v$(GATEWAY_API_VERSION)/standard-install.yaml
+	$(KUBECTL) apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v$(GATEWAY_API_VERSION)/experimental-install.yaml
 
 .PHONY: delete-cluster
 delete-cluster: kind

diff --git a/e2e/base/default.yml b/e2e/base/default.yml
@@ -16,6 +16,12 @@ spec:
     hostname: "localhost"
     port: 10000
     protocol: HTTP
+  - name: tcp
+    port: 10001
+    protocol: TCP
+    allowedRoutes:
+      kinds:
+      - kind: TCPRoute
 ---
 apiVersion: v1
 kind: Service

diff --git a/e2e/htnn_controller_values.yaml b/e2e/htnn_controller_values.yaml
@@ -2,6 +2,7 @@ pilot:
   image: "htnn/controller:e2e"
   env:
     HTNN_ENABLE_LDS_PLUGIN_VIA_ECDS: "true"
+    PILOT_ENABLE_ALPHA_GATEWAY_API: true
     UNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONS: "true"
     UNSAFE_PILOT_ENABLE_DELTA_TEST: "true"
   volumes:

diff --git a/e2e/pkg/suite/suite.go b/e2e/pkg/suite/suite.go
@@ -145,7 +145,8 @@ func (suite *Suite) startPortForward(t *testing.T) {
 
 	cmdline := "./port-forward.sh"
 	dests := []string{"istio-ingressgateway", "istio-ingressgateway-tcp",
-		"k8s-gateway-api", "k8s-gateway-api-another"}
+		"k8s-gateway-api", "k8s-gateway-api-tcp",
+		"k8s-gateway-api-another"}
 	for _, d := range dests {
 		forwarder := exec.Command(cmdline, d)
 		forwarder.Stdout = os.Stdout

diff --git a/e2e/port-forward.sh b/e2e/port-forward.sh
@@ -24,6 +24,8 @@ elif [[ "$DEST" == "istio-ingressgateway-tcp" ]]; then
     exec kubectl port-forward -n istio-system pod/"$(kubectl -n istio-system get pods | grep '^istio-ingressgateway' |  cut -d' ' -f 1)" 18001:18001
 elif [[ "$DEST" == "k8s-gateway-api" ]]; then
     exec kubectl port-forward -n e2e pod/"$(kubectl -n e2e get pods | grep '^default-istio' |  cut -d' ' -f 1)" 10000:10000
+elif [[ "$DEST" == "k8s-gateway-api-tcp" ]]; then
+    exec kubectl port-forward -n e2e pod/"$(kubectl -n e2e get pods | grep '^default-istio' |  cut -d' ' -f 1)" 10001:10001
 else
-    exec kubectl port-forward -n e2e-another pod/"$(kubectl -n e2e-another get pods | grep '^default-istio' |  cut -d' ' -f 1)" 10001:10000
+    exec kubectl port-forward -n e2e-another pod/"$(kubectl -n e2e-another get pods | grep '^default-istio' |  cut -d' ' -f 1)" 10100:10000
 fi
diff --git a/e2e/tests/httproute_other_namespace.go b/e2e/tests/httproute_other_namespace.go
@@ -42,7 +42,7 @@ func init() {
 
 			// Same host, in different gateway of different namespace
 			tr = &http.Transport{DialContext: func(ctx context.Context, proto, addr string) (conn net.Conn, err error) {
-				return net.DialTimeout("tcp", ":10001", 1*time.Second)
+				return net.DialTimeout("tcp", ":10100", 1*time.Second)
 			}}
 			client = &http.Client{Transport: tr, Timeout: 10 * time.Second}
 			rsp, err = client.Get("http://localhost:10000/echo")

diff --git a/e2e/tests/policy_to_tcp_proxy.go b/e2e/tests/policy_to_tcp_proxy.go
@@ -53,6 +53,25 @@ func init() {
 			rsp, err := client.Get("http://default.local:18001/echo")
 			require.NoError(t, err)
 			require.Equal(t, 200, rsp.StatusCode)
+
+			// Do the same with Gateway API
+			tr = &http.Transport{DialContext: func(ctx context.Context, proto, addr string) (conn net.Conn, err error) {
+				return net.DialTimeout("tcp", ":10001", 1*time.Second)
+			}}
+			client = &http.Client{Transport: tr, Timeout: 10 * time.Second}
+			_, err = client.Get("http://localhost:10001/echo")
+			require.Error(t, err)
+
+			nsName = types.NamespacedName{Name: "policy", Namespace: k8s.DefaultNamespace}
+			err = c.Get(ctx, nsName, &policy)
+			require.NoError(t, err)
+			err = c.Delete(ctx, &policy)
+			require.NoError(t, err)
+
+			time.Sleep(1 * time.Second)
+			rsp, err = client.Get("http://localhost:10001/echo")
+			require.NoError(t, err)
+			require.Equal(t, 200, rsp.StatusCode)
 		},
 	})
 }
diff --git a/e2e/tests/policy_to_tcp_proxy.yml b/e2e/tests/policy_to_tcp_proxy.yml
@@ -1,4 +1,3 @@
-# TODO: support Gateway API
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -65,3 +64,63 @@ spec:
                         "@type": type.googleapis.com/envoy.config.rbac.v3.Action
                         name: match-all
                         action: ALLOW
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TCPRoute
+metadata:
+  name: test
+spec:
+  parentRefs:
+  - name: default
+    sectionName: tcp
+  rules:
+  - backendRefs:
+    - name: backend
+      port: 8080
+---
+apiVersion: htnn.mosn.io/v1
+kind: FilterPolicy
+metadata:
+  name: policy
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: Gateway
+    name: default
+    sectionName: tcp
+  filters:
+    networkRBAC:
+      config:
+        statPrefix: network_rbac
+        matcher:
+          matcherTree:
+            input:
+              name: envoy.matching.inputs.source_ip
+              typedConfig:
+                "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput
+            customMatch:
+              name: ip-matcher
+              typedConfig:
+                "@type": type.googleapis.com/xds.type.matcher.v3.IPMatcher
+                rangeMatchers:
+                - ranges:
+                  - addressPrefix: 127.0.0.1
+                    prefixLen: 32
+                  onMatch:
+                    action:
+                      name: envoy.filters.rbac.action
+                      typedConfig:
+                        "@type": type.googleapis.com/envoy.config.rbac.v3.Action
+                        name: localhost
+                        action: DENY
+                # match-all action
+                - ranges:
+                  - addressPrefix: 0.0.0.0
+                    prefixLen: 0
+                  onMatch:
+                    action:
+                      name: envoy.filters.rbac.action
+                      typedConfig:
+                        "@type": type.googleapis.com/envoy.config.rbac.v3.Action
+                        name: match-all
+                        action: ALLOW