Skip to content

Commit

Permalink
Add Security Policy conversion.
Browse files Browse the repository at this point in the history
  • Loading branch information
@sawsa307
sawsa307 committed Sep 11, 2024
1 parent 57ce2ae commit f6ee19f
Show file tree
Hide file tree
Showing 4 changed files with 224 additions and 8 deletions.
38 changes: 38 additions & 0 deletions pkg/i2gw/providers/gce/extensions/output_extensions.go
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
/*
Copyright 2024 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package extensions

import (
gkegatewayv1 "github.com/GoogleCloudPlatform/gke-gateway-api/apis/networking/v1"
"github.com/kubernetes-sigs/ingress2gateway/pkg/i2gw/intermediate"
)

func BuildBackendPolicySessionAffinityConfig(serviceIR intermediate.ProviderSpecificServiceIR) *gkegatewayv1.SessionAffinityConfig {
affinityType := serviceIR.Gce.SessionAffinity.AffinityType
saConfig := gkegatewayv1.SessionAffinityConfig{
Type: &affinityType,
}
if affinityType == "GENERATED_COOKIE" {
saConfig.CookieTTLSec = serviceIR.Gce.SessionAffinity.CookieTTLSec
}
return &saConfig
}

func BuildBackendPolicySecurityPolicyConfig(serviceIR intermediate.ProviderSpecificServiceIR) *string {
securityPolicy := serviceIR.Gce.SecurityPolicy.Name
return &securityPolicy
}
59 changes: 59 additions & 0 deletions pkg/i2gw/providers/gce/gateway_converter_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ func Test_irToGateway(t *testing.T) {
saTypeClientIP := "CLIENT_IP"
testCookieTTLSec := int64(10)
saTypeCookie := "GENERATED_COOKIE"
testSecurityPolicy := "test-security-policy"

testGateway := gatewayv1.Gateway{
ObjectMeta: metav1.ObjectMeta{Name: testGatewayName, Namespace: testNamespace},
Expand Down Expand Up @@ -140,6 +141,28 @@ func Test_irToGateway(t *testing.T) {
}
testSaGCPBackendPolicyClientIP.SetGroupVersionKind(GCPBackendPolicyGVK)
testSaGCPBackendPolicyClientIPUnstructured, err := i2gw.CastToUnstructured(&testSaGCPBackendPolicyClientIP)
if err != nil {
t.Errorf("Failed to generate unstructured GCP Backend Policy with Security Policy feature: %v", err)
}

testSpGCPBackendPolicy := gkegatewayv1.GCPBackendPolicy{
ObjectMeta: metav1.ObjectMeta{
Namespace: testNamespace,
Name: testSaBackendPolicyName,
},
Spec: gkegatewayv1.GCPBackendPolicySpec{
Default: &gkegatewayv1.GCPBackendPolicyConfig{
SecurityPolicy: &testSecurityPolicy,
},
TargetRef: v1alpha2.NamespacedPolicyTargetReference{
Group: "",
Kind: "Service",
Name: gatewayv1.ObjectName(testServiceName),
},
},
}
testSpGCPBackendPolicy.SetGroupVersionKind(GCPBackendPolicyGVK)
testSpGCPBackendPolicyUnstructured, err := i2gw.CastToUnstructured(&testSpGCPBackendPolicy)
if err != nil {
t.Errorf("Failed to generate unstructured GCP Backend Policy with ClientIP-based session affinity feature: %v", err)
}
Expand Down Expand Up @@ -222,6 +245,42 @@ func Test_irToGateway(t *testing.T) {
},
expectedErrors: field.ErrorList{},
},
{
name: "ingress with a Backend Config specifying Security Policy",
ir: intermediate.IR{
Gateways: map[types.NamespacedName]intermediate.GatewayContext{
{Namespace: testNamespace, Name: testGatewayName}: {
Gateway: testGateway,
},
},
HTTPRoutes: map[types.NamespacedName]intermediate.HTTPRouteContext{
{Namespace: testNamespace, Name: testHTTPRouteName}: {
HTTPRoute: testHTTPRoute,
},
},
Services: map[types.NamespacedName]intermediate.ProviderSpecificServiceIR{
{Namespace: testNamespace, Name: testServiceName}: {
Gce: &intermediate.GceServiceIR{
SecurityPolicy: &intermediate.SecurityPolicyConfig{
Name: testSecurityPolicy,
},
},
},
},
},
expectedGatewayResources: i2gw.GatewayResources{
Gateways: map[types.NamespacedName]gatewayv1.Gateway{
{Namespace: testNamespace, Name: testGatewayName}: testGateway,
},
HTTPRoutes: map[types.NamespacedName]gatewayv1.HTTPRoute{
{Namespace: testNamespace, Name: testHTTPRouteName}: testHTTPRoute,
},
GatewayExtensions: []unstructured.Unstructured{
*testSpGCPBackendPolicyUnstructured,
},
},
expectedErrors: field.ErrorList{},
},
}

for _, tc := range testCases {
Expand Down
12 changes: 4 additions & 8 deletions pkg/i2gw/providers/gce/gce_extensions.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -187,14 +187,10 @@ func addBackendPolicyIfConfigured(serviceNamespacedName types.NamespacedName, se
backendPolicy.SetGroupVersionKind(GCPBackendPolicyGVK)

if serviceIR.Gce.SessionAffinity != nil {
affinityType := serviceIR.Gce.SessionAffinity.AffinityType
saConfig := gkegatewayv1.SessionAffinityConfig{
Type: &affinityType,
}
if affinityType == "GENERATED_COOKIE" {
saConfig.CookieTTLSec = serviceIR.Gce.SessionAffinity.CookieTTLSec
}
backendPolicy.Spec.Default.SessionAffinity = &saConfig
backendPolicy.Spec.Default.SessionAffinity = extensions.BuildBackendPolicySessionAffinityConfig(serviceIR)
}
if serviceIR.Gce.SecurityPolicy != nil {
backendPolicy.Spec.Default.SecurityPolicy = extensions.BuildBackendPolicySecurityPolicyConfig(serviceIR)
}

return &backendPolicy
Expand Down
123 changes: 123 additions & 0 deletions pkg/i2gw/providers/gce/ir_converter_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ func Test_convertToIR(t *testing.T) {
saTypeClientIP := "CLIENT_IP"
testCookieTTLSec := int64(10)
saTypeCookie := "GENERATED_COOKIE"
testSecurityPolicy := "test-security-policy"

testCases := []struct {
name string
Expand Down Expand Up @@ -889,6 +890,128 @@ func Test_convertToIR(t *testing.T) {
},
expectedErrors: field.ErrorList{},
},
{
name: "ingress with a Backend Config specifying GENERATED_COOKIE type session affinity config",
ingresses: map[types.NamespacedName]*networkingv1.Ingress{
{Namespace: testNamespace, Name: extIngClassIngressName}: {
ObjectMeta: metav1.ObjectMeta{
Name: extIngClassIngressName,
Namespace: testNamespace,
Annotations: map[string]string{networkingv1beta1.AnnotationIngressClass: gceIngressClass},
},
Spec: networkingv1.IngressSpec{
Rules: []networkingv1.IngressRule{{
Host: testHost,
IngressRuleValue: networkingv1.IngressRuleValue{
HTTP: &networkingv1.HTTPIngressRuleValue{
Paths: []networkingv1.HTTPIngressPath{{
Path: "/",
PathType: &iPrefix,
Backend: networkingv1.IngressBackend{
Service: &networkingv1.IngressServiceBackend{
Name: testServiceName,
Port: networkingv1.ServiceBackendPort{
Number: 80,
},
},
},
}},
},
},
}},
},
},
},
services: map[types.NamespacedName]*apiv1.Service{
{Namespace: testNamespace, Name: testServiceName}: {
ObjectMeta: metav1.ObjectMeta{
Namespace: testNamespace,
Name: testServiceName,
Annotations: map[string]string{
backendConfigKey: `{"default":"test-backendconfig"}`,
},
},
},
},
backendConfigs: map[types.NamespacedName]*backendconfigv1.BackendConfig{
{Namespace: testNamespace, Name: testBackendConfigName}: {
ObjectMeta: metav1.ObjectMeta{
Namespace: testNamespace,
Name: testBackendConfigName,
},
Spec: backendconfigv1.BackendConfigSpec{
SecurityPolicy: &backendconfigv1.SecurityPolicyConfig{
Name: testSecurityPolicy,
},
},
},
},
expectedIR: intermediate.IR{
Gateways: map[types.NamespacedName]intermediate.GatewayContext{
{Namespace: testNamespace, Name: gceIngressClass}: {
Gateway: gatewayv1.Gateway{
ObjectMeta: metav1.ObjectMeta{Name: gceIngressClass, Namespace: testNamespace},
Spec: gatewayv1.GatewaySpec{
GatewayClassName: gceL7GlobalExternalManagedGatewayClass,
Listeners: []gatewayv1.Listener{{
Name: "test-mydomain-com-http",
Port: 80,
Protocol: gatewayv1.HTTPProtocolType,
Hostname: ptrTo(gatewayv1.Hostname(testHost)),
}},
},
},
},
},
HTTPRoutes: map[types.NamespacedName]intermediate.HTTPRouteContext{
{Namespace: testNamespace, Name: fmt.Sprintf("%s-test-mydomain-com", extIngClassIngressName)}: {
HTTPRoute: gatewayv1.HTTPRoute{
ObjectMeta: metav1.ObjectMeta{Name: fmt.Sprintf("%s-test-mydomain-com", extIngClassIngressName), Namespace: testNamespace},
Spec: gatewayv1.HTTPRouteSpec{
CommonRouteSpec: gatewayv1.CommonRouteSpec{
ParentRefs: []gatewayv1.ParentReference{{
Name: gceIngressClass,
}},
},
Hostnames: []gatewayv1.Hostname{gatewayv1.Hostname(testHost)},
Rules: []gatewayv1.HTTPRouteRule{
{
Matches: []gatewayv1.HTTPRouteMatch{
{
Path: &gatewayv1.HTTPPathMatch{
Type: &gPathPrefix,
Value: ptrTo("/"),
},
},
},
BackendRefs: []gatewayv1.HTTPBackendRef{
{
BackendRef: gatewayv1.BackendRef{
BackendObjectReference: gatewayv1.BackendObjectReference{
Name: gatewayv1.ObjectName(testServiceName),
Port: ptrTo(gatewayv1.PortNumber(80)),
},
},
},
},
},
},
},
},
},
},
Services: map[types.NamespacedName]intermediate.ProviderSpecificServiceIR{
{Namespace: testNamespace, Name: testServiceName}: {
Gce: &intermediate.GceServiceIR{
SecurityPolicy: &intermediate.SecurityPolicyConfig{
Name: testSecurityPolicy,
},
},
},
},
},
expectedErrors: field.ErrorList{},
},
}

for _, tc := range testCases {
Expand Down

0 comments on commit f6ee19f

Please sign in to comment.