From 752759813330fa7fa312d66e86be2be97af75dd1 Mon Sep 17 00:00:00 2001 From: resoluteCoder Date: Tue, 2 Dec 2025 10:20:25 -0600 Subject: [PATCH] changed envoy filter to use EDS instead of strict DNS --- .../resources/envoyfilter-authn.tmpl.yaml | 13 +----- tests/e2e/gateway_test.go | 40 +++++++++++++++---- 2 files changed, 34 insertions(+), 19 deletions(-) diff --git a/internal/controller/services/gateway/resources/envoyfilter-authn.tmpl.yaml b/internal/controller/services/gateway/resources/envoyfilter-authn.tmpl.yaml index 83de1f3aa67..12b311b878c 100644 --- a/internal/controller/services/gateway/resources/envoyfilter-authn.tmpl.yaml +++ b/internal/controller/services/gateway/resources/envoyfilter-authn.tmpl.yaml @@ -113,7 +113,7 @@ spec: operation: ADD value: name: {{.KubeAuthProxyServiceName}} - type: STRICT_DNS + type: EDS connect_timeout: {{.AuthProxyTimeout}} transport_socket: name: envoy.transport_sockets.tls @@ -123,13 +123,4 @@ spec: validation_context: trusted_ca: filename: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - sni: {{.KubeAuthProxyServiceName}}.{{.GatewayNamespace}}.svc.cluster.local - load_assignment: - cluster_name: {{.KubeAuthProxyServiceName}} - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: {{.KubeAuthProxyServiceName}}.{{.GatewayNamespace}}.svc.cluster.local - port_value: {{.GatewayHTTPSPort}} \ No newline at end of file + sni: {{.KubeAuthProxyServiceName}}.{{.GatewayNamespace}}.svc.cluster.local \ No newline at end of file diff --git a/tests/e2e/gateway_test.go b/tests/e2e/gateway_test.go index d9f9e5a570a..d80a676e00b 100644 --- a/tests/e2e/gateway_test.go +++ b/tests/e2e/gateway_test.go 
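Review bot: The cluster switched to `type: EDS` in the first hunk has no `eds_cluster_config`, so nothing tells Envoy where to fetch endpoints from; as far as I know Envoy refuses to build an EDS cluster without one, and under Istio the name it requests also has to be in the `outbound|<port>||<fqdn>` form for istiod to serve endpoints for it. The visible keys of the cluster are `name`, `type`, `connect_timeout` and `transport_socket` (old lines 120–122 are not in the diff and are presumably the `typed_config` under `transport_socket`), and the second hunk removes the `load_assignment` block, so the template is left with no endpoint source at all. The second hunk also re-adds the `sni` line byte-identical except for the lost trailing newline; keeping the newline avoids the `\ No newline at end of file` churn. Because endpoints now become pod addresses rather than the service DNS name, it is worth confirming that the `validation_context` pins the serving certificate's SAN and not only `trusted_ca`, which the hunk cannot show. A sketch of the missing block follows; the `service_name` value is a constructed example to be checked against the cluster name istiod actually generates.
```yaml
          name: {{.KubeAuthProxyServiceName}}
          type: EDS
          eds_cluster_config:
            eds_config:
              ads: {}
              resource_api_version: V3
            service_name: outbound|{{.GatewayHTTPSPort}}||{{.KubeAuthProxyServiceName}}.{{.GatewayNamespace}}.svc.cluster.local
          # … unchanged: connect_timeout, transport_socket …
```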
@@ -86,6 +86,7 @@ func gatewayTestSuite(t *testing.T) { {"Validate NetworkPolicy creation", gatewayCtx.ValidateNetworkPolicy}, {"Validate OAuth callback HTTPRoute", gatewayCtx.ValidateOAuthCallbackRoute}, {"Validate EnvoyFilter creation", gatewayCtx.ValidateEnvoyFilter}, + {"Validate EDS endpoint discovery", gatewayCtx.ValidateEDSEndpointDiscovery}, {"Validate Gateway ready status", gatewayCtx.ValidateGatewayReadyStatus}, {"Validate unauthenticated access redirects to login", gatewayCtx.ValidateUnauthenticatedRedirect}, } 
@@ -442,20 +443,17 @@ func (tc *GatewayTestCtx) ValidateEnvoyFilter(t *testing.T) { jq.Match(`.spec.configPatches[1].patch.value.typed_config.inline_code | contains("Bearer")`), jq.Match(`.spec.configPatches[1].patch.value.typed_config.inline_code | contains("authorization")`), - // Patch 3: Cluster for kube-auth-proxy + // Patch 3: Cluster for kube-auth-proxy with EDS jq.Match(`.spec.configPatches[2].applyTo == "CLUSTER"`), jq.Match(`.spec.configPatches[2].match.context == "GATEWAY"`), jq.Match(`.spec.configPatches[2].patch.operation == "ADD"`), jq.Match(`.spec.configPatches[2].patch.value.name == "%s"`, kubeAuthProxyName), - jq.Match(`.spec.configPatches[2].patch.value.type == "STRICT_DNS"`), + jq.Match(`.spec.configPatches[2].patch.value.type == "EDS"`), jq.Match(`.spec.configPatches[2].patch.value.connect_timeout == "5s"`), - // cluster endpoints - jq.Match(`.spec.configPatches[2].patch.value.load_assignment.cluster_name == "%s"`, kubeAuthProxyName), - jq.Match(`.spec.configPatches[2].patch.value.load_assignment.endpoints | length == 1`), - jq.Match(`.spec.configPatches[2].patch.value.load_assignment.endpoints[0].lb_endpoints | length == 1`), - jq.Match(`.spec.configPatches[2].patch.value.load_assignment.endpoints[0].lb_endpoints[0].endpoint.address.socket_address.address == "%s"`, authProxyFQDN), - jq.Match(`.spec.configPatches[2].patch.value.load_assignment.endpoints[0].lb_endpoints[0].endpoint.address.socket_address.port_value == %d`, kubeAuthProxyHTTPSPort), + // EDS configuration validation - ensure no static endpoint config + jq.Match(`.spec.configPatches[2].patch.value | has("load_assignment") | not`), + jq.Match(`.spec.configPatches[2].patch.value | has("hosts") | not`), // TLS config for cluster jq.Match(`.spec.configPatches[2].patch.value.transport_socket.name == "envoy.transport_sockets.tls"`), 
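Review bot: The replacement assertions only check that `load_assignment` and `hosts` are absent, so a `type: EDS` cluster with no endpoint source at all now passes this validation; the positive half of the change is never pinned. If the template is meant to carry an `eds_cluster_config`, add a `jq.Match` on `.spec.configPatches[2].patch.value | has("eds_cluster_config")` here, followed by a check of its `service_name` against the expected FQDN, which would also keep `authProxyFQDN` in use now that the removed lines no longer reference it. `hosts` is not a field of the v3 cluster API as far as I know, so that assertion is unlikely to catch anything; a one-line comment naming which legacy field it guards against, or dropping it, would make the intent clear. ValidateEnvoyFilter starts and ends outside this hunk.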
@@ -469,6 +467,32 @@ func (tc *GatewayTestCtx) ValidateEnvoyFilter(t *testing.T) { t.Log("EnvoyFilter validation completed") } +// ValidateEDSEndpointDiscovery validates that the Service is properly configured for EDS. +// +// This test verifies: +// - Kubernetes Service exists for kube-auth-proxy +// - Service has correct selector labels to match auth proxy pods +// - Service is properly configured for EDS to discover endpoints +func (tc *GatewayTestCtx) ValidateEDSEndpointDiscovery(t *testing.T) { + t.Helper() + t.Log("Validating EDS service configuration for kube-auth-proxy") + + tc.EnsureResourceExists( + WithMinimalObject(gvk.Service, types.NamespacedName{ + Name: kubeAuthProxyName, + Namespace: gatewayNamespace, + }), + WithCondition(And( + jq.Match(`.spec.selector.app == "%s"`, kubeAuthProxyName), + jq.Match(`.spec.ports[] | select(.name == "https") | .port == %d`, kubeAuthProxyHTTPSPort), + jq.Match(`.spec.ports[] | select(.name == "https") | .targetPort == %d`, kubeAuthProxyHTTPSPort), + )), + WithCustomErrorMsg("kube-auth-proxy Service should exist with correct pod selector for EDS endpoint discovery"), + ) + + t.Log("EDS service configuration validation completed") +} + // ValidateGatewayReadyStatus validates Gateway resource is fully operational and ready to route traffic. func (tc *GatewayTestCtx) ValidateGatewayReadyStatus(t *testing.T) { t.Helper()
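Review bot: The doc comment and name of `ValidateEDSEndpointDiscovery` promise that endpoints are discovered, but the body only checks that the Service exists with the expected selector and `https` port; nothing asserts that the Service resolves to ready endpoints, so a Service with zero matching pods passes. Consider a second `EnsureResourceExists` on the EndpointSlice (or Endpoints) for `kubeAuthProxyName` with a condition such as `.endpoints | length > 0` and `.endpoints[].conditions.ready == true`, or else narrow the docstring to what is checked, e.g. `// ValidateEDSEndpointDiscovery validates that the kube-auth-proxy Service carries the selector and https port that EDS depends on.` The two `select(.name == "https")` expressions yield no output when no port is named https; whether `jq.Match` then reports a failure or silently passes depends on the helper, which is not visible here, so `any(.spec.ports[]; .name == "https" and .port == %d)` would state the intent explicitly.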