Expand Up @@ -113,7 +113,7 @@ spec:
operation: ADD
value:
name: {{.KubeAuthProxyServiceName}}
type: STRICT_DNS
type: EDS
connect_timeout: {{.AuthProxyTimeout}}
transport_socket:
name: envoy.transport_sockets.tls
Expand All @@ -123,13 +123,4 @@ spec:
validation_context:
trusted_ca:
filename: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
sni: {{.KubeAuthProxyServiceName}}.{{.GatewayNamespace}}.svc.cluster.local
load_assignment:
cluster_name: {{.KubeAuthProxyServiceName}}
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: {{.KubeAuthProxyServiceName}}.{{.GatewayNamespace}}.svc.cluster.local
port_value: {{.GatewayHTTPSPort}}
sni: {{.KubeAuthProxyServiceName}}.{{.GatewayNamespace}}.svc.cluster.local
40 changes: 32 additions & 8 deletions tests/e2e/gateway_test.go
Expand Up @@ -86,6 +86,7 @@
{"Validate NetworkPolicy creation", gatewayCtx.ValidateNetworkPolicy},
{"Validate OAuth callback HTTPRoute", gatewayCtx.ValidateOAuthCallbackRoute},
{"Validate EnvoyFilter creation", gatewayCtx.ValidateEnvoyFilter},
{"Validate EDS endpoint discovery", gatewayCtx.ValidateEDSEndpointDiscovery},
{"Validate Gateway ready status", gatewayCtx.ValidateGatewayReadyStatus},
{"Validate unauthenticated access redirects to login", gatewayCtx.ValidateUnauthenticatedRedirect},
}
Expand Down Expand Up @@ -442,20 +443,17 @@
jq.Match(`.spec.configPatches[1].patch.value.typed_config.inline_code | contains("Bearer")`),
jq.Match(`.spec.configPatches[1].patch.value.typed_config.inline_code | contains("authorization")`),

// Patch 3: Cluster for kube-auth-proxy
// Patch 3: Cluster for kube-auth-proxy with EDS
jq.Match(`.spec.configPatches[2].applyTo == "CLUSTER"`),
jq.Match(`.spec.configPatches[2].match.context == "GATEWAY"`),
jq.Match(`.spec.configPatches[2].patch.operation == "ADD"`),
jq.Match(`.spec.configPatches[2].patch.value.name == "%s"`, kubeAuthProxyName),
jq.Match(`.spec.configPatches[2].patch.value.type == "STRICT_DNS"`),
jq.Match(`.spec.configPatches[2].patch.value.type == "EDS"`),
jq.Match(`.spec.configPatches[2].patch.value.connect_timeout == "5s"`),

// cluster endpoints
jq.Match(`.spec.configPatches[2].patch.value.load_assignment.cluster_name == "%s"`, kubeAuthProxyName),
jq.Match(`.spec.configPatches[2].patch.value.load_assignment.endpoints | length == 1`),
jq.Match(`.spec.configPatches[2].patch.value.load_assignment.endpoints[0].lb_endpoints | length == 1`),
jq.Match(`.spec.configPatches[2].patch.value.load_assignment.endpoints[0].lb_endpoints[0].endpoint.address.socket_address.address == "%s"`, authProxyFQDN),
jq.Match(`.spec.configPatches[2].patch.value.load_assignment.endpoints[0].lb_endpoints[0].endpoint.address.socket_address.port_value == %d`, kubeAuthProxyHTTPSPort),
// EDS configuration validation - ensure no static endpoint config
jq.Match(`.spec.configPatches[2].patch.value | has("load_assignment") | not`),
jq.Match(`.spec.configPatches[2].patch.value | has("hosts") | not`),

// TLS config for cluster
jq.Match(`.spec.configPatches[2].patch.value.transport_socket.name == "envoy.transport_sockets.tls"`),
Expand All @@ -469,6 +467,32 @@
t.Log("EnvoyFilter validation completed")
}

// ValidateEDSEndpointDiscovery validates that the Service is properly configured for EDS.
//
// This test verifies:
// - Kubernetes Service exists for kube-auth-proxy
// - Service has correct selector labels to match auth proxy pods
// - Service is properly configured for EDS to discover endpoints

Check failure on line 475 in tests/e2e/gateway_test.go


GitHub Actions / golangci-lint

Comment should end in a period (godot)
func (tc *GatewayTestCtx) ValidateEDSEndpointDiscovery(t *testing.T) {
t.Helper()
t.Log("Validating EDS service configuration for kube-auth-proxy")

tc.EnsureResourceExists(
WithMinimalObject(gvk.Service, types.NamespacedName{
Name: kubeAuthProxyName,
Namespace: gatewayNamespace,
}),
WithCondition(And(
jq.Match(`.spec.selector.app == "%s"`, kubeAuthProxyName),
jq.Match(`.spec.ports[] | select(.name == "https") | .port == %d`, kubeAuthProxyHTTPSPort),
jq.Match(`.spec.ports[] | select(.name == "https") | .targetPort == %d`, kubeAuthProxyHTTPSPort),
)),
WithCustomErrorMsg("kube-auth-proxy Service should exist with correct pod selector for EDS endpoint discovery"),
)

t.Log("EDS service configuration validation completed")
}

// ValidateGatewayReadyStatus validates Gateway resource is fully operational and ready to route traffic.
func (tc *GatewayTestCtx) ValidateGatewayReadyStatus(t *testing.T) {
t.Helper()
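Review bot: ValidateEDSEndpointDiscovery in the @@ +467 hunk asserts only the Service's selector and port numbers, so a label mismatch that leaves the Service with no endpoints — and the Envoy cluster with nothing to send the auth check to — still passes; it should also assert that the Service resolves to at least one ready address, e.g. an EndpointSlice in `gatewayNamespace` labelled `kubernetes.io/service-name: <kubeAuthProxyName>` with a ready endpoint. Likewise the `configPatches[2]` assertions in the @@ +443 hunk now only prove `load_assignment` and `hosts` are absent; nothing pins the EDS wiring, so a cluster with `type: EDS` but no `eds_cluster_config` would pass the test yet never receive endpoints — consider adding `jq.Match(".spec.configPatches[2].patch.value.eds_cluster_config.service_name | length > 0")` and a check that `eds_cluster_config.eds_config` is set (the shown template hunks do not add either, though collapsed lines might). The TLS assertions that begin at `// TLS config for cluster` are collapsed below; if they do not pin a `match_typed_subject_alt_names` entry for the auth-proxy hostname it is worth adding, since the template's `validation_context` carries only `trusted_ca` and `sni` alone does not make Envoy verify the upstream certificate's SAN, so with EDS presumably dialling pod IPs any service-CA-issued cert would be accepted. ValidateEnvoyFilter starts before the hunk, so these additions belong inside its existing And(...) list.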