[backport] cherry-pick commit 15e46da to release-v1.2 (#5063)
nshankar13 authored Sep 1, 2022
1 parent 893ff87 commit d2175d3
Showing 21 changed files with 276 additions and 180 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/main.yml
Expand Up @@ -54,7 +54,7 @@ jobs:
- name: golangci-lint
uses: golangci/golangci-lint-action@v3
with:
version: latest
version: v1.47.0
skip-pkg-cache: true

codegen:
6 changes: 6 additions & 0 deletions pkg/catalog/catalog.go
Expand Up @@ -25,6 +25,7 @@ func NewMeshCatalog(kubeController k8s.Controller, meshSpec smi.MeshSpec, certMa
meshSpec: meshSpec,
policyController: policyController,
configurator: cfg,
certManager: certManager,

kubeController: kubeController,
}
Expand All @@ -42,3 +43,8 @@ func NewMeshCatalog(kubeController k8s.Controller, meshSpec smi.MeshSpec, certMa
func (mc *MeshCatalog) GetKubeController() k8s.Controller {
return mc.kubeController
}

// GetTrustDomain returns the currently configured trust domain, ie: cluster.local
func (mc *MeshCatalog) GetTrustDomain() string {
return mc.certManager.GetTrustDomain()
}
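Review bot: GetTrustDomain calls through mc.certManager with no nil check, so any MeshCatalog built as a struct literal without the new certManager field (the test in this commit sets it explicitly, but an unchanged construction site elsewhere would not) panics on the first inbound-policy computation instead of failing with a clear error; if certManager is an interface or pointer type, either document the field as required or guard with `if mc.certManager == nil { return "" }` and make callers treat an empty trust domain as a configuration error. The doc comment would also be clearer as `// GetTrustDomain returns the trust domain currently configured on the certificate manager, e.g. cluster.local.` since "ie" suggests the value is fixed. NewMeshCatalog starts outside the first hunk.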
14 changes: 7 additions & 7 deletions pkg/catalog/inbound_traffic_policies.go
Expand Up @@ -131,8 +131,8 @@ func (mc *MeshCatalog) getInboundTrafficPoliciesForUpstream(upstreamSvc service.
// Only a single rule for permissive mode.
inboundPolicyForUpstreamSvc.Rules = []*trafficpolicy.Rule{
{
Route: *trafficpolicy.NewRouteWeightedCluster(trafficpolicy.WildCardRouteMatch, []service.WeightedCluster{localCluster}, upstreamTrafficSetting),
AllowedServiceIdentities: mapset.NewSetWith(identity.WildcardServiceIdentity),
Route: *trafficpolicy.NewRouteWeightedCluster(trafficpolicy.WildCardRouteMatch, []service.WeightedCluster{localCluster}, upstreamTrafficSetting),
AllowedPrincipals: mapset.NewSetWith(identity.WildcardPrincipal),
},
}
} else {
Expand Down Expand Up @@ -178,17 +178,17 @@ func (mc *MeshCatalog) getRoutingRulesFromTrafficTarget(trafficTarget access.Tra
}

// Compute the allowed downstream service identities for the given TrafficTarget object
allowedDownstreamIdentities := mapset.NewSet()
trustDomain := mc.GetTrustDomain()
allowedDownstreamPrincipals := mapset.NewSet()
for _, source := range trafficTarget.Spec.Sources {
sourceSvcIdentity := trafficTargetIdentityToSvcAccount(source).ToServiceIdentity()
allowedDownstreamIdentities.Add(sourceSvcIdentity)
allowedDownstreamPrincipals.Add(trafficTargetIdentityToSvcAccount(source).AsPrincipal(trustDomain))
}

var routingRules []*trafficpolicy.Rule
for _, httpRouteMatch := range httpRouteMatches {
rule := &trafficpolicy.Rule{
Route: *trafficpolicy.NewRouteWeightedCluster(httpRouteMatch, []service.WeightedCluster{routingCluster}, upstreamTrafficSetting),
AllowedServiceIdentities: allowedDownstreamIdentities,
Route: *trafficpolicy.NewRouteWeightedCluster(httpRouteMatch, []service.WeightedCluster{routingCluster}, upstreamTrafficSetting),
AllowedPrincipals: allowedDownstreamPrincipals,
}
routingRules = append(routingRules, rule)
}
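Review bot: The comment above the loop in the second hunk still says "allowed downstream service identities" while the code now collects trust-domain-qualified principals into allowedDownstreamPrincipals; update it to `// Compute the allowed downstream principals (service account qualified with the cert manager's trust domain) for the given TrafficTarget object`. Because the trust domain is read via mc.GetTrustDomain() at policy-build time, the AllowedPrincipals sets in these rules are only valid for the trust domain in force when the policy was computed; if the certificate manager's trust domain can change at runtime, the inbound policies must be recomputed, otherwise downstreams presenting the new domain would presumably be denied. The one principal set is shared by every rule appended in the loop, which is pre-existing but worth keeping in mind now that its contents depend on the trust domain. getRoutingRulesFromTrafficTarget starts and ends outside the hunk.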
88 changes: 45 additions & 43 deletions pkg/catalog/inbound_traffic_policies_test.go
Expand Up @@ -4,6 +4,7 @@ import (
"fmt"
"reflect"
"testing"
"time"

mapset "github.com/deckarep/golang-set"
"github.com/golang/mock/gomock"
Expand All @@ -15,6 +16,7 @@ import (
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"

policyv1alpha1 "github.com/openservicemesh/osm/pkg/apis/policy/v1alpha1"
tresorFake "github.com/openservicemesh/osm/pkg/certificate/providers/tresor/fake"

"github.com/openservicemesh/osm/pkg/configurator"
"github.com/openservicemesh/osm/pkg/endpoint"
Expand Down Expand Up @@ -168,10 +170,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -207,10 +209,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -473,10 +475,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
{
Route: trafficpolicy.RouteWeightedClusters{
Expand All @@ -493,10 +495,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -532,10 +534,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
{
Route: trafficpolicy.RouteWeightedClusters{
Expand All @@ -552,10 +554,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -721,10 +723,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -758,10 +760,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -797,10 +799,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -914,7 +916,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand All @@ -941,7 +943,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand Down Expand Up @@ -970,7 +972,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand Down Expand Up @@ -1116,10 +1118,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
AllowedPrincipals: mapset.NewSet("sa2.ns2.cluster.local"),
},
},
},
Expand Down Expand Up @@ -1287,15 +1286,15 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(
AllowedPrincipals: mapset.NewSet(
identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity(),
}.AsPrincipal("cluster.local"),
identity.K8sServiceAccount{
Name: "sa3",
Namespace: "ns3",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -1331,15 +1330,15 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(
AllowedPrincipals: mapset.NewSet(
identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity(),
}.AsPrincipal("cluster.local"),
identity.K8sServiceAccount{
Name: "sa3",
Namespace: "ns3",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -1503,10 +1502,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -1542,10 +1541,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -1653,7 +1652,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand All @@ -1680,7 +1679,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand Down Expand Up @@ -1825,10 +1824,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
}),
RateLimit: perRouteRateLimitConfig,
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -1866,10 +1865,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
}),
RateLimit: perRouteRateLimitConfig,
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -1953,7 +1952,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
}),
RateLimit: perRouteRateLimitConfig,
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand Down Expand Up @@ -1984,7 +1983,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
}),
RateLimit: perRouteRateLimitConfig,
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand Down Expand Up @@ -2014,6 +2013,8 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
mockCtrl := gomock.NewController(t)
defer mockCtrl.Finish()

fakeCertManager := tresorFake.NewFake(nil, 1*time.Hour)

mockKubeController := k8s.NewMockController(mockCtrl)
mockPolicyController := policy.NewMockController(mockCtrl)
mockEndpointProvider := endpoint.NewMockProvider(mockCtrl)
Expand All @@ -2025,6 +2026,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
policyController: mockPolicyController,
endpointsProviders: []endpoint.Provider{mockEndpointProvider},
serviceProviders: []service.Provider{mockServiceProvider},
certManager: fakeCertManager,
configurator: mockCfg,
meshSpec: mockMeshSpec,
}
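Review bot: The expected principal in the hunk at old line 1118 is written as the literal `"sa2.ns2.cluster.local"` while every other case in the file builds it with `identity.K8sServiceAccount{Name: "sa2", Namespace: "ns2"}.AsPrincipal("cluster.local")`; using one form throughout keeps the table robust to a change in the principal format and makes clear the string is derived rather than arbitrary. Pinning the wire format once is still valuable, but a dedicated assertion on AsPrincipal's output is the clearer place for it. The fake certificate manager is created with a nil first argument and a one-hour validity, and every expectation in the table assumes the fake reports the cluster.local trust domain; a comment on that line such as `// the fake cert manager reports trust domain cluster.local, which the expected principals assume` would save a reader from tracing it, if that is indeed how the fake behaves. TestGetInboundMeshTrafficPolicy starts and ends outside the hunks shown.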

0 comments on commit d2175d3
