diff --git a/cmd/control_plane.go b/cmd/control_plane.go
index 89232eb..8267cd2 100644
--- a/cmd/control_plane.go
+++ b/cmd/control_plane.go
@@ -135,7 +135,7 @@ func (cp *controlPlane) Run(ctx context.Context, logger logr.Logger) error {
 	}
 
 	cacheLoggerInst := cacheLogger(logger.WithName("envoy-snapshot-cache"))
-	envoySnapshotCache := cachev3.NewSnapshotCache(true, cachev3.IDHash{}, cacheLoggerInst)
+	envoySnapshotCache := cachev3.NewSnapshotCache(false, cachev3.IDHash{}, cacheLoggerInst)
 
 	serverCert, err := cp.ensureControlPlaneTlsCert(ctx, bootstrapClient)
 	if err != nil {
diff --git a/internal/controller/storage_api_controller_test.go b/internal/controller/storage_api_controller_test.go
index a081e1e..12c1fa5 100644
--- a/internal/controller/storage_api_controller_test.go
+++ b/internal/controller/storage_api_controller_test.go
@@ -68,7 +68,7 @@ var _ = Describe("Storage Controller", func() {
 		})
 		It("should successfully reconcile the resource", func() {
 			By("Reconciling the created resource")
-			controllerReconciler := &StorageReconciler{
+			controllerReconciler := &StorageApiReconciler{
 				Client: k8sClient,
 				Scheme: k8sClient.Scheme(),
 			}
diff --git a/internal/controlplane/apigateway_controller.go b/internal/controlplane/apigateway_controller.go
index 9f2145b..d41af9a 100644
--- a/internal/controlplane/apigateway_controller.go
+++ b/internal/controlplane/apigateway_controller.go
@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
-	"sync/atomic"
 	"time"
 
 	cachev3 "github.com/envoyproxy/go-control-plane/pkg/cache/v3"
@@ -45,7 +44,6 @@ import (
 
 // APIGatewayReconciler reconciles a APIGateway object
 type APIGatewayReconciler struct {
-	initialReconciliation atomic.Bool
 	client.Client
 	Scheme *runtime.Scheme
 	Cache cachev3.SnapshotCache
diff --git a/internal/controlplane/auth_filters.go b/internal/controlplane/auth_filters.go
index e3d9b31..f669817 100644
--- a/internal/controlplane/auth_filters.go
+++ b/internal/controlplane/auth_filters.go
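Review bot: Flipping `NewSnapshotCache(true, …)` to `false` switches the cache out of ADS mode, and nothing in the hunk records why. In ADS mode go-control-plane holds a response until every resource Envoy named in its request exists in the snapshot, which is what keeps a listener from being served before the clusters and route config it references; in non-ADS mode each resource type is answered independently, so that cross-type consistency now rests entirely on what `snapshot()` emits per version. Whether the Envoy bootstrap still aggregates all xDS onto one ADS stream is not visible here, but if it does, any snapshot that is internally inconsistent will no longer be caught by the cache. A comment next to the call such as `// non-ADS: the cache no longer withholds responses until the snapshot is consistent; snapshot() must emit self-consistent versions` would capture the decision for the next reader. `Run` continues outside the hunk.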
@@ -148,12 +148,6 @@ func RBACAllowAllConfig() *rbacv3.RBAC {
 }
 
 func RBACRequireAuthConfig() *rbacv3.RBAC {
-	/*
-		Identifier: &rbacv3cfg.Principal_SourcedMetadata{
-			SourcedMetadata: &rbacv3cfg.SourcedMetadata{
-				MetadataSource: rbacv3cfg.MetadataSource_DYNAMIC,
-				MetadataMatcher: &matcherv3.MetadataMatcher{
-	*/
 	return &rbacv3.RBAC{
 		Rules: &rbacv3cfg.RBAC{
 			Action: rbacv3cfg.RBAC_ALLOW,
@@ -167,48 +161,51 @@ func RBACRequireAuthConfig() *rbacv3.RBAC {
						OrIds: &rbacv3cfg.Principal_Set{
							Ids: []*rbacv3cfg.Principal{
								{
-									Identifier: &rbacv3cfg.Principal_Metadata{
-										Metadata: &matcherv3.MetadataMatcher{
-											Filter: FilterNameJwtAuthn,
-											Path: []*matcherv3.MetadataMatcher_PathSegment{
-												{
-													Segment: &matcherv3.MetadataMatcher_PathSegment_Key{
-														Key: "jwt_payload",
+									Identifier: &rbacv3cfg.Principal_SourcedMetadata{
+										SourcedMetadata: &rbacv3cfg.SourcedMetadata{
+											MetadataSource: rbacv3cfg.MetadataSource_DYNAMIC,
+											MetadataMatcher: &matcherv3.MetadataMatcher{
+												Filter: FilterNameJwtAuthn,
+												Path: []*matcherv3.MetadataMatcher_PathSegment{
+													{
+														Segment: &matcherv3.MetadataMatcher_PathSegment_Key{
+															Key: "jwt_payload",
+														},
+													},
+													{
+														Segment: &matcherv3.MetadataMatcher_PathSegment_Key{
+															Key: "role",
+														},
 													},
 												},
-												{
-													Segment: &matcherv3.MetadataMatcher_PathSegment_Key{
-														Key: "role",
-													},
-												},
-											},
-											Value: &matcherv3.ValueMatcher{
-												MatchPattern: &matcherv3.ValueMatcher_OrMatch{
-													OrMatch: &matcherv3.OrMatcher{
-														ValueMatchers: []*matcherv3.ValueMatcher{
-															{
-																MatchPattern: &matcherv3.ValueMatcher_StringMatch{
-																	StringMatch: &matcherv3.StringMatcher{
-																		MatchPattern: &matcherv3.StringMatcher_Exact{
-																			Exact: "anon",
+												Value: &matcherv3.ValueMatcher{
+													MatchPattern: &matcherv3.ValueMatcher_OrMatch{
+														OrMatch: &matcherv3.OrMatcher{
+															ValueMatchers: []*matcherv3.ValueMatcher{
+																{
+																	MatchPattern: &matcherv3.ValueMatcher_StringMatch{
+																		StringMatch: &matcherv3.StringMatcher{
+																			MatchPattern: &matcherv3.StringMatcher_Exact{
+																				Exact: "anon",
+																			},
 																		},
 																	},
 																},
-															},
-															{
-																MatchPattern: &matcherv3.ValueMatcher_StringMatch{
-																	StringMatch: &matcherv3.StringMatcher{
-																		MatchPattern: &matcherv3.StringMatcher_Exact{
-																			Exact: "authenticated",
+																{
+																	MatchPattern: &matcherv3.ValueMatcher_StringMatch{
+																		StringMatch: &matcherv3.StringMatcher{
+																			MatchPattern: &matcherv3.StringMatcher_Exact{
+																				Exact: "authenticated",
+																			},
 																		},
 																	},
 																},
-															},
-															{
-																MatchPattern: &matcherv3.ValueMatcher_StringMatch{
-																	StringMatch: &matcherv3.StringMatcher{
-																		MatchPattern: &matcherv3.StringMatcher_Exact{
-																			Exact: "admin",
+																{
+																	MatchPattern: &matcherv3.ValueMatcher_StringMatch{
+																		StringMatch: &matcherv3.StringMatcher{
+																			MatchPattern: &matcherv3.StringMatcher_Exact{
+																				Exact: "admin",
+																			},
 																		},
 																	},
 																},
diff --git a/internal/controlplane/snapshot.go b/internal/controlplane/snapshot.go
index 1133f68..f3eb4a4 100644
--- a/internal/controlplane/snapshot.go
+++ b/internal/controlplane/snapshot.go
@@ -156,7 +156,7 @@ func (s *EnvoyServices) snapshot(ctx context.Context, instance, version string)
 		},
 	}}
 
-	if studioListener := s.studioListener(); studioListener != nil {
+	if studioListener := s.studioListener(instance); studioListener != nil {
 		listeners = append(listeners, studioListener)
 	}
 
@@ -176,7 +176,7 @@ func (s *EnvoyServices) snapshot(ctx context.Context, instance, version string)
 	)...)
 
 	if oauth2Spec := s.Gateway.Spec.DashboardEndpoint.OAuth2(); oauth2Spec != nil {
-		if oauth2TokenEndpointCluster, err := s.oauth2TokenEndpointCluster(); err != nil {
+		if oauth2TokenEndpointCluster, err := s.oauth2TokenEndpointCluster(instance); err != nil {
 			return nil, nil, err
 		} else {
 			clusters = append(clusters, oauth2TokenEndpointCluster)
@@ -350,7 +350,7 @@ func (s *EnvoyServices) apiRouteConfiguration(instance string) *routev3.RouteCon
 		}
 	}
 }
-func (s *EnvoyServices) studioListener() *listenerv3.Listener {
+func (s *EnvoyServices) studioListener(instance string) *listenerv3.Listener {
 	if s.Studio == nil {
 		return nil
 	}
@@ -367,7 +367,7 @@ func (s *EnvoyServices) studioListener() *listenerv3.Listener {
 				Config: &oauth2v3.OAuth2Config{
 					TokenEndpoint: &corev3.HttpUri{
 						HttpUpstreamType: &corev3.HttpUri_Cluster{
-							Cluster: dashboardOAuth2ClusterName,
+							Cluster: fmt.Sprintf("%s@%s", dashboardOAuth2ClusterName, instance),
 						},
 						Uri: s.Gateway.Spec.DashboardEndpoint.Auth.OAuth2.TokenEndpoint,
 						Timeout: durationpb.New(3 * time.Second),
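Review bot: The rewritten principal still admits `Exact: "anon"`, so `RBACRequireAuthConfig` allows any request whose verified JWT carries `role: anon`; for a policy named "require auth" that is either deliberate (an anonymous token is still a signed token that passed jwt_authn) or a gap, and nothing in the function says which. The rule also depends on the jwt_authn filter being configured to write its verified payload into dynamic metadata under the key `jwt_payload`, which is set up elsewhere; if that key is ever renamed the principal stops matching and the ALLOW policy denies everything, which is safe but hard to diagnose. I would add above the `Identifier:` line a comment along the lines of `// Matches the "role" claim jwt_authn stored under dynamic-metadata key "jwt_payload"; "anon" is allowed on purpose since anonymous tokens are still signed and verified (confirm)`. Moving from `Principal_Metadata` to `Principal_SourcedMetadata` with `MetadataSource_DYNAMIC` appears to read the same dynamic metadata as before, so the match semantics look unchanged. `RBACRequireAuthConfig` starts before and ends after this hunk.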
@@ -493,7 +493,7 @@ func (s *EnvoyServices) studioRoute(instance string) *routev3.RouteConfiguration
 	}
 }
 
-func (s *EnvoyServices) oauth2TokenEndpointCluster() (*clusterv3.Cluster, error) {
+func (s *EnvoyServices) oauth2TokenEndpointCluster(instance string) (*clusterv3.Cluster, error) {
 	oauth2Spec := s.Gateway.Spec.DashboardEndpoint.OAuth2()
 	parsedTokenEndpoint, err := url.Parse(oauth2Spec.TokenEndpoint)
 	if err != nil {
@@ -523,7 +523,7 @@ func (s *EnvoyServices) oauth2TokenEndpointCluster() (*clusterv3.Cluster, error)
 	}
 
 	cluster := &clusterv3.Cluster{
-		Name: fmt.Sprintf("%s@%s", dashboardOAuth2ClusterName, instance),
+		Name: fmt.Sprintf("%s@%s", dashboardOAuth2ClusterName, instance),
 		ConnectTimeout: durationpb.New(3 * time.Second),
 		ClusterDiscoveryType: &clusterv3.Cluster_Type{
 			Type: clusterv3.Cluster_LOGICAL_DNS,
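Review bot: `oauth2TokenEndpointCluster` dereferences `oauth2Spec.TokenEndpoint` two lines below the new signature without checking that `OAuth2()` returned a non-nil spec; the one visible caller in `snapshot` guards this, but the added `instance` parameter invites reuse from other snapshot paths and a nil spec would panic rather than return an error. A guard before the `url.Parse` call, `if oauth2Spec == nil { return nil, fmt.Errorf("dashboard endpoint has no oauth2 configuration") }`, keeps that failure on the error path the function already has. The function's body continues past the hunk.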
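Review bot: The cluster name `fmt.Sprintf("%s@%s", dashboardOAuth2ClusterName, instance)` is now spelled out in two places — the `Name:` field here and the `HttpUri_Cluster` reference in `studioListener` — with nothing tying them together, so if either drifts the OAuth2 filter points at a cluster Envoy does not have and the dashboard login path breaks with no compile-time signal. A single helper, `func oauth2TokenEndpointClusterName(instance string) string { return fmt.Sprintf("%s@%s", dashboardOAuth2ClusterName, instance) }`, used at both sites removes that risk. The rest of the cluster definition is outside the hunk, so I cannot see whether a TLS transport socket is set for this upstream; since the token endpoint is where the OAuth2 filter exchanges the authorization code and client secret, that is worth confirming.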