fix: route propagation

2025-02-03 15:51:00 +01:00 · 2025-02-03 15:51:00 +01:00 · 6c61adb1c7
commit 6c61adb1c7
parent 8066c34eb5
5 changed files with 45 additions and 50 deletions
--- a/cmd/control_plane.go
+++ b/cmd/control_plane.go
@ -135,7 +135,7 @@ func (cp *controlPlane) Run(ctx context.Context, logger logr.Logger) error {
 	}

 	cacheLoggerInst := cacheLogger(logger.WithName("envoy-snapshot-cache"))
-	envoySnapshotCache := cachev3.NewSnapshotCache(true, cachev3.IDHash{}, cacheLoggerInst)
+	envoySnapshotCache := cachev3.NewSnapshotCache(false, cachev3.IDHash{}, cacheLoggerInst)

 	serverCert, err := cp.ensureControlPlaneTlsCert(ctx, bootstrapClient)
 	if err != nil {
--- a/internal/controller/storage_api_controller_test.go
+++ b/internal/controller/storage_api_controller_test.go
@ -68,7 +68,7 @@ var _ = Describe("Storage Controller", func() {
 		})
 		It("should successfully reconcile the resource", func() {
 			By("Reconciling the created resource")
-			controllerReconciler := &StorageReconciler{
+			controllerReconciler := &StorageApiReconciler{
 				Client: k8sClient,
 				Scheme: k8sClient.Scheme(),
 			}
--- a/internal/controlplane/apigateway_controller.go
+++ b/internal/controlplane/apigateway_controller.go
@ -21,7 +21,6 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
-	"sync/atomic"
 	"time"

 	cachev3 "github.com/envoyproxy/go-control-plane/pkg/cache/v3"
@ -45,7 +44,6 @@ import (

 // APIGatewayReconciler reconciles a APIGateway object
 type APIGatewayReconciler struct {
-	initialReconciliation atomic.Bool
 	client.Client
 	Scheme *runtime.Scheme
 	Cache  cachev3.SnapshotCache
--- a/internal/controlplane/auth_filters.go
+++ b/internal/controlplane/auth_filters.go
@ -148,12 +148,6 @@ func RBACAllowAllConfig() *rbacv3.RBAC {
 }

 func RBACRequireAuthConfig() *rbacv3.RBAC {
-	/*
-		Identifier: &rbacv3cfg.Principal_SourcedMetadata{
-				SourcedMetadata: &rbacv3cfg.SourcedMetadata{
-					MetadataSource: rbacv3cfg.MetadataSource_DYNAMIC,
-					MetadataMatcher: &matcherv3.MetadataMatcher{
-	*/
 	return &rbacv3.RBAC{
 		Rules: &rbacv3cfg.RBAC{
 			Action: rbacv3cfg.RBAC_ALLOW,
@ -167,48 +161,51 @@ func RBACRequireAuthConfig() *rbacv3.RBAC {
 							OrIds: &rbacv3cfg.Principal_Set{
 								Ids: []*rbacv3cfg.Principal{
 									{
-										Identifier: &rbacv3cfg.Principal_Metadata{
-											Metadata: &matcherv3.MetadataMatcher{
-												Filter: FilterNameJwtAuthn,
-												Path: []*matcherv3.MetadataMatcher_PathSegment{
-													{
-														Segment: &matcherv3.MetadataMatcher_PathSegment_Key{
-															Key: "jwt_payload",
+										Identifier: &rbacv3cfg.Principal_SourcedMetadata{
+											SourcedMetadata: &rbacv3cfg.SourcedMetadata{
+												MetadataSource: rbacv3cfg.MetadataSource_DYNAMIC,
+												MetadataMatcher: &matcherv3.MetadataMatcher{
+													Filter: FilterNameJwtAuthn,
+													Path: []*matcherv3.MetadataMatcher_PathSegment{
+														{
+															Segment: &matcherv3.MetadataMatcher_PathSegment_Key{
+																Key: "jwt_payload",
+															},
+														},
+														{
+															Segment: &matcherv3.MetadataMatcher_PathSegment_Key{
+																Key: "role",
+															},
 														},
 													},
-													{
-														Segment: &matcherv3.MetadataMatcher_PathSegment_Key{
-															Key: "role",
-														},
-													},
-												},
-												Value: &matcherv3.ValueMatcher{
-													MatchPattern: &matcherv3.ValueMatcher_OrMatch{
-														OrMatch: &matcherv3.OrMatcher{
-															ValueMatchers: []*matcherv3.ValueMatcher{
-																{
-																	MatchPattern: &matcherv3.ValueMatcher_StringMatch{
-																		StringMatch: &matcherv3.StringMatcher{
-																			MatchPattern: &matcherv3.StringMatcher_Exact{
-																				Exact: "anon",
+													Value: &matcherv3.ValueMatcher{
+														MatchPattern: &matcherv3.ValueMatcher_OrMatch{
+															OrMatch: &matcherv3.OrMatcher{
+																ValueMatchers: []*matcherv3.ValueMatcher{
+																	{
+																		MatchPattern: &matcherv3.ValueMatcher_StringMatch{
+																			StringMatch: &matcherv3.StringMatcher{
+																				MatchPattern: &matcherv3.StringMatcher_Exact{
+																					Exact: "anon",
+																				},
 																			},
 																		},
 																	},
-																},
-																{
-																	MatchPattern: &matcherv3.ValueMatcher_StringMatch{
-																		StringMatch: &matcherv3.StringMatcher{
-																			MatchPattern: &matcherv3.StringMatcher_Exact{
-																				Exact: "authenticated",
+																	{
+																		MatchPattern: &matcherv3.ValueMatcher_StringMatch{
+																			StringMatch: &matcherv3.StringMatcher{
+																				MatchPattern: &matcherv3.StringMatcher_Exact{
+																					Exact: "authenticated",
+																				},
 																			},
 																		},
 																	},
-																},
-																{
-																	MatchPattern: &matcherv3.ValueMatcher_StringMatch{
-																		StringMatch: &matcherv3.StringMatcher{
-																			MatchPattern: &matcherv3.StringMatcher_Exact{
-																				Exact: "admin",
+																	{
+																		MatchPattern: &matcherv3.ValueMatcher_StringMatch{
+																			StringMatch: &matcherv3.StringMatcher{
+																				MatchPattern: &matcherv3.StringMatcher_Exact{
+																					Exact: "admin",
+																				},
 																			},
 																		},
 																	},
--- a/internal/controlplane/snapshot.go
+++ b/internal/controlplane/snapshot.go
@ -156,7 +156,7 @@ func (s *EnvoyServices) snapshot(ctx context.Context, instance, version string)
 		},
 	}}

-	if studioListener := s.studioListener(); studioListener != nil {
+	if studioListener := s.studioListener(instance); studioListener != nil {
 		listeners = append(listeners, studioListener)
 	}

@ -176,7 +176,7 @@ func (s *EnvoyServices) snapshot(ctx context.Context, instance, version string)
 		)...)

 	if oauth2Spec := s.Gateway.Spec.DashboardEndpoint.OAuth2(); oauth2Spec != nil {
-		if oauth2TokenEndpointCluster, err := s.oauth2TokenEndpointCluster(); err != nil {
+		if oauth2TokenEndpointCluster, err := s.oauth2TokenEndpointCluster(instance); err != nil {
 			return nil, nil, err
 		} else {
 			clusters = append(clusters, oauth2TokenEndpointCluster)
@ -350,7 +350,7 @@ func (s *EnvoyServices) apiRouteConfiguration(instance string) *routev3.RouteCon
 	}
 }

-func (s *EnvoyServices) studioListener() *listenerv3.Listener {
+func (s *EnvoyServices) studioListener(instance string) *listenerv3.Listener {
 	if s.Studio == nil {
 		return nil
 	}
@ -367,7 +367,7 @@ func (s *EnvoyServices) studioListener() *listenerv3.Listener {
 				Config: &oauth2v3.OAuth2Config{
 					TokenEndpoint: &corev3.HttpUri{
 						HttpUpstreamType: &corev3.HttpUri_Cluster{
-							Cluster: dashboardOAuth2ClusterName,
+							Cluster: fmt.Sprintf("%s@%s", dashboardOAuth2ClusterName, instance),
 						},
 						Uri:     s.Gateway.Spec.DashboardEndpoint.Auth.OAuth2.TokenEndpoint,
 						Timeout: durationpb.New(3 * time.Second),
@ -493,7 +493,7 @@ func (s *EnvoyServices) studioRoute(instance string) *routev3.RouteConfiguration
 	}
 }

-func (s *EnvoyServices) oauth2TokenEndpointCluster() (*clusterv3.Cluster, error) {
+func (s *EnvoyServices) oauth2TokenEndpointCluster(instance string) (*clusterv3.Cluster, error) {
 	oauth2Spec := s.Gateway.Spec.DashboardEndpoint.OAuth2()
 	parsedTokenEndpoint, err := url.Parse(oauth2Spec.TokenEndpoint)
 	if err != nil {
@ -523,7 +523,7 @@ func (s *EnvoyServices) oauth2TokenEndpointCluster() (*clusterv3.Cluster, error)
 	}

 	cluster := &clusterv3.Cluster{
-		Name:           dashboardOAuth2ClusterName,
+		Name:           fmt.Sprintf("%s@%s", dashboardOAuth2ClusterName, instance),
 		ConnectTimeout: durationpb.New(3 * time.Second),
 		ClusterDiscoveryType: &clusterv3.Cluster_Type{
 			Type: clusterv3.Cluster_LOGICAL_DNS,