From 7cf7f423da4a9fd164b29e7cf2c12779dd8fcf91 Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 14 Jun 2025 06:06:00 +0800 Subject: [PATCH 1/2] bugfix: BackendTlsPolicy should not reference across namespace Signed-off-by: zirain --- internal/gatewayapi/backendtlspolicy.go | 50 ++++++++++-------- .../backend-with-skip-tls-verify.in.yaml | 2 +- .../backendtlspolicy-ca-only-secret.in.yaml | 2 +- ...with-extproc-with-backendtlspolicy.in.yaml | 2 +- ...ith-extproc-with-backendtlspolicy.out.yaml | 51 ++++++++++++------- ...-extproc-with-multiple-backendrefs.in.yaml | 2 +- ...with-extproc-with-traffic-features.in.yaml | 2 +- .../envoyproxy-priority-backend.in.yaml | 2 +- .../httproute-dynamic-resolver.in.yaml | 2 +- ...with-extauth-with-backendtlspolicy.in.yaml | 26 ++++++++++ release-notes/current.yaml | 1 + 11 files changed, 94 insertions(+), 48 deletions(-) diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go index 123904c467..b9ca0bf87a 100644 --- a/internal/gatewayapi/backendtlspolicy.go +++ b/internal/gatewayapi/backendtlspolicy.go @@ -21,6 +21,10 @@ import ( "github.com/envoyproxy/gateway/internal/ir" ) +const ( + caCertsKey = "ca.crt" +) + func (t *Translator) applyBackendTLSSetting( backendRef gwapiv1.BackendObjectReference, backendNamespace string, @@ -112,7 +116,7 @@ func (t *Translator) processDynamicResolverBackendTLSConfig( Name: fmt.Sprintf("%s/%s-ca", backend.Name, backend.Namespace), } } else { - caCert, err := getCaCertsFromCARefs(backend.Spec.TLS.CACertificateRefs, resources) + caCert, err := getCaCertsFromCARefs(backend.Namespace, backend.Spec.TLS.CACertificateRefs, resources) if err != nil { return nil, err } 
@@ -271,7 +275,7 @@ func getBackendTLSBundle(backendTLSPolicy *gwapiv1a3.BackendTLSPolicy, resources return tlsBundle, nil } - caCert, err := getCaCertsFromCARefs(backendTLSPolicy.Spec.Validation.CACertificateRefs, resources) + caCert, err := getCaCertsFromCARefs(backendTLSPolicy.Namespace, backendTLSPolicy.Spec.Validation.CACertificateRefs, resources) if err != nil { return nil, err } 
@@ -282,43 +286,45 @@ func getBackendTLSBundle(backendTLSPolicy *gwapiv1a3.BackendTLSPolicy, resources return tlsBundle, nil } -func getCaCertsFromCARefs(caCertificates []gwapiv1.LocalObjectReference, resources *resource.Resources) ([]byte, error) { +func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObjectReference, resources *resource.Resources) ([]byte, error) { ca := "" for _, caRef := range caCertificates { kind := string(caRef.Kind) switch kind { case resource.KindConfigMap: - for _, cmap := range resources.ConfigMaps { - if cmap.Name == string(caRef.Name) { - if crt, dataOk := cmap.Data["ca.crt"]; dataOk { - if ca != "" { - ca += "\n" - } - ca += crt - } else { - return nil, fmt.Errorf("no ca found in configmap %s", cmap.Name) + cm := resources.GetConfigMap(namespace, string(caRef.Name)) + if cm != nil { + if crt, dataOk := cm.Data[caCertsKey]; dataOk { + if ca != "" { + ca += "\n" } + ca += crt + } else { + return nil, fmt.Errorf("no ca found in configmap %s", cm.Name) } + } else { + return nil, fmt.Errorf("configmap %s not found in namespace %s", caRef.Name, namespace) } case resource.KindSecret: - for _, secret := range resources.Secrets { - if secret.Name == string(caRef.Name) { - if crt, dataOk := secret.Data["ca.crt"]; dataOk { - if ca != "" { - ca += "\n" - } - ca += string(crt) - } else { - return nil, fmt.Errorf("no ca found in secret %s", secret.Name) + secret := resources.GetSecret(namespace, string(caRef.Name)) + if secret != nil { + if crt, dataOk := secret.Data[caCertsKey]; dataOk { + if ca != "" { + ca += "\n" } + ca += string(crt) + } else { + return nil, fmt.Errorf("no ca found in secret %s", secret.Name) } + } else { + return nil, fmt.Errorf("secret %s not found in namespace %s", caRef.Name, namespace) } } } if ca == "" { - return nil, fmt.Errorf("no ca found in referred configmaps") + return nil, fmt.Errorf("no ca found in referred ConfigMap or Secret") } return []byte(ca), nil } 
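Review bot: The `switch kind` in the rewritten getCaCertsFromCARefs still has no `default` branch, so a caCertificateRefs entry with an unsupported Kind is silently skipped; when another ref in the list does resolve, the policy is accepted with a trust bundle that is missing a CA the user asked for, and only an all-unsupported list reaches the final "no ca found" error. Now that unresolvable ConfigMap and Secret refs are rejected explicitly, unknown kinds should be too: `default:` / `return nil, fmt.Errorf("unsupported kind %q for CA certificate reference %s", kind, caRef.Name)`. The lookup also ignores `caRef.Group`, so a ref with a non-core group but Kind Secret would be resolved against the core Secret of that name — either check it or leave a comment that CRD validation is relied on to pin it to the core group. The namespace scoping itself looks right: with `GetConfigMap(namespace, …)` / `GetSecret(namespace, …)` a policy can no longer pick up a same-named CA from another namespace, which the old scan over `resources.ConfigMaps` / `resources.Secrets` allowed.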
diff --git a/internal/gatewayapi/testdata/backend-with-skip-tls-verify.in.yaml b/internal/gatewayapi/testdata/backend-with-skip-tls-verify.in.yaml index 6364d5c63e..8d30e2b1aa 100644 --- a/internal/gatewayapi/testdata/backend-with-skip-tls-verify.in.yaml +++ b/internal/gatewayapi/testdata/backend-with-skip-tls-verify.in.yaml @@ -76,7 +76,7 @@ secrets: kind: Secret metadata: name: ca-secret - namespace: policies + namespace: backends data: ca.crt: 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 diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml index fd4caad15e..b7a7e20a21 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml @@ -94,7 +94,7 @@ secrets: kind: Secret metadata: name: ca-secret - namespace: policies + namespace: backends data: ca.crt: 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 backendTLSPolicies: diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml index c1ab243b13..c1aeda28d8 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml @@ -127,7 +127,7 @@ configMaps: kind: ConfigMap metadata: name: ca-cmap - namespace: default + namespace: envoy-gateway data: ca.crt: | -----BEGIN CERTIFICATE----- diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml index 81d222e0de..d0b17187ee 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml @@ -58,9 +58,9 @@ backendTLSPolicies: namespace: default conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Configmap ca-cmap not found in namespace default. + reason: Invalid + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller envoyExtensionPolicies: @@ -92,9 +92,9 @@ envoyExtensionPolicies: sectionName: http conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: 'ExtProc: configmap ca-cmap not found in namespace default.' + reason: Invalid + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - apiVersion: gateway.envoyproxy.io/v1alpha1 
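Review bot: The expected condition for the BackendTLSPolicy in `default` flips from Accepted to `message: Configmap ca-cmap not found in namespace default.` / `reason: Invalid`, so this fixture no longer exercises the success path for that policy — it became a negative case as a side effect of moving the single `ca-cmap` ConfigMap from `default` to `envoy-gateway` in the matching .in.yaml. If positive coverage for a route-scoped EnvoyExtensionPolicy backed by a BackendTLSPolicy is still wanted, add a second `ca-cmap` ConfigMap in `default` to the input (as the securitypolicy-with-extauth fixture does for `envoy-gateway`) and put the cross-namespace rejection in a dedicated fixture. Otherwise a short comment at the top of the .in.yaml saying the `default` policy is intentionally left unresolvable would stop the next reader from "fixing" the expected output.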
@@ -328,36 +328,49 @@ xdsIR: name: httproute/default/httproute-1/rule/0/backend/0 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 envoyExtensions: extProcs: - - authority: grpc-backend-2.default:9000 + - allowModeOverride: true + authority: grpc-backend.envoy-gateway:8000 destination: metadata: kind: EnvoyExtensionPolicy - name: policy-for-http-route + name: policy-for-gateway namespace: default - name: envoyextensionpolicy/default/policy-for-http-route/extproc/0 + name: envoyextensionpolicy/default/policy-for-gateway/extproc/0 settings: - addressType: IP - endpoints: - - host: 8.8.8.8 - port: 9000 metadata: kind: Service - name: grpc-backend-2 - namespace: default - sectionName: "9000" - name: envoyextensionpolicy/default/policy-for-http-route/extproc/0/backend/0 + name: grpc-backend + namespace: envoy-gateway + sectionName: "8000" + name: envoyextensionpolicy/default/policy-for-gateway/extproc/0/backend/0 protocol: GRPC tls: alpnProtocols: null caCertificate: certificate: 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 - name: policy-btls-grpc-2/default-ca - sni: grpc-backend-2 + name: policy-btls-grpc/envoy-gateway-ca + sni: grpc-backend weight: 1 - name: envoyextensionpolicy/default/policy-for-http-route/extproc/0 + failOpen: true + forwardingMetadataNamespaces: + - envoy.filters.http.ext_authz + messageTimeout: 5s + name: envoyextensionpolicy/default/policy-for-gateway/extproc/0 + receivingMetadataNamespaces: + - envoy.filters.http.my_custom + requestAttributes: + - request.path + requestBodyProcessingMode: Buffered requestHeaderProcessing: true + responseAttributes: + - xds.route_metadata + - connection.requested_server_name + responseBodyProcessingMode: Streamed responseHeaderProcessing: true hostname: www.foo.com isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml index 89be7cac75..b99388294f 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml @@ -129,7 +129,7 @@ configMaps: kind: ConfigMap metadata: name: ca-cmap - namespace: default + namespace: envoy-gateway data: ca.crt: | -----BEGIN CERTIFICATE----- diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml index 30af5a4dbd..614a841e6b 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml @@ -129,7 +129,7 @@ configMaps: kind: ConfigMap metadata: name: ca-cmap - namespace: default + namespace: envoy-gateway data: ca.crt: | -----BEGIN CERTIFICATE----- diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml index 42e46b8990..fb48d771c2 100644 --- a/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml @@ -129,7 +129,7 @@ configMaps: kind: ConfigMap metadata: name: ca-cmap - namespace: default + namespace: envoy-gateway data: ca.crt: | -----BEGIN CERTIFICATE----- diff --git a/internal/gatewayapi/testdata/httproute-dynamic-resolver.in.yaml b/internal/gatewayapi/testdata/httproute-dynamic-resolver.in.yaml index 2e124969fd..13f78a01fe 100644 --- a/internal/gatewayapi/testdata/httproute-dynamic-resolver.in.yaml 
+++ b/internal/gatewayapi/testdata/httproute-dynamic-resolver.in.yaml @@ -77,7 +77,7 @@ configMaps: kind: ConfigMap metadata: name: ca-cmap - namespace: backends + namespace: default data: ca.crt: | -----BEGIN CERTIFICATE----- diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml index abd7ed641b..a019d9118e 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml 
@@ -123,6 +123,32 @@ referenceGrants: - group: "" kind: Service configMaps: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: ca-cmap + namespace: envoy-gateway + data: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL + BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw + MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G + A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc + 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM + yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b + kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU + Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq + ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR + bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48 + 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/ + BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz + 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J + i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE + A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg + d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1 + 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q== + -----END CERTIFICATE----- - apiVersion: v1 kind: ConfigMap metadata: diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 6a7c3024b5..ef4110d1cb 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
@@ -28,6 +28,7 @@ bug fixes: | Fixed issue which UDP listeners were not created in the Envoy proxy config when Gateway was created. Keep ALPN configuration for listeners with overlapping certificates when ALPN is explicitly set in ClientTrafficPolicy. Fixed issue that switch on wrong SubjectAltNameType enum value in BackendTLSPolicy. + Fixed issue that BackendTLSPolicy should not reference ConfigMap or Secret across namespace. # Enhancements that improve performance. performance improvements: | From 67f84b4a3820e6337e8ed8a916a43c4810ce2f1b Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 14 Jun 2025 11:03:00 +0800 Subject: [PATCH 2/2] nit Signed-off-by: zirain --- internal/gatewayapi/backendtlspolicy.go | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go index b9ca0bf87a..8cce36d0fd 100644 --- a/internal/gatewayapi/backendtlspolicy.go +++ b/internal/gatewayapi/backendtlspolicy.go @@ -21,10 +21,6 @@ import ( "github.com/envoyproxy/gateway/internal/ir" ) -const ( - caCertsKey = "ca.crt" -) - func (t *Translator) applyBackendTLSSetting( backendRef gwapiv1.BackendObjectReference, backendNamespace string, @@ -295,7 +291,7 @@ func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObject case resource.KindConfigMap: cm := resources.GetConfigMap(namespace, string(caRef.Name)) if cm != nil { - if crt, dataOk := cm.Data[caCertsKey]; dataOk { + if crt, dataOk := cm.Data[caCertKey]; dataOk { if ca != "" { ca += "\n" } @@ -309,7 +305,7 @@ func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObject case resource.KindSecret: secret := resources.GetSecret(namespace, string(caRef.Name)) if secret != nil { - if crt, dataOk := secret.Data[caCertsKey]; dataOk { + if crt, dataOk := secret.Data[caCertKey]; dataOk { if ca != "" { ca += "\n" }