Add ext-auth edge cases test case

updated outputs to what i think is the correct output (not current output)
current failing:
- for section name http1, the config needs to be disabled on the listener and enabled on the virtualHost.
- section-name-gw-extauth should not be present on tls2 filter chain

Signed-off-by: Yuval Kohavi <[email protected]>

Author: yuval-k

api/v1alpha1/shared_types.go

@@ -19,6 +19,10 @@ type LocalPolicyTargetReference struct {
 
 	// The name of the target resource.
 	Name gwv1.ObjectName `json:"name"`
+
+	// The section name of the target resource.
+	// +optional
+	SectionName *gwv1.SectionName `json:"sectionName,omitempty"`
 }
 
 // Select the object to attach the policy by Group, Kind, and its labels.

internal/kgateway/extensions2/plugins/trafficpolicy/traffic_policy_plugin.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/kgateway-dev/kgateway/v2/api/v1alpha1"
 	"github.com/kgateway-dev/kgateway/v2/internal/kgateway/ir"
+	"k8s.io/utils/ptr"
 )
 
 func TargetRefsToPolicyRefs(
@@ -14,9 +15,10 @@ func TargetRefsToPolicyRefs(
 	refs := make([]ir.PolicyRef, 0, len(targetRefs)+len(targetSelectors))
 	for _, targetRef := range targetRefs {
 		refs = append(refs, ir.PolicyRef{
-			Group: string(targetRef.Group),
-			Kind:  string(targetRef.Kind),
-			Name:  string(targetRef.Name),
+			Group:       string(targetRef.Group),
+			Kind:        string(targetRef.Kind),
+			Name:        string(targetRef.Name),
+			SectionName: string(ptr.Deref(targetRef.SectionName, "")),
 		})
 	}
 	for _, targetSelector := range targetSelectors {

internal/kgateway/extensions2/pluginutils/policy.go

@@ -305,12 +305,12 @@ type targetRefIndexKey struct {
 	Group       string
 	Kind        string
 	Name        string
-	SectionName string
 	Namespace   string
+	SectionName string
 }
 
 func (k targetRefIndexKey) String() string {
-	return fmt.Sprintf("%s/%s/%s/%s", k.Group, k.Kind, k.Name, k.Namespace)
+	return fmt.Sprintf("%s/%s/%s/%s/%s", k.Group, k.Kind, k.Name, k.Namespace, k.SectionName)
 }
 
 // HTTPRouteSelector is used to lookup HttpRouteIR using one of the following ways:
@@ -529,52 +529,31 @@ func (p *PolicyIndex) getTargetingPoliciesMaybeForBackends(
 
 	// no need for ref grants here as target refs are namespace local
 	refIndexKey := targetRefIndexKey{
-		Group:     targetRef.Group,
-		Kind:      targetRef.Kind,
-		Name:      targetRef.Name,
-		Namespace: targetRef.Namespace,
+		Group:       targetRef.Group,
+		Kind:        targetRef.Kind,
+		Name:        targetRef.Name,
+		Namespace:   targetRef.Namespace,
+		SectionName: sectionName,
 	}
+
 	policies := p.fetchByTargetRef(kctx, refIndexKey, onlyBackends)
-	var sectionNamePolicies []ir.PolicyWrapper
-	if sectionName != "" {
-		refIndexKey.SectionName = sectionName
-		sectionNamePolicies = p.fetchByTargetRef(kctx, refIndexKey, onlyBackends)
-	}
 	// Lookup policies that select targetLabels
 	if len(targetLabels) > 0 {
 		refIndexKeyByNamespace := targetRefIndexKey{
-			Group:     targetRef.Group,
-			Kind:      targetRef.Kind,
-			Namespace: targetRef.Namespace,
+			Group:       targetRef.Group,
+			Kind:        targetRef.Kind,
+			Namespace:   targetRef.Namespace,
+			SectionName: sectionName,
 		}
 		policiesByLabel := p.fetchByTargetRefLabels(kctx, refIndexKeyByNamespace, onlyBackends, targetLabels)
 		policies = append(policies, policiesByLabel...)
-		var sectionNamePoliciesByLabel []ir.PolicyWrapper
-		if sectionName != "" {
-			refIndexKeyByNamespace.SectionName = sectionName
-			sectionNamePoliciesByLabel = p.fetchByTargetRefLabels(kctx, refIndexKeyByNamespace, onlyBackends, targetLabels)
-		}
-		sectionNamePolicies = append(sectionNamePolicies, sectionNamePoliciesByLabel...)
 	}
 
 	for _, p := range policies {
 		ret = append(ret, ir.PolicyAtt{
 			Generation: p.Policy.GetGeneration(),
 			GroupKind:  p.GetGroupKind(),
 			PolicyIr:   p.PolicyIR,
-			PolicyRef: &ir.AttachedPolicyRef{
-				Group:     p.Group,
-				Kind:      p.Kind,
-				Name:      p.Name,
-				Namespace: p.Namespace,
-			},
-			Errors: p.Errors,
-		})
-	}
-	for _, p := range sectionNamePolicies {
-		ret = append(ret, ir.PolicyAtt{
-			GroupKind: p.GetGroupKind(),
-			PolicyIr:  p.PolicyIR,
 			PolicyRef: &ir.AttachedPolicyRef{
 				Group:       p.Group,
 				Kind:        p.Kind,
@@ -585,6 +564,7 @@ func (p *PolicyIndex) getTargetingPoliciesMaybeForBackends(
 			Errors: p.Errors,
 		})
 	}
+
 	slices.SortFunc(ret, func(a, b ir.PolicyAtt) int {
 		return a.PolicyIr.CreationTime().Compare(b.PolicyIr.CreationTime())
 	})

internal/kgateway/krtcollections/policy.go

@@ -100,8 +100,11 @@ func (r *RouteInfo) Clone() *RouteInfo {
 
 // UniqueRouteName returns a unique name for the route based on the route kind, name, namespace,
 // and the given indexes.
-func (r *RouteInfo) UniqueRouteName(ruleIdx, matchIdx int) string {
-	return fmt.Sprintf("%s-%s-%s-%d-%d", strings.ToLower(r.GetKind()), r.GetName(), r.GetNamespace(), ruleIdx, matchIdx)
+func (r *RouteInfo) UniqueRouteName(ruleIdx, matchIdx int, ruleName string) string {
+	if ruleName == "" {
+		return fmt.Sprintf("%s-%s-%s-%d-%d", strings.ToLower(r.GetKind()), r.GetName(), r.GetNamespace(), ruleIdx, matchIdx)
+	}
+	return fmt.Sprintf("%s-%s-%s-%d-%d-%s", strings.ToLower(r.GetKind()), r.GetName(), r.GetNamespace(), ruleIdx, matchIdx, ruleName)
 }
 
 // GetRouteChain recursively resolves all backends for the given route object.

internal/kgateway/query/httproute.go

@@ -219,6 +219,16 @@ var _ = DescribeTable("Basic GatewayTranslator Tests",
 				}
 			},
 		}),
+	Entry(
+		"TrafficPolicy edge cases",
+		translatorTestCase{
+			inputFile:  "traffic-policy/extauth.yaml",
+			outputFile: "traffic-policy/extauth.yaml",
+			gwNN: types.NamespacedName{
+				Namespace: "infra",
+				Name:      "example-gateway",
+			},
+		}),
 	Entry(
 		"tcp gateway with basic routing",
 		translatorTestCase{