feat: support section name in policies, and add tests for all attachment types. #11272
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
updated outputs to what i think is the correct output (not current output) current failing: - for section name http1, the config needs to be disabled on the listener and enabled on the virtualHost. - section-name-gw-extauth should not be present on tls2 filter chain Signed-off-by: Yuval Kohavi <[email protected]>
github-actions
bot
added
do-not-merge/kind-invalid
Signed-off-by: Yuval Kohavi <[email protected]>
Signed-off-by: Yuval Kohavi <[email protected]>
Signed-off-by: Yuval Kohavi <[email protected]>
There was a problem hiding this comment.
Pull Request Overview
This PR adds edge-case tests for ext-auth policies and enhances policy targeting by introducing section names, updating how filters are attached per filter chain.
- Add a new test entry for TrafficPolicy edge cases in gateway translator tests
- Extend data structures and logic to carry and match
SectionNamefor policy attachments - Refactor
trafficPolicyPluginGwPassto track per-filter-chain state and disable/enable filters accordingly
Reviewed Changes
Copilot reviewed 55 out of 55 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| internal/kgateway/translator/gateway/gateway_translator_test.go | Added table entry for TrafficPolicy edge cases |
| internal/kgateway/setup/testdata/standard/*.yaml | Updated expected YAML to include disabled: true and typedPerFilterConfig per chain |
| internal/kgateway/query/httproute.go | Extended UniqueRouteName to accept an optional ruleName |
| internal/kgateway/krtcollections/policy.go | Incorporated SectionName in targetRefs indexing and lookup |
| internal/kgateway/extensions2/pluginutils/policy.go | Propagate SectionName into IR conversion |
| internal/kgateway/extensions2/plugins/trafficpolicy/traffic_policy_plugin.go | Refactored to use maps keyed by filter-chain and track per-chain provider state |
| internal/kgateway/extensions2/plugins/trafficpolicy/extauth_policy_test.go | Updated tests to supply FilterChainName context |
| install/helm/kgateway-crds/templates/*.yaml | Added sectionName field in CRD schemas |
| api/v1alpha1/*.go | Added SectionName to API types and updated deep copy methods |
| api/applyconfiguration/*.go | Added SectionName in apply configurations |
Comments suppressed due to low confidence (3)
internal/kgateway/extensions2/plugins/trafficpolicy/traffic_policy_plugin.go:261
- [nitpick] The name
ProviderNeededMapis generic. Consider renaming it to something more descriptive, e.g.FilterChainProviderMap, to clarify its purpose.
type ProviderNeededMap struct {
internal/kgateway/extensions2/plugins/trafficpolicy/traffic_policy_plugin.go:507
- [nitpick] The plugin name returned is
routepoliciesbut this extension now handles a broader traffic policy. Consider updating it totrafficpoliciesto reflect its intent and avoid confusion.
func (p *TrafficPolicy) Name() string {
internal/kgateway/query/httproute.go:103
- The signature of
UniqueRouteNamenow takes an extraruleNameargument. Consider adding unit tests for whenruleNameis non-empty to cover the new branch.
func (r *RouteInfo) UniqueRouteName(ruleIdx, matchIdx int, ruleName string) string {
internal/kgateway/extensions2/plugins/trafficpolicy/traffic_policy_plugin.go
Outdated
Show resolved
Hide resolved
yaml updates Signed-off-by: Yuval Kohavi <[email protected]>
Signed-off-by: Yuval Kohavi <[email protected]>
yuval-k
added
the
work in progress
|
i noticed some multi listener tests are flakey due to ordering; i'll fix that; but otherwise ready for review |
Signed-off-by: Yuval Kohavi <[email protected]>
yuval-k
removed
the
work in progress
lgadban
reviewed
May 22, 2025
yuval-k
changed the title
shashankram
reviewed
May 22, 2025
Comment on lines
41
to
44
| attachedPoliciesSlice := []ir.AttachedPolicies{ | ||
| h.gw.AttachedHttpPolicies, | ||
| h.attachedPolicies, | ||
| } |
There was a problem hiding this comment.
Could you pre-merge the policies per GK here so that it is easier to invoke a Merge() on them within the loop
attachedPolicies := ir.AttachedPolicies{
Policies: map[schema.GroupKind][]ir.PolicyAtt{},
}
attachedHttpPolicies.Append(h.gw.AttachedHttpPolicies, h.attachedPolicies)
| // TODO: user error - they attached a non http policy | ||
| continue | ||
| } | ||
| for _, pol := range pols { |
There was a problem hiding this comment.
Do you need to MergePolicies when pass.MergePolicies != nil?
Signed-off-by: Yuval Kohavi <[email protected]>
Signed-off-by: Yuval Kohavi <[email protected]>
Signed-off-by: Yuval Kohavi <[email protected]>
…is if we like these merge semantics Signed-off-by: Yuval Kohavi <[email protected]>
Signed-off-by: Yuval Kohavi <[email protected]>
shashankram
reviewed
May 22, 2025
internal/kgateway/setup/testdata/standard/extauth-gw-and-route-disable-out.yaml
Show resolved
Hide resolved
shashankram
reviewed
May 22, 2025
internal/kgateway/translator/gateway/testutils/outputs/delegation/traffic_policy.yaml
Show resolved
Hide resolved
shashankram
approved these changes
May 22, 2025
Signed-off-by: Yuval Kohavi <[email protected]>
shashankram
approved these changes
May 22, 2025
github-merge-queue bot
pushed a commit
that referenced
this pull request
May 22, 2025
…ent types. (#11272) Signed-off-by: Yuval Kohavi <[email protected]>
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
MayorFaj
pushed a commit
to MayorFaj/kgateway
that referenced
this pull request
May 25, 2025
…ent types. (kgateway-dev#11272) Signed-off-by: Yuval Kohavi <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Handle attachment edge cases, and allow policies to target section names.
Change Type
Changelog
Additional Notes
Behavior after this PR:
Main implication is that HCM plugins can't attach to http plain text listeners by section name, because the http filter chain is shared. (But does work on tls).
Option to address this is to remove section name from the http listener policy.
Additional changes
getTargetingPoliciesto not return policies without a section name when a section name is requested. instead we use envoy's hierarchy to get the same data plane behaviour.