diff --git a/pkg/xds/generator/egress/external_services_generator.go b/pkg/xds/generator/egress/external_services_generator.go
index c4ba2b2f9a66..eeba064c3788 100644
--- a/pkg/xds/generator/egress/external_services_generator.go
+++ b/pkg/xds/generator/egress/external_services_generator.go
@@ -106,7 +106,7 @@ func (*ExternalServicesGenerator) generateCDS(
 		}
 		resources = append(resources, &core_xds.Resource{
-			Name: serviceName,
+			Name: cluster.GetName(),
 			Origin: OriginEgress,
 			Resource: cluster,
 		})
diff --git a/pkg/xds/generator/egress/generator_test.go b/pkg/xds/generator/egress/generator_test.go
index bc8d34f50b19..b673bab8b069 100644
--- a/pkg/xds/generator/egress/generator_test.go
+++ b/pkg/xds/generator/egress/generator_test.go
@@ -19,6 +19,7 @@ import (
 	meshhttproute_api "github.com/kumahq/kuma/pkg/plugins/policies/meshhttproute/api/v1alpha1"
 	. "github.com/kumahq/kuma/pkg/test/matchers"
 	"github.com/kumahq/kuma/pkg/test/xds"
+	"github.com/kumahq/kuma/pkg/util/maps"
 	util_proto "github.com/kumahq/kuma/pkg/util/proto"
 	xds_context "github.com/kumahq/kuma/pkg/xds/context"
 	envoy_common "github.com/kumahq/kuma/pkg/xds/envoy"
@@ -150,8 +151,8 @@ var _ = Describe("EgressGenerator", func() {
 			}
 			var meshResourcesList []*core_xds.MeshResources
-			for _, meshResources := range meshResourcesMap {
-				meshResourcesList = append(meshResourcesList, meshResources)
+			for _, meshName := range maps.SortedKeys(meshResourcesMap) {
+				meshResourcesList = append(meshResourcesList, meshResourcesMap[meshName])
 			}
 			proxy := &core_xds.Proxy{
@@ -216,5 +217,9 @@ var _ = Describe("EgressGenerator", func() {
 				fileWithResourcesName: "subsets-with-meshhttproute.yaml",
 				expected: "subsets-with-meshhttproute.golden.yaml",
 			}),
+			Entry("same kuma.io/service", testCase{
+				fileWithResourcesName: "same-kuma-io-service.yaml",
+				expected: "same-kuma-io-service.golden.yaml",
+			}),
 		)
 	})
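Review bot: The mesh-2 filter chain in the new same-kuma-io-service.golden.yaml carries an RBAC policy named `allow-all-traffic-1`, which is mesh-1's TrafficPermission, although the fixture defines `allow-all-traffic-2` for mesh-2, so the same `kuma.io/service` collision this hunk fixes for cluster names appears to survive in the permission lookup that feeds the egress RBAC filter. If that lookup is keyed by service name alone rather than by mesh and service, a mesh with a restrictive TrafficPermission could be served another mesh's permissive one at the egress, which is a cross-mesh authorization issue rather than a naming one; the fixture cannot detect it because both meshes use identical allow-all rules, so giving mesh-2 a restrictive rule such as `kuma.io/service: client-2` under `sources` would make the golden distinguish the two policies. At the append site a short why-comment would also help future readers, e.g. `// cluster.GetName() is mesh-qualified; the raw serviceName collides across meshes`. generateCDS starts and ends outside the hunk.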
diff --git a/pkg/xds/generator/egress/testdata/01.externalservice-only.golden.yaml b/pkg/xds/generator/egress/testdata/01.externalservice-only.golden.yaml
index 5879416bba28..135c83448ac2 100644
--- a/pkg/xds/generator/egress/testdata/01.externalservice-only.golden.yaml
+++ b/pkg/xds/generator/egress/testdata/01.externalservice-only.golden.yaml
@@ -1,5 +1,5 @@
 resources:
-- name: externalservice-1
+- name: mesh-1:externalservice-1
   resource:
     '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
     altStatName: mesh-1_externalservice-1
diff --git a/pkg/xds/generator/egress/testdata/03.mixed-services.golden.yaml b/pkg/xds/generator/egress/testdata/03.mixed-services.golden.yaml
index 270b5ecb99ae..ca0eea4a7c0b 100644
--- a/pkg/xds/generator/egress/testdata/03.mixed-services.golden.yaml
+++ b/pkg/xds/generator/egress/testdata/03.mixed-services.golden.yaml
@@ -1,5 +1,5 @@
 resources:
-- name: externalservice-1
+- name: mesh-1:externalservice-1
   resource:
     '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
     altStatName: mesh-1_externalservice-1
@@ -30,7 +30,7 @@ resources:
         '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
         explicitHttpConfig:
           httpProtocolOptions: {}
-- name: externalservice-2
+- name: mesh-1:externalservice-2
   resource:
     '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
     altStatName: mesh-1_externalservice-2
diff --git a/pkg/xds/generator/egress/testdata/04.mixed-services-custom-trafficroute.golden.yaml b/pkg/xds/generator/egress/testdata/04.mixed-services-custom-trafficroute.golden.yaml
index 538dc58d50bc..39d8bc631f4b 100644
--- a/pkg/xds/generator/egress/testdata/04.mixed-services-custom-trafficroute.golden.yaml
+++ b/pkg/xds/generator/egress/testdata/04.mixed-services-custom-trafficroute.golden.yaml
@@ -1,5 +1,5 @@
 resources:
-- name: externalservice-1
+- name: mesh-1:externalservice-1
   resource:
     '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
     altStatName: mesh-1_externalservice-1
@@ -30,7 +30,7 @@ resources:
         '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
         explicitHttpConfig:
           httpProtocolOptions: {}
-- name: externalservice-2
+- name: mesh-1:externalservice-2
   resource:
     '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
     altStatName: mesh-1_externalservice-2
diff --git a/pkg/xds/generator/egress/testdata/05.mixed-services-with-custom-trafficpermissions.golden.yaml b/pkg/xds/generator/egress/testdata/05.mixed-services-with-custom-trafficpermissions.golden.yaml
index 98abc3f1846f..a30917974090 100644
--- a/pkg/xds/generator/egress/testdata/05.mixed-services-with-custom-trafficpermissions.golden.yaml
+++ b/pkg/xds/generator/egress/testdata/05.mixed-services-with-custom-trafficpermissions.golden.yaml
@@ -1,5 +1,5 @@
 resources:
-- name: externalservice-1
+- name: mesh-1:externalservice-1
   resource:
     '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
     altStatName: mesh-1_externalservice-1
@@ -30,7 +30,7 @@ resources:
         '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
         explicitHttpConfig:
           httpProtocolOptions: {}
-- name: externalservice-2
+- name: mesh-1:externalservice-2
   resource:
     '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
     altStatName: mesh-1_externalservice-2
diff --git a/pkg/xds/generator/egress/testdata/06.mixed-services-with-external-in-other-zone.golden.yaml b/pkg/xds/generator/egress/testdata/06.mixed-services-with-external-in-other-zone.golden.yaml
index e13edcd4b1ee..43d065bf2c5f 100644
--- a/pkg/xds/generator/egress/testdata/06.mixed-services-with-external-in-other-zone.golden.yaml
+++ b/pkg/xds/generator/egress/testdata/06.mixed-services-with-external-in-other-zone.golden.yaml
@@ -1,5 +1,5 @@
 resources:
-- name: externalservice-1
+- name: mesh-1:externalservice-1
   resource:
     '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
     altStatName: mesh-1_externalservice-1
diff --git a/pkg/xds/generator/egress/testdata/input/same-kuma-io-service.yaml b/pkg/xds/generator/egress/testdata/input/same-kuma-io-service.yaml
new file mode 100644
index 000000000000..03b637819e34
--- /dev/null
+++ b/pkg/xds/generator/egress/testdata/input/same-kuma-io-service.yaml
@@ -0,0 +1,90 @@
+type: ZoneEgress
+name: zoneegress-1
+zone: zone-1
+networking:
+  address: 192.168.0.1
+  port: 10002
+---
+type: Mesh
+name: mesh-1
+mtls:
+  enabledBackend: ca-1
+  backends:
+    - name: ca-1
+      type: builtin
+---
+type: TrafficPermission
+name: allow-all-traffic-1
+mesh: mesh-1
+sources:
+  - match:
+      kuma.io/service: '*'
+destinations:
+  - match:
+      kuma.io/service: '*'
+---
+type: TrafficRoute
+name: trafficroute-1
+mesh: mesh-1
+sources:
+  - match:
+      kuma.io/service: "*"
+destinations:
+  - match:
+      kuma.io/service: "*"
+conf:
+  loadBalancer:
+    roundRobin: {}
+  destination:
+    kuma.io/service: "*"
+---
+type: ExternalService
+name: externalservice-1
+mesh: mesh-1
+tags:
+  kuma.io/service: externalservice # same kuma.io/service
+  kuma.io/protocol: http
+networking:
+  address: kuma.io:80
+---
+type: Mesh
+name: mesh-2
+mtls:
+  enabledBackend: ca-1
+  backends:
+    - name: ca-1
+      type: builtin
+---
+type: TrafficPermission
+name: allow-all-traffic-2
+mesh: mesh-2
+sources:
+  - match:
+      kuma.io/service: '*'
+destinations:
+  - match:
+      kuma.io/service: '*'
+---
+type: TrafficRoute
+name: trafficroute-2
+mesh: mesh-2
+sources:
+  - match:
+      kuma.io/service: "*"
+destinations:
+  - match:
+      kuma.io/service: "*"
+conf:
+  loadBalancer:
+    roundRobin: {}
+  destination:
+    kuma.io/service: "*"
+---
+type: ExternalService
+name: externalservice-2
+mesh: mesh-2
+tags:
+  kuma.io/service: externalservice # same kuma.io/service
+  kuma.io/protocol: http
+networking:
+  address: kuma.io:80
diff --git a/pkg/xds/generator/egress/testdata/same-kuma-io-service.golden.yaml b/pkg/xds/generator/egress/testdata/same-kuma-io-service.golden.yaml
new file mode 100644
index 000000000000..8cadb936ad49
--- /dev/null
+++ b/pkg/xds/generator/egress/testdata/same-kuma-io-service.golden.yaml
@@ -0,0 +1,230 @@
+resources:
+- name: mesh-1:externalservice
+  resource:
+    '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    altStatName: mesh-1_externalservice
+    connectTimeout: 10s
+    dnsLookupFamily: V4_ONLY
+    loadAssignment:
+      clusterName: mesh-1:externalservice
+      endpoints:
+      - lbEndpoints:
+        - endpoint:
+            address:
+              socketAddress:
+                address: kuma.io
+                portValue: 80
+          loadBalancingWeight: 1
+          metadata:
+            filterMetadata:
+              envoy.lb:
+                kuma.io/protocol: http
+                mesh: mesh-1
+              envoy.transport_socket_match:
+                kuma.io/protocol: http
+                mesh: mesh-1
+    name: mesh-1:externalservice
+    type: STRICT_DNS
+    typedExtensionProtocolOptions:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+        explicitHttpConfig:
+          httpProtocolOptions: {}
+- name: mesh-2:externalservice
+  resource:
+    '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    altStatName: mesh-2_externalservice
+    connectTimeout: 10s
+    dnsLookupFamily: V4_ONLY
+    loadAssignment:
+      clusterName: mesh-2:externalservice
+      endpoints:
+      - lbEndpoints:
+        - endpoint:
+            address:
+              socketAddress:
+                address: kuma.io
+                portValue: 80
+          loadBalancingWeight: 1
+          metadata:
+            filterMetadata:
+              envoy.lb:
+                kuma.io/protocol: http
+                mesh: mesh-2
+              envoy.transport_socket_match:
+                kuma.io/protocol: http
+                mesh: mesh-2
+    name: mesh-2:externalservice
+    type: STRICT_DNS
+    typedExtensionProtocolOptions:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+        explicitHttpConfig:
+          httpProtocolOptions: {}
+- name: inbound:192.168.0.1:10002
+  resource:
+    '@type': type.googleapis.com/envoy.config.listener.v3.Listener
+    address:
+      socketAddress:
+        address: 192.168.0.1
+        portValue: 10002
+    enableReusePort: false
+    filterChains:
+    - filterChainMatch:
+        serverNames:
+        - externalservice{mesh=mesh-1}
+        transportProtocol: tls
+      filters:
+      - name: envoy.filters.network.rbac
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
+          rules:
+            policies:
+              allow-all-traffic-1:
+                permissions:
+                - any: true
+                principals:
+                - any: true
+          statPrefix: externalservice.
+      - name: envoy.filters.network.http_connection_manager
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          httpFilters:
+          - name: envoy.filters.http.router
+            typedConfig:
+              '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+          routeConfig:
+            name: outbound:externalservice
+            validateClusters: false
+            virtualHosts:
+            - domains:
+              - '*'
+              name: externalservice
+              routes:
+              - match:
+                  prefix: /
+                route:
+                  cluster: mesh-1:externalservice
+                  timeout: 0s
+          statPrefix: externalservice
+      name: externalservice_mesh-1
+      transportSocket:
+        name: envoy.transport_sockets.tls
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+          commonTlsContext:
+            combinedValidationContext:
+              defaultValidationContext:
+                matchTypedSubjectAltNames:
+                - matcher:
+                    prefix: spiffe://mesh-1/
+                  sanType: URI
+              validationContextSdsSecretConfig:
+                name: mesh_ca:secret:mesh-1
+                sdsConfig:
+                  ads: {}
+                  resourceApiVersion: V3
+            tlsCertificateSdsSecretConfigs:
+            - name: identity_cert:secret:mesh-1
+              sdsConfig:
+                ads: {}
+                resourceApiVersion: V3
+          requireClientCertificate: true
+    - filterChainMatch:
+        serverNames:
+        - externalservice{mesh=mesh-2}
+        transportProtocol: tls
+      filters:
+      - name: envoy.filters.network.rbac
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
+          rules:
+            policies:
+              allow-all-traffic-1:
+                permissions:
+                - any: true
+                principals:
+                - any: true
+          statPrefix: externalservice.
+      - name: envoy.filters.network.http_connection_manager
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          httpFilters:
+          - name: envoy.filters.http.router
+            typedConfig:
+              '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+          routeConfig:
+            name: outbound:externalservice
+            validateClusters: false
+            virtualHosts:
+            - domains:
+              - '*'
+              name: externalservice
+              routes:
+              - match:
+                  prefix: /
+                route:
+                  cluster: mesh-2:externalservice
+                  timeout: 0s
+          statPrefix: externalservice
+      name: externalservice_mesh-2
+      transportSocket:
+        name: envoy.transport_sockets.tls
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+          commonTlsContext:
+            combinedValidationContext:
+              defaultValidationContext:
+                matchTypedSubjectAltNames:
+                - matcher:
+                    prefix: spiffe://mesh-2/
+                  sanType: URI
+              validationContextSdsSecretConfig:
+                name: mesh_ca:secret:mesh-2
+                sdsConfig:
+                  ads: {}
+                  resourceApiVersion: V3
+            tlsCertificateSdsSecretConfigs:
+            - name: identity_cert:secret:mesh-2
+              sdsConfig:
+                ads: {}
+                resourceApiVersion: V3
+          requireClientCertificate: true
+    listenerFilters:
+    - name: envoy.filters.listener.tls_inspector
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
+    name: inbound:192.168.0.1:10002
+    trafficDirection: INBOUND
+- name: identity_cert:secret:mesh-1
+  resource:
+    '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
+    name: identity_cert:secret:mesh-1
+    tlsCertificate:
+      certificateChain:
+        inlineBytes: Q0VSVA==
+      privateKey:
+        inlineBytes: S0VZ
+- name: identity_cert:secret:mesh-2
+  resource:
+    '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
+    name: identity_cert:secret:mesh-2
+    tlsCertificate:
+      certificateChain:
+        inlineBytes: Q0VSVA==
+      privateKey:
+        inlineBytes: S0VZ
+- name: mesh_ca:secret:mesh-1
+  resource:
+    '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
+    name: mesh_ca:secret:mesh-1
+    validationContext:
+      trustedCa:
+        inlineBytes: Q0E=
+- name: mesh_ca:secret:mesh-2
+  resource:
+    '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
+    name: mesh_ca:secret:mesh-2
+    validationContext:
+      trustedCa:
+        inlineBytes: Q0E=