Skip to content

fix: SecurityPolicy reference grant #5792

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

fix: SecurityPolicy reference grant #5792

wants to merge 9 commits into from
+688 −293

Conversation

kkk777-7
Copy link

What this PR does / why we need it:
Fix reference grant from SecurityPolicy to referenced remoteJWKS backend not respected.

Which issue(s) this PR fixes:

Fixes #5743

Release Notes: Yes

@kkk777-7 kkk777-7 requested a review from a team as a code owner April 22, 2025 16:53
@arkodg arkodg requested review from zhaohuabing and guydc April 22, 2025 16:55
@codecov Codecov
Copy link

codecov bot commented Apr 23, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 68.45238% with 53 lines in your changes missing coverage. Please review.

Project coverage is 65.72%. Comparing base (096cb8d) to head (d0fbe14).
Report is 51 commits behind head on main.

Files with missing lines Patch % Lines
internal/provider/kubernetes/routes.go 63.63% 18 Missing and 6 partials ⚠️
internal/provider/kubernetes/controller.go 77.92% 17 Missing ⚠️
internal/provider/kubernetes/indexers.go 52.00% 9 Missing and 3 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #5792      +/-   ##
==========================================
+ Coverage   65.19%   65.72%   +0.52%     
==========================================
  Files         214      220       +6     
  Lines       34321    35101     +780     
==========================================
+ Hits        22377    23070     +693     
- Misses      10591    10611      +20     
- Partials     1353     1420      +67

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@kkk777-7
Copy link
Author

/retest

zhaohuabing
zhaohuabing previously approved these changes Apr 23, 2025
View reviewed changes
Copy link
Member

@zhaohuabing zhaohuabing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks!

@zhaohuabing
Copy link
Member

@kkk777-7 Sorry for the extra churn, but could we reuse the processNonRouteBackendRef for handling route backends in the routes.go as well?

If yes, it should be renamed back to processBackendRef.

@kkk777-7
revert func name
25ad110 
Signed-off-by: kkk777-7 <[email protected]>
@kkk777-7
Copy link
Author

@zhaohuabing
I have overlooked routes.go, thanks for letting me know!
You are right, so I reverted the function name.

Would it be better to replace routes.go in this PR?

@zhaohuabing
Copy link
Member

@zhaohuabing I have overlooked routes.go, thanks for letting me know! You are right, so I reverted the function name.

Would it be better to replace routes.go in this PR?

Yes, please also use processBackendRef to handle route backends in this PR. Thanks!

@kkk777-7
Copy link
Author

@zhaohuabing
I’ve updated it to use processBackendRef to handle the route backends.
When you get a chance, please review it.

zhaohuabing
zhaohuabing previously approved these changes Apr 24, 2025
View reviewed changes
Copy link
Member

@zhaohuabing zhaohuabing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks!

shawnh2
shawnh2 reviewed Apr 26, 2025
View reviewed changes
internal/provider/kubernetes/controller.go
"name", refGrant.Name)
}
}
if err := r.processBackendRef(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you also add a testcase for ExtAuth in TestProcessSecurityPolicyObjectRefs ? TIA

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added by the following commit.
b6f83df

internal/provider/kubernetes/controller.go Outdated
resource.KindSecurityPolicy,
policy.Namespace,
policy.Name,
*backendRef); err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

may panic here if backendRef is a nil pointer, can you also add a testcase to verify this? and should not call processBackendRef anymore if backendRef is a nil pointer.

Copy link
Author

@kkk777-7 kkk777-7 Apr 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for review!
You're right. I have fixed the logic where the variable is defined before calling processBackendRef.
6bb7c7d

internal/provider/kubernetes/controller.go
ownerKind string,
ownerNS string,
ownerName string,
backendRef gwapiv1.BackendObjectReference,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would a pointer type be better? in this way, can directly return if backendRef is a nil pointer.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for comment, You're right.

In this case, only the mentioned situation above pass pointer type to function.
In most cases, gwapiv1.BackendObjectReference type is passed to function.

e.g. routes.go

gateway/internal/provider/kubernetes/routes.go

Lines 237 to 253 in d0fbe14

for _, backendRef := range rule.BackendRefs {
if err := validateBackendRef(&backendRef.BackendRef); err != nil {
r.log.Error(err, "invalid backendRef")
continue
}
if err := r.processBackendRef(
ctx,
resourceMap,
resourceTree,
resource.KindHTTPRoute,
httpRoute.Namespace,
httpRoute.Name,
backendRef.BackendObjectReference); err != nil {
r.log.Error(err,
"failed to process BackendRef for HTTPRoute",
"httpRoute", httpRoute, "backendRef", backendRef.BackendObjectReference)
}

https://github.com/kubernetes-sigs/gateway-api/blob/main/apis/v1/shared_types.go#L264-L287

so, fixed in the following commit.
6bb7c7d

internal/provider/kubernetes/controller_test.go Outdated
@@ -450,3 +589,19 @@ func TestProcessEnvoyExtensionPolicyObjectRefs(t *testing.T) {
})
}
}

func setupFakeReconciler(objs []client.Object) *gatewayAPIReconciler {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: about naming here, prefer setupReferenceGrantReconciler, since it's just for ReferenceGrant.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for review, I've renamed setupReferenceGrantReconciler.

@kkk777-7
Copy link
Author

@zhaohuabing @shawnh2
Sorry, I missed the following fix earlier, so I have added it now. Please review it when you have a moment.
d0fbe14

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shawnh2 shawnh2 shawnh2 left review comments

@zhaohuabing zhaohuabing zhaohuabing left review comments

@guydc guydc Awaiting requested review from guydc

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Referencegrant support for backendref(s) in other namespaces than securitypolicy referencing them
3 participants
@kkk777-7 @zhaohuabing @shawnh2