fix(MeshTrace): don't allow MeshGateway listener selection (#8936)

Signed-off-by: Mike Beaumont <[email protected]>

pkg/plugins/policies/core/matchers/testdata/matchedpolicies/meshgateways/01.golden.yaml

@@ -38,13 +38,6 @@ FromRules:
       name: gateway
       type: MeshAccessLog
     Subset: []
-SingleItemRules:
-  127.0.0.1:8080:
-    Rules: null
-  127.0.0.1:8081:
-    Rules: null
-  127.0.0.1:8082:
-    Rules: null
 ToRules:
   127.0.0.1:8080:
   - Conf:

pkg/plugins/policies/core/matchers/testdata/matchedpolicies/meshgateways/02.golden.yaml

@@ -2,13 +2,6 @@ FromRules:
   127.0.0.1:8080: []
   127.0.0.1:8081: []
   127.0.0.1:8082: []
-SingleItemRules:
-  127.0.0.1:8080:
-    Rules: null
-  127.0.0.1:8081:
-    Rules: null
-  127.0.0.1:8082:
-    Rules: null
 ToRules:
   127.0.0.1:8080:
   - Conf:

pkg/plugins/policies/core/rules/rules.go

@@ -47,9 +47,8 @@ type ToRules struct {
 }
 
 type GatewayRules struct {
-	ToRules         map[InboundListener]Rules
-	FromRules       map[InboundListener]Rules
-	SingleItemRules map[InboundListener]SingleItemRules
+	ToRules   map[InboundListener]Rules
+	FromRules map[InboundListener]Rules
 }
 
 type SingleItemRules struct {
@@ -262,7 +261,6 @@ func BuildGatewayRules(
 	matchedPoliciesByInbound map[InboundListener][]core_model.Resource,
 	httpRoutes []core_model.Resource,
 ) (GatewayRules, error) {
-	singleItemRules := map[InboundListener]SingleItemRules{}
 	toRulesByInbound := map[InboundListener]Rules{}
 	for inbound, policies := range matchedPoliciesByInbound {
 		toRules, err := BuildToRules(policies, httpRoutes)
@@ -274,11 +272,6 @@ func BuildGatewayRules(
 			return GatewayRules{}, err
 		}
 		toRulesByInbound[inbound] = toRules.Rules
-
-		singleItemRules[inbound], err = BuildSingleItemRules(policies)
-		if err != nil {
-			return GatewayRules{}, err
-		}
 	}
 
 	fromRules, err := BuildFromRules(matchedPoliciesByInbound)
@@ -287,9 +280,8 @@ func BuildGatewayRules(
 	}
 
 	return GatewayRules{
-		ToRules:         toRulesByInbound,
-		FromRules:       fromRules.Rules,
-		SingleItemRules: singleItemRules,
+		ToRules:   toRulesByInbound,
+		FromRules: fromRules.Rules,
 	}, nil
 }
 

pkg/plugins/policies/meshtrace/api/v1alpha1/validator.go

@@ -33,7 +33,7 @@ func validateTop(targetRef common_api.TargetRef) validators.ValidationError {
 			common_api.MeshService,
 			common_api.MeshServiceSubset,
 		},
-		GatewayListenerTagsAllowed: true,
+		GatewayListenerTagsAllowed: false,
 	})
 	return targetRefErr
 }

pkg/plugins/policies/meshtrace/api/v1alpha1/validator_test.go

@@ -97,8 +97,6 @@ default:
 targetRef:
   kind: MeshGateway
   name: edge
-  tags:
-    name: listener-1
 default:
   backends:
     - type: Datadog
@@ -395,6 +393,24 @@ violations:
   - field: spec.default.backends[0].openTelemetry
     message: must be defined`,
 			}),
+			Entry("gateway listener tags not allowed", testCase{
+				inputYaml: `
+targetRef:
+  kind: MeshGateway
+  name: edge
+  tags:
+    name: listener-1
+default:
+  backends:
+    - type: Datadog
+      datadog:
+        url: http://intake.datadoghq.eu:8126
+        splitService: true`,
+				expected: `
+violations:
+  - field: spec.targetRef.tags
+    message: must not be set with kind MeshGateway`,
+			}),
 		)
 	})
 })

pkg/plugins/policies/meshtrace/plugin/v1alpha1/plugin.go

@@ -52,15 +52,15 @@ func (p plugin) Apply(rs *xds.ResourceSet, ctx xds_context.Context, proxy *xds.P
 	if err := applyToClusters(policies.SingleItemRules, rs, proxy); err != nil {
 		return err
 	}
-	if err := applyToGateway(policies.GatewayRules.SingleItemRules, listeners.Gateway, ctx.Mesh.Resources.MeshLocalResources, proxy.Dataplane); err != nil {
+	if err := applyToGateway(policies.SingleItemRules, listeners.Gateway, ctx.Mesh.Resources.MeshLocalResources, proxy.Dataplane); err != nil {
 		return err
 	}
 
 	return nil
 }
 
 func applyToGateway(
-	listenerRules map[core_rules.InboundListener]core_rules.SingleItemRules,
+	rules core_rules.SingleItemRules,
 	gatewayListeners map[core_rules.InboundListener]*envoy_listener.Listener,
 	resources xds_context.ResourceMap,
 	dataplane *core_mesh.DataplaneResource,
@@ -88,10 +88,6 @@ func applyToGateway(
 		if !ok {
 			continue
 		}
-		rules, ok := listenerRules[inboundListener]
-		if !ok {
-			continue
-		}
 
 		if err := configureListener(
 			rules,

pkg/plugins/policies/meshtrace/plugin/v1alpha1/plugin_test.go

@@ -605,7 +605,7 @@ var _ = Describe("MeshTrace", func() {
 		}),
 	)
 	type gatewayTestCase struct {
-		rules map[core_rules.InboundListener]core_rules.SingleItemRules
+		rules core_rules.SingleItemRules
 	}
 	DescribeTable("should generate proper Envoy config for gateways",
 		func(given gatewayTestCase) {
@@ -621,9 +621,7 @@ var _ = Describe("MeshTrace", func() {
 
 			proxy := xds_builders.Proxy().
 				WithDataplane(samples.GatewayDataplaneBuilder()).
-				WithPolicies(xds_builders.MatchedPolicies().WithGatewayPolicy(api.MeshTraceType, core_rules.GatewayRules{
-					SingleItemRules: given.rules,
-				})).
+				WithPolicies(xds_builders.MatchedPolicies().WithSingleItemPolicy(api.MeshTraceType, given.rules)).
 				Build()
 			for n, p := range core_plugins.Plugins().ProxyPlugins() {
 				Expect(p.Apply(context.Background(), xdsCtx.Mesh, proxy)).To(Succeed(), n)
@@ -643,9 +641,9 @@ var _ = Describe("MeshTrace", func() {
 				To(matchers.MatchGoldenYAML(filepath.Join("testdata", fmt.Sprintf("%s.listeners.golden.yaml", name))))
 		},
 		Entry("simple-gateway", gatewayTestCase{
-			rules: map[core_rules.InboundListener]core_rules.SingleItemRules{
-				{Address: "192.168.0.1", Port: 8080}: {
-					Rules: []*core_rules.Rule{{
+			rules: core_rules.SingleItemRules{
+				Rules: []*core_rules.Rule{
+					{
 						Subset: []core_rules.Tag{},
 						Conf: api.Conf{
 							Backends: &[]api.Backend{{
@@ -656,7 +654,7 @@ var _ = Describe("MeshTrace", func() {
 								},
 							}},
 						},
-					}},
+					},
 				},
 			},
 		}),