diff --git a/pkg/xds/generator/egress/external_services_generator.go b/pkg/xds/generator/egress/external_services_generator.go
index 1dee041f39ad..3cba72e22b05 100644
--- a/pkg/xds/generator/egress/external_services_generator.go
+++ b/pkg/xds/generator/egress/external_services_generator.go
@@ -106,7 +106,7 @@ func (*ExternalServicesGenerator) generateCDS(
 }
 resources = append(resources, &core_xds.Resource{
- Name: serviceName,
+ Name: cluster.GetName(),
 Origin: OriginEgress,
 Resource: cluster,
 })
diff --git a/pkg/xds/generator/egress/generator_test.go b/pkg/xds/generator/egress/generator_test.go
index ef5083aaa70e..1f5943cdac36 100644
--- a/pkg/xds/generator/egress/generator_test.go
+++ b/pkg/xds/generator/egress/generator_test.go
@@ -18,6 +18,7 @@ import (
 meshhttproute_api "github.com/kumahq/kuma/pkg/plugins/policies/meshhttproute/api/v1alpha1"
 . "github.com/kumahq/kuma/pkg/test/matchers"
 "github.com/kumahq/kuma/pkg/test/xds"
+ "github.com/kumahq/kuma/pkg/util/maps"
 util_proto "github.com/kumahq/kuma/pkg/util/proto"
 xds_context "github.com/kumahq/kuma/pkg/xds/context"
 envoy_common "github.com/kumahq/kuma/pkg/xds/envoy"
@@ -149,8 +150,8 @@ var _ = Describe("EgressGenerator", func() {
 }
 var meshResourcesList []*core_xds.MeshResources
- for _, meshResources := range meshResourcesMap {
- meshResourcesList = append(meshResourcesList, meshResources)
+ for _, meshName := range maps.SortedKeys(meshResourcesMap) {
+ meshResourcesList = append(meshResourcesList, meshResourcesMap[meshName])
 }
 proxy := &core_xds.Proxy{
@@ -219,5 +220,9 @@ var _ = Describe("EgressGenerator", func() {
 fileWithResourcesName: "subsets-with-external-meshhttproute.yaml",
 expected: "subsets-with-external-meshhttproute.golden.yaml",
 }),
+ Entry("same kuma.io/service", testCase{
+ fileWithResourcesName: "same-kuma-io-service.yaml",
+ expected: "same-kuma-io-service.golden.yaml",
+ }),
 )
 })
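Review bot: The switch from `serviceName` to `cluster.GetName()` in the `core_xds.Resource` literal of `generateCDS` carries no comment saying why the resource must be keyed by the cluster's own name. Judging by the golden files in this commit, the cluster name is mesh-qualified (`mesh-1:externalservice`) while the bare `kuma.io/service` value can repeat across meshes, so a later cleanup back to `serviceName` would presumably let one mesh's cluster replace another's on a shared egress. I would add `// Key by the mesh-qualified cluster name; kuma.io/service alone is not unique across meshes.` above the `Name:` field. The function body starts and ends outside this hunk.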
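Review bot: In the `generator_test.go` import hunk the new package is imported under its default name `maps`, which reads like the standard library `maps` at the call site `maps.SortedKeys(meshResourcesMap)` in the following hunk. The neighbouring import already uses an alias (`util_proto`), so `util_maps "github.com/kumahq/kuma/pkg/util/maps"` would match that style and make the origin obvious. A one-line comment on the loop, `// iterate meshes in name order so the golden output is stable`, would also record why the keys are sorted.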
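Review bot: The `same kuma.io/service` entry added to the table cannot detect policies leaking between meshes, because both TrafficPermissions in `same-kuma-io-service.yaml` are identical allow-all rules. The golden file it pins shows this: the filter chain for `externalservice{mesh=mesh-2}` lists the RBAC policy `allow-all-traffic-1`, although the input defines `allow-all-traffic-2` for mesh-2. That may only be an artifact of how the test wires policies (the setup code is outside the hunk), but it should be confirmed that permission matching on the egress is mesh-scoped. Giving mesh-2's permission a distinct source in the fixture, for example `kuma.io/service: client-2` (constructed value), would make the golden output show which mesh's policy each chain really uses.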
diff --git a/pkg/xds/generator/egress/testdata/01.externalservice-only.golden.yaml b/pkg/xds/generator/egress/testdata/01.externalservice-only.golden.yaml index a9a48bbe78df..116459af52f2 100644 --- a/pkg/xds/generator/egress/testdata/01.externalservice-only.golden.yaml +++ b/pkg/xds/generator/egress/testdata/01.externalservice-only.golden.yaml @@ -1,5 +1,5 @@ resources: -- name: externalservice-1 +- name: mesh-1:externalservice-1 resource: '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster altStatName: mesh-1_externalservice-1 diff --git a/pkg/xds/generator/egress/testdata/03.mixed-services.golden.yaml b/pkg/xds/generator/egress/testdata/03.mixed-services.golden.yaml index fa91c5b55885..1fcdac315517 100644 --- a/pkg/xds/generator/egress/testdata/03.mixed-services.golden.yaml +++ b/pkg/xds/generator/egress/testdata/03.mixed-services.golden.yaml @@ -1,5 +1,5 @@ resources: -- name: externalservice-1 +- name: mesh-1:externalservice-1 resource: '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster altStatName: mesh-1_externalservice-1 @@ -30,7 +30,7 @@ resources: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: httpProtocolOptions: {} -- name: externalservice-2 +- name: mesh-1:externalservice-2 resource: '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster altStatName: mesh-1_externalservice-2 diff --git a/pkg/xds/generator/egress/testdata/04.mixed-services-custom-trafficroute.golden.yaml b/pkg/xds/generator/egress/testdata/04.mixed-services-custom-trafficroute.golden.yaml index 31388609fd3c..5b98a93e778b 100644 --- a/pkg/xds/generator/egress/testdata/04.mixed-services-custom-trafficroute.golden.yaml +++ b/pkg/xds/generator/egress/testdata/04.mixed-services-custom-trafficroute.golden.yaml @@ -1,5 +1,5 @@ resources: -- name: externalservice-1 +- name: mesh-1:externalservice-1 resource: '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster altStatName: mesh-1_externalservice-1 
@@ -30,7 +30,7 @@ resources: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: httpProtocolOptions: {} -- name: externalservice-2 +- name: mesh-1:externalservice-2 resource: '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster altStatName: mesh-1_externalservice-2 diff --git a/pkg/xds/generator/egress/testdata/05.mixed-services-with-custom-trafficpermissions.golden.yaml b/pkg/xds/generator/egress/testdata/05.mixed-services-with-custom-trafficpermissions.golden.yaml index cf3834548859..98248f852a62 100644 --- a/pkg/xds/generator/egress/testdata/05.mixed-services-with-custom-trafficpermissions.golden.yaml +++ b/pkg/xds/generator/egress/testdata/05.mixed-services-with-custom-trafficpermissions.golden.yaml @@ -1,5 +1,5 @@ resources: -- name: externalservice-1 +- name: mesh-1:externalservice-1 resource: '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster altStatName: mesh-1_externalservice-1 @@ -30,7 +30,7 @@ resources: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: httpProtocolOptions: {} -- name: externalservice-2 +- name: mesh-1:externalservice-2 resource: '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster altStatName: mesh-1_externalservice-2 diff --git a/pkg/xds/generator/egress/testdata/06.mixed-services-with-external-in-other-zone.golden.yaml b/pkg/xds/generator/egress/testdata/06.mixed-services-with-external-in-other-zone.golden.yaml index aeab6c4c58ca..941528ba4a09 100644 --- a/pkg/xds/generator/egress/testdata/06.mixed-services-with-external-in-other-zone.golden.yaml +++ b/pkg/xds/generator/egress/testdata/06.mixed-services-with-external-in-other-zone.golden.yaml @@ -1,5 +1,5 @@ resources: -- name: externalservice-1 +- name: mesh-1:externalservice-1 resource: '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster altStatName: mesh-1_externalservice-1 
diff --git a/pkg/xds/generator/egress/testdata/input/same-kuma-io-service.yaml b/pkg/xds/generator/egress/testdata/input/same-kuma-io-service.yaml
new file mode 100644
index 000000000000..03b637819e34
--- /dev/null
+++ b/pkg/xds/generator/egress/testdata/input/same-kuma-io-service.yaml
@@ -0,0 +1,90 @@
+type: ZoneEgress
+name: zoneegress-1
+zone: zone-1
+networking:
+ address: 192.168.0.1
+ port: 10002
+---
+type: Mesh
+name: mesh-1
+mtls:
+ enabledBackend: ca-1
+ backends:
+ - name: ca-1
+ type: builtin
+---
+type: TrafficPermission
+name: allow-all-traffic-1
+mesh: mesh-1
+sources:
+ - match:
+ kuma.io/service: '*'
+destinations:
+ - match:
+ kuma.io/service: '*'
+---
+type: TrafficRoute
+name: trafficroute-1
+mesh: mesh-1
+sources:
+ - match:
+ kuma.io/service: "*"
+destinations:
+ - match:
+ kuma.io/service: "*"
+conf:
+ loadBalancer:
+ roundRobin: {}
+ destination:
+ kuma.io/service: "*"
+---
+type: ExternalService
+name: externalservice-1
+mesh: mesh-1
+tags:
+ kuma.io/service: externalservice # same kuma.io/service
+ kuma.io/protocol: http
+networking:
+ address: kuma.io:80
+---
+type: Mesh
+name: mesh-2
+mtls:
+ enabledBackend: ca-1
+ backends:
+ - name: ca-1
+ type: builtin
+---
+type: TrafficPermission
+name: allow-all-traffic-2
+mesh: mesh-2
+sources:
+ - match:
+ kuma.io/service: '*'
+destinations:
+ - match:
+ kuma.io/service: '*'
+---
+type: TrafficRoute
+name: trafficroute-2
+mesh: mesh-2
+sources:
+ - match:
+ kuma.io/service: "*"
+destinations:
+ - match:
+ kuma.io/service: "*"
+conf:
+ loadBalancer:
+ roundRobin: {}
+ destination:
+ kuma.io/service: "*"
+---
+type: ExternalService
+name: externalservice-2
+mesh: mesh-2
+tags:
+ kuma.io/service: externalservice # same kuma.io/service
+ kuma.io/protocol: http
+networking:
+ address: kuma.io:80
diff --git a/pkg/xds/generator/egress/testdata/same-kuma-io-service.golden.yaml b/pkg/xds/generator/egress/testdata/same-kuma-io-service.golden.yaml
new file mode 100644
index 000000000000..084a5b7b464c
--- /dev/null
+++ b/pkg/xds/generator/egress/testdata/same-kuma-io-service.golden.yaml
@@ -0,0 +1,232 @@ +resources: +- name: mesh-1:externalservice + resource: + '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster + altStatName: mesh-1_externalservice + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: mesh-1:externalservice + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: kuma.io + portValue: 80 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + mesh: mesh-1 + envoy.transport_socket_match: + kuma.io/protocol: http + mesh: mesh-1 + name: mesh-1:externalservice + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + httpProtocolOptions: {} +- name: mesh-2:externalservice + resource: + '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster + altStatName: mesh-2_externalservice + connectTimeout: 5s + dnsLookupFamily: V4_ONLY + loadAssignment: + clusterName: mesh-2:externalservice + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: kuma.io + portValue: 80 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.lb: + kuma.io/protocol: http + mesh: mesh-2 + envoy.transport_socket_match: + kuma.io/protocol: http + mesh: mesh-2 + name: mesh-2:externalservice + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + httpProtocolOptions: {} +- name: inbound:192.168.0.1:10002 + resource: + '@type': type.googleapis.com/envoy.config.listener.v3.Listener + address: + socketAddress: + address: 192.168.0.1 + portValue: 10002 + enableReusePort: false + filterChains: + - filterChainMatch: + serverNames: + - externalservice{mesh=mesh-1} + transportProtocol: tls + filters: + - name: 
envoy.filters.network.rbac + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC + rules: + policies: + allow-all-traffic-1: + permissions: + - any: true + principals: + - any: true + statPrefix: externalservice. + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + routeConfig: + name: outbound:externalservice + validateClusters: false + virtualHosts: + - domains: + - '*' + name: externalservice + routes: + - match: + prefix: / + route: + autoHostRewrite: true + cluster: mesh-1:externalservice + timeout: 0s + statPrefix: externalservice + name: externalservice_mesh-1 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + prefix: spiffe://mesh-1/ + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:mesh-1 + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:mesh-1 + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + - filterChainMatch: + serverNames: + - externalservice{mesh=mesh-2} + transportProtocol: tls + filters: + - name: envoy.filters.network.rbac + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC + rules: + policies: + allow-all-traffic-1: + permissions: + - any: true + principals: + - any: true + statPrefix: externalservice. 
+ - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + routeConfig: + name: outbound:externalservice + validateClusters: false + virtualHosts: + - domains: + - '*' + name: externalservice + routes: + - match: + prefix: / + route: + autoHostRewrite: true + cluster: mesh-2:externalservice + timeout: 0s + statPrefix: externalservice + name: externalservice_mesh-2 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + prefix: spiffe://mesh-2/ + sanType: URI + validationContextSdsSecretConfig: + name: mesh_ca:secret:mesh-2 + sdsConfig: + ads: {} + resourceApiVersion: V3 + tlsCertificateSdsSecretConfigs: + - name: identity_cert:secret:mesh-2 + sdsConfig: + ads: {} + resourceApiVersion: V3 + requireClientCertificate: true + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector + name: inbound:192.168.0.1:10002 + trafficDirection: INBOUND +- name: identity_cert:secret:mesh-1 + resource: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret + name: identity_cert:secret:mesh-1 + tlsCertificate: + certificateChain: + inlineBytes: Q0VSVA== + privateKey: + inlineBytes: S0VZ +- name: identity_cert:secret:mesh-2 + resource: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret + name: identity_cert:secret:mesh-2 + tlsCertificate: + certificateChain: + inlineBytes: Q0VSVA== + privateKey: + inlineBytes: S0VZ +- name: 
mesh_ca:secret:mesh-1 + resource: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret + name: mesh_ca:secret:mesh-1 + validationContext: + trustedCa: + inlineBytes: Q0E= +- name: mesh_ca:secret:mesh-2 + resource: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret + name: mesh_ca:secret:mesh-2 + validationContext: + trustedCa: + inlineBytes: Q0E= diff --git a/pkg/xds/generator/egress/testdata/subsets-with-external-meshhttproute.golden.yaml b/pkg/xds/generator/egress/testdata/subsets-with-external-meshhttproute.golden.yaml index 80455d264ac3..aba7a5b4ad31 100644 --- a/pkg/xds/generator/egress/testdata/subsets-with-external-meshhttproute.golden.yaml +++ b/pkg/xds/generator/egress/testdata/subsets-with-external-meshhttproute.golden.yaml @@ -1,5 +1,5 @@ resources: -- name: externalservice-2 +- name: mesh-1:externalservice-2 resource: '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster altStatName: mesh-1_externalservice-2