
Commit d2175d3

authored
[backport] cherry-pick commit 15e46da to release-v1.2 (#5063)
1 parent 893ff87 commit d2175d3

21 files changed

+276
-180
lines changed

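--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -54,7 +54,7 @@ jobs:
 - name: golangci-lint
 uses: golangci/golangci-lint-action@v3
 with:
-version: latest
+version: v1.47.0
 skip-pkg-cache: true
 
 codegen: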

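--- a/pkg/catalog/catalog.go
+++ b/pkg/catalog/catalog.go
@@ -25,6 +25,7 @@ func NewMeshCatalog(kubeController k8s.Controller, meshSpec smi.MeshSpec, certMa
 meshSpec: meshSpec,
 policyController: policyController,
 configurator: cfg,
+certManager: certManager,
 
 kubeController: kubeController,
 }
@@ -42,3 +43,8 @@ func NewMeshCatalog(kubeController k8s.Controller, meshSpec smi.MeshSpec, certMa
 func (mc *MeshCatalog) GetKubeController() k8s.Controller {
 return mc.kubeController
 }
+
+// GetTrustDomain returns the currently configured trust domain, ie: cluster.local
+func (mc *MeshCatalog) GetTrustDomain() string {
+return mc.certManager.GetTrustDomain()
+}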
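Review bot: `GetTrustDomain` in the second hunk dereferences `mc.certManager` with no nil check, and the test file in this same commit builds `MeshCatalog` as a struct literal, so a catalog constructed without the new `certManager` field will panic inside inbound policy computation instead of failing with a clear error. Because the trust domain now feeds the allowed-principal strings used for inbound authorization, the invariant deserves stating on the method: `// GetTrustDomain returns the trust domain of the mesh's certificate manager, e.g. cluster.local. It requires mc.certManager to be set (NewMeshCatalog does this); a nil manager panics.` The existing doc comment also reads `ie:` where `e.g.` is meant.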

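--- a/pkg/catalog/inbound_traffic_policies.go
+++ b/pkg/catalog/inbound_traffic_policies.go
@@ -131,8 +131,8 @@ func (mc *MeshCatalog) getInboundTrafficPoliciesForUpstream(upstreamSvc service.
 // Only a single rule for permissive mode.
 inboundPolicyForUpstreamSvc.Rules = []*trafficpolicy.Rule{
 {
-Route: *trafficpolicy.NewRouteWeightedCluster(trafficpolicy.WildCardRouteMatch, []service.WeightedCluster{localCluster}, upstreamTrafficSetting),
-AllowedServiceIdentities: mapset.NewSetWith(identity.WildcardServiceIdentity),
+Route: *trafficpolicy.NewRouteWeightedCluster(trafficpolicy.WildCardRouteMatch, []service.WeightedCluster{localCluster}, upstreamTrafficSetting),
+AllowedPrincipals: mapset.NewSetWith(identity.WildcardPrincipal),
 },
 }
 } else {
@@ -178,17 +178,17 @@ func (mc *MeshCatalog) getRoutingRulesFromTrafficTarget(trafficTarget access.Tra
 }
 
 // Compute the allowed downstream service identities for the given TrafficTarget object
-allowedDownstreamIdentities := mapset.NewSet()
+trustDomain := mc.GetTrustDomain()
+allowedDownstreamPrincipals := mapset.NewSet()
 for _, source := range trafficTarget.Spec.Sources {
-sourceSvcIdentity := trafficTargetIdentityToSvcAccount(source).ToServiceIdentity()
-allowedDownstreamIdentities.Add(sourceSvcIdentity)
+allowedDownstreamPrincipals.Add(trafficTargetIdentityToSvcAccount(source).AsPrincipal(trustDomain))
 }
 
 var routingRules []*trafficpolicy.Rule
 for _, httpRouteMatch := range httpRouteMatches {
 rule := &trafficpolicy.Rule{
-Route: *trafficpolicy.NewRouteWeightedCluster(httpRouteMatch, []service.WeightedCluster{routingCluster}, upstreamTrafficSetting),
-AllowedServiceIdentities: allowedDownstreamIdentities,
+Route: *trafficpolicy.NewRouteWeightedCluster(httpRouteMatch, []service.WeightedCluster{routingCluster}, upstreamTrafficSetting),
+AllowedPrincipals: allowedDownstreamPrincipals,
 }
 routingRules = append(routingRules, rule)
 }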
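Review bot: The context comment `// Compute the allowed downstream service identities for the given TrafficTarget object` in the second hunk is now stale, since the loop below it builds trust-domain-qualified principals rather than service identities; suggest `// Compute the allowed downstream principals (service account identity qualified with the mesh trust domain) for the given TrafficTarget object`. `trustDomain := mc.GetTrustDomain()` is used without inspection: if the certificate manager ever reported an empty trust domain, the resulting principals would presumably match no client certificate and the target's routes would be denied — fail-closed, but silent — so a log line when the trust domain is empty would make that misconfiguration visible. The enclosing `getRoutingRulesFromTrafficTarget` starts and ends outside the hunk.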

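--- a/pkg/catalog/inbound_traffic_policies_test.go
+++ b/pkg/catalog/inbound_traffic_policies_test.go
@@ -4,6 +4,7 @@ import (
 "fmt"
 "reflect"
 "testing"
+"time"
 
 mapset "github.com/deckarep/golang-set"
 "github.com/golang/mock/gomock"
@@ -15,6 +16,7 @@ import (
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 policyv1alpha1 "github.com/openservicemesh/osm/pkg/apis/policy/v1alpha1"
+tresorFake "github.com/openservicemesh/osm/pkg/certificate/providers/tresor/fake"
 
 "github.com/openservicemesh/osm/pkg/configurator"
 "github.com/openservicemesh/osm/pkg/endpoint"
@@ -168,10 +170,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -207,10 +209,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -473,10 +475,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 {
 Route: trafficpolicy.RouteWeightedClusters{
@@ -493,10 +495,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -532,10 +534,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 {
 Route: trafficpolicy.RouteWeightedClusters{
@@ -552,10 +554,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -721,10 +723,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -758,10 +760,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -797,10 +799,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -914,7 +916,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -941,7 +943,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -970,7 +972,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -1116,10 +1118,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
-Name: "sa2",
-Namespace: "ns2",
-}.ToServiceIdentity()),
+AllowedPrincipals: mapset.NewSet("sa2.ns2.cluster.local"),
 },
 },
 },
@@ -1287,15 +1286,15 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(
+AllowedPrincipals: mapset.NewSet(
 identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity(),
+}.AsPrincipal("cluster.local"),
 identity.K8sServiceAccount{
 Name: "sa3",
 Namespace: "ns3",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -1331,15 +1330,15 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(
+AllowedPrincipals: mapset.NewSet(
 identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity(),
+}.AsPrincipal("cluster.local"),
 identity.K8sServiceAccount{
 Name: "sa3",
 Namespace: "ns3",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -1503,10 +1502,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -1542,10 +1541,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -1653,7 +1652,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -1680,7 +1679,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -1825,10 +1824,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 }),
 RateLimit: perRouteRateLimitConfig,
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -1866,10 +1865,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 }),
 RateLimit: perRouteRateLimitConfig,
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -1953,7 +1952,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 }),
 RateLimit: perRouteRateLimitConfig,
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -1984,7 +1983,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 }),
 RateLimit: perRouteRateLimitConfig,
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -2014,6 +2013,8 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 mockCtrl := gomock.NewController(t)
 defer mockCtrl.Finish()
 
+fakeCertManager := tresorFake.NewFake(nil, 1*time.Hour)
+
 mockKubeController := k8s.NewMockController(mockCtrl)
 mockPolicyController := policy.NewMockController(mockCtrl)
 mockEndpointProvider := endpoint.NewMockProvider(mockCtrl)
@@ -2025,6 +2026,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 policyController: mockPolicyController,
 endpointsProviders: []endpoint.Provider{mockEndpointProvider},
 serviceProviders: []service.Provider{mockServiceProvider},
+certManager: fakeCertManager,
 configurator: mockCfg,
 meshSpec: mockMeshSpec,
 }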
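Review bot: The expectation at new line 1121 in the `@@ -1116,10 +1118,7 @@` hunk hardcodes the principal as the raw string `"sa2.ns2.cluster.local"`, while every other case in the file derives it via `identity.K8sServiceAccount{...}.AsPrincipal("cluster.local")`. If that one case is intentionally pinning the wire format of a principal, a short comment such as `// intentionally spelled out: pins the <sa>.<ns>.<trust-domain> principal format` would keep a future format change from being silently absorbed by rewriting the literal; otherwise it should use the same `AsPrincipal` form as its neighbours. The literal `"cluster.local"` is also repeated throughout the expectations while the catalog under test takes its trust domain from `fakeCertManager`, which is assigned to the field that `GetTrustDomain` reads; deriving the expected values from that same source would keep the test coupled to what the code actually uses.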
