diff --git a/internal/xds/translator/ratelimit.go b/internal/xds/translator/ratelimit.go
index 03b01298dd..35679f05b8 100644
--- a/internal/xds/translator/ratelimit.go
+++ b/internal/xds/translator/ratelimit.go
@@ -649,7 +649,7 @@ func buildRateLimitServiceDescriptors(route *ir.HTTPRoute) []*rlsconfv3.RateLimi
 }
 
 // buildRateLimitTLSocket builds the TLS socket for the rate limit service.
-func buildRateLimitTLSocket() (*corev3.TransportSocket, error) {
+func (t *Translator) buildRateLimitTLSocket() (*corev3.TransportSocket, error) {
 tlsCtx := &tlsv3.UpstreamTlsContext{
 CommonTlsContext: &tlsv3.CommonTlsContext{
 TlsCertificates: []*tlsv3.TlsCertificate{},
@@ -663,15 +663,19 @@ func buildRateLimitTLSocket() (*corev3.TransportSocket, error) {
 },
 }
 
- tlsCert := &tlsv3.TlsCertificate{
- CertificateChain: &corev3.DataSource{
- Specifier: &corev3.DataSource_Filename{Filename: rateLimitClientTLSCertFilename},
- },
- PrivateKey: &corev3.DataSource{
- Specifier: &corev3.DataSource_Filename{Filename: rateLimitClientTLSKeyFilename},
- },
+ // Add client certificates only when not in gateway namespace mode
+ // TODO: Add better support for gateway namespace mode
+ if !t.GatewayNamespaceMode {
+ tlsCert := &tlsv3.TlsCertificate{
+ CertificateChain: &corev3.DataSource{
+ Specifier: &corev3.DataSource_Filename{Filename: rateLimitClientTLSCertFilename},
+ },
+ PrivateKey: &corev3.DataSource{
+ Specifier: &corev3.DataSource_Filename{Filename: rateLimitClientTLSKeyFilename},
+ },
+ }
+ tlsCtx.CommonTlsContext.TlsCertificates = append(tlsCtx.CommonTlsContext.TlsCertificates, tlsCert)
 }
- tlsCtx.CommonTlsContext.TlsCertificates = append(tlsCtx.CommonTlsContext.TlsCertificates, tlsCert)
 
 tlsCtxAny, err := anypb.New(tlsCtx)
 if err != nil {
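Review bot: The new `if !t.GatewayNamespaceMode` branch silently drops the client certificate from the upstream TLS context, so in gateway namespace mode Envoy still verifies the rate limit service but no longer authenticates itself to it, and the two comment lines above the branch say neither why nor what the consequence is. Whether that is acceptable depends on the rate limit service's listener configuration, which is not in this diff: if it still requires a client certificate the handshake will simply fail, and if it was relaxed to accept anonymous clients then any workload that can reach the service can now call it, so the trade-off belongs in the code. I would replace the comment pair with something like `// Gateway namespace mode: the proxy presumably has no access to the client cert/key files, so only server-side TLS is configured and the rate limit service must accept connections without a client cert. TODO(<issue>): restore mTLS in this mode.`, adjusting the stated reason to the real one. A debug log when the branch is taken would also let an operator see that mTLS to the rate limit service is disabled. buildRateLimitTLSocket continues past the end of this hunk.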
@@ -701,7 +705,7 @@ func (t *Translator) createRateLimitServiceCluster(tCtx *types.ResourceVersionTa
 Name: destinationSettingName(clusterName),
 }
 
- tSocket, err := buildRateLimitTLSocket()
+ tSocket, err := t.buildRateLimitTLSocket()
 if err != nil {
 return err
 }
diff --git a/internal/xds/translator/runner/runner.go b/internal/xds/translator/runner/runner.go
index 6348b6a934..6221e7ea15 100644
--- a/internal/xds/translator/runner/runner.go
+++ b/internal/xds/translator/runner/runner.go
@@ -67,8 +67,9 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *ir
 } else {
 // Translate to xds resources
 t := &translator.Translator{
- FilterOrder: val.FilterOrder,
- Logger: r.Logger,
+ GatewayNamespaceMode: r.EnvoyGateway.GatewayNamespaceMode(),
+ FilterOrder: val.FilterOrder,
+ Logger: r.Logger,
 }
 
 // Set the extension manager if an extension is loaded
diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go
index 5118ffd329..28b8e9f0a5 100644
--- a/internal/xds/translator/translator.go
+++ b/internal/xds/translator/translator.go
@@ -44,6 +44,7 @@ const (
 
 // Translator translates the xDS IR into xDS resources.
 type Translator struct {
+ GatewayNamespaceMode bool
 // GlobalRateLimit holds the global rate limit settings
 // required during xds translation.
 GlobalRateLimit *GlobalRateLimitSettings
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index c7de5de62e..1016bbfff9 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
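Review bot: The new `GatewayNamespaceMode bool` field added to the Translator struct has no doc comment, while the neighbouring `GlobalRateLimit` field documents what it holds and when it is used. Because this flag changes security-relevant output (the ratelimit.go hunk in the same change omits the client certificate on the rate limit service TLS socket when it is set), a reader of the struct should learn that here rather than by searching for uses. I would add above the field `// GatewayNamespaceMode is set when Envoy Gateway runs in gateway namespace mode; currently it disables the client certificate on the rate limit service TLS socket.` The Translator struct definition continues past the end of this hunk.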
@@ -67,18 +67,6 @@ func TestE2E(t *testing.T) {
 tests.HTTPWasmTest.ShortName,
 tests.OCIWasmTest.ShortName,
 tests.ZoneAwareRoutingTest.ShortName,
-
- // Skip RateLimit tests because they are not supported in GatewayNamespaceMode
- tests.RateLimitCIDRMatchTest.ShortName,
- tests.RateLimitHeaderMatchTest.ShortName,
- tests.GlobalRateLimitHeaderInvertMatchTest.ShortName,
- tests.RateLimitHeadersDisabled.ShortName,
- tests.RateLimitBasedJwtClaimsTest.ShortName,
- tests.RateLimitMultipleListenersTest.ShortName,
- tests.RateLimitHeadersAndCIDRMatchTest.ShortName,
- tests.UsageRateLimitTest.ShortName,
- tests.RateLimitGlobalSharedCidrMatchTest.ShortName,
- tests.RateLimitGlobalSharedGatewayHeaderMatchTest.ShortName,
 )
 }
 