diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 9653beec4c3..f35c85be7ef 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -203,13 +203,6 @@ func buildXdsCluster(args *xdsClusterArgs) (*buildClusterResult, error) { } } - // Set Proxy Protocol - if args.proxyProtocol != nil { - cluster.TransportSocket = buildProxyProtocolSocket(args.proxyProtocol, args.tSocket) - } else if args.tSocket != nil { - cluster.TransportSocket = args.tSocket - } - // scan through settings to determine cluster-level configuration options, as some of them // influence transport socket specific settings requiresAutoHTTPConfig := false @@ -235,6 +228,14 @@ func buildXdsCluster(args *xdsClusterArgs) (*buildClusterResult, error) { // only enable auto sni if TLS is configured requiresAutoSNI := !hasLiteralSNI && requiresAutoHTTPConfig + // Set Proxy Protocol + proxyProtocolEnabled := args.proxyProtocol != nil + if proxyProtocolEnabled { + cluster.TransportSocket = buildProxyProtocolSocket(args.proxyProtocol, args.tSocket, requiresAutoHTTPConfig) + } else if args.tSocket != nil { + cluster.TransportSocket = args.tSocket + } + for i, ds := range args.settings { if ds.TLS != nil { socket, err := buildXdsUpstreamTLSSocketWthCert(ds.TLS, requiresAutoSNI, args.endpointType) @@ -242,8 +243,8 @@ func buildXdsCluster(args *xdsClusterArgs) (*buildClusterResult, error) { // TODO: Log something here return nil, err } - if args.proxyProtocol != nil { - socket = buildProxyProtocolSocket(args.proxyProtocol, socket) + if proxyProtocolEnabled { + socket = buildProxyProtocolSocket(args.proxyProtocol, socket, requiresAutoHTTPConfig) } matchName := fmt.Sprintf("%s/tls/%d", args.name, i) @@ -265,7 +266,7 @@ func buildXdsCluster(args *xdsClusterArgs) (*buildClusterResult, error) { } // TransportSocket is required for auto HTTP config - if requiresAutoHTTPConfig && cluster.TransportSocket == nil { + if requiresAutoHTTPConfig && cluster.TransportSocket == nil && !proxyProtocolEnabled { // we need a dummy transport socket to pass the validation cluster.TransportSocket = dummyTransportSocket } @@ -275,7 +276,8 @@ func buildXdsCluster(args *xdsClusterArgs) (*buildClusterResult, error) { if err != nil { return nil, err } - if epo != nil { + // Set TypedExtensionProtocolOptions if not using Proxy Protocol + if !proxyProtocolEnabled && epo != nil { cluster.TypedExtensionProtocolOptions = epo } @@ -1006,7 +1008,7 @@ func buildUpstreamCodecFilter() (*hcmv3.HttpFilter, error) { } // buildProxyProtocolSocket builds the ProxyProtocol transport socket. -func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.TransportSocket) *corev3.TransportSocket { +func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.TransportSocket, requiresAutoHTTPConfig bool) *corev3.TransportSocket { if proxyProtocol == nil { return nil } @@ -1026,18 +1028,22 @@ func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.T // If existing transport socket does not exist wrap around raw buffer if tSocket == nil { - rawCtx := &rawbufferv3.RawBuffer{} - rawCtxAny, err := proto.ToAnyWithValidation(rawCtx) - if err != nil { - return nil - } - rawSocket := &corev3.TransportSocket{ - Name: wellknown.TransportSocketRawBuffer, - ConfigType: &corev3.TransportSocket_TypedConfig{ - TypedConfig: rawCtxAny, - }, + if requiresAutoHTTPConfig { + ppCtx.TransportSocket = dummyTransportSocket + } else { + rawCtx := &rawbufferv3.RawBuffer{} + rawCtxAny, err := proto.ToAnyWithValidation(rawCtx) + if err != nil { + return nil + } + rawSocket := &corev3.TransportSocket{ + Name: wellknown.TransportSocketRawBuffer, + ConfigType: &corev3.TransportSocket_TypedConfig{ + TypedConfig: rawCtxAny, + }, + } + ppCtx.TransportSocket = rawSocket } - ppCtx.TransportSocket = rawSocket } else { ppCtx.TransportSocket = tSocket } diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-als-tcp.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-als-tcp.yaml index 163e6a780ce..221d510c339 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-als-tcp.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-als-tcp.yaml @@ -32,8 +32,6 @@ accesslog: interval: 5s maxEjectionPercent: 10 splitExternalLocalOriginErrors: false - proxyProtocol: - version: V2 tcpKeepalive: probes: 7 timeout: diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-proc-with-retries.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-proc-with-retries.yaml index 222efaf66d2..4d367a86c52 100644 --- a/internal/xds/translator/testdata/in/xds-ir/ext-proc-with-retries.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/ext-proc-with-retries.yaml @@ -102,8 +102,6 @@ http: roundRobin: slowStart: window: 5s - proxyProtocol: - version: V2 tcpKeepalive: probes: 7 timeout: diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-proc-with-traffic-settings.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-proc-with-traffic-settings.yaml index 46635150ddd..e373d5d283f 100644 --- a/internal/xds/translator/testdata/in/xds-ir/ext-proc-with-traffic-settings.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/ext-proc-with-traffic-settings.yaml @@ -89,8 +89,6 @@ http: roundRobin: slowStart: window: 5s - proxyProtocol: - version: V2 tcpKeepalive: probes: 7 timeout: diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing.yaml index c0196ca747f..d5e009ba791 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tracing.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tracing.yaml @@ -41,8 +41,6 @@ tracing: interval: 5s maxEjectionPercent: 10 splitExternalLocalOriginErrors: false - proxyProtocol: - version: V2 tcpKeepalive: probes: 7 timeout: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml index ccbf5dc34e6..36afbc7d3f4 100755 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml @@ -30,16 +30,6 @@ interval: 5s maxEjectionPercent: 10 perConnectionBufferLimitBytes: 20971520 - transportSocket: - name: envoy.transport_sockets.upstream_proxy_protocol - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport - config: - version: V2 - transportSocket: - name: envoy.transport_sockets.raw_buffer - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer type: EDS typedExtensionProtocolOptions: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-retries.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-retries.clusters.yaml index c0ae4804db4..c9001860088 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-retries.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-retries.clusters.yaml @@ -80,68 +80,51 @@ maxEjectionPercent: 10 perConnectionBufferLimitBytes: 20971520 transportSocket: - name: envoy.transport_sockets.upstream_proxy_protocol + name: dummy.transport_socket typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport - config: - version: V2 - transportSocket: - name: envoy.transport_sockets.raw_buffer - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: {} transportSocketMatches: - match: name: envoyextensionpolicy/default/policy-for-http-route/0/tls/0 name: envoyextensionpolicy/default/policy-for-http-route/0/tls/0 transportSocket: - name: envoy.transport_sockets.upstream_proxy_protocol + name: envoy.transport_sockets.tls typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport - config: - version: V2 - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - combinedValidationContext: - defaultValidationContext: - matchTypedSubjectAltNames: - - matcher: - exact: grpc-backend - sanType: DNS - validationContextSdsSecretConfig: - name: policy-btls-grpc/envoy-gateway-ca - sdsConfig: - ads: {} - resourceApiVersion: V3 - sni: grpc-backend + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: grpc-backend + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls-grpc/envoy-gateway-ca + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: grpc-backend - match: name: envoyextensionpolicy/default/policy-for-http-route/0/tls/3 name: envoyextensionpolicy/default/policy-for-http-route/0/tls/3 transportSocket: - name: envoy.transport_sockets.upstream_proxy_protocol + name: envoy.transport_sockets.tls typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport - config: - version: V2 - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - combinedValidationContext: - defaultValidationContext: - matchTypedSubjectAltNames: - - matcher: - exact: ip-backend - sanType: DNS - validationContextSdsSecretConfig: - name: policy-btls-backend-ip/envoy-gateway-ca - sdsConfig: - ads: {} - resourceApiVersion: V3 - sni: ip-backend + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: ip-backend + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls-backend-ip/envoy-gateway-ca + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: ip-backend type: EDS typedExtensionProtocolOptions: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml index c0ae4804db4..c9001860088 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml @@ -80,68 +80,51 @@ maxEjectionPercent: 10 perConnectionBufferLimitBytes: 20971520 transportSocket: - name: envoy.transport_sockets.upstream_proxy_protocol + name: dummy.transport_socket typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport - config: - version: V2 - transportSocket: - name: envoy.transport_sockets.raw_buffer - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: {} transportSocketMatches: - match: name: envoyextensionpolicy/default/policy-for-http-route/0/tls/0 name: envoyextensionpolicy/default/policy-for-http-route/0/tls/0 transportSocket: - name: envoy.transport_sockets.upstream_proxy_protocol + name: envoy.transport_sockets.tls typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport - config: - version: V2 - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - combinedValidationContext: - defaultValidationContext: - matchTypedSubjectAltNames: - - matcher: - exact: grpc-backend - sanType: DNS - validationContextSdsSecretConfig: - name: policy-btls-grpc/envoy-gateway-ca - sdsConfig: - ads: {} - resourceApiVersion: V3 - sni: grpc-backend + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: grpc-backend + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls-grpc/envoy-gateway-ca + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: grpc-backend - match: name: envoyextensionpolicy/default/policy-for-http-route/0/tls/3 name: envoyextensionpolicy/default/policy-for-http-route/0/tls/3 transportSocket: - name: envoy.transport_sockets.upstream_proxy_protocol + name: envoy.transport_sockets.tls typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport - config: - version: V2 - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - combinedValidationContext: - defaultValidationContext: - matchTypedSubjectAltNames: - - matcher: - exact: ip-backend - sanType: DNS - validationContextSdsSecretConfig: - name: policy-btls-backend-ip/envoy-gateway-ca - sdsConfig: - ads: {} - resourceApiVersion: V3 - sni: ip-backend + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: ip-backend + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls-backend-ip/envoy-gateway-ca + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: ip-backend type: EDS typedExtensionProtocolOptions: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml index 8e8f5e24564..19c5aee92d9 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml @@ -106,9 +106,10 @@ config: version: V2 transportSocket: - name: envoy.transport_sockets.raw_buffer + name: dummy.transport_socket typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: {} transportSocketMatches: - match: name: httproute/envoy-gateway/httproute-btls-2/rule/0/tls/1 @@ -137,11 +138,3 @@ resourceApiVersion: V3 sni: example.com type: EDS - typedExtensionProtocolOptions: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - autoConfig: - http2ProtocolOptions: - initialConnectionWindowSize: 1048576 - initialStreamWindowSize: 65536 - httpProtocolOptions: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml index 28d736bc179..e2d59b86642 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml @@ -64,16 +64,6 @@ maxEjectionPercent: 10 perConnectionBufferLimitBytes: 20971520 respectDnsTtl: true - transportSocket: - name: envoy.transport_sockets.upstream_proxy_protocol - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport - config: - version: V2 - transportSocket: - name: envoy.transport_sockets.raw_buffer - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer type: STRICT_DNS typedExtensionProtocolOptions: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/test/e2e/testdata/proxy-protocol-with-tls.yaml b/test/e2e/testdata/proxy-protocol-with-tls.yaml new file mode 100644 index 00000000000..8272a1c5225 --- /dev/null +++ b/test/e2e/testdata/proxy-protocol-with-tls.yaml @@ -0,0 +1,168 @@ +# This's used to test proxy protocol. +# Traffic from http 80 will be redirected to https://www.example.com:443 with proxy protocol enabled. +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: proxy-protocol-gtw + namespace: gateway-conformance-infra +spec: + gatewayClassName: "{GATEWAY_CLASS_NAME}" + listeners: + - name: http + port: 80 + protocol: HTTP + - name: https + protocol: HTTPS + port: 443 + tls: + mode: Terminate + certificateRefs: + - kind: Secret + group: "" + name: example-com-tls +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: ClientTrafficPolicy +metadata: + name: enable-proxy-protocol-policy + namespace: gateway-conformance-infra +spec: + enableProxyProtocol: true + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: proxy-protocol-gtw + sectionName: https +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http + namespace: gateway-conformance-infra +spec: + parentRefs: + - kind: Gateway + name: proxy-protocol-gtw + sectionName: http + rules: + - matches: + - path: + type: PathPrefix + value: / + filters: + - type: URLRewrite + urlRewrite: + hostname: www.example.com + backendRefs: + - group: "gateway.envoyproxy.io" + kind: Backend + name: proxy-protocol-backend + port: 443 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: proxy-protocol + namespace: gateway-conformance-infra +spec: + hostnames: + - www.example.com + parentRefs: + - kind: Gateway + name: proxy-protocol-gtw + sectionName: https + rules: + - matches: + - path: + type: PathPrefix + value: / + backendRefs: + - name: infra-backend-v1 + port: 8080 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: enable-proxy-protocol + namespace: gateway-conformance-infra +spec: + proxyProtocol: + version: V2 + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: http +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: proxy-protocol-backend + namespace: gateway-conformance-infra +spec: + endpoints: + - fqdn: + # the service name of the gateway, this's not right on gateway namespace mode + hostname: envoy-gateway-conformance-infra-proxy-protocol-gtw-4aabe705.envoy-gateway-system.svc + port: 443 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: BackendTLSPolicy +metadata: + name: btls-proxy-protocol-backend + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: proxy-protocol-backend + validation: + caCertificateRefs: + - name: example-ca + group: "" + kind: ConfigMap + hostname: www.example.com +--- +# ./certs/client-mtls-trustbundle.sh +# +# kubectl create secret generic example-com-tls -n gateway-conformance-infra --from-file=ca.crt=example.com.crt --from-file=tls.crt=www.example.com.crt --from-file=tls.key=www.example.com.key --dry-run=client -o yaml > example-com-tls.yaml +apiVersion: v1 +data: + ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURWVENDQWoyZ0F3SUJBZ0lVVCtlWHNsNDIrWnoyNzVZaVBjTWUvQnBuajJ3d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0xURVZNQk1HQTFVRUNnd01aWGhoYlhCc1pTQkpibU11TVJRd0VnWURWUVFEREF0bGVHRnRjR3hsTG1OdgpiVEFlRncweU5UQTJNVGt4TWpFNU5URmFGdzB5TmpBMk1Ua3hNakU1TlRGYU1DMHhGVEFUQmdOVkJBb01ER1Y0CllXMXdiR1VnU1c1akxqRVVNQklHQTFVRUF3d0xaWGhoYlhCc1pTNWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RRRUIKQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUNQRWloRzZwbE5oU01nZkFYWmdQSDFzdjNWbklUV1hxbzRYd1I4SGVKRgpFYXVtVE1pcCtCM2djcXY4T3JNV2VORERWSzl3Q0lzVVpjNDIxcTFsRWRNWmdCNHBiQ1VMWUUzMkdjblh4TVNKCnVOUldYdU9JOTM5TkE4THJGb1dQV3BmNTUvcERhUTJKVFlDK1Jya05RcVhoa09rdlMvYTNuOEd3dDJnNjUzdUQKcUI4aWdtd0dESWliK2VBY0UxSnNMVldjaytHaG9wMkFyRjZoZFFDdXdBaHppSXR4RVhmQ3lJekhORXU0UXRtTQoybDRkd0xaYWdidjZqRkpvYTJ0cE9wYnFuQzNxZmZTRkN0RVVoMkRITXpVbUtsNGl3N0l4dWM1VWhHcVBFRWFLClZKUENnRSs3UXdHYWV3MzUxKzZtZFNVV1FtWDRIcWZMNllMMTNoR3FEOWtqQWdNQkFBR2piVEJyTUIwR0ExVWQKRGdRV0JCUWtKUDhZRVhVSUVrbmtsRGViNFNhQXlhYWIxVEFmQmdOVkhTTUVHREFXZ0JRa0pQOFlFWFVJRWtuawpsRGViNFNhQXlhYWIxVEFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQmdHQTFVZEVRUVJNQStDRFNvdVpYaGhiWEJzClpTNWpiMjB3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUNDcVNvRkgrZ3Z4SUtmcmE4dURDV1pGdVVrVWhKbE8KNFZmblo1SVpsZHlZSWk3c2hHbWdyWDZCcEdFK1RNM1E0Mk5nditMZUF2OUpyaTZ3YXFlNVdDc09oRWY2clBXNQpCNVp6OUEwN28vQUFYZDVVd25WWTNuejFEcC9pcUJ3WUJPbzk1U2U1Mnd4WXM0Qk1pOVF2ZlNQVEcrMFp3T3hoCnpjRjVrb0VIL0MxcGJtTWtSMFlpRHBpM295c0FxRnBMTy80MXozQ2hjbzY3QWlMaEV1K0JDdytGeHN3NVR5dGgKRlZJeGxtSnZhUklqcHFzWVRwcmUvUGFKUjEva2dveVorR1BRWFl0aGN0bmhZM203M2hRYWtTVGtRYUVBakxTMApDZEdOczJxMzk3ZmJ6dWw2eEhWUjQwRFFBV3IzaCs5a2tJamhVR3VCVnljSE1BY0hXeXcxWUNFPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQwakNDQXJxZ0F3SUJBZ0lVTzdKTjJjSE56ZmV6elBhSHlpK2kyRU9pL1Jnd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0xURVZNQk1HQTFVRUNnd01aWGhoYlhCc1pTQkpibU11TVJRd0VnWURWUVFEREF0bGVHRnRjR3hsTG1OdgpiVEFlRncweU5UQTJNVGt4TWpFNU5URmFGdzB6TlRBMk1UY3hNakU1TlRGYU1Ea3hHREFXQmdOVkJBTU1EM2QzCmR5NWxlR0Z0Y0d4bExtTnZiVEVkTUJzR0ExVUVDZ3dVWlhoaGJYQnNaU0J2Y21kaGJtbDZZWFJwYjI0d2dnRWkKTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEaGV3bEd3cFNpNFpwWVhuSjBDR0pvZFFLMwo4RlZ5NzEyWVNVaHZGN3NBRzFHcmlqbUZBWDJ3SkFUMnNpVkRlOTdPODRtbGRDWXIxdTducWVqa090MDVuOFpBCjVyNk9RZUJnWmtyS1lmcjRyODdDeU5TTmJEZ1VRa1lIN1Fac0FWM2lqSmpmWm1KVk9HbUlPMFJFYjM5WFFVT3gKQjJrblp2QVBrWVBwZ0owd0JPS2JmRnhBUkM3YktGei9DQVROcEQ1TUFRWmlEbFFyTVNXT0FYTVFMNHh6RDNhVApSTnRlVW11RmxsVzJIRGZyVzA2RGw0OFlUZmt2bFU3bGJINUhBQVY3ZkkvZFJyYmhPSXRFajNSR2lHaitCS1gxCkpZSXE4ZXFyQXFubnZzckFKcEw0bks2eWFVMC93bzYzd2NFUGFpUE9KZlNLN2U3d3FWUU50aVlVaE8rYkFnTUIKQUFHamdkMHdnZG93SFFZRFZSME9CQllFRkhDK1NRcDZ3eW9jeG53Yjk4UU1vQTA1TmtXZU1HZ0dBMVVkSXdSaApNRitBRkNRay94Z1JkUWdTU2VTVU41dmhKb0RKcHB2Vm9UR2tMekF0TVJVd0V3WURWUVFLREF4bGVHRnRjR3hsCklFbHVZeTR4RkRBU0JnTlZCQU1NQzJWNFlXMXdiR1V1WTI5dGdoUlA1NWV5WGpiNW5QYnZsaUk5d3g3OEdtZVAKYkRBTUJnTlZIUk1FQlRBREFRSC9NQXNHQTFVZER3UUVBd0lDL0RBYUJnTlZIUkVFRXpBUmdnOTNkM2N1WlhoaApiWEJzWlM1amIyMHdHQVlEVlIwU0JCRXdENElOS2k1bGVHRnRjR3hsTG1OdmJUQU5CZ2txaGtpRzl3MEJBUXNGCkFBT0NBUUVBZEFqaDVhbWFRQmJoRE5JQ2JqVHZ3Y0lWaFhnNTI1NkxKaGwvRHc1Zk9vNWdIT05wVUJwWVBQcUQKVjMwdmlNMXloNkthb2lRc3JXSHNoMFgvR3RYT1JwemhaajN3c0NVTEFpRmsvb2Vva2pYZnFKbm1DNlc0b08rTwpsMzFFQnNtVkxPcmRDZFJrOTJMZ0FYY0lsdE1VVjViV25mdDF1RTExWEJTclUrcWNoS3h6VStUZ29yK3g4Nk5jCnNzKzdzMXFzbUFLc01OUXJVQXJFY21NZCtrZDFqTWJoV3BNQ2VWMXJ3QTB6UDVJa0F6Ym1GVmVkMEtyOVRwazQKWWw3V21kSnlNNVd3bENSS1JRWW5sN3RCUzdIVmZDck9pRW1rTU9SVU9XUEJwVU5uc0ZPVWVWNUo1N0x0WEVzcApwdWV3UytmdG5aZm91ODUyYUp1Nzc5Qnh6THN0U2c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRGhld2xHd3BTaTRacFkKWG5KMENHSm9kUUszOEZWeTcxMllTVWh2RjdzQUcxR3Jpam1GQVgyd0pBVDJzaVZEZTk3Tzg0bWxkQ1lyMXU3bgpxZWprT3QwNW44WkE1cjZPUWVCZ1prcktZZnI0cjg3Q3lOU05iRGdVUWtZSDdRWnNBVjNpakpqZlptSlZPR21JCk8wUkViMzlYUVVPeEIya25adkFQa1lQcGdKMHdCT0tiZkZ4QVJDN2JLRnovQ0FUTnBENU1BUVppRGxRck1TV08KQVhNUUw0eHpEM2FUUk50ZVVtdUZsbFcySERmclcwNkRsNDhZVGZrdmxVN2xiSDVIQUFWN2ZJL2RScmJoT0l0RQpqM1JHaUdqK0JLWDFKWUlxOGVxckFxbm52c3JBSnBMNG5LNnlhVTAvd282M3djRVBhaVBPSmZTSzdlN3dxVlFOCnRpWVVoTytiQWdNQkFBRUNnZ0VBVE9iNXN2aUtXVU00c1FzRlhpMjk0b0tGK3RZdFRwWDFCZ3Q0ZU90UERDcEYKSUl4ME1iamdkVUxUcm8venhhQnB6WXVpVnB2V3FQMFZYazNFOEpKakFWUk0rYlc1S0N1dnF6RTRNTzVaK3BkNwpuVk9CcXZwTjVocjBaNStmb1JhV1ByNVZKVngyRFRyQVE0WnpNaVFVK2wxNENOak9OSElYVGpnREZaQ1lDOWY2CnBSU2RJejZ3SjlqR1RsUzhuWHZnc053WHZ4TG1tZ2hpNFdKYWtqUlh5T0NFUkxlV1JzeThCU2pKY0YvYkpLdFIKVlpWT0JsL29Dd1l4TCtwZExBUkUzdDgyOVQyQ2h5S2pFM2htRXhZT2tEQjc5R21JcEN1QTJBVXgrVCtkbVQ5QQpta1ZHK29lNHlUQWdSK004cW41N3FNeWZ0U3hRdmFhRFQzQXA5eFU5QVFLQmdRRDdPeHlZQVVYMVpnR2kwc2JHCnh3V2xyMnRHSXFZcFdCMjh0d1R6RlVCaVI4MStrTml0bVpEN0E5N2c5RUpaSWtQbEhwMkhzeHlFeVlFRHRkcGkKdXhRb1ZlVWZRcmd4ZmIrZWdFZmtQUVJqVjFnRU9aRGIzOWNaT1hVVXJoMGtNY1R4dGtManQ3eE9RV3FsZ20wKwphcTlVcmtZOFMzTExSNExOdWVzMXFHL0NTUUtCZ1FEbHdzbW8yaEg1K25SeVFlOWpNencyUG01djJ6c0YxOW9XCmN0ODU3VFB6eG83M1psZFllL2lRdktzQzJxcWtwTHZtdWh5ZkxQV00xRHVOYzhwbURtRHpTTHFPbXc0b1BwUjYKaURtMXA3UmhraWxKS3NBZEVNaXFNQkJQRHVxQmNDNWo4ZFkwaUlhb3JDVTV2eGY4V090N3FaVTVEVkRza2xncwpwbVlMUnVSaXd3S0JnRnhMSHZvSW5iYkZQcHllYWova0pZTDBxcWdkV29XZHhXN3FuWHJmdDhOak5XN2xyM1EzCkVqZmsrQ0FVRzd1N0JzNUpMUDRKSXRUMVlkd0hGcTltb3NVZXFRbU83VFBoU2wva0tJVUVsWFFaUmxCbkJYeUIKQXZoVlQxbkZqUmNhNFlzYXRnQUtJN2RyK00zTTJHMHhyQytqeGxHb05nZlB3WkhxVnlwak1vdGhBb0dCQU1NLwo1ZmxNNEF2cjc3c05GeTdZNG1sQ1lyMUJzNFhDcWYxN3Z3Rk45MkZKTWtOQndDWmNxNTNzQnZPVStZQ1MwVzlBClo0UkpRNTVhMlFUYkNudng2aWUwZlgwa2ZVSnI4K2V4RGtHMTg0OGJFMlN2SkxWT2h3aEJjZ3FOSlhHNzhHQlUKcW5EWU9IN3NVM0lnVjNURjU4K2VERWFBYjIycTY2MTk5cWZNcGRiYkFvR0JBUFBFa2cvMXVRdldsZmtRd3RiSwpRV3B1WXlvNlliUWwrUktYUUJzaFpTSUZwQXJTNTRUYWNtREd6eWhRNXV0RDhQWUJkL3hDMDhYRXA4T3FTckhGCnh3MnFtd1ZWZ2hSY1FWOThTUUNiMGhqWWRaMHJxL0tEaXZxMnBJSlpEYmpxSWp0dHZrSGR3V0JWbnM3ZU5vU2IKVnV4QmhMcHNEU05qSFYzTE9MQ3k2R0UyCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K +kind: Secret +metadata: + creationTimestamp: null + name: example-com-tls + namespace: gateway-conformance-infra +type: kubernetes.io/tls +--- +apiVersion: v1 +data: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIDVTCCAj2gAwIBAgIUT+eXsl42+Zz275YiPcMe/Bpnj2wwDQYJKoZIhvcNAQEL + BQAwLTEVMBMGA1UECgwMZXhhbXBsZSBJbmMuMRQwEgYDVQQDDAtleGFtcGxlLmNv + bTAeFw0yNTA2MTkxMjE5NTFaFw0yNjA2MTkxMjE5NTFaMC0xFTATBgNVBAoMDGV4 + YW1wbGUgSW5jLjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEB + AQUAA4IBDwAwggEKAoIBAQCPEihG6plNhSMgfAXZgPH1sv3VnITWXqo4XwR8HeJF + EaumTMip+B3gcqv8OrMWeNDDVK9wCIsUZc421q1lEdMZgB4pbCULYE32GcnXxMSJ + uNRWXuOI939NA8LrFoWPWpf55/pDaQ2JTYC+RrkNQqXhkOkvS/a3n8Gwt2g653uD + qB8igmwGDIib+eAcE1JsLVWck+Ghop2ArF6hdQCuwAhziItxEXfCyIzHNEu4QtmM + 2l4dwLZagbv6jFJoa2tpOpbqnC3qffSFCtEUh2DHMzUmKl4iw7Ixuc5UhGqPEEaK + VJPCgE+7QwGaew351+6mdSUWQmX4HqfL6YL13hGqD9kjAgMBAAGjbTBrMB0GA1Ud + DgQWBBQkJP8YEXUIEknklDeb4SaAyaab1TAfBgNVHSMEGDAWgBQkJP8YEXUIEknk + lDeb4SaAyaab1TAPBgNVHRMBAf8EBTADAQH/MBgGA1UdEQQRMA+CDSouZXhhbXBs + ZS5jb20wDQYJKoZIhvcNAQELBQADggEBACCqSoFH+gvxIKfra8uDCWZFuUkUhJlO + 4VfnZ5IZldyYIi7shGmgrX6BpGE+TM3Q42Ngv+LeAv9Jri6waqe5WCsOhEf6rPW5 + B5Zz9A07o/AAXd5UwnVY3nz1Dp/iqBwYBOo95Se52wxYs4BMi9QvfSPTG+0ZwOxh + zcF5koEH/C1pbmMkR0YiDpi3oysAqFpLO/41z3Chco67AiLhEu+BCw+Fxsw5Tyth + FVIxlmJvaRIjpqsYTpre/PaJR1/kgoyZ+GPQXYthctnhY3m73hQakSTkQaEAjLS0 + CdGNs2q397fbzul6xHVR40DQAWr3h+9kkIjhUGuBVycHMAcHWyw1YCE= + -----END CERTIFICATE----- +kind: ConfigMap +metadata: + name: example-ca + namespace: gateway-conformance-infra +--- + diff --git a/test/e2e/tests/proxy_protocol.go b/test/e2e/tests/proxy_protocol.go new file mode 100644 index 00000000000..0219574a14b --- /dev/null +++ b/test/e2e/tests/proxy_protocol.go @@ -0,0 +1,69 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e + +package tests + +import ( + "fmt" + "testing" + + "github.com/stretchr/testify/require" + "k8s.io/apimachinery/pkg/types" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + httputils "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" +) + +func init() { + ConformanceTests = append(ConformanceTests, ProxyProtocolTest) +} + +var ProxyProtocolTest = suite.ConformanceTest{ + ShortName: "ProxyProtocol", + Description: "Make sure ProxyProtocol is working", + Manifests: []string{"testdata/proxy-protocol-with-tls.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "http", Namespace: ns} + gwNN := types.NamespacedName{Name: "proxy-protocol-gtw", Namespace: ns} + + // Update the backend FQDN to point to the service in the same namespace when using gateway namespace mode. + if IsGatewayNamespaceMode() { + backend := &egv1a1.Backend{} + err := suite.Client.Get(t.Context(), types.NamespacedName{ + Name: "proxy-protocol-backend", + Namespace: ns, + }, backend) + require.NoError(t, err) + + for _, ep := range backend.Spec.Endpoints { + if ep.FQDN != nil { + ep.FQDN.Hostname = fmt.Sprintf("%s.%s.svc", gwNN.Name, gwNN.Namespace) + } + } + + err = suite.Client.Update(t.Context(), backend) + require.NoError(t, err) + } + + gwAddr := kubernetes.GatewayAndRoutesMustBeAccepted(t, suite.Client, + suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), &gwapiv1.HTTPRoute{}, false, routeNN) + expectedResponse := httputils.ExpectedResponse{ + Request: httputils.Request{ + Path: "/", + }, + Response: httputils.Response{ + StatusCodes: []int{200}, + }, + Namespace: ns, + } + httputils.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + }, +}