52 changes: 33 additions & 19 deletions internal/gatewayapi/backendtlspolicy.go
Expand Up @@ -75,6 +75,7 @@ func localPolicyTargetReferenceWithSectionNameToKey(ns string, targetRef gwapiv1
// applyBackendTLSSetting processes TLS settings from Backend resource, BackendTLSPolicy, and EnvoyProxy resource.
// It merges the TLS settings from these resources and returns the final TLS config to be applied to the upstream cluster.
func (t *Translator) applyBackendTLSSetting(
translatorContext *TranslatorContext,
backendRef gwapiv1.BackendObjectReference,
backendNamespace string,
parent gwapiv1.ParentReference,
Expand All @@ -93,27 +94,28 @@ func (t *Translator) applyBackendTLSSetting(

// If the backendRef is a Backend resource, we need to check if it has TLS settings.
if KindDerefOr(backendRef.Kind, resource.KindService) == egv1a1.KindBackend {
backend := resources.GetBackend(backendNamespace, string(backendRef.Name))
backend := translatorContext.GetBackend(backendNamespace, string(backendRef.Name))
if backend == nil {
return nil, fmt.Errorf("backend %s not found", backendRef.Name)
}
if backend.Spec.TLS != nil {
// Get the server certificate validation settings from Backend resource.
if backendValidationTLSConfig, err = t.processServerValidationTLSSettings(backend, resources); err != nil {
if backendValidationTLSConfig, err = t.processServerValidationTLSSettings(translatorContext, backend); err != nil {
return nil, err
}

// Get the client certificate and common TLS settings from Backend resource.
if backend.Spec.TLS.BackendTLSConfig != nil {
if backendClientTLSConfig, err = t.processClientTLSSettings(resources, backend.Spec.TLS.BackendTLSConfig, backend.Namespace, backend.Name, false); err != nil {
if backendClientTLSConfig, err = t.processClientTLSSettings(translatorContext,
backend.Spec.TLS.BackendTLSConfig, backend.Namespace, backend.Name, false); err != nil {
return nil, err
}
}
}
}

// Get the backend certificate validation settings from BackendTLSPolicy.
if btpValidationTLSConfig, err = t.processBackendTLSPolicy(backendRef, backendNamespace, parent, resources); err != nil {
if btpValidationTLSConfig, err = t.processBackendTLSPolicy(translatorContext, backendRef, backendNamespace, parent, resources); err != nil {
return nil, err
}

Expand All @@ -132,7 +134,8 @@ func (t *Translator) applyBackendTLSSetting(

// Get the client certificate and common TLS settings from EnvoyProxy resource.
if envoyProxy != nil && envoyProxy.Spec.BackendTLS != nil {
if envoyProxyClientTLSConfig, err = t.processClientTLSSettings(resources, envoyProxy.Spec.BackendTLS, envoyProxy.Namespace, envoyProxy.Name, true); err != nil {
if envoyProxyClientTLSConfig, err = t.processClientTLSSettings(translatorContext,
envoyProxy.Spec.BackendTLS, envoyProxy.Namespace, envoyProxy.Name, true); err != nil {
return nil, err
}
}
Expand Down Expand Up @@ -238,8 +241,8 @@ func mergeClientTLSConfigs(
}

func (t *Translator) processServerValidationTLSSettings(
translatorContext *TranslatorContext,
backend *egv1a1.Backend,
resources *resource.Resources,
) (*ir.TLSUpstreamConfig, error) {
tlsConfig := &ir.TLSUpstreamConfig{
InsecureSkipVerify: ptr.Deref(backend.Spec.TLS.InsecureSkipVerify, false),
Expand All @@ -257,7 +260,7 @@ func (t *Translator) processServerValidationTLSSettings(
Name: fmt.Sprintf("%s/%s-ca", backend.Name, backend.Namespace),
}
} else if len(backend.Spec.TLS.CACertificateRefs) > 0 {
caCert, err := getCaCertsFromCARefs(backend.Namespace, backend.Spec.TLS.CACertificateRefs, resources)
caCert, err := getCaCertsFromCARefs(translatorContext, backend.Namespace, backend.Spec.TLS.CACertificateRefs)
if err != nil {
return nil, err
}
Expand All @@ -271,17 +274,18 @@ func (t *Translator) processServerValidationTLSSettings(
}

func (t *Translator) processBackendTLSPolicy(
translatorContext *TranslatorContext,
backendRef gwapiv1.BackendObjectReference,
backendNamespace string,
parent gwapiv1.ParentReference,
resources *resource.Resources,
) (*ir.TLSUpstreamConfig, error) {
policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace, resources)
policy := getBackendTLSPolicy(translatorContext, resources.BackendTLSPolicies, backendRef, backendNamespace)
if policy == nil {
return nil, nil
}

tlsBundle, err := getBackendTLSBundle(policy, resources)
tlsBundle, err := getBackendTLSBundle(translatorContext, policy)
ancestorRefs := getAncestorRefs(policy)
ancestorRefs = append(ancestorRefs, &parent)

Expand Down Expand Up @@ -326,7 +330,12 @@ func (t *Translator) processBackendTLSPolicy(
return tlsBundle, nil
}

func (t *Translator) processClientTLSSettings(resources *resource.Resources, clientTLS *egv1a1.BackendTLSConfig, ownerNs, ownerName string, fromEnvoyProxy bool) (*ir.TLSConfig, error) {
func (t *Translator) processClientTLSSettings(
translatorContext *TranslatorContext,
clientTLS *egv1a1.BackendTLSConfig,
ownerNs, ownerName string,
fromEnvoyProxy bool,
) (*ir.TLSConfig, error) {
tlsConfig := &ir.TLSConfig{}

if len(clientTLS.Ciphers) > 0 {
Expand Down Expand Up @@ -365,7 +374,7 @@ func (t *Translator) processClientTLSSettings(resources *resource.Resources, cli
err = fmt.Errorf("ClientCertificateRef Secret is not located in the same namespace as %s. Secret namespace: %s does not match %s namespace: %s", ownerResource, ns, ownerResource, ownerNs)
return tlsConfig, err
}
secret := resources.GetSecret(ns, string(clientTLS.ClientCertificateRef.Name))
secret := translatorContext.GetSecret(ns, string(clientTLS.ClientCertificateRef.Name))
if secret == nil {
err = fmt.Errorf(
"failed to locate TLS secret for client auth: %s specified in %s %s",
Expand Down Expand Up @@ -405,13 +414,13 @@ func backendTLSTargetMatched(policy *gwapiv1.BackendTLSPolicy, target gwapiv1.Lo
}

func getBackendTLSPolicy(
translatorContext *TranslatorContext,
policies []*gwapiv1.BackendTLSPolicy,
backendRef gwapiv1.BackendObjectReference,
backendNamespace string,
resources *resource.Resources,
) *gwapiv1.BackendTLSPolicy {
// SectionName is port number for EG Backend object
target := getTargetBackendReference(backendRef, backendNamespace, resources)
target := getTargetBackendReference(translatorContext, backendRef, backendNamespace)
for _, policy := range policies {
if backendTLSTargetMatched(policy, target, backendNamespace) {
return policy
Expand All @@ -420,7 +429,7 @@ func getBackendTLSPolicy(
return nil
}

func getBackendTLSBundle(backendTLSPolicy *gwapiv1.BackendTLSPolicy, resources *resource.Resources) (*ir.TLSUpstreamConfig, error) {
func getBackendTLSBundle(translatorContext *TranslatorContext, backendTLSPolicy *gwapiv1.BackendTLSPolicy) (*ir.TLSUpstreamConfig, error) {
// Translate SubjectAltNames from gwapiv1a3 to ir
subjectAltNames := make([]ir.SubjectAltName, 0, len(backendTLSPolicy.Spec.Validation.SubjectAltNames))
for _, san := range backendTLSPolicy.Spec.Validation.SubjectAltNames {
Expand Down Expand Up @@ -448,7 +457,8 @@ func getBackendTLSBundle(backendTLSPolicy *gwapiv1.BackendTLSPolicy, resources *
return tlsBundle, nil
}

caCert, err := getCaCertsFromCARefs(backendTLSPolicy.Namespace, backendTLSPolicy.Spec.Validation.CACertificateRefs, resources)
caCert, err := getCaCertsFromCARefs(translatorContext,
backendTLSPolicy.Namespace, backendTLSPolicy.Spec.Validation.CACertificateRefs)
if err != nil {
return nil, err
}
Expand All @@ -459,14 +469,18 @@ func getBackendTLSBundle(backendTLSPolicy *gwapiv1.BackendTLSPolicy, resources *
return tlsBundle, nil
}

func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObjectReference, resources *resource.Resources) ([]byte, error) {
func getCaCertsFromCARefs(
translatorContext *TranslatorContext,
namespace string,
caCertificates []gwapiv1.LocalObjectReference,
) ([]byte, error) {
ca := ""
for _, caRef := range caCertificates {
kind := string(caRef.Kind)

switch kind {
case resource.KindConfigMap:
cm := resources.GetConfigMap(namespace, string(caRef.Name))
cm := translatorContext.GetConfigMap(namespace, string(caRef.Name))
if cm != nil {
if crt, dataOk := getOrFirstFromData(cm.Data, caCertKey); dataOk {
if ca != "" {
Expand All @@ -480,7 +494,7 @@ func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObject
return nil, fmt.Errorf("configmap %s not found in namespace %s", caRef.Name, namespace)
}
case resource.KindSecret:
secret := resources.GetSecret(namespace, string(caRef.Name))
secret := translatorContext.GetSecret(namespace, string(caRef.Name))
if secret != nil {
if crt, dataOk := getOrFirstFromData(secret.Data, caCertKey); dataOk {
if ca != "" {
Expand All @@ -494,7 +508,7 @@ func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObject
return nil, fmt.Errorf("secret %s not found in namespace %s", caRef.Name, namespace)
}
case resource.KindClusterTrustBundle:
ctb := resources.GetClusterTrustBundle(string(caRef.Name))
ctb := translatorContext.GetClusterTrustBundle(string(caRef.Name))
if ctb != nil {
if ca != "" {
ca += "\n"
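Review bot: processBackendTLSPolicy is the one helper in this file that ends up with both a translatorContext and a resources parameter, while processServerValidationTLSSettings, processClientTLSSettings, getBackendTLSPolicy, getBackendTLSBundle and getCaCertsFromCARefs all replace resources with translatorContext. The surviving resources parameter is read only for `resources.BackendTLSPolicies`, which leaves that function with two sources of cluster state and forces applyBackendTLSSetting to keep threading resources through at the processBackendTLSPolicy call. If TranslatorContext can expose the BackendTLSPolicy list (not visible in this diff), dropping the parameter would finish the migration the commit starts; otherwise a one-line comment on the parameter, e.g. `// resources is kept only for BackendTLSPolicies, which TranslatorContext does not provide.`, would record why this helper is the exception. The doc comment on applyBackendTLSSetting also still describes only the resources it merges and does not mention the new translatorContext parameter, which is now the lookup path for Backend, Secret and ConfigMap objects.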