// Copyright Istio Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
corev1 "k8s.io/api/core/v1"
k8s "sigs.k8s.io/gateway-api/apis/v1alpha2"
"istio.io/istio/pilot/pkg/credentials"
"istio.io/istio/pilot/pkg/model"
creds "istio.io/istio/pilot/pkg/model/credentials"
"istio.io/istio/pkg/config"
"istio.io/istio/pkg/config/schema/gvk"
"istio.io/istio/pkg/util/sets"
gatewayAliasForAnnotationKey = "gateway.istio.io/alias-for"
gatewayTLSTerminateModeKey = "gateway.istio.io/tls-terminate-mode"
gatewayNameOverride = "gateway.istio.io/name-override"
gatewaySAOverride = "gateway.istio.io/service-account"
serviceTypeOverride = "networking.istio.io/service-type"
addressTypeOverride = "networking.istio.io/address-type"
// GatewayResources stores all gateway resources used for our conversion.
type GatewayResources struct {
GatewayClass []config.Config
Gateway []config.Config
HTTPRoute []config.Config
GRPCRoute []config.Config
TCPRoute []config.Config
TLSRoute []config.Config
ReferenceGrant []config.Config
ServiceEntry []config.Config
// Namespaces stores every namespace in the cluster, keyed by name
Namespaces map[string]*corev1.Namespace
// Credentials stores all credentials in the cluster
Credentials credentials.Controller
// Domain for the cluster. Typically, cluster.local
Context GatewayContext
AllowedNames sets.String
type AllowedReferences map[Reference]map[Reference]*Grants
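// SecretAllowed reports whether a Gateway living in namespace may reference the
// TLS secret identified by resourceName (a credential resource name understood
// by creds.ParseResourceName). The decision comes only from the recorded grants:
// the entry for Gateway(namespace) -> Secret(p.Namespace) must exist and either
// allow every name or list p.Name explicitly. There is no same-namespace
// shortcut here, so whoever builds refs must record same-namespace access too.
//
// Every failure path (unparseable name, no grant recorded) returns false, so the
// check fails closed: a Gateway can never pick up a secret it was not granted.
func (refs AllowedReferences) SecretAllowed(resourceName string, namespace string) bool {
	// NOTE(review): the three empty strings appear to suppress any proxy/cluster
	// defaults during parsing — confirm against creds.ParseResourceName.
	p, err := creds.ParseResourceName(resourceName, "", "", "")
	if err != nil {
		// A name we cannot parse cannot be matched against any grant; deny rather than guess.
		log.Warnf("failed to parse resource name %q: %v", resourceName, err)
		return false
	}

	from := Reference{Kind: gvk.KubernetesGateway, Namespace: k8s.Namespace(namespace)}
	to := Reference{Kind: gvk.Secret, Namespace: k8s.Namespace(p.Namespace)}

	// Both map levels tolerate absent keys; a reference with no recorded grant
	// surfaces as a nil *Grants and must be treated as a denial, never dereferenced.
	allow := refs[from][to]
	if allow == nil {
		return false
	}
	return allow.AllowAll || allow.AllowedNames.Contains(p.Name)
}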
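// BackendAllowed reports whether a route of kind k living in routeNamespace may
// forward traffic to the Service backendName in backendNamespace. The decision
// comes only from the recorded grants: the entry for k(routeNamespace) ->
// Service(backendNamespace) must exist and either allow every name or list the
// backend explicitly. As with SecretAllowed there is no same-namespace shortcut.
//
// Only gvk.Service is modelled as the target kind, so this check says nothing
// about backends of any other kind; callers must not reuse it for those.
// A reference with no recorded grant is denied, so the check fails closed.
func (refs AllowedReferences) BackendAllowed(
	k config.GroupVersionKind,
	backendName k8s.ObjectName,
	backendNamespace k8s.Namespace,
	routeNamespace string,
) bool {
	from := Reference{Kind: k, Namespace: k8s.Namespace(routeNamespace)}
	to := Reference{Kind: gvk.Service, Namespace: backendNamespace}

	// Both map levels tolerate absent keys; a missing grant surfaces as a nil
	// *Grants and must be treated as a denial, never dereferenced.
	allow := refs[from][to]
	if allow == nil {
		return false
	}
	return allow.AllowAll || allow.AllowedNames.Contains(string(backendName))
}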
// IstioResources stores all outputs of our conversion
type IstioResources struct {
Gateway []config.Config
VirtualService []config.Config
// AllowedReferences stores all allowed references, from Reference -> to Reference(s)
AllowedReferences AllowedReferences
// ReferencedNamespaceKeys stores the label key of all namespace selections. This allows us to quickly
// determine if a namespace update could have impacted any Gateways. See namespaceEvent.
ReferencedNamespaceKeys sets.String
// ResourceReferences stores all resources referenced by gateway-api resources. This allows us to quickly
// determine if a resource update could have impacted any Gateways.
// key: referenced resources(e.g. secrets), value: gateway-api resources(e.g. gateways)
ResourceReferences map[model.ConfigKey][]model.ConfigKey
// Reference stores a reference to a namespaced GVK, as used by ReferenceGrant (formerly ReferencePolicy)
type Reference struct {
Kind config.GroupVersionKind
Namespace k8s.Namespace