
     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package gateway
    16  
    17  import (
    18  	corev1 "k8s.io/api/core/v1"
    19  	k8s "sigs.k8s.io/gateway-api/apis/v1alpha2"
    20  
    21  	"istio.io/istio/pilot/pkg/credentials"
    22  	"istio.io/istio/pilot/pkg/model"
    23  	creds "istio.io/istio/pilot/pkg/model/credentials"
    24  	"istio.io/istio/pkg/config"
    25  	"istio.io/istio/pkg/config/schema/gvk"
    26  	"istio.io/istio/pkg/util/sets"
    27  )
    28  
// Annotation keys recognised on Gateway-API resources during conversion.
// Keys in the gateway.istio.io namespace tune how Istio materialises a
// Gateway; keys in networking.istio.io override the generated Service.
// Their effect on conversion is implemented elsewhere in this package.
const (
	// gatewayAliasForAnnotationKey marks a Gateway as an alias for another one.
	gatewayAliasForAnnotationKey = "gateway.istio.io/alias-for"
	// gatewayTLSTerminateModeKey selects the TLS termination mode for a listener.
	gatewayTLSTerminateModeKey = "gateway.istio.io/tls-terminate-mode"
	// gatewayNameOverride overrides the name of the generated gateway resources.
	gatewayNameOverride = "gateway.istio.io/name-override"
	// gatewaySAOverride overrides the service account used by the generated deployment.
	gatewaySAOverride = "gateway.istio.io/service-account"
	// serviceTypeOverride overrides the type of the generated Service.
	serviceTypeOverride = "networking.istio.io/service-type"
	// addressTypeOverride overrides the address type reported for the Gateway.
	addressTypeOverride = "networking.istio.io/address-type"
)
    37  
// GatewayResources stores all gateway resources used for our conversion.
// It is the input side of the Gateway-API -> Istio conversion; the output
// is IstioResources. Each Gateway-API kind is kept as a plain slice of
// config.Config so the converter can iterate them without further lookups.
type GatewayResources struct {
	GatewayClass   []config.Config
	Gateway        []config.Config
	HTTPRoute      []config.Config
	GRPCRoute      []config.Config
	TCPRoute       []config.Config
	TLSRoute       []config.Config
	ReferenceGrant []config.Config
	ServiceEntry   []config.Config
	// Namespaces stores all namespace in the cluster, keyed by name
	Namespaces map[string]*corev1.Namespace
	// Credentials stores all credentials in the cluster
	Credentials credentials.Controller

	// Domain for the cluster. Typically, cluster.local
	Domain string
	// Context carries the per-conversion state shared across resources
	// (its definition is outside this file).
	Context GatewayContext
}
    57  
// Grants records what a set of ReferenceGrants permits for one
// (from, to) Reference pair. AllowAll short-circuits the name check:
// when it is true every object name in the target namespace is allowed;
// otherwise only the names listed in AllowedNames are.
type Grants struct {
	// AllowAll permits any name in the target namespace.
	AllowAll bool
	// AllowedNames lists the individual object names permitted when AllowAll is false.
	AllowedNames sets.String
}
    62  
// AllowedReferences maps a referencing Reference (the "from" side, e.g. a Gateway
// in its namespace) to the References it may target (the "to" side, e.g. a Secret
// in another namespace) and the Grants in effect for that pair. A pair with no
// entry, or a nil *Grants, is treated as denied by SecretAllowed and BackendAllowed.
type AllowedReferences map[Reference]map[Reference]*Grants
    64  
// SecretAllowed reports whether a Gateway in namespace may reference the
// secret identified by resourceName (a credential resource name, as parsed
// by creds.ParseResourceName). The check fails closed: an unparseable name
// is logged and denied, and a (from, to) pair with no grant is denied.
// With a grant, AllowAll wins; otherwise the secret's name must be listed.
func (refs AllowedReferences) SecretAllowed(resourceName string, namespace string) bool {
	parsed, err := creds.ParseResourceName(resourceName, "", "", "")
	if err != nil {
		log.Warnf("failed to parse resource name %q: %v", resourceName, err)
		return false
	}
	gatewayRef := Reference{Kind: gvk.KubernetesGateway, Namespace: k8s.Namespace(namespace)}
	secretRef := Reference{Kind: gvk.Secret, Namespace: k8s.Namespace(parsed.Namespace)}
	// Indexing a missing outer key yields a nil inner map, which then yields nil.
	grant, found := refs[gatewayRef][secretRef]
	if !found || grant == nil {
		return false
	}
	if grant.AllowAll {
		return true
	}
	return grant.AllowedNames.Contains(parsed.Name)
}
    79  
// BackendAllowed reports whether a route of kind k in routeNamespace may
// reference the Service backendName in backendNamespace. The check fails
// closed: a (from, to) pair with no grant is denied. With a grant, AllowAll
// wins; otherwise backendName must be in AllowedNames.
func (refs AllowedReferences) BackendAllowed(
	k config.GroupVersionKind,
	backendName k8s.ObjectName,
	backendNamespace k8s.Namespace,
	routeNamespace string,
) bool {
	routeRef := Reference{Kind: k, Namespace: k8s.Namespace(routeNamespace)}
	serviceRef := Reference{Kind: gvk.Service, Namespace: backendNamespace}
	// Indexing a missing outer key yields a nil inner map, which then yields nil.
	grant, found := refs[routeRef][serviceRef]
	if !found || grant == nil {
		return false
	}
	if grant.AllowAll {
		return true
	}
	return grant.AllowedNames.Contains(string(backendName))
}
    94  
// IstioResources stores all outputs of our conversion
// (the counterpart of GatewayResources, which holds the inputs).
type IstioResources struct {
	// Gateway holds the generated Istio Gateway configs.
	Gateway []config.Config
	// VirtualService holds the generated Istio VirtualService configs.
	VirtualService []config.Config
	// AllowedReferences stores all allowed references, from Reference -> to Reference(s)
	AllowedReferences AllowedReferences
	// ReferencedNamespaceKeys stores the label key of all namespace selections. This allows us to quickly
	// determine if a namespace update could have impacted any Gateways. See namespaceEvent.
	ReferencedNamespaceKeys sets.String

	// ResourceReferences stores all resources referenced by gateway-api resources. This allows us to quickly
	// determine if a resource update could have impacted any Gateways.
	// key: referenced resources(e.g. secrets), value: gateway-api resources(e.g. gateways)
	ResourceReferences map[model.ConfigKey][]model.ConfigKey
}
   110  
// Reference stores a reference to a namespaced GVK, as used by ReferencePolicy.
// It identifies one side of a cross-namespace reference (kind + namespace, no
// name) and is used as the map key of AllowedReferences, so it must stay comparable.
type Reference struct {
	// Kind is the referencing or referenced resource kind (e.g. gvk.Secret).
	Kind config.GroupVersionKind
	// Namespace is the namespace on that side of the reference.
	Namespace k8s.Namespace
}