Add initial token validation, add tests and review changes

Signed-off-by: Karol Szwaj <[email protected]>

Author: cnvergence

internal/cmd/certgen.go

@@ -97,7 +97,7 @@ func certGen(ctx context.Context, logOut io.Writer, local bool) error {
 func outputCertsForKubernetes(ctx context.Context, cli client.Client, cfg *config.Server,
 	updateSecrets bool, certs *crypto.Certificates,
 ) error {
-	secrets, err := kubernetes.CreateOrUpdateSecrets(ctx, cli, kubernetes.CertsToSecret(cfg.Namespace, certs), updateSecrets)
+	secrets, err := kubernetes.CreateOrUpdateSecrets(ctx, cli, kubernetes.CertsToSecret(cfg.ControllerNamespace, certs), updateSecrets)
 	log := cfg.Logger
 
 	if err != nil {
@@ -121,7 +121,7 @@ func patchTopologyInjectorWebhook(ctx context.Context, cli client.Client, cfg *c
 		return nil
 	}
 
-	webhookConfigName := fmt.Sprintf("%s.%s", topologyWebhookNamePrefix, cfg.Namespace)
+	webhookConfigName := fmt.Sprintf("%s.%s", topologyWebhookNamePrefix, cfg.ControllerNamespace)
 	webhookCfg := &admissionregistrationv1.MutatingWebhookConfiguration{}
 	if err := cli.Get(ctx, client.ObjectKey{Name: webhookConfigName}, webhookCfg); err != nil {
 		return fmt.Errorf("failed to get mutating webhook configuration: %w", err)

internal/cmd/certgen_test.go

@@ -65,7 +65,7 @@ func TestPatchTopologyWebhook(t *testing.T) {
 			caseName: "Update caBundle",
 			webhook: &admissionregistrationv1.MutatingWebhookConfiguration{
 				ObjectMeta: metav1.ObjectMeta{
-					Name: fmt.Sprintf("%s.%s", topologyWebhookNamePrefix, cfg.Namespace),
+					Name: fmt.Sprintf("%s.%s", topologyWebhookNamePrefix, cfg.ControllerNamespace),
 				},
 				Webhooks: []admissionregistrationv1.MutatingWebhook{{ClientConfig: admissionregistrationv1.WebhookClientConfig{}}},
 			},
@@ -77,7 +77,7 @@ func TestPatchTopologyWebhook(t *testing.T) {
 			caseName: "No-op",
 			webhook: &admissionregistrationv1.MutatingWebhookConfiguration{
 				ObjectMeta: metav1.ObjectMeta{
-					Name: fmt.Sprintf("%s.%s", topologyWebhookNamePrefix, cfg.Namespace),
+					Name: fmt.Sprintf("%s.%s", topologyWebhookNamePrefix, cfg.ControllerNamespace),
 				},
 				Webhooks: []admissionregistrationv1.MutatingWebhook{{ClientConfig: admissionregistrationv1.WebhookClientConfig{CABundle: []byte("foo")}}},
 			},

internal/cmd/egctl/config_test.go

@@ -223,8 +223,6 @@ func TestExtractSubResourcesConfigDump(t *testing.T) {
 }
 
 func TestLabelSelectorBadInput(t *testing.T) {
-	podNamespace = "default"
-
 	cases := []struct {
 		name   string
 		args   []string

internal/crypto/certgen.go

@@ -108,8 +108,8 @@ func GenerateCerts(cfg *config.Server) (*Certificates, error) {
 		egProvider := cfg.EnvoyGateway.GetEnvoyGatewayProvider().Type
 		switch egProvider {
 		case egv1a1.ProviderTypeKubernetes:
-			egDNSNames = kubeServiceNames(DefaultEnvoyGatewayDNSPrefix, cfg.Namespace, cfg.DNSDomain)
-			envoyDNSNames = append(envoyDNSNames, fmt.Sprintf("*.%s", cfg.Namespace))
+			egDNSNames = kubeServiceNames(DefaultEnvoyGatewayDNSPrefix, cfg.ControllerNamespace, cfg.DNSDomain)
+			envoyDNSNames = append(envoyDNSNames, fmt.Sprintf("*.%s", cfg.ControllerNamespace))
 		default:
 			// Kubernetes is the only supported Envoy Gateway provider.
 			return nil, fmt.Errorf("unsupported provider type %v", egProvider)

internal/envoygateway/config/config.go

@@ -31,8 +31,8 @@ const (
 type Server struct {
 	// EnvoyGateway is the configuration used to startup Envoy Gateway.
 	EnvoyGateway *egv1a1.EnvoyGateway
-	// Namespace is the namespace that Envoy Gateway runs in.
-	Namespace string
+	// ControllerNamespace is the namespace that Envoy Gateway runs in.
+	ControllerNamespace string
 	// DNSDomain is the dns domain used by k8s services. Defaults to "cluster.local".
 	DNSDomain string
 	// Logger is the logr implementation used by Envoy Gateway.
@@ -44,11 +44,11 @@ type Server struct {
 // New returns a Server with default parameters.
 func New(logOut io.Writer) (*Server, error) {
 	return &Server{
-		EnvoyGateway: egv1a1.DefaultEnvoyGateway(),
-		Namespace:    env.Lookup("ENVOY_GATEWAY_NAMESPACE", DefaultNamespace),
-		DNSDomain:    env.Lookup("KUBERNETES_CLUSTER_DOMAIN", DefaultDNSDomain),
-		Logger:       logging.DefaultLogger(logOut, egv1a1.LogLevelInfo),
-		Elected:      make(chan struct{}),
+		EnvoyGateway:        egv1a1.DefaultEnvoyGateway(),
+		ControllerNamespace: env.Lookup("ENVOY_GATEWAY_NAMESPACE", DefaultNamespace),
+		DNSDomain:           env.Lookup("KUBERNETES_CLUSTER_DOMAIN", DefaultDNSDomain),
+		Logger:              logging.DefaultLogger(logOut, egv1a1.LogLevelInfo),
+		Elected:             make(chan struct{}),
 	}, nil
 }
 
@@ -57,7 +57,7 @@ func (s *Server) Validate() error {
 	switch {
 	case s == nil:
 		return errors.New("server config is unspecified")
-	case len(s.Namespace) == 0:
+	case len(s.ControllerNamespace) == 0:
 		return errors.New("namespace is empty string")
 	}
 	if err := validation.ValidateEnvoyGateway(s.EnvoyGateway); err != nil {

internal/envoygateway/config/config_test.go

@@ -49,15 +49,15 @@ func TestValidate(t *testing.T) {
 						Provider: egv1a1.DefaultEnvoyGatewayProvider(),
 					},
 				},
-				Namespace: "",
+				ControllerNamespace: "",
 			},
 			expect: false,
 		},
 		{
 			name: "unspecified envoy gateway",
 			cfg: &Server{
-				Namespace: "test-ns",
-				Logger:    logging.DefaultLogger(os.Stdout, egv1a1.LogLevelInfo),
+				ControllerNamespace: "test-ns",
+				Logger:              logging.DefaultLogger(os.Stdout, egv1a1.LogLevelInfo),
 			},
 			expect: false,
 		},

internal/extension/registry/extension_manager.go

@@ -77,7 +77,7 @@ func NewManager(cfg *config.Server) (extTypes.Manager, error) {
 
 	return &Manager{
 		k8sClient: cli,
-		namespace: cfg.Namespace,
+		namespace: cfg.ControllerNamespace,
 		extension: *extension,
 	}, nil
 }

internal/gatewayapi/runner/runner.go

@@ -157,7 +157,7 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *re
 					GlobalRateLimitEnabled:    r.EnvoyGateway.RateLimit != nil,
 					EnvoyPatchPolicyEnabled:   r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy,
 					BackendEnabled:            r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableBackend,
-					Namespace:                 r.Namespace,
+					ControllerNamespace:       r.ControllerNamespace,
 					GatewayNamespaceMode:      r.EnvoyGateway.GatewayNamespaceMode(),
 					MergeGateways:             gatewayapi.IsMergeGatewaysEnabled(resources),
 					WasmCache:                 r.wasmCache,
@@ -313,7 +313,7 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *re
 func (r *Runner) loadTLSConfig(ctx context.Context) (tlsConfig *tls.Config, salt []byte, err error) {
 	switch {
 	case r.EnvoyGateway.Provider.IsRunningOnKubernetes():
-		salt, err = hmac(ctx, r.Namespace)
+		salt, err = hmac(ctx, r.ControllerNamespace)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to get hmac secret: %w", err)
 		}

internal/gatewayapi/securitypolicy.go

@@ -905,14 +905,14 @@ func (t *Translator) buildOIDC(
 	// HMAC secret is generated by the CertGen job and stored in a secret
 	// We need to rotate the HMAC secret in the future, probably the same
 	// way we rotate the certs generated by the CertGen job.
-	hmacSecret := resources.GetSecret(t.Namespace, oidcHMACSecretName)
+	hmacSecret := resources.GetSecret(t.ControllerNamespace, oidcHMACSecretName)
 	if hmacSecret == nil {
-		return nil, fmt.Errorf("HMAC secret %s/%s not found", t.Namespace, oidcHMACSecretName)
+		return nil, fmt.Errorf("HMAC secret %s/%s not found", t.ControllerNamespace, oidcHMACSecretName)
 	}
 	hmacData, ok := hmacSecret.Data[oidcHMACSecretKey]
 	if !ok || len(hmacData) == 0 {
 		return nil, fmt.Errorf(
-			"HMAC secret not found in secret %s/%s", t.Namespace, oidcHMACSecretName)
+			"HMAC secret not found in secret %s/%s", t.ControllerNamespace, oidcHMACSecretName)
 	}
 
 	return &ir.OIDC{

internal/gatewayapi/testdata/backendtrafficpolicy-request-buffer.out.yaml

@@ -228,6 +228,7 @@ infraIR:
           gateway.envoyproxy.io/owning-gateway-name: gateway-1
           gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
       name: envoy-gateway/gateway-1
+      namespace: envoy-gateway-system
   envoy-gateway/gateway-2:
     proxy:
       listeners:
@@ -243,6 +244,7 @@ infraIR:
           gateway.envoyproxy.io/owning-gateway-name: gateway-2
           gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
       name: envoy-gateway/gateway-2
+      namespace: envoy-gateway-system
 xdsIR:
   envoy-gateway/gateway-1:
     accessLog:

internal/gatewayapi/translator.go

@@ -90,8 +90,8 @@ type Translator struct {
 	// store referenced resources in the IR for later use.
 	ExtensionGroupKinds []schema.GroupKind
 
-	// Namespace is the namespace that Envoy Gateway runs in.
-	Namespace string
+	// ControllerNamespace is the namespace that Envoy Gateway controller runs in.
+	ControllerNamespace string
 
 	// WasmCache is the cache for Wasm modules.
 	WasmCache wasm.Cache
@@ -308,7 +308,7 @@ func (t *Translator) InitIRs(gateways []*GatewayContext) (map[string]*ir.Xds, ma
 		}
 
 		gwInfraIR.Proxy.Name = irKey
-		gwInfraIR.Proxy.Namespace = t.Namespace
+		gwInfraIR.Proxy.Namespace = t.ControllerNamespace
 		if t.GatewayNamespaceMode {
 			gwInfraIR.Proxy.Namespace = gateway.Gateway.Namespace
 		}

internal/gatewayapi/translator_test.go

@@ -96,7 +96,7 @@ func TestTranslate(t *testing.T) {
 				GlobalRateLimitEnabled:  true,
 				EnvoyPatchPolicyEnabled: envoyPatchPolicyEnabled,
 				BackendEnabled:          backendEnabled,
-				Namespace:               "envoy-gateway-system",
+				ControllerNamespace:     "envoy-gateway-system",
 				MergeGateways:           IsMergeGatewaysEnabled(resources),
 				GatewayNamespaceMode:    gatewayNamespaceMode,
 				WasmCache:               &mockWasmCache{},

internal/infrastructure/host/proxy_infra.go

@@ -74,7 +74,7 @@ func (i *Infra) CreateOrUpdateProxyInfra(ctx context.Context, infra *ir.Infra) e
 		StatsServerPort: ptr.To(int32(0)),
 	}
 
-	args, err := common.BuildProxyArgs(proxyInfra, proxyConfig.Spec.Shutdown, bootstrapConfigOptions, proxyName, i.EnvoyGateway.GatewayNamespaceMode())
+	args, err := common.BuildProxyArgs(proxyInfra, proxyConfig.Spec.Shutdown, bootstrapConfigOptions, proxyName, false)
 	if err != nil {
 		return err
 	}

internal/infrastructure/kubernetes/infra.go

@@ -63,7 +63,7 @@ type Infra struct {
 func NewInfra(cli client.Client, cfg *config.Server) *Infra {
 	var ns string
 	if !cfg.EnvoyGateway.GatewayNamespaceMode() {
-		ns = cfg.Namespace
+		ns = cfg.ControllerNamespace
 	}
 	return &Infra{
 		Namespace:    ns,

internal/infrastructure/kubernetes/proxy/resource.go

@@ -289,21 +289,17 @@ func expectedShutdownPreStopCommand(cfg *egv1a1.ShutdownConfig) []string {
 
 // expectedContainerVolumeMounts returns expected proxy container volume mounts.
 func expectedContainerVolumeMounts(containerSpec *egv1a1.KubernetesContainerSpec) []corev1.VolumeMount {
-	var volumeMounts []corev1.VolumeMount
-
-	certsMount := corev1.VolumeMount{
-		Name:      "certs",
-		MountPath: "/certs",
-		ReadOnly:  true,
-	}
-	volumeMounts = append(volumeMounts, certsMount)
-
-	sdsMount := corev1.VolumeMount{
-		Name:      "sds",
-		MountPath: "/sds",
+	volumeMounts := []corev1.VolumeMount{
+		{
+			Name:      "certs",
+			MountPath: "/certs",
+			ReadOnly:  true,
+		},
+		{
+			Name:      "sds",
+			MountPath: "/sds",
+		},
 	}
-	volumeMounts = append(volumeMounts, sdsMount)
-
 	return resource.ExpectedContainerVolumeMounts(containerSpec, volumeMounts)
 }
 

internal/infrastructure/kubernetes/proxy/resource_provider_test.go

@@ -45,6 +45,12 @@ func newTestInfra() *ir.Infra {
 	return newTestInfraWithAnnotations(nil)
 }
 
+func newTestInfraWithNamespace(namespace string) *ir.Infra {
+	i := newTestInfra()
+	i.Proxy.Namespace = namespace
+	return i
+}
+
 func newTestInfraWithIPFamily(family *egv1a1.IPFamily) *ir.Infra {
 	i := newTestInfra()
 	i.Proxy.Config = &egv1a1.EnvoyProxy{
@@ -120,16 +126,17 @@ func TestDeployment(t *testing.T) {
 	require.NoError(t, err)
 
 	cases := []struct {
-		caseName        string
-		infra           *ir.Infra
-		deploy          *egv1a1.KubernetesDeploymentSpec
-		shutdown        *egv1a1.ShutdownConfig
-		shutdownManager *egv1a1.ShutdownManager
-		proxyLogging    map[egv1a1.ProxyLogComponent]egv1a1.LogLevel
-		bootstrap       string
-		telemetry       *egv1a1.ProxyTelemetry
-		concurrency     *int32
-		extraArgs       []string
+		caseName             string
+		infra                *ir.Infra
+		deploy               *egv1a1.KubernetesDeploymentSpec
+		shutdown             *egv1a1.ShutdownConfig
+		shutdownManager      *egv1a1.ShutdownManager
+		proxyLogging         map[egv1a1.ProxyLogComponent]egv1a1.LogLevel
+		bootstrap            string
+		telemetry            *egv1a1.ProxyTelemetry
+		concurrency          *int32
+		extraArgs            []string
+		gatewayNamespaceMode bool
 	}{
 		{
 			caseName: "default",
@@ -560,6 +567,11 @@ func TestDeployment(t *testing.T) {
 				Name: ptr.To("custom-deployment-name"),
 			},
 		},
+		{
+			caseName:             "gateway-namespace-mode",
+			infra:                newTestInfraWithNamespace("default"),
+			gatewayNamespaceMode: true,
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.caseName, func(t *testing.T) {
@@ -604,8 +616,21 @@ func TestDeployment(t *testing.T) {
 			if len(tc.extraArgs) > 0 {
 				tc.infra.Proxy.Config.Spec.ExtraArgs = tc.extraArgs
 			}
+			namespace := cfg.ControllerNamespace
+			if tc.gatewayNamespaceMode {
+				deployType := egv1a1.KubernetesDeployModeType(egv1a1.KubernetesDeployModeTypeGatewayNamespace)
+				cfg.EnvoyGateway.Provider = &egv1a1.EnvoyGatewayProvider{
+					Type: egv1a1.ProviderTypeKubernetes,
+					Kubernetes: &egv1a1.EnvoyGatewayKubernetesProvider{
+						Deploy: &egv1a1.KubernetesDeployMode{
+							Type: &deployType,
+						},
+					},
+				}
+				namespace = tc.infra.GetProxyInfra().Namespace
+			}
 
-			r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
+			r := NewResourceRender(namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
 			dp, err := r.Deployment()
 			require.NoError(t, err)
 
@@ -1034,7 +1059,7 @@ func TestDaemonSet(t *testing.T) {
 				tc.infra.Proxy.Config.Spec.ExtraArgs = tc.extraArgs
 			}
 
-			r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
+			r := NewResourceRender(cfg.ControllerNamespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
 			ds, err := r.DaemonSet()
 			require.NoError(t, err)
 
@@ -1199,7 +1224,7 @@ func TestService(t *testing.T) {
 				provider.EnvoyService = tc.service
 			}
 
-			r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
+			r := NewResourceRender(cfg.ControllerNamespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
 			svc, err := r.Service()
 			require.NoError(t, err)
 
@@ -1242,7 +1267,7 @@ func TestConfigMap(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
+			r := NewResourceRender(cfg.ControllerNamespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
 			cm, err := r.ConfigMap("")
 			require.NoError(t, err)
 
@@ -1285,7 +1310,7 @@ func TestServiceAccount(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
+			r := NewResourceRender(cfg.ControllerNamespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
 			sa, err := r.ServiceAccount()
 			require.NoError(t, err)
 
@@ -1400,7 +1425,7 @@ func TestPDB(t *testing.T) {
 
 			provider.GetEnvoyProxyKubeProvider()
 
-			r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
+			r := NewResourceRender(cfg.ControllerNamespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
 
 			pdb, err := r.PodDisruptionBudget()
 			require.NoError(t, err)
@@ -1512,7 +1537,7 @@ func TestHorizontalPodAutoscaler(t *testing.T) {
 			}
 			provider.GetEnvoyProxyKubeProvider()
 
-			r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
+			r := NewResourceRender(cfg.ControllerNamespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
 			hpa, err := r.HorizontalPodAutoscaler()
 			require.NoError(t, err)