fix: multiple reference grants in same namespace

[ardikabs]

What type of PR is this?

The current behavior of Envoy Gateway when working with multiple ReferenceGrants in the same namespace is problematic. When searching for a ReferenceGrant for corresponding resources, such as the HTTPRoute, it only checks the ReferenceGrant.spec.from semantics. However, during translation, the translator validates both the ReferenceGrant.spec.from and ReferenceGrant.spec.to semantics thoroughly.
As a result, the findReferenceGrant method only captures the first ReferenceGrant with the correct From, meaning other ReferenceGrants are not honored. This leads to the corresponding resource that uses two different resource references encountering an error message such as Backend ref to service <namespace>/<service_name> not permitted by any ReferenceGrant during translation.

Code for findReferenceGrant:

gateway/internal/provider/kubernetes/controller.go

Lines 771 to 782 in 3497600

	for _, refGrant := range refGrants {
	if refGrant.Namespace == to.namespace {
	for _, src := range refGrant.Spec.From {
	if src.Kind == gwapiv1a2.Kind(from.kind) && string(src.Namespace) == from.namespace {
	return &refGrant, nil
	}
	}
	}
	}
	// No ReferenceGrant found.
	return nil, nil

Code for translation:

gateway/internal/gatewayapi/validate.go

Lines 832 to 857 in 3497600

	var fromAllowed bool
	for _, refGrantFrom := range referenceGrant.Spec.From {
	if string(refGrantFrom.Namespace) == from.namespace && string(refGrantFrom.Group) == from.group && string(refGrantFrom.Kind) == from.kind {
	fromAllowed = true
	break
	}
	}
	if !fromAllowed {
	continue
	}
	// Check if the ReferenceGrant has a matching "to".
	var toAllowed bool
	for _, refGrantTo := range referenceGrant.Spec.To {
	if string(refGrantTo.Group) == to.group && string(refGrantTo.Kind) == to.kind && (refGrantTo.Name == nil || *refGrantTo.Name == "" || string(*refGrantTo.Name) == to.name) {
	toAllowed = true
	break
	}
	}
	if !toAllowed {
	continue
	}
	// If we got here, both the "from" and the "to" were allowed by this
	// reference grant.
	return true

Proposed Solution

This PR modifies the findReferenceGrant method to also check the To semantics.

Fixes #2149

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 17 lines in your changes missing coverage. Please review.

Project coverage is 67.62%. Comparing base (975b1e8) to head (dd4fde8).

Files	Patch %	Lines
internal/provider/kubernetes/controller.go	0.00%	17 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4008      +/-   ##
==========================================
+ Coverage   67.61%   67.62%   +0.01%     
==========================================
  Files         185      185              
  Lines       22578    22591      +13     
==========================================
+ Hits        15265    15277      +12     
- Misses       6217     6221       +4     
+ Partials     1096     1093       -3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ardikabs]

since there is no existing unit test for the corresponding line, could anyone advise me on whether I should add a unit test elsewhere?

[shawnh2]

since there is no existing unit test for the corresponding line, could anyone advise me on whether I should add a unit test elsewhere?

An e2e test would be nice!

[ardikabs]

An e2e test would be nice!

@shawnh2 do you mean the integration, like here?

[shawnh2]

An e2e test would be nice!

@shawnh2 do you mean the integration, like here?

no, it's under test/e2e.

[ardikabs]

hi @shawnh2,
I've added an e2e test, but it seems that some of the other tests, like TestE2E/Wasm_HTTP_Code_Source, are a bit flaky.

[shawnh2]

they sure are flaky, and we are trying to repair them. 😿

[shawnh2]

LGTM! Thanks for fixing this

[shawnh2]

/retest

[arkodg]

LGTM !
thanks for adding an e2e