multi-network: fix eastwest gateway endpoint filtering (#38762) (#39275)

* multi-network: prevent eastwest gateway endpoint filtering Change-Id: I8395c8272bb6ba4b79b663194102852a739400b9 * rel note Change-Id: I4f34b1f47ddf976fa9417a63c3a4331a76f2b613 * skip check for 500s Change-Id: I3b9ca40346467c91d479f0d91c8d5c813f3898c4 * multiple calls per-cluster Change-Id: I2cb8653f4cbd20f78c2f25c9ac7d6fa983dff2c8 * remove global dr workaround Change-Id: I045946df16e54fe49f7a6a5103d9cafa446474af * remove old tests Change-Id: I074b4145eac7fe8d7ce967f3a149fb94be5427a6
istio · Jun 3, 2022 · 097fed9 · 097fed9
1 parent 2bf6d17
commit 097fed9
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 6 deletions.
diff --git a/pilot/pkg/xds/endpoint_builder.go b/pilot/pkg/xds/endpoint_builder.go
@@ -103,10 +103,11 @@ func NewEndpointBuilder(clusterName string, proxy *model.Proxy, push *model.Push
 		port:       port,
 	}
 
+	passthroughMode := model.IsDNSSrvSubsetKey(clusterName)
 	// We need this for multi-network, or for clusters meant for use with AUTO_PASSTHROUGH.
 	if features.EnableAutomTLSCheckPolicies ||
-		b.push.NetworkManager().IsMultiNetworkEnabled() || model.IsDNSSrvSubsetKey(clusterName) {
-		b.mtlsChecker = newMtlsChecker(push, port, dr)
+		b.push.NetworkManager().IsMultiNetworkEnabled() || passthroughMode {
+		b.mtlsChecker = newMtlsChecker(push, port, dr, passthroughMode)
 	}
 	return b
 }
@@ -435,19 +436,26 @@ type mtlsChecker struct {
 	rootPolicyMode *networkingapi.ClientTLSSettings_TLSmode
 }
 
-func newMtlsChecker(push *model.PushContext, svcPort int, dr *config.Config) *mtlsChecker {
+func newMtlsChecker(push *model.PushContext, svcPort int, dr *config.Config, passthroughMode bool) *mtlsChecker {
+	var rootPolicyMode *networkingapi.ClientTLSSettings_TLSmode
 	var drSpec *networkingapi.DestinationRule
-	if dr != nil {
-		drSpec = dr.Spec.(*networkingapi.DestinationRule)
+
+	// tcp passthrough gateways don't care about client settings
+	if !passthroughMode {
+		rootPolicyMode = mtlsModeForDefaultTrafficPolicy(dr, svcPort)
+		if dr != nil {
+			drSpec = dr.Spec.(*networkingapi.DestinationRule)
+		}
 	}
+
 	return &mtlsChecker{
 		push:                 push,
 		svcPort:              svcPort,
 		destinationRule:      drSpec,
 		mtlsDisabledHosts:    map[string]struct{}{},
 		peerAuthDisabledMTLS: map[string]bool{},
 		subsetPolicyMode:     map[string]*networkingapi.ClientTLSSettings_TLSmode{},
-		rootPolicyMode:       mtlsModeForDefaultTrafficPolicy(dr, svcPort),
+		rootPolicyMode:       rootPolicyMode,
 	}
 }
 

diff --git a/releasenotes/notes/38704.yaml b/releasenotes/notes/38704.yaml
@@ -0,0 +1,7 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+issue: [38704]
+releaseNotes:
+- |
+  **Fixed** improper filtering of endpoints from East-West Gateway caused by `DestinationRule` TLS settings.