From f55689104f066d35418a8720236c440820c4c3b8 Mon Sep 17 00:00:00 2001
From: Lei Tang <32078630+lei-tang@users.noreply.github.com>
Date: Thu, 9 Jun 2022 09:36:20 -0700
Subject: [PATCH] Revert "multi-network: fix eastwest gateway endpoint filtering (#38762) (#39275)"

This reverts commit 097fed9817564fbb9ee33c55db245c2c226f52b9.
---
 pilot/pkg/xds/endpoint_builder.go | 20 ++++++--------------
 releasenotes/notes/38704.yaml | 7 -------
 2 files changed, 6 insertions(+), 21 deletions(-)
 delete mode 100644 releasenotes/notes/38704.yaml

diff --git a/pilot/pkg/xds/endpoint_builder.go b/pilot/pkg/xds/endpoint_builder.go
index 7f2b7222e743..6b061ca6465c 100644
--- a/pilot/pkg/xds/endpoint_builder.go
+++ b/pilot/pkg/xds/endpoint_builder.go
@@ -103,11 +103,10 @@ func NewEndpointBuilder(clusterName string, proxy *model.Proxy, push *model.Push
 port: port,
 }

- passthroughMode := model.IsDNSSrvSubsetKey(clusterName)
 // We need this for multi-network, or for clusters meant for use with AUTO_PASSTHROUGH.
 if features.EnableAutomTLSCheckPolicies ||
- b.push.NetworkManager().IsMultiNetworkEnabled() || passthroughMode {
- b.mtlsChecker = newMtlsChecker(push, port, dr, passthroughMode)
+ b.push.NetworkManager().IsMultiNetworkEnabled() || model.IsDNSSrvSubsetKey(clusterName) {
+ b.mtlsChecker = newMtlsChecker(push, port, dr)
 }
 return b
 }
@@ -436,18 +435,11 @@ type mtlsChecker struct {
 rootPolicyMode *networkingapi.ClientTLSSettings_TLSmode
 }

-func newMtlsChecker(push *model.PushContext, svcPort int, dr *config.Config, passthroughMode bool) *mtlsChecker {
- var rootPolicyMode *networkingapi.ClientTLSSettings_TLSmode
+func newMtlsChecker(push *model.PushContext, svcPort int, dr *config.Config) *mtlsChecker {
 var drSpec *networkingapi.DestinationRule
-
- // tcp passthrough gateways don't care about client settings
- if !passthroughMode {
- rootPolicyMode = mtlsModeForDefaultTrafficPolicy(dr, svcPort)
- if dr != nil {
- drSpec = dr.Spec.(*networkingapi.DestinationRule)
- }
+ if dr != nil {
+ drSpec = dr.Spec.(*networkingapi.DestinationRule)
 }
-
 return &mtlsChecker{
 push: push,
 svcPort: svcPort,
@@ -455,7 +447,7 @@ func newMtlsChecker(push *model.PushContext, svcPort int, dr *config.Config, pas
 mtlsDisabledHosts: map[string]struct{}{},
 peerAuthDisabledMTLS: map[string]bool{},
 subsetPolicyMode: map[string]*networkingapi.ClientTLSSettings_TLSmode{},
- rootPolicyMode: rootPolicyMode,
+ rootPolicyMode: mtlsModeForDefaultTrafficPolicy(dr, svcPort),
 }
 }

diff --git a/releasenotes/notes/38704.yaml b/releasenotes/notes/38704.yaml
deleted file mode 100644
index ba7558e07e0c..000000000000
--- a/releasenotes/notes/38704.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: release-notes/v2
-kind: bug-fix
-area: traffic-management
-issue: [38704]
-releaseNotes:
-- |
- **Fixed** improper filtering of endpoints from East-West Gateway caused by `DestinationRule` TLS settings.
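Review bot: In `newMtlsChecker`, `drSpec` and `rootPolicyMode: mtlsModeForDefaultTrafficPolicy(dr, svcPort)` are again derived from the `DestinationRule` for every cluster, including the DNS-SRV subset (AUTO_PASSTHROUGH) clusters that the call site in the first hunk selects with `model.IsDNSSrvSubsetKey(clusterName)`. The removed comment and the deleted release note suggest this is the path where `DestinationRule` TLS settings caused east-west gateway endpoints to be filtered incorrectly (issue 38704), so the revert presumably brings that behaviour back, and the commit message gives no reason for accepting it. I would state the reason in the description and add a comment above the constructor such as `// NOTE: DestinationRule client TLS settings also apply to AUTO_PASSTHROUGH clusters here; see issue 38704.` The struct literal starts in the second hunk and continues into the third, with lines between them not shown.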