Revert "multi-network: fix eastwest gateway endpoint filtering (istio…

…#38762)" This reverts commit 7f8c1c1.
nmittler · Jun 7, 2022 · 87c7e55 · 87c7e55
1 parent 7888660
commit 87c7e55
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 22 deletions.
diff --git a/pilot/pkg/xds/endpoint_builder.go b/pilot/pkg/xds/endpoint_builder.go
@@ -107,11 +107,10 @@ func NewEndpointBuilder(clusterName string, proxy *model.Proxy, push *model.Push
 		port:       port,
 	}
 
-	passthroughMode := model.IsDNSSrvSubsetKey(clusterName)
 	// We need this for multi-network, or for clusters meant for use with AUTO_PASSTHROUGH.
 	if features.EnableAutomTLSCheckPolicies ||
-		b.push.NetworkManager().IsMultiNetworkEnabled() || passthroughMode {
-		b.mtlsChecker = newMtlsChecker(push, port, dr, passthroughMode)
+		b.push.NetworkManager().IsMultiNetworkEnabled() || model.IsDNSSrvSubsetKey(clusterName) {
+		b.mtlsChecker = newMtlsChecker(push, port, dr)
 	}
 	return b
 }
@@ -423,26 +422,19 @@ type mtlsChecker struct {
 	rootPolicyMode *networkingapi.ClientTLSSettings_TLSmode
 }
 
-func newMtlsChecker(push *model.PushContext, svcPort int, dr *config.Config, passthroughMode bool) *mtlsChecker {
-	var rootPolicyMode *networkingapi.ClientTLSSettings_TLSmode
+func newMtlsChecker(push *model.PushContext, svcPort int, dr *config.Config) *mtlsChecker {
 	var drSpec *networkingapi.DestinationRule
-
-	// tcp passthrough gateways don't care about client settings
-	if !passthroughMode {
-		rootPolicyMode = mtlsModeForDefaultTrafficPolicy(dr, svcPort)
-		if dr != nil {
-			drSpec = dr.Spec.(*networkingapi.DestinationRule)
-		}
+	if dr != nil {
+		drSpec = dr.Spec.(*networkingapi.DestinationRule)
 	}
-
 	return &mtlsChecker{
 		push:                 push,
 		svcPort:              svcPort,
 		destinationRule:      drSpec,
 		mtlsDisabledHosts:    map[string]struct{}{},
 		peerAuthDisabledMTLS: map[string]bool{},
 		subsetPolicyMode:     map[string]*networkingapi.ClientTLSSettings_TLSmode{},
-		rootPolicyMode:       rootPolicyMode,
+		rootPolicyMode:       mtlsModeForDefaultTrafficPolicy(dr, svcPort),
 	}
 }
 

diff --git a/pkg/test/framework/components/echo/check/checkers.go b/pkg/test/framework/components/echo/check/checkers.go
@@ -383,7 +383,7 @@ func checkReachedNetworks(result echo.CallResult, allClusters cluster.Clusters,
 	// Verify that all expected networks were reached.
 	for network := range expectedByNetwork {
 		if networkHits[network] == 0 {
-			return fmt.Errorf("did not reach network %q, got %v", network, networkHits)
+			return fmt.Errorf("did not reach network %v, got %v", network, networkHits)
 		}
 	}
 

diff --git a/releasenotes/notes/38704.yaml b/releasenotes/notes/38704.yaml
diff --git a/tests/integration/security/authz/testdata/v1beta1/egress-gateway.yaml.tmpl b/tests/integration/security/authz/testdata/v1beta1/egress-gateway.yaml.tmpl
@@ -161,3 +161,18 @@ spec:
         tls:
           mode: ISTIO_MUTUAL
 ---
+# TODO(nmittler): Shouldn't need this. Workaround for https://github.com/istio/istio/issues/38704.
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: test-egress
+  namespace: {{ .SystemNamespace.Name }}
+spec:
+  host: "istio-egressgateway.{{ .SystemNamespace.Name }}.svc.cluster.local"
+  trafficPolicy:
+    portLevelSettings:
+      - port:
+          number: 443
+        tls:
+          mode: ISTIO_MUTUAL
+---