Skip to content

Commit 6f2ecc3

Browse files
committed
wip
Signed-off-by: npolshakova <nina.polshakova@solo.io>
1 parent 7766774 commit 6f2ecc3

19 files changed

Lines changed: 2290 additions & 224 deletions

File tree

.ko.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,5 +19,6 @@ defaultPlatforms:
1919
- linux/arm64
2020

2121
baseImageOverrides:
22+
github.com/agent-substrate/substrate/cmd/ateom-gvisor: cr.agentgateway.dev/agentgateway:v1.3.0-alpha.1
2223
github.com/agent-substrate/substrate/demos/sandbox: alpine
2324
github.com/agent-substrate/substrate/demos/agent-secret: alpine

cmd/ateapi/internal/controlapi/workload_spec.go

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -69,7 +69,53 @@ func buildAteletEgressPolicyRules(rules []atev1alpha1.EgressPolicyRule) []*atele
6969
Protocol: string(port.Protocol),
7070
})
7171
}
72+
outRule.Tls = buildAteletEgressTLSPolicy(rule.TLS)
73+
outRule.Credentials = buildAteletEgressCredentialPolicy(rule.Credentials)
7274
out = append(out, outRule)
7375
}
7476
return out
7577
}
78+
79+
func buildAteletEgressTLSPolicy(policy *atev1alpha1.EgressTLSPolicy) *ateletpb.EgressTLSPolicy {
80+
if policy == nil {
81+
return nil
82+
}
83+
out := &ateletpb.EgressTLSPolicy{
84+
Mode: string(policy.Mode),
85+
Required: policy.Required,
86+
}
87+
if policy.Intercept != nil {
88+
out.Intercept = &ateletpb.EgressTLSInterceptPolicy{
89+
ValidateUpstream: policy.Intercept.ValidateUpstream,
90+
}
91+
if policy.Intercept.IssuerSecretRef != nil {
92+
out.Intercept.IssuerSecretRef = &ateletpb.SecretReference{
93+
Name: policy.Intercept.IssuerSecretRef.Name,
94+
Namespace: policy.Intercept.IssuerSecretRef.Namespace,
95+
}
96+
}
97+
}
98+
return out
99+
}
100+
101+
func buildAteletEgressCredentialPolicy(policy *atev1alpha1.EgressCredentialPolicy) *ateletpb.EgressCredentialPolicy {
102+
if policy == nil {
103+
return nil
104+
}
105+
out := &ateletpb.EgressCredentialPolicy{}
106+
for _, injection := range policy.Inject {
107+
outInjection := &ateletpb.EgressCredentialInjection{
108+
Header: injection.Header,
109+
}
110+
if injection.ValueFrom.SecretKeyRef != nil {
111+
outInjection.ValueFrom = &ateletpb.EgressCredentialValueFrom{
112+
SecretKeyRef: &ateletpb.SecretKeySelector{
113+
Name: injection.ValueFrom.SecretKeyRef.Name,
114+
Key: injection.ValueFrom.SecretKeyRef.Key,
115+
},
116+
}
117+
}
118+
out.Inject = append(out.Inject, outInjection)
119+
}
120+
return out
121+
}

cmd/ateapi/internal/controlapi/workload_spec_test.go

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,32 @@ func TestBuildAteletWorkloadSpecIncludesEgressPolicy(t *testing.T) {
4040
Ports: []atev1alpha1.EgressPort{
4141
{Port: 443, Protocol: corev1.ProtocolTCP},
4242
},
43+
TLS: &atev1alpha1.EgressTLSPolicy{
44+
Mode: atev1alpha1.EgressTLSModeIntercept,
45+
Required: true,
46+
Intercept: &atev1alpha1.EgressTLSInterceptPolicy{
47+
IssuerSecretRef: &corev1.SecretReference{
48+
Name: "egress-ca",
49+
Namespace: "ate-system",
50+
},
51+
ValidateUpstream: true,
52+
},
53+
},
54+
Credentials: &atev1alpha1.EgressCredentialPolicy{
55+
Inject: []atev1alpha1.EgressCredentialInjection{
56+
{
57+
Header: "Authorization",
58+
ValueFrom: atev1alpha1.EgressCredentialValueFrom{
59+
SecretKeyRef: &corev1.SecretKeySelector{
60+
Key: "token",
61+
LocalObjectReference: corev1.LocalObjectReference{
62+
Name: "github-token",
63+
},
64+
},
65+
},
66+
},
67+
},
68+
},
4369
},
4470
},
4571
},
@@ -62,4 +88,13 @@ func TestBuildAteletWorkloadSpecIncludesEgressPolicy(t *testing.T) {
6288
if got, want := allow[0].GetPorts()[0].GetProtocol(), "TCP"; got != want {
6389
t.Fatalf("protocol = %q, want %q", got, want)
6490
}
91+
if got, want := allow[0].GetTls().GetMode(), "Intercept"; got != want {
92+
t.Fatalf("tls mode = %q, want %q", got, want)
93+
}
94+
if got, want := allow[0].GetTls().GetIntercept().GetIssuerSecretRef().GetName(), "egress-ca"; got != want {
95+
t.Fatalf("issuer secret = %q, want %q", got, want)
96+
}
97+
if got, want := allow[0].GetCredentials().GetInject()[0].GetValueFrom().GetSecretKeyRef().GetName(), "github-token"; got != want {
98+
t.Fatalf("credential secret = %q, want %q", got, want)
99+
}
65100
}

cmd/atelet/main.go

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -550,11 +550,57 @@ func buildAteomEgressPolicyRules(rules []*ateletpb.EgressPolicyRule) []*ateompb.
550550
Protocol: port.GetProtocol(),
551551
})
552552
}
553+
outRule.Tls = buildAteomEgressTLSPolicy(rule.GetTls())
554+
outRule.Credentials = buildAteomEgressCredentialPolicy(rule.GetCredentials())
553555
out = append(out, outRule)
554556
}
555557
return out
556558
}
557559

560+
func buildAteomEgressTLSPolicy(policy *ateletpb.EgressTLSPolicy) *ateompb.EgressTLSPolicy {
561+
if policy == nil {
562+
return nil
563+
}
564+
out := &ateompb.EgressTLSPolicy{
565+
Mode: policy.GetMode(),
566+
Required: policy.GetRequired(),
567+
}
568+
if policy.GetIntercept() != nil {
569+
out.Intercept = &ateompb.EgressTLSInterceptPolicy{
570+
ValidateUpstream: policy.GetIntercept().GetValidateUpstream(),
571+
}
572+
if policy.GetIntercept().GetIssuerSecretRef() != nil {
573+
out.Intercept.IssuerSecretRef = &ateompb.SecretReference{
574+
Name: policy.GetIntercept().GetIssuerSecretRef().GetName(),
575+
Namespace: policy.GetIntercept().GetIssuerSecretRef().GetNamespace(),
576+
}
577+
}
578+
}
579+
return out
580+
}
581+
582+
func buildAteomEgressCredentialPolicy(policy *ateletpb.EgressCredentialPolicy) *ateompb.EgressCredentialPolicy {
583+
if policy == nil {
584+
return nil
585+
}
586+
out := &ateompb.EgressCredentialPolicy{}
587+
for _, injection := range policy.GetInject() {
588+
outInjection := &ateompb.EgressCredentialInjection{
589+
Header: injection.GetHeader(),
590+
}
591+
if injection.GetValueFrom().GetSecretKeyRef() != nil {
592+
outInjection.ValueFrom = &ateompb.EgressCredentialValueFrom{
593+
SecretKeyRef: &ateompb.SecretKeySelector{
594+
Name: injection.GetValueFrom().GetSecretKeyRef().GetName(),
595+
Key: injection.GetValueFrom().GetSecretKeyRef().GetKey(),
596+
},
597+
}
598+
}
599+
out.Inject = append(out.Inject, outInjection)
600+
}
601+
return out
602+
}
603+
558604
// uploadIfExists uploads a local file to GCS (zstd-compressed) only if
559605
// the file is present. Missing files are silently skipped — used for
560606
// optional checkpoint side-files (pages.img, pages_meta.img).

cmd/atelet/main_test.go

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,30 @@ func TestBuildAteomWorkloadSpecIncludesEgressPolicy(t *testing.T) {
3333
Ports: []*ateletpb.EgressPort{
3434
{Port: 443, Protocol: "TCP"},
3535
},
36+
Tls: &ateletpb.EgressTLSPolicy{
37+
Mode: "Intercept",
38+
Required: true,
39+
Intercept: &ateletpb.EgressTLSInterceptPolicy{
40+
IssuerSecretRef: &ateletpb.SecretReference{
41+
Name: "egress-ca",
42+
Namespace: "ate-system",
43+
},
44+
ValidateUpstream: true,
45+
},
46+
},
47+
Credentials: &ateletpb.EgressCredentialPolicy{
48+
Inject: []*ateletpb.EgressCredentialInjection{
49+
{
50+
Header: "Authorization",
51+
ValueFrom: &ateletpb.EgressCredentialValueFrom{
52+
SecretKeyRef: &ateletpb.SecretKeySelector{
53+
Name: "github-token",
54+
Key: "token",
55+
},
56+
},
57+
},
58+
},
59+
},
3660
},
3761
},
3862
},
@@ -47,4 +71,10 @@ func TestBuildAteomWorkloadSpecIncludesEgressPolicy(t *testing.T) {
4771
if got, want := spec.GetEgressPolicy().GetAllow()[0].GetPorts()[0].GetPort(), uint32(443); got != want {
4872
t.Fatalf("port = %d, want %d", got, want)
4973
}
74+
if got, want := spec.GetEgressPolicy().GetAllow()[0].GetTls().GetMode(), "Intercept"; got != want {
75+
t.Fatalf("tls mode = %q, want %q", got, want)
76+
}
77+
if got, want := spec.GetEgressPolicy().GetAllow()[0].GetCredentials().GetInject()[0].GetHeader(), "Authorization"; got != want {
78+
t.Fatalf("credential header = %q, want %q", got, want)
79+
}
5080
}

0 commit comments

Comments
 (0)