fix: nil pointer error (envoyproxy#5000)

* fix: nil pointer error Signed-off-by: Huabing Zhao <[email protected]>
guydc · Jan 3, 2025 · 10a31f1 · 10a31f1
1 parent f71fa99
commit 10a31f1
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 12 deletions.
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -962,10 +962,16 @@ func backendRefAuthority(resources *resource.Resources, backendRef *gwapiv1.Back
 		}
 	}
 
-	return net.JoinHostPort(
-		fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace),
-		strconv.Itoa(int(*backendRef.Port)),
-	)
+	// Port is mandatory for Kubernetes services
+	if backendKind == resource.KindService {
+		return net.JoinHostPort(
+			fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace),
+			strconv.Itoa(int(*backendRef.Port)),
+		)
+	}
+
+	// Fallback to the backendRef name, normally it's a unix domain socket in this case
+	return fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace)
 }
 
 func (t *Translator) buildAuthorization(policy *egv1a1.SecurityPolicy) (*ir.Authorization, error) {

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml
@@ -107,6 +107,15 @@ backends:
         - fqdn:
             hostname: 'primary.foo.com'
             port: 3000
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-uds
+      namespace: default
+    spec:
+      endpoints:
+        - unix:
+            path: '/var/run/uds.sock'
 referenceGrants:
   - apiVersion: gateway.networking.k8s.io/v1alpha2
     kind: ReferenceGrant
@@ -179,7 +188,6 @@ securityPolicies:
       extAuth:
         http:
           backendRef:
-            name: backend-fqdn
+            name: backend-uds
             kind: Backend
             group: gateway.envoyproxy.io
-            port: 3000
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml
@@ -17,6 +17,23 @@ backends:
       reason: Accepted
       status: "True"
       type: Accepted
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: Backend
+  metadata:
+    creationTimestamp: null
+    name: backend-uds
+    namespace: default
+  spec:
+    endpoints:
+    - unix:
+        path: /var/run/uds.sock
+  status:
+    conditions:
+    - lastTransitionTime: null
+      message: The Backend was accepted
+      reason: Accepted
+      status: "True"
+      type: Accepted
 gateways:
 - apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway
@@ -322,8 +339,7 @@ securityPolicies:
         backendRef:
           group: gateway.envoyproxy.io
           kind: Backend
-          name: backend-fqdn
-          port: 3000
+          name: backend-uds
     targetRef:
       group: gateway.networking.k8s.io
       kind: HTTPRoute
@@ -526,14 +542,15 @@ xdsIR:
         security:
           extAuth:
             http:
-              authority: primary.foo.com:3000
+              authority: backend-uds.default
               destination:
                 name: securitypolicy/default/policy-for-http-route-3-http-backendref/extauth/0
                 settings:
-                - addressType: FQDN
+                - addressType: IP
                   endpoints:
-                  - host: primary.foo.com
-                    port: 3000
+                  - host: ""
+                    path: /var/run/uds.sock
+                    port: 0
                   protocol: HTTP
                   weight: 1
               path: ""

diff --git a/release-notes/current.yaml b/release-notes/current.yaml
@@ -20,6 +20,7 @@ new features: |
 
 # Fixes for bugs identified in previous versions.
 bug fixes: |
+  Fixed a nil pointer error that occurs when a SecurityPolicy refers to a UDS backend
 
 # Enhancements that improve performance.
 performance improvements: |