Revert "targetRef implementation for RequestAuthentication (istio#46915…

…)" (istio#47060) This reverts commit 67badcf.
WillardHu · Sep 21, 2023 · e07b87a · e07b87a
1 parent c840fa5
commit e07b87a
Showing 27 changed files with 40 additions and 2,027 deletions.
diff --git a/pilot/pkg/config/kube/gateway/deploymentcontroller.go b/pilot/pkg/config/kube/gateway/deploymentcontroller.go
@@ -436,7 +436,7 @@ func (d *DeploymentController) render(templateName string, mi TemplateInput) ([]
 		return nil, fmt.Errorf("no %q template defined", templateName)
 	}
 
-	labelToMatch := map[string]string{constants.GatewayNameLabel: mi.Name}
+	labelToMatch := map[string]string{"istio.io/gateway-name": mi.Name}
 	proxyConfig := d.env.GetProxyConfigOrDefault(mi.Namespace, labelToMatch, nil, cfg.MeshConfig)
 	input := derivedInput{
 		TemplateInput: mi,

diff --git a/pilot/pkg/features/pilot.go b/pilot/pkg/features/pilot.go
@@ -676,10 +676,6 @@ var (
 	// User should not rely on builtin resource labels, this flag will be removed in future releases(1.20).
 	EnableOTELBuiltinResourceLables = env.Register("ENABLE_OTEL_BUILTIN_RESOURCE_LABELS", false,
 		"If enabled, envoy will send builtin lables(e.g. node_name) via OTel sink.").Get()
-
-	EnableSelectorBasedK8sGatewayPolicy = env.Register("ENABLE_SELECTOR_BASED_K8S_GATEWAY_POLICY", true,
-		"If disabled, Gateway API gateways will ignore workloadSelector policies, only"+
-			"applying policies that select the gateway with a targetRef.").Get()
 )
 
 // UnsafeFeaturesEnabled returns true if any unsafe features are enabled.

diff --git a/pilot/pkg/model/authentication.go b/pilot/pkg/model/authentication.go
@@ -200,27 +200,15 @@ func (policy *AuthenticationPolicies) GetNamespaceMutualTLSMode(namespace string
 // GetJwtPoliciesForWorkload returns a list of JWT policies matching to labels.
 func (policy *AuthenticationPolicies) GetJwtPoliciesForWorkload(namespace string,
 	workloadLabels labels.Instance,
-	isWaypoint bool,
 ) []*config.Config {
-	return getConfigsForWorkload(policy.requestAuthentications, WorkloadSelectionOpts{
-		rootNamespace:  policy.rootNamespace,
-		namespace:      namespace,
-		workloadLabels: workloadLabels,
-		isWaypoint:     isWaypoint,
-	})
+	return getConfigsForWorkload(policy.requestAuthentications, policy.rootNamespace, namespace, workloadLabels)
 }
 
 // GetPeerAuthenticationsForWorkload returns a list of peer authentication policies matching to labels.
 func (policy *AuthenticationPolicies) GetPeerAuthenticationsForWorkload(namespace string,
 	workloadLabels labels.Instance,
-	isWaypoint bool,
 ) []*config.Config {
-	return getConfigsForWorkload(policy.peerAuthentications, WorkloadSelectionOpts{
-		rootNamespace:  policy.rootNamespace,
-		namespace:      namespace,
-		workloadLabels: workloadLabels,
-		isWaypoint:     isWaypoint,
-	})
+	return getConfigsForWorkload(policy.peerAuthentications, policy.rootNamespace, namespace, workloadLabels)
 }
 
 // GetRootNamespace return root namespace that is tracked by the policy object.
@@ -242,10 +230,11 @@ func GetAmbientPolicyConfigName(key ConfigKey) string {
 	}
 }
 
-func getConfigsForWorkload(configsByNamespace map[string][]config.Config, selectionOpts WorkloadSelectionOpts) []*config.Config {
-	workloadLabels := selectionOpts.workloadLabels
-	namespace := selectionOpts.namespace
-	rootNamespace := selectionOpts.rootNamespace
+func getConfigsForWorkload(configsByNamespace map[string][]config.Config,
+	rootNamespace string,
+	namespace string,
+	workloadLabels labels.Instance,
+) []*config.Config {
 	configs := make([]*config.Config, 0)
 	var lookupInNamespaces []string
 	if namespace != rootNamespace {
@@ -264,19 +253,10 @@ func getConfigsForWorkload(configsByNamespace map[string][]config.Config, select
 					log.Warnf("Seeing config %s with namespace %s in map entry for %s. Ignored", cfg.Name, cfg.Namespace, ns)
 					continue
 				}
-				var selector labels.Instance // NOTE: nil/empty selector matches all workloads
+				var selector labels.Instance
 				switch cfg.GroupVersionKind {
 				case gvk.RequestAuthentication:
-					ra := cfg.Spec.(*v1beta1.RequestAuthentication)
-					switch getPolicyMatcher(cfg.GroupVersionKind, cfg.Name, selectionOpts, ra) {
-					case policyMatchSelector:
-						selector = ra.GetSelector().GetMatchLabels()
-					case policyMatchDirect:
-						configs = append(configs, cfg)
-						continue
-					case policyMatchIgnore:
-						continue
-					}
+					selector = cfg.Spec.(*v1beta1.RequestAuthentication).GetSelector().GetMatchLabels()
 				case gvk.PeerAuthentication:
 					selector = cfg.Spec.(*v1beta1.PeerAuthentication).GetSelector().GetMatchLabels()
 				default: