ambient: fix auto-allow waypoint

Probably we need to increase our test coverage here
istio · Apr 22, 2024 · 815149b · 815149b
1 parent 0546b5b
commit 815149b
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 6 deletions.
diff --git a/pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex_test.go b/pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex_test.go
@@ -1073,15 +1073,15 @@ func TestAmbientIndex_Policy(t *testing.T) {
 
 func TestDefaultAllowWaypointPolicy(t *testing.T) {
 	// while the Waypoint is in testNS, the policies live in the Pods' namespaces
-	policyName := "istio_allow_waypoint_" + testNS + "_" + "waypoint-ns"
+	policyName := "ns1/istio_allow_waypoint_" + testNS + "_" + "waypoint-ns"
 	test.SetForTest(t, &features.DefaultAllowFromWaypoint, true)
 
 	s := newAmbientTestServer(t, testC, testNW)
 	setupPolicyTest(t, s)
 
 	t.Run("policy with service accounts", func(t *testing.T) {
 		assert.EventuallyEqual(t, func() []string {
-			waypointPolicy := s.authorizationPolicies.GetKey(krt.Key[model.WorkloadAuthorization]("ns1/" + policyName))
+			waypointPolicy := s.authorizationPolicies.GetKey(krt.Key[model.WorkloadAuthorization](policyName))
 			if waypointPolicy == nil {
 				return nil
 			}
@@ -1090,8 +1090,8 @@ func TestDefaultAllowWaypointPolicy(t *testing.T) {
 				return sm.GetExact()
 			})
 		}, []string{
-			"spiffe://cluster.local/ns/ns1/sa/namespace-wide",
-			"spiffe://cluster.local/ns/ns1/sa/waypoint-sa",
+			"cluster.local/ns/ns1/sa/namespace-wide",
+			"cluster.local/ns/ns1/sa/waypoint-sa",
 		})
 	})
 

diff --git a/pilot/pkg/serviceregistry/kube/controller/ambient/policies.go b/pilot/pkg/serviceregistry/kube/controller/ambient/policies.go
@@ -16,6 +16,8 @@
 package ambient
 
 import (
+	"strings"
+
 	v1 "k8s.io/api/core/v1"
 
 	securityclient "istio.io/client-go/pkg/apis/security/v1beta1"
@@ -124,7 +126,7 @@ func implicitWaypointPolicy(ctx krt.HandlerContext, waypoint Waypoint) *model.Wo
 							{
 								Principals: slices.Map(waypoint.ServiceAccounts, func(sa string) *security.StringMatch {
 									return &security.StringMatch{MatchType: &security.StringMatch_Exact{
-										Exact: spiffe.MustGenSpiffeURI(waypoint.Namespace, sa),
+										Exact: strings.TrimPrefix(spiffe.MustGenSpiffeURI(waypoint.Namespace, sa), spiffe.URIPrefix),
 									}}
 								}),
 							},

diff --git a/pilot/pkg/serviceregistry/kube/controller/ambient/workloads.go b/pilot/pkg/serviceregistry/kube/controller/ambient/workloads.go
@@ -507,6 +507,6 @@ func implicitWaypointPolicies(ctx krt.HandlerContext, Waypoints krt.Collection[W
 		if policy == "" {
 			return nil
 		}
-		return &policy
+		return ptr.Of(w.Namespace + "/" + policy)
 	})
 }