fix: nil pointer error (envoyproxy#5000)

zhaohuabing · web-flow · commit 10a31f12f618 · 2025-01-03T11:59:06.000-08:00
* fix: nil pointer error

Signed-off-by: Huabing Zhao &lt;zhaohuabing@gmail.com&gt;
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -962,10 +962,16 @@ func backendRefAuthority(resources *resource.Resources, backendRef *gwapiv1.Back
 		}
 	}
 
-	return net.JoinHostPort(
-		fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace),
-		strconv.Itoa(int(*backendRef.Port)),
-	)
+	// Port is mandatory for Kubernetes services
+	if backendKind == resource.KindService {
+		return net.JoinHostPort(
+			fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace),
+			strconv.Itoa(int(*backendRef.Port)),
+		)
+	}
+
+	// Fallback to the backendRef name, normally it's a unix domain socket in this case
+	return fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace)
 }
 
 func (t *Translator) buildAuthorization(policy *egv1a1.SecurityPolicy) (*ir.Authorization, error) {
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml
@@ -107,6 +107,15 @@ backends:
         - fqdn:
             hostname: 'primary.foo.com'
             port: 3000
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-uds
+      namespace: default
+    spec:
+      endpoints:
+        - unix:
+            path: '/var/run/uds.sock'
 referenceGrants:
   - apiVersion: gateway.networking.k8s.io/v1alpha2
     kind: ReferenceGrant
@@ -179,7 +188,6 @@ securityPolicies:
       extAuth:
         http:
           backendRef:
-            name: backend-fqdn
+            name: backend-uds
             kind: Backend
             group: gateway.envoyproxy.io
-            port: 3000
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml
@@ -17,6 +17,23 @@ backends:
       reason: Accepted
       status: "True"
       type: Accepted
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: Backend
+  metadata:
+    creationTimestamp: null
+    name: backend-uds
+    namespace: default
+  spec:
+    endpoints:
+    - unix:
+        path: /var/run/uds.sock
+  status:
+    conditions:
+    - lastTransitionTime: null
+      message: The Backend was accepted
+      reason: Accepted
+      status: "True"
+      type: Accepted
 gateways:
 - apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway
@@ -322,8 +339,7 @@ securityPolicies:
         backendRef:
           group: gateway.envoyproxy.io
           kind: Backend
-          name: backend-fqdn
-          port: 3000
+          name: backend-uds
     targetRef:
       group: gateway.networking.k8s.io
       kind: HTTPRoute
@@ -526,14 +542,15 @@ xdsIR:
         security:
           extAuth:
             http:
-              authority: primary.foo.com:3000
+              authority: backend-uds.default
               destination:
                 name: securitypolicy/default/policy-for-http-route-3-http-backendref/extauth/0
                 settings:
-                - addressType: FQDN
+                - addressType: IP
                   endpoints:
-                  - host: primary.foo.com
-                    port: 3000
+                  - host: ""
+                    path: /var/run/uds.sock
+                    port: 0
                   protocol: HTTP
                   weight: 1
               path: ""
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
@@ -20,6 +20,7 @@ new features: |
 
 # Fixes for bugs identified in previous versions.
 bug fixes: |
+  Fixed a nil pointer error that occurs when a SecurityPolicy refers to a UDS backend
 
 # Enhancements that improve performance.
 performance improvements: |

Original file line number	Diff line number	Diff line change
`@@ -962,10 +962,16 @@ func backendRefAuthority(resources resource.Resources, backendRef gwapiv1.Back`
`962`	`962`	`}`
`963`	`963`	`}`
`964`	`964`
`965`		`- return net.JoinHostPort(`
`966`		`- fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace),`
`967`		`- strconv.Itoa(int(*backendRef.Port)),`
`968`		`- )`
	`965`	`+ // Port is mandatory for Kubernetes services`
	`966`	`+ if backendKind == resource.KindService {`
	`967`	`+ return net.JoinHostPort(`
	`968`	`+ fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace),`
	`969`	`+ strconv.Itoa(int(*backendRef.Port)),`
	`970`	`+ )`
	`971`	`+ }`
	`972`	`+`
	`973`	`+ // Fallback to the backendRef name, normally it's a unix domain socket in this case`
	`974`	`+ return fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace)`
`969`	`975`	`}`
`970`	`976`
`971`	`977`	`func (t Translator) buildAuthorization(policy egv1a1.SecurityPolicy) (*ir.Authorization, error) {`