test

Arko Dasgupta · Arko Dasgupta · commit 7c608cde7085 · 2025-10-15T17:18:09.000-07:00
Signed-off-by: Arko Dasgupta &lt;arko@tetrate.io&gt;
diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-route-authorization.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-route-authorization.yaml
@@ -0,0 +1,34 @@
+tcp:
+- name: "tcp-listener-authorization"
+  address: "::"
+  port: 10080
+  routes:
+  - name: "tcp-route-authorization"
+    authorization:
+      defaultAction: Allow
+      rules:
+      - action: Deny
+        name: deny-office
+        principal:
+          clientCIDRs:
+          - cidr: 10.0.0.0/24
+            distinct: false
+            ip: 10.0.0.0
+            isIPv6: false
+            maskLen: 24
+      - action: Allow
+        name: allow-corp
+        principal:
+          clientCIDRs:
+          - cidr: 192.168.100.0/24
+            distinct: false
+            ip: 192.168.100.0
+            isIPv6: false
+            maskLen: 24
+    destination:
+      name: "tcp-route-authorization-dest"
+      settings:
+      - endpoints:
+        - host: "10.2.3.4"
+          port: 50000
+        name: "tcp-route-authorization-dest/backend/0"
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-authorization.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-authorization.clusters.yaml
@@ -0,0 +1,24 @@
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_PREFERRED
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: tcp-route-authorization-dest
+  ignoreHealthOnHostRemoval: true
+  lbPolicy: LEAST_REQUEST
+  loadBalancingPolicy:
+    policies:
+    - typedExtensionConfig:
+        name: envoy.load_balancing_policies.least_request
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest
+          localityLbConfig:
+            localityWeightedLbConfig: {}
+  name: tcp-route-authorization-dest
+  perConnectionBufferLimitBytes: 32768
+  type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-authorization.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-authorization.endpoints.yaml
@@ -0,0 +1,12 @@
+- clusterName: tcp-route-authorization-dest
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 10.2.3.4
+            portValue: 50000
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: tcp-route-authorization-dest/backend/0
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-authorization.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-authorization.listeners.yaml
@@ -0,0 +1,69 @@
+- address:
+    socketAddress:
+      address: '::'
+      portValue: 10080
+  filterChains:
+  - filters:
+    - name: envoy.filters.network.rbac
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
+        matcher:
+          matcherList:
+            matchers:
+            - onMatch:
+                action:
+                  name: deny-office
+                  typedConfig:
+                    '@type': type.googleapis.com/envoy.config.rbac.v3.Action
+                    action: DENY
+                    name: DENY
+              predicate:
+                singlePredicate:
+                  customMatch:
+                    name: ip_matcher
+                    typedConfig:
+                      '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip
+                      cidrRanges:
+                      - addressPrefix: 10.0.0.0
+                        prefixLen: 24
+                      statPrefix: client_ip
+                  input:
+                    name: client_ip
+                    typedConfig:
+                      '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput
+            - onMatch:
+                action:
+                  name: allow-corp
+                  typedConfig:
+                    '@type': type.googleapis.com/envoy.config.rbac.v3.Action
+                    name: ALLOW
+              predicate:
+                singlePredicate:
+                  customMatch:
+                    name: ip_matcher
+                    typedConfig:
+                      '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip
+                      cidrRanges:
+                      - addressPrefix: 192.168.100.0
+                        prefixLen: 24
+                      statPrefix: client_ip
+                  input:
+                    name: client_ip
+                    typedConfig:
+                      '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput
+          onNoMatch:
+            action:
+              name: default
+              typedConfig:
+                '@type': type.googleapis.com/envoy.config.rbac.v3.Action
+                name: ALLOW
+        statPrefix: tcp-10080
+    - name: envoy.filters.network.tcp_proxy
+      typedConfig:
+        '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+        cluster: tcp-route-authorization-dest
+        statPrefix: tcp-10080
+    name: tcp-route-authorization
+  maxConnectionsToAcceptPerSocketEvent: 1
+  name: tcp-listener-authorization
+  perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-authorization.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-authorization.routes.yaml
@@ -0,0 +1 @@
+[]
