From 3a2836fba3726b921cd838e7aa8fb9c9a7231fdd Mon Sep 17 00:00:00 2001
From: skpratt <sarah.pratt@hashicorp.com>
Date: Tue, 23 Jan 2024 12:24:07 -0600
Subject: [PATCH] update comment

---
 agent/xdsv2/rbac_resources.go                 | 31 ++++++++-----------
 .../sidecarproxy/builder/local_app.go         |  8 ++---
 2 files changed, 17 insertions(+), 22 deletions(-)

diff --git a/agent/xdsv2/rbac_resources.go b/agent/xdsv2/rbac_resources.go
index 1c5481e244..dbe83eb903 100644
--- a/agent/xdsv2/rbac_resources.go
+++ b/agent/xdsv2/rbac_resources.go
@@ -24,7 +24,7 @@ const (
 	baseL7PermissionKey = "consul-intentions-layer7"
 )
 
-// MakeL4RBAC returns the envoy deny and allow rules from the traffic permissions. After calling this function these
+// MakeRBAC returns the envoy deny and allow rules from the traffic permissions. After calling this function these
 // rules can be put into a network rbac filter or http rbac filter depending on the local app port protocol.
 func MakeRBAC(trafficPermissions *pbproxystate.TrafficPermissions, makePolicies func([]*pbproxystate.Permission) map[string]*envoy_rbac_v3.Policy) (deny *envoy_rbac_v3.RBAC, allow *envoy_rbac_v3.RBAC, err error) {
 	var denyRBAC *envoy_rbac_v3.RBAC
@@ -134,23 +134,17 @@ func makeRBACHTTPFilter(rbac *envoy_rbac_v3.RBAC) (*envoy_http_v3.HttpFilter, er
 }
 
 func makeL4RBACPolicies(l4Permissions []*pbproxystate.Permission) map[string]*envoy_rbac_v3.Policy {
-	policyLabel := func(i int) string {
-		if len(l4Permissions) == 1 {
-			return baseL4PermissionKey
-		}
-		return fmt.Sprintf("%s-%d", baseL4PermissionKey, i)
-	}
-
 	policies := make(map[string]*envoy_rbac_v3.Policy, len(l4Permissions))
 
 	for i, permission := range l4Permissions {
 		if len(permission.DestinationRules) != 0 {
 			// This is an L7-only permission
+			// ports are split out for separate configuration before this point and L7 filters are configured separately
 			continue
 		}
 		policy := makeL4RBACPolicy(permission)
 		if policy != nil {
-			policies[policyLabel(i)] = policy
+			policies[l4PolicyLabel(l4Permissions, i)] = policy
 		}
 	}
 
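Review bot: The loop body still reads `permission.DestinationRules` on the context line above before `makeL4RBACPolicy` is reached, so a nil element of `l4Permissions` panics here regardless of the `p == nil` guard the commit adds to `makeL4RBACPolicy` (and `makeL7RBACPolicy`, whose callers are not visible in this diff); either guard at the top of the loop with `if permission == nil { continue }` or drop the guard in the helper, which this loop can never exercise. The new `l4PolicyLabel(l4Permissions, i)` call also takes `i` from the unfiltered slice, so a list that mixes L7-only and L4 permissions leaves gaps in the `-N` suffixes and a lone L4 permission beside an L7-only one is labelled `-1` rather than with the bare key, while the later hunk in `makeL7RBACPolicies` calls the same helper on the filtered `l4Perms`. That labelling appears to be pre-existing behaviour, but the two paths now share a helper and name policies differently, which deserves a comment if intentional. `makeL4RBACPolicies` ends outside the hunk.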
@@ -158,7 +152,7 @@ func makeL4RBACPolicies(l4Permissions []*pbproxystate.Permission) map[string]*en
 }
 
 func makeL4RBACPolicy(p *pbproxystate.Permission) *envoy_rbac_v3.Policy {
-	if len(p.Principals) == 0 {
+	if p == nil || len(p.Principals) == 0 {
 		return nil
 	}
 
@@ -174,6 +168,13 @@ func makeL4RBACPolicy(p *pbproxystate.Permission) *envoy_rbac_v3.Policy {
 	}
 }
 
+func l4PolicyLabel(perms []*pbproxystate.Permission, i int) string {
+	if len(perms) == 1 {
+		return baseL4PermissionKey
+	}
+	return fmt.Sprintf("%s-%d", baseL4PermissionKey, i)
+}
+
 func makeL7RBACPolicies(l7Permissions []*pbproxystate.Permission) map[string]*envoy_rbac_v3.Policy {
 	// sort permissions into those with L7-specific features and those without, to match labeling and behavior
 	// conventions in V1: https://github.com/hashicorp/consul/blob/4e451f23584473a7eaf7f123145ca85e0a31783a/agent/xds/rbac.go#L647
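Review bot: `l4PolicyLabel` is a new package-level function with no doc comment, and its `perms` parameter is consulted only for its length. Suggest `// l4PolicyLabel returns the policy map key for the L4 permission at index i: the bare baseL4PermissionKey when there is exactly one permission, otherwise the key suffixed with "-i".` Taking `n int` instead of the slice would make that contract visible at both call sites, since the callers pass differently filtered slices and only the count affects the result.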
@@ -188,12 +189,6 @@ func makeL7RBACPolicies(l7Permissions []*pbproxystate.Permission) map[string]*en
 			l4Perms = append(l4Perms, p)
 		}
 	}
-	l4PolicyLabel := func(i int) string {
-		if len(l4Perms) == 1 {
-			return baseL4PermissionKey
-		}
-		return fmt.Sprintf("%s-%d", baseL4PermissionKey, i)
-	}
 
 	policies := make(map[string]*envoy_rbac_v3.Policy, len(l7Permissions))
 
@@ -207,7 +202,7 @@ func makeL7RBACPolicies(l7Permissions []*pbproxystate.Permission) map[string]*en
 	for i, permission := range l4Perms {
 		policy := makeL4RBACPolicy(permission)
 		if policy != nil {
-			policies[l4PolicyLabel(i)] = policy
+			policies[l4PolicyLabel(l4Perms, i)] = policy
 		}
 	}
 
@@ -215,7 +210,7 @@ func makeL7RBACPolicies(l7Permissions []*pbproxystate.Permission) map[string]*en
 }
 
 func makeL7RBACPolicy(p *pbproxystate.Permission) *envoy_rbac_v3.Policy {
-	if len(p.Principals) == 0 {
+	if p == nil || len(p.Principals) == 0 {
 		return nil
 	}
 
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
index 518822501d..5ae549a4dd 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
@@ -187,9 +187,9 @@ func convertDestinationRule(allPorts []string, dr *pbauth.DestinationRule) ([]st
 		PathRegex:  dr.PathRegex,
 		Methods:    dr.Methods,
 	}
-	var hrs []*pbproxystate.DestinationRuleHeader
-	for _, hr := range dr.Headers {
-		hrs = append(hrs, &pbproxystate.DestinationRuleHeader{
+	hrs := make([]*pbproxystate.DestinationRuleHeader, len(dr.Headers))
+	for i, hr := range dr.Headers {
+		hrs[i] = &pbproxystate.DestinationRuleHeader{
 			Name:    hr.Name,
 			Present: hr.Present,
 			Exact:   hr.Exact,
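Review bot: Replacing `var hrs` with `make(..., len(dr.Headers))` changes the zero-header case from a nil slice to an empty non-nil slice assigned to `psdr.DestinationRuleHeader`; proto marshalling treats the two alike, but `reflect.DeepEqual` and `cmp.Diff` without an equate-empty option, and any caller that checks the field against `nil`, will see the difference. If the intent is only to pre-size, keep the `var hrs []*pbproxystate.DestinationRuleHeader` declaration and allocate conditionally with `if n := len(dr.Headers); n > 0 { hrs = make([]*pbproxystate.DestinationRuleHeader, n) }` before the loop. `convertDestinationRule` starts before the hunk, so whether `dr` can be nil at this point is not visible here.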
@@ -197,7 +197,7 @@ func convertDestinationRule(allPorts []string, dr *pbauth.DestinationRule) ([]st
 			Suffix:  hr.Suffix,
 			Regex:   hr.Regex,
 			Invert:  hr.Invert,
-		})
+		}
 	}
 	psdr.DestinationRuleHeader = hrs
 
-- 
GitLab