perf(rules): add withNegation flag to simplify to policy flow (backport of #13151) (#13195)

Automatic cherry-pick of #13151 for branch release-2.8

Generated by
[action](https://github.com/kumahq/kuma/actions/runs/14056954185)

cherry-picked commit c3781d4

⚠️ ⚠️ ⚠️ Conflicts happened when cherry-picking!
⚠️ ⚠️ ⚠️
```
On branch release-2.8
Your branch is up to date with 'origin/release-2.8'.

You are currently cherry-picking commit c3781d4.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   pkg/api-server/testdata/resources/inspect/dataplanes/_rules/overriding_meshtimeout.golden.json
	modified:   pkg/plugins/policies/core/matchers/egress.go
	modified:   pkg/plugins/policies/core/matchers/testdata/matchedpolicies/torules/03.policies.yaml
	modified:   pkg/plugins/policies/core/rules/testdata/rules/to/meshtimeout.golden.yaml
	modified:   pkg/plugins/policies/core/rules/testdata/rules/to/single-to.golden.yaml

Unmerged paths:
  (use "git add/rm <file>..." as appropriate to mark resolution)
	both modified:   pkg/api-server/testdata/resources/inspect/dataplanes/_rules/meshhttproute.golden.json
	deleted by us:   pkg/api-server/testdata/resources/inspect/dataplanes/_rules/resource_rule_meshtimeout_index.golden.json
	both modified:   pkg/plugins/policies/core/matchers/testdata/matchedpolicies/torules/03.golden.yaml
	both modified:   pkg/plugins/policies/core/rules/rules.go
	deleted by us:   pkg/plugins/policies/core/rules/subsetutils/subset.go

```

---------

Signed-off-by: Ilya Lobkov <[email protected]>
Signed-off-by: Lukasz Dziedziak <[email protected]>
Co-authored-by: Lukasz Dziedziak <[email protected]>
Co-authored-by: Ilya Lobkov <[email protected]>

Author: 3 people

pkg/api-server/testdata/resources/inspect/dataplanes/_rules/meshhttproute.golden.json

@@ -38,7 +38,14 @@
          "backendRefs": [
           {
            "kind": "MeshServiceSubset",
-           "name": "backend_kuma-demo_svc_3001",
+           "name": "other-svc",
+           "tags": {
+            "version": "1.0"
+           }
+          },
+          {
+           "kind": "MeshServiceSubset",
+           "name": "other-svc-2",
            "tags": {
             "version": "1.0"
            }
@@ -52,14 +59,14 @@
       {
        "key": "kuma.io/service",
        "not": false,
-       "value": "backend_kuma-demo_svc_3001"
+       "value": "other-svc"
       }
      ],
      "origin": [
       {
        "labels": {},
        "mesh": "default",
-       "name": "the-http-route",
+       "name": "the-other-http-route",
        "type": "MeshHTTPRoute"
       }
      ]
@@ -80,14 +87,7 @@
          "backendRefs": [
           {
            "kind": "MeshServiceSubset",
-           "name": "other-svc",
-           "tags": {
-            "version": "1.0"
-           }
-          },
-          {
-           "kind": "MeshServiceSubset",
-           "name": "other-svc-2",
+           "name": "backend_kuma-demo_svc_3001",
            "tags": {
             "version": "1.0"
            }
@@ -101,14 +101,14 @@
       {
        "key": "kuma.io/service",
        "not": false,
-       "value": "other-svc"
+       "value": "backend_kuma-demo_svc_3001"
       }
      ],
      "origin": [
       {
        "labels": {},
        "mesh": "default",
-       "name": "the-other-http-route",
+       "name": "the-http-route",
        "type": "MeshHTTPRoute"
       }
      ]

pkg/api-server/testdata/resources/inspect/dataplanes/_rules/overriding_meshtimeout.golden.json

@@ -113,18 +113,7 @@
        "requestTimeout": "10s"
       }
      },
-     "matchers": [
-      {
-       "key": "kuma.io/service",
-       "not": true,
-       "value": "bar"
-      },
-      {
-       "key": "kuma.io/service",
-       "not": true,
-       "value": "foo"
-      }
-     ],
+     "matchers": [],
      "origin": [
       {
        "labels": {},

pkg/plugins/policies/core/matchers/egress.go

@@ -167,7 +167,7 @@ func processToRules(tags map[string]string, policies []core_model.Resource, mes
 		}
 	}
 
-	rules, err := core_rules.BuildRules(toList)
+	rules, err := core_rules.BuildRules(toList, false)
 	if err != nil {
 		return core_rules.FromRules{}, err
 	}

pkg/plugins/policies/core/matchers/testdata/matchedpolicies/torules/03.golden.yaml

@@ -11,7 +11,7 @@ Rules:
   - creationTime: "0001-01-01T00:00:00Z"
     mesh: mesh-1
     modificationTime: "0001-01-01T00:00:00Z"
-    name: mtp-2
+    name: mtp-3
     type: MeshTimeout
   Subset:
   - Key: __rule-matches-hash__
@@ -22,12 +22,12 @@ Rules:
     Value: test-server
 - Conf:
     http:
-      requestTimeout: 3s
+      requestTimeout: 2s
   Origin:
   - creationTime: "0001-01-01T00:00:00Z"
     mesh: mesh-1
     modificationTime: "0001-01-01T00:00:00Z"
-    name: mtp-2
+    name: mtp-3
     type: MeshTimeout
   Subset:
   - Key: __rule-matches-hash__
@@ -36,35 +36,3 @@ Rules:
   - Key: kuma.io/service
     Not: false
     Value: test-server
-- Conf:
-    http:
-      requestTimeout: 3s
-  Origin:
-  - creationTime: "0001-01-01T00:00:00Z"
-    mesh: mesh-1
-    modificationTime: "0001-01-01T00:00:00Z"
-    name: mtp-2
-    type: MeshTimeout
-  Subset:
-  - Key: __rule-matches-hash__
-    Not: false
-    Value: JNNc6//C3P17nUsOJm5f4kqG+U3v8pXhS0od9C3+oss=
-  - Key: kuma.io/service
-    Not: true
-    Value: test-server
-- Conf:
-    http:
-      requestTimeout: 3s
-  Origin:
-  - creationTime: "0001-01-01T00:00:00Z"
-    mesh: mesh-1
-    modificationTime: "0001-01-01T00:00:00Z"
-    name: mtp-2
-    type: MeshTimeout
-  Subset:
-  - Key: __rule-matches-hash__
-    Not: true
-    Value: JNNc6//C3P17nUsOJm5f4kqG+U3v8pXhS0od9C3+oss=
-  - Key: kuma.io/service
-    Not: true
-    Value: test-server

pkg/plugins/policies/core/matchers/testdata/matchedpolicies/torules/03.policies.yaml

@@ -43,3 +43,16 @@ spec:
       default:
         http:
           requestTimeout: 3s
+type: MeshTimeout
+mesh: mesh-1
+name: mtp-3
+spec:
+  targetRef:
+    kind: Mesh
+  to:
+    - targetRef:
+        kind: MeshService
+        name: test-server
+      default:
+        http:
+          requestTimeout: 2s

pkg/plugins/policies/core/rules/rules.go

@@ -397,7 +397,7 @@ func BuildFromRules(
 			}
 			fromList = append(fromList, BuildPolicyItemsWithMeta(policyWithFrom.GetFromList(), p.GetMeta())...)
 		}
-		rules, err := BuildRules(fromList)
+		rules, err := BuildRules(fromList, true)
 		if err != nil {
 			return FromRules{}, err
 		}
@@ -418,7 +418,7 @@ func BuildToRules(matchedPolicies []core_model.Resource, httpRoutes []core_model
 		toList = append(toList, BuildPolicyItemsWithMeta(tl, mp.GetMeta())...)
 	}
 
-	rules, err := BuildRules(toList)
+	rules, err := BuildRules(toList, false)
 	if err != nil {
 		return ToRules{}, err
 	}
@@ -558,7 +558,7 @@ func BuildSingleItemRules(matchedPolicies []core_model.Resource) (SingleItemRule
 		items = append(items, item)
 	}
 
-	rules, err := BuildRules(items)
+	rules, err := BuildRules(items, false)
 	if err != nil {
 		return SingleItemRules{}, err
 	}
@@ -569,21 +569,51 @@ func BuildSingleItemRules(matchedPolicies []core_model.Resource) (SingleItemRule
 // BuildRules creates a list of rules with negations sorted by the number of positive tags.
 // If rules with negative tags are filtered out then the order becomes 'most specific to less specific'.
 // Filtering out of negative rules could be useful for XDS generators that don't have a way to configure negations.
+// In case of `to` policies we don't need to check negations since only possible value for `to` is either Mesh
+// which has empty subset or kuma.io/service.
 //
 // See the detailed algorithm description in docs/madr/decisions/007-mesh-traffic-permission.md
-func BuildRules(list []PolicyItemWithMeta) (Rules, error) {
+func BuildRules(list []PolicyItemWithMeta, withNegations bool) (Rules, error) {
 	rules := Rules{}
 
+	uniqueKeys := map[string]struct{}{}
 	// 1. Convert list of rules into the list of subsets
 	var subsets []Subset
 	for _, item := range list {
 		ss, err := asSubset(item.GetTargetRef())
 		if err != nil {
 			return nil, err
 		}
+		for _, tag := range ss {
+			uniqueKeys[tag.Key] = struct{}{}
+		}
 		subsets = append(subsets, ss)
 	}
 
+	// we don't need to generate all permutations when there is no negations
+	// and we have only 0 or one tag, in other cases we need to generate.
+	// in case of `to` policies it can happen when using top target ref MeshGateway,
+	// for policy MeshHTTPRoute.
+	if !withNegations && len(uniqueKeys) <= 1 {
+		// deduplicate subsets
+		subsets = Deduplicate(subsets)
+
+		for _, ss := range subsets {
+			if r, err := createRule(ss, list); err != nil {
+				return nil, err
+			} else {
+				rules = append(rules, r...)
+			}
+		}
+
+		sort.SliceStable(rules, func(i, j int) bool {
+			// resource with more tags should be first
+			return len(rules[i].Subset) > len(rules[j].Subset)
+		})
+
+		return rules, nil
+	}
+
 	// 2. Create a graph where nodes are subsets and edge exists between 2 subsets only if there is an intersection
 	g := simple.NewUndirectedGraph()
 
@@ -634,36 +664,12 @@ func BuildRules(list []PolicyItemWithMeta) (Rules, error) {
 			if ss == nil {
 				break
 			}
+
 			// 5. For each combination determine a configuration
-			confs := []interface{}{}
-			distinctOrigins := map[core_model.ResourceKey]core_model.ResourceMeta{}
-			for i := 0; i < len(list); i++ {
-				item := list[i]
-				itemSubset, err := asSubset(item.GetTargetRef())
-				if err != nil {
-					return nil, err
-				}
-				if itemSubset.IsSubset(ss) {
-					confs = append(confs, item.GetDefault())
-					distinctOrigins[core_model.MetaToResourceKey(item.ResourceMeta)] = item.ResourceMeta
-				}
-			}
-			merged, err := MergeConfs(confs)
-			if err != nil {
+			if r, err := createRule(ss, list); err != nil {
 				return nil, err
-			}
-			if merged != nil {
-				origins := maps.Values(distinctOrigins)
-				sort.Slice(origins, func(i, j int) bool {
-					return origins[i].GetName() < origins[j].GetName()
-				})
-				for _, mergedRule := range merged {
-					rules = append(rules, &Rule{
-						Subset: ss,
-						Conf:   mergedRule,
-						Origin: origins,
-					})
-				}
+			} else {
+				rules = append(rules, r...)
 			}
 		}
 	}
@@ -675,6 +681,42 @@ func BuildRules(list []PolicyItemWithMeta) (Rules, error) {
 	return rules, nil
 }
 
+func createRule(ss Subset, items []PolicyItemWithMeta) ([]*Rule, error) {
+	rules := Rules{}
+	confs := []interface{}{}
+	distinctOrigins := map[core_model.ResourceKey]core_model.ResourceMeta{}
+	for i := 0; i < len(items); i++ {
+		item := items[i]
+		itemSubset, err := asSubset(item.GetTargetRef())
+		if err != nil {
+			return nil, err
+		}
+		if itemSubset.IsSubset(ss) {
+			confs = append(confs, item.GetDefault())
+			distinctOrigins[core_model.MetaToResourceKey(item.ResourceMeta)] = item.ResourceMeta
+		}
+	}
+	merged, err := MergeConfs(confs)
+	if err != nil {
+		return nil, err
+	}
+	if merged != nil {
+		origins := maps.Values(distinctOrigins)
+		sort.Slice(origins, func(i, j int) bool {
+			return origins[i].GetName() < origins[j].GetName()
+		})
+		for _, mergedRule := range merged {
+			rules = append(rules, &Rule{
+				Subset: ss,
+				Conf:   mergedRule,
+				Origin: origins,
+			})
+		}
+	}
+
+	return rules, nil
+}
+
 func sortComponents(components [][]graph.Node) {
 	for _, c := range components {
 		sort.SliceStable(c, func(i, j int) bool {
@@ -728,6 +770,18 @@ func NewSubsetIter(tags []Tag) *SubsetIter {
 	}
 }
 
+func (ss Subset) Sorted() {
+	sort.SliceStable(ss, func(i, j int) bool {
+		if ss[i].Key != ss[j].Key {
+			return ss[i].Key < ss[j].Key
+		}
+		if ss[i].Value != ss[j].Value {
+			return ss[i].Value < ss[j].Value
+		}
+		return !ss[i].Not && ss[j].Not
+	})
+}
+
 // Next returns the next subset of the partition. When reaches the end Next returns 'nil'
 func (c *SubsetIter) Next() Subset {
 	if c.finished {
@@ -794,3 +848,43 @@ func (c *SubsetIter) simplified() Subset {
 
 	return result
 }
+
+// Deduplicate returns a new slice of subsetutils.Subset with duplicates removed.
+func Deduplicate(subsets []Subset) []Subset {
+	seen := make(map[string]struct{})
+	result := make([]Subset, 0, len(subsets))
+
+	for _, s := range subsets {
+		key := canonicalSubset(s)
+		if _, exists := seen[key]; !exists {
+			seen[key] = struct{}{}
+			result = append(result, s)
+		}
+	}
+	return result
+}
+
+// canonicalSubset returns a canonical string representation for a subset.
+// It assumes that a subset is a slice of subsetutils.Tag with fields Key, Value, and Not.
+func canonicalSubset(s Subset) string {
+	if len(s) == 0 {
+		return ""
+	}
+	s.Sorted()
+	var sb strings.Builder
+	for i, t := range s {
+		if i > 0 {
+			sb.WriteByte('|') // Separator
+		}
+		sb.WriteString(t.Key)
+		sb.WriteByte(':')
+		sb.WriteString(t.Value)
+		sb.WriteByte(':')
+		if t.Not {
+			sb.WriteByte('1')
+		} else {
+			sb.WriteByte('0')
+		}
+	}
+	return sb.String()
+}