revert bad import, testfix, new test

Signed-off-by: Shubham Chauhan <shubham@tetrate.io>

internal/gatewayapi/runner/runner.go

@@ -3,8 +3,8 @@ package runner
 import (
 	"context"
 
-	"gopkg.in/yaml.v2"
 	"sigs.k8s.io/gateway-api/apis/v1beta1"
+	"sigs.k8s.io/yaml"
 
 	"github.com/envoyproxy/gateway/internal/envoygateway/config"
 	"github.com/envoyproxy/gateway/internal/gatewayapi"

internal/gatewayapi/sort.go

@@ -50,6 +50,8 @@ func sortXdsIRMap(xdsIR XdsIRMap) {
 			// descending order
 			sort.Sort(sort.Reverse(XdsIRRoutes(http.Routes)))
 		}
+
+		sort.SliceStable(ir.TCP, func(i, j int) bool { return ir.TCP[i].Name < ir.TCP[j].Name })
 	}
 }
 

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.in.yaml

@@ -8,6 +8,7 @@ gateways:
       gatewayClassName: envoy-gateway-class
       listeners:
         - name: tls
+          hostname: foo.com
           protocol: TLS
           port: 80
           tls:

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml

@@ -9,6 +9,7 @@ gateways:
       listeners:
         - name: tls
           protocol: TLS
+          hostname: foo.com
           port: 80
           tls:
             mode: Passthrough

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.in.yaml

@@ -9,6 +9,7 @@ gateways:
       listeners:
         - name: tls
           protocol: HTTPS
+          hostname: foo.com
           port: 443
           allowedRoutes:
             namespaces:

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml

@@ -9,6 +9,7 @@ gateways:
       listeners:
         - name: tls
           protocol: HTTPS
+          hostname: foo.com
           port: 443
           allowedRoutes:
             namespaces:

internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.in.yaml

@@ -9,6 +9,7 @@ gateways:
       listeners:
         - name: tls
           protocol: TLS
+          hostname: foo.com
           port: 90
           tls:
             mode: Passthrough

internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml

@@ -9,6 +9,7 @@ gateways:
       listeners:
         - name: tls
           protocol: TLS
+          hostname: foo.com
           port: 90
           tls:
             mode: Passthrough
@@ -60,7 +61,7 @@ xdsIR:
         port: 10090
         tls:
           snis:
-            - "*"
+            - foo.com
         destinations:
           - host: 7.7.7.7
             port: 8080

internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.in.yaml

@@ -9,6 +9,7 @@ gateways:
       listeners:
         - name: tls
           protocol: TLS
+          hostname: foo.com
           port: 90
           tls:
             mode: Passthrough

internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml

@@ -9,6 +9,7 @@ gateways:
       listeners:
         - name: tls
           protocol: TLS
+          hostname: foo.com
           port: 90
           tls:
             mode: Passthrough
@@ -61,7 +62,7 @@ xdsIR:
         port: 10090
         tls:
           snis:
-            - "*"
+            - foo.com
         destinations:
           - host: 7.7.7.7
             port: 8080

internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.in.yaml

@@ -9,6 +9,7 @@ gateways:
       listeners:
         - name: tls
           protocol: TLS
+          hostname: foo.com
           tls:
             mode: Passthrough
             certificateRefs:

internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.out.yaml

@@ -9,6 +9,7 @@ gateways:
       listeners:
         - name: tls
           protocol: TLS
+          hostname: foo.com
           tls:
             mode: Passthrough
             certificateRefs:

internal/gatewayapi/testdata/tlsroute-with-partial-wildcard-hostname.in.yaml

@@ -0,0 +1,52 @@
+gateways:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    metadata:
+      namespace: envoy-gateway
+      name: gateway-1
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        # TODO: add test for partial wildcard
+        # - name: tls-1
+        #   protocol: TLS
+        #   hostname: "*w.example.com"
+        #   port: 90
+        #   tls:
+        #     mode: Passthrough
+        #   allowedRoutes:
+        #     namespaces:
+        #       from: All
+        - name: tls
+          protocol: TLS
+          port: 91
+          tls:
+            mode: Passthrough
+          allowedRoutes:
+            namespaces:
+              from: All
+tlsRoutes:
+  - apiVersion: gateway.networking.k8s.io/v1alpha2
+    kind: TLSRoute
+    metadata:
+      namespace: default
+      name: tlsroute-1
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+      rules:
+        - backendRefs:
+            - name: service-1
+              namespace: test-service-namespace
+              port: 8080
+services:
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      namespace: default
+      name: service-1
+    spec:
+      clusterIP: 7.7.7.7
+      ports:
+        - port: 8080

internal/gatewayapi/testdata/tlsroute-with-partial-wildcard-hostname.out.yaml

@@ -0,0 +1,68 @@
+gateways:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    metadata:
+      namespace: envoy-gateway
+      name: gateway-1
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: tls
+          protocol: TLS
+          port: 91
+          tls:
+            mode: Passthrough
+          allowedRoutes:
+            namespaces:
+              from: All
+    status:
+      listeners:
+        - name: tls
+          supportedKinds:
+            - group: gateway.networking.k8s.io
+              kind: TLSRoute
+          attachedRoutes: 0
+          conditions:
+            - type: Ready
+              status: "False"
+              reason: Invalid
+              message: Hostname must not be empty with TLS mode Passthrough.
+tlsRoutes:
+  - apiVersion: gateway.networking.k8s.io/v1alpha2
+    kind: TLSRoute
+    metadata:
+      namespace: default
+      name: tlsroute-1
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+      rules:
+        - backendRefs:
+            - name: service-1
+              namespace: test-service-namespace
+              port: 8080
+    status:
+      parents:
+        - parentRef:
+            namespace: envoy-gateway
+            name: gateway-1
+          controllerName: gateway.envoyproxy.io/gatewayclass-controller
+          conditions:
+            - type: Accepted
+              status: "False"
+              reason: NoReadyListeners
+              message: There are no ready listeners for this parent ref
+xdsIR:
+  envoy-gateway-gateway-1: {}
+infraIR:
+  envoy-gateway-gateway-1:
+    proxy:
+      metadata:
+        labels:
+          gateway.envoyproxy.io/owning-gateway-name: gateway-1
+          gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+      name: envoy-gateway-gateway-1
+      image: envoyproxy/envoy:v1.23-latest
+      listeners:
+        - address: ""

internal/gatewayapi/translator.go

@@ -496,6 +496,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
 
 				// With TLS Passthrough, partial wildcards are not allowed in xDS config, so "*", "*w.abc.com" are
 				// invalid configurations.
+				// TODO: add regex match to detect partial wildcards like *w.abc.com
 				if listener.Hostname == nil || *listener.Hostname == "" {
 					listener.SetCondition(
 						v1beta1.ListenerConditionReady,

internal/xds/translator/testdata/in/xds-ir/tls-route-passthrough.yaml

@@ -4,7 +4,7 @@ tcp:
   port: 10080
   tls:
     snis:
-    - "www.example.com"
+    - foo.com
   destinations:
   - host: "1.2.3.4"
     port: 50000

internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml

@@ -5,7 +5,7 @@
   filterChains:
   - filterChainMatch:
       serverNames:
-      - www.example.com
+      - foo.com
     filters:
     - name: envoy.filters.network.tcp_proxy
       typedConfig: