diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index 2d6cf70d72e..d4793d5ecdb 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go @@ -3,8 +3,8 @@ package runner import ( "context" - "gopkg.in/yaml.v2" "sigs.k8s.io/gateway-api/apis/v1beta1" + "sigs.k8s.io/yaml" "github.com/envoyproxy/gateway/internal/envoygateway/config" "github.com/envoyproxy/gateway/internal/gatewayapi" diff --git a/internal/gatewayapi/sort.go b/internal/gatewayapi/sort.go index 035d2f6093b..7539778fff2 100644 --- a/internal/gatewayapi/sort.go +++ b/internal/gatewayapi/sort.go @@ -50,6 +50,8 @@ func sortXdsIRMap(xdsIR XdsIRMap) { // descending order sort.Sort(sort.Reverse(XdsIRRoutes(http.Routes))) } + + sort.SliceStable(ir.TCP, func(i, j int) bool { return ir.TCP[i].Name < ir.TCP[j].Name }) } } diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.in.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.in.yaml index 692adbfd82d..c5762afbaff 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.in.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.in.yaml @@ -8,6 +8,7 @@ gateways: gatewayClassName: envoy-gateway-class listeners: - name: tls + hostname: foo.com protocol: TLS port: 80 tls: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml index eacb1696ff6..59c61cc7162 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml 
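Review bot: Replacing gopkg.in/yaml.v2 with sigs.k8s.io/yaml in the runner's import block is a semantic change, not just a module swap: sigs.k8s.io/yaml round-trips through encoding/json, so field names come from `json:"..."` tags, `yaml:"..."` tags are ignored, unexported fields are dropped and `omitempty` follows JSON rules. The call sites that marshal or unmarshal with this package are outside the hunk, so I cannot see whether the types involved carry json tags; the output should be checked against the fixtures rather than assumed byte-identical. A one-line comment on the import group such as `// sigs.k8s.io/yaml encodes via json tags, matching the k8s API types` would save the next reader the same question.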
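Review bot: The new `sort.SliceStable` on ir.TCP in sortXdsIRMap carries no comment, while the HTTP branch just above it explains its `// descending order` sort; add `// sort TCP listeners by name so the generated IR (and the xDS derived from it) is stable across runs` above the call, hedging the intent if that is not the reason. The key is Name alone, so two TCP entries with the same name keep their input order, which is only deterministic if names are unique in ir.TCP; if that uniqueness is an invariant it is worth stating in the same comment. The `for` loop that binds `ir`, and the rest of sortXdsIRMap, are outside the hunk.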
@@ -9,6 +9,7 @@ gateways:
 listeners:
 - name: tls
 protocol: TLS
+ hostname: foo.com
 port: 80
 tls:
 mode: Passthrough
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.in.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.in.yaml
index c17a2ef492e..a4793ddeff2 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.in.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.in.yaml
@@ -9,6 +9,7 @@ gateways:
 listeners:
 - name: tls
 protocol: HTTPS
+ hostname: foo.com
 port: 443
 allowedRoutes:
 namespaces:
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml
index 40a696060d1..13c19dc555f 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml
@@ -9,6 +9,7 @@ gateways:
 listeners:
 - name: tls
 protocol: HTTPS
+ hostname: foo.com
 port: 443
 allowedRoutes:
 namespaces:
diff --git a/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.in.yaml b/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.in.yaml
index 09f2b84a80f..71db6c0ece6 100644
--- a/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.in.yaml
+++ b/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.in.yaml
@@ -9,6 +9,7 @@ gateways:
 listeners:
 - name: tls
 protocol: TLS
+ hostname: foo.com
 port: 90
 tls:
 mode: Passthrough
diff --git a/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml b/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml
index ad6b334f8ca..9a82becdbce 100644
--- a/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml
+++ b/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml
@@ -9,6 +9,7 @@ gateways:
 listeners:
 - name: tls
 protocol: TLS
+ hostname: foo.com
 port: 90
 tls:
 mode: Passthrough
@@ -60,7 +61,7 @@ xdsIR:
 port: 10090
 tls:
 snis:
- - "*"
+ - foo.com
 destinations:
 - host: 7.7.7.7
 port: 8080
diff --git a/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.in.yaml b/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.in.yaml
index 636dc9fa3ad..d18aca10b82 100644
--- a/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.in.yaml
+++ b/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.in.yaml
@@ -9,6 +9,7 @@ gateways:
 listeners:
 - name: tls
 protocol: TLS
+ hostname: foo.com
 port: 90
 tls:
 mode: Passthrough
diff --git a/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml
index fab2100044c..9bc5dc2c00d 100644
--- a/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml
+++ b/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml
@@ -9,6 +9,7 @@ gateways:
 listeners:
 - name: tls
 protocol: TLS
+ hostname: foo.com
 port: 90
 tls:
 mode: Passthrough
@@ -61,7 +62,7 @@ xdsIR:
 port: 10090
 tls:
 snis:
- - "*"
+ - foo.com
 destinations:
 - host: 7.7.7.7
 port: 8080
diff --git a/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.in.yaml b/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.in.yaml
index d190f65e471..81afa2331b1 100644
--- a/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.in.yaml
+++ b/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.in.yaml
@@ -9,6 +9,7 @@ gateways:
 listeners:
 - name: tls
 protocol: TLS
+ hostname: foo.com
 tls:
 mode: Passthrough
 certificateRefs:
diff --git a/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.out.yaml
index a8ec24c2dcc..b8b13220444 100644
--- a/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.out.yaml
+++ b/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.out.yaml
@@ -9,6 +9,7 @@ gateways:
 listeners:
 - name: tls
 protocol: TLS
+ hostname: foo.com
 tls:
 mode: Passthrough
 certificateRefs:
diff --git a/internal/gatewayapi/testdata/tlsroute-with-partial-wildcard-hostname.in.yaml b/internal/gatewayapi/testdata/tlsroute-with-partial-wildcard-hostname.in.yaml
new file mode 100644
index 00000000000..ac35ef26721
--- /dev/null
+++ b/internal/gatewayapi/testdata/tlsroute-with-partial-wildcard-hostname.in.yaml
@@ -0,0 +1,52 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ # TODO: add test for partial wildcard
+ # - name: tls-1
+ # protocol: TLS
+ # hostname: "*w.example.com"
+ # port: 90
+ # tls:
+ # mode: Passthrough
+ # allowedRoutes:
+ # namespaces:
+ # from: All
+ - name: tls
+ protocol: TLS
+ port: 91
+ tls:
+ mode: Passthrough
+ allowedRoutes:
+ namespaces:
+ from: All
+tlsRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: TLSRoute
+ metadata:
+ namespace: default
+ name: tlsroute-1
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-1
+ rules:
+ - backendRefs:
+ - name: service-1
+ namespace: test-service-namespace
+ port: 8080
+services:
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: default
+ name: service-1
+ spec:
+ clusterIP: 7.7.7.7
+ ports:
+ - port: 8080
diff --git a/internal/gatewayapi/testdata/tlsroute-with-partial-wildcard-hostname.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-partial-wildcard-hostname.out.yaml
new file mode 100644
index 00000000000..feb5f807144
--- /dev/null
+++ b/internal/gatewayapi/testdata/tlsroute-with-partial-wildcard-hostname.out.yaml
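Review bot: The fixture is named tlsroute-with-partial-wildcard-hostname, but the only listener that carries a partial wildcard (`hostname: "*w.example.com"`, tls-1) is commented out, so what the file actually exercises is the empty-hostname rejection, which the paired .out.yaml confirms with `Hostname must not be empty with TLS mode Passthrough.`. Either rename the pair to what it tests, or expand the `# TODO` to say that tls-1 must be re-enabled, with a matching Invalid condition in the .out.yaml, once the translator rejects partial wildcards. As written, a regression in partial-wildcard handling would not fail this test even though its name suggests it would.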
@@ -0,0 +1,68 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: tls
+ protocol: TLS
+ port: 91
+ tls:
+ mode: Passthrough
+ allowedRoutes:
+ namespaces:
+ from: All
+ status:
+ listeners:
+ - name: tls
+ supportedKinds:
+ - group: gateway.networking.k8s.io
+ kind: TLSRoute
+ attachedRoutes: 0
+ conditions:
+ - type: Ready
+ status: "False"
+ reason: Invalid
+ message: Hostname must not be empty with TLS mode Passthrough.
+tlsRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: TLSRoute
+ metadata:
+ namespace: default
+ name: tlsroute-1
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-1
+ rules:
+ - backendRefs:
+ - name: service-1
+ namespace: test-service-namespace
+ port: 8080
+ status:
+ parents:
+ - parentRef:
+ namespace: envoy-gateway
+ name: gateway-1
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ conditions:
+ - type: Accepted
+ status: "False"
+ reason: NoReadyListeners
+ message: There are no ready listeners for this parent ref
+xdsIR:
+ envoy-gateway-gateway-1: {}
+infraIR:
+ envoy-gateway-gateway-1:
+ proxy:
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ name: envoy-gateway-gateway-1
+ image: envoyproxy/envoy:v1.23-latest
+ listeners:
+ - address: ""
diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go
index 6a6ff75e1d7..71e3ef9a115 100644
--- a/internal/gatewayapi/translator.go
+++ b/internal/gatewayapi/translator.go
@@ -496,6 +496,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap // With TLS Passthrough, partial wildcards are not allowed in xDS config, so "*", "*w.abc.com" are // invalid configurations. + // TODO: add regex match to detect partial wildcards like *w.abc.com if listener.Hostname == nil || *listener.Hostname == "" { listener.SetCondition( v1beta1.ListenerConditionReady, diff --git a/internal/xds/translator/testdata/in/xds-ir/tls-route-passthrough.yaml b/internal/xds/translator/testdata/in/xds-ir/tls-route-passthrough.yaml index b1e087cf335..c7f59633067 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tls-route-passthrough.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tls-route-passthrough.yaml @@ -4,7 +4,7 @@ tcp: port: 10080 tls: snis: - - "www.example.com" + - foo.com destinations: - host: "1.2.3.4" port: 50000 diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml index 226cc034007..b52cb5d8d2b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml @@ -5,7 +5,7 @@ filterChains: - filterChainMatch: serverNames: - - www.example.com + - foo.com filters: - name: envoy.filters.network.tcp_proxy typedConfig:
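Review bot: The comment above the guard states that `"*"` and `"*w.abc.com"` are invalid for TLS Passthrough, but the condition on the next line only rejects a nil or empty hostname, so a listener whose hostname is `"*"` or a partial wildcard still passes this check and reaches the SNI match of the filter chain. The TODO does not need a regex: `h := *listener.Hostname` and `if h == "" || h == "*" || (strings.Contains(h, "*") && !strings.HasPrefix(h, "*."))` after the nil check cover both cases (adding `strings` to the imports if this file does not already have it), and the `Hostname must not be empty` message would then need a variant for the wildcard case. The Gateway API CRD's hostname pattern may already reject these shapes at admission, but the translator should not depend on upstream validation having run. ProcessListeners begins and ends outside the hunk.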