diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 1e85fb5ffab..1ef7ecd9163 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -1,4 +1,4 @@ -envoyProxy: +envoyProxyForGatewayClass: metadata: creationTimestamp: null name: default-envoy-proxy diff --git a/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml b/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml index 41be265b365..df303817570 100644 --- a/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml @@ -1,4 +1,4 @@ -envoyProxy: +envoyProxyForGatewayClass: metadata: creationTimestamp: null name: example diff --git a/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml b/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml index 53dcd574842..09fb3051c14 100644 --- a/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml @@ -1,4 +1,4 @@ -envoyProxy: +envoyProxyForGatewayClass: metadata: creationTimestamp: null name: example diff --git a/internal/cmd/egctl/translate.go b/internal/cmd/egctl/translate.go index 2cf06396078..a9d16269be5 100644 --- a/internal/cmd/egctl/translate.go +++ b/internal/cmd/egctl/translate.go @@ -315,13 +315,13 @@ func translateGatewayAPIToGatewayAPI(resources *gatewayapi.Resources) (gatewayap gRes, _ := gTranslator.Translate(resources) // Update the status of the GatewayClass based on EnvoyProxy validation epInvalid := false - if resources.EnvoyProxy != nil { - if err := validation.ValidateEnvoyProxy(resources.EnvoyProxy); err != nil { + if resources.EnvoyProxyForGatewayClass != nil { + if err := validation.ValidateEnvoyProxy(resources.EnvoyProxyForGatewayClass); err != nil { epInvalid = true msg := fmt.Sprintf("%s: %v", status.MsgGatewayClassInvalidParams, err) status.SetGatewayClassAccepted(resources.GatewayClass, false, string(gwapiv1.GatewayClassReasonInvalidParameters), msg) } - gRes.EnvoyProxy = resources.EnvoyProxy + gRes.EnvoyProxyForGatewayClass = resources.EnvoyProxyForGatewayClass } if !epInvalid { status.SetGatewayClassAccepted(resources.GatewayClass, true, string(gwapiv1.GatewayClassReasonAccepted), status.MsgValidGatewayClass) @@ -364,8 +364,8 @@ func translateGatewayAPIToXds(dnsDomain string, resourceType string, resources * ServiceURL: ratelimit.GetServiceURL("envoy-gateway", dnsDomain), }, } - if resources.EnvoyProxy != nil { - xTranslator.FilterOrder = resources.EnvoyProxy.Spec.FilterOrder + if resources.EnvoyProxyForGatewayClass != nil { + xTranslator.FilterOrder = resources.EnvoyProxyForGatewayClass.Spec.FilterOrder } xRes, err := xTranslator.Translate(val) if err != nil { @@ -445,8 +445,8 @@ func constructConfigDump(resources *gatewayapi.Resources, tCtx *xds_types.Resour // Apply Bootstrap from EnvoyProxy API if set by the user // The config should have been validated already - if resources.EnvoyProxy != nil && resources.EnvoyProxy.Spec.Bootstrap != nil { - bootstrapConfigurations, err = bootstrap.ApplyBootstrapConfig(resources.EnvoyProxy.Spec.Bootstrap, bootstrapConfigurations) + if resources.EnvoyProxyForGatewayClass != nil && resources.EnvoyProxyForGatewayClass.Spec.Bootstrap != nil { + bootstrapConfigurations, err = bootstrap.ApplyBootstrapConfig(resources.EnvoyProxyForGatewayClass.Spec.Bootstrap, bootstrapConfigurations) if err != nil { return nil, err } @@ -685,7 +685,7 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*gatewayap }, Spec: typedSpec.(egv1a1.EnvoyProxySpec), } - resources.EnvoyProxy = envoyProxy + resources.EnvoyProxyForGatewayClass = envoyProxy case gatewayapi.KindGatewayClass: typedSpec := spec.Interface() gatewayClass := &gwapiv1.GatewayClass{ @@ -923,7 +923,7 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*gatewayap } // Add EnvoyProxy if it does not exist - if resources.EnvoyProxy == nil { + if resources.EnvoyProxyForGatewayClass == nil { if err := addDefaultEnvoyProxy(resources); err != nil { return nil, err } @@ -955,7 +955,7 @@ func addDefaultEnvoyProxy(resources *gatewayapi.Resources) error { }, }, } - resources.EnvoyProxy = ep + resources.EnvoyProxyForGatewayClass = ep ns := gwapiv1.Namespace(namespace) resources.GatewayClass.Spec.ParametersRef = &gwapiv1.ParametersReference{ Group: gwapiv1.Group(egv1a1.GroupVersion.Group), diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go index f82161181d8..87682425d6b 100644 --- a/internal/gatewayapi/backendtlspolicy.go +++ b/internal/gatewayapi/backendtlspolicy.go @@ -13,13 +13,14 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" ) -func (t *Translator) applyBackendTLSSetting(backendRef gwapiv1.BackendObjectReference, backendNamespace string, parent gwapiv1a2.ParentReference, resources *Resources) *ir.TLSUpstreamConfig { - upstreamConfig, policy := t.processBackendTLSPolicy(backendRef, backendNamespace, parent, resources) - return t.applyEnvoyProxyBackendTLSSetting(policy, upstreamConfig, resources, parent) +func (t *Translator) applyBackendTLSSetting(backendRef gwapiv1.BackendObjectReference, backendNamespace string, parent gwapiv1a2.ParentReference, resources *Resources, envoyProxy *egv1a1.EnvoyProxy) *ir.TLSUpstreamConfig { + upstreamConfig, policy := t.processBackendTLSPolicy(backendRef, backendNamespace, parent, resources, envoyProxy) + return t.applyEnvoyProxyBackendTLSSetting(policy, upstreamConfig, resources, parent, envoyProxy) } func (t *Translator) processBackendTLSPolicy( @@ -27,6 +28,7 @@ func (t *Translator) processBackendTLSPolicy( backendNamespace string, parent gwapiv1a2.ParentReference, resources *Resources, + envoyProxy *egv1a1.EnvoyProxy, ) (*ir.TLSUpstreamConfig, *gwapiv1a3.BackendTLSPolicy) { policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace) if policy == nil { @@ -53,27 +55,27 @@ func (t *Translator) processBackendTLSPolicy( status.SetAcceptedForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName) // apply defaults as per envoyproxy - if resources.EnvoyProxy != nil { - if resources.EnvoyProxy.Spec.BackendTLS != nil { - if len(resources.EnvoyProxy.Spec.BackendTLS.Ciphers) > 0 { - tlsBundle.Ciphers = resources.EnvoyProxy.Spec.BackendTLS.Ciphers + if envoyProxy != nil { + if envoyProxy.Spec.BackendTLS != nil { + if len(envoyProxy.Spec.BackendTLS.Ciphers) > 0 { + tlsBundle.Ciphers = envoyProxy.Spec.BackendTLS.Ciphers } - if len(resources.EnvoyProxy.Spec.BackendTLS.ECDHCurves) > 0 { - tlsBundle.ECDHCurves = resources.EnvoyProxy.Spec.BackendTLS.ECDHCurves + if len(envoyProxy.Spec.BackendTLS.ECDHCurves) > 0 { + tlsBundle.ECDHCurves = envoyProxy.Spec.BackendTLS.ECDHCurves } - if len(resources.EnvoyProxy.Spec.BackendTLS.SignatureAlgorithms) > 0 { - tlsBundle.SignatureAlgorithms = resources.EnvoyProxy.Spec.BackendTLS.SignatureAlgorithms + if len(envoyProxy.Spec.BackendTLS.SignatureAlgorithms) > 0 { + tlsBundle.SignatureAlgorithms = envoyProxy.Spec.BackendTLS.SignatureAlgorithms } - if resources.EnvoyProxy.Spec.BackendTLS.MinVersion != nil { - tlsBundle.MinVersion = ptr.To(ir.TLSVersion(*resources.EnvoyProxy.Spec.BackendTLS.MinVersion)) + if envoyProxy.Spec.BackendTLS.MinVersion != nil { + tlsBundle.MinVersion = ptr.To(ir.TLSVersion(*envoyProxy.Spec.BackendTLS.MinVersion)) } - if resources.EnvoyProxy.Spec.BackendTLS.MinVersion != nil { - tlsBundle.MaxVersion = ptr.To(ir.TLSVersion(*resources.EnvoyProxy.Spec.BackendTLS.MaxVersion)) + if envoyProxy.Spec.BackendTLS.MinVersion != nil { + tlsBundle.MaxVersion = ptr.To(ir.TLSVersion(*envoyProxy.Spec.BackendTLS.MaxVersion)) } - if len(resources.EnvoyProxy.Spec.BackendTLS.ALPNProtocols) > 0 { - tlsBundle.ALPNProtocols = make([]string, len(resources.EnvoyProxy.Spec.BackendTLS.ALPNProtocols)) - for i := range resources.EnvoyProxy.Spec.BackendTLS.ALPNProtocols { - tlsBundle.ALPNProtocols[i] = string(resources.EnvoyProxy.Spec.BackendTLS.ALPNProtocols[i]) + if len(envoyProxy.Spec.BackendTLS.ALPNProtocols) > 0 { + tlsBundle.ALPNProtocols = make([]string, len(envoyProxy.Spec.BackendTLS.ALPNProtocols)) + for i := range envoyProxy.Spec.BackendTLS.ALPNProtocols { + tlsBundle.ALPNProtocols[i] = string(envoyProxy.Spec.BackendTLS.ALPNProtocols[i]) } } } @@ -81,9 +83,7 @@ func (t *Translator) processBackendTLSPolicy( return tlsBundle, policy } -func (t *Translator) applyEnvoyProxyBackendTLSSetting(policy *gwapiv1a3.BackendTLSPolicy, tlsConfig *ir.TLSUpstreamConfig, resources *Resources, parent gwapiv1a2.ParentReference) *ir.TLSUpstreamConfig { - ep := resources.EnvoyProxy - +func (t *Translator) applyEnvoyProxyBackendTLSSetting(policy *gwapiv1a3.BackendTLSPolicy, tlsConfig *ir.TLSUpstreamConfig, resources *Resources, parent gwapiv1a2.ParentReference, ep *egv1a1.EnvoyProxy) *ir.TLSUpstreamConfig { if ep == nil || ep.Spec.BackendTLS == nil || tlsConfig == nil { return tlsConfig } diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index cfa108bf73d..b8faaef5bc9 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -39,9 +39,11 @@ func hasSectionName(target *gwapiv1a2.LocalPolicyTargetReferenceWithSectionName) return target.SectionName != nil } -func (t *Translator) ProcessClientTrafficPolicies(resources *Resources, +func (t *Translator) ProcessClientTrafficPolicies( + resources *Resources, gateways []*GatewayContext, - xdsIR XdsIRMap, infraIR InfraIRMap, + xdsIR XdsIRMap, + infraIR InfraIRMap, ) []*egv1a1.ClientTrafficPolicy { var res []*egv1a1.ClientTrafficPolicy @@ -132,7 +134,7 @@ func (t *Translator) ProcessClientTrafficPolicies(resources *Resources, var err error for _, l := range gateway.listeners { // Find IR - irKey := t.getIRKey(l.gateway) + irKey := t.getIRKey(l.gateway.Gateway) // It must exist since we've already finished processing the gateways gwXdsIR := xdsIR[irKey] if string(l.Name) == section { @@ -251,7 +253,7 @@ func (t *Translator) ProcessClientTrafficPolicies(resources *Resources, } // Find IR - irKey := t.getIRKey(l.gateway) + irKey := t.getIRKey(l.gateway.Gateway) // It must exist since we've already finished processing the gateways gwXdsIR := xdsIR[irKey] if err := validatePortOverlapForClientTrafficPolicy(l, gwXdsIR, true); err != nil { @@ -378,7 +380,7 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie xdsIR XdsIRMap, infraIR InfraIRMap, resources *Resources, ) error { // Find IR - irKey := t.getIRKey(l.gateway) + irKey := t.getIRKey(l.gateway.Gateway) // It must exist since we've already finished processing the gateways gwXdsIR := xdsIR[irKey] diff --git a/internal/gatewayapi/contexts.go b/internal/gatewayapi/contexts.go index 9d3e90fbe8c..414386c973d 100644 --- a/internal/gatewayapi/contexts.go +++ b/internal/gatewayapi/contexts.go @@ -14,6 +14,8 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" ) // GatewayContext wraps a Gateway and provides helper methods for @@ -21,12 +23,13 @@ import ( type GatewayContext struct { *gwapiv1.Gateway - listeners []*ListenerContext + listeners []*ListenerContext + envoyProxy *egv1a1.EnvoyProxy } // ResetListeners resets the listener statuses and re-generates the GatewayContext // ListenerContexts from the Gateway spec. -func (g *GatewayContext) ResetListeners() { +func (g *GatewayContext) ResetListeners(resource *Resources) { numListeners := len(g.Spec.Listeners) g.Status.Listeners = make([]gwapiv1.ListenerStatus, numListeners) g.listeners = make([]*ListenerContext, numListeners) @@ -35,10 +38,28 @@ func (g *GatewayContext) ResetListeners() { g.Status.Listeners[i] = gwapiv1.ListenerStatus{Name: listener.Name} g.listeners[i] = &ListenerContext{ Listener: listener, - gateway: g.Gateway, + gateway: g, listenerStatusIdx: i, } } + + g.attachEnvoyProxy(resource) +} + +func (g *GatewayContext) attachEnvoyProxy(resources *Resources) { + if g.Spec.Infrastructure != nil && g.Spec.Infrastructure.ParametersRef != nil && !IsMergeGatewaysEnabled(resources) { + ref := g.Spec.Infrastructure.ParametersRef + if string(ref.Group) == egv1a1.GroupVersion.Group && ref.Kind == egv1a1.KindEnvoyProxy { + ep := resources.GetEnvoyProxy(g.Namespace, ref.Name) + if ep != nil { + g.envoyProxy = ep + return + } + } + // not found, fallthrough to use envoyProxy attached to gatewayclass + } + + g.envoyProxy = resources.EnvoyProxyForGatewayClass } // ListenerContext wraps a Listener and provides helper methods for @@ -47,7 +68,7 @@ func (g *GatewayContext) ResetListeners() { type ListenerContext struct { *gwapiv1.Listener - gateway *gwapiv1.Gateway + gateway *GatewayContext listenerStatusIdx int namespaceSelector labels.Selector tlsSecrets []*corev1.Secret @@ -209,18 +230,8 @@ func GetHostnames(route RouteContext) []string { // GetParentReferences returns the ParentReference of the Route object. func GetParentReferences(route RouteContext) []gwapiv1.ParentReference { rv := reflect.ValueOf(route).Elem() - kind := rv.FieldByName("Kind").String() pr := rv.FieldByName("Spec").FieldByName("ParentRefs") - if kind == KindHTTPRoute || kind == KindGRPCRoute { - return pr.Interface().([]gwapiv1.ParentReference) - } - - parentReferences := make([]gwapiv1.ParentReference, pr.Len()) - for i := 0; i < len(parentReferences); i++ { - p := pr.Index(i).Interface().(gwapiv1.ParentReference) - parentReferences[i] = UpgradeParentReference(p) - } - return parentReferences + return pr.Interface().([]gwapiv1.ParentReference) } // GetRouteStatus returns the RouteStatus object associated with the Route. @@ -254,17 +265,8 @@ func GetRouteParentContext(route RouteContext, forParentRef gwapiv1.ParentRefere specParentRefs := rv.FieldByName("Spec").FieldByName("ParentRefs") for i := 0; i < specParentRefs.Len(); i++ { p := specParentRefs.Index(i).Interface().(gwapiv1.ParentReference) - up := p - if !isHTTPRoute { - up = UpgradeParentReference(p) - } - if reflect.DeepEqual(up, forParentRef) { - if isHTTPRoute { - parentRef = &p - } else { - upgraded := UpgradeParentReference(p) - parentRef = &upgraded - } + if reflect.DeepEqual(p, forParentRef) { + parentRef = &p break } } @@ -332,6 +334,14 @@ type RouteParentContext struct { listeners []*ListenerContext } +// GetGateway returns the GatewayContext if parent resource is a gateway. +func (r *RouteParentContext) GetGateway() *GatewayContext { + if r == nil || len(r.listeners) == 0 { + return nil + } + return r.listeners[0].gateway +} + func (r *RouteParentContext) SetListeners(listeners ...*ListenerContext) { r.listeners = append(r.listeners, listeners...) } diff --git a/internal/gatewayapi/contexts_test.go b/internal/gatewayapi/contexts_test.go index ee17cec5fcd..b594dc92e7a 100644 --- a/internal/gatewayapi/contexts_test.go +++ b/internal/gatewayapi/contexts_test.go @@ -16,6 +16,13 @@ import ( ) func TestContexts(t *testing.T) { + r := &Resources{ + GatewayClass: &gwapiv1.GatewayClass{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + }, + }, + } gateway := &gwapiv1.Gateway{ ObjectMeta: metav1.ObjectMeta{ Namespace: "envoy-gateway", @@ -33,13 +40,13 @@ func TestContexts(t *testing.T) { gctx := &GatewayContext{ Gateway: gateway, } - gctx.ResetListeners() + gctx.ResetListeners(r) require.Len(t, gctx.listeners, 1) lctx := gctx.listeners[0] require.NotNil(t, lctx) - status.SetGatewayListenerStatusCondition(lctx.gateway, lctx.listenerStatusIdx, + status.SetGatewayListenerStatusCondition(lctx.gateway.Gateway, lctx.listenerStatusIdx, gwapiv1.ListenerConditionAccepted, metav1.ConditionFalse, gwapiv1.ListenerReasonUnsupportedProtocol, "HTTPS protocol is not supported yet") require.Len(t, gateway.Status.Listeners, 1) @@ -56,11 +63,18 @@ func TestContexts(t *testing.T) { require.Len(t, gateway.Status.Listeners[0].SupportedKinds, 1) require.EqualValues(t, "HTTPRoute", gateway.Status.Listeners[0].SupportedKinds[0].Kind) - gctx.ResetListeners() + gctx.ResetListeners(r) require.Empty(t, gateway.Status.Listeners[0].Conditions) } func TestContextsStaleListener(t *testing.T) { + r := &Resources{ + GatewayClass: &gwapiv1.GatewayClass{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + }, + }, + } gateway := &gwapiv1.Gateway{ ObjectMeta: metav1.ObjectMeta{ Namespace: "envoy-gateway", @@ -104,7 +118,7 @@ func TestContextsStaleListener(t *testing.T) { Listener: &gwapiv1.Listener{ Name: "https", }, - gateway: gateway, + gateway: gCtx, listenerStatusIdx: 0, } @@ -112,11 +126,11 @@ func TestContextsStaleListener(t *testing.T) { Listener: &gwapiv1.Listener{ Name: "http", }, - gateway: gateway, + gateway: gCtx, listenerStatusIdx: 1, } - gCtx.ResetListeners() + gCtx.ResetListeners(r) require.Len(t, gCtx.listeners, 2) @@ -141,7 +155,7 @@ func TestContextsStaleListener(t *testing.T) { // Remove one of the listeners gateway.Spec.Listeners = gateway.Spec.Listeners[:1] - gCtx.ResetListeners() + gCtx.ResetListeners(r) // Ensure the listener status has been updated and the stale listener has been // removed. diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 536f7938738..69dd7b10887 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go @@ -306,15 +306,10 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(policy *egv1a1.EnvoyE xdsIR XdsIRMap, resources *Resources, ) error { var ( - extProcs []ir.ExtProc wasms []ir.Wasm err, errs error ) - if extProcs, err = t.buildExtProcs(policy, resources); err != nil { - err = perr.WithMessage(err, "ExtProcs") - errs = errors.Join(errs, err) - } if wasms, err = t.buildWasms(policy); err != nil { err = perr.WithMessage(err, "WASMs") errs = errors.Join(errs, err) @@ -327,19 +322,34 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(policy *egv1a1.EnvoyE // Apply IR to all relevant routes prefix := irRoutePrefix(route) - for _, x := range xdsIR { - for _, http := range x.HTTP { - for _, r := range http.Routes { - // Apply if there is a match - if strings.HasPrefix(r.Name, prefix) { - r.ExtProcs = extProcs - r.Wasms = wasms + parentRefs := GetParentReferences(route) + for _, p := range parentRefs { + parentRefCtx := GetRouteParentContext(route, p) + gtwCtx := parentRefCtx.GetGateway() + if gtwCtx == nil { + continue + } + + var extProcs []ir.ExtProc + if extProcs, err = t.buildExtProcs(policy, resources, gtwCtx.envoyProxy); err != nil { + err = perr.WithMessage(err, "ExtProcs") + errs = errors.Join(errs, err) + } + irKey := t.getIRKey(gtwCtx.Gateway) + for _, listener := range parentRefCtx.listeners { + irListener := xdsIR[irKey].GetHTTPListener(irListenerName(listener)) + if irListener != nil { + for _, r := range irListener.Routes { + if strings.HasPrefix(r.Name, prefix) { + r.ExtProcs = extProcs + r.Wasms = wasms + } } } } } - return nil + return errs } func (t *Translator) translateEnvoyExtensionPolicyForGateway( @@ -355,7 +365,7 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway( err, errs error ) - if extProcs, err = t.buildExtProcs(policy, resources); err != nil { + if extProcs, err = t.buildExtProcs(policy, resources, gateway.envoyProxy); err != nil { err = perr.WithMessage(err, "ExtProcs") errs = errors.Join(errs, err) } @@ -402,7 +412,7 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway( return nil } -func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resources *Resources) ([]ir.ExtProc, error) { +func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resources *Resources, envoyProxy *egv1a1.EnvoyProxy) ([]ir.ExtProc, error) { var extProcIRList []ir.ExtProc if policy == nil { @@ -411,7 +421,7 @@ func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resource for idx, ep := range policy.Spec.ExtProc { name := irConfigNameForEEP(policy, idx) - extProcIR, err := t.buildExtProc(name, utils.NamespacedName(policy), ep, idx, resources) + extProcIR, err := t.buildExtProc(name, utils.NamespacedName(policy), ep, idx, resources, envoyProxy) if err != nil { return nil, err } @@ -426,6 +436,7 @@ func (t *Translator) buildExtProc( extProc egv1a1.ExtProc, extProcIdx int, resources *Resources, + envoyProxy *egv1a1.EnvoyProxy, ) (*ir.ExtProc, error) { var ( ds *ir.DestinationSetting @@ -448,7 +459,9 @@ func (t *Translator) buildExtProc( policyNamespacedName, egv1a1.KindEnvoyExtensionPolicy, ir.GRPC, - resources) + resources, + envoyProxy, + ) if err != nil { return nil, err } diff --git a/internal/gatewayapi/ext_service.go b/internal/gatewayapi/ext_service.go index 283d9810996..3574e8249ef 100644 --- a/internal/gatewayapi/ext_service.go +++ b/internal/gatewayapi/ext_service.go @@ -26,6 +26,7 @@ func (t *Translator) processExtServiceDestination( policyKind string, protocol ir.AppProtocol, resources *Resources, + envoyProxy *egv1a1.EnvoyProxy, ) (*ir.DestinationSetting, error) { var ( backendTLS *ir.TLSUpstreamConfig @@ -36,7 +37,7 @@ func (t *Translator) processExtServiceDestination( switch KindDerefOr(backendRef.Kind, KindService) { case KindService: - ds = t.processServiceDestinationSetting(*backendRef, backendNamespace, protocol, resources) + ds = t.processServiceDestinationSetting(*backendRef, backendNamespace, protocol, resources, envoyProxy) case egv1a1.KindBackend: if !t.BackendEnabled { return nil, fmt.Errorf("resource %s of type Backend cannot be used since Backend is disabled in Envoy Gateway configuration", string(backendRef.Name)) @@ -51,7 +52,7 @@ func (t *Translator) processExtServiceDestination( } // TODO: support mixed endpointslice address type for the same backendRef - if !t.IsEnvoyServiceRouting(resources) && ds.AddressType != nil && *ds.AddressType == ir.MIXED { + if !t.IsEnvoyServiceRouting(envoyProxy) && ds.AddressType != nil && *ds.AddressType == ir.MIXED { return nil, errors.New( "mixed endpointslice address type for the same backendRef is not supported") } @@ -69,7 +70,9 @@ func (t *Translator) processExtServiceDestination( Namespace: ptr.To(gwapiv1.Namespace(policyNamespacedName.Namespace)), Name: gwapiv1.ObjectName(policyNamespacedName.Name), }, - resources) + resources, + envoyProxy, + ) ds.TLS = backendTLS diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 05865225505..ed35961ca0f 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -125,25 +125,21 @@ func IsRefToGateway(parentRef gwapiv1.ParentReference, gateway types.NamespacedN // are included by the parent ref (either one specific Listener, or all Listeners // in the Gateway, depending on whether section name is specified or not). func GetReferencedListeners(parentRef gwapiv1.ParentReference, gateways []*GatewayContext) (bool, []*ListenerContext) { - var selectsGateway bool var referencedListeners []*ListenerContext for _, gateway := range gateways { - if !IsRefToGateway(parentRef, utils.NamespacedName(gateway)) { - continue - } - - selectsGateway = true - - // The parentRef may be to the entire Gateway, or to a specific listener. - for _, listener := range gateway.listeners { - if (parentRef.SectionName == nil || *parentRef.SectionName == listener.Name) && (parentRef.Port == nil || *parentRef.Port == listener.Port) { - referencedListeners = append(referencedListeners, listener) + if IsRefToGateway(parentRef, utils.NamespacedName(gateway)) { + // The parentRef may be to the entire Gateway, or to a specific listener. + for _, listener := range gateway.listeners { + if (parentRef.SectionName == nil || *parentRef.SectionName == listener.Name) && (parentRef.Port == nil || *parentRef.Port == listener.Port) { + referencedListeners = append(referencedListeners, listener) + } } + return true, referencedListeners } } - return selectsGateway, referencedListeners + return false, referencedListeners } // HasReadyListener returns true if at least one Listener in the @@ -417,7 +413,7 @@ func irTLSCACertName(namespace, name string) string { } func IsMergeGatewaysEnabled(resources *Resources) bool { - return resources.EnvoyProxy != nil && resources.EnvoyProxy.Spec.MergeGateways != nil && *resources.EnvoyProxy.Spec.MergeGateways + return resources.EnvoyProxyForGatewayClass != nil && resources.EnvoyProxyForGatewayClass.Spec.MergeGateways != nil && *resources.EnvoyProxyForGatewayClass.Spec.MergeGateways } func protocolSliceToStringSlice(protocols []gwapiv1.ProtocolType) []string { diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index 47c1df0a7b1..8957874cbae 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -43,8 +43,8 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap for _, gateway := range gateways { irKey := t.getIRKey(gateway.Gateway) - if resources.EnvoyProxy != nil { - infraIR[irKey].Proxy.Config = resources.EnvoyProxy + if gateway.envoyProxy != nil { + infraIR[irKey].Proxy.Config = gateway.envoyProxy } t.processProxyObservability(gateway, xdsIR[irKey], infraIR[irKey].Proxy.Config, resources) @@ -71,7 +71,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap case gwapiv1.UDPProtocolType: t.validateAllowedRoutes(listener, KindUDPRoute) default: - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionAccepted, metav1.ConditionFalse, @@ -97,7 +97,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap } // Add the listener to the Xds IR servicePort := &protocolPort{protocol: listener.Protocol, port: int32(listener.Port)} - containerPort := servicePortToContainerPort(int32(listener.Port), resources.EnvoyProxy) + containerPort := servicePortToContainerPort(int32(listener.Port), gateway.envoyProxy) switch listener.Protocol { case gwapiv1.HTTPProtocolType, gwapiv1.HTTPSProtocolType: irListener := &ir.HTTPListener{ @@ -271,7 +271,7 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * } // TODO: how to get authority from the backendRefs? - ds, err := t.processBackendRefs(sink.OpenTelemetry.BackendRefs, envoyproxy.Namespace, resources) + ds, err := t.processBackendRefs(sink.OpenTelemetry.BackendRefs, envoyproxy.Namespace, resources, envoyproxy) if err != nil { return nil, err } @@ -315,7 +315,7 @@ func (t *Translator) processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.Envo tracing := envoyproxy.Spec.Telemetry.Tracing // TODO: how to get authority from the backendRefs? - ds, err := t.processBackendRefs(tracing.Provider.BackendRefs, envoyproxy.Namespace, resources) + ds, err := t.processBackendRefs(tracing.Provider.BackendRefs, envoyproxy.Namespace, resources, envoyproxy) if err != nil { return nil, err } @@ -368,7 +368,7 @@ func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *Re continue } - _, err := t.processBackendRefs(sink.OpenTelemetry.BackendRefs, envoyproxy.Namespace, resources) + _, err := t.processBackendRefs(sink.OpenTelemetry.BackendRefs, envoyproxy.Namespace, resources, envoyproxy) if err != nil { return nil, err } @@ -380,7 +380,7 @@ func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *Re }, nil } -func (t *Translator) processBackendRefs(backendRefs []egv1a1.BackendRef, namespace string, resources *Resources) ([]*ir.DestinationSetting, error) { +func (t *Translator) processBackendRefs(backendRefs []egv1a1.BackendRef, namespace string, resources *Resources, envoyProxy *egv1a1.EnvoyProxy) ([]*ir.DestinationSetting, error) { result := make([]*ir.DestinationSetting, 0, len(backendRefs)) for _, ref := range backendRefs { ns := NamespaceDerefOr(ref.Namespace, namespace) @@ -392,7 +392,7 @@ func (t *Translator) processBackendRefs(backendRefs []egv1a1.BackendRef, namespa return nil, err } - ds := t.processServiceDestinationSetting(ref.BackendObjectReference, ns, ir.GRPC, resources) + ds := t.processServiceDestinationSetting(ref.BackendObjectReference, ns, ir.GRPC, resources, envoyProxy) result = append(result, ds) } if len(result) == 0 { diff --git a/internal/gatewayapi/resource.go b/internal/gatewayapi/resource.go index da7c49441f6..3595e9c1c60 100644 --- a/internal/gatewayapi/resource.go +++ b/internal/gatewayapi/resource.go @@ -34,6 +34,12 @@ type ( type Resources struct { // This field is only used for marshalling/unmarshalling purposes and is not used by // the translator + + // EnvoyProxyForGatewayClass holds EnvoyProxy attached to GatewayClass + EnvoyProxyForGatewayClass *egv1a1.EnvoyProxy `json:"envoyProxyForGatewayClass,omitempty" yaml:"envoyProxyForGatewayClass,omitempty"` + // EnvoyProxiesForGateways holds EnvoyProxiesForGateways attached to Gateways + EnvoyProxiesForGateways []*egv1a1.EnvoyProxy `json:"envoyProxiesForGateways,omitempty" yaml:"envoyProxiesForGateways,omitempty"` + GatewayClass *gwapiv1.GatewayClass `json:"gatewayClass,omitempty" yaml:"gatewayClass,omitempty"` Gateways []*gwapiv1.Gateway `json:"gateways,omitempty" yaml:"gateways,omitempty"` HTTPRoutes []*gwapiv1.HTTPRoute `json:"httpRoutes,omitempty" yaml:"httpRoutes,omitempty"` @@ -48,7 +54,6 @@ type Resources struct { EndpointSlices []*discoveryv1.EndpointSlice `json:"endpointSlices,omitempty" yaml:"endpointSlices,omitempty"` Secrets []*corev1.Secret `json:"secrets,omitempty" yaml:"secrets,omitempty"` ConfigMaps []*corev1.ConfigMap `json:"configMaps,omitempty" yaml:"configMaps,omitempty"` - EnvoyProxy *egv1a1.EnvoyProxy `json:"envoyProxy,omitempty" yaml:"envoyProxy,omitempty"` ExtensionRefFilters []unstructured.Unstructured `json:"extensionRefFilters,omitempty" yaml:"extensionRefFilters,omitempty"` EnvoyPatchPolicies []*egv1a1.EnvoyPatchPolicy `json:"envoyPatchPolicies,omitempty" yaml:"envoyPatchPolicies,omitempty"` ClientTrafficPolicies []*egv1a1.ClientTrafficPolicy `json:"clientTrafficPolicies,omitempty" yaml:"clientTrafficPolicies,omitempty"` @@ -94,6 +99,16 @@ func (r *Resources) GetNamespace(name string) *corev1.Namespace { return nil } +func (r *Resources) GetEnvoyProxy(namespace, name string) *egv1a1.EnvoyProxy { + for _, ep := range r.EnvoyProxiesForGateways { + if ep.Namespace == namespace && ep.Name == name { + return ep + } + } + + return nil +} + func (r *Resources) GetService(namespace, name string) *corev1.Service { for _, svc := range r.Services { if svc.Namespace == namespace && svc.Name == name { diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 6d4ac03b663..db59bf551e2 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -172,6 +172,12 @@ func (t *Translator) processHTTPRouteParentRefs(httpRoute *HTTPRouteContext, res func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRef *RouteParentContext, resources *Resources) ([]*ir.HTTPRoute, error) { var routeRoutes []*ir.HTTPRoute + var envoyProxy *egv1a1.EnvoyProxy + + gatewayCtx := httpRoute.ParentRefs[*parentRef.ParentReference].GetGateway() + if gatewayCtx != nil { + envoyProxy = gatewayCtx.envoyProxy + } // compute matches, filters, backends for ruleIdx, rule := range httpRoute.Spec.Rules { @@ -190,7 +196,8 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe for _, backendRef := range rule.BackendRefs { backendRef := backendRef ds := t.processDestination(backendRef, parentRef, httpRoute, resources) - if !t.IsEnvoyServiceRouting(resources) && ds != nil && len(ds.Endpoints) > 0 && ds.AddressType != nil { + + if !t.IsEnvoyServiceRouting(envoyProxy) && ds != nil && len(ds.Endpoints) > 0 && ds.AddressType != nil { dstAddrTypeMap[*ds.AddressType]++ } if ds == nil { @@ -214,7 +221,7 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe } // TODO: support mixed endpointslice address type between backendRefs - if !t.IsEnvoyServiceRouting(resources) && len(dstAddrTypeMap) > 1 { + if !t.IsEnvoyServiceRouting(envoyProxy) && len(dstAddrTypeMap) > 1 { routeStatus := GetRouteStatus(httpRoute) status.SetRouteStatusCondition(routeStatus, parentRef.routeParentStatusIdx, @@ -698,7 +705,7 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route perHostRoutes = append(perHostRoutes, hostRoute) } } - irKey := t.getIRKey(listener.gateway) + irKey := t.getIRKey(listener.gateway.Gateway) irListener := xdsIR[irKey].GetHTTPListener(irListenerName(listener)) if irListener != nil { @@ -792,7 +799,7 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour hasHostnameIntersection = true - irKey := t.getIRKey(listener.gateway) + irKey := t.getIRKey(listener.gateway.Gateway) gwXdsIR := xdsIR[irKey] irListener := gwXdsIR.GetTCPListener(irListenerName(listener)) @@ -929,7 +936,7 @@ func (t *Translator) processUDPRouteParentRefs(udpRoute *UDPRouteContext, resour } accepted = true - irKey := t.getIRKey(listener.gateway) + irKey := t.getIRKey(listener.gateway.Gateway) gwXdsIR := xdsIR[irKey] irListener := gwXdsIR.GetUDPListener(irListenerName(listener)) @@ -1062,7 +1069,7 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour continue } accepted = true - irKey := t.getIRKey(listener.gateway) + irKey := t.getIRKey(listener.gateway.Gateway) gwXdsIR := xdsIR[irKey] irListener := gwXdsIR.GetTCPListener(irListenerName(listener)) @@ -1143,6 +1150,12 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, return nil } + var envoyProxy *egv1a1.EnvoyProxy + gatewayCtx := GetRouteParentContext(route, *parentRef.ParentReference).GetGateway() + if gatewayCtx != nil { + envoyProxy = gatewayCtx.envoyProxy + } + var ( endpoints []*ir.DestinationEndpoint addrType *ir.DestinationAddressType @@ -1159,7 +1172,7 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, } } - if !t.IsEnvoyServiceRouting(resources) { + if !t.IsEnvoyServiceRouting(envoyProxy) { endpointSlices := resources.GetEndpointSlicesForBackend(backendNamespace, string(backendRef.Name), KindDerefOr(backendRef.Kind, KindService)) endpoints, addrType = getIREndpointsFromEndpointSlices(endpointSlices, servicePort.Name, servicePort.Protocol) } else { @@ -1179,7 +1192,8 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, AddressType: addrType, } case KindService: - ds = t.processServiceDestinationSetting(backendRef.BackendObjectReference, backendNamespace, protocol, resources) + ds = t.processServiceDestinationSetting(backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy) + ds.TLS = t.applyBackendTLSSetting( backendRef.BackendObjectReference, backendNamespace, @@ -1191,10 +1205,13 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, SectionName: parentRef.SectionName, Port: parentRef.Port, }, - resources) + resources, + envoyProxy, + ) ds.Filters = t.processDestinationFilters(routeType, backendRefContext, parentRef, route, resources) case egv1a1.KindBackend: ds = t.processBackendDestinationSetting(backendRef.BackendObjectReference, backendNamespace, resources) + ds.TLS = t.applyBackendTLSSetting( backendRef.BackendObjectReference, backendNamespace, @@ -1206,11 +1223,13 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, SectionName: parentRef.SectionName, Port: parentRef.Port, }, - resources) + resources, + envoyProxy, + ) ds.Filters = t.processDestinationFilters(routeType, backendRefContext, parentRef, route, resources) } - if err := validateDestinationSettings(ds, t.IsEnvoyServiceRouting(resources), backendRef.Kind); err != nil { + if err := validateDestinationSettings(ds, t.IsEnvoyServiceRouting(envoyProxy), backendRef.Kind); err != nil { routeStatus := GetRouteStatus(route) status.SetRouteStatusCondition(routeStatus, parentRef.routeParentStatusIdx, @@ -1241,8 +1260,12 @@ func validateDestinationSettings(destinationSettings *ir.DestinationSetting, end return nil } -func (t *Translator) processServiceDestinationSetting(backendRef gwapiv1.BackendObjectReference, backendNamespace string, - protocol ir.AppProtocol, resources *Resources, +func (t *Translator) processServiceDestinationSetting( + backendRef gwapiv1.BackendObjectReference, + backendNamespace string, + protocol ir.AppProtocol, + resources *Resources, + envoyProxy *egv1a1.EnvoyProxy, ) *ir.DestinationSetting { var ( endpoints []*ir.DestinationEndpoint @@ -1265,7 +1288,7 @@ func (t *Translator) processServiceDestinationSetting(backendRef gwapiv1.Backend } // Route to endpoints by default - if !t.IsEnvoyServiceRouting(resources) { + if !t.IsEnvoyServiceRouting(envoyProxy) { endpointSlices := resources.GetEndpointSlicesForBackend(backendNamespace, string(backendRef.Name), KindDerefOr(backendRef.Kind, KindService)) endpoints, addrType = getIREndpointsFromEndpointSlices(endpointSlices, servicePort.Name, servicePort.Protocol) } else { diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index a47da721e48..34e2410ae55 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -357,7 +357,6 @@ func (t *Translator) translateSecurityPolicyForRoute( jwt *ir.JWT oidc *ir.OIDC basicAuth *ir.BasicAuth - extAuth *ir.ExtAuth authorization *ir.Authorization err, errs error ) @@ -388,15 +387,6 @@ func (t *Translator) translateSecurityPolicyForRoute( } } - if policy.Spec.ExtAuth != nil { - if extAuth, err = t.buildExtAuth( - policy, - resources); err != nil { - err = perr.WithMessage(err, "ExtAuth") - errs = errors.Join(errs, err) - } - } - if policy.Spec.Authorization != nil { if authorization, err = t.buildAuthorization(policy); err != nil { errs = errors.Join(errs, err) @@ -407,21 +397,39 @@ func (t *Translator) translateSecurityPolicyForRoute( // Note: there are multiple features in a security policy, even if some of them // are invalid, we still want to apply the valid ones. prefix := irRoutePrefix(route) - for _, x := range xdsIR { - for _, h := range x.HTTP { - for _, r := range h.Routes { - // Apply if there is a match - // route is associated with a Gateway API xRoute - if strings.HasPrefix(r.Name, prefix) { - // This security policy matches the current route. - // It should only be accepted if it doesn't match any other route - r.Security = &ir.SecurityFeatures{ - CORS: cors, - JWT: jwt, - OIDC: oidc, - BasicAuth: basicAuth, - ExtAuth: extAuth, - Authorization: authorization, + parentRefs := GetParentReferences(route) + for _, p := range parentRefs { + parentRefCtx := GetRouteParentContext(route, p) + gtwCtx := parentRefCtx.GetGateway() + if gtwCtx == nil { + continue + } + + var extAuth *ir.ExtAuth + if policy.Spec.ExtAuth != nil { + if extAuth, err = t.buildExtAuth( + policy, + resources, + gtwCtx.envoyProxy, + ); err != nil { + err = perr.WithMessage(err, "ExtAuth") + errs = errors.Join(errs, err) + } + } + irKey := t.getIRKey(gtwCtx.Gateway) + for _, listener := range parentRefCtx.listeners { + irListener := xdsIR[irKey].GetHTTPListener(irListenerName(listener)) + if irListener != nil { + for _, r := range irListener.Routes { + if strings.HasPrefix(r.Name, prefix) { + r.Security = &ir.SecurityFeatures{ + CORS: cors, + JWT: jwt, + OIDC: oidc, + BasicAuth: basicAuth, + ExtAuth: extAuth, + Authorization: authorization, + } } } } @@ -477,7 +485,9 @@ func (t *Translator) translateSecurityPolicyForGateway( if policy.Spec.ExtAuth != nil { if extAuth, err = t.buildExtAuth( policy, - resources); err != nil { + resources, + gateway.envoyProxy, + ); err != nil { err = perr.WithMessage(err, "ExtAuth") errs = errors.Join(errs, err) } @@ -812,7 +822,7 @@ func (t *Translator) buildBasicAuth( }, nil } -func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Resources) (*ir.ExtAuth, error) { +func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Resources, envoyProxy *egv1a1.EnvoyProxy) (*ir.ExtAuth, error) { var ( http = policy.Spec.ExtAuth.HTTP grpc = policy.Spec.ExtAuth.GRPC @@ -860,7 +870,9 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso pnn, KindSecurityPolicy, protocol, - resources); err != nil { + resources, + envoyProxy, + ); err != nil { return nil, err } rd := ir.RouteDestination{ diff --git a/internal/gatewayapi/testdata/conflicting-policies.in.yaml b/internal/gatewayapi/testdata/conflicting-policies.in.yaml index 0019de717be..a53cb56fb6a 100644 --- a/internal/gatewayapi/testdata/conflicting-policies.in.yaml +++ b/internal/gatewayapi/testdata/conflicting-policies.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/custom-filter-order.in.yaml b/internal/gatewayapi/testdata/custom-filter-order.in.yaml index 7bbef11264b..d3e931aed52 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.in.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.in.yaml @@ -6,7 +6,7 @@ secrets: name: users-secret1 data: .htpasswd: "dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo=" -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/disable-accesslog.in.yaml b/internal/gatewayapi/testdata/disable-accesslog.in.yaml index c6fa25f5cc6..29176f3e9c6 100644 --- a/internal/gatewayapi/testdata/disable-accesslog.in.yaml +++ b/internal/gatewayapi/testdata/disable-accesslog.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-feature-disabled.in.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-feature-disabled.in.yaml index d75a6e91e49..2ffb3b21648 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-feature-disabled.in.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-feature-disabled.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind-merge-gateways.in.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind-merge-gateways.in.yaml index 8d00c96d3a8..d87effdca85 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind-merge-gateways.in.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind-merge-gateways.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.in.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.in.yaml index 3daa484dc73..5a1d480305a 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.in.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-backend-invalid.in.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-backend-invalid.in.yaml index 0c045e3165f..c6c6f9b9c7d 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-backend-invalid.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-backend-invalid.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-backend.in.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-backend.in.yaml index 4dccf1a36d3..9e93d96a9f6 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-backend.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-backend.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json-no-format.in.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json-no-format.in.yaml index 67db26d8e71..de2444639ca 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json-no-format.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json-no-format.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json.in.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json.in.yaml index 3dc3c98a88c..d4ca30a7ea4 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.in.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.in.yaml index cccabc9cd4d..488d9a14957 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog.in.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog.in.yaml index 0d691420576..3eec4aa41fc 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.in.yaml b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.in.yaml new file mode 100644 index 00000000000..032aac10633 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.in.yaml @@ -0,0 +1,45 @@ +envoyProxiesForGateways: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + namespace: envoy-gateway + name: test + spec: + routingType: Endpoint +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: test + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 diff --git a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml new file mode 100755 index 00000000000..faf3935c73d --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml @@ -0,0 +1,140 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: test + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway +infraIR: + envoy-gateway/gateway-1: + proxy: + config: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + creationTimestamp: null + name: test + namespace: envoy-gateway + spec: + logging: {} + routingType: Endpoint + status: {} + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: '*' + isHTTP2: false + name: httproute/default/httproute-1/rule/0/match/0/* + pathMatch: + distinct: false + name: "" + prefix: / diff --git a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.in.yaml b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.in.yaml index b0d79c07573..f55e5f77198 100644 --- a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-backend-invalid.in.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-backend-invalid.in.yaml index 0c60778b2aa..c8faf616eab 100644 --- a/internal/gatewayapi/testdata/envoyproxy-metric-backend-invalid.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-metric-backend-invalid.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-backend.in.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-backend.in.yaml index 3a5228cc271..f6db7f1f1f0 100644 --- a/internal/gatewayapi/testdata/envoyproxy-metric-backend.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-metric-backend.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.in.yaml b/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.in.yaml new file mode 100644 index 00000000000..058da5a4e09 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.in.yaml @@ -0,0 +1,45 @@ +envoyProxiesForGateways: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + namespace: envoy-gateway + name: test + spec: + routingType: Service +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: test + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 diff --git a/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml b/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml new file mode 100755 index 00000000000..10160cd17cd --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml @@ -0,0 +1,139 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: test + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway +infraIR: + envoy-gateway/gateway-1: + proxy: + config: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + creationTimestamp: null + name: test + namespace: envoy-gateway + spec: + logging: {} + routingType: Service + status: {} + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - endpoints: + - host: 1.1.1.1 + port: 8080 + protocol: HTTP + weight: 1 + hostname: '*' + isHTTP2: false + name: httproute/default/httproute-1/rule/0/match/0/* + pathMatch: + distinct: false + name: "" + prefix: / diff --git a/internal/gatewayapi/testdata/envoyproxy-service-routing.in.yaml b/internal/gatewayapi/testdata/envoyproxy-service-routing.in.yaml index 81c141103a9..00c59d08c38 100644 --- a/internal/gatewayapi/testdata/envoyproxy-service-routing.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-service-routing.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.in.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.in.yaml index 78df58c55e8..46b9070f24e 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.in.yaml @@ -124,7 +124,7 @@ backendTLSPolicies: validation: wellKnownCACertificates: System hostname: example.com -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.in.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.in.yaml index 76139b7d2ac..7917eda836f 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.in.yaml @@ -124,7 +124,7 @@ backendTLSPolicies: validation: wellKnownCACertificates: System hostname: example.com -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings.in.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings.in.yaml index b745a770602..d813cefb5c7 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings.in.yaml @@ -124,7 +124,7 @@ backendTLSPolicies: validation: wellKnownCACertificates: System hostname: example.com -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-tracing-backend-invalid.in.yaml b/internal/gatewayapi/testdata/envoyproxy-tracing-backend-invalid.in.yaml index 2feceaf788e..508ecb83b17 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tracing-backend-invalid.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tracing-backend-invalid.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-tracing-backend.in.yaml b/internal/gatewayapi/testdata/envoyproxy-tracing-backend.in.yaml index 42e91b06cf7..9cd3485cec3 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tracing-backend.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tracing-backend.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/envoyproxy-valid.in.yaml b/internal/gatewayapi/testdata/envoyproxy-valid.in.yaml index fced37e87f2..cabf69d5018 100644 --- a/internal/gatewayapi/testdata/envoyproxy-valid.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-valid.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.in.yaml b/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.in.yaml new file mode 100644 index 00000000000..a86a76b76e2 --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.in.yaml @@ -0,0 +1,55 @@ +envoyProxiesForGateways: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + namespace: envoy-gateway + name: test + spec: + telemetry: + tracing: + samplingRate: 100 + provider: + host: otel-collector.monitoring.svc.cluster.local + port: 4317 + type: OpenTelemetry +gateways: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: test + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: "*.envoyproxy.io" + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 diff --git a/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.out.yaml b/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.out.yaml new file mode 100644 index 00000000000..1e47494ffed --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.out.yaml @@ -0,0 +1,163 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: test + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.envoyproxy.io' + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + config: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + creationTimestamp: null + name: test + namespace: envoy-gateway + spec: + logging: {} + telemetry: + tracing: + provider: + host: otel-collector.monitoring.svc.cluster.local + port: 4317 + type: OpenTelemetry + samplingRate: 100 + status: {} + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.envoyproxy.io' + isHTTP2: false + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / + tracing: + authority: otel-collector.monitoring.svc.cluster.local + destination: + name: tracing + settings: + - endpoints: + - host: otel-collector.monitoring.svc.cluster.local + port: 4317 + protocol: GRPC + weight: 1 + samplingRate: 100 + serviceName: gateway-1.envoy-gateway diff --git a/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.in.yaml b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.in.yaml new file mode 100644 index 00000000000..76e88c39d82 --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.in.yaml @@ -0,0 +1,41 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: test + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: "*.envoyproxy.io" + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 diff --git a/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.out.yaml b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.out.yaml new file mode 100644 index 00000000000..bbbaab6a3b1 --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.out.yaml @@ -0,0 +1,134 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: test + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.envoyproxy.io' + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.envoyproxy.io' + isHTTP2: false + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / diff --git a/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.in.yaml b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.in.yaml new file mode 100644 index 00000000000..73e30d9bf74 --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.in.yaml @@ -0,0 +1,56 @@ +envoyProxyForGatewayClass: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + namespace: envoy-gateway + name: test + spec: + telemetry: + tracing: + samplingRate: 100 + provider: + host: otel-collector.monitoring.svc.cluster.local + port: 4317 + type: OpenTelemetry +envoyProxiesForGateways: +gateways: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: not-exist + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: "*.envoyproxy.io" + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 diff --git a/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.out.yaml b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.out.yaml new file mode 100644 index 00000000000..8a477792a8f --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.out.yaml @@ -0,0 +1,163 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: not-exist + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.envoyproxy.io' + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + config: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + creationTimestamp: null + name: test + namespace: envoy-gateway + spec: + logging: {} + telemetry: + tracing: + provider: + host: otel-collector.monitoring.svc.cluster.local + port: 4317 + type: OpenTelemetry + samplingRate: 100 + status: {} + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.envoyproxy.io' + isHTTP2: false + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / + tracing: + authority: otel-collector.monitoring.svc.cluster.local + destination: + name: tracing + settings: + - endpoints: + - host: otel-collector.monitoring.svc.cluster.local + port: 4317 + protocol: GRPC + weight: 1 + samplingRate: 100 + serviceName: gateway-1.envoy-gateway diff --git a/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.in.yaml b/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.in.yaml index a109f785281..e9c06e7b29e 100644 --- a/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.in.yaml +++ b/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.in.yaml b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.in.yaml index 81e8ae3c976..a0f17504ebc 100644 --- a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.in.yaml +++ b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.in.yaml b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.in.yaml index b88c25a8808..6bb2a07dd53 100644 --- a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.in.yaml +++ b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/merge-valid-multiple-gateways.in.yaml b/internal/gatewayapi/testdata/merge-valid-multiple-gateways.in.yaml index aad24f222ea..54a1e9ad2cb 100644 --- a/internal/gatewayapi/testdata/merge-valid-multiple-gateways.in.yaml +++ b/internal/gatewayapi/testdata/merge-valid-multiple-gateways.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.in.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.in.yaml index d343d0070ff..ba426f531bf 100644 --- a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.in.yaml +++ b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies.in.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies.in.yaml index 1f5291f72df..22df4983a8a 100644 --- a/internal/gatewayapi/testdata/merge-with-isolated-policies.in.yaml +++ b/internal/gatewayapi/testdata/merge-with-isolated-policies.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/tracing-merged-multiple-routes.in.yaml b/internal/gatewayapi/testdata/tracing-merged-multiple-routes.in.yaml index 0f89e2f86d1..e85b2b20db9 100644 --- a/internal/gatewayapi/testdata/tracing-merged-multiple-routes.in.yaml +++ b/internal/gatewayapi/testdata/tracing-merged-multiple-routes.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/testdata/tracing-multiple-routes.in.yaml b/internal/gatewayapi/testdata/tracing-multiple-routes.in.yaml index a647019a9a9..b25b6dac21a 100644 --- a/internal/gatewayapi/testdata/tracing-multiple-routes.in.yaml +++ b/internal/gatewayapi/testdata/tracing-multiple-routes.in.yaml @@ -1,4 +1,4 @@ -envoyproxy: +envoyProxyForGatewayClass: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go index 3e392d2e949..191a75d460f 100644 --- a/internal/gatewayapi/translator.go +++ b/internal/gatewayapi/translator.go @@ -61,7 +61,7 @@ var _ TranslatorManager = (*Translator)(nil) type TranslatorManager interface { Translate(resources *Resources) (*TranslateResult, error) - GetRelevantGateways(gateways []*gwapiv1.Gateway) []*GatewayContext + GetRelevantGateways(resources *Resources) []*GatewayContext RoutesTranslator ListenersTranslator @@ -166,7 +166,7 @@ func newTranslateResult(gateways []*GatewayContext, func (t *Translator) Translate(resources *Resources) (*TranslateResult, error) { // Get Gateways belonging to our GatewayClass. - gateways := t.GetRelevantGateways(resources.Gateways) + gateways := t.GetRelevantGateways(resources) // Sort gateways based on timestamp. sort.Slice(gateways, func(i, j int) bool { @@ -244,10 +244,10 @@ func (t *Translator) Translate(resources *Resources) (*TranslateResult, error) { // Set custom filter order if EnvoyProxy is set // The custom filter order will be applied when generating the HTTP filter chain. - if resources.EnvoyProxy != nil { - for _, gateway := range gateways { + for _, gateway := range gateways { + if gateway.envoyProxy != nil { irKey := t.getIRKey(gateway.Gateway) - xdsIR[irKey].FilterOrder = resources.EnvoyProxy.Spec.FilterOrder + xdsIR[irKey].FilterOrder = gateway.envoyProxy.Spec.FilterOrder } } @@ -259,10 +259,10 @@ func (t *Translator) Translate(resources *Resources) (*TranslateResult, error) { // GetRelevantGateways returns GatewayContexts, containing a copy of the original // Gateway with the Listener statuses reset. -func (t *Translator) GetRelevantGateways(gateways []*gwapiv1.Gateway) []*GatewayContext { +func (t *Translator) GetRelevantGateways(resources *Resources) []*GatewayContext { var relevant []*GatewayContext - for _, gateway := range gateways { + for _, gateway := range resources.Gateways { if gateway == nil { panic("received nil gateway") } @@ -271,7 +271,7 @@ func (t *Translator) GetRelevantGateways(gateways []*gwapiv1.Gateway) []*Gateway gc := &GatewayContext{ Gateway: gateway.DeepCopy(), } - gc.ResetListeners() + gc.ResetListeners(resources) relevant = append(relevant, gc) } @@ -317,14 +317,14 @@ func (t *Translator) InitIRs(gateways []*GatewayContext, resources *Resources) ( // IsEnvoyServiceRouting returns true if EnvoyProxy.Spec.RoutingType == ServiceRoutingType // or, alternatively, if Translator.EndpointRoutingDisabled has been explicitly set to true; // otherwise, it returns false. -func (t *Translator) IsEnvoyServiceRouting(r *Resources) bool { +func (t *Translator) IsEnvoyServiceRouting(r *egv1a1.EnvoyProxy) bool { if t.EndpointRoutingDisabled { return true } - if r.EnvoyProxy == nil { + if r == nil { return false } - switch ptr.Deref(r.EnvoyProxy.Spec.RoutingType, egv1a1.EndpointRoutingType) { + switch ptr.Deref(r.Spec.RoutingType, egv1a1.EndpointRoutingType) { case egv1a1.ServiceRoutingType: return true case egv1a1.EndpointRoutingType: diff --git a/internal/gatewayapi/validate.go b/internal/gatewayapi/validate.go index 1817f6e06fc..f2172f2726c 100644 --- a/internal/gatewayapi/validate.go +++ b/internal/gatewayapi/validate.go @@ -335,13 +335,13 @@ func (t *Translator) validateBackendRefBackend(backendRef *gwapiv1a2.BackendRef, func (t *Translator) validateListenerConditions(listener *ListenerContext) (isReady bool) { lConditions := listener.GetConditions() if len(lConditions) == 0 { - status.SetGatewayListenerStatusCondition(listener.gateway, listener.listenerStatusIdx, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionProgrammed, metav1.ConditionTrue, gwapiv1.ListenerReasonProgrammed, "Sending translated listener configuration to the data plane") - status.SetGatewayListenerStatusCondition(listener.gateway, listener.listenerStatusIdx, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionAccepted, metav1.ConditionTrue, gwapiv1.ListenerReasonAccepted, "Listener has been successfully translated") - status.SetGatewayListenerStatusCondition(listener.gateway, listener.listenerStatusIdx, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionTrue, gwapiv1.ListenerReasonResolvedRefs, "Listener references have been resolved") return true @@ -361,7 +361,7 @@ func (t *Translator) validateListenerConditions(listener *ListenerContext) (isRe } // set "Programmed: false" if it's not set already. if !hasProgrammedCond { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionProgrammed, metav1.ConditionFalse, @@ -371,7 +371,7 @@ func (t *Translator) validateListenerConditions(listener *ListenerContext) (isRe } // set "ResolvedRefs: true" if it's not set already. if !hasRefsCond { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionTrue, @@ -391,7 +391,7 @@ func (t *Translator) validateAllowedNamespaces(listener *ListenerContext) { listener.AllowedRoutes.Namespaces.From != nil && *listener.AllowedRoutes.Namespaces.From == gwapiv1.NamespacesFromSelector { if listener.AllowedRoutes.Namespaces.Selector == nil { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionProgrammed, metav1.ConditionFalse, @@ -401,7 +401,7 @@ func (t *Translator) validateAllowedNamespaces(listener *ListenerContext) { } else { selector, err := metav1.LabelSelectorAsSelector(listener.AllowedRoutes.Namespaces.Selector) if err != nil { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionProgrammed, metav1.ConditionFalse, @@ -417,7 +417,7 @@ func (t *Translator) validateAllowedNamespaces(listener *ListenerContext) { func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerContext, resources *Resources) []*corev1.Secret { if len(listener.TLS.CertificateRefs) == 0 { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionProgrammed, metav1.ConditionFalse, @@ -431,7 +431,7 @@ func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerCon for _, certificateRef := range listener.TLS.CertificateRefs { // TODO zhaohuabing: reuse validateSecretRef if certificateRef.Group != nil && string(*certificateRef.Group) != "" { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionFalse, @@ -442,7 +442,7 @@ func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerCon } if certificateRef.Kind != nil && string(*certificateRef.Kind) != KindSecret { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionFalse, @@ -469,7 +469,7 @@ func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerCon }, resources.ReferenceGrants, ) { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionFalse, @@ -485,7 +485,7 @@ func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerCon secret := resources.GetSecret(secretNamespace, string(certificateRef.Name)) if secret == nil { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionFalse, @@ -496,7 +496,7 @@ func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerCon } if secret.Type != corev1.SecretTypeTLS { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionFalse, @@ -507,7 +507,7 @@ func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerCon } if len(secret.Data[corev1.TLSCertKey]) == 0 || len(secret.Data[corev1.TLSPrivateKeyKey]) == 0 { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionFalse, @@ -522,7 +522,7 @@ func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerCon err := validateTLSSecretsData(secrets, listener.Hostname) if err != nil { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionFalse, @@ -538,7 +538,7 @@ func (t *Translator) validateTLSConfiguration(listener *ListenerContext, resourc switch listener.Protocol { case gwapiv1.HTTPProtocolType, gwapiv1.UDPProtocolType, gwapiv1.TCPProtocolType: if listener.TLS != nil { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionProgrammed, metav1.ConditionFalse, @@ -548,7 +548,7 @@ func (t *Translator) validateTLSConfiguration(listener *ListenerContext, resourc } case gwapiv1.HTTPSProtocolType: if listener.TLS == nil { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionProgrammed, metav1.ConditionFalse, @@ -559,7 +559,7 @@ func (t *Translator) validateTLSConfiguration(listener *ListenerContext, resourc } if listener.TLS.Mode != nil && *listener.TLS.Mode != gwapiv1.TLSModeTerminate { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionProgrammed, metav1.ConditionFalse, @@ -574,7 +574,7 @@ func (t *Translator) validateTLSConfiguration(listener *ListenerContext, resourc case gwapiv1.TLSProtocolType: if listener.TLS == nil { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionProgrammed, metav1.ConditionFalse, @@ -586,7 +586,7 @@ func (t *Translator) validateTLSConfiguration(listener *ListenerContext, resourc if listener.TLS.Mode != nil && *listener.TLS.Mode == gwapiv1.TLSModePassthrough { if len(listener.TLS.CertificateRefs) > 0 { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionProgrammed, metav1.ConditionFalse, @@ -599,7 +599,7 @@ func (t *Translator) validateTLSConfiguration(listener *ListenerContext, resourc if listener.TLS.Mode != nil && *listener.TLS.Mode == gwapiv1.TLSModeTerminate { if len(listener.TLS.CertificateRefs) == 0 { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionProgrammed, metav1.ConditionFalse, @@ -617,7 +617,7 @@ func (t *Translator) validateTLSConfiguration(listener *ListenerContext, resourc func (t *Translator) validateHostName(listener *ListenerContext) { if listener.Protocol == gwapiv1.UDPProtocolType || listener.Protocol == gwapiv1.TCPProtocolType { if listener.Hostname != nil { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionProgrammed, metav1.ConditionFalse, @@ -646,7 +646,7 @@ func (t *Translator) validateAllowedRoutes(listener *ListenerContext, routeKinds // if there is a group it must match `gateway.networking.k8s.io` if kind.Group != nil && string(*kind.Group) != gwapiv1.GroupName { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionFalse, @@ -678,7 +678,7 @@ func (t *Translator) validateAllowedRoutes(listener *ListenerContext, routeKinds } else { printRouteKinds = supportedRouteKinds } - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionFalse, @@ -707,7 +707,7 @@ func (t *Translator) validateConflictedMergedListeners(gateways []*GatewayContex } portProtocolHostname := fmt.Sprintf("%s:%s:%d", listener.Protocol, *hostname, listener.Port) if listenerSets.Has(portProtocolHostname) { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionConflicted, metav1.ConditionTrue, @@ -760,7 +760,7 @@ func (t *Translator) validateConflictedLayer7Listeners(gateways []*GatewayContex for _, info := range portListenerInfo { for _, listener := range info.listeners { if len(info.protocols) > 1 { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionConflicted, metav1.ConditionTrue, @@ -775,7 +775,7 @@ func (t *Translator) validateConflictedLayer7Listeners(gateways []*GatewayContex } if info.hostnames[hostname] > 1 { - status.SetGatewayListenerStatusCondition(listener.gateway, + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionConflicted, metav1.ConditionTrue, @@ -807,7 +807,7 @@ func (t *Translator) validateConflictedLayer4Listeners(gateways []*GatewayContex for _, info := range portListenerInfo { if len(info.listeners) > 1 { for i := 1; i < len(info.listeners); i++ { - status.SetGatewayListenerStatusCondition(info.listeners[i].gateway, + status.SetGatewayListenerStatusCondition(info.listeners[i].gateway.Gateway, info.listeners[i].listenerStatusIdx, gwapiv1.ListenerConditionConflicted, metav1.ConditionTrue, diff --git a/internal/gatewayapi/zz_generated.deepcopy.go b/internal/gatewayapi/zz_generated.deepcopy.go index a5bf8c9974f..0ed43eea39d 100644 --- a/internal/gatewayapi/zz_generated.deepcopy.go +++ b/internal/gatewayapi/zz_generated.deepcopy.go @@ -10,7 +10,7 @@ package gatewayapi import ( - apiv1alpha1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/api/v1alpha1" corev1 "k8s.io/api/core/v1" discoveryv1 "k8s.io/api/discovery/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -18,12 +18,28 @@ import ( "sigs.k8s.io/gateway-api/apis/v1alpha2" "sigs.k8s.io/gateway-api/apis/v1alpha3" "sigs.k8s.io/gateway-api/apis/v1beta1" - "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" + apisv1alpha1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Resources) DeepCopyInto(out *Resources) { *out = *in + if in.EnvoyProxyForGatewayClass != nil { + in, out := &in.EnvoyProxyForGatewayClass, &out.EnvoyProxyForGatewayClass + *out = new(v1alpha1.EnvoyProxy) + (*in).DeepCopyInto(*out) + } + if in.EnvoyProxiesForGateways != nil { + in, out := &in.EnvoyProxiesForGateways, &out.EnvoyProxiesForGateways + *out = make([]*v1alpha1.EnvoyProxy, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(v1alpha1.EnvoyProxy) + (*in).DeepCopyInto(*out) + } + } + } if in.GatewayClass != nil { in, out := &in.GatewayClass, &out.GatewayClass *out = new(v1.GatewayClass) @@ -130,11 +146,11 @@ func (in *Resources) DeepCopyInto(out *Resources) { } if in.ServiceImports != nil { in, out := &in.ServiceImports, &out.ServiceImports - *out = make([]*v1alpha1.ServiceImport, len(*in)) + *out = make([]*apisv1alpha1.ServiceImport, len(*in)) for i := range *in { if (*in)[i] != nil { in, out := &(*in)[i], &(*out)[i] - *out = new(v1alpha1.ServiceImport) + *out = new(apisv1alpha1.ServiceImport) (*in).DeepCopyInto(*out) } } @@ -172,11 +188,6 @@ func (in *Resources) DeepCopyInto(out *Resources) { } } } - if in.EnvoyProxy != nil { - in, out := &in.EnvoyProxy, &out.EnvoyProxy - *out = new(apiv1alpha1.EnvoyProxy) - (*in).DeepCopyInto(*out) - } if in.ExtensionRefFilters != nil { in, out := &in.ExtensionRefFilters, &out.ExtensionRefFilters *out = make([]unstructured.Unstructured, len(*in)) @@ -186,44 +197,44 @@ func (in *Resources) DeepCopyInto(out *Resources) { } if in.EnvoyPatchPolicies != nil { in, out := &in.EnvoyPatchPolicies, &out.EnvoyPatchPolicies - *out = make([]*apiv1alpha1.EnvoyPatchPolicy, len(*in)) + *out = make([]*v1alpha1.EnvoyPatchPolicy, len(*in)) for i := range *in { if (*in)[i] != nil { in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1alpha1.EnvoyPatchPolicy) + *out = new(v1alpha1.EnvoyPatchPolicy) (*in).DeepCopyInto(*out) } } } if in.ClientTrafficPolicies != nil { in, out := &in.ClientTrafficPolicies, &out.ClientTrafficPolicies - *out = make([]*apiv1alpha1.ClientTrafficPolicy, len(*in)) + *out = make([]*v1alpha1.ClientTrafficPolicy, len(*in)) for i := range *in { if (*in)[i] != nil { in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1alpha1.ClientTrafficPolicy) + *out = new(v1alpha1.ClientTrafficPolicy) (*in).DeepCopyInto(*out) } } } if in.BackendTrafficPolicies != nil { in, out := &in.BackendTrafficPolicies, &out.BackendTrafficPolicies - *out = make([]*apiv1alpha1.BackendTrafficPolicy, len(*in)) + *out = make([]*v1alpha1.BackendTrafficPolicy, len(*in)) for i := range *in { if (*in)[i] != nil { in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1alpha1.BackendTrafficPolicy) + *out = new(v1alpha1.BackendTrafficPolicy) (*in).DeepCopyInto(*out) } } } if in.SecurityPolicies != nil { in, out := &in.SecurityPolicies, &out.SecurityPolicies - *out = make([]*apiv1alpha1.SecurityPolicy, len(*in)) + *out = make([]*v1alpha1.SecurityPolicy, len(*in)) for i := range *in { if (*in)[i] != nil { in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1alpha1.SecurityPolicy) + *out = new(v1alpha1.SecurityPolicy) (*in).DeepCopyInto(*out) } } @@ -241,11 +252,11 @@ func (in *Resources) DeepCopyInto(out *Resources) { } if in.EnvoyExtensionPolicies != nil { in, out := &in.EnvoyExtensionPolicies, &out.EnvoyExtensionPolicies - *out = make([]*apiv1alpha1.EnvoyExtensionPolicy, len(*in)) + *out = make([]*v1alpha1.EnvoyExtensionPolicy, len(*in)) for i := range *in { if (*in)[i] != nil { in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1alpha1.EnvoyExtensionPolicy) + *out = new(v1alpha1.EnvoyExtensionPolicy) (*in).DeepCopyInto(*out) } } @@ -259,11 +270,11 @@ func (in *Resources) DeepCopyInto(out *Resources) { } if in.Backends != nil { in, out := &in.Backends, &out.Backends - *out = make([]*apiv1alpha1.Backend, len(*in)) + *out = make([]*v1alpha1.Backend, len(*in)) for i := range *in { if (*in)[i] != nil { in, out := &(*in)[i], &(*out)[i] - *out = new(apiv1alpha1.Backend) + *out = new(v1alpha1.Backend) (*in).DeepCopyInto(*out) } } diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 55bd54c915f..27a985456a4 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -123,6 +123,8 @@ func newGatewayAPIController(mgr manager.Manager, cfg *config.Server, su Updater type resourceMappings struct { // Map for storing namespaces for Route, Service and Gateway objects. allAssociatedNamespaces sets.Set[string] + // Map for storing EnvoyProxies' NamespacedNames attaching to Gateway or GatewayClass. + allAssociatedEnvoyProxies sets.Set[string] // Map for storing TLSRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedTLSRoutes sets.Set[string] // Map for storing HTTPRoutes' NamespacedNames attaching to various Gateway objects. @@ -143,14 +145,15 @@ type resourceMappings struct { func newResourceMapping() *resourceMappings { return &resourceMappings{ - allAssociatedNamespaces: sets.New[string](), - allAssociatedTLSRoutes: sets.New[string](), - allAssociatedHTTPRoutes: sets.New[string](), - allAssociatedGRPCRoutes: sets.New[string](), - allAssociatedTCPRoutes: sets.New[string](), - allAssociatedUDPRoutes: sets.New[string](), - allAssociatedBackendRefs: sets.New[gwapiv1.BackendObjectReference](), - extensionRefFilters: map[utils.NamespacedNameWithGroupKind]unstructured.Unstructured{}, + allAssociatedNamespaces: sets.New[string](), + allAssociatedEnvoyProxies: sets.New[string](), + allAssociatedTLSRoutes: sets.New[string](), + allAssociatedHTTPRoutes: sets.New[string](), + allAssociatedGRPCRoutes: sets.New[string](), + allAssociatedTCPRoutes: sets.New[string](), + allAssociatedUDPRoutes: sets.New[string](), + allAssociatedBackendRefs: sets.New[gwapiv1.BackendObjectReference](), + extensionRefFilters: map[utils.NamespacedNameWithGroupKind]unstructured.Unstructured{}, } } @@ -193,6 +196,19 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques gwcResources = append(gwcResources, gwcResource) resourceMappings := newResourceMapping() + // Process the parametersRef of the accepted GatewayClass. + // This should run before processGateways and processBackendRefs + if managedGC.Spec.ParametersRef != nil && managedGC.DeletionTimestamp == nil { + if err := r.processGatewayClassParamsRef(ctx, managedGC, resourceMappings, gwcResource); err != nil { + msg := fmt.Sprintf("%s: %v", status.MsgGatewayClassInvalidParams, err) + if err := r.updateStatusForGatewayClass(ctx, managedGC, false, string(gwapiv1.GatewayClassReasonInvalidParameters), msg); err != nil { + r.log.Error(err, "unable to update GatewayClass status") + } + r.log.Error(err, "failed to process parametersRef for gatewayclass", "name", managedGC.Name) + return reconcile.Result{}, err + } + } + // Add all Gateways, their associated Routes, and referenced resources to the resourceTree if err = r.processGateways(ctx, managedGC, resourceMappings, gwcResource); err != nil { return reconcile.Result{}, err @@ -232,19 +248,6 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques return reconcile.Result{}, err } - // Process the parametersRef of the accepted GatewayClass. - // This should run before processBackendRefs - if managedGC.Spec.ParametersRef != nil && managedGC.DeletionTimestamp == nil { - if err := r.processParamsRef(ctx, managedGC, resourceMappings, gwcResource); err != nil { - msg := fmt.Sprintf("%s: %v", status.MsgGatewayClassInvalidParams, err) - if err := r.updateStatusForGatewayClass(ctx, managedGC, false, string(gwapiv1.GatewayClassReasonInvalidParameters), msg); err != nil { - r.log.Error(err, "unable to update GatewayClass status") - } - r.log.Error(err, "failed to process parametersRef for gatewayclass", "name", managedGC.Name) - return reconcile.Result{}, err - } - } - if err = r.processBackends(ctx, gwcResource); err != nil { return reconcile.Result{}, err } @@ -269,8 +272,8 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques gwcResource.Namespaces = append(gwcResource.Namespaces, namespace) } - if gwcResource.EnvoyProxy != nil && gwcResource.EnvoyProxy.Spec.MergeGateways != nil { - if *gwcResource.EnvoyProxy.Spec.MergeGateways { + if gwcResource.EnvoyProxyForGatewayClass != nil && gwcResource.EnvoyProxyForGatewayClass.Spec.MergeGateways != nil { + if *gwcResource.EnvoyProxyForGatewayClass.Spec.MergeGateways { r.mergeGateways.Insert(managedGC.Name) } else { r.mergeGateways.Delete(managedGC.Name) @@ -315,17 +318,17 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques } func (r *gatewayAPIReconciler) processEnvoyProxySecretRef(ctx context.Context, gwcResource *gatewayapi.Resources) { - if gwcResource.EnvoyProxy == nil || gwcResource.EnvoyProxy.Spec.BackendTLS == nil || gwcResource.EnvoyProxy.Spec.BackendTLS.ClientCertificateRef == nil { + if gwcResource.EnvoyProxyForGatewayClass == nil || gwcResource.EnvoyProxyForGatewayClass.Spec.BackendTLS == nil || gwcResource.EnvoyProxyForGatewayClass.Spec.BackendTLS.ClientCertificateRef == nil { return } - certRef := gwcResource.EnvoyProxy.Spec.BackendTLS.ClientCertificateRef + certRef := gwcResource.EnvoyProxyForGatewayClass.Spec.BackendTLS.ClientCertificateRef if refsSecret(certRef) { if err := r.processSecretRef( ctx, newResourceMapping(), gwcResource, gatewayapi.KindGateway, - gwcResource.EnvoyProxy.Namespace, + gwcResource.EnvoyProxyForGatewayClass.Namespace, gatewayapi.KindEnvoyProxy, *certRef); err != nil { r.log.Error(err, @@ -803,6 +806,10 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g r.log.Info("processing Gateway", "namespace", gtw.Namespace, "name", gtw.Name) resourceMap.allAssociatedNamespaces.Insert(gtw.Namespace) + if err := r.processGatewayParamsRef(ctx, >w, resourceMap, resourceTree); err != nil { + r.log.Error(err, "failed to process infrastructure.parametersRef for gateway", "namespace", gtw.Namespace, "name", gtw.Name) + } + for _, listener := range gtw.Spec.Listeners { listener := listener // Get Secret for gateway if it exists. @@ -1027,10 +1034,8 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } - // Only enqueue EnvoyProxy objects that match this Envoy Gateway's GatewayClass. epPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyProxy]{ &predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyProxy]{}, - predicate.NewTypedPredicateFuncs[*egv1a1.EnvoyProxy](r.hasManagedClass), } if r.namespaceLabel != nil { epPredicates = append(epPredicates, predicate.NewTypedPredicateFuncs(func(ep *egv1a1.EnvoyProxy) bool { @@ -1543,106 +1548,99 @@ func (r *gatewayAPIReconciler) enqueueClass(_ context.Context, _ client.Object) }}} } -func (r *gatewayAPIReconciler) hasManagedClass(ep *egv1a1.EnvoyProxy) bool { - // The EnvoyProxy must be in the same namespace as EG. - if ep.Namespace != r.namespace { - r.log.Info("envoyproxy namespace does not match Envoy Gateway's namespace", - "namespace", ep.Namespace, "name", ep.Name) - return false +// processGatewayParamsRef processes the infrastructure.parametersRef of the provided Gateway. +func (r *gatewayAPIReconciler) processGatewayParamsRef(ctx context.Context, gtw *gwapiv1.Gateway, resourceMap *resourceMappings, resourceTree *gatewayapi.Resources) error { + if gtw == nil || gtw.Spec.Infrastructure == nil || gtw.Spec.Infrastructure.ParametersRef == nil { + return nil } - gcList := new(gwapiv1.GatewayClassList) - err := r.client.List(context.TODO(), gcList) - if err != nil { - r.log.Error(err, "failed to list gatewayclasses") - return false + if resourceTree.EnvoyProxyForGatewayClass != nil && resourceTree.EnvoyProxyForGatewayClass.Spec.MergeGateways != nil && *resourceTree.EnvoyProxyForGatewayClass.Spec.MergeGateways { + return fmt.Errorf("infrastructure.parametersref must be nil when MergeGateways feature is enabled by gatewayclass") } - for i := range gcList.Items { - gc := gcList.Items[i] - // Reconcile the managed GatewayClass if it's referenced by the EnvoyProxy. - if r.hasMatchingController(&gc) && - classAccepted(&gc) && - classRefsEnvoyProxy(&gc, ep) { - return true + ref := gtw.Spec.Infrastructure.ParametersRef + if !(string(ref.Group) == egv1a1.GroupVersion.Group && + ref.Kind == egv1a1.KindEnvoyProxy && + len(ref.Name) > 0) { + return fmt.Errorf("unsupported parametersRef for gateway %s/%s", gtw.Namespace, gtw.Name) + } + + ep := new(egv1a1.EnvoyProxy) + if err := r.client.Get(ctx, types.NamespacedName{Namespace: gtw.Namespace, Name: ref.Name}, ep); err != nil { + return fmt.Errorf("failed to find envoyproxy %s/%s: %w", gtw.Namespace, ref.Name, err) + } + + if err := r.processEnvoyProxy(ep, resourceMap); err != nil { + return err + } + + if ep.Spec.BackendTLS != nil && ep.Spec.BackendTLS.ClientCertificateRef != nil { + certRef := ep.Spec.BackendTLS.ClientCertificateRef + if refsSecret(certRef) { + if err := r.processSecretRef( + ctx, + resourceMap, + resourceTree, + gatewayapi.KindGateway, + gtw.Namespace, + gtw.Name, + *certRef); err != nil { + r.log.Error(err, + "failed to process TLS SecretRef for gateway", + "gateway", utils.NamespacedName(gtw).String(), "secretRef", certRef) + } } } - return false + resourceTree.EnvoyProxiesForGateways = append(resourceTree.EnvoyProxiesForGateways, ep) + return nil } -// processParamsRef processes the parametersRef of the provided GatewayClass. -func (r *gatewayAPIReconciler) processParamsRef(ctx context.Context, gc *gwapiv1.GatewayClass, resourceMap *resourceMappings, resourceTree *gatewayapi.Resources) error { +// processGatewayClassParamsRef processes the parametersRef of the provided GatewayClass. +func (r *gatewayAPIReconciler) processGatewayClassParamsRef(ctx context.Context, gc *gwapiv1.GatewayClass, resourceMap *resourceMappings, resourceTree *gatewayapi.Resources) error { if !refsEnvoyProxy(gc) { return fmt.Errorf("unsupported parametersRef for gatewayclass %s", gc.Name) } - epList := new(egv1a1.EnvoyProxyList) - gcParametersRefNamespace := string(*gc.Spec.ParametersRef.Namespace) + ep := new(egv1a1.EnvoyProxy) + if err := r.client.Get(ctx, types.NamespacedName{Namespace: string(*gc.Spec.ParametersRef.Namespace), Name: gc.Spec.ParametersRef.Name}, ep); err != nil { + if kerrors.IsNotFound(err) { + return fmt.Errorf("envoyproxy referenced by gatewayclass is not found: %w", err) + } + return fmt.Errorf("failed to find envoyproxy %s/%s: %w", r.namespace, gc.Spec.ParametersRef.Name, err) + } - if err := r.client.List(ctx, epList, &client.ListOptions{Namespace: gcParametersRefNamespace}); err != nil { - return fmt.Errorf("failed to list envoyproxies in namespace %s: %w", gcParametersRefNamespace, err) + if err := r.processEnvoyProxy(ep, resourceMap); err != nil { + return err } + resourceTree.EnvoyProxyForGatewayClass = ep + return nil +} - if len(epList.Items) == 0 { - r.log.Info("no envoyproxies exist in", "namespace", gcParametersRefNamespace) +// processEnvoyProxy processes the parametersRef of the provided GatewayClass. +func (r *gatewayAPIReconciler) processEnvoyProxy(ep *egv1a1.EnvoyProxy, resourceMap *resourceMappings) error { + key := utils.NamespacedName(ep).String() + if resourceMap.allAssociatedEnvoyProxies.Has(key) { + r.log.Info("current EnvoyProxy has been processed already", "namespace", ep.Namespace, "name", ep.Name) return nil } - found := false - valid := false - var validationErr error - for i := range epList.Items { - ep := epList.Items[i] - r.log.Info("processing envoyproxy", "namespace", ep.Namespace, "name", ep.Name) - if classRefsEnvoyProxy(gc, &ep) { - found = true - if err := validation.ValidateEnvoyProxy(&ep); err != nil { - validationErr = fmt.Errorf("invalid envoyproxy: %w", err) - continue - } + r.log.Info("processing envoyproxy", "namespace", ep.Namespace, "name", ep.Name) - if ep.Spec.Telemetry != nil { - telemetry := ep.Spec.Telemetry - - if telemetry.AccessLog != nil { - for _, setting := range telemetry.AccessLog.Settings { - for _, sink := range setting.Sinks { - if sink.OpenTelemetry == nil { - continue - } - for _, backendRef := range sink.OpenTelemetry.BackendRefs { - backendNamespace := gatewayapi.NamespaceDerefOrAlpha(backendRef.Namespace, ep.Namespace) - resourceMap.allAssociatedBackendRefs.Insert(gwapiv1.BackendObjectReference{ - Group: backendRef.BackendObjectReference.Group, - Kind: backendRef.BackendObjectReference.Kind, - Namespace: gatewayapi.NamespacePtrV1Alpha2(backendNamespace), - Name: backendRef.Name, - }) - } - } - } - } + if err := validation.ValidateEnvoyProxy(ep); err != nil { + return fmt.Errorf("invalid envoyproxy: %w", err) + } - if telemetry.Metrics != nil { - for _, sink := range telemetry.Metrics.Sinks { - if sink.OpenTelemetry == nil { - continue - } - for _, backendRef := range sink.OpenTelemetry.BackendRefs { - backendNamespace := gatewayapi.NamespaceDerefOrAlpha(backendRef.Namespace, ep.Namespace) - resourceMap.allAssociatedBackendRefs.Insert(gwapiv1.BackendObjectReference{ - Group: backendRef.BackendObjectReference.Group, - Kind: backendRef.BackendObjectReference.Kind, - Namespace: gatewayapi.NamespacePtrV1Alpha2(backendNamespace), - Name: backendRef.Name, - }) - } - } - } + if ep.Spec.Telemetry != nil { + telemetry := ep.Spec.Telemetry - if telemetry.Tracing != nil { - for _, backendRef := range telemetry.Tracing.Provider.BackendRefs { + if telemetry.AccessLog != nil { + for _, setting := range telemetry.AccessLog.Settings { + for _, sink := range setting.Sinks { + if sink.OpenTelemetry == nil { + continue + } + for _, backendRef := range sink.OpenTelemetry.BackendRefs { backendNamespace := gatewayapi.NamespaceDerefOrAlpha(backendRef.Namespace, ep.Namespace) resourceMap.allAssociatedBackendRefs.Insert(gwapiv1.BackendObjectReference{ Group: backendRef.BackendObjectReference.Group, @@ -1650,25 +1648,43 @@ func (r *gatewayAPIReconciler) processParamsRef(ctx context.Context, gc *gwapiv1 Namespace: gatewayapi.NamespacePtrV1Alpha2(backendNamespace), Name: backendRef.Name, }) - } } } + } - valid = true - resourceTree.EnvoyProxy = &ep - break + if telemetry.Metrics != nil { + for _, sink := range telemetry.Metrics.Sinks { + if sink.OpenTelemetry == nil { + continue + } + for _, backendRef := range sink.OpenTelemetry.BackendRefs { + backendNamespace := gatewayapi.NamespaceDerefOrAlpha(backendRef.Namespace, ep.Namespace) + resourceMap.allAssociatedBackendRefs.Insert(gwapiv1.BackendObjectReference{ + Group: backendRef.BackendObjectReference.Group, + Kind: backendRef.BackendObjectReference.Kind, + Namespace: gatewayapi.NamespacePtrV1Alpha2(backendNamespace), + Name: backendRef.Name, + }) + } + } } - } - if !found { - return fmt.Errorf("failed to find envoyproxy referenced by gatewayclass: %s", gc.Name) - } + if telemetry.Tracing != nil { + for _, backendRef := range telemetry.Tracing.Provider.BackendRefs { + backendNamespace := gatewayapi.NamespaceDerefOrAlpha(backendRef.Namespace, ep.Namespace) + resourceMap.allAssociatedBackendRefs.Insert(gwapiv1.BackendObjectReference{ + Group: backendRef.BackendObjectReference.Group, + Kind: backendRef.BackendObjectReference.Kind, + Namespace: gatewayapi.NamespacePtrV1Alpha2(backendNamespace), + Name: backendRef.Name, + }) - if !valid { - return fmt.Errorf("invalid gatewayclass %s: %w", gc.Name, validationErr) + } + } } + resourceMap.allAssociatedEnvoyProxies.Insert(key) return nil } diff --git a/internal/provider/kubernetes/controller_test.go b/internal/provider/kubernetes/controller_test.go index edd8b53c703..e3b63360163 100644 --- a/internal/provider/kubernetes/controller_test.go +++ b/internal/provider/kubernetes/controller_test.go @@ -12,7 +12,6 @@ import ( "github.com/stretchr/testify/require" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" - "sigs.k8s.io/controller-runtime/pkg/client" fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" @@ -20,7 +19,6 @@ import ( "github.com/envoyproxy/gateway/internal/envoygateway" "github.com/envoyproxy/gateway/internal/envoygateway/config" "github.com/envoyproxy/gateway/internal/gatewayapi" - "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/logging" ) @@ -152,196 +150,7 @@ func TestRemoveGatewayClassFinalizer(t *testing.T) { } } -func TestHasManagedClass(t *testing.T) { - gcCtrlName := gwapiv1.GatewayController(egv1a1.GatewayControllerName) - - testCases := []struct { - name string - ep *egv1a1.EnvoyProxy - classes []*gwapiv1.GatewayClass - expected bool - }{ - { - name: "no matching gatewayclasses", - ep: &egv1a1.EnvoyProxy{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: config.DefaultNamespace, - Name: "test-envoyproxy", - }, - }, - classes: []*gwapiv1.GatewayClass{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "test-gc", - }, - Spec: gwapiv1.GatewayClassSpec{ - ControllerName: "SomeOtherController", - ParametersRef: &gwapiv1.ParametersReference{ - Group: gwapiv1.Group(egv1a1.GroupVersion.Group), - Kind: gwapiv1.Kind(egv1a1.KindEnvoyProxy), - Name: "test-envoyproxy", - Namespace: gatewayapi.NamespacePtr(config.DefaultNamespace), - }, - }, - Status: gwapiv1.GatewayClassStatus{ - Conditions: []metav1.Condition{ - { - Type: string(gwapiv1.GatewayClassConditionStatusAccepted), - Status: metav1.ConditionTrue, - }, - }, - SupportedFeatures: status.GatewaySupportedFeatures, - }, - }, - }, - expected: false, - }, - { - name: "match one gatewayclass", - ep: &egv1a1.EnvoyProxy{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: config.DefaultNamespace, - Name: "test-envoyproxy", - }, - }, - classes: []*gwapiv1.GatewayClass{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "test-gc", - }, - Spec: gwapiv1.GatewayClassSpec{ - ControllerName: gcCtrlName, - ParametersRef: &gwapiv1.ParametersReference{ - Group: gwapiv1.Group(egv1a1.GroupVersion.Group), - Kind: gwapiv1.Kind(egv1a1.KindEnvoyProxy), - Name: "test-envoyproxy", - Namespace: gatewayapi.NamespacePtr(config.DefaultNamespace), - }, - }, - Status: gwapiv1.GatewayClassStatus{ - Conditions: []metav1.Condition{ - { - Type: string(gwapiv1.GatewayClassConditionStatusAccepted), - Status: metav1.ConditionTrue, - }, - }, - SupportedFeatures: status.GatewaySupportedFeatures, - }, - }, - }, - expected: true, - }, - { - name: "envoyproxy in different namespace as eg", - ep: &egv1a1.EnvoyProxy{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: "not-eg-ns", - Name: "test-envoyproxy", - }, - }, - classes: []*gwapiv1.GatewayClass{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "test-gc", - }, - Spec: gwapiv1.GatewayClassSpec{ControllerName: gcCtrlName}, - }, - }, - expected: false, - }, - { - name: "multiple gatewayclasses one with accepted status", - ep: &egv1a1.EnvoyProxy{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: config.DefaultNamespace, - Name: "test-envoyproxy", - }, - }, - classes: []*gwapiv1.GatewayClass{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "test-gc1", - }, - Spec: gwapiv1.GatewayClassSpec{ - ControllerName: gcCtrlName, - ParametersRef: &gwapiv1.ParametersReference{ - Group: gwapiv1.Group(egv1a1.GroupVersion.Group), - Kind: gwapiv1.Kind(egv1a1.KindEnvoyProxy), - Name: "test-envoyproxy", - Namespace: gatewayapi.NamespacePtr(config.DefaultNamespace), - }, - }, - Status: gwapiv1.GatewayClassStatus{ - Conditions: []metav1.Condition{ - { - Type: string(gwapiv1.GatewayClassConditionStatusAccepted), - Status: metav1.ConditionTrue, - }, - }, - SupportedFeatures: status.GatewaySupportedFeatures, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{ - Name: "test-gc2", - }, - Spec: gwapiv1.GatewayClassSpec{ - ControllerName: gcCtrlName, - ParametersRef: &gwapiv1.ParametersReference{ - Group: gwapiv1.Group(egv1a1.GroupVersion.Group), - Kind: gwapiv1.Kind(egv1a1.KindEnvoyProxy), - Name: "test-envoyproxy", - Namespace: gatewayapi.NamespacePtr(config.DefaultNamespace), - }, - }, - Status: gwapiv1.GatewayClassStatus{ - Conditions: []metav1.Condition{ - { - Type: string(gwapiv1.GatewayClassConditionStatusAccepted), - Status: metav1.ConditionFalse, - }, - }, - SupportedFeatures: status.GatewaySupportedFeatures, - }, - }, - }, - expected: true, - }, - } - - for i := range testCases { - tc := testCases[i] - - // Create the reconciler. - logger := logging.DefaultLogger(egv1a1.LogLevelInfo) - r := &gatewayAPIReconciler{ - log: logger, - classController: gcCtrlName, - namespace: config.DefaultNamespace, - } - - // Run the test cases. - t.Run(tc.name, func(t *testing.T) { - // Add the test case objects to the reconciler client. - objs := []client.Object{tc.ep} - for _, gc := range tc.classes { - objs = append(objs, gc) - } - - // Create the client. - r.client = fakeclient.NewClientBuilder(). - WithScheme(envoygateway.GetScheme()). - WithObjects(objs...). - Build() - - // Process the test case gatewayclasses. - results := r.hasManagedClass(tc.ep) - require.Equal(t, tc.expected, results) - }) - } -} - -func TestProcessParamsRef(t *testing.T) { +func TestProcessGatewayClassParamsRef(t *testing.T) { gcCtrlName := gwapiv1.GatewayController(egv1a1.GatewayControllerName) testCases := []struct { @@ -451,6 +260,7 @@ func TestProcessParamsRef(t *testing.T) { r := &gatewayAPIReconciler{ log: logger, classController: gcCtrlName, + namespace: config.DefaultNamespace, } // Run the test cases. @@ -468,11 +278,11 @@ func TestProcessParamsRef(t *testing.T) { // Process the test case gatewayclasses. resourceTree := gatewayapi.NewResources() resourceMap := newResourceMapping() - err := r.processParamsRef(context.Background(), tc.gc, resourceMap, resourceTree) + err := r.processGatewayClassParamsRef(context.Background(), tc.gc, resourceMap, resourceTree) if tc.expected { require.NoError(t, err) // Ensure the resource tree and map are as expected. - require.Equal(t, tc.ep, resourceTree.EnvoyProxy) + require.Equal(t, tc.ep, resourceTree.EnvoyProxyForGatewayClass) } else { require.Error(t, err) } diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go index c0ca5d094bb..da58fcd4188 100644 --- a/internal/provider/kubernetes/kubernetes_test.go +++ b/internal/provider/kubernetes/kubernetes_test.go @@ -208,8 +208,8 @@ func testGatewayClassWithParamRef(ctx context.Context, t *testing.T, provider *P return false } - if res.EnvoyProxy != nil { - assert.Equal(t, res.EnvoyProxy.Spec, ep.Spec) + if res.EnvoyProxyForGatewayClass != nil { + assert.Equal(t, res.EnvoyProxyForGatewayClass.Spec, ep.Spec) return true }