Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

conformance: check HTTPRoute connectivity after deleting relevant ReferenceGrant #1853

Merged
merged 1 commit into from
May 16, 2023
Merged

conformance: check HTTPRoute connectivity after deleting relevant ReferenceGrant #1853

merged 1 commit into from
May 16, 2023

Conversation

pmalek
Copy link
Contributor

@pmalek pmalek commented Mar 20, 2023

What type of PR is this?

/kind test
/area conformance

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #1838

Does this PR introduce a user-facing change?:

HTTPRoute connectivity is in now enforced in conformance tests if a relevant ReferenceGrant gets deleted.

@k8s-ci-robot k8s-ci-robot added kind/test area/conformance cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 20, 2023
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 20, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @pmalek. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Mar 20, 2023
This was referenced Mar 20, 2023
Closed
Merged
@shaneutt shaneutt added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 20, 2023
@shaneutt shaneutt added this to the v0.7.0 milestone Mar 20, 2023
shaneutt
shaneutt approved these changes Mar 21, 2023
View reviewed changes
Copy link
Member

@shaneutt shaneutt left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems correct ultimately, but I do want some feedback from other implementers before we merge so let's hold. I think the 503 is particularly going to draw some questions.

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 21, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pmalek, shaneutt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 21, 2023
sunjayBhatia
sunjayBhatia suggested changes Mar 22, 2023
View reviewed changes
Copy link
Member

@sunjayBhatia sunjayBhatia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you specify where in the spec we ask for a 503 specifically?

this section only specifies 500 return code:

gateway-api/apis/v1beta1/httproute_types.go

Lines 210 to 237 in cd1b6f5

// BackendRefs defines the backend(s) where matching requests should be
// sent.
//
// Failure behavior here depends on how many BackendRefs are specified and
// how many are invalid.
//
// If *all* entries in BackendRefs are invalid, and there are also no filters
// specified in this route rule, *all* traffic which matches this rule MUST
// receive a 500 status code.
//
// See the HTTPBackendRef definition for the rules about what makes a single
// HTTPBackendRef invalid.
//
// When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
// requests that would have otherwise been routed to an invalid backend. If
// multiple backends are specified, and some are invalid, the proportion of
// requests that would otherwise have been routed to an invalid backend
// MUST receive a 500 status code.
//
// For example, if two backends are specified with equal weights, and one is
// invalid, 50 percent of traffic must receive a 500. Implementations may
// choose how that 50 percent is determined.
//
// Support: Core for Kubernetes Service
//
// Support: Implementation-specific for any other resource
//
// Support for weight: Core

500 or 503 seem like they could work, but if we want a specific code we should specify it

@pmalek
Copy link
Contributor Author

pmalek commented Apr 3, 2023

can you specify where in the spec we ask for a 503 specifically?

this section only specifies 500 return code:

gateway-api/apis/v1beta1/httproute_types.go

Lines 210 to 237 in cd1b6f5

// BackendRefs defines the backend(s) where matching requests should be
// sent.
//
// Failure behavior here depends on how many BackendRefs are specified and
// how many are invalid.
//
// If *all* entries in BackendRefs are invalid, and there are also no filters
// specified in this route rule, *all* traffic which matches this rule MUST
// receive a 500 status code.
//
// See the HTTPBackendRef definition for the rules about what makes a single
// HTTPBackendRef invalid.
//
// When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
// requests that would have otherwise been routed to an invalid backend. If
// multiple backends are specified, and some are invalid, the proportion of
// requests that would otherwise have been routed to an invalid backend
// MUST receive a 500 status code.
//
// For example, if two backends are specified with equal weights, and one is
// invalid, 50 percent of traffic must receive a 500. Implementations may
// choose how that 50 percent is determined.
//
// Support: Core for Kubernetes Service
//
// Support: Implementation-specific for any other resource
//
// Support for weight: Core

500 or 503 seem like they could work, but if we want a specific code we should specify it

That might have been an incorrect assumption on my side which just felt "right".

I believe this should indeed be specified just as you mentioned. What would be the best course of action for this then? Should this change include that mention or does it have to go through a different process where maintainers comment on this idea?

@sunjayBhatia
Copy link
Member

That might have been an incorrect assumption on my side which just felt "right".

I believe this should indeed be specified just as you mentioned. What would be the best course of action for this then? Should this change include that mention or does it have to go through a different process where maintainers comment on this idea?

Not a maintainer, just a reviewer, but I am ok with making an API change along with the relevant test change as I think that keeps the justification for the test change bundled nicely. However, you may want to open an issue about the API spec change before making it just to make sure there's enough signal for people to discuss such a change

@pmalek pmalek mentioned this pull request Apr 3, 2023
Closed
@pmalek
Copy link
Contributor Author

pmalek commented Apr 3, 2023

@sunjayBhatia Got it. Created #1902 to track it.

@shaneutt shaneutt modified the milestones: v0.7.0, v0.7.1 Apr 6, 2023
@shaneutt shaneutt modified the milestones: v0.7.1, v0.8.0 Apr 28, 2023
@shaneutt
Copy link
Member

shaneutt commented May 3, 2023

@pmalek I think to move forward with this one, given some time has passed we need to make the appropriate spec change as noted in #1902 and signal that one as in progress. Let us know if you need any assistance!

@shaneutt shaneutt marked this pull request as draft May 3, 2023 12:16
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 3, 2023
@youngnick
Copy link
Contributor

I just commented on #1902, but it's actually really important for security to ensure that the result code is the same if the service doesn't exist or if there's no ReferenceGrant so that you can't use that difference to enumerate service names.

@pmalek pmalek force-pushed the conformance-check-httproute-after-refernce-grant-deletion branch from bae6e9c to 98689ce Compare May 11, 2023 16:49
@pmalek
Copy link
Contributor Author

pmalek commented May 11, 2023

@youngnick As per the discussion in #1902 I've updated the PR to use HTTP 500. PTAL

@pmalek pmalek marked this pull request as ready for review May 11, 2023 16:50
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 11, 2023
@k8s-ci-robot k8s-ci-robot requested a review from howardjohn May 11, 2023 16:51
@youngnick
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 16, 2023
@shaneutt shaneutt removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 16, 2023
@k8s-ci-robot k8s-ci-robot merged commit 5a4a6e3 into kubernetes-sigs:main May 16, 2023
@pmalek pmalek deleted the conformance-check-httproute-after-refernce-grant-deletion branch May 16, 2023 12:50
@pmalek pmalek mentioned this pull request Mar 28, 2024
Closed
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sunjayBhatia sunjayBhatia sunjayBhatia requested changes

@shaneutt shaneutt shaneutt approved these changes

@mikemorris mikemorris Awaiting requested review from mikemorris

@skriss skriss Awaiting requested review from skriss

@mlavacca mlavacca Awaiting requested review from mlavacca

@robscott robscott Awaiting requested review from robscott

@youngnick youngnick Awaiting requested review from youngnick

@arkodg arkodg Awaiting requested review from arkodg

@howardjohn howardjohn Awaiting requested review from howardjohn

Assignees

@youngnick youngnick

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/conformance cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/test lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
No open projects
Gateway API: The Road to GA
Status: Done
Milestone
v0.8.0
Development

Successfully merging this pull request may close these issues.

conformance: new test checking a standard condition on a Route that cannot route due to lacking ReferenceGrant
5 participants
@pmalek @k8s-ci-robot @sunjayBhatia @shaneutt @youngnick