Disallow route to attach to listener if not present in allowed routes. #2314

Merged
merged 7 commits into from
Aug 5, 2024

Conversation

salonichf5
Contributor

@salonichf5 salonichf5 commented Jul 30, 2024

Proposed changes

Write a clear and concise description that helps reviewers understand the purpose and impact of your changes. Use the
following format:

Problem: NGF allows all route kinds to attach to a listener regardless of the kinds specified in the listener AllowedRoutes.Kinds field

Solution: Add check to reject a route trying to attach to a listener which doesn't allow its kind.

Testing: Manual testing

  1. Case 1: Gateway has a listener of type GRPCRoute, HTTPRoute Created with that listener

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
spec:
  gatewayClassName: nginx
  listeners:
  - name: grpc
    port: 80
    protocol: HTTP
    hostname: "*.example.com"
    allowedRoutes:
      kinds:
        - kind: "GRPCRoute"
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: coffee
spec:
  parentRefs:
  - name: gateway
    sectionName: grpc
  hostnames:
  - "cafe.example.com"
  rules:
  - backendRefs:
    - name: coffee
      port: 80
```

```text
kubectl describe httproute coffee

Status:
  Parents:
    Conditions:
      Last Transition Time:  2024-07-30T23:36:19Z
      Message:               All references are resolved
      Observed Generation:   3
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
      Last Transition Time:  2024-07-30T23:36:19Z
      Message:               Route is not allowed by any listener
      Observed Generation:   3
      Reason:                NotAllowedByListeners
      Status:                False
      Type:                  Accepted
    Controller Name:
```

  2. Case 2: Gateway has a listener of type GRPCRoute, GRPC Created with that listener

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: same-namespace
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Same
      kinds:
        - kind: "GRPCRoute"
---
apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
  name: exact-matching
spec:
  parentRefs:
  - name: same-namespace
    sectionName: http
  rules:
  - matches:
    - method:
        service: helloworld.Greeter
        method: SayHello
    backendRefs:
    - name: grpc-infra-backend-v1
      port: 8080
```

```text
grpcurl -plaintext -proto grpc.proto -authority bar.com -d '{"name": "exact"}' ${GW_IP}:${GW_PORT} helloworld.Greeter/SayHello
Handling connection for 8080
{
  "message": "Hello exact"
}
```

```text
kubectl describe grpcroute exact-matching
Name:         exact-matching
Namespace:    default
Labels:       <none>
Annotations:  <none>
.
.
.
      Last Transition Time:  2024-07-31T19:40:25Z
      Message:               The route is accepted
      Observed Generation:   2
      Reason:                Accepted
      Status:                True
      Type:                  Accepted
      Last Transition Time:  2024-07-31T19:40:25Z
      Message:               All references are resolved
      Observed Generation:   2
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
    Controller Name:         gateway.nginx.org/nginx-gateway-controller
```

  3. Gateway has a listener of type HTTPRoute, GRPCRoute not allowed to attach to that listener

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: same-namespace
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Same
      kinds:
        - kind: "HTTPRoute"
---
apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
  name: exact-matching
spec:
  parentRefs:
  - name: same-namespace
    sectionName: http
  rules:
  - matches:
    - method:
        service: helloworld.Greeter
        method: SayHello
    backendRefs:
    - name: grpc-infra-backend-v1
      port: 8080
```

```text
kubectl describe grpcroute exact-matching
Name:         exact-matching
.
.
.
      Last Transition Time:  2024-08-01T01:25:35Z
      Message:               All references are resolved
      Observed Generation:   2
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
      Last Transition Time:  2024-08-01T01:25:35Z
      Message:               Route is not allowed by any listener
      Observed Generation:   2
      Reason:                NotAllowedByListeners
      Status:                False
      Type:                  Accepted
    Controller Name:         gateway.nginx.org/nginx-gateway-controller
```

Please focus on (optional): If you have any specific areas where you would like reviewers to focus their attention or provide
specific feedback, add them here.

Closes #2299

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.
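
The kind check described under "Solution" in the description above, as an added example (not code from this PR or from NGINX Gateway Fabric). The types `Listener` and `RouteGroupKind` and the functions `kindAllowed` and `acceptedReason` are hypothetical, simplified stand-ins. It assumes `sectionName` names an existing listener and treats an empty `kinds` list as unrestricted.

```go
package main

import "fmt"

// Simplified stand-ins for the Gateway API types (assumption, not the real API package).
const gatewayGroup = "gateway.networking.k8s.io"

type RouteGroupKind struct {
	Group *string // nil defaults to gatewayGroup
	Kind  string
}

type Listener struct {
	Name         string
	AllowedKinds []RouteGroupKind // spec.listeners[].allowedRoutes.kinds
}

// kindAllowed reports whether the listener admits the route's group/kind.
// An empty list is treated as unrestricted; protocol-derived defaults are not modeled.
func kindAllowed(l Listener, group, kind string) bool {
	if len(l.AllowedKinds) == 0 {
		return true
	}
	for _, k := range l.AllowedKinds {
		g := gatewayGroup
		if k.Group != nil {
			g = *k.Group
		}
		if g == group && k.Kind == kind {
			return true
		}
	}
	return false
}

// acceptedReason returns the Accepted condition reason for a route whose
// parentRef targets sectionName ("" means every listener on the gateway).
func acceptedReason(ls []Listener, sectionName, group, kind string) string {
	for _, l := range ls {
		if (sectionName == "" || l.Name == sectionName) && kindAllowed(l, group, kind) {
			return "Accepted"
		}
	}
	return "NotAllowedByListeners"
}

func main() {
	grpcOnly := []Listener{{Name: "grpc", AllowedKinds: []RouteGroupKind{{Kind: "GRPCRoute"}}}}
	fmt.Println(acceptedReason(grpcOnly, "grpc", gatewayGroup, "HTTPRoute")) // case 1
}
```

The group comparison matters as much as the kind: a listener entry naming a different API group must not admit a Gateway API route that happens to share the kind name.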


@github-actions github-actions bot added the bug Something isn't working label Jul 30, 2024
@salonichf5 salonichf5 added this to the v1.4.0 milestone Jul 30, 2024

codecov bot commented Jul 30, 2024

Codecov Report

Attention: Patch coverage is 92.85714% with 2 lines in your changes missing coverage. Please review.

Project coverage is 87.74%. Comparing base (13ea272) to head (38538dc).

| Files | Patch % | Lines |
|---|---|---|
| internal/mode/static/state/graph/route_common.go | 88.23% | 2 Missing ⚠️ |
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2314   +/-   ##
=======================================
  Coverage   87.74%   87.74%           
=======================================
  Files          96       96           
  Lines        6813     6830   +17     
  Branches       50       50           
=======================================
+ Hits         5978     5993   +15     
- Misses        778      780    +2     
  Partials       57       57           


@salonichf5 salonichf5 marked this pull request as ready for review July 30, 2024 23:48
@salonichf5 salonichf5 requested a review from a team as a code owner July 30, 2024 23:48
@salonichf5 salonichf5 assigned salonichf5 and unassigned sjberman Jul 31, 2024
@kate-osborn
Contributor

@salonichf5

> Case 1: Gateway has a listener of type GRPCRoute, HTTPRoute Created with that listener

Did you also check the opposite case: Gateway has a listener that allows HTTPRoute and a GRPCRoute tries to attach to that listener?

Also, did you make sure that the positive case still works? In other words, that routes can attach to listeners if they are allowed by the listener?

@salonichf5
Contributor Author

> @salonichf5
>
> Case 1: Gateway has a listener of type GRPCRoute, HTTPRoute Created with that listener
>
> Did you also check the opposite case: Gateway has a listener that allows HTTPRoute and a GRPCRoute tries to attach to that listener?

Yes I did check.

> Also, did you make sure that the positive case still works. In other words, that routes can attach to listeners if they are allowed by the listener?

Yes, let me add more examples in the description

@kate-osborn
Contributor

kate-osborn commented Jul 31, 2024

GRPCRoute

@salonichf5 looks like case #3 isn't working. The GRPCRoute should not be able to attach to a listener that only allows HTTPRoutes.

@salonichf5 salonichf5 force-pushed the bug/enforce-route branch 3 times, most recently from f58aecc to 75e6ab5 Compare August 1, 2024 17:41
Contributor

@kate-osborn kate-osborn left a comment

Nice work, @salonichf5! Just a few small changes

internal/mode/static/state/graph/gateway_listener.go (outdated, resolved)
internal/mode/static/state/graph/route_common.go (outdated, resolved)
internal/mode/static/state/graph/route_common_test.go (outdated, resolved)
Contributor

@kate-osborn kate-osborn left a comment

Just one small nit, but otherwise LGTM

@salonichf5 salonichf5 enabled auto-merge (squash) August 5, 2024 16:25
@salonichf5 salonichf5 merged commit 156f9d8 into nginxinc:main Aug 5, 2024
37 checks passed
@sjberman sjberman mentioned this pull request Aug 7, 2024
6 tasks
Labels
bug Something isn't working
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

Listener AllowedRoutes.Kinds field isn't enforced
5 participants