From 059f0f78c0e9f9dbf1fa6041d0738a9063418d19 Mon Sep 17 00:00:00 2001
From: "Huabing (Robin) Zhao"
Date: Wed, 30 Apr 2025 04:58:57 +0000
Subject: [PATCH 1/3] set OverlappingTLSConfig condition for merged Gateways
Signed-off-by: Huabing (Robin) Zhao
---
internal/gatewayapi/listener.go | 134 +++++---
internal/gatewayapi/listener_test.go | 43 +--
...ostnames-and-certs-merged-gateways.in.yaml | 123 +++++++
...stnames-and-certs-merged-gateways.out.yaml | 245 ++++++++++++++
...rlapping-hostnames-merged-gateways.in.yaml | 125 ++++++++
...lapping-hostnames-merged-gateways.out.yaml | 301 ++++++++++++++++++
6 files changed, 902 insertions(+), 69 deletions(-)
create mode 100644 internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.in.yaml
create mode 100644 internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml
create mode 100644 internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.in.yaml
create mode 100644 internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml
diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go
index 9f2fb5de26..b6d5d813fe 100644
--- a/internal/gatewayapi/listener.go
+++ b/internal/gatewayapi/listener.go
@@ -176,30 +176,53 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource foundPorts[irKey] = append(foundPorts[irKey], servicePort) } } - - checkOverlappingTLSConfig(gateway) } + + t.checkOverlappingTLSConfig(gateways) } // checkOverlappingTLSConfig checks for overlapping hostnames and certificates between listeners and sets // the `OverlappingTLSConfig` condition if there are overlapping hostnames or certificates. -func checkOverlappingTLSConfig(gateway *GatewayContext) { - // Note: order of processing matters here. - // According to the Gateway API spec, If both hostname and certificate overlap, - // the controller SHOULD set the "OverlappingCertificates" Reason. - checkOverlappingHostnames(gateway) - checkOverlappingCertificates(gateway) -} - -func checkOverlappingHostnames(gateway *GatewayContext) { - httpsListeners := []*ListenerContext{} - for _, listener := range gateway.listeners { - if listener.Protocol == gwapiv1.HTTPSProtocolType { - httpsListeners = append(httpsListeners, listener) +func (t *Translator) checkOverlappingTLSConfig(gateways []*GatewayContext) { + // If merging gateways, check overlapping hostnames and certificates between listeners in all merged gateways. + if t.MergeGateways { + httpsListeners := []*ListenerContext{} + for _, gateway := range gateways { + for _, listener := range gateway.listeners { + if listener.Protocol == gwapiv1.HTTPSProtocolType { + httpsListeners = append(httpsListeners, listener) + } + } + } + // Note: order of processing matters here. + // According to the Gateway API spec, If both hostname and certificate overlap, + // the controller SHOULD set the "OverlappingCertificates" Reason. + checkOverlappingHostnames(httpsListeners) + checkOverlappingCertificates(httpsListeners) + } else { + // Check overlapping hostnames and certificates between listeners in each gateway. 
+ for _, gateway := range gateways { + httpsListeners := []*ListenerContext{} + for _, listener := range gateway.listeners { + if listener.Protocol == gwapiv1.HTTPSProtocolType { + httpsListeners = append(httpsListeners, listener) + } + } + // Note: order of processing matters here. + // According to the Gateway API spec, If both hostname and certificate overlap, + // the controller SHOULD set the "OverlappingCertificates" Reason. + checkOverlappingHostnames(httpsListeners) + checkOverlappingCertificates(httpsListeners) } } +} +// checkOverlappingHostnames checks for overlapping hostnames between HTTPS listeners and sets +// the `OverlappingTLSConfig` condition if there are overlapping hostnames. +func checkOverlappingHostnames(httpsListeners []*ListenerContext) { type overlappingListener struct { + gateway1 *GatewayContext + gateway2 *GatewayContext listener1 string listener2 string hostname1 string @@ -220,12 +243,16 @@ func checkOverlappingHostnames(gateway *GatewayContext) { if isOverlappingHostname(httpsListeners[i].Hostname, httpsListeners[j].Hostname) { // Overlapping listeners can be more than two, we only report the first two for simplicity. overlappingListeners[i] = &overlappingListener{ + gateway1: httpsListeners[i].gateway, + gateway2: httpsListeners[j].gateway, listener1: string(httpsListeners[i].Name), listener2: string(httpsListeners[j].Name), hostname1: string(ptr.Deref(httpsListeners[i].Hostname, "")), hostname2: string(ptr.Deref(httpsListeners[j].Hostname, "")), } overlappingListeners[j] = &overlappingListener{ + gateway1: httpsListeners[j].gateway, + gateway2: httpsListeners[i].gateway, listener1: string(httpsListeners[j].Name), listener2: string(httpsListeners[i].Name), hostname1: string(ptr.Deref(httpsListeners[j].Hostname, "")), 
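Review bot: `checkOverlappingTLSConfig` writes the HTTPS filter loop and the hostname-then-certificate ordering twice, once per `t.MergeGateways` branch, so a later change can land in one branch only and silently alter which listeners get `TLSOverlaps` (and with it the HTTP/1.1-only ALPN that blocks HTTP/2 connection coalescing). Pulling the filter and the ordered pair of checks into helpers, as sketched below, leaves one place that decides both. The doc comment should also say that with merged gateways a listener on one Gateway can put the condition on a listener of another Gateway, since that is the behaviour change made here. `ProcessListeners` starts outside the hunk and `checkOverlappingHostnames` continues past it.

```go
// httpsListenersOf returns the HTTPS listeners of the given gateways, in gateway order.
func httpsListenersOf(gateways ...*GatewayContext) []*ListenerContext {
	var httpsListeners []*ListenerContext
	for _, gateway := range gateways {
		for _, listener := range gateway.listeners {
			if listener.Protocol == gwapiv1.HTTPSProtocolType {
				httpsListeners = append(httpsListeners, listener)
			}
		}
	}
	return httpsListeners
}

// checkOverlappingTLS runs the hostname check before the certificate check, so that
// "OverlappingCertificates" is the Reason left on a listener when both overlap.
func checkOverlappingTLS(httpsListeners []*ListenerContext) {
	checkOverlappingHostnames(httpsListeners)
	checkOverlappingCertificates(httpsListeners)
}

func (t *Translator) checkOverlappingTLSConfig(gateways []*GatewayContext) {
	// With merged gateways, overlaps are checked across the listeners of all gateways.
	if t.MergeGateways {
		checkOverlappingTLS(httpsListenersOf(gateways...))
		return
	}
	for _, gateway := range gateways {
		checkOverlappingTLS(httpsListenersOf(gateway))
	}
}
```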
@@ -237,17 +264,33 @@ func checkOverlappingHostnames(gateway *GatewayContext) { for i, listener := range httpsListeners { if overlappingListeners[i] != nil { - status.SetGatewayListenerStatusCondition(gateway.Gateway, - listener.listenerStatusIdx, - gwapiv1.ListenerConditionOverlappingTLSConfig, - metav1.ConditionTrue, - gwapiv1.ListenerReasonOverlappingHostnames, - fmt.Sprintf( + var message string + gateway1 := overlappingListeners[i].gateway1 + gateway2 := overlappingListeners[i].gateway2 + if gateway1.Name == gateway2.Name && + gateway1.Namespace == gateway2.Namespace { + message = fmt.Sprintf( "The hostname %s overlaps with the hostname %s in listener %s. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing", overlappingListeners[i].hostname1, overlappingListeners[i].hostname2, overlappingListeners[i].listener2, - ), + ) + } else { + message = fmt.Sprintf( + "The hostname %s overlaps with the hostname %s in listener %s of gateway %s. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing", + overlappingListeners[i].hostname1, + overlappingListeners[i].hostname2, + overlappingListeners[i].listener2, + gateway2.GetName(), + ) + } + + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, + listener.listenerStatusIdx, + gwapiv1.ListenerConditionOverlappingTLSConfig, + metav1.ConditionTrue, + gwapiv1.ListenerReasonOverlappingHostnames, + message, ) if listener.httpIR != nil { listener.httpIR.TLSOverlaps = true 
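Review bot: The cross-gateway message identifies the other listener only by `gateway2.GetName()`, although the branch condition just above compares both `Name` and `Namespace`; two merged Gateways with the same name in different namespaces take the else branch and get a message that reads as if the overlap were inside the listener's own Gateway. Change the format to `of gateway %s/%s` and pass `gateway2.Namespace, gateway2.Name`, which also removes the mix of field access and `GetName()`. The same message-building block is repeated in the `checkOverlappingCertificates` hunk (`@@ -305,17 +349,33 @@`) and has the same gap. Both blocks dereference `overlappingListeners[i].gateway1` and `gateway2` unconditionally, so every `ListenerContext` reaching these functions must have `gateway` set; presumably the translator guarantees that, but the tests had to add it by hand. The enclosing function starts outside this hunk.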
@@ -256,15 +299,12 @@ func checkOverlappingHostnames(gateway *GatewayContext) { } } -func checkOverlappingCertificates(gateway *GatewayContext) { - httpsListeners := []*ListenerContext{} - for _, listener := range gateway.listeners { - if listener.Protocol == gwapiv1.HTTPSProtocolType { - httpsListeners = append(httpsListeners, listener) - } - } - +// checkOverlappingCertificates checks for overlapping certificates SANs between HTTPSlisteners and sets +// the `OverlappingTLSConfig` condition if there are overlapping certificates. +func checkOverlappingCertificates(httpsListeners []*ListenerContext) { type overlappingListener struct { + gateway1 *GatewayContext + gateway2 *GatewayContext listener1 string listener2 string san1 string @@ -288,12 +328,16 @@ func checkOverlappingCertificates(gateway *GatewayContext) { if overlappingCertificate != nil { // Overlapping listeners can be more than two, we only report the first two for simplicity. overlappingListeners[i] = &overlappingListener{ + gateway1: httpsListeners[i].gateway, + gateway2: httpsListeners[j].gateway, listener1: string(httpsListeners[i].Name), listener2: string(httpsListeners[j].Name), san1: overlappingCertificate.san1, san2: overlappingCertificate.san2, } overlappingListeners[j] = &overlappingListener{ + gateway1: httpsListeners[j].gateway, + gateway2: httpsListeners[i].gateway, listener1: string(httpsListeners[j].Name), listener2: string(httpsListeners[i].Name), san1: overlappingCertificate.san2, 
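Review bot: `checkOverlappingCertificates` no longer filters by protocol, so it now sets the condition on whatever slice it is handed, and the new doc comment does not state that precondition; `checkOverlappingHostnames` has the same unstated requirement. The comment also contains the typos "certificates SANs" and "HTTPSlisteners". Suggested first line: `// checkOverlappingCertificates checks for overlapping certificate SANs between the given listeners, which the caller must already have filtered to HTTPS, and sets`. The function body continues outside the hunk.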
@@ -305,17 +349,33 @@ func checkOverlappingCertificates(gateway *GatewayContext) { for i, listener := range httpsListeners { if overlappingListeners[i] != nil { - status.SetGatewayListenerStatusCondition(gateway.Gateway, - listener.listenerStatusIdx, - gwapiv1.ListenerConditionOverlappingTLSConfig, - metav1.ConditionTrue, - gwapiv1.ListenerReasonOverlappingCertificates, - fmt.Sprintf( + var message string + gateway1 := overlappingListeners[i].gateway1 + gateway2 := overlappingListeners[i].gateway2 + if gateway1.Name == gateway2.Name && + gateway1.Namespace == gateway2.Namespace { + message = fmt.Sprintf( "The certificate san %s overlaps with the certificate san %s in listener %s. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing", overlappingListeners[i].san1, overlappingListeners[i].san2, overlappingListeners[i].listener2, - ), + ) + } else { + message = fmt.Sprintf( + "The certificate san %s overlaps with the certificate san %s in listener %s of gateway %s. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing", + overlappingListeners[i].san1, + overlappingListeners[i].san2, + overlappingListeners[i].listener2, + gateway2.GetName(), + ) + } + + status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, + listener.listenerStatusIdx, + gwapiv1.ListenerConditionOverlappingTLSConfig, + metav1.ConditionTrue, + gwapiv1.ListenerReasonOverlappingCertificates, + message, ) if listener.httpIR != nil { listener.httpIR.TLSOverlaps = true diff --git a/internal/gatewayapi/listener_test.go b/internal/gatewayapi/listener_test.go index cfdae67f37..f7a15cf7ec 100644 --- a/internal/gatewayapi/listener_test.go +++ b/internal/gatewayapi/listener_test.go 
@@ -306,30 +306,6 @@ func TestCheckOverlappingHostnames(t *testing.T) { 2: "*.example.com", }, }, - { - name: "non-HTTPS listeners", - gateway: &GatewayContext{ - listeners: []*ListenerContext{ - { - Listener: &gwapiv1.Listener{ - Name: "listener-1", - Protocol: gwapiv1.HTTPProtocolType, - Port: 80, - Hostname: ptr.To(gwapiv1.Hostname("example.com")), - }, - }, - { - Listener: &gwapiv1.Listener{ - Name: "listener-2", - Protocol: gwapiv1.HTTPProtocolType, - Port: 80, - Hostname: ptr.To(gwapiv1.Hostname("example.com")), - }, - }, - }, - }, - expected: map[int]string{}, - }, { name: "nil hostnames", gateway: &GatewayContext{ @@ -369,13 +345,14 @@ func TestCheckOverlappingHostnames(t *testing.T) { } for i := range tt.gateway.listeners { tt.gateway.listeners[i].listenerStatusIdx = i - tt.gateway.Status.Listeners[i] = gwapiv1.ListenerStatus{ - Name: tt.gateway.listeners[i].Name, + tt.gateway.listeners[i].gateway = tt.gateway + tt.gateway.Gateway.Status.Listeners[i] = gwapiv1.ListenerStatus{ + Name: tt.gateway.listeners[i].Listener.Name, Conditions: []metav1.Condition{}, } } - checkOverlappingHostnames(tt.gateway) + checkOverlappingHostnames(tt.gateway.listeners) // Verify the status conditions for idx, expectedHostname := range tt.expected { 
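Review bot: With `checkOverlappingHostnames(tt.gateway.listeners)` taking the slice directly and the "non-HTTPS listeners" case removed, nothing in this test file checks any longer that HTTP listeners with identical hostnames stay unflagged; that filter now lives in `t.checkOverlappingTLSConfig`, and the golden fixtures visible in this patch contain HTTPS listeners only. A small table test on `checkOverlappingTLSConfig` with two HTTP listeners, run with `MergeGateways` both true and false, would restore it. Every case here also sets `listeners[i].gateway = tt.gateway`, so the `of gateway %s` branch is never reached from unit tests; a case with two `GatewayContext` values would cover it. The test function starts and ends outside the hunk.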
@@ -603,16 +580,18 @@ func TestCheckOverlappingCertificates(t *testing.T) { listeners: tt.listeners, } - // Initialize listener status indices - for i := range gateway.Status.Listeners { - gateway.Status.Listeners[i] = gwapiv1.ListenerStatus{ - Name: tt.listeners[i].Name, + // Initialize listener + for i := range gateway.Gateway.Status.Listeners { + gateway.Gateway.Status.Listeners[i] = gwapiv1.ListenerStatus{ + Name: tt.listeners[i].Listener.Name, Conditions: []metav1.Condition{}, } + gateway.listeners[i].listenerStatusIdx = i + gateway.listeners[i].gateway = gateway } // Process overlapping certificates - checkOverlappingCertificates(gateway) + checkOverlappingCertificates(tt.listeners) // Verify the status conditions for _, expected := range tt.expectedStatus { diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.in.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.in.yaml new file mode 100644 index 0000000000..7968edcac7 --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.in.yaml 
@@ -0,0 +1,123 @@ +envoyProxyForGatewayClass: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + name: test + namespace: envoy-gateway-system + spec: + mergeGateways: true +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: https-1 + protocol: HTTPS + port: 443 + hostname: "*.example.com" # According to the Gateway API spec, If both hostname and certificate overlap, the controller SHOULD set the "OverlappingCertificates" Reason. + allowedRoutes: + namespaces: + from: All + tls: + mode: Terminate + certificateRefs: + - name: tls-secret-example-com + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-2 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: https-2 + protocol: HTTPS + port: 443 + hostname: "bar.example.com" + allowedRoutes: + namespaces: + from: All + tls: + mode: Terminate + certificateRefs: + - name: tls-secret-bar-example-com +secrets: + - apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway + name: tls-secret-example-com + type: kubernetes.io/tls + data: # foo.example.com *.example.com + tls.crt: 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 + tls.key: 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 + - apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway + name: tls-secret-bar-example-com + type: kubernetes.io/tls + data: # bar.example.com + tls.crt: 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 + tls.key: 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 + - apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway + name: tls-secret-foo-bar-com + type: kubernetes.io/tls + data: # foo.bar.com + tls.crt: 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 + tls.key: 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 
+httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: envoy-gateway + name: httproute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 +services: + - apiVersion: v1 + kind: Service + metadata: + name: service-1 + namespace: envoy-gateway + spec: + clusterIP: 10.11.12.13 + ports: + - port: 8080 + name: http + protocol: TCP + targetPort: 8080 +endpointSlices: + - apiVersion: discovery.k8s.io/v1 + kind: EndpointSlice + metadata: + name: endpointslice-service-1 + namespace: envoy-gateway + labels: + kubernetes.io/service-name: service-1 + addressType: IPv4 + ports: + - name: http + protocol: TCP + port: 8080 + endpoints: + - addresses: + - "7.7.7.7" + conditions: + ready: true diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml new file mode 100644 index 0000000000..c0e271476c --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml 
@@ -0,0 +1,245 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.example.com' + name: https-1 + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: null + kind: null + name: tls-secret-example-com + mode: Terminate + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + - lastTransitionTime: null + message: The certificate san *.example.com overlaps with the certificate san + bar.example.com in listener https-2 of gateway gateway-2. 
ALPN is set to + HTTP/1.1 to prevent HTTP/2 connection coalescing + reason: OverlappingCertificates + status: "True" + type: OverlappingTLSConfig + name: https-1 + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-2 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: bar.example.com + name: https-2 + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: null + kind: null + name: tls-secret-bar-example-com + mode: Terminate + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + - lastTransitionTime: null + message: The certificate san bar.example.com overlaps with the certificate + san *.example.com in listener https-1 of gateway gateway-1. 
ALPN is set + to HTTP/1.1 to prevent HTTP/2 connection coalescing + reason: OverlappingCertificates + status: "True" + type: OverlappingTLSConfig + name: https-2 + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway +infraIR: + envoy-gateway-class: + proxy: + config: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + creationTimestamp: null + name: test + namespace: envoy-gateway-system + spec: + logging: {} + mergeGateways: true + status: {} + listeners: + - address: null + name: envoy-gateway/gateway-1/https-1 + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + servicePort: 443 + metadata: + labels: + gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class + name: envoy-gateway-class +xdsIR: + envoy-gateway-class: + accessLog: + json: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: https-1 + name: envoy-gateway/gateway-1/https-1 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 + routes: + - destination: + name: 
httproute/envoy-gateway/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + name: httproute/envoy-gateway/httproute-1/rule/0/backend/0 + protocol: HTTP + weight: 1 + hostname: '*.example.com' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-1/rule/0/match/0/*_example_com + pathMatch: + distinct: false + name: "" + prefix: / + tls: + alpnProtocols: null + certificates: + - name: envoy-gateway/tls-secret-example-com + privateKey: '[redacted]' + serverCertificate: 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 + tlsOverlaps: true + - address: 0.0.0.0 + hostnames: + - bar.example.com + isHTTP2: false + metadata: + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: https-2 + name: envoy-gateway/gateway-2/https-2 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 + tls: + alpnProtocols: null + certificates: + - name: envoy-gateway/tls-secret-bar-example-com + privateKey: '[redacted]' + serverCertificate: 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 + tlsOverlaps: true + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.in.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.in.yaml new file mode 100644 index 0000000000..cce23cb9db --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.in.yaml 
@@ -0,0 +1,125 @@ +envoyProxyForGatewayClass: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + name: test + namespace: envoy-gateway-system + spec: + mergeGateways: true +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: https-1 + protocol: HTTPS + port: 443 + hostname: foo.example.com + allowedRoutes: + namespaces: + from: All + tls: + mode: Terminate + certificateRefs: + - name: tls-secret-example-com + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-2 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: https-2 + protocol: HTTPS + port: 443 + hostname: "*.example.com" + allowedRoutes: + namespaces: + from: All + tls: + mode: Terminate + certificateRefs: + - name: tls-secret-example-com + - name: https-3 + protocol: HTTPS + port: 443 + hostname: "foo.bar.com" + allowedRoutes: + namespaces: + from: All + tls: + mode: Terminate + certificateRefs: + - name: tls-secret-foo-bar-com +secrets: + - apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway + name: tls-secret-example-com + type: kubernetes.io/tls + data: # *.example.com + tls.crt: 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 + tls.key: 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 + - apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway + name: tls-secret-foo-bar-com + type: kubernetes.io/tls + data: # foo.bar.com + tls.crt: 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 + tls.key: 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 +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: envoy-gateway + name: httproute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + rules: + - matches: + - path: + value: "/" + backendRefs: + - 
name: service-1 + port: 8080 +services: + - apiVersion: v1 + kind: Service + metadata: + name: service-1 + namespace: envoy-gateway + spec: + clusterIP: 10.11.12.13 + ports: + - port: 8080 + name: http + protocol: TCP + targetPort: 8080 +endpointSlices: + - apiVersion: discovery.k8s.io/v1 + kind: EndpointSlice + metadata: + name: endpointslice-service-1 + namespace: envoy-gateway + labels: + kubernetes.io/service-name: service-1 + addressType: IPv4 + ports: + - name: http + protocol: TCP + port: 8080 + endpoints: + - addresses: + - "7.7.7.7" + conditions: + ready: true diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml new file mode 100644 index 0000000000..e16d4dba08 --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml 
@@ -0,0 +1,301 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: foo.example.com + name: https-1 + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: null + kind: null + name: tls-secret-example-com + mode: Terminate + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + - lastTransitionTime: null + message: The hostname foo.example.com overlaps with the hostname *.example.com + in listener https-2 of gateway gateway-2. 
ALPN is set to HTTP/1.1 to prevent + HTTP/2 connection coalescing + reason: OverlappingHostnames + status: "True" + type: OverlappingTLSConfig + name: https-1 + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-2 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.example.com' + name: https-2 + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: null + kind: null + name: tls-secret-example-com + mode: Terminate + - allowedRoutes: + namespaces: + from: All + hostname: foo.bar.com + name: https-3 + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: null + kind: null + name: tls-secret-foo-bar-com + mode: Terminate + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + - lastTransitionTime: null + message: The hostname *.example.com overlaps with the hostname foo.example.com + in listener https-1 of gateway gateway-1. 
ALPN is set to HTTP/1.1 to prevent + HTTP/2 connection coalescing + reason: OverlappingHostnames + status: "True" + type: OverlappingTLSConfig + name: https-2 + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: https-3 + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway +infraIR: + envoy-gateway-class: + proxy: + config: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + creationTimestamp: null + name: test + namespace: envoy-gateway-system + spec: + logging: {} + mergeGateways: true + status: {} + listeners: + - address: null + name: envoy-gateway/gateway-1/https-1 + ports: + - containerPort: 
10443 + name: https-443 + protocol: HTTPS + servicePort: 443 + metadata: + labels: + gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class + name: envoy-gateway-class +xdsIR: + envoy-gateway-class: + accessLog: + json: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - foo.example.com + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: https-1 + name: envoy-gateway/gateway-1/https-1 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 + routes: + - destination: + name: httproute/envoy-gateway/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + name: httproute/envoy-gateway/httproute-1/rule/0/backend/0 + protocol: HTTP + weight: 1 + hostname: foo.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-1/rule/0/match/0/foo_example_com + pathMatch: + distinct: false + name: "" + prefix: / + tls: + alpnProtocols: null + certificates: + - name: envoy-gateway/tls-secret-example-com + privateKey: '[redacted]' + serverCertificate: 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 + tlsOverlaps: true + - address: 0.0.0.0 + hostnames: + - '*.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: https-2 + name: envoy-gateway/gateway-2/https-2 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 + tls: + alpnProtocols: null + certificates: + - name: envoy-gateway/tls-secret-example-com + privateKey: '[redacted]' + serverCertificate: 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 + tlsOverlaps: true + - address: 0.0.0.0 + hostnames: + - foo.bar.com + isHTTP2: false + metadata: + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: https-3 + name: envoy-gateway/gateway-2/https-3 + path: + 
escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 + tls: + alpnProtocols: null + certificates: + - name: envoy-gateway/tls-secret-foo-bar-com + privateKey: '[redacted]' + serverCertificate: 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 + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 From 0c13e8930abd653afa09ef5c77a9ed121cf4d0ea Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Fri, 9 May 2025 02:37:07 +0000 Subject: [PATCH 2/3] fix lint Signed-off-by: Huabing (Robin) Zhao --- internal/gatewayapi/listener_test.go | 10 +++++----- ...apping-hostnames-and-certs-merged-gateways.out.yaml | 1 + ...with-overlapping-hostnames-merged-gateways.out.yaml | 1 + 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/internal/gatewayapi/listener_test.go b/internal/gatewayapi/listener_test.go index f7a15cf7ec..601d22f7a6 100644 --- a/internal/gatewayapi/listener_test.go +++ b/internal/gatewayapi/listener_test.go @@ -346,8 +346,8 @@ func TestCheckOverlappingHostnames(t *testing.T) { for i := range tt.gateway.listeners { tt.gateway.listeners[i].listenerStatusIdx = i tt.gateway.listeners[i].gateway = tt.gateway - tt.gateway.Gateway.Status.Listeners[i] = gwapiv1.ListenerStatus{ - Name: tt.gateway.listeners[i].Listener.Name, + tt.gateway.Status.Listeners[i] = gwapiv1.ListenerStatus{ + Name: tt.gateway.listeners[i].Name, Conditions: []metav1.Condition{}, } } @@ -581,9 +581,9 @@ func TestCheckOverlappingCertificates(t *testing.T) { } // Initialize listener - for i := range gateway.Gateway.Status.Listeners { - gateway.Gateway.Status.Listeners[i] = gwapiv1.ListenerStatus{ - Name: tt.listeners[i].Listener.Name, + for i := range gateway.Status.Listeners { + gateway.Status.Listeners[i] = gwapiv1.ListenerStatus{ + Name: tt.listeners[i].Name, Conditions: []metav1.Condition{}, } gateway.listeners[i].listenerStatusIdx = i 
diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml index c0e271476c..4cd0f5bb35 100644 --- a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml @@ -168,6 +168,7 @@ infraIR: labels: gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class name: envoy-gateway-class + namespace: envoy-gateway-system xdsIR: envoy-gateway-class: accessLog: diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml index e16d4dba08..a876a2bc49 100644 --- a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml @@ -204,6 +204,7 @@ infraIR: labels: gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class name: envoy-gateway-class + namespace: envoy-gateway-system xdsIR: envoy-gateway-class: accessLog: From 937a5bfce0ea5beca5195f7e4e8b795351dc89c3 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Fri, 9 May 2025 02:45:06 +0000 Subject: [PATCH 3/3] minor change 
Signed-off-by: Huabing (Robin) Zhao --- ...hostnames-and-certs-merged-gateways.in.yaml | 2 +- ...ostnames-and-certs-merged-gateways.out.yaml | 10 +++++----- ...erlapping-hostnames-merged-gateways.in.yaml | 4 ++-- ...rlapping-hostnames-merged-gateways.out.yaml | 18 +++++++++--------- 4 files changed, 17 insertions(+), 17 deletions(-) diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.in.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.in.yaml index 7968edcac7..7c204bac59 100644 --- a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.in.yaml +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.in.yaml @@ -34,7 +34,7 @@ gateways: spec: gatewayClassName: envoy-gateway-class listeners: - - name: https-2 + - name: https-1 protocol: HTTPS port: 443 hostname: "bar.example.com" diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml index 4cd0f5bb35..f768e82020 100644 --- a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml 
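Review bot: The rename of gateway-2's listener to `https-1` in this `.in.yaml` hunk is explained neither in the fixture nor in the commit message ("minor change"), so its purpose is easy to lose. It presumably makes the name collide with gateway-1's listener, so that the merged-gateways case shows the `OverlappingTLSConfig` condition identifying a listener by gateway plus section name rather than by section name alone. Gateway-1's listener is outside this hunk, so confirm. If that is the intent, add a comment above the listener such as `# Same listener name as gateway-1 on purpose: overlap detection must key on gateway + listener.` The same applies to the two hunks in the overlapping-hostnames `.in.yaml` fixture, where `https-2`/`https-3` become `https-1`/`https-2`.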
@@ -42,7 +42,7 @@ gateways: type: ResolvedRefs - lastTransitionTime: null message: The certificate san *.example.com overlaps with the certificate san - bar.example.com in listener https-2 of gateway gateway-2. ALPN is set to + bar.example.com in listener https-1 of gateway gateway-2. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing reason: OverlappingCertificates status: "True" @@ -66,7 +66,7 @@ gateways: namespaces: from: All hostname: bar.example.com - name: https-2 + name: https-1 port: 443 protocol: HTTPS tls: @@ -101,7 +101,7 @@ gateways: reason: OverlappingCertificates status: "True" type: OverlappingTLSConfig - name: https-2 + name: https-1 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -226,8 +226,8 @@ xdsIR: kind: Gateway name: gateway-2 namespace: envoy-gateway - sectionName: https-2 - name: envoy-gateway/gateway-2/https-2 + sectionName: https-1 + name: envoy-gateway/gateway-2/https-1 path: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.in.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.in.yaml index cce23cb9db..d6ebccb289 100644 --- a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.in.yaml +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.in.yaml @@ -34,7 +34,7 @@ gateways: spec: gatewayClassName: envoy-gateway-class listeners: - - name: https-2 + - name: https-1 protocol: HTTPS port: 443 hostname: "*.example.com" @@ -45,7 +45,7 @@ gateways: mode: Terminate certificateRefs: - name: tls-secret-example-com - - name: https-3 + - name: https-2 protocol: HTTPS port: 443 hostname: "foo.bar.com" 
diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml index a876a2bc49..0bb6b6492d 100644 --- a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml @@ -42,7 +42,7 @@ gateways: type: ResolvedRefs - lastTransitionTime: null message: The hostname foo.example.com overlaps with the hostname *.example.com - in listener https-2 of gateway gateway-2. ALPN is set to HTTP/1.1 to prevent + in listener https-1 of gateway gateway-2. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing reason: OverlappingHostnames status: "True" @@ -66,7 +66,7 @@ gateways: namespaces: from: All hostname: '*.example.com' - name: https-2 + name: https-1 port: 443 protocol: HTTPS tls: @@ -79,7 +79,7 @@ gateways: namespaces: from: All hostname: foo.bar.com - name: https-3 + name: https-2 port: 443 protocol: HTTPS tls: @@ -114,7 +114,7 @@ gateways: reason: OverlappingHostnames status: "True" type: OverlappingTLSConfig - name: https-2 + name: https-1 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -137,7 +137,7 @@ gateways: reason: ResolvedRefs status: "True" type: ResolvedRefs - name: https-3 + name: https-2 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute @@ -262,8 +262,8 @@ xdsIR: kind: Gateway name: gateway-2 namespace: envoy-gateway - sectionName: https-2 - name: envoy-gateway/gateway-2/https-2 + sectionName: https-1 + name: envoy-gateway/gateway-2/https-1 path: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true 
@@ -283,8 +283,8 @@ xdsIR: kind: Gateway name: gateway-2 namespace: envoy-gateway - sectionName: https-3 - name: envoy-gateway/gateway-2/https-3 + sectionName: https-2 + name: envoy-gateway/gateway-2/https-2 path: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true