Merged
Changes from 2 commits
2 changes: 1 addition & 1 deletion internal/gatewayapi/clienttrafficpolicy.go
Expand Up @@ -316,7 +316,7 @@ func resolveCTPolicyTargetRef(
message := fmt.Sprintf("No section name %s found for %s", *sectionName, key.String())

return gateway.GatewayContext, &status.PolicyResolveError{
Reason: gwapiv1a2.PolicyReasonInvalid,
Reason: gwapiv1a2.PolicyReasonTargetNotFound,
Message: message,
}
}
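Review bot: The reason reported by resolveCTPolicyTargetRef for a ClientTrafficPolicy whose sectionName matches no listener changes from `Invalid` to `TargetNotFound`, and that value is user-visible status, as the updated expected output (`reason: TargetNotFound`) shows. Anything that keys on the old reason for this case, such as alerting or policy-audit tooling, would stop matching, so I would call the change out in the release notes. The function starts and ends outside the hunk.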
20 changes: 20 additions & 0 deletions internal/gatewayapi/securitypolicy.go
Expand Up @@ -398,6 +398,26 @@ func resolveSecurityPolicyGatewayTargetRef(
return nil, nil
}

// If sectionName is set, make sure its valid
if target.SectionName != nil {
Comment thread
shawnh2 marked this conversation as resolved.
found := false
for _, l := range gateway.listeners {
if l.Name == *target.SectionName {
found = true
break
}
}
if !found {
message := fmt.Sprintf("No section name %s found for Gateway %s",
string(*target.SectionName), key.String())

return gateway.GatewayContext, &status.PolicyResolveError{
Reason: gwapiv1a2.PolicyReasonTargetNotFound,
Message: message,
}
}
}

if target.SectionName == nil {
// Check if another policy targeting the same Gateway exists
if gateway.attached {
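Review bot: When the `found` check in resolveSecurityPolicyGatewayTargetRef fails, the policy is rejected with `PolicyReasonTargetNotFound`, but nothing at the check says what happens to traffic; the expected output added in this PR still programs listener-1 and its route in xdsIR with no CORS settings, so a SecurityPolicy with a mistyped sectionName appears to leave the listener serving without the intended control. I would state that at the check, e.g. `// A policy whose sectionName matches no listener is rejected and not applied; the Gateway keeps serving without it, so Accepted=False/TargetNotFound is the only signal.`, and fix the typo in the existing comment (`its valid` → `it's valid`). The listener lookup repeats what resolveCTPolicyTargetRef presumably does for ClientTrafficPolicy, and the two messages already differ (`found for %s` vs `found for Gateway %s`); a shared helper would keep them in step. The function starts and ends outside the hunk.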
Expand Up @@ -104,7 +104,7 @@ clientTrafficPolicies:
conditions:
- lastTransitionTime: null
message: No section name foo-bar found for envoy-gateway/gateway-3
reason: Invalid
reason: TargetNotFound
status: "False"
type: Accepted
controllerName: gateway.envoyproxy.io/gatewayclass-controller
@@ -0,0 +1,51 @@
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: envoy-gateway
name: gateway-1
spec:
gatewayClassName: envoy-gateway-class
listeners:
- name: listener-1
protocol: HTTP
port: 80
hostname: listener-1.gateway-1.envoyproxy.io
allowedRoutes:
namespaces:
from: All
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: default
name: httproute-1
spec:
hostnames:
- listener-1.gateway-1.envoyproxy.io
parentRefs:
- namespace: envoy-gateway
name: gateway-1
sectionName: listener-1
rules:
- matches:
- path:
value: "/foo"
backendRefs:
- name: service-1
port: 8080
securityPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: envoy-gateway
name: policy-for-gateway-1
spec:
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: gateway-1
sectionName: not-found-section-name
cors:
allowHeaders:
- "x-gateway-1"
@@ -0,0 +1,187 @@
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
creationTimestamp: null
name: gateway-1
namespace: envoy-gateway
spec:
gatewayClassName: envoy-gateway-class
listeners:
- allowedRoutes:
namespaces:
from: All
hostname: listener-1.gateway-1.envoyproxy.io
name: listener-1
port: 80
protocol: HTTP
status:
listeners:
- attachedRoutes: 1
conditions:
- lastTransitionTime: null
message: Sending translated listener configuration to the data plane
reason: Programmed
status: "True"
type: Programmed
- lastTransitionTime: null
message: Listener has been successfully translated
reason: Accepted
status: "True"
type: Accepted
- lastTransitionTime: null
message: Listener references have been resolved
reason: ResolvedRefs
status: "True"
type: ResolvedRefs
name: listener-1
supportedKinds:
- group: gateway.networking.k8s.io
kind: HTTPRoute
- group: gateway.networking.k8s.io
kind: GRPCRoute
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
creationTimestamp: null
name: httproute-1
namespace: default
spec:
hostnames:
- listener-1.gateway-1.envoyproxy.io
parentRefs:
- name: gateway-1
namespace: envoy-gateway
sectionName: listener-1
rules:
- backendRefs:
- name: service-1
port: 8080
matches:
- path:
value: /foo
status:
parents:
- conditions:
- lastTransitionTime: null
message: Route is accepted
reason: Accepted
status: "True"
type: Accepted
- lastTransitionTime: null
message: Resolved all the Object references for the Route
reason: ResolvedRefs
status: "True"
type: ResolvedRefs
controllerName: gateway.envoyproxy.io/gatewayclass-controller
parentRef:
name: gateway-1
namespace: envoy-gateway
sectionName: listener-1
infraIR:
envoy-gateway/gateway-1:
proxy:
listeners:
- address: null
name: envoy-gateway/gateway-1/listener-1
ports:
- containerPort: 10080
name: http-80
protocol: HTTP
servicePort: 80
metadata:
labels:
gateway.envoyproxy.io/owning-gateway-name: gateway-1
gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
ownerReference:
kind: GatewayClass
name: envoy-gateway-class
name: envoy-gateway/gateway-1
namespace: envoy-gateway-system
securityPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
creationTimestamp: null
name: policy-for-gateway-1
namespace: envoy-gateway
spec:
cors:
allowHeaders:
- x-gateway-1
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: gateway-1
sectionName: not-found-section-name
status:
ancestors:
- ancestorRef:
group: gateway.networking.k8s.io
kind: Gateway
name: gateway-1
namespace: envoy-gateway
sectionName: not-found-section-name
conditions:
- lastTransitionTime: null
message: No section name not-found-section-name found for Gateway envoy-gateway/gateway-1
reason: TargetNotFound
status: "False"
type: Accepted
controllerName: gateway.envoyproxy.io/gatewayclass-controller
xdsIR:
envoy-gateway/gateway-1:
accessLog:
json:
- path: /dev/stdout
http:
- address: 0.0.0.0
hostnames:
- listener-1.gateway-1.envoyproxy.io
isHTTP2: false
metadata:
kind: Gateway
name: gateway-1
namespace: envoy-gateway
sectionName: listener-1
name: envoy-gateway/gateway-1/listener-1
path:
escapedSlashesAction: UnescapeAndRedirect
mergeSlashes: true
port: 10080
routes:
- destination:
metadata:
kind: HTTPRoute
name: httproute-1
namespace: default
name: httproute/default/httproute-1/rule/0
settings:
- addressType: IP
endpoints:
- host: 7.7.7.7
port: 8080
metadata:
name: service-1
namespace: default
sectionName: "8080"
name: httproute/default/httproute-1/rule/0/backend/0
protocol: HTTP
weight: 1
hostname: listener-1.gateway-1.envoyproxy.io
isHTTP2: false
metadata:
kind: HTTPRoute
name: httproute-1
namespace: default
name: httproute/default/httproute-1/rule/0/match/0/listener-1_gateway-1_envoyproxy_io
pathMatch:
distinct: false
name: ""
prefix: /foo
readyListener:
address: 0.0.0.0
ipFamily: IPv4
path: /ready
port: 19003