diff --git a/VERSION b/VERSION index cd180246b3..2e7bd91085 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v1.5.0-rc.2 +v1.5.0 diff --git a/api/v1alpha1/envoygateway_helpers.go b/api/v1alpha1/envoygateway_helpers.go index 05a58fcbdc..f33875ce0c 100644 --- a/api/v1alpha1/envoygateway_helpers.go +++ b/api/v1alpha1/envoygateway_helpers.go @@ -109,6 +109,16 @@ func (e *EnvoyGateway) GatewayNamespaceMode() bool { *e.Provider.Kubernetes.Deploy.Type == KubernetesDeployModeTypeGatewayNamespace } +// TopologyInjectorDisabled checks whether the provided EnvoyGateway disables TopologyInjector +func (e *EnvoyGateway) TopologyInjectorDisabled() bool { + if e.Provider != nil && + e.Provider.Kubernetes != nil && + e.Provider.Kubernetes.TopologyInjector != nil { + return ptr.Deref(e.Provider.Kubernetes.TopologyInjector.Disable, false) + } + return false +} + // defaultRuntimeFlags are the default runtime flags for Envoy Gateway. var defaultRuntimeFlags = map[RuntimeFlag]bool{ XDSNameSchemeV2: false, diff --git a/api/v1alpha1/ratelimit_types.go b/api/v1alpha1/ratelimit_types.go index d3cd36bca2..acf55c9ca7 100644 --- a/api/v1alpha1/ratelimit_types.go +++ b/api/v1alpha1/ratelimit_types.go @@ -285,9 +285,9 @@ type RateLimitValue struct { } // RateLimitUnit specifies the intervals for setting rate limits. -// Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day". +// Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year". // -// +kubebuilder:validation:Enum=Second;Minute;Hour;Day +// +kubebuilder:validation:Enum=Second;Minute;Hour;Day;Month;Year type RateLimitUnit string // RateLimitUnit constants. 
@@ -303,4 +303,10 @@ const ( // RateLimitUnitDay specifies the rate limit interval to be 1 day. RateLimitUnitDay RateLimitUnit = "Day" + + // RateLimitUnitMonth specifies the rate limit interval to be 1 month. + RateLimitUnitMonth RateLimitUnit = "Month" + + // RateLimitUnitYear specifies the rate limit interval to be 1 year. + RateLimitUnitYear RateLimitUnit = "Year" ) diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index 213212f4db..52ba07a082 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -231,7 +231,7 @@ type KubernetesContainerSpec struct { // Image specifies the EnvoyProxy container image to be used including a tag, instead of the default image. // This field is mutually exclusive with ImageRepository. // - // +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._/-]+:[a-zA-Z0-9._-]+$')",message="Image must include a tag and allowed characters only (e.g., 'repo:tag')." + // +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._/-]+(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$')",message="Image must include a tag and allowed characters only (e.g., 'repo:tag')." // +optional Image *string `json:"image,omitempty"` diff --git a/charts/gateway-crds-helm/Chart.yaml b/charts/gateway-crds-helm/Chart.yaml index 4c2095aa7a..72b321dba8 100644 --- a/charts/gateway-crds-helm/Chart.yaml +++ b/charts/gateway-crds-helm/Chart.yaml 
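Review bot: The comments on `RateLimitUnitMonth` and `RateLimitUnitYear` say "1 month" and "1 year" without stating whether the window is a calendar period or a fixed number of seconds, which matters to anyone sizing a quota against these units. The window length is presumably decided by the rate limit service rather than by this type, so once confirmed I would spell it out, e.g. `// RateLimitUnitMonth specifies the rate limit interval to be 1 month, as defined by the rate limit service (TODO: state fixed length or calendar month).` It would also help to note that a limit over such a long window is only as durable as the counter store behind the rate limit service. The const block opens outside this hunk.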
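Review bot: The new rule on `Image` makes both the tag and the digest optional, so a bare `repo` with neither now passes validation while the message and the field comment still say a tag is required; an untagged reference resolves to a mutable default at pull time. The digest part `[a-z0-9]+` also accepts any length and non-hex letters, whereas a sha256 digest is 64 lowercase hex characters. I would require at least one of tag or digest and tighten the digest, `self.matches('^[a-zA-Z0-9._/-]+(:[a-zA-Z0-9._-]+(@sha256:[a-f0-9]{64})?|@sha256:[a-f0-9]{64})$')`, and change the message to `Image must include a tag or a sha256 digest (e.g., 'repo:tag' or 'repo@sha256:DIGEST').` The generated CRDs under charts/ carry the same rule and would need regenerating. The KubernetesContainerSpec struct starts and ends outside this hunk.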
@@ -1,24 +1,25 @@ apiVersion: v2 name: gateway-crds-helm -description: A Helm chart for Kubernetes - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. +description: A Helm chart for Envoy Gateway CRDs type: application -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: v0.0.0-latest +appVersion: "latest" +icon: https://raw.githubusercontent.com/envoyproxy/gateway/main/site/assets/icons/logo.svg + +maintainers: + - name: envoy-gateway-steering-committee + url: https://github.com/envoyproxy/gateway/blob/main/GOVERNANCE.md + - name: envoy-gateway-maintainers + url: https://github.com/envoyproxy/gateway/blob/main/CODEOWNERS + +keywords: + - gateway-api + - envoyproxy + - envoy-gateway + - eg + +home: https://gateway.envoyproxy.io/ -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "1.16.0" +sources: + - https://github.com/envoyproxy/gateway diff --git a/charts/gateway-crds-helm/README.md b/charts/gateway-crds-helm/README.md index a729d50b2d..e54913a3d8 100644 --- a/charts/gateway-crds-helm/README.md +++ b/charts/gateway-crds-helm/README.md 
@@ -1,8 +1,21 @@ # gateway-crds-helm -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) +![Version: v0.0.0-latest](https://img.shields.io/badge/Version-v0.0.0--latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) -A Helm chart for Kubernetes +A Helm chart for Envoy Gateway CRDs + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| envoy-gateway-steering-committee | | | +| envoy-gateway-maintainers | | | + +## Source Code + +* ## Usage diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index 2e7ce17d4e..1bec67423c 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -1031,12 +1031,14 @@ spec: unit: description: |- RateLimitUnit specifies the intervals for setting rate limits. - Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day". + Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year". enum: - Second - Minute - Hour - Day + - Month + - Year type: string required: - requests 
@@ -1280,12 +1282,14 @@ spec: unit: description: |- RateLimitUnit specifies the intervals for setting rate limits. - Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day". + Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year". enum: - Second - Minute - Hour - Day + - Month + - Year type: string required: - requests diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml index 004ea44c93..e5e0dcee63 100644 --- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -614,7 +614,7 @@ spec: x-kubernetes-validations: - message: Image must include a tag and allowed characters only (e.g., 'repo:tag'). - rule: self.matches('^[a-zA-Z0-9._/-]+:[a-zA-Z0-9._-]+$') + rule: self.matches('^[a-zA-Z0-9._/-]+(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$') imageRepository: description: |- ImageRepository specifies the container image repository to be used without specifying a tag. @@ -4459,7 +4459,7 @@ spec: x-kubernetes-validations: - message: Image must include a tag and allowed characters only (e.g., 'repo:tag'). - rule: self.matches('^[a-zA-Z0-9._/-]+:[a-zA-Z0-9._-]+$') + rule: self.matches('^[a-zA-Z0-9._/-]+(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$') imageRepository: description: |- ImageRepository specifies the container image repository to be used without specifying a tag. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index 1200bdf0c3..b81d397d62 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml 
@@ -1030,12 +1030,14 @@ spec: unit: description: |- RateLimitUnit specifies the intervals for setting rate limits. - Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day". + Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year". enum: - Second - Minute - Hour - Day + - Month + - Year type: string required: - requests @@ -1279,12 +1281,14 @@ spec: unit: description: |- RateLimitUnit specifies the intervals for setting rate limits. - Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day". + Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year". enum: - Second - Minute - Hour - Day + - Month + - Year type: string required: - requests diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 7d99356073..4a8675fdba 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -613,7 +613,7 @@ spec: x-kubernetes-validations: - message: Image must include a tag and allowed characters only (e.g., 'repo:tag'). - rule: self.matches('^[a-zA-Z0-9._/-]+:[a-zA-Z0-9._-]+$') + rule: self.matches('^[a-zA-Z0-9._/-]+(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$') imageRepository: description: |- ImageRepository specifies the container image repository to be used without specifying a tag. @@ -4458,7 +4458,7 @@ spec: x-kubernetes-validations: - message: Image must include a tag and allowed characters only (e.g., 'repo:tag'). - rule: self.matches('^[a-zA-Z0-9._/-]+:[a-zA-Z0-9._-]+$') + rule: self.matches('^[a-zA-Z0-9._/-]+(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$') imageRepository: description: |- ImageRepository specifies the container image repository to be used without specifying a tag. 
diff --git a/examples/envoy-ext-auth/Dockerfile b/examples/envoy-ext-auth/Dockerfile index 5966950814..fa3ccbfe4d 100644 --- a/examples/envoy-ext-auth/Dockerfile +++ b/examples/envoy-ext-auth/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.4 AS builder +FROM golang:1.24.6 AS builder ARG GO_LDFLAGS="" diff --git a/examples/envoy-ext-auth/go.mod b/examples/envoy-ext-auth/go.mod index c9f1ed6584..8e6237f15c 100644 --- a/examples/envoy-ext-auth/go.mod +++ b/examples/envoy-ext-auth/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway-grcp-ext-auth -go 1.24.4 +go 1.24.6 require ( github.com/envoyproxy/go-control-plane/envoy v1.32.4 diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 7a265fb79d..9a01121bb6 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -1,6 +1,6 @@ module github.com/exampleorg/envoygateway-extension -go 1.24.4 +go 1.24.6 require ( github.com/envoyproxy/gateway v1.3.1 diff --git a/examples/grpc-ext-proc/Dockerfile b/examples/grpc-ext-proc/Dockerfile index 1ed6430ec3..05a387bcf6 100644 --- a/examples/grpc-ext-proc/Dockerfile +++ b/examples/grpc-ext-proc/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.4 AS builder +FROM golang:1.24.6 AS builder ARG GO_LDFLAGS="" diff --git a/examples/grpc-ext-proc/go.mod b/examples/grpc-ext-proc/go.mod index afb804c86f..6f03773f19 100644 --- a/examples/grpc-ext-proc/go.mod +++ b/examples/grpc-ext-proc/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway-grpc-ext-proc -go 1.24.4 +go 1.24.6 require ( github.com/envoyproxy/go-control-plane/envoy v1.32.4 diff --git a/examples/preserve-case-backend/Dockerfile b/examples/preserve-case-backend/Dockerfile index 734637564b..99f8486502 100644 --- a/examples/preserve-case-backend/Dockerfile +++ b/examples/preserve-case-backend/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.4 AS builder +FROM golang:1.24.6 AS builder ARG GO_LDFLAGS="" 
diff --git a/examples/preserve-case-backend/go.mod b/examples/preserve-case-backend/go.mod index 2e6b968d8b..f6deb55adf 100644 --- a/examples/preserve-case-backend/go.mod +++ b/examples/preserve-case-backend/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway-preserve-case-backend -go 1.24.4 +go 1.24.6 require github.com/valyala/fasthttp v1.64.0 diff --git a/examples/simple-extension-server/Dockerfile b/examples/simple-extension-server/Dockerfile index 4c3f88c160..9a0f01e76c 100644 --- a/examples/simple-extension-server/Dockerfile +++ b/examples/simple-extension-server/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.4 AS builder +FROM golang:1.24.6 AS builder ARG GO_LDFLAGS="" diff --git a/examples/simple-extension-server/go.mod b/examples/simple-extension-server/go.mod index ae99dc0cfc..3d5ca39a5c 100644 --- a/examples/simple-extension-server/go.mod +++ b/examples/simple-extension-server/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway-simple-extension-server -go 1.24.4 +go 1.24.6 require ( github.com/envoyproxy/gateway v1.4.2 diff --git a/examples/static-file-server/Dockerfile b/examples/static-file-server/Dockerfile index 8c715b1f29..a0c1bddb1d 100644 --- a/examples/static-file-server/Dockerfile +++ b/examples/static-file-server/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.4 AS builder +FROM golang:1.24.6 AS builder ARG GO_LDFLAGS="" diff --git a/examples/static-file-server/go.mod b/examples/static-file-server/go.mod index 9018de8794..d544e4d171 100644 --- a/examples/static-file-server/go.mod +++ b/examples/static-file-server/go.mod @@ -1,3 +1,3 @@ module github.com/envoyproxy/static-file-server -go 1.24.4 +go 1.24.6 diff --git a/go.mod b/go.mod index b4b06e99e8..11b7a1bd17 100644 --- a/go.mod +++ b/go.mod 
@@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway -go 1.24.4 +go 1.24.6 // Replace the otelgrpc version because of k8s.io/client-go v0.33.3 replace go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 => go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 @@ -21,7 +21,7 @@ require ( github.com/envoyproxy/go-control-plane v0.13.5-0.20250622153809-434b6986176d github.com/envoyproxy/go-control-plane/contrib v1.32.5-0.20250430092421-68a532e11403 github.com/envoyproxy/go-control-plane/envoy v1.32.5-0.20250622153809-434b6986176d - github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 + github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20250805143705-d51f8590a549 github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 github.com/evanphx/json-patch v5.9.11+incompatible github.com/evanphx/json-patch/v5 v5.9.11 diff --git a/go.sum b/go.sum index 23672b7127..19ff1864b8 100644 --- a/go.sum +++ b/go.sum 
@@ -317,8 +317,8 @@ github.com/envoyproxy/go-control-plane/contrib v1.32.5-0.20250430092421-68a532e1 github.com/envoyproxy/go-control-plane/contrib v1.32.5-0.20250430092421-68a532e11403/go.mod h1:Xkwx/TGvEKRCL2mitdiuQWOD1ECvfM5krWWVo2vI2Zk= github.com/envoyproxy/go-control-plane/envoy v1.32.5-0.20250622153809-434b6986176d h1:mbxMT8XP3hEorIeTp4Yvcz5qKzE2n2q4IMU3SxuikaQ= github.com/envoyproxy/go-control-plane/envoy v1.32.5-0.20250622153809-434b6986176d/go.mod h1:09qwbGVuSWWAyN5t/b3iyVfz5+z8QWGrzkoqm/8SbEs= -github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI= -github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4= +github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20250805143705-d51f8590a549 h1:5K0vH5H4dtCIO8+w/yq6vDaMcGn9RoPrHfmPAFAztwU= +github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20250805143705-d51f8590a549/go.mod h1:KxtyvDAPIEkqUUvF9ooo5gSGVOtQ08wUTnQe5LsJC6c= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8= github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU= diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 466c48cd2f..cec1825257 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -1127,14 +1127,6 @@ xds: useRemoteAddress: true name: default/eg/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: eg - namespace: default - sectionName: http name: default/eg/http perConnectionBufferLimitBytes: 32768 - activeState: 
@@ -1247,14 +1239,6 @@ xds: useRemoteAddress: true name: default/eg/grpc maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: eg - namespace: default - sectionName: grpc name: default/eg/grpc perConnectionBufferLimitBytes: 32768 - activeState: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 0e0d7dae9b..84d7174948 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -978,20 +978,6 @@ "name": "default/eg/http" }, "maxConnectionsToAcceptPerSocketEvent": 1, - "metadata": { - "filterMetadata": { - "envoy-gateway": { - "resources": [ - { - "kind": "Gateway", - "name": "eg", - "namespace": "default", - "sectionName": "http" - } - ] - } - } - }, "name": "default/eg/http", "perConnectionBufferLimitBytes": 32768 } @@ -1144,20 +1130,6 @@ "name": "default/eg/grpc" }, "maxConnectionsToAcceptPerSocketEvent": 1, - "metadata": { - "filterMetadata": { - "envoy-gateway": { - "resources": [ - { - "kind": "Gateway", - "name": "eg", - "namespace": "default", - "sectionName": "grpc" - } - ] - } - } - }, "name": "default/eg/grpc", "perConnectionBufferLimitBytes": 32768 } diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index 2b6d629a8e..2bf22747eb 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml 
@@ -580,14 +580,6 @@ xds: useRemoteAddress: true name: default/eg/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: eg - namespace: default - sectionName: http name: default/eg/http perConnectionBufferLimitBytes: 32768 - activeState: @@ -700,14 +692,6 @@ xds: useRemoteAddress: true name: default/eg/grpc maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: eg - namespace: default - sectionName: grpc name: default/eg/grpc perConnectionBufferLimitBytes: 32768 - activeState: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml index 407c87e4e9..c0fa7da7c8 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml @@ -143,14 +143,6 @@ xds: useRemoteAddress: true name: default/eg/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: eg - namespace: default - sectionName: http name: default/eg/http perConnectionBufferLimitBytes: 32768 - activeState: @@ -263,14 +255,6 @@ xds: useRemoteAddress: true name: default/eg/grpc maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: eg - namespace: default - sectionName: grpc name: default/eg/grpc perConnectionBufferLimitBytes: 32768 - activeState: diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index 2ef1bfccad..300d0c8f6d 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json 
+++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -689,20 +689,6 @@ "name": "envoy-gateway-system/eg/http" }, "maxConnectionsToAcceptPerSocketEvent": 1, - "metadata": { - "filterMetadata": { - "envoy-gateway": { - "resources": [ - { - "kind": "Gateway", - "name": "eg", - "namespace": "envoy-gateway-system", - "sectionName": "http" - } - ] - } - } - }, "name": "envoy-gateway-system/eg/http", "perConnectionBufferLimitBytes": 32768 } diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 97e8af982d..55673a986f 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml @@ -418,14 +418,6 @@ xds: useRemoteAddress: true name: envoy-gateway-system/eg/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: eg - namespace: envoy-gateway-system - sectionName: http name: envoy-gateway-system/eg/http perConnectionBufferLimitBytes: 32768 - '@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml index 9e33881f16..6eeb127d70 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml 
@@ -163,13 +163,5 @@ xds: useRemoteAddress: true name: envoy-gateway-system/eg/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: eg - namespace: envoy-gateway-system - sectionName: http name: envoy-gateway-system/eg/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index 6f1a6b9d6f..d8bd72e73f 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -353,14 +353,6 @@ xds: useRemoteAddress: true name: envoy-gateway-system/eg/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: eg - namespace: envoy-gateway-system - sectionName: http name: envoy-gateway-system/eg/http perConnectionBufferLimitBytes: 32768 - '@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump diff --git a/internal/cmd/egctl/translate_test.go b/internal/cmd/egctl/translate_test.go index f7c401a9a0..bcca5377b4 100644 --- a/internal/cmd/egctl/translate_test.go +++ b/internal/cmd/egctl/translate_test.go @@ -22,7 +22,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/yaml" - "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/utils/field" "github.com/envoyproxy/gateway/internal/utils/file" "github.com/envoyproxy/gateway/internal/utils/test" @@ -377,7 +376,6 @@ func TestTranslate(t *testing.T) { opts := []cmp.Option{ cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"), - cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"), } require.Empty(t, cmp.Diff(want, got, opts...)) 
diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 07d926a9b6..494ef2d3d4 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -42,19 +42,7 @@ func (t *Translator) ProcessBackendTrafficPolicies(resources *resource.Resources res := make([]*egv1a1.BackendTrafficPolicy, 0, len(resources.BackendTrafficPolicies)) backendTrafficPolicies := resources.BackendTrafficPolicies - - // Initially, backendTrafficPolicies sort by creation timestamp - // or sort alphabetically by “{namespace}/{name}” if multiple policies share same timestamp. - sort.Slice(backendTrafficPolicies, func(i, j int) bool { - if backendTrafficPolicies[i].CreationTimestamp.Equal(&(backendTrafficPolicies[j].CreationTimestamp)) { - policyKeyI := fmt.Sprintf("%s/%s", backendTrafficPolicies[i].Namespace, backendTrafficPolicies[i].Name) - policyKeyJ := fmt.Sprintf("%s/%s", backendTrafficPolicies[j].Namespace, backendTrafficPolicies[j].Name) - return policyKeyI < policyKeyJ - } - // Not identical CreationTimestamps - - return backendTrafficPolicies[i].CreationTimestamp.Before(&(backendTrafficPolicies[j].CreationTimestamp)) - }) + // BackendTrafficPolicies are already sorted by the provider layer // First build a map out of the routes and gateways for faster lookup since users might have thousands of routes or more. routeMap := map[policyTargetRouteKey]*policyRouteTargetContext{} diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index d3c59cc724..f7727a73ba 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go 
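Review bot: With the local sort removed, `ProcessBackendTrafficPolicies` silently depends on its caller having ordered `resources.BackendTrafficPolicies`, and the one-line replacement comment does not say which order is required or what breaks without it. The removed code ordered by creation timestamp and then `{namespace}/{name}`; any code path that builds a `Resources` without calling `Sort()` (this diff adds the call only in `LoadResourcesFromYAMLBytes`, other producers are not visible here) would now translate policies in arbitrary order, which presumably changes which policy takes precedence. I would state the precondition in the doc comment, e.g. `// The caller must pass policies ordered by creation timestamp, then namespace/name (see Resources.Sort); precedence between policies depends on this order.` The same applies to the hunks in clienttrafficpolicy.go, envoyextensionpolicy.go, envoypatchpolicy.go (priority first) and extensionserverpolicy.go, three of which take a plain slice rather than a `Resources`. The function body continues outside the hunk.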
@@ -45,19 +45,7 @@ func (t *Translator) ProcessClientTrafficPolicies( var res []*egv1a1.ClientTrafficPolicy clientTrafficPolicies := resources.ClientTrafficPolicies - - // Initially, clientTrafficPolicies sort by creation timestamp - // or sort alphabetically by “{namespace}/{name}” if multiple policies share same timestamp. - sort.Slice(clientTrafficPolicies, func(i, j int) bool { - if clientTrafficPolicies[i].CreationTimestamp.Equal(&(clientTrafficPolicies[j].CreationTimestamp)) { - policyKeyI := fmt.Sprintf("%s/%s", clientTrafficPolicies[i].Namespace, clientTrafficPolicies[i].Name) - policyKeyJ := fmt.Sprintf("%s/%s", clientTrafficPolicies[j].Namespace, clientTrafficPolicies[j].Name) - return policyKeyI < policyKeyJ - } - // Not identical CreationTimestamps - - return clientTrafficPolicies[i].CreationTimestamp.Before(&(clientTrafficPolicies[j].CreationTimestamp)) - }) + // ClientTrafficPolicies are already sorted by the provider layer policyMap := make(map[types.NamespacedName]sets.Set[string]) diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index c6986f847d..c1e23b2a50 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go 
@@ -42,19 +42,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv xdsIR resource.XdsIRMap, ) []*egv1a1.EnvoyExtensionPolicy { var res []*egv1a1.EnvoyExtensionPolicy - - // Initially, policies sort by creation timestamp - // or sort alphabetically by “{namespace}/{name}” if multiple gateways share same timestamp. - sort.Slice(envoyExtensionPolicies, func(i, j int) bool { - if envoyExtensionPolicies[i].CreationTimestamp.Equal(&(envoyExtensionPolicies[j].CreationTimestamp)) { - policyKeyI := fmt.Sprintf("%s/%s", envoyExtensionPolicies[i].Namespace, envoyExtensionPolicies[i].Name) - policyKeyJ := fmt.Sprintf("%s/%s", envoyExtensionPolicies[j].Namespace, envoyExtensionPolicies[j].Name) - return policyKeyI < policyKeyJ - } - // Not identical CreationTimestamps - - return envoyExtensionPolicies[i].CreationTimestamp.Before(&(envoyExtensionPolicies[j].CreationTimestamp)) - }) + // EnvoyExtensionPolicies are already sorted by the provider layer // First build a map out of the routes and gateways for faster lookup since users might have thousands of routes or more. routeMap := map[policyTargetRouteKey]*policyRouteTargetContext{} diff --git a/internal/gatewayapi/envoypatchpolicy.go b/internal/gatewayapi/envoypatchpolicy.go index 1934168b1e..310efc02fa 100644 --- a/internal/gatewayapi/envoypatchpolicy.go +++ b/internal/gatewayapi/envoypatchpolicy.go @@ -7,7 +7,6 @@ package gatewayapi import ( "fmt" - "sort" "k8s.io/apimachinery/pkg/types" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" 
@@ -20,22 +19,7 @@ import ( ) func (t *Translator) ProcessEnvoyPatchPolicies(envoyPatchPolicies []*egv1a1.EnvoyPatchPolicy, xdsIR resource.XdsIRMap) { - // Initially, envoyPatchPolicies sort by priority - // if the priority is equal, they sort based on creation timestamp - // or sort alphabetically by “{namespace}/{name}” if multiple policies share same timestamp. - sort.Slice(envoyPatchPolicies, func(i, j int) bool { - if envoyPatchPolicies[i].Spec.Priority == envoyPatchPolicies[j].Spec.Priority { - if envoyPatchPolicies[i].CreationTimestamp.Equal(&(envoyPatchPolicies[j].CreationTimestamp)) { - policyKeyI := fmt.Sprintf("%s/%s", envoyPatchPolicies[i].Namespace, envoyPatchPolicies[i].Name) - policyKeyJ := fmt.Sprintf("%s/%s", envoyPatchPolicies[j].Namespace, envoyPatchPolicies[j].Name) - return policyKeyI < policyKeyJ - } - // Not identical CreationTimestamps - return envoyPatchPolicies[i].CreationTimestamp.Before(&(envoyPatchPolicies[j].CreationTimestamp)) - } - // Not identical Priorities - return envoyPatchPolicies[i].Spec.Priority < envoyPatchPolicies[j].Spec.Priority - }) + // EnvoyPatchPolicies are already sorted by the provider layer (priority, then timestamp, then name) for _, policy := range envoyPatchPolicies { var ( diff --git a/internal/gatewayapi/extensionserverpolicy.go b/internal/gatewayapi/extensionserverpolicy.go index b6e7fbb700..d10fb8116a 100644 --- a/internal/gatewayapi/extensionserverpolicy.go +++ b/internal/gatewayapi/extensionserverpolicy.go @@ -9,7 +9,6 @@ import ( "encoding/json" "errors" "fmt" - "sort" "strings" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" 
@@ -28,21 +27,7 @@ func (t *Translator) ProcessExtensionServerPolicies(policies []unstructured.Unst xdsIR resource.XdsIRMap, ) ([]unstructured.Unstructured, error) { res := []unstructured.Unstructured{} - - // Initially, policies sort by creation timestamp - // or sort alphabetically by “{namespace}/{name}” if multiple gateways share same timestamp. - sort.Slice(policies, func(i, j int) bool { - tsI := policies[i].GetCreationTimestamp() - tsJ := policies[j].GetCreationTimestamp() - if tsI.Equal(&tsJ) { - policyKeyI := fmt.Sprintf("%s/%s", policies[i].GetNamespace(), policies[i].GetName()) - policyKeyJ := fmt.Sprintf("%s/%s", policies[j].GetNamespace(), policies[j].GetName()) - return policyKeyI < policyKeyJ - } - // Not identical CreationTimestamps - - return tsI.Before(&tsJ) - }) + // ExtensionServerPolicies are already sorted by the provider layer // First build a map out of the gateways for faster lookup gatewayMap := map[types.NamespacedName]*policyGatewayTargetContext{} diff --git a/internal/gatewayapi/resource/load.go b/internal/gatewayapi/resource/load.go index 5f14f45d5e..6c327f16ef 100644 --- a/internal/gatewayapi/resource/load.go +++ b/internal/gatewayapi/resource/load.go @@ -42,6 +42,13 @@ func LoadResourcesFromYAMLBytes(yamlBytes []byte, addMissingResources bool) (*Re return nil, err } + // Sort to: + // 1. ensure identical resources are not retranslated + // and updates are avoided by the watchable layer + // 2. ensure gateway-api layer receives resources in order + // which impacts translation output + r.Sort() + return r, nil } diff --git a/internal/gatewayapi/resource/load_test.go b/internal/gatewayapi/resource/load_test.go index 3fe0083661..05d6133edd 100644 --- a/internal/gatewayapi/resource/load_test.go +++ b/internal/gatewayapi/resource/load_test.go 
@@ -62,7 +62,6 @@ func TestLoadAllSupportedResourcesFromYAMLBytes(t *testing.T) { mustUnmarshal(t, outFile, want) opts := []cmp.Option{ - cmpopts.IgnoreFields(Resources{}, "serviceMap"), cmpopts.EquateEmpty(), } require.Empty(t, cmp.Diff(want, got, opts...)) diff --git a/internal/gatewayapi/resource/resource.go b/internal/gatewayapi/resource/resource.go index 6304c8385f..623f8357c1 100644 --- a/internal/gatewayapi/resource/resource.go +++ b/internal/gatewayapi/resource/resource.go @@ -6,15 +6,13 @@ package resource import ( - "cmp" - "reflect" + "fmt" + "sort" - "golang.org/x/exp/slices" certificatesv1b1 "k8s.io/api/certificates/v1beta1" corev1 "k8s.io/api/core/v1" discoveryv1 "k8s.io/api/discovery/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/apimachinery/pkg/types" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" @@ -68,8 +66,6 @@ type Resources struct { HTTPRouteFilters []*egv1a1.HTTPRouteFilter `json:"httpFilters,omitempty" yaml:"httpFilters,omitempty"` ClusterTrustBundles []*certificatesv1b1.ClusterTrustBundle `json:"clusterTrustBundles,omitempty" yaml:"clusterTrustBundles,omitempty"` - - serviceMap map[types.NamespacedName]*corev1.Service } func NewResources() *Resources { 
@@ -118,19 +114,13 @@ func (r *Resources) GetEnvoyProxy(namespace, name string) *egv1a1.EnvoyProxy { } // GetService returns the Service with the given namespace and name. -// This function creates a HashMap of Services for faster lookup when it's called for the first time. -// Subsequent calls will use the HashMap for lookup. -// Note: -// - This function is not thread-safe. -// - This function should be called after all the Services are added to the Resources. func (r *Resources) GetService(namespace, name string) *corev1.Service { - if r.serviceMap == nil { - r.serviceMap = make(map[types.NamespacedName]*corev1.Service) - for _, svc := range r.Services { - r.serviceMap[types.NamespacedName{Namespace: svc.Namespace, Name: svc.Name}] = svc + for _, svc := range r.Services { + if svc.Namespace == namespace && svc.Name == name { + return svc } } - return r.serviceMap[types.NamespacedName{Namespace: namespace, Name: name}] + return nil } // GetServiceByLabels returns the Service matching the given labels and namespace target. 
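Review bot: GetService now walks `r.Services` on every call, where the removed code built a map once for faster lookup. If the translator calls it per backend reference (the callers are outside this hunk), total lookup cost grows with routes × services, which matters for control-plane latency on large clusters. Dropping the cached `serviceMap` field does keep `Resources` free of hidden state for comparison and deep copy, so rather than restoring it I would build the index once per translation pass in the caller and pass it down. At minimum the doc comment should record the cost: `// GetService does a linear scan of r.Services; callers doing repeated lookups should build their own index.`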
@@ -235,18 +225,270 @@ func (c *ControllerResources) DeepCopy() *ControllerResources { return &out } -// Equal implements the Comparable interface used by watchable.DeepEqual to skip unnecessary updates. -func (c *ControllerResources) Equal(y *ControllerResources) bool { - // Deep copy to avoid modifying the original ordering. - c = c.DeepCopy() - c.sort() - y = y.DeepCopy() - y.sort() - return reflect.DeepEqual(c, y) +func (c ControllerResources) Sort() { + // Top level sort based on gatewayClass contents + // Sort gatewayClass based on timestamp. + // Initially, sort by creation timestamp + // or sort alphabetically by “{namespace}/{name}” if multiple gatewayclasses share same timestamp. + sort.Slice(c, func(i, j int) bool { + if c[i].GatewayClass.CreationTimestamp.Equal(&(c[j].GatewayClass.CreationTimestamp)) { + return c[i].GatewayClass.Name < c[j].GatewayClass.Name + } + // Not identical CreationTimestamps + return c[i].GatewayClass.CreationTimestamp.Before(&(c[j].GatewayClass.CreationTimestamp)) + }) + + // Then, run Sort for each item + for idx := range c { + c[idx].Sort() + } } -func (c *ControllerResources) sort() { - slices.SortFunc(*c, func(c1, c2 *Resources) int { - return cmp.Compare(c1.GatewayClass.Name, c2.GatewayClass.Name) +func (r *Resources) Sort() { + // Sort gateways based on timestamp. + // Initially, gateways sort by creation timestamp + // or sort alphabetically by “{namespace}/{name}” if multiple gateways share same timestamp. 
+ sort.Slice(r.Gateways, func(i, j int) bool { + if r.Gateways[i].CreationTimestamp.Equal(&(r.Gateways[j].CreationTimestamp)) { + gatewayKeyI := fmt.Sprintf("%s/%s", r.Gateways[i].Namespace, r.Gateways[i].Name) + gatewayKeyJ := fmt.Sprintf("%s/%s", r.Gateways[j].Namespace, r.Gateways[j].Name) + return gatewayKeyI < gatewayKeyJ + } + // Not identical CreationTimestamps + + return r.Gateways[i].CreationTimestamp.Before(&(r.Gateways[j].CreationTimestamp)) + }) + + // Sort HTTPRoutes by creation timestamp, then namespace/name + sort.Slice(r.HTTPRoutes, func(i, j int) bool { + if r.HTTPRoutes[i].CreationTimestamp.Equal(&(r.HTTPRoutes[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.HTTPRoutes[i].Namespace, r.HTTPRoutes[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.HTTPRoutes[j].Namespace, r.HTTPRoutes[j].Name) + return keyI < keyJ + } + return r.HTTPRoutes[i].CreationTimestamp.Before(&(r.HTTPRoutes[j].CreationTimestamp)) + }) + + // Sort GRPCRoutes by creation timestamp, then namespace/name + sort.Slice(r.GRPCRoutes, func(i, j int) bool { + if r.GRPCRoutes[i].CreationTimestamp.Equal(&(r.GRPCRoutes[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.GRPCRoutes[i].Namespace, r.GRPCRoutes[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.GRPCRoutes[j].Namespace, r.GRPCRoutes[j].Name) + return keyI < keyJ + } + return r.GRPCRoutes[i].CreationTimestamp.Before(&(r.GRPCRoutes[j].CreationTimestamp)) + }) + + // Sort TLSRoutes by creation timestamp, then namespace/name + sort.Slice(r.TLSRoutes, func(i, j int) bool { + if r.TLSRoutes[i].CreationTimestamp.Equal(&(r.TLSRoutes[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.TLSRoutes[i].Namespace, r.TLSRoutes[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.TLSRoutes[j].Namespace, r.TLSRoutes[j].Name) + return keyI < keyJ + } + return r.TLSRoutes[i].CreationTimestamp.Before(&(r.TLSRoutes[j].CreationTimestamp)) + }) + + // Sort TCPRoutes by creation timestamp, then namespace/name + sort.Slice(r.TCPRoutes, func(i, j int) bool { 
+ if r.TCPRoutes[i].CreationTimestamp.Equal(&(r.TCPRoutes[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.TCPRoutes[i].Namespace, r.TCPRoutes[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.TCPRoutes[j].Namespace, r.TCPRoutes[j].Name) + return keyI < keyJ + } + return r.TCPRoutes[i].CreationTimestamp.Before(&(r.TCPRoutes[j].CreationTimestamp)) + }) + + // Sort UDPRoutes by creation timestamp, then namespace/name + sort.Slice(r.UDPRoutes, func(i, j int) bool { + if r.UDPRoutes[i].CreationTimestamp.Equal(&(r.UDPRoutes[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.UDPRoutes[i].Namespace, r.UDPRoutes[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.UDPRoutes[j].Namespace, r.UDPRoutes[j].Name) + return keyI < keyJ + } + return r.UDPRoutes[i].CreationTimestamp.Before(&(r.UDPRoutes[j].CreationTimestamp)) + }) + + // Sort ReferenceGrants by creation timestamp, then namespace/name + sort.Slice(r.ReferenceGrants, func(i, j int) bool { + if r.ReferenceGrants[i].CreationTimestamp.Equal(&(r.ReferenceGrants[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.ReferenceGrants[i].Namespace, r.ReferenceGrants[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.ReferenceGrants[j].Namespace, r.ReferenceGrants[j].Name) + return keyI < keyJ + } + return r.ReferenceGrants[i].CreationTimestamp.Before(&(r.ReferenceGrants[j].CreationTimestamp)) + }) + + // Sort Namespaces by creation timestamp, then name + sort.Slice(r.Namespaces, func(i, j int) bool { + if r.Namespaces[i].CreationTimestamp.Equal(&(r.Namespaces[j].CreationTimestamp)) { + return r.Namespaces[i].Name < r.Namespaces[j].Name + } + return r.Namespaces[i].CreationTimestamp.Before(&(r.Namespaces[j].CreationTimestamp)) + }) + + // Sort Services by creation timestamp, then namespace/name + sort.Slice(r.Services, func(i, j int) bool { + if r.Services[i].CreationTimestamp.Equal(&(r.Services[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.Services[i].Namespace, r.Services[i].Name) + keyJ := fmt.Sprintf("%s/%s", 
r.Services[j].Namespace, r.Services[j].Name) + return keyI < keyJ + } + return r.Services[i].CreationTimestamp.Before(&(r.Services[j].CreationTimestamp)) + }) + + // Sort ServiceImports by creation timestamp, then namespace/name + sort.Slice(r.ServiceImports, func(i, j int) bool { + if r.ServiceImports[i].CreationTimestamp.Equal(&(r.ServiceImports[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.ServiceImports[i].Namespace, r.ServiceImports[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.ServiceImports[j].Namespace, r.ServiceImports[j].Name) + return keyI < keyJ + } + return r.ServiceImports[i].CreationTimestamp.Before(&(r.ServiceImports[j].CreationTimestamp)) + }) + + // Sort EndpointSlices by creation timestamp, then namespace/name + sort.Slice(r.EndpointSlices, func(i, j int) bool { + if r.EndpointSlices[i].CreationTimestamp.Equal(&(r.EndpointSlices[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.EndpointSlices[i].Namespace, r.EndpointSlices[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.EndpointSlices[j].Namespace, r.EndpointSlices[j].Name) + return keyI < keyJ + } + return r.EndpointSlices[i].CreationTimestamp.Before(&(r.EndpointSlices[j].CreationTimestamp)) + }) + + // Sort Secrets by creation timestamp, then namespace/name + sort.Slice(r.Secrets, func(i, j int) bool { + if r.Secrets[i].CreationTimestamp.Equal(&(r.Secrets[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.Secrets[i].Namespace, r.Secrets[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.Secrets[j].Namespace, r.Secrets[j].Name) + return keyI < keyJ + } + return r.Secrets[i].CreationTimestamp.Before(&(r.Secrets[j].CreationTimestamp)) + }) + + // Sort ConfigMaps by creation timestamp, then namespace/name + sort.Slice(r.ConfigMaps, func(i, j int) bool { + if r.ConfigMaps[i].CreationTimestamp.Equal(&(r.ConfigMaps[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.ConfigMaps[i].Namespace, r.ConfigMaps[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.ConfigMaps[j].Namespace, 
r.ConfigMaps[j].Name) + return keyI < keyJ + } + return r.ConfigMaps[i].CreationTimestamp.Before(&(r.ConfigMaps[j].CreationTimestamp)) + }) + + // Sort EnvoyPatchPolicies by priority first, then creation timestamp, then namespace/name + sort.Slice(r.EnvoyPatchPolicies, func(i, j int) bool { + if r.EnvoyPatchPolicies[i].Spec.Priority == r.EnvoyPatchPolicies[j].Spec.Priority { + if r.EnvoyPatchPolicies[i].CreationTimestamp.Equal(&(r.EnvoyPatchPolicies[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.EnvoyPatchPolicies[i].Namespace, r.EnvoyPatchPolicies[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.EnvoyPatchPolicies[j].Namespace, r.EnvoyPatchPolicies[j].Name) + return keyI < keyJ + } + return r.EnvoyPatchPolicies[i].CreationTimestamp.Before(&(r.EnvoyPatchPolicies[j].CreationTimestamp)) + } + return r.EnvoyPatchPolicies[i].Spec.Priority < r.EnvoyPatchPolicies[j].Spec.Priority + }) + + // Sort ClientTrafficPolicies by creation timestamp, then namespace/name + sort.Slice(r.ClientTrafficPolicies, func(i, j int) bool { + if r.ClientTrafficPolicies[i].CreationTimestamp.Equal(&(r.ClientTrafficPolicies[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.ClientTrafficPolicies[i].Namespace, r.ClientTrafficPolicies[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.ClientTrafficPolicies[j].Namespace, r.ClientTrafficPolicies[j].Name) + return keyI < keyJ + } + return r.ClientTrafficPolicies[i].CreationTimestamp.Before(&(r.ClientTrafficPolicies[j].CreationTimestamp)) + }) + + // Sort BackendTrafficPolicies by creation timestamp, then namespace/name + sort.Slice(r.BackendTrafficPolicies, func(i, j int) bool { + if r.BackendTrafficPolicies[i].CreationTimestamp.Equal(&(r.BackendTrafficPolicies[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.BackendTrafficPolicies[i].Namespace, r.BackendTrafficPolicies[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.BackendTrafficPolicies[j].Namespace, r.BackendTrafficPolicies[j].Name) + return keyI < keyJ + } + return 
r.BackendTrafficPolicies[i].CreationTimestamp.Before(&(r.BackendTrafficPolicies[j].CreationTimestamp)) + }) + + // Sort SecurityPolicies by creation timestamp, then namespace/name + sort.Slice(r.SecurityPolicies, func(i, j int) bool { + if r.SecurityPolicies[i].CreationTimestamp.Equal(&(r.SecurityPolicies[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.SecurityPolicies[i].Namespace, r.SecurityPolicies[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.SecurityPolicies[j].Namespace, r.SecurityPolicies[j].Name) + return keyI < keyJ + } + return r.SecurityPolicies[i].CreationTimestamp.Before(&(r.SecurityPolicies[j].CreationTimestamp)) + }) + + // Sort BackendTLSPolicies by creation timestamp, then namespace/name + sort.Slice(r.BackendTLSPolicies, func(i, j int) bool { + if r.BackendTLSPolicies[i].CreationTimestamp.Equal(&(r.BackendTLSPolicies[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.BackendTLSPolicies[i].Namespace, r.BackendTLSPolicies[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.BackendTLSPolicies[j].Namespace, r.BackendTLSPolicies[j].Name) + return keyI < keyJ + } + return r.BackendTLSPolicies[i].CreationTimestamp.Before(&(r.BackendTLSPolicies[j].CreationTimestamp)) + }) + + // Sort EnvoyExtensionPolicies by creation timestamp, then namespace/name + sort.Slice(r.EnvoyExtensionPolicies, func(i, j int) bool { + if r.EnvoyExtensionPolicies[i].CreationTimestamp.Equal(&(r.EnvoyExtensionPolicies[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.EnvoyExtensionPolicies[i].Namespace, r.EnvoyExtensionPolicies[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.EnvoyExtensionPolicies[j].Namespace, r.EnvoyExtensionPolicies[j].Name) + return keyI < keyJ + } + return r.EnvoyExtensionPolicies[i].CreationTimestamp.Before(&(r.EnvoyExtensionPolicies[j].CreationTimestamp)) + }) + + // Sort Backends by creation timestamp, then namespace/name + sort.Slice(r.Backends, func(i, j int) bool { + if r.Backends[i].CreationTimestamp.Equal(&(r.Backends[j].CreationTimestamp)) { + 
keyI := fmt.Sprintf("%s/%s", r.Backends[i].Namespace, r.Backends[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.Backends[j].Namespace, r.Backends[j].Name) + return keyI < keyJ + } + return r.Backends[i].CreationTimestamp.Before(&(r.Backends[j].CreationTimestamp)) + }) + + // Sort HTTPRouteFilters by creation timestamp, then namespace/name + sort.Slice(r.HTTPRouteFilters, func(i, j int) bool { + if r.HTTPRouteFilters[i].CreationTimestamp.Equal(&(r.HTTPRouteFilters[j].CreationTimestamp)) { + keyI := fmt.Sprintf("%s/%s", r.HTTPRouteFilters[i].Namespace, r.HTTPRouteFilters[i].Name) + keyJ := fmt.Sprintf("%s/%s", r.HTTPRouteFilters[j].Namespace, r.HTTPRouteFilters[j].Name) + return keyI < keyJ + } + return r.HTTPRouteFilters[i].CreationTimestamp.Before(&(r.HTTPRouteFilters[j].CreationTimestamp)) + }) + + // Sort ClusterTrustBundles by creation timestamp, then name (cluster-scoped) + sort.Slice(r.ClusterTrustBundles, func(i, j int) bool { + if r.ClusterTrustBundles[i].CreationTimestamp.Equal(&(r.ClusterTrustBundles[j].CreationTimestamp)) { + return r.ClusterTrustBundles[i].Name < r.ClusterTrustBundles[j].Name + } + return r.ClusterTrustBundles[i].CreationTimestamp.Before(&(r.ClusterTrustBundles[j].CreationTimestamp)) + }) + + // Sort ExtensionRefFilters by creation timestamp, then namespace/name (unstructured resources) + sort.Slice(r.ExtensionRefFilters, func(i, j int) bool { + tsI := r.ExtensionRefFilters[i].GetCreationTimestamp() + tsJ := r.ExtensionRefFilters[j].GetCreationTimestamp() + if tsI.Equal(&tsJ) { + keyI := fmt.Sprintf("%s/%s", r.ExtensionRefFilters[i].GetNamespace(), r.ExtensionRefFilters[i].GetName()) + keyJ := fmt.Sprintf("%s/%s", r.ExtensionRefFilters[j].GetNamespace(), r.ExtensionRefFilters[j].GetName()) + return keyI < keyJ + } + return tsI.Before(&tsJ) + }) + + // Sort ExtensionServerPolicies by creation timestamp, then namespace/name (unstructured resources) + sort.Slice(r.ExtensionServerPolicies, func(i, j int) bool { + tsI := 
r.ExtensionServerPolicies[i].GetCreationTimestamp() + tsJ := r.ExtensionServerPolicies[j].GetCreationTimestamp() + if tsI.Equal(&tsJ) { + keyI := fmt.Sprintf("%s/%s", r.ExtensionServerPolicies[i].GetNamespace(), r.ExtensionServerPolicies[i].GetName()) + keyJ := fmt.Sprintf("%s/%s", r.ExtensionServerPolicies[j].GetNamespace(), r.ExtensionServerPolicies[j].GetName()) + return keyI < keyJ + } + return tsI.Before(&tsJ) }) } diff --git a/internal/gatewayapi/resource/resource_test.go b/internal/gatewayapi/resource/resource_test.go index f5758b4319..1db2e0f607 100644 --- a/internal/gatewayapi/resource/resource_test.go +++ b/internal/gatewayapi/resource/resource_test.go @@ -121,7 +121,11 @@ func TestEqualXds(t *testing.T) { for _, tc := range tests { t.Run(tc.desc, func(t *testing.T) { - require.Equal(t, tc.equal, cmp.Equal(tc.a, tc.b)) + tc.a.Sort() + tc.b.Sort() + diff := cmp.Diff(tc.a, tc.b) + got := diff == "" + require.Equal(t, tc.equal, got) }) } } diff --git a/internal/gatewayapi/resource/testdata/all-resources.out.yaml b/internal/gatewayapi/resource/testdata/all-resources.out.yaml index 69ac8ade73..b629510405 100644 --- a/internal/gatewayapi/resource/testdata/all-resources.out.yaml +++ b/internal/gatewayapi/resource/testdata/all-resources.out.yaml @@ -286,14 +286,14 @@ namespaces: kind: Namespace metadata: creationTimestamp: null - name: envoy-gateway-system + name: default spec: {} status: {} - apiVersion: v1 kind: Namespace metadata: creationTimestamp: null - name: default + name: envoy-gateway-system spec: {} status: {} - apiVersion: v1 
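Review bot: `Resources.Sort` repeats the same timestamp-then-key comparator for more than twenty slices, so the ordering the translator now relies on is defined in many places where one copy can drift or a newly added field can be missed. Each comparison also builds two strings with `fmt.Sprintf`. A single helper over `metav1.Object` (which the file would need to import) keeps the rule in one place; the sketch below keeps the existing "{namespace}/{name}" string comparison so the resulting order does not change. Both exported `Sort` methods also lack doc comments, and the comment in `ControllerResources.Sort` mentions "{namespace}/{name}" although only `GatewayClass.Name` is compared.

```go
// lessByCreation reports whether a sorts before b: older creation timestamp
// first, then the "{namespace}/{name}" string, matching the per-slice comparators.
func lessByCreation(a, b metav1.Object) bool {
	tsA, tsB := a.GetCreationTimestamp(), b.GetCreationTimestamp()
	if !tsA.Equal(&tsB) {
		return tsA.Before(&tsB)
	}
	return a.GetNamespace()+"/"+a.GetName() < b.GetNamespace()+"/"+b.GetName()
}

// Sort orders every resource slice in place so that translation input is deterministic.
func (r *Resources) Sort() {
	sort.Slice(r.Gateways, func(i, j int) bool {
		return lessByCreation(r.Gateways[i], r.Gateways[j])
	})
	// … same one-line comparator for each remaining typed slice …

	sort.Slice(r.EnvoyPatchPolicies, func(i, j int) bool {
		pi, pj := r.EnvoyPatchPolicies[i], r.EnvoyPatchPolicies[j]
		if pi.Spec.Priority != pj.Spec.Priority {
			return pi.Spec.Priority < pj.Spec.Priority
		}
		return lessByCreation(pi, pj)
	})

	// Unstructured slices hold values, so pass element addresses.
	sort.Slice(r.ExtensionRefFilters, func(i, j int) bool {
		return lessByCreation(&r.ExtensionRefFilters[i], &r.ExtensionRefFilters[j])
	})
	// … ExtensionServerPolicies likewise …
```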
@@ -334,18 +334,18 @@ secrets: kind: Secret metadata: creationTimestamp: null - name: secret-with-data-and-string-data + name: secret-with-data namespace: default - stringData: - secret: literal value - apiVersion: v1 data: .secret-file: dmFsdWUtMg0KDQo= kind: Secret metadata: creationTimestamp: null - name: secret-with-data + name: secret-with-data-and-string-data namespace: default + stringData: + secret: literal value - apiVersion: v1 kind: Secret metadata: diff --git a/internal/gatewayapi/resource/zz_generated.deepcopy.go b/internal/gatewayapi/resource/zz_generated.deepcopy.go index 7bc2f9f960..23d6033ca8 100644 --- a/internal/gatewayapi/resource/zz_generated.deepcopy.go +++ b/internal/gatewayapi/resource/zz_generated.deepcopy.go @@ -15,7 +15,6 @@ import ( corev1 "k8s.io/api/core/v1" discoveryv1 "k8s.io/api/discovery/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/gateway-api/apis/v1" "sigs.k8s.io/gateway-api/apis/v1alpha2" "sigs.k8s.io/gateway-api/apis/v1alpha3" @@ -303,22 +302,6 @@ func (in *Resources) DeepCopyInto(out *Resources) { } } } - if in.serviceMap != nil { - in, out := &in.serviceMap, &out.serviceMap - *out = make(map[types.NamespacedName]*corev1.Service, len(*in)) - for key, val := range *in { - var outVal *corev1.Service - if val == nil { - (*out)[key] = nil - } else { - inVal := (*in)[key] - in, out := &inVal, &outVal - *out = new(corev1.Service) - (*in).DeepCopyInto(*out) - } - (*out)[key] = outVal - } - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Resources. diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index fa517eea67..4fde9fcaef 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -8,7 +8,6 @@ package gatewayapi import ( "fmt" "net" - "sort" "strconv" "strings" "time" 
@@ -55,19 +54,7 @@ type RoutesTranslator interface { func (t *Translator) ProcessHTTPRoutes(httpRoutes []*gwapiv1.HTTPRoute, gateways []*GatewayContext, resources *resource.Resources, xdsIR resource.XdsIRMap) []*HTTPRouteContext { var relevantHTTPRoutes []*HTTPRouteContext - // Initially, httpRoutes sort by creation timestamp - // or sort alphabetically by “{namespace}/{name}” if multiple routes share same timestamp. - // Later on, additional sorting based on matcher type and match length may occur. - sort.Slice(httpRoutes, func(i, j int) bool { - if httpRoutes[i].CreationTimestamp.Equal(&(httpRoutes[j].CreationTimestamp)) { - routeKeyI := fmt.Sprintf("%s/%s", httpRoutes[i].Namespace, httpRoutes[i].Name) - routeKeyJ := fmt.Sprintf("%s/%s", httpRoutes[j].Namespace, httpRoutes[j].Name) - return routeKeyI < routeKeyJ - } - // Not identical CreationTimestamps - - return httpRoutes[i].CreationTimestamp.Before(&(httpRoutes[j].CreationTimestamp)) - }) + // HTTPRoutes are already sorted by the provider layer for _, h := range httpRoutes { if h == nil { 
@@ -97,19 +84,7 @@ func (t *Translator) ProcessHTTPRoutes(httpRoutes []*gwapiv1.HTTPRoute, gateways func (t *Translator) ProcessGRPCRoutes(grpcRoutes []*gwapiv1.GRPCRoute, gateways []*GatewayContext, resources *resource.Resources, xdsIR resource.XdsIRMap) []*GRPCRouteContext { var relevantGRPCRoutes []*GRPCRouteContext - // Initially, grpcRoutes sort by creation timestamp - // or sort alphabetically by “{namespace}/{name}” if multiple routes share same timestamp. - // Later on, additional sorting based on matcher type and match length may occur. - sort.Slice(grpcRoutes, func(i, j int) bool { - if grpcRoutes[i].CreationTimestamp.Equal(&(grpcRoutes[j].CreationTimestamp)) { - routeKeyI := fmt.Sprintf("%s/%s", grpcRoutes[i].Namespace, grpcRoutes[i].Name) - routeKeyJ := fmt.Sprintf("%s/%s", grpcRoutes[j].Namespace, grpcRoutes[j].Name) - return routeKeyI < routeKeyJ - } - // Not identical CreationTimestamps - - return grpcRoutes[i].CreationTimestamp.Before(&(grpcRoutes[j].CreationTimestamp)) - }) + // GRPCRoutes are already sorted by the provider layer for _, g := range grpcRoutes { if g == nil { 
@@ -941,19 +916,7 @@ func filterEGPrefix(in map[string]string) map[string]string { func (t *Translator) ProcessTLSRoutes(tlsRoutes []*gwapiv1a2.TLSRoute, gateways []*GatewayContext, resources *resource.Resources, xdsIR resource.XdsIRMap) []*TLSRouteContext { var relevantTLSRoutes []*TLSRouteContext - - // Initially, tlsRoutes sort by creation timestamp - // or sort alphabetically by “{namespace}/{name}” if multiple routes share same timestamp. - sort.Slice(tlsRoutes, func(i, j int) bool { - if tlsRoutes[i].CreationTimestamp.Equal(&(tlsRoutes[j].CreationTimestamp)) { - routeKeyI := fmt.Sprintf("%s/%s", tlsRoutes[i].Namespace, tlsRoutes[i].Name) - routeKeyJ := fmt.Sprintf("%s/%s", tlsRoutes[j].Namespace, tlsRoutes[j].Name) - return routeKeyI < routeKeyJ - } - // Not identical CreationTimestamps - - return tlsRoutes[i].CreationTimestamp.Before(&(tlsRoutes[j].CreationTimestamp)) - }) + // TLSRoutes are already sorted by the provider layer for _, tls := range tlsRoutes { if tls == nil { @@ -1100,19 +1063,7 @@ func (t *Translator) ProcessUDPRoutes(udpRoutes []*gwapiv1a2.UDPRoute, gateways xdsIR resource.XdsIRMap, ) []*UDPRouteContext { var relevantUDPRoutes []*UDPRouteContext - - // Initially, udpRoutes sort by creation timestamp - // or sort alphabetically by “{namespace}/{name}” if multiple routes share same timestamp. - sort.Slice(udpRoutes, func(i, j int) bool { - if udpRoutes[i].CreationTimestamp.Equal(&(udpRoutes[j].CreationTimestamp)) { - routeKeyI := fmt.Sprintf("%s/%s", udpRoutes[i].Namespace, udpRoutes[i].Name) - routeKeyJ := fmt.Sprintf("%s/%s", udpRoutes[j].Namespace, udpRoutes[j].Name) - return routeKeyI < routeKeyJ - } - // Not identical CreationTimestamps - - return udpRoutes[i].CreationTimestamp.Before(&(udpRoutes[j].CreationTimestamp)) - }) + // UDPRoutes are already sorted by the provider layer for _, u := range udpRoutes { if u == nil { 
@@ -1263,19 +1214,7 @@ func (t *Translator) ProcessTCPRoutes(tcpRoutes []*gwapiv1a2.TCPRoute, gateways xdsIR resource.XdsIRMap, ) []*TCPRouteContext { var relevantTCPRoutes []*TCPRouteContext - - // Initially, tcpRoutes sort by creation timestamp - // or sort alphabetically by “{namespace}/{name}” if multiple routes share same timestamp. - sort.Slice(tcpRoutes, func(i, j int) bool { - if tcpRoutes[i].CreationTimestamp.Equal(&(tcpRoutes[j].CreationTimestamp)) { - routeKeyI := fmt.Sprintf("%s/%s", tcpRoutes[i].Namespace, tcpRoutes[i].Name) - routeKeyJ := fmt.Sprintf("%s/%s", tcpRoutes[j].Namespace, tcpRoutes[j].Name) - return routeKeyI < routeKeyJ - } - // Not identical CreationTimestamps - - return tcpRoutes[i].CreationTimestamp.Before(&(tcpRoutes[j].CreationTimestamp)) - }) + // TCPRoutes are already sorted by the provider layer for _, tcp := range tcpRoutes { if tcp == nil { diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index a070d5bdc8..86686d15fd 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go 
@@ -58,19 +58,7 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security xdsIR resource.XdsIRMap, ) []*egv1a1.SecurityPolicy { var res []*egv1a1.SecurityPolicy - - // Initially, policies sort by creation timestamp - // or sort alphabetically by “{namespace}/{name}” if multiple policies share same timestamp. - sort.Slice(securityPolicies, func(i, j int) bool { - if securityPolicies[i].CreationTimestamp.Equal(&(securityPolicies[j].CreationTimestamp)) { - policyKeyI := fmt.Sprintf("%s/%s", securityPolicies[i].Namespace, securityPolicies[i].Name) - policyKeyJ := fmt.Sprintf("%s/%s", securityPolicies[j].Namespace, securityPolicies[j].Name) - return policyKeyI < policyKeyJ - } - // Not identical CreationTimestamps - - return securityPolicies[i].CreationTimestamp.Before(&(securityPolicies[j].CreationTimestamp)) - }) + // SecurityPolicies are already sorted by the provider layer // First build a map out of the routes and gateways for faster lookup since users might have thousands of routes or more. // For gateways this probably isn't quite as necessary. diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml index 3b9eed9e45..a1e60fc1a5 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml @@ -68,7 +68,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-btls + name: gateway-btls2 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -77,7 +77,7 @@ gateways: namespaces: from: All name: http - port: 80 + port: 81 protocol: HTTP status: listeners: @@ -108,7 +108,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-btls2 + name: gateway-btls namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class 
@@ -117,7 +117,7 @@ gateways: namespaces: from: All name: http - port: 81 + port: 80 protocol: HTTP status: listeners: diff --git a/internal/gatewayapi/testdata/backendtlspolicy-status-conditions-truncated.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-status-conditions-truncated.out.yaml index 609b9c584e..21c0b7cb87 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-status-conditions-truncated.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-status-conditions-truncated.out.yaml @@ -416,7 +416,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-10 + name: gateway-2 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -456,7 +456,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-11 + name: gateway-3 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -496,7 +496,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-12 + name: gateway-4 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -536,7 +536,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-13 + name: gateway-5 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -576,7 +576,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-14 + name: gateway-6 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -616,7 +616,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-15 + name: gateway-7 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -656,7 +656,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-16 + name: gateway-8 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -696,7 +696,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-17 + name: gateway-9 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class 
@@ -736,7 +736,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-18 + name: gateway-10 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -776,7 +776,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-2 + name: gateway-11 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -816,7 +816,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-3 + name: gateway-12 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -856,7 +856,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-4 + name: gateway-13 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -896,7 +896,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-5 + name: gateway-14 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -936,7 +936,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-6 + name: gateway-15 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -976,7 +976,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-7 + name: gateway-16 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1016,7 +1016,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-8 + name: gateway-17 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1056,7 +1056,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-9 + name: gateway-18 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions-truncated.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions-truncated.out.yaml index 135a8fa715..543a9435eb 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions-truncated.out.yaml 
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions-truncated.out.yaml @@ -223,13 +223,13 @@ backendTrafficPolicies: kind: BackendTrafficPolicy metadata: creationTimestamp: null - name: target-httproute-with-accepted-truncated-ancestors + name: target-httproute-with-attachment-conflict-truncated-ancestors namespace: envoy-gateway spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute - name: httproute-1 + name: httproute-2 status: ancestors: - ancestorRef: @@ -239,9 +239,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -251,9 +252,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -263,9 +265,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -275,9 +278,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -287,9 +291,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -299,9 +304,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -311,9 +317,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -323,9 +330,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -335,9 +343,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -347,9 +356,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -359,9 +369,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -371,9 +382,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -383,9 +395,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -395,9 +408,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -407,9 +421,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -419,9 +434,10 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted - lastTransitionTime: null message: 'Ancestors have been aggregated because the number of policy ancestors @@ -434,13 +450,13 @@ backendTrafficPolicies: kind: BackendTrafficPolicy metadata: creationTimestamp: null - name: target-httproute-with-attachment-conflict-truncated-ancestors + name: target-httproute-with-accepted-truncated-ancestors namespace: envoy-gateway spec: - targetRefs: - - group: gateway.networking.k8s.io + targetRef: + group: gateway.networking.k8s.io kind: HTTPRoute - name: httproute-2 + name: httproute-1 status: ancestors: - ancestorRef: @@ -450,10 +466,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -463,10 +478,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -476,10 +490,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -489,10 +502,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -502,10 +514,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -515,10 +526,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -528,10 +538,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -541,10 +550,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -554,10 +562,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -567,10 +574,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -580,10 +586,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -593,10 +598,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -606,10 +610,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -619,10 +622,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -632,10 +634,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -645,10 +646,9 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted - lastTransitionTime: null message: 'Ancestors have been aggregated because the number of policy ancestors @@ -702,7 +702,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-10 + name: gateway-2 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -742,7 +742,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-11 + name: gateway-3 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -782,7 +782,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-12 + name: gateway-4 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -822,7 +822,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-13 + name: gateway-5 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -862,7 +862,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-14 + name: gateway-6 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -902,7 +902,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-15 + name: gateway-7 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class 
@@ -942,7 +942,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-16 + name: gateway-8 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -982,7 +982,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-17 + name: gateway-9 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1022,7 +1022,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-18 + name: gateway-10 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1062,7 +1062,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-2 + name: gateway-11 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1102,7 +1102,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-3 + name: gateway-12 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1142,7 +1142,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-4 + name: gateway-13 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1182,7 +1182,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-5 + name: gateway-14 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1222,7 +1222,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-6 + name: gateway-15 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1262,7 +1262,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-7 + name: gateway-16 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1302,7 +1302,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-8 + name: gateway-17 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class 
@@ -1342,7 +1342,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-9 + name: gateway-18 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml index 11cc134921..a58cf6c335 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml @@ -3,7 +3,7 @@ backendTrafficPolicies: kind: BackendTrafficPolicy metadata: creationTimestamp: null - name: also-target-httproute-in-gateway-1 + name: target-httproute-in-gateway-1 namespace: envoy-gateway spec: targetRef: 
@@ -28,64 +28,51 @@ backendTrafficPolicies: kind: BackendTrafficPolicy metadata: creationTimestamp: null - name: not-same-namespace-httproute + name: also-target-httproute-in-gateway-1 namespace: envoy-gateway spec: targetRef: group: gateway.networking.k8s.io kind: HTTPRoute - name: not-same-namespace-httproute - status: - ancestors: null -- apiVersion: gateway.envoyproxy.io/v1alpha1 - kind: BackendTrafficPolicy - metadata: - creationTimestamp: null - name: target-grpcroute-in-gateway-2 - namespace: envoy-gateway - spec: - targetRef: - group: gateway.networking.k8s.io - kind: GRPCRoute - name: grpcroute-1 + name: httproute-1 status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-2 + name: gateway-1 namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-1, another BackendTrafficPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy metadata: creationTimestamp: null - name: target-httproute-in-gateway-1 + name: target-grpcroute-in-gateway-2 namespace: envoy-gateway spec: targetRef: group: gateway.networking.k8s.io - kind: HTTPRoute - name: httproute-1 + kind: GRPCRoute + name: grpcroute-1 status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-1 + name: gateway-2 namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-1, another BackendTrafficPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - apiVersion: gateway.envoyproxy.io/v1alpha1 
@@ -105,13 +92,13 @@ backendTrafficPolicies: kind: BackendTrafficPolicy metadata: creationTimestamp: null - name: not-same-namespace-gateway + name: not-same-namespace-httproute namespace: envoy-gateway spec: targetRef: group: gateway.networking.k8s.io - kind: Gateway - name: not-same-namespace-gateway + kind: HTTPRoute + name: not-same-namespace-httproute status: ancestors: null - apiVersion: gateway.envoyproxy.io/v1alpha1 @@ -184,47 +171,20 @@ backendTrafficPolicies: name: unknown-gateway status: ancestors: null -gateways: -- apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy metadata: creationTimestamp: null name: not-same-namespace-gateway - namespace: another-namespace + namespace: envoy-gateway spec: - gatewayClassName: envoy-gateway-class - listeners: - - allowedRoutes: - namespaces: - from: Same - name: http - port: 80 - protocol: HTTP + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: not-same-namespace-gateway status: - listeners: - - attachedRoutes: 0 - conditions: - - lastTransitionTime: null - message: Sending translated listener configuration to the data plane - reason: Programmed - status: "True" - type: Programmed - - lastTransitionTime: null - message: Listener has been successfully translated - reason: Accepted - status: "True" - type: Accepted - - lastTransitionTime: null - message: Listener references have been resolved - reason: ResolvedRefs - status: "True" - type: ResolvedRefs - name: http - supportedKinds: - - group: gateway.networking.k8s.io - kind: HTTPRoute - - group: gateway.networking.k8s.io - kind: GRPCRoute + ancestors: null +gateways: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway metadata: 
@@ -356,6 +316,46 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + creationTimestamp: null + name: not-same-namespace-gateway + namespace: another-namespace + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute grpcRoutes: - apiVersion: gateway.networking.k8s.io/v1alpha2 kind: GRPCRoute @@ -398,12 +398,12 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: not-same-namespace-httproute - namespace: another-namespace + name: httproute-1 + namespace: envoy-gateway spec: parentRefs: - - name: not-same-namespace-gateway - namespace: another-namespace + - name: gateway-1 + namespace: envoy-gateway rules: - backendRefs: - name: service-1 @@ -415,9 +415,9 @@ httpRoutes: parents: - conditions: - lastTransitionTime: null - message: No listeners included by this parent ref allowed this attachment. - reason: NotAllowedByListeners - status: "False" + message: Route is accepted + reason: Accepted + status: "True" type: Accepted - lastTransitionTime: null message: Resolved all the Object references for the Route 
@@ -426,18 +426,18 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - name: not-same-namespace-gateway - namespace: another-namespace + name: gateway-1 + namespace: envoy-gateway - apiVersion: gateway.networking.k8s.io/v1beta1 kind: HTTPRoute metadata: creationTimestamp: null - name: httproute-1 - namespace: envoy-gateway + name: not-same-namespace-httproute + namespace: another-namespace spec: parentRefs: - - name: gateway-1 - namespace: envoy-gateway + - name: not-same-namespace-gateway + namespace: another-namespace rules: - backendRefs: - name: service-1 @@ -449,9 +449,9 @@ httpRoutes: parents: - conditions: - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" + message: No listeners included by this parent ref allowed this attachment. + reason: NotAllowedByListeners + status: "False" type: Accepted - lastTransitionTime: null message: Resolved all the Object references for the Route @@ -460,8 +460,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - name: gateway-1 - namespace: envoy-gateway + name: not-same-namespace-gateway + namespace: another-namespace infraIR: another-namespace/not-same-namespace-gateway: proxy: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml index 9cd4988698..461042c4c8 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml 
@@ -3,26 +3,26 @@ backendTrafficPolicies: kind: BackendTrafficPolicy metadata: creationTimestamp: null - name: policy-for-grpcroute + name: policy-for-route namespace: default spec: faultInjection: abort: - grpcStatus: 14 + httpStatus: 500 percentage: 100 delay: fixedDelay: 5.4s percentage: 80 targetRef: group: gateway.networking.k8s.io - kind: GRPCRoute - name: grpcroute-1 + kind: HTTPRoute + name: httproute-1 status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-1 + name: gateway-2 namespace: envoy-gateway sectionName: http conditions: @@ -36,26 +36,26 @@ backendTrafficPolicies: kind: BackendTrafficPolicy metadata: creationTimestamp: null - name: policy-for-route + name: policy-for-grpcroute namespace: default spec: faultInjection: abort: - httpStatus: 500 + grpcStatus: 14 percentage: 100 delay: fixedDelay: 5.4s percentage: 80 targetRef: group: gateway.networking.k8s.io - kind: HTTPRoute - name: httproute-1 + kind: GRPCRoute + name: grpcroute-1 status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-2 + name: gateway-1 namespace: envoy-gateway sectionName: http conditions: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-endpointoverride-loadbalancer-multiple-mixed.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-endpointoverride-loadbalancer-multiple-mixed.out.yaml index 107b0fbacd..ed2d15b437 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-endpointoverride-loadbalancer-multiple-mixed.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-endpointoverride-loadbalancer-multiple-mixed.out.yaml @@ -181,6 +181,7 @@ xdsIR: - host: 7.7.7.7 port: 8080 metadata: + kind: Service name: service-1 namespace: default sectionName: "8080" 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-endpointoverride-loadbalancer-single-header.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-endpointoverride-loadbalancer-single-header.out.yaml index d0e166f7cc..3ea22053f2 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-endpointoverride-loadbalancer-single-header.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-endpointoverride-loadbalancer-single-header.out.yaml @@ -181,6 +181,7 @@ xdsIR: - host: 7.7.7.7 port: 8080 metadata: + kind: Service name: service-1 namespace: default sectionName: "8080" diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-endpointoverride-loadbalancer.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-endpointoverride-loadbalancer.out.yaml index 9cae1a04ff..8970c4a7bb 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-endpointoverride-loadbalancer.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-endpointoverride-loadbalancer.out.yaml @@ -219,6 +219,7 @@ xdsIR: - host: 7.7.7.7 port: 8080 metadata: + kind: Service name: service-2 namespace: default sectionName: "8080" @@ -250,6 +251,7 @@ xdsIR: - host: 7.7.7.7 port: 8080 metadata: + kind: Service name: service-1 namespace: default sectionName: "8080" diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml index 5f679cf771..9983ff868d 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml 
@@ -3,61 +3,44 @@ backendTrafficPolicies: kind: BackendTrafficPolicy metadata: creationTimestamp: null - name: policy-for-grpc-route - namespace: default - spec: - healthCheck: - active: - healthyThreshold: 1 - interval: 3s - timeout: 1s - type: GRPC - unhealthyThreshold: 3 - targetRef: - group: gateway.networking.k8s.io - kind: GRPCRoute - name: grpcroute-2 - status: - ancestors: - - ancestorRef: - group: gateway.networking.k8s.io - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http - conditions: - - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" - type: Accepted - controllerName: gateway.envoyproxy.io/gatewayclass-controller -- apiVersion: gateway.envoyproxy.io/v1alpha1 - kind: BackendTrafficPolicy - metadata: - creationTimestamp: null - name: policy-for-grpc-route-3 + name: policy-for-route-1 namespace: default spec: healthCheck: active: - grpc: - service: foo-service - healthyThreshold: 1 - interval: 3s + healthyThreshold: 3 + http: + expectedResponse: + text: pong + type: Text + expectedStatuses: + - 200 + - 201 + hostname: foo.bar + method: GET + path: /healthz + interval: 5s timeout: 1s - type: GRPC + type: HTTP unhealthyThreshold: 3 + passive: + baseEjectionTime: 150s + consecutive5XxErrors: 5 + consecutiveGatewayErrors: 0 + consecutiveLocalOriginFailures: 5 + interval: 1s + maxEjectionPercent: 100 + splitExternalLocalOriginErrors: false targetRef: group: gateway.networking.k8s.io - kind: GRPCRoute - name: grpcroute-3 + kind: HTTPRoute + name: httproute-1 status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-1 + name: gateway-2 namespace: envoy-gateway sectionName: http conditions: @@ -71,7 +54,7 @@ backendTrafficPolicies: kind: BackendTrafficPolicy metadata: creationTimestamp: null - name: policy-for-route-1 + name: policy-for-route-4 namespace: default spec: healthCheck: 
@@ -81,28 +64,16 @@ backendTrafficPolicies: expectedResponse: text: pong type: Text - expectedStatuses: - - 200 - - 201 - hostname: foo.bar method: GET path: /healthz interval: 5s timeout: 1s type: HTTP unhealthyThreshold: 3 - passive: - baseEjectionTime: 150s - consecutive5XxErrors: 5 - consecutiveGatewayErrors: 0 - consecutiveLocalOriginFailures: 5 - interval: 1s - maxEjectionPercent: 100 - splitExternalLocalOriginErrors: false targetRef: group: gateway.networking.k8s.io kind: HTTPRoute - name: httproute-1 + name: httproute-4 status: ancestors: - ancestorRef: @@ -218,26 +189,22 @@ backendTrafficPolicies: kind: BackendTrafficPolicy metadata: creationTimestamp: null - name: policy-for-route-4 + name: policy-for-route-5 namespace: default spec: healthCheck: active: - healthyThreshold: 3 - http: - expectedResponse: - text: pong - type: Text - method: GET - path: /healthz - interval: 5s - timeout: 1s - type: HTTP - unhealthyThreshold: 3 + healthyThreshold: 2 + initialJitter: 15s + interval: 30s + tcp: {} + timeout: 10s + type: TCP + unhealthyThreshold: 2 targetRef: group: gateway.networking.k8s.io kind: HTTPRoute - name: httproute-4 + name: httproute-5 status: ancestors: - ancestorRef: 
@@ -257,28 +224,61 @@ backendTrafficPolicies: kind: BackendTrafficPolicy metadata: creationTimestamp: null - name: policy-for-route-5 + name: policy-for-grpc-route namespace: default spec: healthCheck: active: - healthyThreshold: 2 - initialJitter: 15s - interval: 30s - tcp: {} - timeout: 10s - type: TCP - unhealthyThreshold: 2 + healthyThreshold: 1 + interval: 3s + timeout: 1s + type: GRPC + unhealthyThreshold: 3 targetRef: group: gateway.networking.k8s.io - kind: HTTPRoute - name: httproute-5 + kind: GRPCRoute + name: grpcroute-2 status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-2 + name: gateway-1 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-grpc-route-3 + namespace: default + spec: + healthCheck: + active: + grpc: + service: foo-service + healthyThreshold: 1 + interval: 3s + timeout: 1s + type: GRPC + unhealthyThreshold: 3 + targetRef: + group: gateway.networking.k8s.io + kind: GRPCRoute + name: grpcroute-3 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 namespace: envoy-gateway sectionName: http conditions: @@ -462,7 +462,7 @@ grpcRoutes: kind: GRPCRoute metadata: creationTimestamp: null - name: grpcroute-2 + name: grpcroute-3 namespace: default spec: parentRefs: @@ -471,7 +471,7 @@ grpcRoutes: sectionName: http rules: - backendRefs: - - name: service-2 + - name: service-3 port: 8080 status: parents: @@ -495,7 +495,7 @@ grpcRoutes: kind: GRPCRoute metadata: creationTimestamp: null - name: grpcroute-3 + name: grpcroute-2 namespace: default spec: parentRefs: 
@@ -504,7 +504,7 @@ grpcRoutes: sectionName: http rules: - backendRefs: - - name: service-3 + - name: service-2 port: 8080 status: parents: @@ -828,32 +828,33 @@ xdsIR: - destination: metadata: kind: GRPCRoute - name: grpcroute-2 + name: grpcroute-3 namespace: default - name: grpcroute/default/grpcroute-2/rule/0 + name: grpcroute/default/grpcroute-3/rule/0 settings: - addressType: IP endpoints: - host: 7.7.7.7 port: 8080 metadata: - name: service-2 + name: service-3 namespace: default sectionName: "8080" - name: grpcroute/default/grpcroute-2/rule/0/backend/0 + name: grpcroute/default/grpcroute-3/rule/0/backend/0 protocol: GRPC weight: 1 hostname: '*' isHTTP2: true metadata: kind: GRPCRoute - name: grpcroute-2 + name: grpcroute-3 namespace: default - name: grpcroute/default/grpcroute-2/rule/0/match/-1/* + name: grpcroute/default/grpcroute-3/rule/0/match/-1/* traffic: healthCheck: active: - grpc: {} + grpc: + service: foo-service healthyThreshold: 1 interval: 3s timeout: 1s @@ -861,33 +862,32 @@ xdsIR: - destination: metadata: kind: GRPCRoute - name: grpcroute-3 + name: grpcroute-2 namespace: default - name: grpcroute/default/grpcroute-3/rule/0 + name: grpcroute/default/grpcroute-2/rule/0 settings: - addressType: IP endpoints: - host: 7.7.7.7 port: 8080 metadata: - name: service-3 + name: service-2 namespace: default sectionName: "8080" - name: grpcroute/default/grpcroute-3/rule/0/backend/0 + name: grpcroute/default/grpcroute-2/rule/0/backend/0 protocol: GRPC weight: 1 hostname: '*' isHTTP2: true metadata: kind: GRPCRoute - name: grpcroute-3 + name: grpcroute-2 namespace: default - name: grpcroute/default/grpcroute-3/rule/0/match/-1/* + name: grpcroute/default/grpcroute-2/rule/0/match/-1/* traffic: healthCheck: active: - grpc: - service: foo-service + grpc: {} healthyThreshold: 1 interval: 3s timeout: 1s 
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol-legacy-mixed.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol-legacy-mixed.out.yaml index 94497b8635..0b641c23b7 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol-legacy-mixed.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol-legacy-mixed.out.yaml @@ -3,20 +3,22 @@ clientTrafficPolicies: kind: ClientTrafficPolicy metadata: creationTimestamp: null - name: target-gateway-legacy-only + name: target-gateway-precedence-test namespace: envoy-gateway spec: - enableProxyProtocol: true + enableProxyProtocol: false + proxyProtocol: + optional: true targetRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-legacy-only + name: gateway-precedence-test status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-legacy-only + name: gateway-precedence-test namespace: envoy-gateway conditions: - lastTransitionTime: null @@ -29,21 +31,20 @@ clientTrafficPolicies: kind: ClientTrafficPolicy metadata: creationTimestamp: null - name: target-gateway-new-api-only + name: target-gateway-legacy-only namespace: envoy-gateway spec: - proxyProtocol: - optional: false + enableProxyProtocol: true targetRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-new-api-only + name: gateway-legacy-only status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-new-api-only + name: gateway-legacy-only namespace: envoy-gateway conditions: - lastTransitionTime: null 
@@ -56,22 +57,21 @@ clientTrafficPolicies: kind: ClientTrafficPolicy metadata: creationTimestamp: null - name: target-gateway-precedence-test + name: target-gateway-new-api-only namespace: envoy-gateway spec: - enableProxyProtocol: false proxyProtocol: - optional: true + optional: false targetRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-precedence-test + name: gateway-new-api-only status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-precedence-test + name: gateway-new-api-only namespace: envoy-gateway conditions: - lastTransitionTime: null @@ -85,7 +85,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-legacy-only + name: gateway-precedence-test namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -93,12 +93,12 @@ gateways: - allowedRoutes: namespaces: from: Same - name: tcp-1 - port: 9090 - protocol: TCP + name: http-1 + port: 80 + protocol: HTTP status: listeners: - - attachedRoutes: 1 + - attachedRoutes: 0 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane @@ -115,15 +115,17 @@ gateways: reason: ResolvedRefs status: "True" type: ResolvedRefs - name: tcp-1 + name: http-1 supportedKinds: - group: gateway.networking.k8s.io - kind: TCPRoute + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: creationTimestamp: null - name: gateway-new-api-only + name: gateway-legacy-only namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -131,12 +133,12 @@ gateways: - allowedRoutes: namespaces: from: Same - name: http-2 - port: 8080 - protocol: HTTP + name: tcp-1 + port: 9090 + protocol: TCP status: listeners: - - attachedRoutes: 0 + - attachedRoutes: 1 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane 
@@ -153,17 +155,15 @@ gateways: reason: ResolvedRefs status: "True" type: ResolvedRefs - name: http-2 + name: tcp-1 supportedKinds: - group: gateway.networking.k8s.io - kind: HTTPRoute - - group: gateway.networking.k8s.io - kind: GRPCRoute + kind: TCPRoute - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: creationTimestamp: null - name: gateway-precedence-test + name: gateway-new-api-only namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -171,8 +171,8 @@ gateways: - allowedRoutes: namespaces: from: Same - name: http-1 - port: 80 + name: http-2 + port: 8080 protocol: HTTP status: listeners: @@ -193,7 +193,7 @@ gateways: reason: ResolvedRefs status: "True" type: ResolvedRefs - name: http-1 + name: http-2 supportedKinds: - group: gateway.networking.k8s.io kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions-truncated.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions-truncated.out.yaml index b1d3f1c11e..b053bf086f 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions-truncated.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions-truncated.out.yaml @@ -584,7 +584,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-10 + name: gateway-2 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -624,7 +624,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-11 + name: gateway-3 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -664,7 +664,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-12 + name: gateway-4 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -704,7 +704,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-13 + name: gateway-5 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class 
@@ -744,7 +744,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-14 + name: gateway-6 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -784,7 +784,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-15 + name: gateway-7 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -824,7 +824,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-16 + name: gateway-8 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -864,7 +864,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-17 + name: gateway-9 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -904,7 +904,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-18 + name: gateway-10 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -944,7 +944,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-2 + name: gateway-11 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -984,7 +984,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-3 + name: gateway-12 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1024,7 +1024,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-4 + name: gateway-13 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1064,7 +1064,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-5 + name: gateway-14 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1104,7 +1104,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-6 + name: gateway-15 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class 
@@ -1144,7 +1144,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-7 + name: gateway-16 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1184,7 +1184,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-8 + name: gateway-17 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1224,7 +1224,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-9 + name: gateway-18 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml index c67cacd615..6e77d17577 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml @@ -1,31 +1,4 @@ clientTrafficPolicies: -- apiVersion: gateway.envoyproxy.io/v1alpha1 - kind: ClientTrafficPolicy - metadata: - creationTimestamp: null - name: not-found-section-name - namespace: envoy-gateway - spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: gateway-3 - sectionName: foo-bar - status: - ancestors: - - ancestorRef: - group: gateway.networking.k8s.io - kind: Gateway - name: gateway-3 - namespace: envoy-gateway - sectionName: foo-bar - conditions: - - lastTransitionTime: null - message: No section name foo-bar found for Gateway envoy-gateway/gateway-3 - reason: TargetNotFound - status: "False" - type: Accepted - controllerName: gateway.envoyproxy.io/gatewayclass-controller - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: ClientTrafficPolicy metadata: 
@@ -112,15 +85,29 @@ clientTrafficPolicies: kind: ClientTrafficPolicy metadata: creationTimestamp: null - name: not-same-namespace-with-gateway + name: not-found-section-name namespace: envoy-gateway spec: targetRef: group: gateway.networking.k8s.io kind: Gateway - name: not-same-namespace-gateway + name: gateway-3 + sectionName: foo-bar status: - ancestors: null + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-3 + namespace: envoy-gateway + sectionName: foo-bar + conditions: + - lastTransitionTime: null + message: No section name foo-bar found for Gateway envoy-gateway/gateway-3 + reason: TargetNotFound + status: "False" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: ClientTrafficPolicy metadata: @@ -216,6 +203,19 @@ clientTrafficPolicies: name: unknown-gateway status: ancestors: null +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: ClientTrafficPolicy + metadata: + creationTimestamp: null + name: not-same-namespace-with-gateway + namespace: envoy-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: not-same-namespace-gateway + status: + ancestors: null gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions-truncated.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions-truncated.out.yaml index 5332b0453c..ef6f102ee2 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions-truncated.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions-truncated.out.yaml 
@@ -223,13 +223,13 @@ envoyExtensionPolicies: kind: EnvoyExtensionPolicy metadata: creationTimestamp: null - name: target-httproute-with-accepted-truncated-ancestors + name: target-httproute-with-attachment-conflict-truncated-ancestors namespace: envoy-gateway spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute - name: httproute-1 + name: httproute-2 status: ancestors: - ancestorRef: @@ -239,9 +239,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -251,9 +252,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -263,9 +265,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -275,9 +278,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -287,9 +291,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -299,9 +304,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -311,9 +317,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -323,9 +330,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -335,9 +343,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -347,9 +356,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -359,9 +369,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -371,9 +382,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -383,9 +395,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -395,9 +408,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -407,9 +421,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -419,9 +434,10 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted - lastTransitionTime: null message: 'Ancestors have been aggregated because the number of policy ancestors @@ -434,13 +450,13 @@ envoyExtensionPolicies: kind: EnvoyExtensionPolicy metadata: creationTimestamp: null - name: target-httproute-with-attachment-conflict-truncated-ancestors + name: target-httproute-with-accepted-truncated-ancestors namespace: envoy-gateway spec: - targetRefs: - - group: gateway.networking.k8s.io + targetRef: + group: gateway.networking.k8s.io kind: HTTPRoute - name: httproute-2 + name: httproute-1 status: ancestors: - ancestorRef: @@ -450,10 +466,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -463,10 +478,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -476,10 +490,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -489,10 +502,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -502,10 +514,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -515,10 +526,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -528,10 +538,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -541,10 +550,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -554,10 +562,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -567,10 +574,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -580,10 +586,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -593,10 +598,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -606,10 +610,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -619,10 +622,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -632,10 +634,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -645,10 +646,9 @@ envoyExtensionPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted - lastTransitionTime: null message: 'Ancestors have been aggregated because the number of policy ancestors @@ -702,7 +702,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-10 + name: gateway-2 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -742,7 +742,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-11 + name: gateway-3 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -782,7 +782,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-12 + name: gateway-4 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -822,7 +822,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-13 + name: gateway-5 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -862,7 +862,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-14 + name: gateway-6 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -902,7 +902,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-15 + name: gateway-7 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class 
@@ -942,7 +942,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-16 + name: gateway-8 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -982,7 +982,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-17 + name: gateway-9 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1022,7 +1022,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-18 + name: gateway-10 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1062,7 +1062,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-2 + name: gateway-11 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1102,7 +1102,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-3 + name: gateway-12 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1142,7 +1142,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-4 + name: gateway-13 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1182,7 +1182,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-5 + name: gateway-14 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1222,7 +1222,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-6 + name: gateway-15 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1262,7 +1262,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-7 + name: gateway-16 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1302,7 +1302,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-8 + name: gateway-17 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class 
@@ -1342,7 +1342,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-9 + name: gateway-18 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml index ef54e8f3eb..d013002c7e 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml @@ -3,7 +3,7 @@ envoyExtensionPolicies: kind: EnvoyExtensionPolicy metadata: creationTimestamp: null - name: also-target-httproute-in-gateway-1 + name: target-httproute-in-gateway-1 namespace: envoy-gateway spec: targetRef: 
@@ -28,64 +28,51 @@ envoyExtensionPolicies: kind: EnvoyExtensionPolicy metadata: creationTimestamp: null - name: not-same-namespace-httproute + name: also-target-httproute-in-gateway-1 namespace: envoy-gateway spec: targetRef: group: gateway.networking.k8s.io kind: HTTPRoute - name: not-same-namespace-httproute - status: - ancestors: null -- apiVersion: gateway.envoyproxy.io/v1alpha1 - kind: EnvoyExtensionPolicy - metadata: - creationTimestamp: null - name: target-grpcroute-in-gateway-2 - namespace: envoy-gateway - spec: - targetRef: - group: gateway.networking.k8s.io - kind: GRPCRoute - name: grpcroute-1 + name: httproute-1 status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-2 + name: gateway-1 namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-1, another EnvoyExtensionPolicy + has already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyExtensionPolicy metadata: creationTimestamp: null - name: target-httproute-in-gateway-1 + name: target-grpcroute-in-gateway-2 namespace: envoy-gateway spec: targetRef: group: gateway.networking.k8s.io - kind: HTTPRoute - name: httproute-1 + kind: GRPCRoute + name: grpcroute-1 status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-1 + name: gateway-2 namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-1, another EnvoyExtensionPolicy - has already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - apiVersion: gateway.envoyproxy.io/v1alpha1 
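Review bot: The expected output in this hunk moves the `reason: Conflicted` condition for httproute-1 from `target-httproute-in-gateway-1` to `also-target-httproute-in-gateway-1`, so the policy that loses the attachment conflict has changed, yet every policy in the fixture still has `creationTimestamp: null`. The golden file therefore only pins whatever tie-break applies when timestamps are equal. That is presumably input order rather than name order, but the translator change is not visible in this hunk. Because the winner decides which EnvoyExtensionPolicy actually takes effect on the route, I would give the two policies in the matching input fixture distinct timestamps, for example `creationTimestamp: "2024-01-01T00:00:00Z"` and a later one (constructed values), so the intended precedence is asserted explicitly. The same reordering appears in the `-truncated` golden file above, where the accepted and conflicted policies swap positions.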
@@ -105,13 +92,13 @@ envoyExtensionPolicies: kind: EnvoyExtensionPolicy metadata: creationTimestamp: null - name: not-same-namespace-gateway + name: not-same-namespace-httproute namespace: envoy-gateway spec: targetRef: group: gateway.networking.k8s.io - kind: Gateway - name: not-same-namespace-gateway + kind: HTTPRoute + name: not-same-namespace-httproute status: ancestors: null - apiVersion: gateway.envoyproxy.io/v1alpha1 @@ -184,47 +171,20 @@ envoyExtensionPolicies: name: unknown-gateway status: ancestors: null -gateways: -- apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy metadata: creationTimestamp: null name: not-same-namespace-gateway - namespace: another-namespace + namespace: envoy-gateway spec: - gatewayClassName: envoy-gateway-class - listeners: - - allowedRoutes: - namespaces: - from: Same - name: http - port: 80 - protocol: HTTP + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: not-same-namespace-gateway status: - listeners: - - attachedRoutes: 0 - conditions: - - lastTransitionTime: null - message: Sending translated listener configuration to the data plane - reason: Programmed - status: "True" - type: Programmed - - lastTransitionTime: null - message: Listener has been successfully translated - reason: Accepted - status: "True" - type: Accepted - - lastTransitionTime: null - message: Listener references have been resolved - reason: ResolvedRefs - status: "True" - type: ResolvedRefs - name: http - supportedKinds: - - group: gateway.networking.k8s.io - kind: HTTPRoute - - group: gateway.networking.k8s.io - kind: GRPCRoute + ancestors: null +gateways: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway metadata: 
@@ -356,6 +316,46 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + creationTimestamp: null + name: not-same-namespace-gateway + namespace: another-namespace + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute grpcRoutes: - apiVersion: gateway.networking.k8s.io/v1alpha2 kind: GRPCRoute @@ -398,12 +398,12 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: not-same-namespace-httproute - namespace: another-namespace + name: httproute-1 + namespace: envoy-gateway spec: parentRefs: - - name: not-same-namespace-gateway - namespace: another-namespace + - name: gateway-1 + namespace: envoy-gateway rules: - backendRefs: - name: service-1 @@ -415,9 +415,9 @@ httpRoutes: parents: - conditions: - lastTransitionTime: null - message: No listeners included by this parent ref allowed this attachment. - reason: NotAllowedByListeners - status: "False" + message: Route is accepted + reason: Accepted + status: "True" type: Accepted - lastTransitionTime: null message: Resolved all the Object references for the Route 
@@ -426,18 +426,18 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - name: not-same-namespace-gateway - namespace: another-namespace + name: gateway-1 + namespace: envoy-gateway - apiVersion: gateway.networking.k8s.io/v1beta1 kind: HTTPRoute metadata: creationTimestamp: null - name: httproute-1 - namespace: envoy-gateway + name: not-same-namespace-httproute + namespace: another-namespace spec: parentRefs: - - name: gateway-1 - namespace: envoy-gateway + - name: not-same-namespace-gateway + namespace: another-namespace rules: - backendRefs: - name: service-1 @@ -449,9 +449,9 @@ httpRoutes: parents: - conditions: - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" + message: No listeners included by this parent ref allowed this attachment. + reason: NotAllowedByListeners + status: "False" type: Accepted - lastTransitionTime: null message: Resolved all the Object references for the Route @@ -460,8 +460,8 @@ httpRoutes: type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: - name: gateway-1 - namespace: envoy-gateway + name: not-same-namespace-gateway + namespace: another-namespace infraIR: another-namespace/not-same-namespace-gateway: proxy: diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.out.yaml index cc35cb7f67..6ed5b7c521 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.out.yaml 
@@ -79,10 +79,10 @@ xdsIR: - name: envoy-gateway-gateway-1-http operation: op: replace - path: /ignore_global_conn_limit - value: "true" + path: /per_connection_buffer_limit_bytes + value: "1024" type: type.googleapis.com/envoy.config.listener.v3.Listener - name: edit-ignore-global-limit + name: edit-conn-buffer-bytes namespace: envoy-gateway status: ancestors: @@ -101,10 +101,10 @@ xdsIR: - name: envoy-gateway-gateway-1-http operation: op: replace - path: /per_connection_buffer_limit_bytes - value: "1024" + path: /ignore_global_conn_limit + value: "true" type: type.googleapis.com/envoy.config.listener.v3.Listener - name: edit-conn-buffer-bytes + name: edit-ignore-global-limit namespace: envoy-gateway status: ancestors: diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-valid.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-valid.out.yaml index 59d64e660a..93155c0ccd 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-valid.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-valid.out.yaml @@ -69,10 +69,10 @@ xdsIR: - name: envoy-gateway-gateway-1-http operation: op: replace - path: /ignore_global_conn_limit - value: "true" + path: /per_connection_buffer_limit_bytes + value: "1024" type: type.googleapis.com/envoy.config.listener.v3.Listener - name: edit-ignore-global-limit + name: edit-conn-buffer-bytes namespace: envoy-gateway status: ancestors: @@ -93,10 +93,10 @@ xdsIR: - name: envoy-gateway-gateway-1-http operation: op: replace - path: /per_connection_buffer_limit_bytes - value: "1024" + path: /ignore_global_conn_limit + value: "true" type: type.googleapis.com/envoy.config.listener.v3.Listener - name: edit-conn-buffer-bytes + name: edit-ignore-global-limit namespace: envoy-gateway status: ancestors: 
diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-mixed-multiple.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-mixed-multiple.out.yaml index 0462d3e050..1a96f003f8 100644 --- a/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-mixed-multiple.out.yaml +++ b/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-mixed-multiple.out.yaml @@ -169,6 +169,7 @@ xdsIR: - host: 7.7.7.7 port: 8080 metadata: + kind: Service name: service-1 namespace: default sectionName: "8080" @@ -231,6 +232,7 @@ xdsIR: - host: 7.7.7.7 port: 8080 metadata: + kind: Service name: service-2 namespace: default sectionName: "8080" diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-mixed.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-mixed.out.yaml index 45342445e2..a5b5e3db18 100644 --- a/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-mixed.out.yaml +++ b/internal/gatewayapi/testdata/extensions/httproute-with-custom-backend-mixed.out.yaml @@ -161,6 +161,7 @@ xdsIR: - host: 7.7.7.7 port: 8080 metadata: + kind: Service name: service-1 namespace: default sectionName: "8080" @@ -207,6 +208,7 @@ xdsIR: - host: 7.7.7.7 port: 8080 metadata: + kind: Service name: service-2 namespace: default sectionName: "8080" diff --git a/internal/gatewayapi/testdata/gateway-namespace-mode-infra-httproute.out.yaml b/internal/gatewayapi/testdata/gateway-namespace-mode-infra-httproute.out.yaml index 4507655c60..abeb51acf8 100644 --- a/internal/gatewayapi/testdata/gateway-namespace-mode-infra-httproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-namespace-mode-infra-httproute.out.yaml @@ -317,6 +317,7 @@ xdsIR: - host: 7.7.7.7 port: 8080 metadata: + kind: Service name: service-1 namespace: default sectionName: "8080" 
@@ -372,6 +373,7 @@ xdsIR: - host: 7.7.7.7 port: 8080 metadata: + kind: Service name: service-2 namespace: default sectionName: "8080" @@ -398,6 +400,16 @@ xdsIR: accessLog: json: - path: /dev/stdout + globalResources: + proxyServiceCluster: + name: test-ns/gateway-3 + settings: + - metadata: + name: gateway-3 + namespace: test-ns + sectionName: "8080" + name: test-ns/gateway-3 + protocol: TCP http: - address: 0.0.0.0 externalPort: 80 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.out.yaml index bbdb1f4df6..d1fde15677 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.out.yaml @@ -32,8 +32,7 @@ gateways: conditions: - lastTransitionTime: null message: Secret envoy-gateway/tls-secret-ecdsa-2 public key algorithm must - be unique, matched certificate FQDN [foo.bar.com] has a conflicting algorithm - [ECDSA]. + be unique, certificate domain foo.bar.com has a conflicting algorithm [ECDSA]. reason: InvalidCertificateRef status: "False" type: ResolvedRefs diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-valid-certificate-for-fqdn.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-valid-certificate-for-fqdn.out.yaml deleted file mode 100644 index a28e3dc648..0000000000 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-valid-certificate-for-fqdn.out.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -gateways: -- apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - metadata: - creationTimestamp: null - name: gateway-1 - namespace: envoy-gateway - spec: - gatewayClassName: envoy-gateway-class - listeners: - - allowedRoutes: - namespaces: - from: All - hostname: example.com - name: tls - port: 443 - protocol: HTTPS - tls: - certificateRefs: - - group: null - kind: null - name: tls-secret-1 - mode: Terminate - status: - listeners: - - attachedRoutes: 1 - conditions: - - lastTransitionTime: null - message: Secret envoy-gateway/tls-secret-1 must contain valid tls.crt and - tls.key, hostname example.com does not match Common Name or DNS Names in - the certificate tls.crt. - reason: InvalidCertificateRef - status: "False" - type: ResolvedRefs - - lastTransitionTime: null - message: Listener is invalid, see other Conditions for details. - reason: Invalid - status: "False" - type: Programmed - name: tls - supportedKinds: - - group: gateway.networking.k8s.io - kind: HTTPRoute - - group: gateway.networking.k8s.io - kind: GRPCRoute -httpRoutes: -- apiVersion: gateway.networking.k8s.io/v1 - kind: HTTPRoute - metadata: - creationTimestamp: null - name: httproute-1 - namespace: default - spec: - parentRefs: - - name: gateway-1 - namespace: envoy-gateway - rules: - - backendRefs: - - name: service-1 - port: 8080 - matches: - - path: - value: / - status: - parents: - - conditions: - - lastTransitionTime: null - message: There are no ready listeners for this parent ref - reason: NoReadyListeners - status: "False" - type: Accepted - - lastTransitionTime: null - message: Resolved all the Object references for the Route - reason: ResolvedRefs - status: "True" - type: ResolvedRefs - controllerName: gateway.envoyproxy.io/gatewayclass-controller - parentRef: - name: gateway-1 - namespace: envoy-gateway -infraIR: - envoy-gateway/gateway-1: - proxy: - metadata: - labels: - gateway.envoyproxy.io/owning-gateway-name: gateway-1 - 
gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway - ownerReference: - kind: GatewayClass - name: envoy-gateway-class - name: envoy-gateway/gateway-1 - namespace: envoy-gateway-system -xdsIR: - envoy-gateway/gateway-1: - accessLog: - json: - - path: /dev/stdout - globalResources: - proxyServiceCluster: - name: envoy-gateway/gateway-1 - settings: - - addressType: IP - endpoints: - - host: 7.6.5.4 - port: 8080 - zone: zone1 - metadata: - name: envoy-envoy-gateway-gateway-1-196ae069 - namespace: envoy-gateway-system - sectionName: "8080" - name: envoy-gateway/gateway-1 - protocol: TCP - readyListener: - address: 0.0.0.0 - ipFamily: IPv4 - path: /ready - port: 19003 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-valid-certificate-for-fqdn.in.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-configuration-sni-san-mismatch-allowed.in.yaml similarity index 100% rename from internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-valid-certificate-for-fqdn.in.yaml rename to internal/gatewayapi/testdata/gateway-with-listener-with-tls-configuration-sni-san-mismatch-allowed.in.yaml diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-configuration-sni-san-mismatch-allowed.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-configuration-sni-san-mismatch-allowed.out.yaml new file mode 100644 index 0000000000..1ebb9fc1a5 --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-configuration-sni-san-mismatch-allowed.out.yaml 
@@ -0,0 +1,180 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: example.com + name: tls + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: null + kind: null + name: tls-secret-1 + mode: Terminate + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: tls + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/tls + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + 
servicePort: 443 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-1 + namespace: envoy-gateway-system +xdsIR: + envoy-gateway/gateway-1: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + name: envoy-gateway/gateway-1 + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + name: envoy-envoy-gateway-gateway-1-196ae069 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-1 + protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 443 + hostnames: + - example.com + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-1/tls + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 + routes: + - destination: + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + metadata: + name: service-1 + namespace: default + sectionName: "8080" + name: httproute/default/httproute-1/rule/0/backend/0 + protocol: HTTP + weight: 1 + hostname: example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/example_com + pathMatch: + distinct: false + name: "" + prefix: / + tls: + alpnProtocols: null + certificates: + - certificate: 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 + name: envoy-gateway/tls-secret-1 + privateKey: '[redacted]' + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 
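Review bot: The expected status for listener `tls` now reports `ResolvedRefs`, `Accepted` and `Programmed` as `"True"` with no mention of the certificate. The golden file deleted just above expected `reason: InvalidCertificateRef` ("hostname example.com does not match Common Name or DNS Names in the certificate tls.crt") for the same input, since the `.in.yaml` is renamed at 100% similarity. If the mismatch is now tolerated on purpose, as the new file name suggests, nothing in this output tells an operator that `envoy-gateway/tls-secret-1` does not cover `example.com`, even though the xdsIR attaches that certificate to the `example.com` listener. Consider having the translator keep the listener programmed but carry the mismatch in the condition text, for example `message: Listener references have been resolved, certificate tls-secret-1 does not cover hostname example.com`. It would also help to confirm that another fixture still pins a rejecting `InvalidCertificateRef` case, because this rename removes the one visible here.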
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml index cced11f524..2fbcf9e012 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml @@ -98,7 +98,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: httproute-fqdn + name: httproute-static namespace: default spec: parentRefs: @@ -109,16 +109,16 @@ httpRoutes: - backendRefs: - group: gateway.envoyproxy.io kind: Backend - name: backend-fqdn - - name: service-fqdn + name: backend-ip + - name: service-ip port: 8080 - group: multicluster.x-k8s.io kind: ServiceImport - name: service-import-fqdn + name: service-import-ip port: 8081 matches: - path: - value: /2 + value: /1 status: parents: - conditions: @@ -141,7 +141,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: httproute-static + name: httproute-fqdn namespace: default spec: parentRefs: @@ -152,16 +152,16 @@ httpRoutes: - backendRefs: - group: gateway.envoyproxy.io kind: Backend - name: backend-ip - - name: service-ip + name: backend-fqdn + - name: service-fqdn port: 8080 - group: multicluster.x-k8s.io kind: ServiceImport - name: service-import-ip + name: service-import-fqdn port: 8081 matches: - path: - value: /1 + value: /2 status: parents: - conditions: 
@@ -240,109 +240,109 @@ xdsIR: - destination: metadata: kind: HTTPRoute - name: httproute-fqdn + name: httproute-static namespace: default - name: httproute/default/httproute-fqdn/rule/0 + name: httproute/default/httproute-static/rule/0 settings: - - addressType: FQDN + - addressType: IP endpoints: - - host: primary.foo.com - port: 3000 + - host: 1.1.1.1 + port: 3001 metadata: kind: Backend - name: backend-fqdn + name: backend-ip namespace: default - name: httproute/default/httproute-fqdn/rule/0/backend/0 + name: httproute/default/httproute-static/rule/0/backend/0 protocol: HTTP weight: 1 - - addressType: FQDN + - addressType: IP endpoints: - - host: bar.foo + - host: 4.3.2.1 port: 8080 metadata: kind: Service - name: service-fqdn + name: service-ip namespace: default sectionName: "8080" - name: httproute/default/httproute-fqdn/rule/0/backend/1 + name: httproute/default/httproute-static/rule/0/backend/1 protocol: HTTP weight: 1 - - addressType: FQDN + - addressType: IP endpoints: - - host: foo.bar - port: 8080 + - host: 1.2.3.4 + port: 8081 metadata: kind: ServiceImport - name: service-import-fqdn + name: service-import-ip namespace: default sectionName: "8081" - name: httproute/default/httproute-fqdn/rule/0/backend/2 + name: httproute/default/httproute-static/rule/0/backend/2 protocol: HTTP weight: 1 hostname: '*' isHTTP2: false metadata: kind: HTTPRoute - name: httproute-fqdn + name: httproute-static namespace: default - name: httproute/default/httproute-fqdn/rule/0/match/0/* + name: httproute/default/httproute-static/rule/0/match/0/* pathMatch: distinct: false name: "" - prefix: /2 + prefix: /1 - destination: metadata: kind: HTTPRoute - name: httproute-static + name: httproute-fqdn namespace: default - name: httproute/default/httproute-static/rule/0 + name: httproute/default/httproute-fqdn/rule/0 settings: - - addressType: IP + - addressType: FQDN endpoints: - - host: 1.1.1.1 - port: 3001 + - host: primary.foo.com + port: 3000 metadata: kind: Backend - name: 
backend-ip + name: backend-fqdn namespace: default - name: httproute/default/httproute-static/rule/0/backend/0 + name: httproute/default/httproute-fqdn/rule/0/backend/0 protocol: HTTP weight: 1 - - addressType: IP + - addressType: FQDN endpoints: - - host: 4.3.2.1 + - host: bar.foo port: 8080 metadata: kind: Service - name: service-ip + name: service-fqdn namespace: default sectionName: "8080" - name: httproute/default/httproute-static/rule/0/backend/1 + name: httproute/default/httproute-fqdn/rule/0/backend/1 protocol: HTTP weight: 1 - - addressType: IP + - addressType: FQDN endpoints: - - host: 1.2.3.4 - port: 8081 + - host: foo.bar + port: 8080 metadata: kind: ServiceImport - name: service-import-ip + name: service-import-fqdn namespace: default sectionName: "8081" - name: httproute/default/httproute-static/rule/0/backend/2 + name: httproute/default/httproute-fqdn/rule/0/backend/2 protocol: HTTP weight: 1 hostname: '*' isHTTP2: false metadata: kind: HTTPRoute - name: httproute-static + name: httproute-fqdn namespace: default - name: httproute/default/httproute-static/rule/0/match/0/* + name: httproute/default/httproute-fqdn/rule/0/match/0/* pathMatch: distinct: false name: "" - prefix: /1 + prefix: /2 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml index 66b838b980..6cb8adf67e 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml @@ -165,7 +165,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: httproute-2 + name: httproute-3 namespace: default spec: parentRefs: 
@@ -176,10 +176,10 @@ httpRoutes: - backendRefs: - group: gateway.envoyproxy.io kind: Backend - name: backend-mixed-uds-fqdn + name: backend-mixed-ip-fqdn matches: - path: - value: /2 + value: /3 status: parents: - conditions: @@ -203,7 +203,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: httproute-3 + name: httproute-2 namespace: default spec: parentRefs: @@ -214,10 +214,10 @@ httpRoutes: - backendRefs: - group: gateway.envoyproxy.io kind: Backend - name: backend-mixed-ip-fqdn + name: backend-mixed-uds-fqdn matches: - path: - value: /3 + value: /2 status: parents: - conditions: @@ -313,26 +313,26 @@ xdsIR: isHTTP2: false metadata: kind: HTTPRoute - name: httproute-2 + name: httproute-3 namespace: default - name: httproute/default/httproute-2/rule/0/match/0/* + name: httproute/default/httproute-3/rule/0/match/0/* pathMatch: distinct: false name: "" - prefix: /2 + prefix: /3 - directResponse: statusCode: 500 hostname: '*' isHTTP2: false metadata: kind: HTTPRoute - name: httproute-3 + name: httproute-2 namespace: default - name: httproute/default/httproute-3/rule/0/match/0/* + name: httproute/default/httproute-2/rule/0/match/0/* pathMatch: distinct: false name: "" - prefix: /3 + prefix: /2 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml index 29e6d10d4c..52a7abfc0b 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml @@ -174,7 +174,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: httproute-2 + name: httproute-3 namespace: default spec: parentRefs: 
@@ -185,10 +185,10 @@ httpRoutes: - backendRefs: - group: gateway.envoyproxy.io kind: Backend - name: backend-ip + name: backend-fqdn matches: - path: - value: /2 + value: /3 status: parents: - conditions: @@ -211,7 +211,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: httproute-3 + name: httproute-2 namespace: default spec: parentRefs: @@ -222,10 +222,10 @@ httpRoutes: - backendRefs: - group: gateway.envoyproxy.io kind: Backend - name: backend-fqdn + name: backend-ip matches: - path: - value: /3 + value: /2 status: parents: - conditions: 
@@ -393,61 +393,61 @@ xdsIR: - destination: metadata: kind: HTTPRoute - name: httproute-2 + name: httproute-3 namespace: default - name: httproute/default/httproute-2/rule/0 + name: httproute/default/httproute-3/rule/0 settings: - - addressType: IP + - addressType: FQDN endpoints: - - host: 1.1.1.1 - port: 3001 + - host: primary.foo.com + port: 3000 metadata: kind: Backend - name: backend-ip + name: backend-fqdn namespace: default - name: httproute/default/httproute-2/rule/0/backend/0 + name: httproute/default/httproute-3/rule/0/backend/0 protocol: HTTP weight: 1 hostname: '*' isHTTP2: false metadata: kind: HTTPRoute - name: httproute-2 + name: httproute-3 namespace: default - name: httproute/default/httproute-2/rule/0/match/0/* + name: httproute/default/httproute-3/rule/0/match/0/* pathMatch: distinct: false name: "" - prefix: /2 + prefix: /3 - destination: metadata: kind: HTTPRoute - name: httproute-3 + name: httproute-2 namespace: default - name: httproute/default/httproute-3/rule/0 + name: httproute/default/httproute-2/rule/0 settings: - - addressType: FQDN + - addressType: IP endpoints: - - host: primary.foo.com - port: 3000 + - host: 1.1.1.1 + port: 3001 metadata: kind: Backend - name: backend-fqdn + name: backend-ip namespace: default - name: httproute/default/httproute-3/rule/0/backend/0 + name: httproute/default/httproute-2/rule/0/backend/0 protocol: HTTP weight: 1 hostname: '*' isHTTP2: false metadata: kind: HTTPRoute - name: httproute-3 + name: httproute-2 namespace: default - name: httproute/default/httproute-3/rule/0/match/0/* + name: httproute/default/httproute-2/rule/0/match/0/* pathMatch: distinct: false name: "" - prefix: /3 + prefix: /2 - directResponse: statusCode: 500 hostname: '*' diff --git a/internal/gatewayapi/testdata/httproute-default-order-by-creation-date-and-route-name.out.yaml b/internal/gatewayapi/testdata/httproute-default-order-by-creation-date-and-route-name.out.yaml index 9187db9c87..eebadea67a 100644 
--- a/internal/gatewayapi/testdata/httproute-default-order-by-creation-date-and-route-name.out.yaml +++ b/internal/gatewayapi/testdata/httproute-default-order-by-creation-date-and-route-name.out.yaml @@ -44,8 +44,8 @@ httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: - creationTimestamp: "2025-07-10T20:43:53Z" - name: httproute-5 + creationTimestamp: "2025-07-12T20:47:53Z" + name: httproute-default namespace: default spec: hostnames: @@ -61,14 +61,7 @@ httpRoutes: matches: - path: type: PathPrefix - value: /route5 - - backendRefs: - - name: service-2 - port: 8080 - matches: - - path: - type: PathPrefix - value: /123 + value: / status: parents: - conditions: @@ -91,7 +84,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: "2025-07-12T20:47:53Z" - name: httproute-1 + name: httproute-3 namespace: default spec: hostnames: @@ -107,21 +100,7 @@ httpRoutes: matches: - path: type: PathPrefix - value: /route1 - - backendRefs: - - name: service-2 - port: 8080 - matches: - - path: - type: PathPrefix - value: /foobar - - backendRefs: - - name: service-3 - port: 8080 - matches: - - path: - type: PathPrefix - value: /bar + value: /route3 status: parents: - conditions: @@ -144,7 +123,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: "2025-07-12T20:47:53Z" - name: httproute-3 + name: httproute-1 namespace: default spec: hostnames: @@ -160,7 +139,21 @@ httpRoutes: matches: - path: type: PathPrefix - value: /route3 + value: /route1 + - backendRefs: + - name: service-2 + port: 8080 + matches: + - path: + type: PathPrefix + value: /foobar + - backendRefs: + - name: service-3 + port: 8080 + matches: + - path: + type: PathPrefix + value: /bar status: parents: - conditions: 
@@ -182,8 +175,8 @@ httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: - creationTimestamp: "2025-07-12T20:47:53Z" - name: httproute-default + creationTimestamp: "2025-07-10T20:43:53Z" + name: httproute-5 namespace: default spec: hostnames: @@ -199,7 +192,14 @@ httpRoutes: matches: - path: type: PathPrefix - value: / + value: /route5 + - backendRefs: + - name: service-2 + port: 8080 + matches: + - path: + type: PathPrefix + value: /123 status: parents: - conditions: @@ -370,9 +370,9 @@ xdsIR: - destination: metadata: kind: HTTPRoute - name: httproute-5 + name: httproute-3 namespace: default - name: httproute/default/httproute-5/rule/0 + name: httproute/default/httproute-3/rule/0 settings: - addressType: IP endpoints: @@ -382,20 +382,20 @@ xdsIR: name: service-1 namespace: default sectionName: "8080" - name: httproute/default/httproute-5/rule/0/backend/0 + name: httproute/default/httproute-3/rule/0/backend/0 protocol: HTTP weight: 1 hostname: gateway.envoyproxy.io isHTTP2: false metadata: kind: HTTPRoute - name: httproute-5 + name: httproute-3 namespace: default - name: httproute/default/httproute-5/rule/0/match/0/gateway_envoyproxy_io + name: httproute/default/httproute-3/rule/0/match/0/gateway_envoyproxy_io pathMatch: distinct: false name: "" - prefix: /route5 + prefix: /route3 - destination: metadata: kind: HTTPRoute @@ -457,9 +457,9 @@ xdsIR: - destination: metadata: kind: HTTPRoute - name: httproute-3 + name: httproute-5 namespace: default - name: httproute/default/httproute-3/rule/0 + name: httproute/default/httproute-5/rule/0 settings: - addressType: IP endpoints: 
@@ -469,20 +469,20 @@ xdsIR: name: service-1 namespace: default sectionName: "8080" - name: httproute/default/httproute-3/rule/0/backend/0 + name: httproute/default/httproute-5/rule/0/backend/0 protocol: HTTP weight: 1 hostname: gateway.envoyproxy.io isHTTP2: false metadata: kind: HTTPRoute - name: httproute-3 + name: httproute-5 namespace: default - name: httproute/default/httproute-3/rule/0/match/0/gateway_envoyproxy_io + name: httproute/default/httproute-5/rule/0/match/0/gateway_envoyproxy_io pathMatch: distinct: false name: "" - prefix: /route3 + prefix: /route5 - destination: metadata: kind: HTTPRoute 
@@ -546,61 +546,61 @@ xdsIR: - destination: metadata: kind: HTTPRoute - name: httproute-5 + name: httproute-1 namespace: default - name: httproute/default/httproute-5/rule/1 + name: httproute/default/httproute-1/rule/2 settings: - addressType: IP endpoints: - host: 7.7.7.7 port: 8080 metadata: - name: service-2 + name: service-3 namespace: default sectionName: "8080" - name: httproute/default/httproute-5/rule/1/backend/0 + name: httproute/default/httproute-1/rule/2/backend/0 protocol: HTTP weight: 1 hostname: gateway.envoyproxy.io isHTTP2: false metadata: kind: HTTPRoute - name: httproute-5 + name: httproute-1 namespace: default - name: httproute/default/httproute-5/rule/1/match/0/gateway_envoyproxy_io + name: httproute/default/httproute-1/rule/2/match/0/gateway_envoyproxy_io pathMatch: distinct: false name: "" - prefix: /123 + prefix: /bar - destination: metadata: kind: HTTPRoute - name: httproute-1 + name: httproute-5 namespace: default - name: httproute/default/httproute-1/rule/2 + name: httproute/default/httproute-5/rule/1 settings: - addressType: IP endpoints: - host: 7.7.7.7 port: 8080 metadata: - name: service-3 + name: service-2 namespace: default sectionName: "8080" - name: httproute/default/httproute-1/rule/2/backend/0 + name: httproute/default/httproute-5/rule/1/backend/0 protocol: HTTP weight: 1 hostname: gateway.envoyproxy.io isHTTP2: false metadata: kind: HTTPRoute - name: httproute-1 + name: httproute-5 namespace: default - name: httproute/default/httproute-1/rule/2/match/0/gateway_envoyproxy_io + name: httproute/default/httproute-5/rule/1/match/0/gateway_envoyproxy_io pathMatch: distinct: false name: "" - prefix: /bar + prefix: /123 - destination: metadata: kind: HTTPRoute diff --git a/internal/gatewayapi/testdata/httproute-order-by-creation-date.out.yaml b/internal/gatewayapi/testdata/httproute-order-by-creation-date.out.yaml index 9d8b357c28..e56365b365 100644 --- a/internal/gatewayapi/testdata/httproute-order-by-creation-date.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-order-by-creation-date.out.yaml @@ -44,9 +44,9 @@ httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: - creationTimestamp: "2025-04-04T20:47:53Z" - name: httproute-4 - namespace: test-ns2 + creationTimestamp: "2025-07-01T20:47:53Z" + name: httproute-3 + namespace: default spec: hostnames: - gateway.envoyproxy.io @@ -56,12 +56,12 @@ httpRoutes: sectionName: http rules: - backendRefs: - - name: test-service + - name: service-1 port: 8080 matches: - path: type: PathPrefix - value: /route4 + value: /route3 status: parents: - conditions: @@ -83,8 +83,8 @@ httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: - creationTimestamp: "2025-07-01T20:47:53Z" - name: httproute-3 + creationTimestamp: "2025-07-02T10:47:53Z" + name: httproute-1 namespace: default spec: hostnames: @@ -100,7 +100,14 @@ httpRoutes: matches: - path: type: PathPrefix - value: /route3 + value: /route1 + - backendRefs: + - name: service-2 + port: 8080 + matches: + - path: + type: PathPrefix + value: /foobar status: parents: - conditions: @@ -122,9 +129,9 @@ httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: - creationTimestamp: "2025-07-02T10:47:53Z" - name: httproute-1 - namespace: default + creationTimestamp: "2025-07-03T20:47:53Z" + name: httproute-2 + namespace: test-ns spec: hostnames: - gateway.envoyproxy.io @@ -134,19 +141,12 @@ httpRoutes: sectionName: http rules: - backendRefs: - - name: service-1 - port: 8080 - matches: - - path: - type: PathPrefix - value: /route1 - - backendRefs: - - name: service-2 + - name: test-service port: 8080 matches: - path: type: PathPrefix - value: /foobar + value: /route2 status: parents: - conditions: 
@@ -168,9 +168,9 @@ httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: - creationTimestamp: "2025-07-03T20:47:53Z" - name: httproute-2 - namespace: test-ns + creationTimestamp: "2025-04-04T20:47:53Z" + name: httproute-4 + namespace: test-ns2 spec: hostnames: - gateway.envoyproxy.io @@ -185,7 +185,7 @@ httpRoutes: matches: - path: type: PathPrefix - value: /route2 + value: /route4 status: parents: - conditions: @@ -261,36 +261,6 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - metadata: - kind: HTTPRoute - name: httproute-4 - namespace: test-ns2 - name: httproute/test-ns2/httproute-4/rule/0 - settings: - - addressType: IP - endpoints: - - host: 8.8.8.8 - port: 8080 - metadata: - kind: Service - name: test-service - namespace: test-ns2 - sectionName: "8080" - name: httproute/test-ns2/httproute-4/rule/0/backend/0 - protocol: HTTP - weight: 1 - hostname: gateway.envoyproxy.io - isHTTP2: false - metadata: - kind: HTTPRoute - name: httproute-4 - namespace: test-ns2 - name: httproute/test-ns2/httproute-4/rule/0/match/0/gateway_envoyproxy_io - pathMatch: - distinct: false - name: "" - prefix: /route4 - destination: metadata: kind: HTTPRoute @@ -408,6 +378,36 @@ xdsIR: distinct: false name: "" prefix: /route2 + - destination: + metadata: + kind: HTTPRoute + name: httproute-4 + namespace: test-ns2 + name: httproute/test-ns2/httproute-4/rule/0 + settings: + - addressType: IP + endpoints: + - host: 8.8.8.8 + port: 8080 + metadata: + kind: Service + name: test-service + namespace: test-ns2 + sectionName: "8080" + name: httproute/test-ns2/httproute-4/rule/0/backend/0 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-4 + namespace: test-ns2 + name: httproute/test-ns2/httproute-4/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /route4 readyListener: address: 0.0.0.0 ipFamily: IPv4 
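Review bot: The expected output in `httproute-order-by-creation-date.out.yaml` no longer lists routes by creation date. `httproute-4` (`creationTimestamp: "2025-04-04T20:47:53Z"`, the oldest) moves from first to after `httproute-2` in `httpRoutes`, and its `/route4` entry moves behind `/route2` in the xdsIR `routes` list. If that is intended, the fixture name is now misleading and the precedence the test pins is not stated anywhere visible; a header comment in the matching input file such as `# expected order: <ordering rule>; creationTimestamp only breaks ties between equal matches` (with the real rule filled in) would make it reviewable. Route order decides which rule wins when matches overlap, so the tie-break should be explicit rather than implied by a regenerated golden file. The ordering code is outside these hunks, so the rule is inferred from the output only.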
diff --git a/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml b/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml index c9e04c9364..cb5ce12761 100644 --- a/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml @@ -95,7 +95,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: direct-response-too-long + name: direct-response-with-value-not-found namespace: default spec: parentRefs: @@ -107,25 +107,24 @@ httpRoutes: - extensionRef: group: gateway.envoyproxy.io kind: HTTPRouteFilter - name: direct-response-too-long + name: direct-response-value-ref-not-found type: ExtensionRef matches: - path: type: PathPrefix - value: /too-long + value: /value-ref-not-found status: parents: - conditions: - lastTransitionTime: null - message: 'Invalid filter HTTPRouteFilter: response.body size 4097 greater - than the max size 4096' + message: 'Unable to translate HTTPRouteFilter: default/direct-response-value-ref-not-found' reason: UnsupportedValue status: "False" type: Accepted - lastTransitionTime: null - message: Resolved all the Object references for the Route - reason: ResolvedRefs - status: "True" + message: 'Unable to translate HTTPRouteFilter: default/direct-response-value-ref-not-found' + reason: BackendNotFound + status: "False" type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: @@ -136,7 +135,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: direct-response-with-value-not-found + name: direct-response-too-long namespace: default spec: parentRefs: 
@@ -148,24 +147,25 @@ httpRoutes: - extensionRef: group: gateway.envoyproxy.io kind: HTTPRouteFilter - name: direct-response-value-ref-not-found + name: direct-response-too-long type: ExtensionRef matches: - path: type: PathPrefix - value: /value-ref-not-found + value: /too-long status: parents: - conditions: - lastTransitionTime: null - message: 'Unable to translate HTTPRouteFilter: default/direct-response-value-ref-not-found' + message: 'Invalid filter HTTPRouteFilter: response.body size 4097 greater + than the max size 4096' reason: UnsupportedValue status: "False" type: Accepted - lastTransitionTime: null - message: 'Unable to translate HTTPRouteFilter: default/direct-response-value-ref-not-found' - reason: BackendNotFound - status: "False" + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: diff --git a/internal/gatewayapi/testdata/httproute-with-multi-gateways-with-same-name.out.yaml b/internal/gatewayapi/testdata/httproute-with-multi-gateways-with-same-name.out.yaml index e6a97841e4..c82e841f5d 100644 --- a/internal/gatewayapi/testdata/httproute-with-multi-gateways-with-same-name.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-multi-gateways-with-same-name.out.yaml @@ -4,7 +4,7 @@ gateways: metadata: creationTimestamp: null name: gateway-1 - namespace: default + namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class listeners: @@ -16,7 +16,7 @@ gateways: protocol: HTTP status: listeners: - - attachedRoutes: 1 + - attachedRoutes: 0 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane @@ -44,7 +44,7 @@ gateways: metadata: creationTimestamp: null name: gateway-1 - namespace: envoy-gateway + namespace: default spec: gatewayClassName: envoy-gateway-class listeners: 
@@ -56,7 +56,7 @@ gateways: protocol: HTTP status: listeners: - - attachedRoutes: 0 + - attachedRoutes: 1 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml index daf5461c08..965549a901 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml @@ -45,7 +45,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: httproute-header-and-backend-host-rewrites + name: httproute-invalid-header namespace: default spec: hostnames: @@ -62,21 +62,16 @@ httpRoutes: - extensionRef: group: gateway.envoyproxy.io kind: HTTPRouteFilter - name: valid-header - type: ExtensionRef - - extensionRef: - group: gateway.envoyproxy.io - kind: HTTPRouteFilter - name: valid-header + name: invalid-header type: ExtensionRef matches: - path: - value: /header-and-backend + value: /invalid-header status: parents: - conditions: - lastTransitionTime: null - message: Cannot configure multiple urlRewrite filters for a single HTTPRouteRule + message: Header must be set when rewrite path type is "Header" reason: UnsupportedValue status: "False" type: Accepted @@ -94,7 +89,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: httproute-invalid-header + name: httproute-multiple-host-rewrites-1 namespace: default spec: hostnames: 
@@ -111,16 +106,19 @@ httpRoutes: - extensionRef: group: gateway.envoyproxy.io kind: HTTPRouteFilter - name: invalid-header + name: valid-header type: ExtensionRef + - type: URLRewrite + urlRewrite: + hostname: rewrite.com matches: - path: - value: /invalid-header + value: /ext-first status: parents: - conditions: - lastTransitionTime: null - message: Header must be set when rewrite path type is "Header" + message: Cannot configure multiple urlRewrite filters for a single HTTPRouteRule reason: UnsupportedValue status: "False" type: Accepted @@ -138,7 +136,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: httproute-multiple-header-host-rewrites + name: httproute-multiple-path-rewrites-2 namespace: default spec: hostnames: @@ -152,19 +150,17 @@ httpRoutes: - name: service-1 port: 8080 filters: + - type: URLRewrite + urlRewrite: + hostname: rewrite.com - extensionRef: group: gateway.envoyproxy.io kind: HTTPRouteFilter name: valid-header type: ExtensionRef - - extensionRef: - group: gateway.envoyproxy.io - kind: HTTPRouteFilter - name: valid-header-2 - type: ExtensionRef matches: - path: - value: /two-headers + value: /inline-first status: parents: - conditions: @@ -204,16 +200,16 @@ httpRoutes: - extensionRef: group: gateway.envoyproxy.io kind: HTTPRouteFilter - name: valid-backend + name: valid-header type: ExtensionRef - extensionRef: group: gateway.envoyproxy.io kind: HTTPRouteFilter - name: valid-backend-2 + name: valid-header-2 type: ExtensionRef matches: - path: - value: /two-backends + value: /two-headers status: parents: - conditions: @@ -236,7 +232,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: httproute-multiple-host-rewrites-1 + name: httproute-multiple-header-host-rewrites namespace: default spec: hostnames: 
@@ -253,14 +249,16 @@ httpRoutes: - extensionRef: group: gateway.envoyproxy.io kind: HTTPRouteFilter - name: valid-header + name: valid-backend + type: ExtensionRef + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-backend-2 type: ExtensionRef - - type: URLRewrite - urlRewrite: - hostname: rewrite.com matches: - path: - value: /ext-first + value: /two-backends status: parents: - conditions: @@ -283,7 +281,7 @@ httpRoutes: kind: HTTPRoute metadata: creationTimestamp: null - name: httproute-multiple-path-rewrites-2 + name: httproute-header-and-backend-host-rewrites namespace: default spec: hostnames: @@ -297,9 +295,11 @@ httpRoutes: - name: service-1 port: 8080 filters: - - type: URLRewrite - urlRewrite: - hostname: rewrite.com + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + type: ExtensionRef - extensionRef: group: gateway.envoyproxy.io kind: HTTPRouteFilter @@ -307,7 +307,7 @@ httpRoutes: type: ExtensionRef matches: - path: - value: /inline-first + value: /header-and-backend status: parents: - conditions: diff --git a/internal/gatewayapi/testdata/securitypolicy-status-conditions-truncated.out.yaml b/internal/gatewayapi/testdata/securitypolicy-status-conditions-truncated.out.yaml index 944b880545..fe6b02f656 100644 --- a/internal/gatewayapi/testdata/securitypolicy-status-conditions-truncated.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-status-conditions-truncated.out.yaml @@ -43,7 +43,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-10 + name: gateway-2 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -83,7 +83,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-11 + name: gateway-3 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class 
@@ -123,7 +123,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-12 + name: gateway-4 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -163,7 +163,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-13 + name: gateway-5 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -203,7 +203,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-14 + name: gateway-6 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -243,7 +243,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-15 + name: gateway-7 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -283,7 +283,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-16 + name: gateway-8 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -323,7 +323,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-17 + name: gateway-9 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -363,7 +363,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-18 + name: gateway-10 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -403,7 +403,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-2 + name: gateway-11 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -443,7 +443,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-3 + name: gateway-12 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -483,7 +483,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-4 + name: gateway-13 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class 
@@ -523,7 +523,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-5 + name: gateway-14 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -563,7 +563,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-6 + name: gateway-15 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -603,7 +603,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-7 + name: gateway-16 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -643,7 +643,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-8 + name: gateway-17 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -683,7 +683,7 @@ gateways: kind: Gateway metadata: creationTimestamp: null - name: gateway-9 + name: gateway-18 namespace: envoy-gateway spec: gatewayClassName: envoy-gateway-class @@ -1970,13 +1970,13 @@ securityPolicies: kind: SecurityPolicy metadata: creationTimestamp: null - name: target-httproute-with-accepted-truncated-ancestors + name: target-httproute-with-attachment-conflict-truncated-ancestors namespace: envoy-gateway spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute - name: httproute-1 + name: httproute-2 status: ancestors: - ancestorRef: @@ -1986,9 +1986,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -1998,9 +1999,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2010,9 +2012,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2022,9 +2025,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2034,9 +2038,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -2046,9 +2051,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2058,9 +2064,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2070,9 +2077,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2082,9 +2090,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -2094,9 +2103,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2106,9 +2116,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2118,9 +2129,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2130,9 +2142,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -2142,9 +2155,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2154,9 +2168,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2166,9 +2181,10 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted - lastTransitionTime: null message: 'Ancestors have been aggregated because the number of policy ancestors @@ -2181,13 +2197,13 @@ securityPolicies: kind: SecurityPolicy metadata: creationTimestamp: null - name: target-httproute-with-attachment-conflict-truncated-ancestors + name: target-httproute-with-accepted-truncated-ancestors namespace: envoy-gateway spec: - targetRefs: - - group: gateway.networking.k8s.io + targetRef: + group: gateway.networking.k8s.io kind: HTTPRoute - name: httproute-2 + name: httproute-1 status: ancestors: - ancestorRef: 
@@ -2197,10 +2213,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2210,10 +2225,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2223,10 +2237,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2236,10 +2249,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -2249,10 +2261,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2262,10 +2273,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2275,10 +2285,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2288,10 +2297,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -2301,10 +2309,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2314,10 +2321,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2327,10 +2333,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2340,10 +2345,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: 
@@ -2353,10 +2357,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2366,10 +2369,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2379,10 +2381,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: @@ -2392,10 +2393,9 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-2, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted - lastTransitionTime: null message: 'Ancestors have been aggregated because the number of policy ancestors diff --git a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml index 18deec7203..d4e2a2af4a 100644 --- a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml 
+++ b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml @@ -255,9 +255,13 @@ securityPolicies: kind: SecurityPolicy metadata: creationTimestamp: null - name: also-target-httproute-in-gateway-1 + name: target-httproute-in-gateway-1 namespace: envoy-gateway spec: + cors: + allowOrigins: + - http://*.example.com + maxAge: 1000s targetRef: group: gateway.networking.k8s.io kind: HTTPRoute @@ -280,36 +284,33 @@ securityPolicies: kind: SecurityPolicy metadata: creationTimestamp: null - name: target-grpcroute-in-gateway-2 + name: also-target-httproute-in-gateway-1 namespace: envoy-gateway spec: - cors: - allowOrigins: - - http://*.example.com - maxAge: 1000s targetRef: group: gateway.networking.k8s.io - kind: GRPCRoute - name: grpcroute-1 + kind: HTTPRoute + name: httproute-1 status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-2 + name: gateway-1 namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: Unable to target HTTPRoute httproute-1, another SecurityPolicy has + already attached to it + reason: Conflicted + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: SecurityPolicy metadata: creationTimestamp: null - name: target-httproute-in-gateway-1 + name: target-grpcroute-in-gateway-2 namespace: envoy-gateway spec: cors: 
@@ -318,21 +319,20 @@ securityPolicies: maxAge: 1000s targetRef: group: gateway.networking.k8s.io - kind: HTTPRoute - name: httproute-1 + kind: GRPCRoute + name: grpcroute-1 status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-1 + name: gateway-2 namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Unable to target HTTPRoute httproute-1, another SecurityPolicy has - already attached to it - reason: Conflicted - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - apiVersion: gateway.envoyproxy.io/v1alpha1 @@ -453,7 +453,13 @@ xdsIR: distinct: false name: "" prefix: / - security: {} + security: + cors: + allowOrigins: + - distinct: false + name: "" + safeRegex: http://.*\.example\.com + maxAge: 16m40s readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-local-jwks.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-local-jwks.out.yaml index 4ea604b714..254581dace 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-local-jwks.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-local-jwks.out.yaml @@ -296,7 +296,7 @@ securityPolicies: kind: SecurityPolicy metadata: creationTimestamp: null - name: securitypolicy-with-jwt-local-jwks-valueref-missing-configmap + name: securitypolicy-with-jwt-local-jwks-valueref-missing-key namespace: default spec: jwt: @@ -307,12 +307,12 @@ securityPolicies: valueRef: group: "" kind: ConfigMap - name: example3-jwks + name: example2-jwks name: example2 targetRef: group: gateway.networking.k8s.io kind: HTTPRoute - name: httproute-4 + name: httproute-3 status: ancestors: - ancestorRef: 
@@ -323,16 +323,16 @@ securityPolicies: sectionName: http conditions: - lastTransitionTime: null - message: 'JWT: local JWKS ConfigMap default/example3-jwks not found.' - reason: Invalid - status: "False" + message: Policy has been accepted. + reason: Accepted + status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: SecurityPolicy metadata: creationTimestamp: null - name: securitypolicy-with-jwt-local-jwks-valueref-missing-key + name: securitypolicy-with-jwt-local-jwks-valueref-missing-configmap namespace: default spec: jwt: @@ -343,12 +343,12 @@ securityPolicies: valueRef: group: "" kind: ConfigMap - name: example2-jwks + name: example3-jwks name: example2 targetRef: group: gateway.networking.k8s.io kind: HTTPRoute - name: httproute-3 + name: httproute-4 status: ancestors: - ancestorRef: @@ -359,9 +359,9 @@ securityPolicies: sectionName: http conditions: - lastTransitionTime: null - message: Policy has been accepted. - reason: Accepted - status: "True" + message: 'JWT: local JWKS ConfigMap default/example3-jwks not found.' + reason: Invalid + status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller xdsIR: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml index 7f0d4acc75..49e5b480de 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml 
@@ -182,16 +182,16 @@ securityPolicies: kind: SecurityPolicy metadata: creationTimestamp: null - name: policy-no-client-secret-key + name: policy-non-exist-secretRef namespace: default + uid: b8284d0f-de82-4c65-b204-96a0d3f258a1 spec: oidc: clientID: client1.apps.googleusercontent.com clientSecret: group: null kind: null - name: client3-secret - namespace: default + name: client1-secret provider: authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth issuer: https://accounts.google.com @@ -199,17 +199,17 @@ securityPolicies: targetRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-3 + name: gateway-1 status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-3 + name: gateway-1 namespace: default conditions: - lastTransitionTime: null - message: 'OIDC: client secret not found in secret default/client3-secret.' + message: 'OIDC: secret default/client1-secret does not exist.' reason: Invalid status: "False" type: Accepted @@ -255,16 +255,16 @@ securityPolicies: kind: SecurityPolicy metadata: creationTimestamp: null - name: policy-non-exist-secretRef + name: policy-no-client-secret-key namespace: default - uid: b8284d0f-de82-4c65-b204-96a0d3f258a1 spec: oidc: clientID: client1.apps.googleusercontent.com clientSecret: group: null kind: null - name: client1-secret + name: client3-secret + namespace: default provider: authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth issuer: https://accounts.google.com 
@@ -272,17 +272,17 @@ securityPolicies: targetRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-1 + name: gateway-3 status: ancestors: - ancestorRef: group: gateway.networking.k8s.io kind: Gateway - name: gateway-1 + name: gateway-3 namespace: default conditions: - lastTransitionTime: null - message: 'OIDC: secret default/client1-secret does not exist.' + message: 'OIDC: client secret not found in secret default/client3-secret.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/tls.go b/internal/gatewayapi/tls.go index 74857b15ae..9d7d864fce 100644 --- a/internal/gatewayapi/tls.go +++ b/internal/gatewayapi/tls.go @@ -12,17 +12,16 @@ import ( "time" corev1 "k8s.io/api/core/v1" - gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" ) // validateTLSSecretData ensures the cert and key provided in a secret // is not malformed and can be properly parsed -func validateTLSSecretsData(secrets []*corev1.Secret, host *gwapiv1.Hostname) ([]*x509.Certificate, error) { +func validateTLSSecretsData(secrets []*corev1.Secret) ([]*x509.Certificate, error) { var publicKeyAlgorithm string var certs []*x509.Certificate var parseErr error - pkaSecretSet := make(map[string][]string) + pkaSecretSet := make(map[string]string) for _, secret := range secrets { certData := secret.Data[corev1.TLSCertKey] 
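Review bot: The doc comment above `validateTLSSecretsData` is left unchanged although the `host` parameter is dropped here, so nothing at the declaration tells a caller that the listener hostname is no longer compared with the certificate. It also names the function `validateTLSSecretData`, without the `s`. I would reword it to `// validateTLSSecretsData ensures the cert and key in each secret are well formed and can be parsed; it does not check that the certificate covers the listener hostname.` Separately, in the visible hunks the values of `pkaSecretSet` are only tested for presence, so `map[string]struct{}` would state the intent better than `map[string]string`. The function body continues outside this hunk.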
@@ -48,18 +47,29 @@ func validateTLSSecretsData(secrets []*corev1.Secret, host *gwapiv1.Hostname) ([ return nil, fmt.Errorf("%s/%s must contain valid %s and %s, unable to decode pem data in %s", secret.Namespace, secret.Name, corev1.TLSCertKey, corev1.TLSPrivateKeyKey, corev1.TLSPrivateKeyKey) } - matchedFQDN, err := verifyHostname(cert, host) - if err != nil { - return nil, fmt.Errorf("%s/%s must contain valid %s and %s, hostname %s does not match Common Name or DNS Names in the certificate %s", secret.Namespace, secret.Name, corev1.TLSCertKey, corev1.TLSPrivateKeyKey, string(*host), corev1.TLSCertKey) + // SNI and SAN/Cert Domain mismatch is allowed + // Consider converting this into a warning once + // https://github.com/envoyproxy/gateway/issues/6717 is in + + // Extract certificate domains (SANs or CN) for uniqueness checking + var certDomains []string + if len(cert.DNSNames) > 0 { + certDomains = cert.DNSNames + } else if cert.Subject.CommonName != "" { + certDomains = []string{cert.Subject.CommonName} } - pkaSecretKey := fmt.Sprintf("%s/%s", publicKeyAlgorithm, matchedFQDN) - // Check whether the public key algorithm and matched certificate FQDN in the referenced secrets are unique. 
- if matchedFQDN, ok := pkaSecretSet[pkaSecretKey]; ok { - return nil, fmt.Errorf("%s/%s public key algorithm must be unique, matched certificate FQDN %s has a conflicting algorithm [%s]", - secret.Namespace, secret.Name, matchedFQDN, publicKeyAlgorithm) + // Check uniqueness for each domain in the certificate with this algorithm + for _, domain := range certDomains { + pkaSecretKey := fmt.Sprintf("%s/%s", publicKeyAlgorithm, domain) + + // Check whether the public key algorithm and certificate domain are unique + if _, ok := pkaSecretSet[pkaSecretKey]; ok { + return nil, fmt.Errorf("%s/%s public key algorithm must be unique, certificate domain %s has a conflicting algorithm [%s]", + secret.Namespace, secret.Name, domain, publicKeyAlgorithm) + } + pkaSecretSet[pkaSecretKey] = domain } - pkaSecretSet[pkaSecretKey] = matchedFQDN switch keyBlock.Type { case "PRIVATE KEY": @@ -86,26 +96,6 @@ func validateTLSSecretsData(secrets []*corev1.Secret, host *gwapiv1.Hostname) ([ return certs, parseErr } -// verifyHostname checks if the listener Hostname matches any domain in the certificate, returns a list of matched hosts. -func verifyHostname(cert *x509.Certificate, host *gwapiv1.Hostname) ([]string, error) { - var matchedHosts []string - - listenerContext := ListenerContext{ - Listener: &gwapiv1.Listener{Hostname: host}, - } - if len(cert.DNSNames) > 0 { - matchedHosts = computeHosts(cert.DNSNames, &listenerContext) - } else { - matchedHosts = computeHosts([]string{cert.Subject.CommonName}, &listenerContext) - } - - if len(matchedHosts) > 0 { - return matchedHosts, nil - } - - return nil, x509.HostnameError{Certificate: cert, Host: string(*host)} -} - func validateCertificate(data []byte) error { block, _ := pem.Decode(data) if block == nil { diff --git a/internal/gatewayapi/tls_test.go b/internal/gatewayapi/tls_test.go index 07e68e5f5a..901bbe2685 100644 --- a/internal/gatewayapi/tls_test.go +++ b/internal/gatewayapi/tls_test.go 
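Review bot: The new uniqueness loop compares certificate domains as raw strings, so two secrets with the same key algorithm whose SANs differ only in letter case are not reported as conflicting, although DNS names are case-insensitive. Building the key from a lower-cased domain, `pkaSecretKey := fmt.Sprintf("%s/%s", publicKeyAlgorithm, strings.ToLower(domain))`, would close that, assuming `strings` is or can be imported in tls.go. A certificate with no DNS names and an empty Common Name leaves `certDomains` empty and so skips the check entirely; a one-line comment saying whether that is intended would help. Since the listener hostname is no longer compared, the comment block should also state that a certificate not covering the listener hostname is accepted here without any status signal until the linked issue is resolved. The enclosing function starts and ends outside this hunk.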
@@ -149,20 +149,13 @@ func TestValidateTLSSecretsData(t *testing.T) { Domain: "*", ExpectedErr: errors.New("test/secret must contain valid tls.crt and tls.key, FOO key format found in tls.key, supported formats are PKCS1, PKCS8 or EC"), }, - { - Name: "invalid-domain-cert", - CertFile: "rsa-cert-san.pem", - KeyFile: "rsa-pkcs8-san.key", - Domain: "*.example.com", - ExpectedErr: errors.New("test/secret must contain valid tls.crt and tls.key, hostname *.example.com does not match Common Name or DNS Names in the certificate tls.crt"), - }, } for _, tc := range testCases { t.Run(tc.Name, func(t *testing.T) { secrets := createTestSecrets(t, tc.CertFile, tc.KeyFile) require.NotNil(t, secrets) - _, err := validateTLSSecretsData(secrets, &tc.Domain) + _, err := validateTLSSecretsData(secrets) if tc.ExpectedErr == nil { require.NoError(t, err) } else { diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go index c17c84460b..e19e24348d 100644 --- a/internal/gatewayapi/translator.go +++ b/internal/gatewayapi/translator.go @@ -7,8 +7,6 @@ package gatewayapi import ( "errors" - "fmt" - "sort" "golang.org/x/exp/maps" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" 
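Review bot: No case in the visible table covers the behaviour this commit introduces in `validateTLSSecretsData`. The removed `invalid-domain-cert` case is not replaced by one asserting that a certificate whose SANs do not match the listener hostname is now accepted, and nothing here exercises the per-domain duplicate check across two secrets with the same key algorithm. The `Domain` field still set in the remaining cases (for example `Domain: "*"`) appears to be unused now that the call is `validateTLSSecretsData(secrets)`; if so, it can be dropped from the table. The test function and its table start outside this hunk.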
@@ -169,19 +167,7 @@ func (t *Translator) Translate(resources *resource.Resources) (*TranslateResult, // Get Gateways belonging to our GatewayClass. acceptedGateways, failedGateways := t.GetRelevantGateways(resources) - // Sort gateways based on timestamp. - // Initially, acceptedGateways sort by creation timestamp - // or sort alphabetically by “{namespace}/{name}” if multiple gateways share same timestamp. - sort.Slice(acceptedGateways, func(i, j int) bool { - if acceptedGateways[i].CreationTimestamp.Equal(&(acceptedGateways[j].CreationTimestamp)) { - gatewayKeyI := fmt.Sprintf("%s/%s", acceptedGateways[i].Namespace, acceptedGateways[i].Name) - gatewayKeyJ := fmt.Sprintf("%s/%s", acceptedGateways[j].Namespace, acceptedGateways[j].Name) - return gatewayKeyI < gatewayKeyJ - } - // Not identical CreationTimestamps - - return acceptedGateways[i].CreationTimestamp.Before(&(acceptedGateways[j].CreationTimestamp)) - }) + // Gateways are already sorted by the provider layer // Build IR maps. xdsIR, infraIR := t.InitIRs(acceptedGateways) diff --git a/internal/gatewayapi/translator_test.go b/internal/gatewayapi/translator_test.go index 11b2a73312..40293977c8 100644 --- a/internal/gatewayapi/translator_test.go +++ b/internal/gatewayapi/translator_test.go 
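Review bot: Translate now relies on its caller for gateway ordering, but the replacement comment `// Gateways are already sorted by the provider layer` does not say what enforces that or why it matters. The expected-output changes elsewhere in this commit suggest that order decides which of two conflicting SecurityPolicies is accepted, so a caller that builds the resources without sorting them would change policy outcomes silently. I would spell the contract out, for example `// Callers must pass resources that are already sorted (the Kubernetes provider calls gwcResources.Sort() before storing them); the translation output depends on that order.` Translate's body continues outside this hunk.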
@@ -373,8 +373,15 @@ func TestTranslate(t *testing.T) { } else { for _, g := range resources.Gateways { gSvc := svc - // Matches proxy.ExpectedResourceHashedName() - gSvc.Name = fmt.Sprintf("%s-%s", config.EnvoyPrefix, utils.GetHashedName(fmt.Sprintf("%s/%s", g.Namespace, g.Name), 48)) + if gatewayNamespaceMode { + // In gateway namespace mode, the service name is the same as the gateway name + // and the namespace is the gateway namespace. + gSvc.Name = g.Name + gSvc.Namespace = g.Namespace + } else { + gSvc.Name = fmt.Sprintf("%s-%s", config.EnvoyPrefix, utils.GetHashedName(fmt.Sprintf("%s/%s", g.Namespace, g.Name), 48)) + } + gSvc.Labels[OwningGatewayNameLabel] = g.Name gSvc.Labels[OwningGatewayNamespaceLabel] = g.Namespace gEndPtSlice := endPtSlice @@ -416,7 +423,6 @@ func TestTranslate(t *testing.T) { opts := []cmp.Option{ cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"), - cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"), cmp.Transformer("ClearXdsEqual", xdsWithoutEqual), cmpopts.IgnoreTypes(ir.PrivateBytes{}), cmpopts.EquateEmpty(), @@ -695,7 +701,6 @@ func TestTranslateWithExtensionKinds(t *testing.T) { opts := []cmp.Option{ cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"), - cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"), } require.Empty(t, cmp.Diff(want, got, opts...)) }) diff --git a/internal/gatewayapi/validate.go b/internal/gatewayapi/validate.go index c0f324dc9f..76f30f76a0 100644 --- a/internal/gatewayapi/validate.go +++ b/internal/gatewayapi/validate.go @@ -460,7 +460,7 @@ func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerCon secrets = append(secrets, secret) } - certs, err := validateTLSSecretsData(secrets, listener.Hostname) + certs, err := validateTLSSecretsData(secrets) if err != nil { status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, 
diff --git a/internal/infrastructure/host/proxy_infra.go b/internal/infrastructure/host/proxy_infra.go index 229fdcd1c3..690ffc1736 100644 --- a/internal/infrastructure/host/proxy_infra.go +++ b/internal/infrastructure/host/proxy_infra.go @@ -73,7 +73,9 @@ func (i *Infra) CreateOrUpdateProxyInfra(ctx context.Context, infra *ir.Infra) e AdminServerPort: ptr.To(int32(0)), StatsServerPort: ptr.To(int32(0)), } - + if i.EnvoyGateway != nil { + bootstrapConfigOptions.TopologyInjectorDisabled = i.EnvoyGateway.TopologyInjectorDisabled() + } args, err := common.BuildProxyArgs(proxyInfra, proxyConfig.Spec.Shutdown, bootstrapConfigOptions, proxyName, false) if err != nil { return err diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go index ace4dcba0a..285b5bb5d1 100644 --- a/internal/infrastructure/kubernetes/proxy/resource.go +++ b/internal/infrastructure/kubernetes/proxy/resource.go @@ -77,6 +77,7 @@ func enablePrometheus(infra *ir.ProxyInfra) bool { func expectedProxyContainers(infra *ir.ProxyInfra, containerSpec *egv1a1.KubernetesContainerSpec, shutdownConfig *egv1a1.ShutdownConfig, shutdownManager *egv1a1.ShutdownManager, + topologyInjectorDisabled bool, controllerNamespace, dnsDomain string, gatewayNamespaceMode bool, ) ([]corev1.Container, error) { ports := make([]corev1.ContainerPort, 0, 2) @@ -101,6 +102,7 @@ func expectedProxyContainers(infra *ir.ProxyInfra, } maxHeapSizeBytes := calculateMaxHeapSizeBytes(containerSpec.Resources) + // Get the default Bootstrap bootstrapConfigOptions := &bootstrap.RenderBootstrapConfigOptions{ ProxyMetrics: proxyMetrics, 
@@ -108,8 +110,9 @@ func expectedProxyContainers(infra *ir.ProxyInfra, Certificate: filepath.Join("/sds", common.SdsCertFilename), TrustedCA: filepath.Join("/sds", common.SdsCAFilename), }, - MaxHeapSizeBytes: maxHeapSizeBytes, - XdsServerHost: ptr.To(fmt.Sprintf("%s.%s.svc.%s.", config.EnvoyGatewayServiceName, controllerNamespace, dnsDomain)), + MaxHeapSizeBytes: maxHeapSizeBytes, + XdsServerHost: ptr.To(fmt.Sprintf("%s.%s.svc.%s.", config.EnvoyGatewayServiceName, controllerNamespace, dnsDomain)), + TopologyInjectorDisabled: topologyInjectorDisabled, } args, err := common.BuildProxyArgs(infra, shutdownConfig, bootstrapConfigOptions, fmt.Sprintf("$(%s)", envoyPodEnvVar), gatewayNamespaceMode) diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go index a7c1739778..e4fada02a7 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go @@ -62,6 +62,8 @@ type ResourceRender struct { ShutdownManager *egv1a1.ShutdownManager + TopologyInjectorDisabled bool + GatewayNamespaceMode bool // ownerReferenceUID store the uid of its owner reference. Key is the kind of owner resource. 
@@ -86,13 +88,14 @@ func NewResourceRender(ctx context.Context, kubeInfra KubernetesInfraProvider, i } return &ResourceRender{ - envoyNamespace: kubeInfra.GetResourceNamespace(infra), - controllerNamespace: kubeInfra.GetControllerNamespace(), - DNSDomain: kubeInfra.GetDNSDomain(), - infra: infra.GetProxyInfra(), - ShutdownManager: kubeInfra.GetEnvoyGateway().GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().ShutdownManager, - GatewayNamespaceMode: kubeInfra.GetEnvoyGateway().GatewayNamespaceMode(), - ownerReferenceUID: ownerReference, + envoyNamespace: kubeInfra.GetResourceNamespace(infra), + controllerNamespace: kubeInfra.GetControllerNamespace(), + DNSDomain: kubeInfra.GetDNSDomain(), + infra: infra.GetProxyInfra(), + ShutdownManager: kubeInfra.GetEnvoyGateway().GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().ShutdownManager, + TopologyInjectorDisabled: kubeInfra.GetEnvoyGateway().TopologyInjectorDisabled(), + GatewayNamespaceMode: kubeInfra.GetEnvoyGateway().GatewayNamespaceMode(), + ownerReferenceUID: ownerReference, }, nil } @@ -366,7 +369,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { } // Get expected bootstrap configurations rendered ProxyContainers - containers, err := expectedProxyContainers(r.infra, deploymentConfig.Container, proxyConfig.Spec.Shutdown, r.ShutdownManager, r.ControllerNamespace(), r.DNSDomain, r.GatewayNamespaceMode) + containers, err := expectedProxyContainers(r.infra, deploymentConfig.Container, proxyConfig.Spec.Shutdown, r.ShutdownManager, r.TopologyInjectorDisabled, r.ControllerNamespace(), r.DNSDomain, r.GatewayNamespaceMode) if err != nil { return nil, err } 
@@ -456,7 +459,7 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { } // Get expected bootstrap configurations rendered ProxyContainers - containers, err := expectedProxyContainers(r.infra, daemonSetConfig.Container, proxyConfig.Spec.Shutdown, r.ShutdownManager, r.ControllerNamespace(), r.DNSDomain, r.GatewayNamespaceMode) + containers, err := expectedProxyContainers(r.infra, daemonSetConfig.Container, proxyConfig.Spec.Shutdown, r.ShutdownManager, r.TopologyInjectorDisabled, r.ControllerNamespace(), r.DNSDomain, r.GatewayNamespaceMode) if err != nil { return nil, err } diff --git a/internal/ir/infra.go b/internal/ir/infra.go index f4c95bd335..ef793f399e 100644 --- a/internal/ir/infra.go +++ b/internal/ir/infra.go @@ -6,13 +6,10 @@ package ir import ( - "cmp" "encoding/json" "errors" "fmt" - "reflect" - "golang.org/x/exp/slices" utilerrors "k8s.io/apimachinery/pkg/util/errors" "sigs.k8s.io/yaml" @@ -249,20 +246,3 @@ func (p *ProxyInfra) ObjectName() string { } return "envoy-" + p.Name } - -// Equal implements the Comparable interface used by watchable.DeepEqual to skip unnecessary updates. -func (p *ProxyInfra) Equal(y *ProxyInfra) bool { - // Deep copy to avoid modifying the original ordering. - p = p.DeepCopy() - p.sort() - y = y.DeepCopy() - y.sort() - return reflect.DeepEqual(p, y) -} - -// sort ensures the listeners are in a consistent order. -func (p *ProxyInfra) sort() { - slices.SortFunc(p.Listeners, func(l1, l2 *ProxyListener) int { - return cmp.Compare(l1.Name, l2.Name) - }) -} diff --git a/internal/ir/infra_test.go b/internal/ir/infra_test.go index 92781e06c6..ce5fd4d577 100644 --- a/internal/ir/infra_test.go +++ b/internal/ir/infra_test.go @@ -8,7 +8,6 @@ package ir import ( "testing" - "github.com/google/go-cmp/cmp" "github.com/stretchr/testify/require" ) 
@@ -208,35 +207,3 @@ func TestObjectName(t *testing.T) { }) } } - -func TestEqualInfra(t *testing.T) { - tests := []struct { - desc string - a *ProxyInfra - b *ProxyInfra - equal bool - }{ - { - desc: "out of order proxy listeners are equal", - a: &ProxyInfra{ - Listeners: []*ProxyListener{ - {Name: "listener-1"}, - {Name: "listener-2"}, - }, - }, - b: &ProxyInfra{ - Listeners: []*ProxyListener{ - {Name: "listener-2"}, - {Name: "listener-1"}, - }, - }, - equal: true, - }, - } - - for _, tc := range tests { - t.Run(tc.desc, func(t *testing.T) { - require.Equal(t, tc.equal, cmp.Equal(tc.a, tc.b)) - }) - } -} diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 4b6f242882..b7514a535d 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -6,7 +6,6 @@ package ir import ( - "cmp" "crypto/tls" "crypto/x509" "encoding" @@ -15,10 +14,8 @@ import ( "fmt" "net/http" "net/netip" - "reflect" "time" - "golang.org/x/exp/slices" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -165,34 +162,6 @@ type Xds struct { ExtensionServerPolicies []*UnstructuredRef `json:"extensionServerPolicies,omitempty" yaml:"extensionServerPolicies,omitempty"` } -// Equal implements the Comparable interface used by watchable.DeepEqual to skip unnecessary updates. -func (x *Xds) Equal(y *Xds) bool { - // Deep copy to avoid modifying the original ordering. - x = x.DeepCopy() - x.sort() - y = y.DeepCopy() - y.sort() - return reflect.DeepEqual(x, y) -} - -// sort ensures the listeners are in a consistent order. -func (x *Xds) sort() { - slices.SortFunc(x.HTTP, func(l1, l2 *HTTPListener) int { - return cmp.Compare(l1.Name, l2.Name) - }) - for _, l := range x.HTTP { - slices.SortFunc(l.Routes, func(r1, r2 *HTTPRoute) int { - return cmp.Compare(r1.Name, r2.Name) - }) - } - slices.SortFunc(x.TCP, func(l1, l2 *TCPListener) int { - return cmp.Compare(l1.Name, l2.Name) - }) - slices.SortFunc(x.UDP, func(l1, l2 *UDPListener) int { - return cmp.Compare(l1.Name, l2.Name) - }) -} - // Validate the fields within the Xds structure. func (x *Xds) Validate() error { var errs error diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go index 429e35ef22..073529e33f 100644 --- a/internal/ir/xds_test.go +++ b/internal/ir/xds_test.go @@ -11,7 +11,6 @@ import ( "testing" "time" - "github.com/google/go-cmp/cmp" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" 
@@ -755,80 +754,6 @@ func TestValidateTLSListenerConfig(t *testing.T) { } } -func TestEqualXds(t *testing.T) { - tests := []struct { - desc string - a *Xds - b *Xds - equal bool - }{ - { - desc: "out of order tcp listeners are equal", - a: &Xds{ - TCP: []*TCPListener{ - {CoreListenerDetails: CoreListenerDetails{Name: "listener-1"}}, - {CoreListenerDetails: CoreListenerDetails{Name: "listener-2"}}, - }, - }, - b: &Xds{ - TCP: []*TCPListener{ - {CoreListenerDetails: CoreListenerDetails{Name: "listener-2"}}, - {CoreListenerDetails: CoreListenerDetails{Name: "listener-1"}}, - }, - }, - equal: true, - }, - { - desc: "out of order http routes are equal", - a: &Xds{ - HTTP: []*HTTPListener{ - { - CoreListenerDetails: CoreListenerDetails{Name: "listener-1"}, - Routes: []*HTTPRoute{ - {Name: "route-1"}, - {Name: "route-2"}, - }, - }, - }, - }, - b: &Xds{ - HTTP: []*HTTPListener{ - { - CoreListenerDetails: CoreListenerDetails{Name: "listener-1"}, - Routes: []*HTTPRoute{ - {Name: "route-2"}, - {Name: "route-1"}, - }, - }, - }, - }, - equal: true, - }, - { - desc: "out of order udp listeners are equal", - a: &Xds{ - UDP: []*UDPListener{ - {CoreListenerDetails: CoreListenerDetails{Name: "listener-1"}}, - {CoreListenerDetails: CoreListenerDetails{Name: "listener-2"}}, - }, - }, - b: &Xds{ - UDP: []*UDPListener{ - {CoreListenerDetails: CoreListenerDetails{Name: "listener-2"}}, - {CoreListenerDetails: CoreListenerDetails{Name: "listener-1"}}, - }, - }, - equal: true, - }, - } - - for _, tc := range tests { - t.Run(tc.desc, func(t *testing.T) { - require.Equal(t, tc.equal, cmp.Equal(tc.a, tc.b)) - }) - } -} - func TestValidateUDPListener(t *testing.T) { tests := []struct { name string diff --git a/internal/message/watchutil_test.go b/internal/message/watchutil_test.go index 6e6472d14f..bc6b10c9c2 100644 --- a/internal/message/watchutil_test.go +++ b/internal/message/watchutil_test.go 
@@ -12,8 +12,10 @@ import ( "github.com/stretchr/testify/assert" "github.com/telepresenceio/watchable" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" - "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/message" ) 
@@ -91,42 +93,147 @@ func TestHandleSubscriptionAlreadyInitialized(t *testing.T) { assert.Equal(t, 1, deleteCalls) } -func TestXdsIRUpdates(t *testing.T) { +func TestControllerResourceUpdate(t *testing.T) { tests := []struct { - desc string - xx []*ir.Xds - updates int + desc string + resources []*resource.ControllerResources + updates int }{ { - desc: "HTTP listener order change skips update", - xx: []*ir.Xds{ + desc: "Resource order change skips update", + resources: []*resource.ControllerResources{ { - HTTP: []*ir.HTTPListener{ - {CoreListenerDetails: ir.CoreListenerDetails{Name: "listener-1"}}, - {CoreListenerDetails: ir.CoreListenerDetails{Name: "listener-2"}}, + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-1"}}, + }, + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-2"}}, }, }, { - HTTP: []*ir.HTTPListener{ - {CoreListenerDetails: ir.CoreListenerDetails{Name: "listener-2"}}, - {CoreListenerDetails: ir.CoreListenerDetails{Name: "listener-1"}}, + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-2"}}, + }, + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-1"}}, }, }, }, updates: 1, }, { - desc: "Additional HTTP listener triggers update", - xx: []*ir.Xds{ + desc: "Additional resource triggers update", + resources: []*resource.ControllerResources{ + { + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-1"}}, + }, + }, { - HTTP: []*ir.HTTPListener{ - {CoreListenerDetails: ir.CoreListenerDetails{Name: "listener-1"}}, + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-1"}}, + }, + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-2"}}, }, }, + }, + updates: 2, + }, + { + desc: "Multiple Gateways in Resources struct with order change skips update", + resources: []*resource.ControllerResources{ { - HTTP: []*ir.HTTPListener{ - 
{CoreListenerDetails: ir.CoreListenerDetails{Name: "listener-1"}}, - {CoreListenerDetails: ir.CoreListenerDetails{Name: "listener-2"}}, + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-1"}}, + Gateways: []*gwapiv1.Gateway{ + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-1", Namespace: "default"}}, + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-2", Namespace: "default"}}, + }, + }, + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-2"}}, + Gateways: []*gwapiv1.Gateway{ + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-3", Namespace: "system"}}, + }, + }, + }, + { + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-2"}}, + Gateways: []*gwapiv1.Gateway{ + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-3", Namespace: "system"}}, + }, + }, + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-1"}}, + Gateways: []*gwapiv1.Gateway{ + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-2", Namespace: "default"}}, + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-1", Namespace: "default"}}, + }, + }, + }, + }, + updates: 1, + }, + { + desc: "Multiple Gateways with Gateway change triggers update", + resources: []*resource.ControllerResources{ + { + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-1"}}, + Gateways: []*gwapiv1.Gateway{ + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-1", Namespace: "default"}}, + }, + }, + }, + { + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-1"}}, + Gateways: []*gwapiv1.Gateway{ + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-1", Namespace: "default"}}, + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-2", Namespace: "default"}}, + }, + }, + }, + }, + updates: 2, + }, + { + desc: "Multiple Resources with varying Gateway counts", + resources: []*resource.ControllerResources{ + { + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: 
metav1.ObjectMeta{Name: "class-1"}}, + Gateways: []*gwapiv1.Gateway{ + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-1", Namespace: "default"}}, + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-2", Namespace: "default"}}, + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-3", Namespace: "test"}}, + }, + }, + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-2"}}, + Gateways: []*gwapiv1.Gateway{ + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-4", Namespace: "system"}}, + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-5", Namespace: "system"}}, + }, + }, + }, + { + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-1"}}, + Gateways: []*gwapiv1.Gateway{ + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-1", Namespace: "default"}}, + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-2", Namespace: "default"}}, + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-3", Namespace: "test"}}, + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-6", Namespace: "test"}}, + }, + }, + { + GatewayClass: &gwapiv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "class-2"}}, + Gateways: []*gwapiv1.Gateway{ + {ObjectMeta: metav1.ObjectMeta{Name: "gateway-4", Namespace: "system"}}, + }, }, }, }, 
@@ -136,28 +243,29 @@ func TestXdsIRUpdates(t *testing.T) { for _, tc := range tests { t.Run(tc.desc, func(t *testing.T) { ctx := context.Background() - m := new(message.XdsIR) + m := &message.ProviderResources{} - snapshotC := m.Subscribe(ctx) + snapshotC := m.GatewayAPIResources.Subscribe(ctx) endCtx, end := context.WithCancel(ctx) - m.Store("start", &ir.Xds{}) + m.GatewayAPIResources.Store("start", &resource.ControllerResources{}) go func() { <-endCtx.Done() - for _, x := range tc.xx { - m.Store("test", x) + for _, r := range tc.resources { + r.Sort() + m.GatewayAPIResources.Store("test", r) } - m.Store("end", &ir.Xds{}) + m.GatewayAPIResources.Store("end", &resource.ControllerResources{}) }() updates := 0 - message.HandleSubscription(message.Metadata{Runner: "demo", Message: "demo"}, snapshotC, func(u message.Update[string, *ir.Xds], errChans chan error) { + message.HandleSubscription(message.Metadata{Runner: "demo", Message: "demo"}, snapshotC, func(u message.Update[string, *resource.ControllerResources], errChans chan error) { end() if u.Key == "test" { updates += 1 } if u.Key == "end" { - m.Close() + m.GatewayAPIResources.Close() } }) assert.Equal(t, tc.updates, updates) diff --git a/internal/provider/file/file_test.go b/internal/provider/file/file_test.go index 89db93f763..1e8ab2ff53 100644 --- a/internal/provider/file/file_test.go +++ b/internal/provider/file/file_test.go @@ -84,6 +84,10 @@ func newFileProviderConfig(paths []string) (*config.Server, error) { }, }, } + cfg.EnvoyGateway.ExtensionAPIs = &egv1a1.ExtensionAPISettings{ + EnableBackend: true, + EnableEnvoyPatchPolicy: true, + } return cfg, nil } @@ -290,7 +294,6 @@ func mustUnmarshal(t *testing.T, path string, out interface{}) { func cmpResources(t *testing.T, x, y interface{}) { opts := []cmp.Option{ - cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"), cmpopts.IgnoreFields(metav1.ObjectMeta{}, "ResourceVersion"), cmpopts.EquateEmpty(), } 
diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index c806496f0d..cd486b36c3 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -218,6 +218,20 @@ func (r *gatewayAPIReconciler) subscribeToResources(ctx context.Context) { r.subscriptions.extensionPolicyStatuses = r.resources.ExtensionPolicyStatuses.Subscribe(ctx) } +func (r *gatewayAPIReconciler) backendAPIDisabled() bool { + // we didn't check if the backend CRD exists every time for performance, + // please make sure r.backendCRDExists is setting correctly before calling this + if !r.backendCRDExists { + return true + } + + if r.envoyGateway == nil || r.envoyGateway.ExtensionAPIs == nil { + return true + } + + return !r.envoyGateway.ExtensionAPIs.EnableBackend +} + func byNamespaceSelectorEnabled(eg *egv1a1.EnvoyGateway) bool { if eg.Provider == nil || eg.Provider.Kubernetes == nil || @@ -508,6 +522,13 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques } } + // Sort before storing to: + // 1. ensure identical resources are not retranslated + // and updates are avoided by the watchable layer + // 2. ensure gateway-api layer receives resources in order + // which impacts translation output + gwcResources.Sort() + // Store the Gateway Resources for the GatewayClass. // The Store is triggered even when there are no Gateways associated to the // GatewayClass. This would happen in case the last Gateway is removed and the @@ -626,8 +647,8 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour endpointSliceLabelKey = mcsapiv1a1.LabelServiceName case egv1a1.KindBackend: - if !r.backendCRDExists { - r.log.V(6).Info("skipping Backend processing as Backend CRD is not installed") + if r.backendAPIDisabled() { + r.log.V(6).Info("skipping Backend processing as Backend API is disabled.") continue } backend := new(egv1a1.Backend) 
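Review bot: `backendAPIDisabled` has no doc comment, and its inner comment ("please make sure r.backendCRDExists is setting correctly before calling this") states a caller obligation without saying where the field is set. In this commit the helper decides whether Backend resources are handled in processBackendRefs, watchResources and validateClusterTrustBundleForReconcile, so its fail-closed contract is worth stating: `// backendAPIDisabled reports whether Backend resources must be ignored; it returns true unless the Backend CRD is installed and ExtensionAPIs.EnableBackend is set.` For the inner comment I would write `// r.backendCRDExists is assigned in watchResources and is not re-checked here.` Any code outside these hunks that still reads `r.backendCRDExists` directly would not see the `EnableBackend` setting, which is worth a grep before merging.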
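Review bot: In processBackendRefs the new skip message covers two different causes (Backend CRD not installed, `EnableBackend` off) and is logged only at `V(6)`, presumably below the default verbosity, so a route whose backendRef names a Backend while the API is disabled is skipped with little trace for the operator. watchResources in this same commit tells the two cases apart; here one extra key would do, for example `r.log.V(6).Info("skipping Backend processing as Backend API is disabled", "crdInstalled", r.backendCRDExists)`. Whether the skipped reference is also reported on the route's status is not visible in this hunk and would be worth confirming. The function starts and ends outside the hunk.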
@@ -1467,6 +1488,11 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g } func (r *gatewayAPIReconciler) processServiceCluster(resourceName string, resourceMap *resourceMappings) { + // Skip processing if topology injector is disabled + if r.envoyGateway != nil && r.envoyGateway.TopologyInjectorDisabled() { + return + } + proxySvcName := proxy.ExpectedResourceHashedName(resourceName) resourceMap.allAssociatedBackendRefs.Insert(gwapiv1.BackendObjectReference{ Kind: ptr.To(gwapiv1.Kind("Service")), @@ -1856,10 +1882,16 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } + // we didn't check if the backend CRD exists every time for performance, + // please make sure r.backendCRDExists is setting correctly before calling this r.backendCRDExists = r.crdExists(mgr, resource.KindBackend, egv1a1.GroupVersion.String()) - if !r.backendCRDExists { - r.log.Info("Backend CRD not found, skipping Backend watch") - } else if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableBackend { + if r.backendAPIDisabled() { + if !r.backendCRDExists { + r.log.Info("Backend CRD not found, skipping Backend watch") + } else { + r.log.Info("Backend API disabled, skipping Backend watch") + } + } else { // Watch Backend CRUDs and process affected *Route objects. backendPredicates := []predicate.TypedPredicate[*egv1a1.Backend]{ predicate.TypedGenerationChangedPredicate[*egv1a1.Backend]{}, diff --git a/internal/provider/kubernetes/controller_test.go b/internal/provider/kubernetes/controller_test.go index 956481c6be..523940bb46 100644 --- a/internal/provider/kubernetes/controller_test.go +++ b/internal/provider/kubernetes/controller_test.go 
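Review bot: The guard `r.envoyGateway != nil && r.envoyGateway.TopologyInjectorDisabled()` at the top of processServiceCluster is repeated verbatim in isProxyServiceCluster (predicates.go), and the nil check is load-bearing because `TopologyInjectorDisabled` reads `e.Provider` on its receiver. A reconciler helper in the style of `backendAPIDisabled` would keep the two call sites in step: `func (r *gatewayAPIReconciler) topologyInjectorDisabled() bool { return r.envoyGateway != nil && r.envoyGateway.TopologyInjectorDisabled() }`. The body of processServiceCluster continues outside the hunk.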
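Review bot: The two comment lines added above `r.backendCRDExists = r.crdExists(...)` in watchResources are a copy of the comment inside `backendAPIDisabled`; at this spot "before calling this" has no referent, because this line is the assignment itself. I would replace them with `// Record whether the Backend CRD is installed; backendAPIDisabled reads this field instead of calling crdExists again.` The nested `if !r.backendCRDExists` inside the `backendAPIDisabled()` branch exists only to choose the log message, which a short comment such as `// pick the message that names the actual cause` would make clear. watchResources starts and ends outside the hunk.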
@@ -1247,6 +1247,21 @@ func TestProcessSecurityPolicyObjectRefs(t *testing.T) { } } +func newGatewayAPIReconciler(logger logging.Logger) *gatewayAPIReconciler { + return &gatewayAPIReconciler{ + log: logger, + classController: "some-gateway-class", + backendCRDExists: true, + envoyGateway: &egv1a1.EnvoyGateway{ + EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{ + ExtensionAPIs: &egv1a1.ExtensionAPISettings{ + EnableBackend: true, + }, + }, + }, + } +} + func TestProcessBackendRefs(t *testing.T) { ns := "default" ctb := test.GetClusterTrustBundle("fake-ctb") @@ -1341,12 +1356,7 @@ func TestProcessBackendRefs(t *testing.T) { objs := []client.Object{tc.backend, ctb, secret, cm} logger := logging.DefaultLogger(os.Stdout, egv1a1.LogLevelInfo) - r := &gatewayAPIReconciler{ - log: logger, - classController: "some-gateway-class", - backendCRDExists: true, - } - + r := newGatewayAPIReconciler(logger) r.client = fakeclient.NewClientBuilder(). WithScheme(envoygateway.GetScheme()). WithObjects(objs...). diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index d3dc5e31ae..b4c19b4d6c 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go @@ -197,7 +197,7 @@ func (r *gatewayAPIReconciler) validateSecretForReconcile(obj client.Object) boo } func (r *gatewayAPIReconciler) validateClusterTrustBundleForReconcile(ctb *certificatesv1b1.ClusterTrustBundle) bool { - if r.backendCRDExists { + if !r.backendAPIDisabled() { if r.isBackendReferencingClusterTrustBundle(ctb) { return true } 
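Review bot: `newGatewayAPIReconciler` always sets `backendCRDExists: true` and `EnableBackend: true`, so TestProcessBackendRefs exercises only the enabled path and nothing visible here covers the fail-closed branches of `backendAPIDisabled`. A case that builds the reconciler with `EnableBackend: false`, and one that leaves `envoyGateway` nil, asserting that a `Backend` backendRef is skipped, would pin the behaviour this commit introduces; the same applies to validateClusterTrustBundleForReconcile, whose fixture in predicates_test.go is likewise switched to the enabled configuration. A one-line doc comment on the helper, `// newGatewayAPIReconciler returns a reconciler with the Backend CRD present and the Backend API enabled.`, would make that default explicit.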
@@ -942,6 +942,11 @@ func (r *gatewayAPIReconciler) isRouteReferencingHTTPRouteFilter(nsName *types.N // isProxyServiceCluster returns true if the provided labels reference an owning Gateway or GatewayClass func (r *gatewayAPIReconciler) isProxyServiceCluster(labels map[string]string) bool { + // Skip processing if topology injector is disabled + if r.envoyGateway != nil && r.envoyGateway.TopologyInjectorDisabled() { + return false + } + if gtw := r.findOwningGateway(context.Background(), labels); gtw != nil { return true } diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index 6d1035e518..61125e80a4 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go @@ -1559,6 +1559,13 @@ func TestValidateClusterTrustBundleForReconcile(t *testing.T) { backendCRDExists: true, bTLSPolicyCRDExists: true, ctpCRDExists: true, + envoyGateway: &egv1a1.EnvoyGateway{ + EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{ + ExtensionAPIs: &egv1a1.ExtensionAPISettings{ + EnableBackend: true, + }, + }, + }, } for _, tc := range testCases { diff --git a/internal/utils/ratelimit/unit.go b/internal/utils/ratelimit/unit.go index 94c8c7f6fb..3ee12170e3 100644 --- a/internal/utils/ratelimit/unit.go +++ b/internal/utils/ratelimit/unit.go @@ -24,6 +24,10 @@ func UnitToSeconds(unit egv1a1.RateLimitUnit) int64 { seconds = 60 * 60 case egv1a1.RateLimitUnitDay: seconds = 60 * 60 * 24 + case egv1a1.RateLimitUnitMonth: + seconds = 60 * 60 * 24 * 30 + case egv1a1.RateLimitUnitYear: + seconds = 60 * 60 * 24 * 365 } return seconds } diff --git a/internal/xds/bootstrap/bootstrap.go b/internal/xds/bootstrap/bootstrap.go index 3986dcf341..65d989a40e 100644 --- a/internal/xds/bootstrap/bootstrap.go +++ b/internal/xds/bootstrap/bootstrap.go 
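Review bot: The new `RateLimitUnitMonth` and `RateLimitUnitYear` cases in UnitToSeconds use fixed windows of 30 and 365 days, but neither these lines nor the constants' comments in ratelimit_types.go ("1 month", "1 year") say so. Someone sizing a quota or abuse limit may expect a calendar month, so I would annotate the cases: `seconds = 60 * 60 * 24 * 30 // fixed 30-day window, not a calendar month` and `seconds = 60 * 60 * 24 * 365 // fixed 365-day window; leap days ignored`. If this conversion also feeds limits whose counters live in proxy memory (not visible from this hunk), a window this long will not survive a proxy restart, which deserves a sentence in the API documentation. UnitToSeconds begins outside the hunk.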
@@ -99,6 +99,8 @@ type bootstrapParameters struct { GatewayNamespaceMode bool // ServiceClusterName is the generated name of the Envoy ServiceCluster. ServiceClusterName string + // TopologyInjectorDisabled controls whether to render the local cluster for use with zone aware routing + TopologyInjectorDisabled bool } type serverParameters struct { @@ -136,16 +138,17 @@ type overloadManagerParameters struct { } type RenderBootstrapConfigOptions struct { - IPFamily *egv1a1.IPFamily - ProxyMetrics *egv1a1.ProxyMetrics - SdsConfig SdsConfigPath - ServiceClusterName *string - XdsServerHost *string - XdsServerPort *int32 - AdminServerPort *int32 - StatsServerPort *int32 - MaxHeapSizeBytes uint64 - GatewayNamespaceMode bool + IPFamily *egv1a1.IPFamily + ProxyMetrics *egv1a1.ProxyMetrics + SdsConfig SdsConfigPath + ServiceClusterName *string + XdsServerHost *string + XdsServerPort *int32 + AdminServerPort *int32 + StatsServerPort *int32 + MaxHeapSizeBytes uint64 + GatewayNamespaceMode bool + TopologyInjectorDisabled bool } type SdsConfigPath struct { @@ -307,6 +310,7 @@ func GetRenderedBootstrapConfig(opts *RenderBootstrapConfigOptions) (string, err if opts.ServiceClusterName != nil { cfg.parameters.ServiceClusterName = *opts.ServiceClusterName } + cfg.parameters.TopologyInjectorDisabled = opts.TopologyInjectorDisabled } if err := cfg.render(); err != nil { diff --git a/internal/xds/bootstrap/bootstrap.yaml.tpl b/internal/xds/bootstrap/bootstrap.yaml.tpl index c951174c5d..f3458b6a66 100644 --- a/internal/xds/bootstrap/bootstrap.yaml.tpl +++ b/internal/xds/bootstrap/bootstrap.yaml.tpl @@ -171,6 +171,7 @@ static_resources: address: {{ $sink.Address }} port_value: {{ $sink.Port }} {{- end }} + {{- if not .TopologyInjectorDisabled }} - connect_timeout: 10s eds_cluster_config: eds_config: @@ -188,6 +189,7 @@ static_resources: min_cluster_size: '1' name: {{ .ServiceClusterName }} type: EDS + {{- end }} - connect_timeout: 10s load_assignment: cluster_name: xds_cluster 
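Review bot: With `TopologyInjectorDisabled` set, the EDS cluster named `{{ .ServiceClusterName }}` is no longer rendered by bootstrap.yaml.tpl, so any other part of the bootstrap that refers to that cluster by name has to sit under the same condition. The rest of the template is outside these hunks; if it sets a `local_cluster_name` (or a similar reference) to `.ServiceClusterName`, that block needs the same `{{- if not .TopologyInjectorDisabled }}` and `{{- end }}` pair. A golden-file render test with the flag set would catch a dangling reference.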
diff --git a/internal/xds/translator/metadata.go b/internal/xds/translator/metadata.go index 41233ebdba..6ee726c258 100644 --- a/internal/xds/translator/metadata.go +++ b/internal/xds/translator/metadata.go @@ -27,23 +27,8 @@ func buildXdsMetadata(metadata *ir.ResourceMetadata) *corev3.Metadata { return nil } - return buildXdsMetadataFromMultiple([]*ir.ResourceMetadata{metadata}) -} - -func buildXdsMetadataFromMultiple(metadata []*ir.ResourceMetadata) *corev3.Metadata { - if metadata == nil { - return nil - } - resourcesList := &structpb.ListValue{} - for _, md := range metadata { - if md != nil { - resourcesList.Values = append(resourcesList.Values, buildResourceMetadata(md)) - } - } - if len(resourcesList.Values) == 0 { - return nil - } + resourcesList.Values = append(resourcesList.Values, buildResourceMetadata(metadata)) return &corev3.Metadata{ FilterMetadata: map[string]*structpb.Struct{ diff --git a/internal/xds/translator/testdata/in/ratelimit-config/month-year-rule.yaml b/internal/xds/translator/testdata/in/ratelimit-config/month-year-rule.yaml new file mode 100644 index 0000000000..56d705b405 --- /dev/null +++ b/internal/xds/translator/testdata/in/ratelimit-config/month-year-rule.yaml @@ -0,0 +1,47 @@ +name: "first-listener" +address: "0.0.0.0" +port: 10080 +hostnames: +- "*" +path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect +routes: +- name: "first-route" + traffic: + rateLimit: + global: + rules: + - headerMatches: + - name: "x-user-id" + exact: "one" + limit: + requests: 5 + unit: month + pathMatch: + exact: "foo/bar" + destination: + name: "first-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 +- name: "second-route" + traffic: + rateLimit: + global: + rules: + - headerMatches: + - name: "x-user-id" + exact: "two" + limit: + requests: 1 + unit: year + pathMatch: + exact: "foo/foo" + destination: + name: "second-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 
diff --git a/internal/xds/translator/testdata/out/ratelimit-config/month-year-rule.yaml b/internal/xds/translator/testdata/out/ratelimit-config/month-year-rule.yaml new file mode 100644 index 0000000000..60bd7ecffb --- /dev/null +++ b/internal/xds/translator/testdata/out/ratelimit-config/month-year-rule.yaml @@ -0,0 +1,37 @@ +name: first-listener +domain: first-listener +descriptors: + - key: first-route + value: first-route + rate_limit: null + descriptors: + - key: rule-0-match-0 + value: rule-0-match-0 + rate_limit: + requests_per_unit: 5 + unit: MONTH + unlimited: false + name: "" + replaces: [] + descriptors: [] + shadow_mode: false + detailed_metric: false + shadow_mode: false + detailed_metric: false + - key: second-route + value: second-route + rate_limit: null + descriptors: + - key: rule-0-match-0 + value: rule-0-match-0 + rate_limit: + requests_per_unit: 1 + unit: YEAR + unlimited: false + name: "" + replaces: [] + descriptors: [] + shadow_mode: false + detailed_metric: false + shadow_mode: false + detailed_metric: false diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml index 5bc6484861..58471e8de1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml @@ -345,13 +345,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml index 998f503038..261038728f 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml @@ -75,13 +75,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml index 998f503038..261038728f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml @@ -75,13 +75,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml index 41a1c3abc8..7f609a90d1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml @@ -45,13 +45,5 @@ useRemoteAddress: true name: default/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: default - sectionName: http name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/btp-telemetry.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/btp-telemetry.listeners.yaml index be40ad3cb0..4d0fe90c54 100644 --- a/internal/xds/translator/testdata/out/xds-ir/btp-telemetry.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/btp-telemetry.listeners.yaml @@ -31,13 +31,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/compression.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/compression.listeners.yaml index 90876bb592..e0bba0b836 100644 --- a/internal/xds/translator/testdata/out/xds-ir/compression.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/compression.listeners.yaml @@ -47,13 +47,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/credential-injection-backend-filter.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/credential-injection-backend-filter.listeners.yaml index be40ad3cb0..4d0fe90c54 100644 --- a/internal/xds/translator/testdata/out/xds-ir/credential-injection-backend-filter.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/credential-injection-backend-filter.listeners.yaml 
@@ -31,13 +31,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/credential-injection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/credential-injection.listeners.yaml index c9dbe4269e..7a127ec768 100644 --- a/internal/xds/translator/testdata/out/xds-ir/credential-injection.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/credential-injection.listeners.yaml @@ -59,13 +59,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml index 7ac2f81044..79224eb3d4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml @@ -167,13 +167,5 @@ useRemoteAddress: true name: default/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: default - sectionName: http name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/dns-lookup-family.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/dns-lookup-family.listeners.yaml index 4de7e41ca8..584a9f8d68 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/dns-lookup-family.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/dns-lookup-family.listeners.yaml @@ -177,13 +177,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml index 41a1c3abc8..7f609a90d1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml @@ -45,13 +45,5 @@ useRemoteAddress: true name: default/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: default - sectionName: http name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-connect-proxy.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-connect-proxy.listeners.yaml index be40ad3cb0..4d0fe90c54 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-connect-proxy.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-connect-proxy.listeners.yaml @@ -31,13 +31,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-connect-terminate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-connect-terminate.listeners.yaml index be40ad3cb0..4d0fe90c54 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-connect-terminate.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-connect-terminate.listeners.yaml @@ -31,13 +31,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-dynamic-resolver.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-dynamic-resolver.listeners.yaml index 1d2eb71e64..f869509943 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-dynamic-resolver.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-dynamic-resolver.listeners.yaml @@ -67,13 +67,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml index dfae8da1b1..a5bc288824 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml 
@@ -31,15 +31,5 @@ useRemoteAddress: true name: first-listener maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - annotations: - foo: bar - kind: Gateway - name: first-gateway - namespace: first-gateway - sectionName: first-listener name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-upgrade-spdy.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-upgrade-spdy.listeners.yaml index be40ad3cb0..4d0fe90c54 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-upgrade-spdy.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-upgrade-spdy.listeners.yaml @@ -31,13 +31,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-upgrade-websocket-spdy.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-upgrade-websocket-spdy.listeners.yaml index be40ad3cb0..4d0fe90c54 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-upgrade-websocket-spdy.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-upgrade-websocket-spdy.listeners.yaml @@ -31,13 +31,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.listeners.yaml index f14e70b86e..672ec20c19 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.listeners.yaml @@ -63,13 +63,5 @@ useRemoteAddress: true name: default/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: default - sectionName: http name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.listeners.yaml index bc14dec8de..5c88ff3986 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.listeners.yaml @@ -96,18 +96,6 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: https-1 - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: https-2 name: envoy-gateway/gateway-1/https-1 perConnectionBufferLimitBytes: 32768 - address: 
@@ -164,13 +152,5 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: https-3 name: envoy-gateway/gateway-1/https-3 perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/request-buffer.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/request-buffer.listeners.yaml index 3448386e4d..1b5504bd87 100644 --- a/internal/xds/translator/testdata/out/xds-ir/request-buffer.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/request-buffer.listeners.yaml @@ -36,14 +36,6 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 - address: @@ -84,13 +76,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-2/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-2 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-2/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml index c89b24ad99..61573e5b44 100644 --- a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml 
@@ -103,13 +103,5 @@ useRemoteAddress: true name: envoy-gateway/gateway-1/http maxConnectionsToAcceptPerSocketEvent: 1 - metadata: - filterMetadata: - envoy-gateway: - resources: - - kind: Gateway - name: gateway-1 - namespace: envoy-gateway - sectionName: http name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 5d68a43253..f79bbd6618 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -276,7 +276,6 @@ func (t *Translator) processHTTPListenerXdsTranslation( // The XDS translation is done in a best-effort manner, so we collect all // errors and return them at the end. var ( - ownerGatewayListeners = make(map[string][]*ir.ResourceMetadata) // The set of Gateway HTTPListeners that own the xDS Listener http3EnabledListeners = make(map[listenerKey]*ir.HTTP3Settings) // Map to track HTTP3 settings for listeners by address and port errs error ) @@ -402,12 +401,6 @@ func (t *Translator) processHTTPListenerXdsTranslation( } } - // Collect the metadata for the HTTPListener. - ownerGatewayListeners[tcpXDSListener.Name] = append(ownerGatewayListeners[tcpXDSListener.Name], httpListener.Metadata) - if http3Enabled { - ownerGatewayListeners[quicXDSListener.Name] = append(ownerGatewayListeners[quicXDSListener.Name], httpListener.Metadata) - } - // Add the secrets referenced by the listener's TLS configuration to the // resource version table. // 1:1 between IR TLSListenerConfig and xDS Secret @@ -482,14 +475,6 @@ func (t *Translator) processHTTPListenerXdsTranslation( } } - // Add the owner Gateway Listeners to the xDS listeners' metadata. - for listenerName, ownerGatewayListeners := range ownerGatewayListeners { - xdsListener := findXdsListener(tCtx, listenerName) - if xdsListener != nil { - xdsListener.Metadata = buildXdsMetadataFromMultiple(ownerGatewayListeners) - } - } - return errs } 
diff --git a/release-notes/v1.5.0.yaml b/release-notes/v1.5.0.yaml new file mode 100644 index 0000000000..4c36db5cf6 --- /dev/null +++ b/release-notes/v1.5.0.yaml 
@@ -0,0 +1,83 @@
+date: August 8, 2025
+
+# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs.
+breaking changes: |
+ Use gateway name as proxy fleet name for gateway namespace mode.
+ Endpoints that are absent from service discovery are removed even if their active health checks succeed.
+ The xDS listener name are now renamed based on its listening port and protocol, instead of the Gateway name and section name. This breaks existing EnvoyPatchPolicies and ExtensionManagers as they depend on the old naming scheme. This change is guarded by the `XDSNameSchemeV2` runtime flag. This flag is disabled by default in v1.5, and it will be enabled in v1.6. We recommend users to migrate their EnvoyPatchPolicies and ExtensionManagers to use the new listener names before v1.6. Visit https://gateway.envoyproxy.io/tasks/extensibility/envoy-patch-policy/#xds-name-scheme-v2 to view the new naming scheme.
+ Removed `xds-translator` and `xds-server` values from the `runner` label in `watchable_subscribe_total`. Use `xds` instead.
+ Accessloggers of type ALS now have http2 enabled on the cluster by default.
+
+# Updates addressing vulnerabilities, security flaws, or compliance requirements.
+security updates: |
+ Disable automountServiceAccountToken for proxy and ratelimit deployments and serviceAccounts.
+
+# New features or capabilities added in this release.
+new features: |
+ Added support for setting `initialJitter` in the BackendTrafficPolicy active health check.
+ Add an option to OIDC authentication to bypass it and defer to JWT when the request contains an "Authorization: Bearer ..." header.
+ Added support for configuring Subject Alternative Names (SANs) for upstream TLS validation via `BackendTLSPolicy.validation.subjectAltNames`.
+ Added support for local rate limit header.
+ Added XDS metadata for clusters and endpoints from xRoutes and referenced backend resources (Backend, Service, ServiceImport).
+ Added support for setting ownerreference to infra resources when enable gateway namespace mode.
+ Added support for configuring hostname in active HTTP healthchecks.
+ Added support for configuring maxConnectionsToAcceptPerSocketEvent in listener via ClientTrafficPolicy.
+ Added support for setting GatewayClass ownerreference to infra resources when all cases except gateway namespace mode.
+ Added support for setting previous priorities retry predicate.
+ Added support for using extension server policies to in PostTranslateModify hook.
+ Added support for configuring cluster stat name for HTTPRoute and GRPCRoute in EnvoyProxy CRD.
+ Added support for configuring `SameSite` attribute for Oauth cookies for OIDC authentication.
+ Added support for configuring the cache sync period for K8s provider.
+ Added support for fallback to first key when load ca certificate from Secret or ConfigMap.
+ Added support for configuring user provided name to generated HorizontalPodAutoscaler and PodDisruptionBudget resources.
+ Added support for client certificate validation (SPKI, hash, SAN) in ClientTrafficPolicy.
+ Added support for OIDC RP initialized logout. If the end session endpoint is explicitly specified or discovered from the issuer's well-known url, the end session endpoint will be invoked when the user logs out.
+ Added support for specifying deployment annotations through the helm chart.
+ Added support for customizing the name of the ServiceAccount used by the Proxy.
+ Added support for custom backendRefs via extension server using PostClusterModify hook.
+ Added support for SecurityPolicy and EnvoyExtensionPolicy to target ServiceImport via BackendRefs.
+ Added metric `watchable_publish_total` counting store events in watchable message queues.
+ Added support for forwarding client ID header and sanitizing API keys for API Key authentication in SecurityPolicy.
+ Added support for using ClusterTrustBundle as CA.
+ Added support for using Secret as a source of the OIDC client ID.
+ Added support for listeners and routes in PostTranslateModifyHook extension hook.
+ Added admin console support with web UI for the Envoy Gateway admin server.
+ Added support for configuring Zone Aware Routing via BackendTrafficPolicy.
+ Added support for endpoint override policy based on Header.
+ Added rate limiting support for month and year periods.
+ Introduce validation strictness levels for Lua scripts in EnvoyExtensionPolicies.
+ Extends BackendTLSSettings support to all Backend types.
+ Enhanced route rule support in SecurityPolicy target.
+
+bug fixes: |
+ Fixed issue where WASM cache init failure caused routes with WASM-less EnvoyExtensionPolicies to have 500 direct responses.
+ Fixed issue which UDP listeners were not created in the Envoy proxy config when Gateway was created.
+ Keep ALPN configuration for listeners with overlapping certificates when ALPN is explicitly set in ClientTrafficPolicy.
+ Fixed issue that switch on wrong SubjectAltNameType enum value in BackendTLSPolicy.
+ Fixed issue that BackendTLSPolicy should not reference ConfigMap or Secret across namespace.
+ Fixed bug in certificate SANs overlap detection in listeners.
+ Fixed issue where EnvoyExtensionPolicy ExtProc body processing mode is set to FullDuplexStreamed, but trailers were not sent.
+ Fixed validation issue where EnvoyExtensionPolicy ExtProc failOpen is true, and body processing mode FullDuplexStreamed is not rejected.
+ Add ConfigMap indexers for EnvoyExtensionPolicies to reconcile Lua changes
+ Fixed issue that default accesslog format not working.
+ Fixed validation errors when the rateLimit url for Redis in the EnvoyGateway API includes multiple comma separated hosts.
+ Fixes addresses in status of DualStack NodePort Gateways.
+ Fixed issue that not able to override the prometheus annotation in EnvoyProxy CRD. + Skipped ExtProc, Wasm, and ExtAuth when they are configured FailOpen and the configuration is invalid, e.g. missing backendRefs or invalid port. + Fixed issue that failed to update policy status when there are more than 16 ancestors. + Fixed race condition in watchable.Map Snapshot subscription. + Fixed issue where HTTPRoutes with sessionPersistence caused the Envoy listeners to drain. + Fixed deployment creation blocking when EnvoyProxy secret is missing. + Increased earlyRequestHeaders limit from 16 to 64. + +# Enhancements that improve performance. +performance improvements: | + Reduced xDS cluster DNS lookups for improved performance. + Combined xds-translator and xds-server runners into xds runner reducing memory by upto 25% + Removed custom Equal functions for watchable types by pre sorting Gateway API resources in the provider layer + +# Deprecated features or APIs. +deprecations: | + +# Other notable changes not covered by the above sections. +Other changes: | diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 3c7539e52e..25a018542f 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -4272,7 +4272,7 @@ _Appears in:_ _Underlying type:_ _string_ RateLimitUnit specifies the intervals for setting rate limits. -Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day". +Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year". _Appears in:_ - [RateLimitValue](#ratelimitvalue) @@ -4283,6 +4283,8 @@ _Appears in:_ | `Minute` | RateLimitUnitMinute specifies the rate limit interval to be 1 minute.
| | `Hour` | RateLimitUnitHour specifies the rate limit interval to be 1 hour.
| | `Day` | RateLimitUnitDay specifies the rate limit interval to be 1 day.
| +| `Month` | RateLimitUnitMonth specifies the rate limit interval to be 1 month.
| +| `Year` | RateLimitUnitYear specifies the rate limit interval to be 1 year.
| #### RateLimitValue diff --git a/site/content/en/latest/install/gateway-crds-helm-api.md b/site/content/en/latest/install/gateway-crds-helm-api.md index febf9f9bd5..b331653392 100644 --- a/site/content/en/latest/install/gateway-crds-helm-api.md +++ b/site/content/en/latest/install/gateway-crds-helm-api.md @@ -2,9 +2,22 @@ title = "Gateway Crds Helm Chart" +++ -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) +![Version: v0.0.0-latest](https://img.shields.io/badge/Version-v0.0.0--latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) -A Helm chart for Kubernetes +A Helm chart for Envoy Gateway CRDs + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| envoy-gateway-steering-committee | | | +| envoy-gateway-maintainers | | | + +## Source Code + +* ## Values diff --git a/site/content/en/latest/install/install-egctl.md b/site/content/en/latest/install/install-egctl.md index cbd8238574..72081ce79b 100644 --- a/site/content/en/latest/install/install-egctl.md +++ b/site/content/en/latest/install/install-egctl.md 
@@ -22,7 +22,7 @@ The Envoy Gateway project provides two ways to fetch and install egctl. These ar Every [release](https://github.com/envoyproxy/gateway/releases) of egctl provides binary releases for a variety of OSes. These binary versions can be manually downloaded and installed. 1. Download your [desired version](https://github.com/envoyproxy/gateway/releases) -2. Unpack it (tar -zxvf egctl_latest_linux_amd64.tar.gz) +2. Unpack it (tar -zxvf egctl_{{< yaml-version >}}_linux_amd64.tar.gz) 3. Find the egctl binary in the unpacked directory, and move it to its desired destination (mv bin/linux/amd64/egctl /usr/local/bin/egctl) From there, you should be able to run: `egctl help`. @@ -41,15 +41,12 @@ chmod +x get-egctl.sh # get help info of the bash get-egctl.sh --help - -# install the latest development version of egctl -bash VERSION=latest get-egctl.sh ``` Yes, you can just use the below command if you want to live on the edge. ```shell -curl -fsSL https://gateway.envoyproxy.io/get-egctl.sh | VERSION=latest bash +curl -fsSL https://gateway.envoyproxy.io/get-egctl.sh | VERSION={{< yaml-version >}} bash ``` {{% /tab %}} diff --git a/site/content/en/latest/tasks/extensibility/_index.md b/site/content/en/latest/tasks/extensibility/_index.md index 664c734aec..3079bb6844 100644 --- a/site/content/en/latest/tasks/extensibility/_index.md +++ b/site/content/en/latest/tasks/extensibility/_index.md 
@@ -3,3 +3,16 @@ title: "Extensibility" weight: 4 description: This section includes Extensibility tasks. --- + +Envoy Gateway provides several ways to extend its functionality beyond the built-in features. + +## Extension Options + +**Need access to Envoy Proxy features not available through the API ?** +- [Envoy Patch Policy](envoy-patch-policy) - Directly modify Envoy xDS configuration +- [Extension Server](extension-server) - Build external services to transform xDS configuration + +**Want to add custom processing logic?** +- [WASM Extensions](wasm) - Run WebAssembly modules for high-performance custom logic +- [External Processing](ext-proc) - Call external gRPC services during request processing +- [Lua Extensions](lua) - Write lightweight scripting extensions diff --git a/site/content/en/latest/tasks/operations/gateway-namespace-mode.md b/site/content/en/latest/tasks/operations/gateway-namespace-mode.md index 3c5d841bf6..892794132c 100644 --- a/site/content/en/latest/tasks/operations/gateway-namespace-mode.md +++ b/site/content/en/latest/tasks/operations/gateway-namespace-mode.md @@ -2,14 +2,6 @@ title: "Gateway Namespace Mode" --- -{{% alert title="Notice" color="warning" %}} - -Gateway Namespace Mode is currently an **alpha** feature. We recommend against using it in production workloads until it reaches beta status. - -For status updates or to provide feedback, please follow our [GitHub issues](https://github.com/envoyproxy/gateway/issues). - -{{% /alert %}} - ## Overview In standard deployment mode, Envoy Gateway creates all data plane resources in the controller namespace (typically `envoy-gateway-system`). diff --git a/site/content/en/latest/tasks/operations/graceful-shutdown.md b/site/content/en/latest/tasks/operations/graceful-shutdown.md new file mode 100644 index 0000000000..3f6bc08f20 --- /dev/null +++ b/site/content/en/latest/tasks/operations/graceful-shutdown.md 
@@ -0,0 +1,91 @@ +--- +title: "Graceful Shutdown and Hitless Upgrades" +--- + +Envoy Gateway enables zero-downtime deployments through graceful connection draining during pod termination. + +## Overview + +The shutdown manager sidecar coordinates graceful connection draining during pod termination, providing: + +- Zero-downtime rolling updates +- Configurable drain timeouts +- Automatic health check failure to remove pods from load balancer rotation + +### Shutdown Process + +1. Kubernetes sends SIGTERM to the pod +2. Shutdown manager fails health checks via `/healthcheck/fail` + - This causes Kubernetes readiness probes to fail + - External load balancers and services stop routing new traffic to the pod + - Existing connections continue to be served while draining +3. Connection monitoring begins, polling `server.total_connections` +4. Process exits when connections reach zero or drain timeout is exceeded + +## Configuration + +Graceful shutdown behavior includes default values that can be overridden using the EnvoyProxy resource. The EnvoyProxy resource can be referenced in two ways: +1. **Gateway-level**: Referenced from a Gateway via `infrastructure.parametersRef` +2. 
**GatewayClass-level**: Referenced from a GatewayClass via `parametersRef` + +**Default Values:** +- `drainTimeout`: 60 seconds - Maximum time for connection draining +- `minDrainDuration`: 10 seconds - Minimum wait before allowing exit + +{{< tabpane text=true >}} +{{% tab header="Gateway-Level Configuration" %}} + +```yaml +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: eg +spec: + gatewayClassName: eg + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: graceful-shutdown-config + listeners: + - name: http + port: 80 + protocol: HTTP +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + name: graceful-shutdown-config +spec: + shutdown: + drainTimeout: "90s" # Override default 60s + minDrainDuration: "15s" # Override default 10s +``` + +{{% /tab %}} +{{% tab header="GatewayClass-Level Configuration" %}} + +```yaml +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: eg +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: graceful-shutdown-config +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + name: graceful-shutdown-config +spec: + shutdown: + drainTimeout: "90s" # Override default 60s + minDrainDuration: "15s" # Override default 10s +``` + +{{% /tab %}} +{{< /tabpane >}} diff --git a/site/content/en/latest/tasks/security/backend-tls.md b/site/content/en/latest/tasks/security/backend-tls.md index 8da5195aa4..866e22cb50 100644 --- a/site/content/en/latest/tasks/security/backend-tls.md +++ b/site/content/en/latest/tasks/security/backend-tls.md 
@@ -59,12 +59,35 @@ Store the cert/key in a Secret: kubectl create secret tls example-cert --key=www.example.com.key --cert=www.example.com.crt ``` -Store the CA Cert in another Secret: +Store the CA Cert in different ways: + +{{< tabpane text=true >}} +{{% tab header="ConfigMap" %}} ```shell kubectl create configmap example-ca --from-file=ca.crt ``` +{{% /tab %}} + +{{% tab header="ClusterTrustBundle" %}} + +Save and apply the following resource to your cluster: + +```shell +apiVersion: certificates.k8s.io/v1beta1 +kind: ClusterTrustBundle +metadata: + name: example-ca +spec: + trustBundle: | + [content from ca.crt] +``` + +{{% /tab %}} + +{{< /tabpane >}} + ## Setup TLS on the backend Patch the existing quickstart backend to enable TLS. The patch will mount the TLS certificate secret into the backend as volume. @@ -159,7 +182,7 @@ Note: SectionName is an optional field that specifies the name of the port in th If the target is a [Backend] resource, the `sectionName` field should be set to the port number of the backend. {{< tabpane text=true >}} -{{% tab header="Apply from stdin" %}} +{{% tab header="ConfigMap" %}} ```shell cat < | | `Hour` | RateLimitUnitHour specifies the rate limit interval to be 1 hour.
| | `Day` | RateLimitUnitDay specifies the rate limit interval to be 1 day.
| +| `Month` | RateLimitUnitMonth specifies the rate limit interval to be 1 month.
| +| `Year` | RateLimitUnitYear specifies the rate limit interval to be 1 year.
| #### RateLimitValue diff --git a/site/content/en/v1.4/install/install-egctl.md b/site/content/en/v1.4/install/install-egctl.md index cbd8238574..72081ce79b 100644 --- a/site/content/en/v1.4/install/install-egctl.md +++ b/site/content/en/v1.4/install/install-egctl.md @@ -22,7 +22,7 @@ The Envoy Gateway project provides two ways to fetch and install egctl. These ar Every [release](https://github.com/envoyproxy/gateway/releases) of egctl provides binary releases for a variety of OSes. These binary versions can be manually downloaded and installed. 1. Download your [desired version](https://github.com/envoyproxy/gateway/releases) -2. Unpack it (tar -zxvf egctl_latest_linux_amd64.tar.gz) +2. Unpack it (tar -zxvf egctl_{{< yaml-version >}}_linux_amd64.tar.gz) 3. Find the egctl binary in the unpacked directory, and move it to its desired destination (mv bin/linux/amd64/egctl /usr/local/bin/egctl) From there, you should be able to run: `egctl help`. @@ -41,15 +41,12 @@ chmod +x get-egctl.sh # get help info of the bash get-egctl.sh --help - -# install the latest development version of egctl -bash VERSION=latest get-egctl.sh ``` Yes, you can just use the below command if you want to live on the edge. ```shell -curl -fsSL https://gateway.envoyproxy.io/get-egctl.sh | VERSION=latest bash +curl -fsSL https://gateway.envoyproxy.io/get-egctl.sh | VERSION={{< yaml-version >}} bash ``` {{% /tab %}} diff --git a/site/go.mod b/site/go.mod index 91bba45182..841bb671f2 100644 --- a/site/go.mod +++ b/site/go.mod @@ -1,6 +1,6 @@ module github.com/google/docsy-example -go 1.24.4 +go 1.24.6 require ( github.com/FortAwesome/Font-Awesome v0.0.0-20241216213156-af620534bfc3 // indirect diff --git a/test/cel-validation/envoyproxy_test.go b/test/cel-validation/envoyproxy_test.go index 0f7bf5d6bd..5ec5f57bd3 100644 --- a/test/cel-validation/envoyproxy_test.go +++ b/test/cel-validation/envoyproxy_test.go 
@@ -1616,7 +1616,7 @@ func TestEnvoyProxyProvider(t *testing.T) { wantErrors: []string{}, }, { - desc: "valid: imageRepository set without tag, image not set", + desc: "valid: image set with digest, imageRepository not set", mutate: func(envoy *egv1a1.EnvoyProxy) { envoy.Spec = egv1a1.EnvoyProxySpec{ Provider: &egv1a1.EnvoyProxyProvider{ @@ -1624,7 +1624,7 @@ func TestEnvoyProxyProvider(t *testing.T) { Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ EnvoyDeployment: &egv1a1.KubernetesDeploymentSpec{ Container: &egv1a1.KubernetesContainerSpec{ - ImageRepository: ptr.To("envoyproxy/envoy"), + Image: ptr.To("envoyproxy/envoy:v1.2.3@sha256:da99c47f08546492d19973920dc76334c592f59ad5b732a514320d959db9fa40"), }, }, }, @@ -1634,7 +1634,7 @@ func TestEnvoyProxyProvider(t *testing.T) { wantErrors: []string{}, }, { - desc: "invalid: both image and imageRepository set", + desc: "valid: image with sha256, imageRepository not set", mutate: func(envoy *egv1a1.EnvoyProxy) { envoy.Spec = egv1a1.EnvoyProxySpec{ Provider: &egv1a1.EnvoyProxyProvider{ @@ -1642,18 +1642,17 @@ func TestEnvoyProxyProvider(t *testing.T) { Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ EnvoyDeployment: &egv1a1.KubernetesDeploymentSpec{ Container: &egv1a1.KubernetesContainerSpec{ - Image: ptr.To("envoyproxy/envoy:v1.2.3"), - ImageRepository: ptr.To("envoyproxy/envoy"), + Image: ptr.To("envoyproxy/envoy@sha256:da99c47f08546492d19973920dc76334c592f59ad5b732a514320d959db9fa40"), }, }, }, }, } }, - wantErrors: []string{"Either image or imageRepository can be set."}, + wantErrors: []string{}, }, { - desc: "invalid: image set without tag", + desc: "valid: image set without tag", mutate: func(envoy *egv1a1.EnvoyProxy) { envoy.Spec = egv1a1.EnvoyProxySpec{ Provider: &egv1a1.EnvoyProxyProvider{ 
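Review bot: The two digest cases added in the `-1624` and `-1642` hunks (`valid: image set with digest, imageRepository not set` and `valid: image with sha256, imageRepository not set`) only use a well-formed 64-character digest, so no case pins what the rule does with a malformed one. The rule shown in the CRD hunks of this commit ends in `(@sha256:[a-z0-9]+)?$`, which as written also matches a digest of any length and letters outside the hex range; such a value would presumably pass admission and only fail later when the image is pulled. I would tighten the suffix to `(@sha256:[a-f0-9]{64})?$` and add an `invalid: image with malformed digest` case whose `wantErrors` carries the image validation message. The TestEnvoyProxyProvider table starts and ends outside these hunks.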
@@ -1668,7 +1667,44 @@ func TestEnvoyProxyProvider(t *testing.T) { }, } }, - wantErrors: []string{"Image must include a tag and allowed characters only (e.g., 'repo:tag')."}, + wantErrors: []string{}, + }, + { + desc: "valid: imageRepository set without tag, image not set", + mutate: func(envoy *egv1a1.EnvoyProxy) { + envoy.Spec = egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyDeployment: &egv1a1.KubernetesDeploymentSpec{ + Container: &egv1a1.KubernetesContainerSpec{ + ImageRepository: ptr.To("envoyproxy/envoy"), + }, + }, + }, + }, + } + }, + wantErrors: []string{}, + }, + { + desc: "invalid: both image and imageRepository set", + mutate: func(envoy *egv1a1.EnvoyProxy) { + envoy.Spec = egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyDeployment: &egv1a1.KubernetesDeploymentSpec{ + Container: &egv1a1.KubernetesContainerSpec{ + Image: ptr.To("envoyproxy/envoy:v1.2.3"), + ImageRepository: ptr.To("envoyproxy/envoy"), + }, + }, + }, + }, + } + }, + wantErrors: []string{"Either image or imageRepository can be set."}, }, { desc: "invalid: image ends with colon", diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml index 575b0950c9..31bdd8db58 100644 --- a/test/helm/gateway-crds-helm/all.out.yaml +++ b/test/helm/gateway-crds-helm/all.out.yaml @@ -18674,12 +18674,14 @@ spec: unit: description: |- RateLimitUnit specifies the intervals for setting rate limits. - Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day". + Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year". enum: - Second - Minute - Hour - Day + - Month + - Year type: string required: - requests 
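Review bot: Changing `wantErrors` to `[]string{}` at the top of the `-1668` hunk, for the case the previous hunk renames to `valid: image set without tag`, makes an image reference with neither tag nor digest an accepted value, while the message kept in the CRD hunks still reads `Image must include a tag and allowed characters only (e.g., 'repo:tag').` A reference without tag or digest is normally resolved to a mutable default tag, so the proxy image could change between pod restarts with no change to the EnvoyProxy resource. If only digest-pinned references were meant to become valid, the rule could require one of the two, e.g. `^[a-zA-Z0-9._/-]+(:[a-zA-Z0-9._-]+(@sha256:[a-f0-9]{64})?|@sha256:[a-f0-9]{64})$`, and this case would stay `invalid`. Otherwise the message should be reworded to say that tag and digest are both optional. The test table continues outside the hunk.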
@@ -18923,12 +18925,14 @@ spec: unit: description: |- RateLimitUnit specifies the intervals for setting rate limits. - Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day". + Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year". enum: - Second - Minute - Hour - Day + - Month + - Year type: string required: - requests @@ -24543,7 +24547,7 @@ spec: x-kubernetes-validations: - message: Image must include a tag and allowed characters only (e.g., 'repo:tag'). - rule: self.matches('^[a-zA-Z0-9._/-]+:[a-zA-Z0-9._-]+$') + rule: self.matches('^[a-zA-Z0-9._/-]+(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$') imageRepository: description: |- ImageRepository specifies the container image repository to be used without specifying a tag. @@ -28388,7 +28392,7 @@ spec: x-kubernetes-validations: - message: Image must include a tag and allowed characters only (e.g., 'repo:tag'). - rule: self.matches('^[a-zA-Z0-9._/-]+:[a-zA-Z0-9._-]+$') + rule: self.matches('^[a-zA-Z0-9._/-]+(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$') imageRepository: description: |- ImageRepository specifies the container image repository to be used without specifying a tag. diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml index ed85e8407f..09101b2de0 100644 --- a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml +++ b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml @@ -1362,12 +1362,14 @@ spec: unit: description: |- RateLimitUnit specifies the intervals for setting rate limits. - Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day". + Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year". enum: - Second - Minute - Hour - Day + - Month + - Year type: string required: - requests 
@@ -1611,12 +1613,14 @@ spec: unit: description: |- RateLimitUnit specifies the intervals for setting rate limits. - Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day". + Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year". enum: - Second - Minute - Hour - Day + - Month + - Year type: string required: - requests @@ -7231,7 +7235,7 @@ spec: x-kubernetes-validations: - message: Image must include a tag and allowed characters only (e.g., 'repo:tag'). - rule: self.matches('^[a-zA-Z0-9._/-]+:[a-zA-Z0-9._-]+$') + rule: self.matches('^[a-zA-Z0-9._/-]+(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$') imageRepository: description: |- ImageRepository specifies the container image repository to be used without specifying a tag. @@ -11076,7 +11080,7 @@ spec: x-kubernetes-validations: - message: Image must include a tag and allowed characters only (e.g., 'repo:tag'). - rule: self.matches('^[a-zA-Z0-9._/-]+:[a-zA-Z0-9._-]+$') + rule: self.matches('^[a-zA-Z0-9._/-]+(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$') imageRepository: description: |- ImageRepository specifies the container image repository to be used without specifying a tag.