From 5c95f5c298447326fbb0445737022568e1c798f4 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 11 Feb 2026 00:19:45 +0800 Subject: [PATCH 1/2] commit testdata Signed-off-by: zirain --- .../clienttrafficpolicy-http3.out.yaml | 6 +- .../gateway-with-attached-routes.in.yaml | 131 +++ .../gateway-with-attached-routes.out.yaml | 491 +++++++++++ ...allowed-routes-kind-and-supported.out.yaml | 6 +- ...-listener-with-multiple-tcproutes.out.yaml | 2 +- ...-listener-with-multiple-udproutes.out.yaml | 2 +- ...listeners-on-same-tcp-or-tls-port.out.yaml | 2 +- ...th-two-listeners-on-same-udp-port.out.yaml | 2 +- ...ith-tcproutes-without-sectionname.out.yaml | 4 +- ...ith-udproutes-without-sectionname.out.yaml | 4 +- ...to-gateway-with-wildcard-hostname.out.yaml | 2 +- ...route-invalid-no-matching-listener.in.yaml | 237 ++++++ ...oute-invalid-no-matching-listener.out.yaml | 787 ++++++++++++++++++ ...th-tls-terminate-invalid-hostname.out.yaml | 2 +- 14 files changed, 1662 insertions(+), 16 deletions(-) create mode 100644 internal/gatewayapi/testdata/gateway-with-attached-routes.in.yaml create mode 100644 internal/gatewayapi/testdata/gateway-with-attached-routes.out.yaml create mode 100644 internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.in.yaml create mode 100644 internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.out.yaml diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml index d0548d1b5e..3dcec29a7d 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml @@ -79,7 +79,7 @@ gateways: mode: Terminate status: listeners: - - attachedRoutes: 2 + - attachedRoutes: 0 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane 
@@ -109,7 +109,7 @@ gateways: kind: HTTPRoute - group: gateway.networking.k8s.io kind: GRPCRoute - - attachedRoutes: 2 + - attachedRoutes: 1 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane @@ -139,7 +139,7 @@ gateways: kind: HTTPRoute - group: gateway.networking.k8s.io kind: GRPCRoute - - attachedRoutes: 2 + - attachedRoutes: 1 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane diff --git a/internal/gatewayapi/testdata/gateway-with-attached-routes.in.yaml b/internal/gatewayapi/testdata/gateway-with-attached-routes.in.yaml new file mode 100644 index 0000000000..68960b4ec1 --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-with-attached-routes.in.yaml 
@@ -0,0 +1,131 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ name: gateway-with-one-attached-route
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ kinds:
+ - kind: HTTPRoute
+ namespaces:
+ from: Same
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ name: gateway-with-two-attached-routes
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ hostname: "foo.example.com"
+ allowedRoutes:
+ kinds:
+ - kind: HTTPRoute
+ namespaces:
+ from: Same
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ metadata:
+ name: unresolved-gateway-with-one-attached-unresolved-route
+ namespace: envoy-gateway
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: tls
+ port: 443
+ protocol: HTTPS
+ allowedRoutes:
+ kinds:
+ - kind: HTTPRoute
+ namespaces:
+ from: Same
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: does-not-exist
+ mode: Terminate
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ name: http-route-1
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - kind: Gateway
+ name: gateway-with-one-attached-route
+ namespace: envoy-gateway
+ rules:
+ - backendRefs:
+ - name: infra-backend-v1
+ port: 8080
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ name: http-route-2
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - kind: Gateway
+ name: gateway-with-two-attached-routes
+ namespace: envoy-gateway
+ rules:
+ - backendRefs:
+ - name: infra-backend-v1
+ port: 8080
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ name: http-route-3
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - kind: Gateway
+ name: gateway-with-two-attached-routes
+ namespace: envoy-gateway
+ rules:
+ - backendRefs:
+ - name: infra-backend-v1
+ port: 8080
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: HTTPRoute
+ metadata:
+ name: http-route-not-accepted
+ namespace: envoy-gateway
+ spec:
+ hostnames:
+ # mismatched hostname here (listener hostname is foo.example.com) triggers NoMatchingListenerHostname reason
+ - "not-accepted.test.com"
+ parentRefs:
+ - kind: Gateway
+ name: gateway-with-two-attached-routes
+ namespace: envoy-gateway
+ rules:
+ - backendRefs:
+ - name: infra-backend-v1
+ port: 8080
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: HTTPRoute
+ metadata:
+ name: http-route-4
+ namespace: envoy-gateway
+ spec:
+ parentRefs:
+ - kind: Gateway
+ name: unresolved-gateway-with-one-attached-unresolved-route
+ namespace: envoy-gateway
+ sectionName: tls
+ rules:
+ - backendRefs:
+ - name: does-not-exist
+ port: 8080
diff --git a/internal/gatewayapi/testdata/gateway-with-attached-routes.out.yaml b/internal/gatewayapi/testdata/gateway-with-attached-routes.out.yaml
new file mode 100644
index 0000000000..b2cdb8f7df
--- /dev/null
+++ b/internal/gatewayapi/testdata/gateway-with-attached-routes.out.yaml
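Review bot: This input defines no `services` entry for `infra-backend-v1`, so every HTTPRoute that references it, including the three meant to count as attached, also gets `ResolvedRefs: "False"` / `BackendNotFound` and a `directResponse` with `statusCode: 500` in the golden output added by the same patch. That ties a fixture named for `attachedRoutes` counting to backend resolution, so a later change to backend handling would rewrite this golden file for an unrelated reason. If the missing backend is deliberate, say so next to the first `backendRefs`, e.g. `# no Service is defined on purpose: attachedRoutes must not depend on backend resolution`; otherwise add a `services:` entry for `infra-backend-v1`. The `does-not-exist` certificate ref on the third gateway and the `does-not-exist` backend on `http-route-4` deserve the same kind of one-line comment that `http-route-not-accepted` already has.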
@@ -0,0 +1,491 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-with-one-attached-route + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + kinds: + - kind: HTTPRoute + namespaces: + from: Same + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - kind: HTTPRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-with-two-attached-routes + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + kinds: + - kind: HTTPRoute + namespaces: + from: Same + hostname: foo.example.com + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - kind: HTTPRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: unresolved-gateway-with-one-attached-unresolved-route + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - 
allowedRoutes: + kinds: + - kind: HTTPRoute + namespaces: + from: Same + name: tls + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: "" + kind: Secret + name: does-not-exist + mode: Terminate + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: 'No valid secrets exist: certificate refs 0: Secret envoy-gateway/does-not-exist + does not exist.' + reason: InvalidCertificateRef + status: "False" + type: ResolvedRefs + - lastTransitionTime: null + message: Listener is invalid, see other Conditions for details. + reason: Invalid + status: "False" + type: Programmed + name: tls + supportedKinds: + - kind: HTTPRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: http-route-1 + namespace: envoy-gateway + spec: + parentRefs: + - kind: Gateway + name: gateway-with-one-attached-route + namespace: envoy-gateway + rules: + - backendRefs: + - name: infra-backend-v1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: 'Failed to process route rule 0 backendRef 0: service envoy-gateway/infra-backend-v1 + not found.' 
+ reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + kind: Gateway + name: gateway-with-one-attached-route + namespace: envoy-gateway +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: http-route-2 + namespace: envoy-gateway + spec: + parentRefs: + - kind: Gateway + name: gateway-with-two-attached-routes + namespace: envoy-gateway + rules: + - backendRefs: + - name: infra-backend-v1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: 'Failed to process route rule 0 backendRef 0: service envoy-gateway/infra-backend-v1 + not found.' + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + kind: Gateway + name: gateway-with-two-attached-routes + namespace: envoy-gateway +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: http-route-3 + namespace: envoy-gateway + spec: + parentRefs: + - kind: Gateway + name: gateway-with-two-attached-routes + namespace: envoy-gateway + rules: + - backendRefs: + - name: infra-backend-v1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: 'Failed to process route rule 0 backendRef 0: service envoy-gateway/infra-backend-v1 + not found.' 
+ reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + kind: Gateway + name: gateway-with-two-attached-routes + namespace: envoy-gateway +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: http-route-not-accepted + namespace: envoy-gateway + spec: + hostnames: + - not-accepted.test.com + parentRefs: + - kind: Gateway + name: gateway-with-two-attached-routes + namespace: envoy-gateway + rules: + - backendRefs: + - name: infra-backend-v1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: There were no hostname intersections between the HTTPRoute and this + parent ref's Listener(s). + reason: NoMatchingListenerHostname + status: "False" + type: Accepted + - lastTransitionTime: null + message: 'Failed to process route rule 0 backendRef 0: service envoy-gateway/infra-backend-v1 + not found.' + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + kind: Gateway + name: gateway-with-two-attached-routes + namespace: envoy-gateway +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: HTTPRoute + metadata: + name: http-route-4 + namespace: envoy-gateway + spec: + parentRefs: + - kind: Gateway + name: unresolved-gateway-with-one-attached-unresolved-route + namespace: envoy-gateway + sectionName: tls + rules: + - backendRefs: + - name: does-not-exist + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: There are no ready listeners for this parent ref + reason: NoReadyListeners + status: "False" + type: Accepted + - lastTransitionTime: null + message: 'Failed to process route rule 0 backendRef 0: service envoy-gateway/does-not-exist + not found.' 
+ reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + kind: Gateway + name: unresolved-gateway-with-one-attached-unresolved-route + namespace: envoy-gateway + sectionName: tls +infraIR: + envoy-gateway/gateway-with-one-attached-route: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-with-one-attached-route/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-with-one-attached-route + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-with-one-attached-route + namespace: envoy-gateway-system + envoy-gateway/gateway-with-two-attached-routes: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-with-two-attached-routes/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-with-two-attached-routes + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-with-two-attached-routes + namespace: envoy-gateway-system + envoy-gateway/unresolved-gateway-with-one-attached-unresolved-route: + proxy: + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: unresolved-gateway-with-one-attached-unresolved-route + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/unresolved-gateway-with-one-attached-unresolved-route + namespace: envoy-gateway-system +xdsIR: + envoy-gateway/gateway-with-one-attached-route: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + 
name: envoy-envoy-gateway-gateway-with-one-attached-route-f0ed6fc6 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-with-one-attached-route + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-with-one-attached-route-f0ed6fc6 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-with-one-attached-route + protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-with-one-attached-route + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-with-one-attached-route/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: http-route-1 + namespace: envoy-gateway + name: httproute/envoy-gateway/http-route-1/rule/0/match/-1/* + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + envoy-gateway/gateway-with-two-attached-routes: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-with-two-attached-routes-c54cdc4a + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-with-two-attached-routes + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-with-two-attached-routes-c54cdc4a + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-with-two-attached-routes + protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - foo.example.com + isHTTP2: false + metadata: + kind: Gateway + name: gateway-with-two-attached-routes + namespace: envoy-gateway + 
sectionName: http + name: envoy-gateway/gateway-with-two-attached-routes/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: foo.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: http-route-2 + namespace: envoy-gateway + name: httproute/envoy-gateway/http-route-2/rule/0/match/-1/foo_example_com + - directResponse: + statusCode: 500 + hostname: foo.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: http-route-3 + namespace: envoy-gateway + name: httproute/envoy-gateway/http-route-3/rule/0/match/-1/foo_example_com + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + envoy-gateway/unresolved-gateway-with-one-attached-unresolved-route: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-unresolved-gateway-with-one-attach-59942f55 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/unresolved-gateway-with-one-attached-unresolved-route + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-unresolved-gateway-with-one-attach-59942f55 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/unresolved-gateway-with-one-attached-unresolved-route + protocol: TCP + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.out.yaml index e3eee27117..ad9f652f5d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.out.yaml 
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.out.yaml @@ -19,7 +19,7 @@ gateways: protocol: HTTP status: listeners: - - attachedRoutes: 0 + - attachedRoutes: 1 conditions: - lastTransitionTime: null message: FooRoute is not supported, kind must be one of [HTTPRoute] @@ -55,8 +55,8 @@ httpRoutes: parents: - conditions: - lastTransitionTime: null - message: No listeners included by this parent ref allowed this attachment. - reason: NotAllowedByListeners + message: There are no ready listeners for this parent ref + reason: NoReadyListeners status: "False" type: Accepted - lastTransitionTime: null diff --git a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml index 951884110d..8d9375f98d 100644 --- a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml @@ -15,7 +15,7 @@ gateways: protocol: TCP status: listeners: - - attachedRoutes: 2 + - attachedRoutes: 1 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane diff --git a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml index 74fe03fc43..8fbda91ec0 100644 --- a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml @@ -15,7 +15,7 @@ gateways: protocol: UDP status: listeners: - - attachedRoutes: 2 + - attachedRoutes: 1 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane 
diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml index e32cc2cbd0..f255acbcf4 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml @@ -42,7 +42,7 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute - - attachedRoutes: 1 + - attachedRoutes: 0 conditions: - lastTransitionTime: null message: Listener must have TLS set when protocol is TLS. diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml index f858c8d772..afc8fb45a6 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml @@ -42,7 +42,7 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: UDPRoute - - attachedRoutes: 1 + - attachedRoutes: 0 conditions: - lastTransitionTime: null message: Only one UDP listener is allowed in a given port diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml index d56a562491..9f60e87a9e 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml @@ -21,7 +21,7 @@ gateways: protocol: TCP status: listeners: - - attachedRoutes: 2 + - attachedRoutes: 1 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane 
@@ -42,7 +42,7 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: TCPRoute - - attachedRoutes: 2 + - attachedRoutes: 1 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml index a981731751..03c54a5995 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml @@ -21,7 +21,7 @@ gateways: protocol: UDP status: listeners: - - attachedRoutes: 2 + - attachedRoutes: 1 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane @@ -42,7 +42,7 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: UDPRoute - - attachedRoutes: 2 + - attachedRoutes: 1 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane diff --git a/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml index d13104bed8..57753dbc0b 100644 --- a/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml @@ -16,7 +16,7 @@ gateways: protocol: HTTP status: listeners: - - attachedRoutes: 1 + - attachedRoutes: 0 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane 
diff --git a/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.in.yaml b/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.in.yaml
new file mode 100644
index 0000000000..42b04404ec
--- /dev/null
+++ b/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.in.yaml
@@ -0,0 +1,237 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-tls-passthrough-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: tls-passthrough + protocol: TLS + port: 443 + allowedRoutes: + namespaces: + from: Same + tls: + mode: Passthrough + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-http-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: Same + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-tcproute-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: tls-passthrough + protocol: TLS + port: 443 + allowedRoutes: + namespaces: + from: Same + kinds: + - kind: TCPRoute + group: gateway.networking.k8s.io + tls: + mode: Passthrough + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-https-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: https + port: 443 + protocol: HTTPS + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - name: tls-secret-1 + namespace: envoy-gateway + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tls-exact-hostname + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: tls + port: 443 + protocol: TLS + hostname: "www.example.com" + allowedRoutes: + namespaces: + from: Same + kinds: + - kind: TLSRoute + tls: + mode: Passthrough + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tls-wildcard-hostname + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: tls + 
port: 443 + protocol: TLS + hostname: "*.example.com" + allowedRoutes: + namespaces: + from: Same + kinds: + - kind: TLSRoute + group: gateway.networking.k8s.io + tls: + mode: Passthrough +tlsRoutes: + - apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-not-allowed-protocol-http + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-tlsroute-http-only + hostnames: + - tls.example.com + rules: + - backendRefs: + - name: tls-backend + port: 8443 + - apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-not-allowed-kind + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-tlsroute-tcproute-only + hostnames: + - tls.example.com + rules: + - backendRefs: + - name: tls-backend + port: 8443 + - apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-not-allowed-protocol-https + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-tlsroute-https-only + hostnames: + - tls.example.com + rules: + - backendRefs: + - name: tls-backend + port: 8443 + - apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-no-matching-section-name + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-tlsroute-tls-passthrough-only + sectionName: nonexistent-listener + hostnames: + - tls.example.com + rules: + - backendRefs: + - name: tls-backend + port: 8443 + - apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-hostname-mismatch-1 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-tls-exact-hostname + hostnames: + - "www.nomatch.com" + - "*.nomatch.com" + rules: + - backendRefs: + - name: tls-backend + port: 8443 + - apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-hostname-mismatch-2 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-tls-wildcard-hostname + hostnames: + - 
"www.different.com" + - "*.different.com" + rules: + - backendRefs: + - name: tls-backend + port: 8443 +secrets: + - apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway + name: tls-secret-1 + type: kubernetes.io/tls + data: + tls.crt: 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 + tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXM
KN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1M1YvYmhnc0VSUzM1V2xmRk9BdDBzRUR5bjF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2REK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K +services: + - apiVersion: v1 + kind: Service + metadata: + name: tls-backend + namespace: envoy-gateway + spec: + clusterIP: 10.11.12.13 + ports: + - port: 8443 + name: https + protocol: TCP + targetPort: 8443 +endpointSlices: + - apiVersion: discovery.k8s.io/v1 + kind: EndpointSlice + metadata: + name: tls-backend + namespace: envoy-gateway + labels: + kubernetes.io/service-name: tls-backend + addressType: IPv4 + ports: + - name: https + protocol: TCP + port: 8443 + endpoints: + - addresses: + - "10.244.0.11" + conditions: + ready: true diff --git a/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.out.yaml b/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.out.yaml new file mode 100644 index 0000000000..45d05142fb --- /dev/null +++ b/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.out.yaml 
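Review bot: The `secrets` entry `tls-secret-1` near the end of `tlsroute-invalid-no-matching-listener.in.yaml` carries a complete base64-encoded PEM private key in `tls.key`, and nothing in the file marks it as throwaway test material. Committed key material is flagged by secret scanners and is easy to copy into a real manifest by mistake, so label it above `data:`, e.g. `# test-only key pair for translator fixtures; never deploy`, assuming that is what it is. Only the `gateway-tlsroute-https-only` listener references this secret, so if an identical pair already exists in another fixture under `testdata/`, reusing it would avoid adding another committed key. If the project runs a secret scanner, allowlist the testdata path once instead of suppressing individual findings.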
@@ -0,0 +1,787 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-tls-passthrough-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: tls-passthrough + port: 443 + protocol: TLS + tls: + mode: Passthrough + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: tls-passthrough + supportedKinds: + - group: gateway.networking.k8s.io + kind: TLSRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-http-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-tcproute-only + namespace: envoy-gateway 
+ spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + kinds: + - group: gateway.networking.k8s.io + kind: TCPRoute + namespaces: + from: Same + name: tls-passthrough + port: 443 + protocol: TLS + tls: + mode: Passthrough + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: TCPRoute is not supported, kind must be one of [TLSRoute] + reason: InvalidRouteKinds + status: "False" + type: ResolvedRefs + - lastTransitionTime: null + message: Listener is invalid, see other Conditions for details. + reason: Invalid + status: "False" + type: Programmed + name: tls-passthrough + supportedKinds: [] +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-https-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: https + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: null + kind: null + name: tls-secret-1 + namespace: envoy-gateway + mode: Terminate + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: https + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tls-exact-hostname + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + kinds: + - kind: TLSRoute + namespaces: + from: Same + hostname: 
www.example.com + name: tls + port: 443 + protocol: TLS + tls: + mode: Passthrough + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: tls + supportedKinds: + - kind: TLSRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tls-wildcard-hostname + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + kinds: + - group: gateway.networking.k8s.io + kind: TLSRoute + namespaces: + from: Same + hostname: '*.example.com' + name: tls + port: 443 + protocol: TLS + tls: + mode: Passthrough + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: tls + supportedKinds: + - group: gateway.networking.k8s.io + kind: TLSRoute +infraIR: + envoy-gateway/gateway-tls-exact-hostname: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-tls-exact-hostname/tls + ports: + - containerPort: 10443 + name: tls-443 + protocol: TLS + servicePort: 443 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-tls-exact-hostname + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + 
ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-tls-exact-hostname + namespace: envoy-gateway-system + envoy-gateway/gateway-tls-wildcard-hostname: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-tls-wildcard-hostname/tls + ports: + - containerPort: 10443 + name: tls-443 + protocol: TLS + servicePort: 443 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-tls-wildcard-hostname + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-tls-wildcard-hostname + namespace: envoy-gateway-system + envoy-gateway/gateway-tlsroute-http-only: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-tlsroute-http-only/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-tlsroute-http-only + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-tlsroute-http-only + namespace: envoy-gateway-system + envoy-gateway/gateway-tlsroute-https-only: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-tlsroute-https-only/https + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + servicePort: 443 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-tlsroute-https-only + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-tlsroute-https-only + namespace: envoy-gateway-system + envoy-gateway/gateway-tlsroute-tcproute-only: + proxy: + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-tlsroute-tcproute-only + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + 
kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-tlsroute-tcproute-only + namespace: envoy-gateway-system + envoy-gateway/gateway-tlsroute-tls-passthrough-only: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-tlsroute-tls-passthrough-only/tls-passthrough + ports: + - containerPort: 10443 + name: tls-443 + protocol: TLS + servicePort: 443 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-tlsroute-tls-passthrough-only + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-tlsroute-tls-passthrough-only + namespace: envoy-gateway-system +tlsRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-not-allowed-protocol-http + namespace: envoy-gateway + spec: + hostnames: + - tls.example.com + parentRefs: + - name: gateway-tlsroute-http-only + rules: + - backendRefs: + - name: tls-backend + port: 8443 + status: + parents: + - conditions: + - lastTransitionTime: null + message: No listeners included by this parent ref allowed this attachment. + reason: NotAllowedByListeners + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-tlsroute-http-only +- apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-not-allowed-kind + namespace: envoy-gateway + spec: + hostnames: + - tls.example.com + parentRefs: + - name: gateway-tlsroute-tcproute-only + rules: + - backendRefs: + - name: tls-backend + port: 8443 + status: + parents: + - conditions: + - lastTransitionTime: null + message: No listeners included by this parent ref allowed this attachment. 
+ reason: NotAllowedByListeners + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-tlsroute-tcproute-only +- apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-not-allowed-protocol-https + namespace: envoy-gateway + spec: + hostnames: + - tls.example.com + parentRefs: + - name: gateway-tlsroute-https-only + rules: + - backendRefs: + - name: tls-backend + port: 8443 + status: + parents: + - conditions: + - lastTransitionTime: null + message: No listeners included by this parent ref allowed this attachment. + reason: NotAllowedByListeners + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-tlsroute-https-only +- apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-no-matching-section-name + namespace: envoy-gateway + spec: + hostnames: + - tls.example.com + parentRefs: + - name: gateway-tlsroute-tls-passthrough-only + sectionName: nonexistent-listener + rules: + - backendRefs: + - name: tls-backend + port: 8443 + status: + parents: + - conditions: + - lastTransitionTime: null + message: No listeners match this parent ref + reason: NoMatchingParent + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-tlsroute-tls-passthrough-only + sectionName: nonexistent-listener +- apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: 
TLSRoute + metadata: + name: tlsroute-hostname-mismatch-1 + namespace: envoy-gateway + spec: + hostnames: + - www.nomatch.com + - '*.nomatch.com' + parentRefs: + - name: gateway-tls-exact-hostname + rules: + - backendRefs: + - name: tls-backend + port: 8443 + status: + parents: + - conditions: + - lastTransitionTime: null + message: There were no hostname intersections between the TLSRoute and this + parent ref's Listener(s). + reason: NoMatchingListenerHostname + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-tls-exact-hostname +- apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-hostname-mismatch-2 + namespace: envoy-gateway + spec: + hostnames: + - www.different.com + - '*.different.com' + parentRefs: + - name: gateway-tls-wildcard-hostname + rules: + - backendRefs: + - name: tls-backend + port: 8443 + status: + parents: + - conditions: + - lastTransitionTime: null + message: There were no hostname intersections between the TLSRoute and this + parent ref's Listener(s). 
+ reason: NoMatchingListenerHostname + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-tls-wildcard-hostname +xdsIR: + envoy-gateway/gateway-tls-exact-hostname: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tls-exact-hostname-5ccc95e9 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tls-exact-hostname + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tls-exact-hostname-5ccc95e9 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tls-exact-hostname + protocol: TCP + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + tcp: + - address: 0.0.0.0 + externalPort: 443 + metadata: + kind: Gateway + name: gateway-tls-exact-hostname + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-tls-exact-hostname/tls + port: 10443 + envoy-gateway/gateway-tls-wildcard-hostname: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tls-wildcard-hostname-90a4fdc8 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tls-wildcard-hostname + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tls-wildcard-hostname-90a4fdc8 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tls-wildcard-hostname + protocol: TCP + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 
19003 + tcp: + - address: 0.0.0.0 + externalPort: 443 + metadata: + kind: Gateway + name: gateway-tls-wildcard-hostname + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-tls-wildcard-hostname/tls + port: 10443 + envoy-gateway/gateway-tlsroute-http-only: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-http-only-f8771668 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-http-only + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-http-only-f8771668 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-http-only + protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-tlsroute-http-only + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-tlsroute-http-only/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + envoy-gateway/gateway-tlsroute-https-only: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-https-only-d05b9162 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-https-only + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-https-only-d05b9162 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-https-only + protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 443 + hostnames: + - '*' + isHTTP2: 
false + metadata: + kind: Gateway + name: gateway-tlsroute-https-only + namespace: envoy-gateway + sectionName: https + name: envoy-gateway/gateway-tlsroute-https-only/https + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 + tls: + alpnProtocols: null + certificates: + - certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= + name: envoy-gateway/tls-secret-1 + privateKey: '[redacted]' + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + 
envoy-gateway/gateway-tlsroute-tcproute-only: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-tcproute-only-54b16df4 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-tcproute-only + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-tcproute-only-54b16df4 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-tcproute-only + protocol: TCP + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + envoy-gateway/gateway-tlsroute-tls-passthrough-only: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-tls-passthrough-o-92dd85f5 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-tls-passthrough-only + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-tls-passthrough-o-92dd85f5 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-tls-passthrough-only + protocol: TCP + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + tcp: + - address: 0.0.0.0 + externalPort: 443 + metadata: + kind: Gateway + name: gateway-tlsroute-tls-passthrough-only + namespace: envoy-gateway + sectionName: tls-passthrough + name: envoy-gateway/gateway-tlsroute-tls-passthrough-only/tls-passthrough + port: 10443 diff --git a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.out.yaml index e895d94432..ff076452c0 100644 
--- a/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-tls-terminate-invalid-hostname.out.yaml @@ -22,7 +22,7 @@ gateways: mode: Terminate status: listeners: - - attachedRoutes: 1 + - attachedRoutes: 0 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane From 15a9479133cf581e9fa57375aade0b7a6980f9b1 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 11 Feb 2026 01:57:15 +0800 Subject: [PATCH 2/2] update 
Signed-off-by: zirain --- internal/gatewayapi/contexts.go | 9 +- internal/gatewayapi/route.go | 61 ++++++------ ...with-unsupported-extension-filter.out.yaml | 14 +++ .../gateway-with-attached-routes.out.yaml | 6 +- ...with-tcproute-with-multiple-rules.out.yaml | 2 +- ...with-udproute-with-multiple-rules.out.yaml | 2 +- ...th-two-listeners-on-same-udp-port.out.yaml | 2 +- .../httproute-filter-match-matrix.out.yaml | 80 ++++++++++++++++ ...tproute-with-credential-injection.out.yaml | 13 +++ ...header-filter-empty-header-values.out.yaml | 20 ++++ ...-with-header-filter-empty-headers.out.yaml | 20 ++++ ...ader-filter-invalid-header-values.out.yaml | 20 ++++ ...ith-header-filter-invalid-headers.out.yaml | 58 ++++++++++++ ...th-header-filter-no-valid-headers.out.yaml | 14 +++ ...direct-filter-invalid-filter-type.out.yaml | 14 +++ ...th-redirect-filter-invalid-scheme.out.yaml | 14 +++ ...th-redirect-filter-invalid-status.out.yaml | 14 +++ ...header-filter-empty-header-values.out.yaml | 20 ++++ ...ponse-header-filter-empty-headers.out.yaml | 20 ++++ ...ader-filter-invalid-header-values.out.yaml | 20 ++++ ...nse-header-filter-invalid-headers.out.yaml | 58 ++++++++++++ ...se-header-filter-no-valid-headers.out.yaml | 14 +++ ...rlrewrite-filter-invalid-hostname.out.yaml | 14 +++ ...e-filter-invalid-multiple-filters.out.yaml | 20 ++++ ...lrewrite-filter-invalid-path-type.out.yaml | 17 ++++ ...th-urlrewrite-filter-invalid-path.out.yaml | 14 +++ ...th-urlrewrite-filter-missing-path.out.yaml | 14 +++ ...ilter-regex-match-replace-invalid.out.yaml | 83 ++++++++++++++++ ...rlrewrite-hostname-filter-invalid.out.yaml | 94 +++++++++++++++++++ ...oute-invalid-no-matching-listener.out.yaml | 15 +-- 30 files changed, 715 insertions(+), 51 deletions(-) diff --git a/internal/gatewayapi/contexts.go b/internal/gatewayapi/contexts.go index 66dbce04ba..fedd984809 100644 --- a/internal/gatewayapi/contexts.go +++ b/internal/gatewayapi/contexts.go 
@@ -129,6 +129,12 @@ func (l *ListenerContext) SetSupportedKinds(kinds ...gwapiv1.RouteGroupKind) { } } +// IncrementAttachedRoutes increments the number of attached routes for the listener in the status. +// +// xref: https://github.com/kubernetes-sigs/gateway-api/issues/2402 +// Namely: +// - AttachedRoutes should be set on Listeners that are valid or invalid +// - The count of AttachedRoutes should include Routes that are valid or invalid func (l *ListenerContext) IncrementAttachedRoutes() { if l.isFromXListenerSet() { l.xListenerSet.Status.Listeners[l.xListenerSetStatusIdx].AttachedRoutes++ @@ -155,7 +161,8 @@ func (l *ListenerContext) AllowsKind(kind gwapiv1.RouteGroupKind) bool { } for _, allowed := range supportedKinds { - if GroupDerefOr(allowed.Group, "") == GroupDerefOr(kind.Group, "") && + // The default group is "gateway.networking.k8s.io" + if GroupDerefOr(allowed.Group, "gateway.networking.k8s.io") == GroupDerefOr(kind.Group, "gateway.networking.k8s.io") && allowed.Kind == kind.Kind { return true } diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 36215ce253..fe1f1b5a8f 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -179,12 +179,6 @@ func (t *Translator) processHTTPRouteParentRefs(httpRoute *HTTPRouteContext, res "Resolved all the Object references for the Route", ) } - - // Skip parent refs that did not accept the route - if parentRef.HasCondition(httpRoute, gwapiv1.RouteConditionAccepted, metav1.ConditionFalse) { - continue - } - hasHostnameIntersection := t.processHTTPRouteParentRefListener(httpRoute, routeRoutes, parentRef, xdsIR) if !hasHostnameIntersection { routeStatus := GetRouteStatus(httpRoute) 
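Review bot: The literal `"gateway.networking.k8s.io"` is written twice inside the comparison in AllowsKind, which decides whether a route kind may attach to a listener, so a typo on either side would silently change that decision. Use the exported constant instead: `if GroupDerefOr(allowed.Group, gwapiv1.GroupName) == GroupDerefOr(kind.Group, gwapiv1.GroupName) &&`. The new comment could also say why the default matters, for example `// A nil group means the Gateway API group, so an entry with only a kind must equal one that names the group explicitly.` AllowsKind starts above the hunk and continues below it.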
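Review bot: Removing the Accepted=False skip here (it is re-added after the hostname check in the @@ -198 hunk) means processHTTPRouteParentRefListener now runs for parent refs that were already rejected. The golden files updated in this patch suggest the effect reaches the data plane: httproute-with-unsupported-extension-filter.out.yaml gains a `directResponse` route with `statusCode: 500` on a listener that had no route before. If only the AttachedRoutes count is meant to change, say so at the call, e.g. `// Run for rejected parent refs too: AttachedRoutes counts valid and invalid routes.`, and confirm that the new 500 routes are intended rather than a side effect of the reordering. The enclosing loop starts and ends outside the hunk.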
@@ -198,6 +192,11 @@ func (t *Translator) processHTTPRouteParentRefs(httpRoute *HTTPRouteContext, res ) } + // Skip parent refs that did not accept the route + if parentRef.HasCondition(httpRoute, gwapiv1.RouteConditionAccepted, metav1.ConditionFalse) { + continue + } + // If no negative conditions have been set, the route is considered "Accepted=True". if parentRef.HTTPRoute != nil && len(parentRef.HTTPRoute.Status.Parents[parentRef.routeParentStatusIdx].Conditions) == 0 { @@ -211,7 +210,6 @@ func (t *Translator) processHTTPRouteParentRefs(httpRoute *HTTPRouteContext, res "Route is accepted", ) } - } } @@ -1248,14 +1246,18 @@ func (t *Translator) processGRPCRouteMethodRegularExpression(method *gwapiv1.GRP } func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, routeRoutes []*ir.HTTPRoute, parentRef *RouteParentContext, xdsIR resource.XdsIRMap) bool { - var hasHostnameIntersection bool - + // need to check hostname intersection if there are listeners + hasHostnameIntersection := len(parentRef.listeners) == 0 for _, listener := range parentRef.listeners { hosts := computeHosts(GetHostnames(route), listener) if len(hosts) == 0 { continue } hasHostnameIntersection = true + listener.IncrementAttachedRoutes() + if !listener.IsReady() { + continue + } var perHostRoutes []*ir.HTTPRoute for _, host := range hosts { 
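Review bot: `listener.IncrementAttachedRoutes()` in processHTTPRouteParentRefListener runs once per parentRef and listener pair. A route with two parentRefs that resolve to the same listener would presumably be counted twice, and this patch deletes the comment in processAllowedListenersForParentRefs that flagged this double-counting risk without replacing it. Either de-duplicate per route on the ListenerContext or keep a note such as `// NOTE: counts once per parentRef; a route with several parentRefs to this listener is counted more than once.` The comment `// need to check hostname intersection if there are listeners` also does not explain why the flag starts true for an empty list; `// No listeners: nothing to intersect, so do not report a hostname mismatch.` would be clearer. The same two points apply to the TLSRoute loop in the @@ -1412 hunk, and the function body continues outside this hunk.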
@@ -1412,19 +1414,18 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour ) } - // Skip parent refs that did not accept the route - if parentRef.HasCondition(tlsRoute, gwapiv1.RouteConditionAccepted, metav1.ConditionFalse) { - continue - } - - var hasHostnameIntersection bool + // need to check hostname intersection if there are listeners + hasHostnameIntersection := len(parentRef.listeners) == 0 for _, listener := range parentRef.listeners { hosts := computeHosts(GetHostnames(tlsRoute), listener) if len(hosts) == 0 { continue } - hasHostnameIntersection = true + listener.IncrementAttachedRoutes() + if !listener.IsReady() { + continue + } irKey := t.getIRKey(listener.gateway.Gateway) gwXdsIR := xdsIR[irKey] @@ -1462,7 +1463,6 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour Metadata: buildResourceMetadata(tlsRoute, nil), } irListener.Routes = append(irListener.Routes, irRoute) - } } @@ -1478,6 +1478,11 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour ) } + // Skip parent refs that did not accept the route + if parentRef.HasCondition(tlsRoute, gwapiv1.RouteConditionAccepted, metav1.ConditionFalse) { + continue + } + // If no negative conditions have been set, the route is considered "Accepted=True". if parentRef.TLSRoute != nil && len(parentRef.TLSRoute.Status.Parents[parentRef.routeParentStatusIdx].Conditions) == 0 { @@ -1591,9 +1596,10 @@ func (t *Translator) processUDPRouteParentRefs(udpRoute *UDPRouteContext, resour accepted := false for _, listener := range parentRef.listeners { // only one route is allowed for a UDP listener - if listener.AttachedRoutes() > 1 { + if listener.AttachedRoutes() >= 1 { continue } + listener.IncrementAttachedRoutes() if !listener.IsReady() { continue } 
@@ -1741,12 +1747,14 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour accepted := false for _, listener := range parentRef.listeners { // only one route is allowed for a TCP listener - if listener.AttachedRoutes() > 1 { + if listener.AttachedRoutes() >= 1 { continue } if !listener.IsReady() { continue } + listener.IncrementAttachedRoutes() + accepted = true irKey := t.getIRKey(listener.gateway.Gateway) @@ -1774,9 +1782,7 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour } irListener.Routes = append(irListener.Routes, irRoute) - } - } // If no negative conditions have been set, the route is considered "Accepted=True". @@ -2237,16 +2243,7 @@ func (t *Translator) processAllowedListenersForParentRefs( ) continue } - - // Its safe to increment AttachedRoutes since we've found a valid parentRef - // and the listener allows this Route kind - - // Theoretically there should only be one parent ref per - // Route that attaches to a given Listener, so fine to just increment here, but we - // might want to check to ensure we're not double-counting. - for _, listener := range allowedListeners { - listener.IncrementAttachedRoutes() - } + parentRefCtx.SetListeners(allowedListeners...) if !HasReadyListener(selectedListeners) { routeStatus := GetRouteStatus(routeContext) @@ -2261,8 +2258,6 @@ func (t *Translator) processAllowedListenersForParentRefs( continue } - parentRefCtx.SetListeners(allowedListeners...) - routeStatus := GetRouteStatus(routeContext) status.SetRouteStatusCondition(routeStatus, parentRefCtx.routeParentStatusIdx, diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-unsupported-extension-filter.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-unsupported-extension-filter.out.yaml index 9cc9e1a5da..00d44f90ac 100644 --- a/internal/gatewayapi/testdata/extensions/httproute-with-unsupported-extension-filter.out.yaml 
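Review bot: In the TCP loop `listener.IncrementAttachedRoutes()` is placed after `if !listener.IsReady() { continue }`, while the UDP hunk (@@ -1591) and the HTTP and TLS loops call it before the readiness check. A TCPRoute bound to a listener that is not ready is therefore not counted, which contradicts the doc comment this patch adds in contexts.go (AttachedRoutes is set on listeners that are valid or invalid). Move the call up so it sits directly after the `if listener.AttachedRoutes() >= 1 { continue }` guard, matching the UDP loop. The loop body continues outside the hunk.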
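Review bot: `parentRefCtx.SetListeners(allowedListeners...)` now runs before the `HasReadyListener` check in the @@ -2237 hunk, so a parent ref with no ready listener still carries its listeners into the per-route loops. Every reader of `parentRef.listeners` must now filter with `listener.IsReady()` itself. This patch adds that check to the HTTP and TLS loops and the TCP and UDP loops already had it, but any reader outside this diff should be confirmed, since a missed check would build IR for a listener that failed validation. A comment at the call would make the contract explicit: `// Set even when no listener is ready so AttachedRoutes can be counted; callers must check IsReady() before building IR.` The function starts and ends outside the hunk.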
+++ b/internal/gatewayapi/testdata/extensions/httproute-with-unsupported-extension-filter.out.yaml @@ -142,6 +142,20 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/gateway-with-attached-routes.out.yaml b/internal/gatewayapi/testdata/gateway-with-attached-routes.out.yaml index b2cdb8f7df..09c3d3be73 100644 --- a/internal/gatewayapi/testdata/gateway-with-attached-routes.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-attached-routes.out.yaml @@ -291,8 +291,7 @@ infraIR: envoy-gateway/gateway-with-one-attached-route: proxy: listeners: - - address: null - name: envoy-gateway/gateway-with-one-attached-route/http + - name: envoy-gateway/gateway-with-one-attached-route/http ports: - containerPort: 10080 name: http-80 @@ -310,8 +309,7 @@ infraIR: envoy-gateway/gateway-with-two-attached-routes: proxy: listeners: - - address: null - name: envoy-gateway/gateway-with-two-attached-routes/http + - name: envoy-gateway/gateway-with-two-attached-routes/http ports: - containerPort: 10080 name: http-80 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml index fb70831782..c1c7ee2d83 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml 
@@ -15,7 +15,7 @@ gateways: protocol: TCP status: listeners: - - attachedRoutes: 1 + - attachedRoutes: 0 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml index fd12c14be0..e70a4f6537 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml @@ -15,7 +15,7 @@ gateways: protocol: UDP status: listeners: - - attachedRoutes: 1 + - attachedRoutes: 0 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml index afc8fb45a6..f858c8d772 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml @@ -42,7 +42,7 @@ gateways: supportedKinds: - group: gateway.networking.k8s.io kind: UDPRoute - - attachedRoutes: 0 + - attachedRoutes: 1 conditions: - lastTransitionTime: null message: Only one UDP listener is allowed in a given port diff --git a/internal/gatewayapi/testdata/httproute-filter-match-matrix.out.yaml b/internal/gatewayapi/testdata/httproute-filter-match-matrix.out.yaml index 0cfdc4b039..c56020ab00 100644 --- a/internal/gatewayapi/testdata/httproute-filter-match-matrix.out.yaml +++ b/internal/gatewayapi/testdata/httproute-filter-match-matrix.out.yaml 
@@ -263,6 +263,26 @@ xdsIR: distinct: false name: "" prefix: /foo + - cookieMatches: + - distinct: false + exact: xxx + name: cookie-3 + - distinct: false + exact: yyy + name: cookie-4 + directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/1/* + pathMatch: + distinct: false + name: "" + prefix: /baz - cookieMatches: - distinct: false exact: xxx @@ -300,6 +320,26 @@ xdsIR: distinct: false name: "" prefix: /foo + - cookieMatches: + - distinct: false + exact: xxx + name: cookie-1 + - distinct: false + name: cookie-2 + safeRegex: foo.* + directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/* + pathMatch: + distinct: false + name: "" + prefix: /baz - cookieMatches: - distinct: false exact: xxx @@ -337,6 +377,26 @@ xdsIR: name: httproute-1 namespace: default name: httproute/default/httproute-1/rule/0/match/3/* + - cookieMatches: + - distinct: false + exact: xxx + name: cookie-3 + - distinct: false + exact: yyy + name: cookie-4 + directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: baz + name: header1 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/3/* - cookieMatches: - distinct: false exact: xxx 
@@ -374,6 +434,26 @@ xdsIR: name: httproute-1 namespace: default name: httproute/default/httproute-1/rule/0/match/2/* + - cookieMatches: + - distinct: false + exact: xxx + name: cookie-1 + - distinct: false + name: cookie-2 + safeRegex: foo.* + directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: baz + name: header1 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/2/* - cookieMatches: - distinct: false exact: xxx diff --git a/internal/gatewayapi/testdata/httproute-with-credential-injection.out.yaml b/internal/gatewayapi/testdata/httproute-with-credential-injection.out.yaml index 278778957b..eaf02f6ec5 100644 --- a/internal/gatewayapi/testdata/httproute-with-credential-injection.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-credential-injection.out.yaml @@ -269,6 +269,19 @@ xdsIR: distinct: false name: "" prefix: /bar + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /foo readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml index 6618ec5071..fce3c7feb6 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml 
@@ -148,6 +148,26 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - addRequestHeaders: + - addIfAbsent: false + append: false + name: example-header-1 + value: + - dummy + directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml index ce8c8ec5b2..a342083f63 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml @@ -151,6 +151,26 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - addRequestHeaders: + - addIfAbsent: false + append: true + name: good-header + value: + - some-value + directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-header-values.out.yaml index 9f554967ac..8689e572b9 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-header-values.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-header-values.out.yaml 
@@ -149,6 +149,26 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - addRequestHeaders: + - addIfAbsent: false + append: true + name: example-header-2 + value: + - dummy + directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml index 7ff61abd0d..74d17f4123 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml 
@@ -241,6 +241,64 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - addRequestHeaders: + - addIfAbsent: false + append: false + name: good-header + value: + - some-value + directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /foo + - addRequestHeaders: + - addIfAbsent: false + append: false + name: good-header + value: + - some-value + directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /bar + - addRequestHeaders: + - addIfAbsent: false + append: false + name: good-header + value: + - some-value + directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-3 + namespace: default + name: httproute/default/httproute-3/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /baz readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml index 380954b2c9..aa714df8cc 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml 
@@ -145,6 +145,20 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml index 58ba1fed36..a07ea6bada 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml @@ -144,6 +144,20 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml index 918df8335a..f388247843 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml 
@@ -141,6 +141,20 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml index 7fb49c4baa..f8d93e96c4 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml @@ -140,6 +140,20 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml index 52fe00869a..684156d45c 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml 
@@ -148,6 +148,26 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - addResponseHeaders: + - addIfAbsent: false + append: false + name: example-header-1 + value: + - dummy + directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml index c6aba27d74..47be315848 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml @@ -151,6 +151,26 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - addResponseHeaders: + - addIfAbsent: false + append: true + name: good-header + value: + - some-value + directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-header-values.out.yaml index 27771a1cad..57c6b4238a 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-header-values.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-header-values.out.yaml 
@@ -149,6 +149,26 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - addResponseHeaders: + - addIfAbsent: false + append: true + name: example-header-2 + value: + - dummy + directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml index 71d4a5ca56..d87f643ab6 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml 
@@ -239,6 +239,64 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - addResponseHeaders: + - addIfAbsent: false + append: false + name: good-header + value: + - some-value + directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /foo + - addResponseHeaders: + - addIfAbsent: false + append: false + name: good-header + value: + - some-value + directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /bar + - addResponseHeaders: + - addIfAbsent: false + append: false + name: good-header + value: + - some-value + directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-3 + namespace: default + name: httproute/default/httproute-3/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /baz readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml index 93255f6727..34124cf683 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml 
@@ -145,6 +145,20 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml index 4c840dddc5..8144890d55 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml @@ -148,6 +148,20 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml index 86550e0c18..3a5cf7e963 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml 
@@ -150,6 +150,26 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / + urlRewrite: + host: + name: rewrite.com + path: + fullReplace: null + prefixMatchReplace: /rewrite readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml index 6561d2a9e7..a6810abae1 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml @@ -146,6 +146,23 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / + urlRewrite: + host: + name: rewrite.com readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml index 7de5ef4554..ca6066678c 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml 
@@ -145,6 +145,20 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml index 37c6c193ee..199bf3d19c 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml @@ -143,6 +143,20 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml index a36c686ec0..83252a8775 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml 
@@ -375,6 +375,89 @@ xdsIR: mergeSlashes: true port: 10080 routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-invalid-pattern + namespace: default + name: httproute/default/httproute-invalid-pattern/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /invalid-pattern + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-missing-pattern + namespace: default + name: httproute/default/httproute-missing-pattern/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /missing-pattern + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-multiple-path-rewrites-2 + namespace: default + name: httproute/default/httproute-multiple-path-rewrites-2/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /inline-first + urlRewrite: + path: + fullReplace: null + prefixMatchReplace: /rewrite + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-multiple-path-rewrites-1 + namespace: default + name: httproute/default/httproute-multiple-path-rewrites-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /ext-first + urlRewrite: + path: + fullReplace: null + prefixMatchReplace: null + regexMatchReplace: + pattern: .* + substitution: foo + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-multiple-regex-path-rewrites + namespace: default + name: httproute/default/httproute-multiple-regex-path-rewrites/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /two-regex + urlRewrite: + path: + 
fullReplace: null + prefixMatchReplace: null + regexMatchReplace: + pattern: .* + substitution: foo - directResponse: statusCode: 500 hostname: gateway.envoyproxy.io diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml index 2a2f5ffb01..6439820f45 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml 
@@ -380,6 +380,100 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-header-and-backend-host-rewrites + namespace: default + name: httproute/default/httproute-header-and-backend-host-rewrites/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /header-and-backend + urlRewrite: + host: + header: my-host + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-invalid-header + namespace: default + name: httproute/default/httproute-invalid-header/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /invalid-header + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-multiple-path-rewrites-2 + namespace: default + name: httproute/default/httproute-multiple-path-rewrites-2/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /inline-first + urlRewrite: + host: + name: rewrite.com + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-multiple-header-host-rewrites + namespace: default + name: httproute/default/httproute-multiple-header-host-rewrites/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /two-backends + urlRewrite: + host: + backend: true + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-multiple-header-host-rewrites + namespace: default + name: httproute/default/httproute-multiple-header-host-rewrites/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /two-headers + 
urlRewrite: + host: + header: my-host + - directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-multiple-host-rewrites-1 + namespace: default + name: httproute/default/httproute-multiple-host-rewrites-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /ext-first + urlRewrite: + host: + header: my-host readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.out.yaml b/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.out.yaml index 45d05142fb..0aa71aa947 100644 --- a/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.out.yaml @@ -246,8 +246,7 @@ infraIR: envoy-gateway/gateway-tls-exact-hostname: proxy: listeners: - - address: null - name: envoy-gateway/gateway-tls-exact-hostname/tls + - name: envoy-gateway/gateway-tls-exact-hostname/tls ports: - containerPort: 10443 name: tls-443 @@ -265,8 +264,7 @@ infraIR: envoy-gateway/gateway-tls-wildcard-hostname: proxy: listeners: - - address: null - name: envoy-gateway/gateway-tls-wildcard-hostname/tls + - name: envoy-gateway/gateway-tls-wildcard-hostname/tls ports: - containerPort: 10443 name: tls-443 @@ -284,8 +282,7 @@ infraIR: envoy-gateway/gateway-tlsroute-http-only: proxy: listeners: - - address: null - name: envoy-gateway/gateway-tlsroute-http-only/http + - name: envoy-gateway/gateway-tlsroute-http-only/http ports: - containerPort: 10080 name: http-80 @@ -303,8 +300,7 @@ infraIR: envoy-gateway/gateway-tlsroute-https-only: proxy: listeners: - - address: null - name: envoy-gateway/gateway-tlsroute-https-only/https + - name: envoy-gateway/gateway-tlsroute-https-only/https ports: - containerPort: 10443 name: https-443 
@@ -333,8 +329,7 @@ infraIR: envoy-gateway/gateway-tlsroute-tls-passthrough-only: proxy: listeners: - - address: null - name: envoy-gateway/gateway-tlsroute-tls-passthrough-only/tls-passthrough + - name: envoy-gateway/gateway-tlsroute-tls-passthrough-only/tls-passthrough ports: - containerPort: 10443 name: tls-443