diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go
index 551f02f7d0..0e1d436107 100644
--- a/internal/gatewayapi/listener.go
+++ b/internal/gatewayapi/listener.go
@@ -103,10 +103,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource
 t.validateHostName(listener)
 // Process conditions and check if the listener is ready
- isReady := t.validateListenerConditions(listener)
- if !isReady {
- continue
- }
+ t.validateListenerConditions(listener)
 address := netutils.IPv4ListenerAddress
 ipFamily := getEnvoyIPFamily(gateway.envoyProxy)
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml
index 202b73b417..9a6715deba 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml
@@ -508,6 +508,12 @@ infraIR:
 name: http-80
 protocol: HTTP
 servicePort: 80
+ - name: envoy-gateway/gateway-2/https
+ ports:
+ - containerPort: 10443
+ name: https-443
+ protocol: HTTPS
+ servicePort: 443
 - name: envoy-gateway/gateway-2/tcp
 ports:
 - containerPort: 10053
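Review bot: Dropping the `continue` after `validateListenerConditions` lets a listener whose conditions failed validation fall through into the infraIR/xdsIR construction that follows, and the updated fixtures show what that produces: in the invalid-TLS cases (e.g. `gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml`, `...-secret-is-not-valid.out.yaml`, `...-invalid-multiple-tls-configuration.out.yaml`) a listener declared as HTTPS is now emitted under `xdsIR.http` on port 10443/8444 with no `tls` block, and `gateway-with-listener-with-unsupported-protocol.out.yaml` gains an infraIR port with `protocol: ""` and name `"-80"`. Unless something downstream still filters on the listener's Accepted/Programmed conditions (not visible here), the HTTPS listener would be programmed as plaintext on its port, and the empty protocol and a port name starting with `-` would likely be rejected when the proxy Service is applied, since Kubernetes port names must be valid IANA service names. If the intent is only to keep the port reservation in infraIR while the listener stays unprogrammed, keep the result, `isReady := t.validateListenerConditions(listener)`, and guard the xdsIR emission on it rather than discarding it. The comment on the line above, `// Process conditions and check if the listener is ready`, is now misleading because nothing checks readiness; reword it to say that conditions are recorded for status only, and state explicitly what happens to a listener that is not ready. ProcessListeners continues past the hunk, so the point at which the listener is appended to xdsIR is outside this view.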
@@ -729,6 +735,57 @@ xdsIR: namespace: envoy-gateway name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/* traffic: {} + - address: 0.0.0.0 + externalPort: 443 + hostnames: + - '*' + isHTTP2: true + metadata: + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: https + name: envoy-gateway/gateway-2/https + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 + routes: + - destination: + metadata: + kind: GRPCRoute + name: grpcroute-1 + namespace: envoy-gateway + name: grpcroute/envoy-gateway/grpcroute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + metadata: + kind: Service + name: service-1 + namespace: envoy-gateway + sectionName: "8080" + name: grpcroute/envoy-gateway/grpcroute-1/rule/0/backend/0 + protocol: GRPC + weight: 1 + headerMatches: + - distinct: false + exact: foo + name: magic + hostname: '*' + isHTTP2: true + metadata: + kind: GRPCRoute + name: grpcroute-1 + namespace: envoy-gateway + policies: + - kind: BackendTrafficPolicy + name: target-grpcroute-in-gateway-2 + namespace: envoy-gateway + name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/* + traffic: {} readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml index 1ba3538640..2bc276eb75 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml @@ -453,6 +453,12 @@ infraIR: name: http-80 protocol: HTTP servicePort: 80 + - name: envoy-gateway/gateway-2/https + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + servicePort: 443 - name: envoy-gateway/gateway-2/tcp ports: - containerPort: 10053 
@@ -592,6 +598,21 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + - address: 0.0.0.0 + externalPort: 443 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: https + name: envoy-gateway/gateway-2/https + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml index ea3f536fe1..f21466c0d1 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml @@ -508,6 +508,12 @@ infraIR: name: http-80 protocol: HTTP servicePort: 80 + - name: envoy-gateway/gateway-2/https + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + servicePort: 443 - name: envoy-gateway/gateway-2/tcp ports: - containerPort: 10053 
@@ -721,6 +727,53 @@ xdsIR: name: grpcroute-1 namespace: envoy-gateway name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/* + - address: 0.0.0.0 + externalPort: 443 + hostnames: + - '*' + isHTTP2: true + metadata: + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: https + name: envoy-gateway/gateway-2/https + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 + routes: + - destination: + metadata: + kind: GRPCRoute + name: grpcroute-1 + namespace: envoy-gateway + name: grpcroute/envoy-gateway/grpcroute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + metadata: + kind: Service + name: service-1 + namespace: envoy-gateway + sectionName: "8080" + name: grpcroute/envoy-gateway/grpcroute-1/rule/0/backend/0 + protocol: GRPC + weight: 1 + envoyExtensions: {} + headerMatches: + - distinct: false + exact: foo + name: magic + hostname: '*' + isHTTP2: true + metadata: + kind: GRPCRoute + name: grpcroute-1 + namespace: envoy-gateway + name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/* readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-namespaces-selector.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-namespaces-selector.out.yaml index fb1bca1c0e..448a43fbbb 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-namespaces-selector.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-namespaces-selector.out.yaml @@ -78,6 +78,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 
@@ -113,6 +120,22 @@ xdsIR: sectionName: "8080" name: envoy-gateway/gateway-1 protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml index d6eddedd1d..974e0038e3 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml @@ -69,6 +69,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -104,6 +111,22 @@ xdsIR: sectionName: "8080" name: envoy-gateway/gateway-1 protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.out.yaml index e3eee27117..adf012d422 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.out.yaml 
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.out.yaml @@ -71,6 +71,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -106,6 +113,22 @@ xdsIR: sectionName: "8080" name: envoy-gateway/gateway-1 protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml index 891bdd8a8b..802c3db1c0 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml @@ -69,6 +69,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -104,6 +111,22 @@ xdsIR: sectionName: "8080" name: envoy-gateway/gateway-1 protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 readyListener: address: 0.0.0.0 ipFamily: IPv4 
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml index 8a474483bb..0127e45fe8 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml @@ -38,6 +38,13 @@ gateways: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/tls + ports: + - containerPort: 10080 + name: tls-80 + protocol: TLS + servicePort: 80 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -109,3 +116,13 @@ xdsIR: ipFamily: IPv4 path: /ready port: 19003 + tcp: + - address: 0.0.0.0 + externalPort: 80 + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-1/tls + port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.out.yaml index 3886a7ff40..5a8e559912 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-multiple-tls-configuration.out.yaml @@ -168,6 +168,12 @@ infraIR: name: https-8443 protocol: HTTPS servicePort: 8443 + - name: envoy-gateway/gateway-1/tls-all-invalid-cert + ports: + - containerPort: 8444 + name: https-8444 + protocol: HTTPS + servicePort: 8444 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 
@@ -308,6 +314,52 @@ xdsIR: - certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ2VENDQVVTZ0F3SUJBZ0lVU2l2SkdURHdva1M3aGVZLzJjc1JzejR2SkIwd0NnWUlLb1pJemowRUF3SXcKRmpFVU1CSUdBMVVFQXd3TFptOXZMbUpoY2k1amIyMHdIaGNOTWpRd01qSTVNRGt6TURFd1doY05NelF3TWpJMgpNRGt6TURFd1dqQVdNUlF3RWdZRFZRUUREQXRtYjI4dVltRnlMbU52YlRCMk1CQUdCeXFHU000OUFnRUdCU3VCCkJBQWlBMklBQkZ2cnZSZWJhYVd1UzZNQUVJZDZ3WmZPS3Z1Q1R5VU1PbFpKcUZDRjlUa3pNWWw4Q2lvZnluT3QKQ3JzMHZ2YTlrZC9QMkpNR0JKcWdZZXZid290clJpMTJxTG5IMDQvam9HSWpqVE9LbzNJb2ZyK0ZrOHdMdkFlMwpPMVpLdFI5c3pxTlRNRkV3SFFZRFZSME9CQllFRklLczFRRm5vRHQ5K3Fva1I0T0RXYk16MWYrUE1COEdBMVVkCkl3UVlNQmFBRklLczFRRm5vRHQ5K3Fva1I0T0RXYk16MWYrUE1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0NnWUkKS29aSXpqMEVBd0lEWndBd1pBSXdIMzF0SHlmVVAwNFhIcGJXR2UxWjFJYUJaQndJdGg1NURVNGhqZlB1OG0rSgpXdjdiVzh6VFNnd0xpcW9yZmN1bkFqQTBnaE5KQkExWDJYdElLRG1sM3M3L1Z4OEZKY1MwNHZwQ2hoK2xBYkxTCnZlYWEyOFIzVExFWTNVK1FUWEkvd0lrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== name: envoy-gateway/tls-secret-ecdsa-2 privateKey: '[redacted]' + - address: 0.0.0.0 + externalPort: 8444 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls-all-invalid-cert + name: envoy-gateway/gateway-1/tls-all-invalid-cert + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 8444 + routes: + - destination: + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + metadata: + kind: Service + name: service-1 + namespace: default + sectionName: "8080" + name: httproute/default/httproute-1/rule/0/backend/0 + protocol: HTTP + weight: 1 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/* + pathMatch: + distinct: false + name: "" + prefix: / readyListener: address: 0.0.0.0 ipFamily: IPv4 
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml index e6aaa0af27..20b05952f9 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml @@ -77,6 +77,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/tls + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + servicePort: 443 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -112,6 +119,22 @@ xdsIR: sectionName: "8080" name: envoy-gateway/gateway-1 protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 443 + hostnames: + - foo.com + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-1/tls + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-certificate-refs.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-certificate-refs.out.yaml index 08b2c9ae80..a7deb77f33 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-certificate-refs.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-certificate-refs.out.yaml @@ -72,6 +72,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/tls + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + servicePort: 443 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 
@@ -107,6 +114,22 @@ xdsIR: sectionName: "8080" name: envoy-gateway/gateway-1 protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 443 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-1/tls + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml index e34ffacdae..15b0c82bdc 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml @@ -77,6 +77,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/tls + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + servicePort: 443 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -112,6 +119,22 @@ xdsIR: sectionName: "8080" name: envoy-gateway/gateway-1 protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 443 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-1/tls + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml index c896a01e5f..d17af94e08 100644 
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml @@ -78,6 +78,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/tls + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + servicePort: 443 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -113,6 +120,22 @@ xdsIR: sectionName: "8080" name: envoy-gateway/gateway-1 protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 443 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-1/tls + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-is-not-valid.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-is-not-valid.out.yaml index d0e4fd6e3e..9a93f23617 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-is-not-valid.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-is-not-valid.out.yaml @@ -77,6 +77,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/tls + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + servicePort: 443 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 
@@ -112,6 +119,22 @@ xdsIR: sectionName: "8080" name: envoy-gateway/gateway-1 protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 443 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-1/tls + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-missing-allowed-namespaces-selector.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-missing-allowed-namespaces-selector.out.yaml index ed93a40205..6a6d592e4f 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-missing-allowed-namespaces-selector.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-missing-allowed-namespaces-selector.out.yaml @@ -71,6 +71,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -106,6 +113,22 @@ xdsIR: sectionName: "8080" name: envoy-gateway/gateway-1 protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcp-with-hostname.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcp-with-hostname.out.yaml index eee30d760d..1e3bf50365 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcp-with-hostname.out.yaml 
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcp-with-hostname.out.yaml @@ -35,6 +35,13 @@ gateways: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/tcp + ports: + - containerPort: 10080 + name: tcp-80 + protocol: TCP + servicePort: 80 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -75,3 +82,13 @@ xdsIR: ipFamily: IPv4 path: /ready port: 19003 + tcp: + - address: 0.0.0.0 + externalPort: 80 + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tcp + name: envoy-gateway/gateway-1/tcp + port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udp-with-hostname.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udp-with-hostname.out.yaml index cdc8155dc4..f3d7139fc7 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-udp-with-hostname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udp-with-hostname.out.yaml @@ -35,6 +35,13 @@ gateways: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/udp + ports: + - containerPort: 10080 + name: udp-80 + protocol: UDP + servicePort: 80 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -75,3 +82,13 @@ xdsIR: ipFamily: IPv4 path: /ready port: 19003 + udp: + - address: 0.0.0.0 + externalPort: 80 + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: udp + name: envoy-gateway/gateway-1/udp + port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml index 1765434059..4672cbedfb 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml 
@@ -71,6 +71,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/unsupported + ports: + - containerPort: 10080 + name: "-80" + protocol: "" + servicePort: 80 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml index e32cc2cbd0..00a10f29be 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml @@ -70,6 +70,12 @@ infraIR: name: tcp-162 protocol: TCP servicePort: 162 + - name: envoy-gateway/gateway-1/tcp2 + ports: + - containerPort: 10162 + name: tls-162 + protocol: TLS + servicePort: 162 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -176,3 +182,12 @@ xdsIR: name: tcproute-1 namespace: default name: tcproute/default/tcproute-1 + - address: 0.0.0.0 + externalPort: 162 + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tcp2 + name: envoy-gateway/gateway-1/tcp2 + port: 10162 diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml index f858c8d772..cac7a60a43 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml @@ -175,3 +175,12 @@ xdsIR: protocol: UDP weight: 1 name: udproute/default/udproute-1 + - address: 0.0.0.0 + externalPort: 162 + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: udp2 + name: envoy-gateway/gateway-1/udp2 + port: 10162 
diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-http-and-tlsroute-same-hostname-and-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-http-and-tlsroute-same-hostname-and-port.out.yaml index 20c4241d1a..d3502d7e87 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-http-and-tlsroute-same-hostname-and-port.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-http-and-tlsroute-same-hostname-and-port.out.yaml @@ -106,6 +106,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/http-1 + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -172,8 +179,34 @@ xdsIR: sectionName: "8080" name: envoy-gateway/gateway-1 protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - foo.com + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http-1 + name: envoy-gateway/gateway-1/http-1 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 readyListener: address: 0.0.0.0 ipFamily: IPv4 path: /ready port: 19003 + tcp: + - address: 0.0.0.0 + externalPort: 80 + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls-1 + name: envoy-gateway/gateway-1/tls-1 + port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-hostname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-hostname.out.yaml index ecb8190327..bf25ca88e4 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-hostname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-hostname.out.yaml 
@@ -106,6 +106,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/http-1 + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -141,6 +148,37 @@ xdsIR: sectionName: "8080" name: envoy-gateway/gateway-1 protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - foo.com + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http-1 + name: envoy-gateway/gateway-1/http-1 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - foo.com + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http-2 + name: envoy-gateway/gateway-1/http-2 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-incompatible-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-incompatible-protocol.out.yaml index 173f868a62..1687e4cc5c 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-incompatible-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-and-incompatible-protocol.out.yaml @@ -106,6 +106,13 @@ httpRoutes: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/http-1 + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 
@@ -141,6 +148,37 @@ xdsIR: sectionName: "8080" name: envoy-gateway/gateway-1 protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - foo.com + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http-1 + name: envoy-gateway/gateway-1/http-1 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - bar.com + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http-2 + name: envoy-gateway/gateway-1/http-2 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml b/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml index 62feeaf7b5..72e06f3cf5 100644 --- a/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml +++ b/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml @@ -171,6 +171,21 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-2/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml index 82c93cfe5b..766cf60ab8 100644 --- a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml 
@@ -228,6 +228,12 @@ infraIR: name: http-80 protocol: HTTP servicePort: 80 + - name: envoy-gateway/gateway-2/https + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + servicePort: 443 - name: envoy-gateway/gateway-2/tcp ports: - containerPort: 10053 @@ -544,6 +550,42 @@ xdsIR: name: "" safeRegex: http://.*\.example\.com maxAge: 16m40s + - address: 0.0.0.0 + externalPort: 443 + hostnames: + - '*' + isHTTP2: true + metadata: + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: https + name: envoy-gateway/gateway-2/https + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 + routes: + - directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: foo + name: magic + hostname: '*' + isHTTP2: true + metadata: + kind: GRPCRoute + name: grpcroute-1 + namespace: envoy-gateway + name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/* + security: + cors: + allowOrigins: + - distinct: false + name: "" + safeRegex: http://.*\.example\.com + maxAge: 16m40s readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.in.yaml b/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.in.yaml new file mode 100644 index 0000000000..b15e16043b --- /dev/null +++ b/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.in.yaml 
@@ -0,0 +1,126 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-tls-passthrough-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: tls-passthrough + protocol: TLS + port: 443 + allowedRoutes: + namespaces: + from: Same + tls: + mode: Passthrough + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-http-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: Same + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-tcproute-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: tls-passthrough + protocol: TLS + port: 443 + allowedRoutes: + namespaces: + from: Same + kinds: + - kind: TCPRoute + tls: + mode: Passthrough + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-https-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: https + port: 443 + protocol: HTTPS + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - name: tls-secret-1 + namespace: envoy-gateway +tlsRoutes: + - apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-not-allowed-protocol-http + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-tlsroute-http-only + hostnames: + - tls.example.com + rules: + - backendRefs: + - name: service-1 + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-not-allowed-kind + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-tlsroute-tcproute-only + hostnames: + - tls.example.com + rules: + - backendRefs: + - name: service-1 + port: 8080 + - 
apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-not-allowed-protocol-https + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-tlsroute-https-only + hostnames: + - tls.example.com + rules: + - backendRefs: + - name: service-1 + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-no-matching-section-name + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-tlsroute-tls-passthrough-only + sectionName: nonexistent-listener + hostnames: + - tls.example.com + rules: + - backendRefs: + - name: service-1 + port: 8080 diff --git a/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.out.yaml b/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.out.yaml new file mode 100644 index 0000000000..0ca7dd2f5e --- /dev/null +++ b/internal/gatewayapi/testdata/tlsroute-invalid-no-matching-listener.out.yaml 
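Review bot: Two of the four cases in this new input are rejected for more than the reason their names claim, because the file defines neither `tls-secret-1` nor `service-1`: the gateway-tlsroute-https-only listener fails ResolvedRefs with InvalidCertificateRef before TLSRoute kind support is even evaluated, and every route additionally reports BackendNotFound in the matching golden. Add a `secrets:` entry for envoy-gateway/tls-secret-1 and a `services:` entry for envoy-gateway/service-1 so that `NotAllowedByListeners` / `NoMatchingParent` is the only failure each route carries and the test isolates the listener-matching logic it is named for. As written, a regression that let a TLSRoute attach to a healthy HTTPS listener would not be caught here, since that listener never becomes healthy.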
@@ -0,0 +1,524 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-tls-passthrough-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: tls-passthrough + port: 443 + protocol: TLS + tls: + mode: Passthrough + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: tls-passthrough + supportedKinds: + - group: gateway.networking.k8s.io + kind: TLSRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-http-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-tcproute-only + namespace: envoy-gateway 
+ spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + kinds: + - kind: TCPRoute + namespaces: + from: Same + name: tls-passthrough + port: 443 + protocol: TLS + tls: + mode: Passthrough + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: TCPRoute is not supported, kind must be one of [TLSRoute] + reason: InvalidRouteKinds + status: "False" + type: ResolvedRefs + - lastTransitionTime: null + message: Listener is invalid, see other Conditions for details. + reason: Invalid + status: "False" + type: Programmed + name: tls-passthrough + supportedKinds: [] +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-tlsroute-https-only + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: https + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: null + kind: null + name: tls-secret-1 + namespace: envoy-gateway + mode: Terminate + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: 'No valid secrets exist: certificate refs 0: Secret envoy-gateway/tls-secret-1 + does not exist.' + reason: InvalidCertificateRef + status: "False" + type: ResolvedRefs + - lastTransitionTime: null + message: Listener is invalid, see other Conditions for details. 
+ reason: Invalid + status: "False" + type: Programmed + name: https + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +infraIR: + envoy-gateway/gateway-tlsroute-http-only: + proxy: + listeners: + - name: envoy-gateway/gateway-tlsroute-http-only/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-tlsroute-http-only + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-tlsroute-http-only + namespace: envoy-gateway-system + envoy-gateway/gateway-tlsroute-https-only: + proxy: + listeners: + - name: envoy-gateway/gateway-tlsroute-https-only/https + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + servicePort: 443 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-tlsroute-https-only + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-tlsroute-https-only + namespace: envoy-gateway-system + envoy-gateway/gateway-tlsroute-tcproute-only: + proxy: + listeners: + - name: envoy-gateway/gateway-tlsroute-tcproute-only/tls-passthrough + ports: + - containerPort: 10443 + name: tls-443 + protocol: TLS + servicePort: 443 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-tlsroute-tcproute-only + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-tlsroute-tcproute-only + namespace: envoy-gateway-system + envoy-gateway/gateway-tlsroute-tls-passthrough-only: + proxy: + listeners: + - name: envoy-gateway/gateway-tlsroute-tls-passthrough-only/tls-passthrough + ports: + - containerPort: 10443 + name: tls-443 + 
protocol: TLS + servicePort: 443 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-tlsroute-tls-passthrough-only + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + ownerReference: + kind: GatewayClass + name: envoy-gateway-class + name: envoy-gateway/gateway-tlsroute-tls-passthrough-only + namespace: envoy-gateway-system +tlsRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-not-allowed-protocol-http + namespace: envoy-gateway + spec: + hostnames: + - tls.example.com + parentRefs: + - name: gateway-tlsroute-http-only + rules: + - backendRefs: + - name: service-1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: No listeners included by this parent ref allowed this attachment. + reason: NotAllowedByListeners + status: "False" + type: Accepted + - lastTransitionTime: null + message: service envoy-gateway/service-1 not found + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-tlsroute-http-only +- apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-not-allowed-kind + namespace: envoy-gateway + spec: + hostnames: + - tls.example.com + parentRefs: + - name: gateway-tlsroute-tcproute-only + rules: + - backendRefs: + - name: service-1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: No listeners included by this parent ref allowed this attachment. 
+ reason: NotAllowedByListeners + status: "False" + type: Accepted + - lastTransitionTime: null + message: service envoy-gateway/service-1 not found + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-tlsroute-tcproute-only +- apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-not-allowed-protocol-https + namespace: envoy-gateway + spec: + hostnames: + - tls.example.com + parentRefs: + - name: gateway-tlsroute-https-only + rules: + - backendRefs: + - name: service-1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: No listeners included by this parent ref allowed this attachment. + reason: NotAllowedByListeners + status: "False" + type: Accepted + - lastTransitionTime: null + message: service envoy-gateway/service-1 not found + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-tlsroute-https-only +- apiVersion: gateway.networking.k8s.io/v1alpha3 + kind: TLSRoute + metadata: + name: tlsroute-no-matching-section-name + namespace: envoy-gateway + spec: + hostnames: + - tls.example.com + parentRefs: + - name: gateway-tlsroute-tls-passthrough-only + sectionName: nonexistent-listener + rules: + - backendRefs: + - name: service-1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: No listeners match this parent ref + reason: NoMatchingParent + status: "False" + type: Accepted + - lastTransitionTime: null + message: service envoy-gateway/service-1 not found + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-tlsroute-tls-passthrough-only + sectionName: nonexistent-listener +xdsIR: + envoy-gateway/gateway-tlsroute-http-only: + accessLog: + 
json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-http-only-f8771668 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-http-only + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-http-only-f8771668 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-http-only + protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 80 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-tlsroute-http-only + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-tlsroute-http-only/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + envoy-gateway/gateway-tlsroute-https-only: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-https-only-d05b9162 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-https-only + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-https-only-d05b9162 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-https-only + protocol: TCP + http: + - address: 0.0.0.0 + externalPort: 443 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-tlsroute-https-only + namespace: envoy-gateway + sectionName: https + name: envoy-gateway/gateway-tlsroute-https-only/https + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 + readyListener: + address: 
0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + envoy-gateway/gateway-tlsroute-tcproute-only: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-tcproute-only-54b16df4 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-tcproute-only + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-tcproute-only-54b16df4 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-tcproute-only + protocol: TCP + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + tcp: + - address: 0.0.0.0 + externalPort: 443 + metadata: + kind: Gateway + name: gateway-tlsroute-tcproute-only + namespace: envoy-gateway + sectionName: tls-passthrough + name: envoy-gateway/gateway-tlsroute-tcproute-only/tls-passthrough + port: 10443 + envoy-gateway/gateway-tlsroute-tls-passthrough-only: + accessLog: + json: + - path: /dev/stdout + globalResources: + proxyServiceCluster: + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-tls-passthrough-o-92dd85f5 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-tls-passthrough-only + settings: + - addressType: IP + endpoints: + - host: 7.6.5.4 + port: 8080 + zone: zone1 + metadata: + kind: Service + name: envoy-envoy-gateway-gateway-tlsroute-tls-passthrough-o-92dd85f5 + namespace: envoy-gateway-system + sectionName: "8080" + name: envoy-gateway/gateway-tlsroute-tls-passthrough-only + protocol: TCP + readyListener: + address: 0.0.0.0 + ipFamily: IPv4 + path: /ready + port: 19003 + tcp: + - address: 0.0.0.0 + externalPort: 443 + metadata: + kind: Gateway + name: gateway-tlsroute-tls-passthrough-only + namespace: envoy-gateway + sectionName: tls-passthrough + name: 
envoy-gateway/gateway-tlsroute-tls-passthrough-only/tls-passthrough + port: 10443 diff --git a/internal/gatewayapi/testdata/tlsroute-not-attaching-to-gateway-with-no-mode.out.yaml b/internal/gatewayapi/testdata/tlsroute-not-attaching-to-gateway-with-no-mode.out.yaml index 5a7b2c7289..f7221094bd 100644 --- a/internal/gatewayapi/testdata/tlsroute-not-attaching-to-gateway-with-no-mode.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-not-attaching-to-gateway-with-no-mode.out.yaml @@ -36,6 +36,13 @@ gateways: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/tls + ports: + - containerPort: 10090 + name: tls-90 + protocol: TLS + servicePort: 90 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -107,3 +114,13 @@ xdsIR: ipFamily: IPv4 path: /ready port: 19003 + tcp: + - address: 0.0.0.0 + externalPort: 90 + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-1/tls + port: 10090 diff --git a/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.out.yaml index 95283df48a..2071d1d5b9 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-listener-both-passthrough-and-cert-data.out.yaml @@ -41,6 +41,13 @@ gateways: infraIR: envoy-gateway/gateway-1: proxy: + listeners: + - name: envoy-gateway/gateway-1/tls + ports: + - containerPort: 10090 + name: tls-90 + protocol: TLS + servicePort: 90 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 @@ -112,3 +119,13 @@ xdsIR: ipFamily: IPv4 path: /ready port: 19003 + tcp: + - address: 0.0.0.0 + externalPort: 90 + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: tls + name: envoy-gateway/gateway-1/tls + port: 10090 
diff --git a/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.out.yaml b/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.out.yaml index 3e789adc66..642591d693 100644 --- a/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-conflict-listeners.out.yaml @@ -83,6 +83,18 @@ infraIR: name: http-80 protocol: HTTP servicePort: 80 + - name: gateway-xls/composite-gateway/conflict-listener + ports: + - containerPort: 8888 + name: http-8888 + protocol: HTTP + servicePort: 8888 + - name: gateway-xls/composite-gateway/gateway-xls/conflict-listener-from-same-xls/conflict-listener-1 + ports: + - containerPort: 8089 + name: http-8089 + protocol: HTTP + servicePort: 8089 - name: gateway-xls/composite-gateway/gateway-xls/conflict-listener-from-two-xlss/good-listener ports: - containerPort: 8090 
@@ -399,6 +411,66 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + - address: 0.0.0.0 + externalPort: 8888 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: composite-gateway + namespace: gateway-xls + sectionName: conflict-listener + name: gateway-xls/composite-gateway/conflict-listener + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 8888 + - address: 0.0.0.0 + externalPort: 8089 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: composite-gateway + namespace: gateway-xls + sectionName: conflict-listener-1 + name: gateway-xls/composite-gateway/gateway-xls/conflict-listener-from-same-xls/conflict-listener-1 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 8089 + - address: 0.0.0.0 + externalPort: 8089 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: composite-gateway + namespace: gateway-xls + sectionName: conflict-listener-2 + name: gateway-xls/composite-gateway/gateway-xls/conflict-listener-from-same-xls/conflict-listener-2 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 8089 + - address: 0.0.0.0 + externalPort: 8089 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: composite-gateway + namespace: gateway-xls + sectionName: conflict-listener + name: gateway-xls/composite-gateway/gateway-xls/conflict-listener-from-two-xlss/conflict-listener + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 8089 - address: 0.0.0.0 externalPort: 8090 hostnames: 
@@ -414,6 +486,21 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8090 + - address: 0.0.0.0 + externalPort: 8888 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: composite-gateway + namespace: gateway-xls + sectionName: conflict-listener + name: gateway-xls/composite-gateway/gateway-xls/listener-conflict-with-gateway/conflict-listener + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 8888 - address: 0.0.0.0 externalPort: 8091 hostnames: diff --git a/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.out.yaml b/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.out.yaml index 6b4e1bc695..b515de1f72 100644 --- a/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.out.yaml +++ b/internal/gatewayapi/testdata/xlistenerset-https-tls-misuses-gateway-namespace.out.yaml @@ -91,6 +91,12 @@ infraIR: name: http-80 protocol: HTTP servicePort: 80 + - name: gateway/composite-gateway/xls/https-xls/extra-https-same-ns + ports: + - containerPort: 8443 + name: https-8443 + protocol: HTTPS + servicePort: 8443 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: composite-gateway @@ -201,6 +207,21 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + - address: 0.0.0.0 + externalPort: 8443 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: composite-gateway + namespace: gateway + sectionName: extra-https-same-ns + name: gateway/composite-gateway/xls/https-xls/extra-https-same-ns + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 8443 readyListener: address: 0.0.0.0 ipFamily: IPv4 diff --git a/internal/gatewayapi/testdata/xlistenerset-invalid.out.yaml b/internal/gatewayapi/testdata/xlistenerset-invalid.out.yaml index 99b8af9ccf..64f25ee967 100644 --- a/internal/gatewayapi/testdata/xlistenerset-invalid.out.yaml 
+++ b/internal/gatewayapi/testdata/xlistenerset-invalid.out.yaml @@ -199,12 +199,30 @@ infraIR: name: http-80 protocol: HTTP servicePort: 80 + - name: gateway-xls/composite-gateway/gateway-xls/same-namespace-invalid/invalid-one + ports: + - containerPort: 8085 + name: "-8085" + protocol: "" + servicePort: 8085 + - name: gateway-xls/composite-gateway/gateway-xls/same-namespace-invalid/invalid-two + ports: + - containerPort: 8086 + name: "-8086" + protocol: "" + servicePort: 8086 - name: gateway-xls/composite-gateway/gateway-xls/same-namespace-mixed/mixed-valid ports: - containerPort: 8087 name: http-8087 protocol: HTTP servicePort: 8087 + - name: gateway-xls/composite-gateway/gateway-xls/same-namespace-mixed/mixed-invalid + ports: + - containerPort: 8088 + name: "-8088" + protocol: "" + servicePort: 8088 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: composite-gateway diff --git a/internal/gatewayapi/validate.go b/internal/gatewayapi/validate.go index 3722d51cc5..752208b1f5 100644 --- a/internal/gatewayapi/validate.go +++ b/internal/gatewayapi/validate.go @@ -275,7 +275,7 @@ func (t *Translator) validateBackendRefBackend( return nil } -func (t *Translator) validateListenerConditions(listener *ListenerContext) (isReady bool) { +func (t *Translator) validateListenerConditions(listener *ListenerContext) { lConditions := listener.GetConditions() if len(lConditions) == 0 { listener.SetCondition(gwapiv1.ListenerConditionProgrammed, metav1.ConditionTrue, gwapiv1.ListenerReasonProgrammed, @@ -284,7 +284,7 @@ func (t *Translator) validateListenerConditions(listener *ListenerContext) (isRe "Listener has been successfully translated") listener.SetCondition(gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionTrue, gwapiv1.ListenerReasonResolvedRefs, "Listener references have been resolved") - return true + return } // Edge case: only one condition which is ResolvedRefs=False, Reason=PartiallyInvalidCertificateRef 
@@ -295,7 +295,7 @@ func (t *Translator) validateListenerConditions(listener *ListenerContext) (isRe
 "Listener has been successfully translated")
 listener.SetCondition(gwapiv1.ListenerConditionProgrammed, metav1.ConditionTrue, gwapiv1.ListenerReasonProgrammed,
 "Sending translated listener configuration to the data plane")
- return true
+ return
 }
 
 // Any condition on the listener apart from Programmed=true indicates an error.
@@ -311,6 +311,8 @@ func (t *Translator) validateListenerConditions(listener *ListenerContext) (isRe
 }
 }
 // set "Programmed: false" if it's not set already.
+ // xref: https://github.com/kubernetes-sigs/gateway-api/issues/4425
+ // Invalid Listener shouldn't block IR
 if !hasProgrammedCond {
 listener.SetCondition(
 gwapiv1.ListenerConditionProgrammed,
@@ -329,9 +331,8 @@ func (t *Translator) validateListenerConditions(listener *ListenerContext) (isRe
 )
 }
 // skip computing IR
- return false
+ return
 }
- return true
 }
 
 func (t *Translator) validateAllowedNamespaces(listener *ListenerContext) {
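Review bot: The `// skip computing IR` comment left above the bare `return` in this hunk is now false — with the `isReady` result gone, nothing downstream of this function skips IR anymore — so either delete it or replace it with `// Programmed=false is recorded; the listener is still translated into IR (see xref above)`. What that un-gated path produces is visible in the goldens added by this same diff: the https-only gateway whose certificateRef cannot be resolved (Programmed=False, InvalidCertificateRef) still gets an infraIR port 443 and an xdsIR `http` listener on 10443 with hostnames `'*'` and no `tls` stanza, the xlistenerset-invalid golden emits infraIR ports with `protocol: ""` and `name: "-8085"`, and the conflict-listeners golden emits three wildcard `http` listeners on port 8089. Whether the xDS and infra translators later refuse a TLS-less HTTPS listener, a Service port name with a leading hyphen, or duplicate listeners on one port is not visible here; if they do not, a Gateway with a bad cert ref would bind 443 without TLS and the generated Service would be rejected by the API server. Before shipping, add a translator test asserting that no downstream listener or Service port is produced for a Programmed=False listener, or filter those listeners at the call site rather than relying on each consumer to do so. validateListenerConditions starts before this hunk, so the earlier conditions that set `hasProgrammedCond` are not shown.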