From a858547262525136c6a7e92c15328c5a3e5c0df5 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Mon, 23 Oct 2023 18:43:18 -0700 Subject: [PATCH] feat BackendTrafficPolicy (#2053) * feat BackendTrafficPolicy Takes PR https://github.com/envoyproxy/gateway/pull/1961 forward Signed-off-by: Arko Dasgupta * lint Signed-off-by: Arko Dasgupta * k8s status Signed-off-by: Arko Dasgupta * k8s watch Signed-off-by: Arko Dasgupta * Update site/content/en/latest/design/backend-traffic-policy.md Co-authored-by: zirain Signed-off-by: Arko Dasgupta * Update site/content/en/latest/design/backend-traffic-policy.md Co-authored-by: zirain Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta Signed-off-by: Arko Dasgupta Co-authored-by: zirain --- api/v1alpha1/backendtrafficpolicy_types.go | 71 ++++ api/v1alpha1/zz_generated.deepcopy.go | 113 +++++- ....envoyproxy.io_backendtrafficpolicies.yaml | 187 +++++++++ charts/gateway-helm/templates/_rbac.tpl | 2 + internal/gatewayapi/backendtrafficpolicy.go | 248 +++++++++++ internal/gatewayapi/clienttrafficpolicy.go | 6 +- internal/gatewayapi/resource.go | 68 ++-- internal/gatewayapi/runner/runner.go | 5 + ...endtrafficpolicy-status-conditions.in.yaml | 133 ++++++ ...ndtrafficpolicy-status-conditions.out.yaml | 384 ++++++++++++++++++ internal/gatewayapi/translator.go | 23 +- internal/gatewayapi/zz_generated.deepcopy.go | 11 + internal/message/types.go | 5 +- internal/provider/kubernetes/controller.go | 56 +++ internal/status/backendtrafficpolicy.go | 20 + internal/status/status.go | 6 + site/content/en/latest/api/extension_types.md | 51 +++ .../latest/design/backend-traffic-policy.md | 155 +++++++ .../en/latest/design/client-traffic-policy.md | 12 +- 19 files changed, 1507 insertions(+), 49 deletions(-) create mode 100644 api/v1alpha1/backendtrafficpolicy_types.go create mode 100644 charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml create mode 100644 internal/gatewayapi/backendtrafficpolicy.go create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.in.yaml create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml create mode 100644 internal/status/backendtrafficpolicy.go create mode 100644 site/content/en/latest/design/backend-traffic-policy.md diff --git a/api/v1alpha1/backendtrafficpolicy_types.go b/api/v1alpha1/backendtrafficpolicy_types.go new file mode 100644 index 00000000000..45272825845 --- /dev/null +++ b/api/v1alpha1/backendtrafficpolicy_types.go @@ -0,0 +1,71 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" +) + +const ( + // KindBackendTrafficPolicy is the name of the BackendTrafficPolicy kind. + KindBackendTrafficPolicy = "BackendTrafficPolicy" +) + +// +kubebuilder:object:root=true +// +kubebuilder:resource:shortName=btpolicy +// +kubebuilder:subresource:status +// +kubebuilder:subresource:overrideStrategy +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Accepted")].reason` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +// BackendTrafficPolicy allows the user to configure the behavior of the connection +// between the downstream client and Envoy Proxy listener. +type BackendTrafficPolicy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // spec defines the desired state of BackendTrafficPolicy. + Spec BackendTrafficPolicySpec `json:"spec"` + + // status defines the current status of BackendTrafficPolicy. + Status BackendTrafficPolicyStatus `json:"status,omitempty"` +} + +// spec defines the desired state of BackendTrafficPolicy. +type BackendTrafficPolicySpec struct { + + // +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway' || self.kind == 'HTTPRoute' || self.kind == 'GRPCRoute' || self.kind == 'UDPRoute' || self.kind == 'TCPRoute' || self.kind == 'TLSRoute'", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute" + // + // targetRef is the name of the resource this policy + // is being attached to. + // This Policy and the TargetRef MUST be in the same namespace + // for this Policy to have effect and be applied to the Gateway. + TargetRef gwapiv1a2.PolicyTargetReferenceWithSectionName `json:"targetRef"` +} + +// BackendTrafficPolicyStatus defines the state of BackendTrafficPolicy +type BackendTrafficPolicyStatus struct { + // Conditions describe the current conditions of the BackendTrafficPolicy. + // + // +optional + // +listType=map + // +listMapKey=type + // +kubebuilder:validation:MaxItems=8 + Conditions []metav1.Condition `json:"conditions,omitempty"` +} + +// +kubebuilder:object:root=true +// BackendTrafficPolicyList contains a list of BackendTrafficPolicy resources. +type BackendTrafficPolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []BackendTrafficPolicy `json:"items"` +} + +func init() { + SchemeBuilder.Register(&BackendTrafficPolicy{}, &BackendTrafficPolicyList{}) +} diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 90aea0d0055..c9b8600c45f 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -12,9 +12,9 @@ package v1alpha1 import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" - "sigs.k8s.io/gateway-api/apis/v1" + apisv1 "sigs.k8s.io/gateway-api/apis/v1" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. @@ -97,6 +97,103 @@ func (in *AuthenticationFilterSpec) DeepCopy() *AuthenticationFilterSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BackendTrafficPolicy) DeepCopyInto(out *BackendTrafficPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTrafficPolicy. +func (in *BackendTrafficPolicy) DeepCopy() *BackendTrafficPolicy { + if in == nil { + return nil + } + out := new(BackendTrafficPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *BackendTrafficPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BackendTrafficPolicyList) DeepCopyInto(out *BackendTrafficPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]BackendTrafficPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTrafficPolicyList. +func (in *BackendTrafficPolicyList) DeepCopy() *BackendTrafficPolicyList { + if in == nil { + return nil + } + out := new(BackendTrafficPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *BackendTrafficPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BackendTrafficPolicySpec) DeepCopyInto(out *BackendTrafficPolicySpec) { + *out = *in + in.TargetRef.DeepCopyInto(&out.TargetRef) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTrafficPolicySpec. +func (in *BackendTrafficPolicySpec) DeepCopy() *BackendTrafficPolicySpec { + if in == nil { + return nil + } + out := new(BackendTrafficPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BackendTrafficPolicyStatus) DeepCopyInto(out *BackendTrafficPolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTrafficPolicyStatus. +func (in *BackendTrafficPolicyStatus) DeepCopy() *BackendTrafficPolicyStatus { + if in == nil { + return nil + } + out := new(BackendTrafficPolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClaimToHeader) DeepCopyInto(out *ClaimToHeader) { *out = *in @@ -197,7 +294,7 @@ func (in *ClientTrafficPolicyStatus) DeepCopyInto(out *ClientTrafficPolicyStatus *out = *in if in.Conditions != nil { in, out := &in.Conditions, &out.Conditions - *out = make([]metav1.Condition, len(*in)) + *out = make([]v1.Condition, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } @@ -646,7 +743,7 @@ func (in *EnvoyPatchPolicyStatus) DeepCopyInto(out *EnvoyPatchPolicyStatus) { *out = *in if in.Conditions != nil { in, out := &in.Conditions, &out.Conditions - *out = make([]metav1.Condition, len(*in)) + *out = make([]v1.Condition, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } @@ -1616,7 +1713,7 @@ func (in *RateLimit) DeepCopyInto(out *RateLimit) { in.Backend.DeepCopyInto(&out.Backend) if in.Timeout != nil { in, out := &in.Timeout, &out.Timeout - *out = new(metav1.Duration) + *out = new(v1.Duration) **out = **in } } @@ -1819,7 +1916,7 @@ func (in *RedisTLSSettings) DeepCopyInto(out *RedisTLSSettings) { *out = *in if in.CertificateRef != nil { in, out := &in.CertificateRef, &out.CertificateRef - *out = new(v1.SecretObjectReference) + *out = new(apisv1.SecretObjectReference) (*in).DeepCopyInto(*out) } } @@ -1899,12 +1996,12 @@ func (in *TCPKeepalive) DeepCopyInto(out *TCPKeepalive) { } if in.IdleTime != nil { in, out := &in.IdleTime, &out.IdleTime - *out = new(v1.Duration) + *out = new(apisv1.Duration) **out = **in } if in.Interval != nil { in, out := &in.Interval, &out.Interval - *out = new(v1.Duration) + *out = new(apisv1.Duration) **out = **in } } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml new file mode 100644 index 00000000000..fa4d0b93bd9 --- /dev/null +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -0,0 +1,187 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: backendtrafficpolicies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + kind: BackendTrafficPolicy + listKind: BackendTrafficPolicyList + plural: backendtrafficpolicies + shortNames: + - btpolicy + singular: backendtrafficpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Accepted")].reason + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: BackendTrafficPolicy allows the user to configure the behavior + of the connection between the downstream client and Envoy Proxy listener. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec defines the desired state of BackendTrafficPolicy. + properties: + targetRef: + description: targetRef is the name of the resource this policy is + being attached to. This Policy and the TargetRef MUST be in the + same namespace for this Policy to have effect and be applied to + the Gateway. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it MUST only apply + to traffic originating from the same namespace as the policy. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + sectionName: + description: "SectionName is the name of a section within the + target resource. When unspecified, this targetRef targets the + entire resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name * + Service: Port Name \n If a SectionName is specified, but does + not exist on the targeted object, the Policy must fail to attach, + and the policy implementation should record a `ResolvedRefs` + or similar Condition in the Policy's status." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + x-kubernetes-validations: + - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute + rule: self.kind == 'Gateway' || self.kind == 'HTTPRoute' || self.kind + == 'GRPCRoute' || self.kind == 'UDPRoute' || self.kind == 'TCPRoute' + || self.kind == 'TLSRoute' + required: + - targetRef + type: object + status: + description: status defines the current status of BackendTrafficPolicy. + properties: + conditions: + description: Conditions describe the current conditions of the BackendTrafficPolicy. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/gateway-helm/templates/_rbac.tpl b/charts/gateway-helm/templates/_rbac.tpl index e71c103cc06..5d0c4cc846c 100644 --- a/charts/gateway-helm/templates/_rbac.tpl +++ b/charts/gateway-helm/templates/_rbac.tpl @@ -67,6 +67,7 @@ resources: - authenticationfilters - envoypatchpolicies - clienttrafficpolicies +- backendtrafficpolicies - ratelimitfilters verbs: - get @@ -82,6 +83,7 @@ apiGroups: resources: - envoypatchpolicies/status - clienttrafficpolicies/status +- backendtrafficpolicies/status verbs: - update {{- end }} diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go new file mode 100644 index 00000000000..3d42c103e7c --- /dev/null +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -0,0 +1,248 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package gatewayapi + +import ( + "fmt" + "sort" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + gwv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + gwv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/status" + "github.com/envoyproxy/gateway/internal/utils/ptr" +) + +type policyTargetRouteKey struct { + Kind string + Namespace string + Name string +} + +type policyRouteTargetContext struct { + RouteContext + attached bool +} + +type policyGatewayTargetContext struct { + *GatewayContext + attached bool +} + +func ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv1a1.BackendTrafficPolicy, + gateways []*GatewayContext, + routes []RouteContext, + xdsIR XdsIRMap) []*egv1a1.BackendTrafficPolicy { + var res []*egv1a1.BackendTrafficPolicy + + // Sort based on timestamp + sort.Slice(backendTrafficPolicies, func(i, j int) bool { + return backendTrafficPolicies[i].CreationTimestamp.Before(&(backendTrafficPolicies[j].CreationTimestamp)) + }) + + // First build a map out of the routes and gateways for faster lookup since users might have thousands of routes or more. + // For gateways this probably isn't quite as necessary. + routeMap := map[policyTargetRouteKey]*policyRouteTargetContext{} + for _, route := range routes { + key := policyTargetRouteKey{ + Kind: string(GetRouteType(route)), + Name: route.GetName(), + Namespace: route.GetNamespace(), + } + routeMap[key] = &policyRouteTargetContext{RouteContext: route} + } + gatewayMap := map[types.NamespacedName]*policyGatewayTargetContext{} + for _, gw := range gateways { + key := types.NamespacedName{ + Name: gw.GetName(), + Namespace: gw.GetNamespace(), + } + gatewayMap[key] = &policyGatewayTargetContext{GatewayContext: gw} + } + + // Translate + // 1. First translate Policies targeting xRoutes + // 2.. Finally, the policies targeting Gateways + + // Process the policies targeting xRoutes + for _, policy := range backendTrafficPolicies { + if policy.Spec.TargetRef.Kind != KindGateway { + policy := policy.DeepCopy() + res = append(res, policy) + + // Negative statuses have already been assigned so its safe to skip + route := resolveBTPolicyRouteTargetRef(policy, routeMap) + if route == nil { + continue + } + + translateBackendTrafficPolicy(policy, xdsIR) + + // Set Accepted=True + status.SetBackendTrafficPolicyCondition(policy, + gwv1a2.PolicyConditionAccepted, + metav1.ConditionTrue, + gwv1a2.PolicyReasonAccepted, + "BackendTrafficPolicy has been accepted.", + ) + } + } + + // Process the policies targeting Gateways with a section name + for _, policy := range backendTrafficPolicies { + if policy.Spec.TargetRef.Kind == KindGateway { + policy := policy.DeepCopy() + res = append(res, policy) + + // Negative statuses have already been assigned so its safe to skip + gatewayKey := resolveBTPolicyGatewayTargetRef(policy, gatewayMap) + if gatewayKey == nil { + continue + } + + translateBackendTrafficPolicy(policy, xdsIR) + + // Set Accepted=True + status.SetBackendTrafficPolicyCondition(policy, + gwv1a2.PolicyConditionAccepted, + metav1.ConditionTrue, + gwv1a2.PolicyReasonAccepted, + "BackendTrafficPolicy has been accepted.", + ) + } + } + + return res +} + +func resolveBTPolicyGatewayTargetRef(policy *egv1a1.BackendTrafficPolicy, gateways map[types.NamespacedName]*policyGatewayTargetContext) *GatewayContext { + targetNs := policy.Spec.TargetRef.Namespace + // If empty, default to namespace of policy + if targetNs == nil { + targetNs = ptr.To(gwv1b1.Namespace(policy.Namespace)) + } + + // Ensure Policy and target are in the same namespace + if policy.Namespace != string(*targetNs) { + + message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, BackendTrafficPolicy can only target a resource in the same namespace.", + policy.Namespace, *targetNs) + status.SetBackendTrafficPolicyCondition(policy, + gwv1a2.PolicyConditionAccepted, + metav1.ConditionFalse, + gwv1a2.PolicyReasonInvalid, + message, + ) + return nil + } + + // Find the Gateway + key := types.NamespacedName{ + Name: string(policy.Spec.TargetRef.Name), + Namespace: string(*targetNs), + } + gateway, ok := gateways[key] + + // Gateway not found + if !ok { + message := fmt.Sprintf("Gateway:%s not found.", policy.Spec.TargetRef.Name) + + status.SetBackendTrafficPolicyCondition(policy, + gwv1a2.PolicyConditionAccepted, + metav1.ConditionFalse, + gwv1a2.PolicyReasonTargetNotFound, + message, + ) + return nil + } + + // Check if another policy targeting the same Gateway exists + if gateway.attached { + message := "Unable to target Gateway, another BackendTrafficPolicy has already attached to it" + + status.SetBackendTrafficPolicyCondition(policy, + gwv1a2.PolicyConditionAccepted, + metav1.ConditionFalse, + gwv1a2.PolicyReasonConflicted, + message, + ) + return nil + } + + // Set context and save + gateway.attached = true + gateways[key] = gateway + + return gateway.GatewayContext +} + +func resolveBTPolicyRouteTargetRef(policy *egv1a1.BackendTrafficPolicy, routes map[policyTargetRouteKey]*policyRouteTargetContext) RouteContext { + targetNs := policy.Spec.TargetRef.Namespace + // If empty, default to namespace of policy + if targetNs == nil { + targetNs = ptr.To(gwv1b1.Namespace(policy.Namespace)) + } + + // Ensure Policy and target are in the same namespace + if policy.Namespace != string(*targetNs) { + + message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, BackendTrafficPolicy can only target a resource in the same namespace.", + policy.Namespace, *targetNs) + status.SetBackendTrafficPolicyCondition(policy, + gwv1a2.PolicyConditionAccepted, + metav1.ConditionFalse, + gwv1a2.PolicyReasonInvalid, + message, + ) + return nil + } + + // Check if the route exists + key := policyTargetRouteKey{ + Kind: string(policy.Spec.TargetRef.Kind), + Name: string(policy.Spec.TargetRef.Name), + Namespace: string(*targetNs), + } + route, ok := routes[key] + + // Route not found + if !ok { + message := fmt.Sprintf("%s/%s/%s not found.", policy.Spec.TargetRef.Kind, string(*targetNs), policy.Spec.TargetRef.Name) + + status.SetBackendTrafficPolicyCondition(policy, + gwv1a2.PolicyConditionAccepted, + metav1.ConditionFalse, + gwv1a2.PolicyReasonTargetNotFound, + message, + ) + return nil + } + + // Check if another policy targeting the same xRoute exists + if route.attached { + message := fmt.Sprintf("Unable to target %s, another BackendTrafficPolicy has already attached to it", string(policy.Spec.TargetRef.Kind)) + + status.SetBackendTrafficPolicyCondition(policy, + gwv1a2.PolicyConditionAccepted, + metav1.ConditionFalse, + gwv1a2.PolicyReasonConflicted, + message, + ) + return nil + } + + // Set context and save + route.attached = true + routes[key] = route + + return route.RouteContext +} +func translateBackendTrafficPolicy(policy *egv1a1.BackendTrafficPolicy, xdsIR XdsIRMap) { + // TODO +} diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index 8e9fea6d77c..3eb1f6ffe2c 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -54,7 +54,7 @@ func ProcessClientTrafficPolicies(clientTrafficPolicies []*egv1a1.ClientTrafficP policy := policy.DeepCopy() res = append(res, policy) - gateway := getGatewayTargetRef(policy, gateways) + gateway := resolveCTPolicyTargetRef(policy, gateways) // Negative statuses have already been assigned so its safe to skip if gateway == nil { @@ -112,7 +112,7 @@ func ProcessClientTrafficPolicies(clientTrafficPolicies []*egv1a1.ClientTrafficP policy := policy.DeepCopy() res = append(res, policy) - gateway := getGatewayTargetRef(policy, gateways) + gateway := resolveCTPolicyTargetRef(policy, gateways) // Negative statuses have already been assigned so its safe to skip if gateway == nil { @@ -184,7 +184,7 @@ func ProcessClientTrafficPolicies(clientTrafficPolicies []*egv1a1.ClientTrafficP return res } -func getGatewayTargetRef(policy *egv1a1.ClientTrafficPolicy, gateways []*GatewayContext) *GatewayContext { +func resolveCTPolicyTargetRef(policy *egv1a1.ClientTrafficPolicy, gateways []*GatewayContext) *GatewayContext { targetNs := policy.Spec.TargetRef.Namespace // If empty, default to namespace of policy if targetNs == nil { diff --git a/internal/gatewayapi/resource.go b/internal/gatewayapi/resource.go index 6379590686d..6b0e87303d7 100644 --- a/internal/gatewayapi/resource.go +++ b/internal/gatewayapi/resource.go @@ -27,43 +27,45 @@ type InfraIRMap map[string]*ir.Infra type Resources struct { // This field is only used for marshalling/unmarshalling purposes and is not used by // the translator - GatewayClass *gwapiv1.GatewayClass `json:"gatewayClass,omitempty" yaml:"gatewayClass,omitempty"` - Gateways []*gwapiv1.Gateway `json:"gateways,omitempty" yaml:"gateways,omitempty"` - HTTPRoutes []*gwapiv1.HTTPRoute `json:"httpRoutes,omitempty" yaml:"httpRoutes,omitempty"` - GRPCRoutes []*gwapiv1a2.GRPCRoute `json:"grpcRoutes,omitempty" yaml:"grpcRoutes,omitempty"` - TLSRoutes []*gwapiv1a2.TLSRoute `json:"tlsRoutes,omitempty" yaml:"tlsRoutes,omitempty"` - TCPRoutes []*gwapiv1a2.TCPRoute `json:"tcpRoutes,omitempty" yaml:"tcpRoutes,omitempty"` - UDPRoutes []*gwapiv1a2.UDPRoute `json:"udpRoutes,omitempty" yaml:"udpRoutes,omitempty"` - ReferenceGrants []*gwapiv1b1.ReferenceGrant `json:"referenceGrants,omitempty" yaml:"referenceGrants,omitempty"` - Namespaces []*v1.Namespace `json:"namespaces,omitempty" yaml:"namespaces,omitempty"` - Services []*v1.Service `json:"services,omitempty" yaml:"services,omitempty"` - ServiceImports []*mcsapi.ServiceImport `json:"serviceImports,omitempty" yaml:"serviceImports,omitempty"` - EndpointSlices []*discoveryv1.EndpointSlice `json:"endpointSlices,omitempty" yaml:"endpointSlices,omitempty"` - Secrets []*v1.Secret `json:"secrets,omitempty" yaml:"secrets,omitempty"` - AuthenticationFilters []*egv1a1.AuthenticationFilter `json:"authenticationFilters,omitempty" yaml:"authenticationFilters,omitempty"` - RateLimitFilters []*egv1a1.RateLimitFilter `json:"rateLimitFilters,omitempty" yaml:"rateLimitFilters,omitempty"` - EnvoyProxy *egv1a1.EnvoyProxy `json:"envoyProxy,omitempty" yaml:"envoyProxy,omitempty"` - ExtensionRefFilters []unstructured.Unstructured `json:"extensionRefFilters,omitempty" yaml:"extensionRefFilters,omitempty"` - EnvoyPatchPolicies []*egv1a1.EnvoyPatchPolicy `json:"envoyPatchPolicies,omitempty" yaml:"envoyPatchPolicies,omitempty"` - ClientTrafficPolicies []*egv1a1.ClientTrafficPolicy `json:"clientTrafficPolicies,omitempty" yaml:"clientTrafficPolicies,omitempty"` + GatewayClass *gwapiv1.GatewayClass `json:"gatewayClass,omitempty" yaml:"gatewayClass,omitempty"` + Gateways []*gwapiv1.Gateway `json:"gateways,omitempty" yaml:"gateways,omitempty"` + HTTPRoutes []*gwapiv1.HTTPRoute `json:"httpRoutes,omitempty" yaml:"httpRoutes,omitempty"` + GRPCRoutes []*gwapiv1a2.GRPCRoute `json:"grpcRoutes,omitempty" yaml:"grpcRoutes,omitempty"` + TLSRoutes []*gwapiv1a2.TLSRoute `json:"tlsRoutes,omitempty" yaml:"tlsRoutes,omitempty"` + TCPRoutes []*gwapiv1a2.TCPRoute `json:"tcpRoutes,omitempty" yaml:"tcpRoutes,omitempty"` + UDPRoutes []*gwapiv1a2.UDPRoute `json:"udpRoutes,omitempty" yaml:"udpRoutes,omitempty"` + ReferenceGrants []*gwapiv1b1.ReferenceGrant `json:"referenceGrants,omitempty" yaml:"referenceGrants,omitempty"` + Namespaces []*v1.Namespace `json:"namespaces,omitempty" yaml:"namespaces,omitempty"` + Services []*v1.Service `json:"services,omitempty" yaml:"services,omitempty"` + ServiceImports []*mcsapi.ServiceImport `json:"serviceImports,omitempty" yaml:"serviceImports,omitempty"` + EndpointSlices []*discoveryv1.EndpointSlice `json:"endpointSlices,omitempty" yaml:"endpointSlices,omitempty"` + Secrets []*v1.Secret `json:"secrets,omitempty" yaml:"secrets,omitempty"` + AuthenticationFilters []*egv1a1.AuthenticationFilter `json:"authenticationFilters,omitempty" yaml:"authenticationFilters,omitempty"` + RateLimitFilters []*egv1a1.RateLimitFilter `json:"rateLimitFilters,omitempty" yaml:"rateLimitFilters,omitempty"` + EnvoyProxy *egv1a1.EnvoyProxy `json:"envoyProxy,omitempty" yaml:"envoyProxy,omitempty"` + ExtensionRefFilters []unstructured.Unstructured `json:"extensionRefFilters,omitempty" yaml:"extensionRefFilters,omitempty"` + EnvoyPatchPolicies []*egv1a1.EnvoyPatchPolicy `json:"envoyPatchPolicies,omitempty" yaml:"envoyPatchPolicies,omitempty"` + ClientTrafficPolicies []*egv1a1.ClientTrafficPolicy `json:"clientTrafficPolicies,omitempty" yaml:"clientTrafficPolicies,omitempty"` + BackendTrafficPolicies []*egv1a1.BackendTrafficPolicy `json:"backendTrafficPolicies,omitempty" yaml:"backendTrafficPolicies,omitempty"` } func NewResources() *Resources { return &Resources{ - Gateways: []*gwapiv1.Gateway{}, - HTTPRoutes: []*gwapiv1.HTTPRoute{}, - GRPCRoutes: []*gwapiv1a2.GRPCRoute{}, - TLSRoutes: []*gwapiv1a2.TLSRoute{}, - Services: []*v1.Service{}, - EndpointSlices: []*discoveryv1.EndpointSlice{}, - Secrets: []*v1.Secret{}, - ReferenceGrants: []*gwapiv1b1.ReferenceGrant{}, - Namespaces: []*v1.Namespace{}, - RateLimitFilters: []*egv1a1.RateLimitFilter{}, - AuthenticationFilters: []*egv1a1.AuthenticationFilter{}, - ExtensionRefFilters: []unstructured.Unstructured{}, - EnvoyPatchPolicies: []*egv1a1.EnvoyPatchPolicy{}, - ClientTrafficPolicies: []*egv1a1.ClientTrafficPolicy{}, + Gateways: []*gwapiv1.Gateway{}, + HTTPRoutes: []*gwapiv1.HTTPRoute{}, + GRPCRoutes: []*gwapiv1a2.GRPCRoute{}, + TLSRoutes: []*gwapiv1a2.TLSRoute{}, + Services: []*v1.Service{}, + EndpointSlices: []*discoveryv1.EndpointSlice{}, + Secrets: []*v1.Secret{}, + ReferenceGrants: []*gwapiv1b1.ReferenceGrant{}, + Namespaces: []*v1.Namespace{}, + RateLimitFilters: []*egv1a1.RateLimitFilter{}, + AuthenticationFilters: []*egv1a1.AuthenticationFilter{}, + ExtensionRefFilters: []unstructured.Unstructured{}, + EnvoyPatchPolicies: []*egv1a1.EnvoyPatchPolicy{}, + ClientTrafficPolicies: []*egv1a1.ClientTrafficPolicy{}, + BackendTrafficPolicies: []*egv1a1.BackendTrafficPolicy{}, } } diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index 2ac63fc6221..9a89ba48eb4 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go @@ -152,6 +152,11 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { key := utils.NamespacedName(clientTrafficPolicy) r.ProviderResources.ClientTrafficPolicyStatuses.Store(key, &clientTrafficPolicy.Status) } + for _, backendTrafficPolicy := range result.BackendTrafficPolicies { + backendTrafficPolicy := backendTrafficPolicy + key := utils.NamespacedName(backendTrafficPolicy) + r.ProviderResources.BackendTrafficPolicyStatuses.Store(key, &backendTrafficPolicy.Status) + } }, ) diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.in.yaml new file mode 100644 index 00000000000..ddd71197828 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.in.yaml @@ -0,0 +1,133 @@ +backendTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: envoy-gateway + name: target-gateway-1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: envoy-gateway + name: target-gateway-1-as-well + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: envoy-gateway + name: target-httproute-in-gateway-1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + namespace: envoy-gateway +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: envoy-gateway + name: also-target-httproute-in-gateway-1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + namespace: envoy-gateway +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: envoy-gateway + name: target-grpcroute-in-gateway-2 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: GRPCRoute + name: grpcroute-1 + namespace: envoy-gateway +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: HTTPRoute + metadata: + namespace: envoy-gateway + name: httproute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 +grpcRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + namespace: envoy-gateway + name: grpcroute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-2 + rules: + - matches: + - headers: + - type: Exact + name: magic + value: foo + backendRefs: + - name: service-1 + port: 8080 +gateways: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: Same +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-2 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: Same + - name: https + protocol: HTTPS + port: 443 + allowedRoutes: + namespaces: + from: Same + - name: tcp + protocol: TCP + port: 53 + allowedRoutes: + namespaces: + from: Same diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml new file mode 100644 index 00000000000..b2d814f29da --- /dev/null +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml @@ -0,0 +1,384 @@ +backendTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: target-httproute-in-gateway-1 + namespace: envoy-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + namespace: envoy-gateway + status: + conditions: + - lastTransitionTime: null + message: BackendTrafficPolicy has been accepted. + reason: Accepted + status: "True" + type: Accepted +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: also-target-httproute-in-gateway-1 + namespace: envoy-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + namespace: envoy-gateway + status: + conditions: + - lastTransitionTime: null + message: Unable to target HTTPRoute, another BackendTrafficPolicy has already + attached to it + reason: Conflicted + status: "False" + type: Accepted +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: target-grpcroute-in-gateway-2 + namespace: envoy-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: GRPCRoute + name: grpcroute-1 + namespace: envoy-gateway + status: + conditions: + - lastTransitionTime: null + message: BackendTrafficPolicy has been accepted. + reason: Accepted + status: "True" + type: Accepted +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: target-gateway-1 + namespace: envoy-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + status: + conditions: + - lastTransitionTime: null + message: BackendTrafficPolicy has been accepted. + reason: Accepted + status: "True" + type: Accepted +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: target-gateway-1-as-well + namespace: envoy-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + status: + conditions: + - lastTransitionTime: null + message: Unable to target Gateway, another BackendTrafficPolicy has already + attached to it + reason: Conflicted + status: "False" + type: Accepted +gateways: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + infrastructure: {} + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-2 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + infrastructure: {} + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http + port: 80 + protocol: HTTP + - allowedRoutes: + namespaces: + from: Same + name: https + port: 443 + protocol: HTTPS + - allowedRoutes: + namespaces: + from: Same + name: tcp + port: 53 + protocol: TCP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Listener must have TLS set when protocol is HTTPS. + reason: Invalid + status: "False" + type: Programmed + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: https + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: tcp + supportedKinds: + - group: gateway.networking.k8s.io + kind: TCPRoute +grpcRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + creationTimestamp: null + name: grpcroute-1 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-2 + namespace: envoy-gateway + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - headers: + - name: magic + type: Exact + value: foo + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Service envoy-gateway/service-1 not found + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-2 + namespace: envoy-gateway +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Service envoy-gateway/service-1 not found + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: "" + ports: + - containerPort: 10080 + name: http + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 + envoy-gateway/gateway-2: + proxy: + listeners: + - address: "" + ports: + - containerPort: 10080 + name: http + protocol: HTTP + servicePort: 80 + - containerPort: 10053 + name: tcp + protocol: TCP + servicePort: 53 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-2 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + name: envoy-gateway/gateway-1/http + port: 10080 + routes: + - backendWeights: + invalid: 1 + valid: 0 + directResponse: + statusCode: 500 + hostname: '*' + name: httproute/envoy-gateway/httproute-1/rule/0/match/0/* + pathMatch: + distinct: false + name: "" + prefix: / + envoy-gateway/gateway-2: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: true + name: envoy-gateway/gateway-2/http + port: 10080 + routes: + - backendWeights: + invalid: 1 + valid: 0 + directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: foo + name: magic + hostname: '*' + name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/* diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go index 35bb6cc3fec..ae8279a8d4c 100644 --- a/internal/gatewayapi/translator.go +++ b/internal/gatewayapi/translator.go @@ -98,6 +98,7 @@ func newTranslateResult(gateways []*GatewayContext, tcpRoutes []*TCPRouteContext, udpRoutes []*UDPRouteContext, clientTrafficPolicies []*egv1a1.ClientTrafficPolicy, + backendTrafficPolicies []*egv1a1.BackendTrafficPolicy, xdsIR XdsIRMap, infraIR InfraIRMap) *TranslateResult { translateResult := &TranslateResult{ XdsIR: xdsIR, @@ -124,6 +125,7 @@ func newTranslateResult(gateways []*GatewayContext, } translateResult.ClientTrafficPolicies = append(translateResult.ClientTrafficPolicies, clientTrafficPolicies...) + translateResult.BackendTrafficPolicies = append(translateResult.BackendTrafficPolicies, backendTrafficPolicies...) return translateResult } @@ -162,10 +164,29 @@ func (t *Translator) Translate(resources *Resources) *TranslateResult { // Process all relevant UDPRoutes. udpRoutes := t.ProcessUDPRoutes(resources.UDPRoutes, gateways, resources, xdsIR) + // Process BackendTrafficPolicies + routes := []RouteContext{} + for _, h := range httpRoutes { + routes = append(routes, h) + } + for _, g := range grpcRoutes { + routes = append(routes, g) + } + for _, t := range tlsRoutes { + routes = append(routes, t) + } + for _, t := range tcpRoutes { + routes = append(routes, t) + } + for _, u := range udpRoutes { + routes = append(routes, u) + } + backendTrafficPolicies := ProcessBackendTrafficPolicies(resources.BackendTrafficPolicies, gateways, routes, xdsIR) + // Sort xdsIR based on the Gateway API spec sortXdsIRMap(xdsIR) - return newTranslateResult(gateways, httpRoutes, grpcRoutes, tlsRoutes, tcpRoutes, udpRoutes, clientTrafficPolicies, xdsIR, infraIR) + return newTranslateResult(gateways, httpRoutes, grpcRoutes, tlsRoutes, tcpRoutes, udpRoutes, clientTrafficPolicies, backendTrafficPolicies, xdsIR, infraIR) } // GetRelevantGateways returns GatewayContexts, containing a copy of the original diff --git a/internal/gatewayapi/zz_generated.deepcopy.go b/internal/gatewayapi/zz_generated.deepcopy.go index 5fa57b08656..6e5d0fa0529 100644 --- a/internal/gatewayapi/zz_generated.deepcopy.go +++ b/internal/gatewayapi/zz_generated.deepcopy.go @@ -216,6 +216,17 @@ func (in *Resources) DeepCopyInto(out *Resources) { } } } + if in.BackendTrafficPolicies != nil { + in, out := &in.BackendTrafficPolicies, &out.BackendTrafficPolicies + *out = make([]*apiv1alpha1.BackendTrafficPolicy, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(apiv1alpha1.BackendTrafficPolicy) + (*in).DeepCopyInto(*out) + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Resources. diff --git a/internal/message/types.go b/internal/message/types.go index 4500ebf3950..78cf3002bd0 100644 --- a/internal/message/types.go +++ b/internal/message/types.go @@ -78,8 +78,9 @@ func (s *GatewayAPIStatuses) Close() { // PolicyStatuses contains policy related resources statuses type PolicyStatuses struct { - ClientTrafficPolicyStatuses watchable.Map[types.NamespacedName, *egv1a1.ClientTrafficPolicyStatus] - EnvoyPatchPolicyStatuses watchable.Map[types.NamespacedName, *egv1a1.EnvoyPatchPolicyStatus] + ClientTrafficPolicyStatuses watchable.Map[types.NamespacedName, *egv1a1.ClientTrafficPolicyStatus] + BackendTrafficPolicyStatuses watchable.Map[types.NamespacedName, *egv1a1.BackendTrafficPolicyStatus] + EnvoyPatchPolicyStatuses watchable.Map[types.NamespacedName, *egv1a1.EnvoyPatchPolicyStatus] } func (p *PolicyStatuses) Close() { diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 6798aa026d6..006a168d5fa 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -308,6 +308,21 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques } + // Add all BackendTrafficPolicies + backendTrafficPolicies := egv1a1.BackendTrafficPolicyList{} + if err := r.client.List(ctx, &backendTrafficPolicies); err != nil { + return reconcile.Result{}, fmt.Errorf("error listing BackendTrafficPolicies: %v", err) + } + + for _, policy := range backendTrafficPolicies.Items { + policy := policy + // Discard Status to reduce memory consumption in watchable + // It will be recomputed by the gateway-api layer + policy.Status = egv1a1.BackendTrafficPolicyStatus{} + resourceTree.BackendTrafficPolicies = append(resourceTree.BackendTrafficPolicies, &policy) + + } + // For this particular Gateway, and all associated objects, check whether the // namespace exists. Add to the resourceTree. for ns := range resourceMap.allAssociatedNamespaces { @@ -1269,6 +1284,33 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context) { r.log.Info("clientTrafficPolicy status subscriber shutting down") }() + // BackendTrafficPolicy object status updater + go func() { + message.HandleSubscription(r.resources.BackendTrafficPolicyStatuses.Subscribe(ctx), + func(update message.Update[types.NamespacedName, *egv1a1.BackendTrafficPolicyStatus]) { + // skip delete updates. + if update.Delete { + return + } + key := update.Key + val := update.Value + r.statusUpdater.Send(status.Update{ + NamespacedName: key, + Resource: new(egv1a1.BackendTrafficPolicy), + Mutator: status.MutatorFunc(func(obj client.Object) client.Object { + t, ok := obj.(*egv1a1.BackendTrafficPolicy) + if !ok { + panic(fmt.Sprintf("unsupported object type %T", obj)) + } + tCopy := t.DeepCopy() + tCopy.Status = *val + return tCopy + }), + }) + }, + ) + r.log.Info("backendTrafficPolicy status subscriber shutting down") + }() } // watchResources watches gateway api resources. @@ -1569,6 +1611,20 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } + // Watch BackendTrafficPolicy + btpPredicates := []predicate.Predicate{predicate.GenerationChangedPredicate{}} + if len(r.namespaceLabels) != 0 { + btpPredicates = append(btpPredicates, predicate.NewPredicateFuncs(r.hasMatchingNamespaceLabels)) + } + + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.BackendTrafficPolicy{}), + handler.EnqueueRequestsFromMapFunc(r.enqueueClass), + btpPredicates..., + ); err != nil { + return err + } + r.log.Info("Watching gatewayAPI related objects") // Watch any additional GVKs from the registered extension. diff --git a/internal/status/backendtrafficpolicy.go b/internal/status/backendtrafficpolicy.go new file mode 100644 index 00000000000..22b8ad2f5f5 --- /dev/null +++ b/internal/status/backendtrafficpolicy.go @@ -0,0 +1,20 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package status + +import ( + "time" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + gwv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" +) + +func SetBackendTrafficPolicyCondition(c *egv1a1.BackendTrafficPolicy, conditionType gwv1a2.PolicyConditionType, status metav1.ConditionStatus, reason gwv1a2.PolicyConditionReason, message string) { + cond := newCondition(string(conditionType), status, string(reason), message, time.Now(), c.Generation) + c.Status.Conditions = MergeConditions(c.Status.Conditions, cond) +} diff --git a/internal/status/status.go b/internal/status/status.go index cd7df4110da..0a86125cabf 100644 --- a/internal/status/status.go +++ b/internal/status/status.go @@ -226,6 +226,12 @@ func isStatusEqual(objA, objB interface{}) bool { return true } } + case *egv1a1.BackendTrafficPolicy: + if b, ok := objB.(*egv1a1.BackendTrafficPolicy); ok { + if cmp.Equal(a.Status, b.Status, opts) { + return true + } + } } return false diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 41cccc4cfd8..1f3545304b6 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -15,6 +15,8 @@ API group. ### Resource Types - [AuthenticationFilter](#authenticationfilter) +- [BackendTrafficPolicy](#backendtrafficpolicy) +- [BackendTrafficPolicyList](#backendtrafficpolicylist) - [ClientTrafficPolicy](#clienttrafficpolicy) - [ClientTrafficPolicyList](#clienttrafficpolicylist) - [EnvoyGateway](#envoygateway) @@ -67,6 +69,55 @@ _Appears in:_ +#### BackendTrafficPolicy + + + +BackendTrafficPolicy allows the user to configure the behavior of the connection between the downstream client and Envoy Proxy listener. + +_Appears in:_ +- [BackendTrafficPolicyList](#backendtrafficpolicylist) + +| Field | Description | +| --- | --- | +| `apiVersion` _string_ | `gateway.envoyproxy.io/v1alpha1` +| `kind` _string_ | `BackendTrafficPolicy` +| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` _[BackendTrafficPolicySpec](#backendtrafficpolicyspec)_ | spec defines the desired state of BackendTrafficPolicy. | + + +#### BackendTrafficPolicyList + + + +BackendTrafficPolicyList contains a list of BackendTrafficPolicy resources. + + + +| Field | Description | +| --- | --- | +| `apiVersion` _string_ | `gateway.envoyproxy.io/v1alpha1` +| `kind` _string_ | `BackendTrafficPolicyList` +| `metadata` _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | +| `items` _[BackendTrafficPolicy](#backendtrafficpolicy) array_ | | + + +#### BackendTrafficPolicySpec + + + +spec defines the desired state of BackendTrafficPolicy. + +_Appears in:_ +- [BackendTrafficPolicy](#backendtrafficpolicy) + +| Field | Description | +| --- | --- | +| `targetRef` _[PolicyTargetReferenceWithSectionName](#policytargetreferencewithsectionname)_ | targetRef is the name of the resource this policy is being attached to. This Policy and the TargetRef MUST be in the same namespace for this Policy to have effect and be applied to the Gateway. | + + + + #### BootstrapType _Underlying type:_ `string` diff --git a/site/content/en/latest/design/backend-traffic-policy.md b/site/content/en/latest/design/backend-traffic-policy.md new file mode 100644 index 00000000000..3cc0709b946 --- /dev/null +++ b/site/content/en/latest/design/backend-traffic-policy.md @@ -0,0 +1,155 @@ +--- +title: "BackendTrafficPolicy" +--- + +## Overview + +This design document introduces the `BackendTrafficPolicy` API allowing users to configure +the behavior for how the Envoy Proxy server communicates with upstream backend services/endpoints. + +## Goals + +- Add an API definition to hold settings for configuring behavior of the connection between the backend services +and Envoy Proxy listener. + +## Non Goals + +- Define the API configuration fields in this API. + +## Implementation + +`BackendTrafficPolicy` is an implied hierarchy type API that can be used to extend [Gateway API][]. +It can target either a `Gateway`, or an xRoute (`HTTPRoute`/`GRPCRoute`/etc.). When targeting a `Gateway`, +it will apply the configured settings within ght `BackendTrafficPolicy` to all children xRoute resources of that `Gateway`. +If a `BackendTrafficPolicy` targets an xRoute and a different `BackendTrafficPolicy` targets the `Gateway` that route belongs to, +then the configuration from the policy that is targeting the xRoute resource will win in a conflict. + +### Example + +Here is an example highlighting how a user can configure this API. + +```yaml +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: GatewayClass +metadata: + name: eg +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: eg + namespace: default +spec: + gatewayClassName: eg + listeners: + - name: http + protocol: HTTP + port: 80 +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: ipv4-route + namespace: default +spec: + parentRefs: + - name: eg + hostnames: + - "www.foo.example.com" + rules: + - backendRefs: + - group: "" + kind: Service + name: ipv4-service + port: 3000 + weight: 1 + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: ipv6-route + namespace: default +spec: + parentRefs: + - name: eg + hostnames: + - "www.bar.example.com" + rules: + - backendRefs: + - group: "" + kind: Service + name: ipv6-service + port: 3000 + weight: 1 + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: default-ipv-policy + namespace: default +spec: + protocols: + enableIPv6: false + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: eg + namespace: default +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: ipv6-support-policy + namespace: default +spec: + protocols: + enableIPv6: true + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: ipv6-route + namespace: default +``` + +## Features / API Fields + +Here is a list of some features that can be included in this API. Note that this list is not exhaustive. + +- Protocol configuration +- Circuit breaking +- Retries +- Keep alive probes +- Health checking +- Load balancing + +## Design Decisions + +- This API will only support a single `targetRef` and can bind to only a `Gateway` or xRoute (`HTTPRoute`/`GRPCRoute`/etc.) resource. +- This API resource MUST be part of same namespace as the resource it targets. +- There can be only be ONE policy resource attached to a specific `Listener` (section) within a `Gateway` +- If the policy targets a resource but cannot attach to it, this information should be reflected +in the Policy Status field using the `Conflicted=True` condition. +- If multiple polices target the same resource, the oldest resource (based on creation timestamp) will +attach to the Gateway Listeners, the others will not. +- If Policy A has a `targetRef` that includes a `sectionName` i.e. +it targets a specific Listener within a `Gateway` and Policy B has a `targetRef` that targets the same +entire Gateway then + - Policy A will be applied/attached to the specific Listener defined in the `targetRef.SectionName` + - Policy B will be applied to the remaining Listeners within the Gateway. Policy B will have an additional + status condition `Overridden=True`. + +## Alternatives + +- The project can indefintely wait for these configuration parameters to be part of the [Gateway API][]. + +[Gateway API]: https://gateway-api.sigs.k8s.io/ diff --git a/site/content/en/latest/design/client-traffic-policy.md b/site/content/en/latest/design/client-traffic-policy.md index 65edd4130c4..fab62b92078 100644 --- a/site/content/en/latest/design/client-traffic-policy.md +++ b/site/content/en/latest/design/client-traffic-policy.md @@ -8,17 +8,21 @@ This design document introduces the `ClientTrafficPolicy` API allowing system ad the behavior for how the Envoy Proxy server behaves with downstream clients. ## Goals + * Add an API definition to hold settings for configuring behavior of the connection between the downstream client and Envoy Proxy listener. ## Non Goals + * Define the API configuration fields in this API. ## Implementation + `ClientTrafficPolicy` is a [Direct Policy Attachment][] type API that can be used to extend [Gateway API][] to define configuration that affect the connection between the downstream client and Envoy Proxy listener. ### Example + Here is an example highlighting how a user can configure this API. ``` @@ -78,13 +82,16 @@ spec: ``` ## Features / API Fields + Here is a list of features that can be included in this API + * Downstream ProxyProtocol * Downstream Keep Alives * IP Blocking * Downstream HTTP3 ## Design Decisions + * This API will only support a single `targetRef` and can bind to only a `Gateway` resource. * This API resource MUST be part of same namespace as the `Gateway` resource * There can be only be ONE policy resource attached to a specific `Listener` (section) within a `Gateway` @@ -92,7 +99,7 @@ Here is a list of features that can be included in this API in the Policy Status field using the `Conflicted=True` condition. * If multiple polices target the same resource, the oldest resource (based on creation timestamp) will attach to the Gateway Listeners, the others will not. -* If Policy A has a `targetRef` that includes a `sectionName` i.e. +* If Policy A has a `targetRef` that includes a `sectionName` i.e. it targets a specific Listener within a `Gateway` and Policy B has a `targetRef` that targets the same entire Gateway then * Policy A will be applied/attached to the specific Listener defined in the `targetRef.SectionName` @@ -100,7 +107,8 @@ entire Gateway then status condition `Overridden=True`. ## Alternatives + * The project can indefintely wait for these configuration parameters to be part of the [Gateway API]. -[Direct Policy Attachment]: https://gateway-api.sigs.k8s.io/references/policy-attachment/#direct-policy-attachment +[Direct Policy Attachment]: https://gateway-api.sigs.k8s.io/references/policy-attachment/#direct-policy-attachment [Gateway API]: https://gateway-api.sigs.k8s.io/