addressed review comments

Signed-off-by: tanujd11 <[email protected]>

api/v1alpha1/clienttrafficpolicy_types.go

@@ -59,10 +59,15 @@ type ClientTrafficPolicySpec struct {
 	//
 	// +optional
 	EnableProxyProtocol *bool `json:"enableProxyProtocol,omitempty"`
-	// EnableHTTP3 enables HTTP/3 support on the listener.
-	// Disabled by default.
+	// HTTP3Settings provides HTTP/3 configuration on the listener.
 	// +optional
-	EnableHTTP3 bool `json:"enableHTTP3,omitempty"`
+	HTTP3Settings *HTTP3Settings `json:"http3Settings,omitempty"`
+}
+
+type HTTP3Settings struct {
+	// Enabled enables HTTP/3 support on the listener.
+	// Disabled by default.
+	Enabled bool `json:"enabled,omitempty"`
 }
 
 // ClientTrafficPolicyStatus defines the state of ClientTrafficPolicy

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -50,6 +50,14 @@ spec:
                   Proxy Protocol must be present when this field is set, else the
                   connection is closed.
                 type: boolean
+              http3Settings:
+                description: HTTP3Settings provides HTTP/3 configuration on the listener.
+                properties:
+                  enabled:
+                    description: Enabled enables HTTP/3 support on the listener. Disabled
+                      by default.
+                    type: boolean
+                type: object
               targetRef:
                 description: TargetRef is the name of the Gateway resource this policy
                   is being attached to. This Policy and the TargetRef MUST be in the

internal/gatewayapi/clienttrafficpolicy.go

@@ -293,16 +293,22 @@ func (t *Translator) translateClientTrafficPolicyForListener(policySpec *egv1a1.
 		translateListenerProxyProtocol(policySpec.EnableProxyProtocol, httpIR)
 		// enable http3 if set and TLS is enabled
 		if httpIR.TLS != nil {
-			httpIR.EnableHTTP3 = policySpec.EnableHTTP3
-			var proxyListenerIR *ir.ProxyListener
-			for _, proxyListener := range infraIR[irKey].Proxy.Listeners {
-				if proxyListener.Name == irListenerName {
-					proxyListenerIR = proxyListener
-					break
+			if policySpec.HTTP3Settings != nil {
+				httpIR.HTTP3Settings = &ir.HTTP3Settings{
+					Enabled: policySpec.HTTP3Settings.Enabled,
+				}
+				var proxyListenerIR *ir.ProxyListener
+				for _, proxyListener := range infraIR[irKey].Proxy.Listeners {
+					if proxyListener.Name == irListenerName {
+						proxyListenerIR = proxyListener
+						break
+					}
+				}
+				if proxyListenerIR != nil {
+					proxyListenerIR.HTTP3Settings = &ir.HTTP3Settings{
+						Enabled: policySpec.HTTP3Settings.Enabled,
+					}
 				}
-			}
-			if proxyListenerIR != nil {
-				proxyListenerIR.EnableHTTP3 = policySpec.EnableHTTP3
 			}
 		}
 	}

internal/gatewayapi/testdata/clienttrafficpolicy-http3.in.yaml

@@ -5,7 +5,8 @@ clientTrafficPolicies:
     namespace: envoy-gateway
     name: target-gateway-1
   spec:
-    enableHTTP3: true
+    http3Settings: 
+      enabled: true
     targetRef:
       group: gateway.networking.k8s.io
       kind: Gateway

internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml

@@ -6,7 +6,8 @@ clientTrafficPolicies:
     name: target-gateway-1
     namespace: envoy-gateway
   spec:
-    enableHTTP3: true
+    http3Settings:
+      enabled: true
     targetRef:
       group: gateway.networking.k8s.io
       kind: Gateway
@@ -106,7 +107,8 @@ infraIR:
     proxy:
       listeners:
       - address: ""
-        enableHTTP3: true
+        http3Settings:
+          enabled: true
         name: envoy-gateway/gateway-1/tls
         ports:
         - containerPort: 10443
@@ -125,9 +127,10 @@ xdsIR:
       - path: /dev/stdout
     http:
     - address: 0.0.0.0
-      enableHTTP3: true
       hostnames:
       - '*'
+      http3Settings:
+        enabled: true
       isHTTP2: false
       name: envoy-gateway/gateway-1/tls
       port: 10443
@@ -141,6 +144,7 @@ xdsIR:
           - endpoints:
             - host: 7.7.7.7
               port: 8080
+            protocol: HTTP
             weight: 1
         hostname: '*'
         name: httproute/default/httproute-1/rule/0/match/0/*

internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol.out.yaml

@@ -95,11 +95,15 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http-1
         ports:
         - containerPort: 10080
           name: http-1
           protocol: HTTP
           servicePort: 80
+      - address: ""
+        name: envoy-gateway/gateway-1/http-2
+        ports:
         - containerPort: 8080
           name: http-2
           protocol: HTTP

internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml

@@ -121,6 +121,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml

@@ -44,6 +44,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: default/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml

@@ -124,6 +124,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: default/gateway-1/http
         ports:
         - containerPort: 10080
           name: http
@@ -138,6 +139,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: default/gateway-2/http
         ports:
         - containerPort: 10080
           name: http
@@ -152,6 +154,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: default/gateway-3/http
         ports:
         - containerPort: 10080
           name: http

internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml

@@ -155,6 +155,7 @@ infraIR:
     proxy:
       listeners:
       - address: ""
+        name: envoy-gateway/gateway-1/http
         ports:
         - containerPort: 10080
           name: http

internal/infrastructure/kubernetes/proxy/resource_provider.go

@@ -82,7 +82,7 @@ func (r *ResourceRender) Service() (*corev1.Service, error) {
 			ports = append(ports, p)
 
 			if port.Protocol == ir.HTTPSProtocolType {
-				if listener.EnableHTTP3 {
+				if listener.HTTP3Settings != nil && listener.HTTP3Settings.Enabled {
 					p := corev1.ServicePort{
 						Name:       ExpectedResourceHashedName(port.Name + "-h3"),
 						Protocol:   corev1.ProtocolUDP,

internal/ir/infra.go

@@ -58,8 +58,15 @@ type ProxyListener struct {
 	Address string `json:"address" yaml:"address"`
 	// Ports define network ports of the listener.
 	Ports []ListenerPort `json:"ports,omitempty" yaml:"ports,omitempty"`
-	// EnableHTTP3 enables HTTP/3 support.
-	EnableHTTP3 bool `json:"enableHTTP3,omitempty" yaml:"enableHTTP3,omitempty"`
+	// HTTP3Settings provides HTTP/3 configuration on the listener.
+	// +optional
+	HTTP3Settings *HTTP3Settings `json:"http3Settings,omitempty"`
+}
+
+type HTTP3Settings struct {
+	// Enabled enables HTTP/3 support on the listener.
+	// Disabled by default.
+	Enabled bool `json:"enabled,omitempty"`
 }
 
 // ListenerPort defines a network port of a listener.

internal/ir/xds.go

@@ -186,8 +186,9 @@ type HTTPListener struct {
 	TCPKeepalive *TCPKeepalive `json:"tcpKeepalive,omitempty" yaml:"tcpKeepalive,omitempty"`
 	// EnableProxyProtocol enables the listener to interpret proxy protocol header
 	EnableProxyProtocol bool `json:"enableProxyProtocol,omitempty" yaml:"enableProxyProtocol,omitempty"`
-	// EnableHTTP3 is set to true to enable downstream HTTP3 support
-	EnableHTTP3 bool `json:"enableHTTP3,omitempty" yaml:"enableHTTP3,omitempty"`
+	// HTTP3Settings provides HTTP/3 configuration on the listener.
+	// +optional
+	HTTP3Settings *HTTP3Settings `json:"http3Settings,omitempty"`
 }
 
 // Validate the fields within the HTTPListener structure

internal/xds/translator/listener.go

@@ -346,7 +346,7 @@ func buildDownstreamQUICTransportSocket(tlsConfigs []*ir.TLSListenerConfig) (*co
 			CommonTlsContext: &tlsv3.CommonTlsContext{
 				AlpnProtocols: []string{"h3"},
 			},
-			RequireClientCertificate: &wrappers.BoolValue{Value: true},
+			RequireClientCertificate: &wrappers.BoolValue{Value: false},
 		},
 	}
 

internal/xds/translator/testdata/in/xds-ir/http3.yaml

@@ -1,6 +1,7 @@
 http:
 - address: 0.0.0.0
-  enableHTTP3: true
+  http3Settings: 
+    enabled: true
   hostnames:
   - '*'
   isHTTP2: false

internal/xds/translator/testdata/out/xds-ir/http3.endpoints.yaml

@@ -8,4 +8,5 @@
             portValue: 8080
       loadBalancingWeight: 1
     loadBalancingWeight: 1
-    locality: {}
+    locality:
+      region: httproute/default/httproute-1/rule/0/backend/0

internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml

@@ -45,7 +45,7 @@
               sdsConfig:
                 ads: {}
                 resourceApiVersion: V3
-          requireClientCertificate: true
+          requireClientCertificate: false
   name: envoy-gateway/gateway-1/tls-quic
   udpListenerConfig:
     downstreamSocketConfig: {}

internal/xds/translator/translator.go

@@ -125,9 +125,10 @@ func (t *Translator) processHTTPListenerXdsTranslation(
 		// Search for an existing listener, if it does not exist, create one.
 		xdsListener := findXdsListenerByHostPort(tCtx, httpListener.Address, httpListener.Port, corev3.SocketAddress_TCP)
 		var quicXDSListener *listenerv3.Listener
+		enabledHTTP3 := httpListener.HTTP3Settings != nil && httpListener.HTTP3Settings.Enabled 
 		if xdsListener == nil {
 			xdsListener = buildXdsTCPListener(httpListener.Name, httpListener.Address, httpListener.Port, httpListener.TCPKeepalive, accessLog)
-			if httpListener.EnableHTTP3 {
+			if enabledHTTP3 {
 				quicXDSListener = buildXdsQuicListener(httpListener.Name, httpListener.Address, httpListener.Port, accessLog)
 				if err := tCtx.AddXdsResource(resourcev3.ListenerType, quicXDSListener); err != nil {
 					return err
@@ -161,7 +162,7 @@ func (t *Translator) processHTTPListenerXdsTranslation(
 			if err := t.addXdsHTTPFilterChain(xdsListener, httpListener, accessLog, tracing, false); err != nil {
 				return err
 			}
-			if httpListener.EnableHTTP3 {
+			if enabledHTTP3 {
 				if err := t.addXdsHTTPFilterChain(quicXDSListener, httpListener, accessLog, tracing, true); err != nil {
 					return err
 				}
@@ -247,7 +248,7 @@ func (t *Translator) processHTTPListenerXdsTranslation(
 				}
 			}
 
-			if httpListener.EnableHTTP3 {
+			if enabledHTTP3 {
 				http3AltSvcHeader := buildHTTP3AltSvcHeader(int(httpListener.Port))
 				if xdsRoute.ResponseHeadersToAdd == nil {
 					xdsRoute.ResponseHeadersToAdd = make([]*corev3.HeaderValueOption, 0)

site/content/en/latest/api/extension_types.md

@@ -187,7 +187,7 @@ _Appears in:_
 | `targetRef` _[PolicyTargetReferenceWithSectionName](#policytargetreferencewithsectionname)_ | TargetRef is the name of the Gateway resource this policy is being attached to. This Policy and the TargetRef MUST be in the same namespace for this Policy to have effect and be applied to the Gateway. TargetRef |
 | `tcpKeepalive` _[TCPKeepalive](#tcpkeepalive)_ | TcpKeepalive settings associated with the downstream client connection. If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives. Disabled by default. |
 | `enableProxyProtocol` _boolean_ | EnableProxyProtocol interprets the ProxyProtocol header and adds the Client Address into the X-Forwarded-For header. Note Proxy Protocol must be present when this field is set, else the connection is closed. |
-| `enableHTTP3` _boolean_ | EnableHTTP3 enables HTTP/3 support on the listener. Disabled by default. |
+| `http3Settings` _[HTTP3Settings](#http3settings)_ | HTTP3Settings provides HTTP/3 configuration on the listener. |
 
 
 
@@ -833,6 +833,20 @@ _Appears in:_
 | `kind` _string_ |  |
 
 
+#### HTTP3Settings
+
+
+
+
+
+_Appears in:_
+- [ClientTrafficPolicySpec](#clienttrafficpolicyspec)
+
+| Field | Description |
+| --- | --- |
+| `enabled` _boolean_ | Enabled enables HTTP/3 support on the listener. Disabled by default. |
+
+
 #### HeaderMatch