Merge branch 'main' of github.com:envoyproxy/gateway into skip-policy…

…-target-not-found

.github/workflows/build_and_test.yaml

@@ -12,7 +12,6 @@ on:
     - "release/v*"
     paths-ignore:
     - "**/*.png"
-    - 'site/**'
 
 permissions:
   contents: read

.gitignore

@@ -31,3 +31,6 @@ vendor/
 
 # values.yaml file is generated from its template counterpart.
 charts/gateway-helm/values.yaml
+
+# VIM
+.*.swp

internal/cmd/egctl/translate.go

@@ -27,6 +27,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/util/sets"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 
@@ -849,21 +850,19 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*gatewayap
 			if provided, found := providedServiceMap[key]; !found {
 				resources.Services = append(resources.Services, service)
 			} else {
-				providedPorts := map[string]bool{}
+				providedPorts := sets.NewString()
 				for _, port := range provided.Spec.Ports {
-					providedPorts[fmt.Sprintf("%s-%d", port.Protocol, port.Port)] = true
+					portKey := fmt.Sprintf("%s-%d", port.Protocol, port.Port)
+					providedPorts.Insert(portKey)
 				}
 
 				for _, port := range service.Spec.Ports {
-					protocol := port.Protocol
-					port := port.Port
-					name := fmt.Sprintf("%s-%d", protocol, port)
-
-					if _, found := providedPorts[name]; !found {
+					name := fmt.Sprintf("%s-%d", port.Protocol, port.Port)
+					if !providedPorts.Has(name) {
 						servicePort := v1.ServicePort{
 							Name:     name,
-							Protocol: protocol,
-							Port:     port,
+							Protocol: port.Protocol,
+							Port:     port.Port,
 						}
 						provided.Spec.Ports = append(provided.Spec.Ports, servicePort)
 					}

internal/gatewayapi/backendtlspolicy.go

@@ -6,6 +6,7 @@
 package gatewayapi
 
 import (
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/gateway-api/apis/v1alpha2"
 )
 
@@ -25,7 +26,7 @@ func (t *Translator) ProcessBackendTLSPoliciesAncestorRef(backendTLSPolicies []*
 					gw := gwContext.Gateway
 					if gw.Name == string(status.AncestorRef.Name) && gw.Namespace == NamespaceDerefOrAlpha(status.AncestorRef.Namespace, "default") {
 						for _, lis := range gw.Spec.Listeners {
-							if lis.Name == *status.AncestorRef.SectionName {
+							if lis.Name == ptr.Deref(status.AncestorRef.SectionName, "") {
 								exist = true
 							}
 						}

internal/gatewayapi/backendtrafficpolicy.go

@@ -809,14 +809,15 @@ func (t *Translator) buildHTTPActiveHealthChecker(h *egv1a1.HTTPActiveHealthChec
 		*irHTTP.Method = strings.ToUpper(*irHTTP.Method)
 	}
 
-	var irStatuses []ir.HTTPStatus
 	// deduplicate http statuses
-	statusSet := make(map[egv1a1.HTTPStatus]bool, len(h.ExpectedStatuses))
+	statusSet := sets.NewInt()
 	for _, r := range h.ExpectedStatuses {
-		if _, ok := statusSet[r]; !ok {
-			statusSet[r] = true
-			irStatuses = append(irStatuses, ir.HTTPStatus(r))
-		}
+		statusSet.Insert(int(r))
+	}
+	irStatuses := make([]ir.HTTPStatus, 0, statusSet.Len())
+
+	for _, r := range statusSet.List() {
+		irStatuses = append(irStatuses, ir.HTTPStatus(r))
 	}
 	irHTTP.ExpectedStatuses = irStatuses
 
@@ -1142,27 +1143,27 @@ func (t *Translator) buildRetry(policy *egv1a1.BackendTrafficPolicy) *ir.Retry {
 }
 
 func makeIrStatusSet(in []egv1a1.HTTPStatus) []ir.HTTPStatus {
-	var irStatuses []ir.HTTPStatus
-	// deduplicate http statuses
-	statusSet := make(map[egv1a1.HTTPStatus]bool, len(in))
+	statusSet := sets.NewInt()
 	for _, r := range in {
-		if _, ok := statusSet[r]; !ok {
-			statusSet[r] = true
-			irStatuses = append(irStatuses, ir.HTTPStatus(r))
-		}
+		statusSet.Insert(int(r))
+	}
+	irStatuses := make([]ir.HTTPStatus, 0, statusSet.Len())
+
+	for _, r := range statusSet.List() {
+		irStatuses = append(irStatuses, ir.HTTPStatus(r))
 	}
 	return irStatuses
 }
 
 func makeIrTriggerSet(in []egv1a1.TriggerEnum) []ir.TriggerEnum {
-	var irTriggers []ir.TriggerEnum
-	// deduplicate http statuses
-	triggerSet := make(map[egv1a1.TriggerEnum]bool, len(in))
+	triggerSet := sets.NewString()
 	for _, r := range in {
-		if _, ok := triggerSet[r]; !ok {
-			triggerSet[r] = true
-			irTriggers = append(irTriggers, ir.TriggerEnum(r))
-		}
+		triggerSet.Insert(string(r))
+	}
+	irTriggers := make([]ir.TriggerEnum, 0, triggerSet.Len())
+
+	for _, r := range triggerSet.List() {
+		irTriggers = append(irTriggers, ir.TriggerEnum(r))
 	}
 	return irTriggers
 }

internal/gatewayapi/backendtrafficpolicy_test.go

@@ -7,9 +7,13 @@ package gatewayapi
 
 import (
 	"math"
+	"reflect"
 	"testing"
 
 	"github.com/stretchr/testify/require"
+
+	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
+	"github.com/envoyproxy/gateway/internal/ir"
 )
 
 func TestInt64ToUint32(t *testing.T) {
@@ -50,3 +54,57 @@ func TestInt64ToUint32(t *testing.T) {
 		})
 	}
 }
+
+func TestMakeIrStatusSet(t *testing.T) {
+	tests := []struct {
+		name string
+		in   []egv1a1.HTTPStatus
+		want []ir.HTTPStatus
+	}{
+		{
+			name: "no duplicates",
+			in:   []egv1a1.HTTPStatus{200, 404},
+			want: []ir.HTTPStatus{200, 404},
+		},
+		{
+			name: "with duplicates",
+			in:   []egv1a1.HTTPStatus{200, 404, 200},
+			want: []ir.HTTPStatus{200, 404},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := makeIrStatusSet(tt.in); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("makeIrStatusSet() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestMakeIrTriggerSet(t *testing.T) {
+	tests := []struct {
+		name string
+		in   []egv1a1.TriggerEnum
+		want []ir.TriggerEnum
+	}{
+		{
+			name: "no duplicates",
+			in:   []egv1a1.TriggerEnum{"5xx", "reset"},
+			want: []ir.TriggerEnum{"5xx", "reset"},
+		},
+		{
+			name: "with duplicates",
+			in:   []egv1a1.TriggerEnum{"5xx", "reset", "5xx"},
+			want: []ir.TriggerEnum{"5xx", "reset"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := makeIrTriggerSet(tt.in); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("makeIrTriggerSet() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

internal/gatewayapi/route.go

@@ -1382,7 +1382,13 @@ func getBackendTLSBundle(policies []*gwapiv1a1.BackendTLSPolicy, configmaps []*c
 		return nil, nil
 	}
 
-	tlsBundle := &ir.TLSUpstreamConfig{}
+	tlsBundle := &ir.TLSUpstreamConfig{
+		SNI:                 string(backendTLSPolicy.Spec.TLS.Hostname),
+		UseSystemTrustStore: ptr.Deref(backendTLSPolicy.Spec.TLS.WellKnownCACerts, "") == gwapiv1a1.WellKnownCACertSystem,
+	}
+	if tlsBundle.UseSystemTrustStore {
+		return tlsBundle, nil
+	}
 
 	caRefMap := make(map[string]string)
 
@@ -1408,12 +1414,10 @@ func getBackendTLSBundle(policies []*gwapiv1a1.BackendTLSPolicy, configmaps []*c
 	if ca == "" {
 		return nil, fmt.Errorf("no ca found in referred configmaps")
 	}
-
-	tlsBundle.CACertificate.Certificate = []byte(ca)
-
-	tlsBundle.CACertificate.Name = fmt.Sprintf("%s/%s-ca", backendTLSPolicy.Name, backendTLSPolicy.Namespace)
-
-	tlsBundle.SNI = string(backendTLSPolicy.Spec.TLS.Hostname)
+	tlsBundle.CACertificate = &ir.TLSCACertificate{
+		Certificate: []byte(ca),
+		Name:        fmt.Sprintf("%s/%s-ca", backendTLSPolicy.Name, backendTLSPolicy.Namespace),
+	}
 
 	return tlsBundle, nil
 }

internal/gatewayapi/runner/runner.go

@@ -10,6 +10,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
 	v1 "sigs.k8s.io/gateway-api/apis/v1"
 
 	"github.com/envoyproxy/gateway/api/v1alpha1"
@@ -356,23 +357,10 @@ func (r *Runner) deleteAllStatusKeys() {
 // based on the difference between the current keys and the
 // new keys parameters passed to the function.
 func getIRKeysToDelete(curKeys, newKeys []string) []string {
-	var delKeys []string
-	remaining := make(map[string]bool)
+	curSet := sets.NewString(curKeys...)
+	newSet := sets.NewString(newKeys...)
 
-	// Add all current keys to the remaining map
-	for _, key := range curKeys {
-		remaining[key] = true
-	}
-
-	// Delete newKeys from the remaining map
-	// to get keys that need to be deleted
-	for _, key := range newKeys {
-		delete(remaining, key)
-	}
-
-	for key := range remaining {
-		delKeys = append(delKeys, key)
-	}
+	delSet := curSet.Difference(newSet)
 
-	return delKeys
+	return delSet.List()
 }

internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml

@@ -155,10 +155,10 @@ xdsIR:
               port: 8080
             protocol: HTTP
             tls:
-              CACertificate:
+              caCertificate:
                 certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
                 name: policy-btls/policies-ca
-              SNI: example.com
+              sni: example.com
             weight: 1
         hostname: '*'
         isHTTP2: false

internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml

@@ -154,10 +154,10 @@ xdsIR:
               port: 8080
             protocol: HTTP
             tls:
-              CACertificate:
+              caCertificate:
                 certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
                 name: policy-btls/default-ca
-              SNI: example.com
+              sni: example.com
             weight: 1
         hostname: '*'
         isHTTP2: false