feat(translator): implement backend API

[guydc]

What this PR does / why we need it:
Implements backend API

• Support translation of fqdn, ip and unix endpoints in IR and XDS
• Support H2C upstream application protocol hint
• Support HTTPRoute and EnvoyExtensionPolicy references to Backend
• Extend BackendTLSPolicy translation tests for HTTPRoute and Backend use cases
• Minor refactor of test manifests and translation to increase code reuse

Which issue(s) this PR fixes:
Fixes #2997
Relates to #36

[codecov]

Codecov Report

Attention: Patch coverage is 65.94595% with 126 lines in your changes missing coverage. Please review.

Project coverage is 68.14%. Comparing base (3712659) to head (baf0840).

Files	Patch %	Lines
internal/provider/kubernetes/controller.go	18.18%	38 Missing and 7 partials ⚠️
internal/gatewayapi/validate.go	80.21%	14 Missing and 4 partials ⚠️
internal/gatewayapi/status/backend.go	0.00%	13 Missing ⚠️
internal/provider/kubernetes/predicates.go	0.00%	11 Missing ⚠️
internal/provider/kubernetes/status_updater.go	0.00%	6 Missing ⚠️
internal/gatewayapi/envoyextensionpolicy.go	54.54%	4 Missing and 1 partial ⚠️
internal/ir/xds.go	58.33%	4 Missing and 1 partial ⚠️
internal/provider/kubernetes/helpers.go	0.00%	5 Missing ⚠️
internal/gatewayapi/backend.go	88.23%	2 Missing and 2 partials ⚠️
internal/gatewayapi/ext_service.go	80.00%	2 Missing and 2 partials ⚠️
... and 5 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3495      +/-   ##
==========================================
+ Coverage   68.12%   68.14%   +0.02%     
==========================================
  Files         165      167       +2     
  Lines       20122    20370     +248     
==========================================
+ Hits        13708    13882     +174     
- Misses       5416     5487      +71     
- Partials      998     1001       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[guydc]

/retest

[arkodg]

can we move this out of switch to make it common amongst all backend types ?

[guydc]

The condition is slightly different for Backend vs. the native K8s resources (depending on EndpointRouting toggle) and so is the message. I'll split the validation and status update.

[arkodg]

Suggested change

	"The Backend was accepted Envoy Gateway", time.Now(), be.Generation)
	"The Backend was accepted by Envoy Gateway", time.Now(), be.Generation)

Suggested change

	"The Backend was accepted Envoy Gateway", time.Now(), be.Generation)
	"The Backend was accepted Envoy Gateway", time.Now(), be.Generation)

[arkodg]

do we need the "Envoy Gateway" suffix?

[arkodg]

ObservedGeneration predicate ? we haven't added the ObjectMeta yet so it won't work
the issue I see here is constant reconciling -

• reconcile backend
• translate backend and update status
• translate again (may be stopped by watchable layer which checks for equality)

[arkodg]

gateway/internal/gatewayapi/resource.go

Line 172 in 44330ef

return reflect.DeepEqual(c, y)

[guydc]

Can you elaborate on why TypedGenerationChangedPredicate won't work here?

[arkodg]

nvm it will, took a look at the struct

gateway/api/v1alpha1/backend_types.go

Line 43 in 6f30397

metav1.ObjectMeta `json:"metadata,omitempty"`

and you've added ObjectMeta, so should work, lets add it

[guydc]

/retest

[arkodg]

LGTM thanks for implementing this and making it easier to route to non k8s endpoints !

can we document the remaining items (disallowing localhost , other xRoute backend) as subtasks ?

[guydc]

/retest

[liorokman]

Looking at this carefully again, I think maybe it would make sense to rename the IPv4 field in BackendEndpoint to IP since using IPv6 addresses would probably already just work.

[liorokman]

Even though the field is called "ipv4", I think IPv6 addresses would still work here. netip.ParseAddr has no issue with IPv6 addresses.

[guydc]

This is enforced with CEL at the moment:

gateway/api/v1alpha1/backend_types.go

Line 84 in 7f2038f

// +kubebuilder:validation:Pattern=`^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$`

[liorokman]

Even though the field is called IPv4, there's nothing that really prevents IPv6 addresses from being specified here as far as I can tell.

Consider also rejecting the IPv6 localhost address ? ::1 ?

[liorokman]

Also, localhost on Linux systems is not just 127.0.0.1. It's 127.0.0.1/8, which means that this check is wrong.

The correct way to check this would be to check if the provided address is contained in 127.0.0.0/8, not to string-compare to 127.0.0.1.

[guydc]

yea, good point, we just discussed this in slack. I'll update the validation to comply with the K8s one for EP Slices that checks for the entire range.

[liorokman]

If the intent is to prevent localhost from being the target, in case of an FQDN the better approach would be to try to resolve the hostname and see that it doesn't resolve to the localhost.

[liorokman]

What would happen if somebody were to use an IP in the FQDN field of BackendEndpoint? I think it would just work, except that it would be possible to use 127.0.0.1 or ::1 here.

[guydc]

If the intent is to prevent localhost from being the target, in case of an FQDN the better approach would be to try to resolve the hostname and see that it doesn't resolve to the localhost.

Users can change the DNS record this after the resource is accepted. Then, it becomes a race with the next translation until the config is rejected. So, it's still possible that there's a time window where localhost routing is possible.

We discussed this concern here: #3063 (comment). I'm not sure that there really is a good solution for that. The compromise is to enforce validations equivalent to what K8s allows in EP slices, and make users aware of the risk...

[guydc]

What would happen if somebody were to use an IP in the FQDN field of BackendEndpoint?

There's a CEL validation that will probably reject IPv6 Addresses (as ":" is nto supported). But, IPv4 addresses are actually accepted by this validation. I'll add additional programatic validations.

gateway/api/v1alpha1/backend_types.go

Line 103 in 7f2038f

// +kubebuilder:validation:Pattern=`^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`

[guydc]

/retest

[shawnh2]

a non-blocking comment:

gateway/internal/provider/kubernetes/status_updater.go

Line 196 in eaa685d

func isStatusEqual(objA, objB interface{}) bool {

and

gateway/internal/provider/kubernetes/status_updater.go

Line 311 in eaa685d

func kindOf(obj interface{}) string {

can also need a update.

[guydc]

good catch, thanks, done!

[shawnh2]

need a break here?

[shawnh2]

instead of string, can we return an error here? then we can use error.Error() to retrieve the string of this error later.

[guydc]

IP:

• API Changed from IPv4/IPv6 => IP for future use, as suggested
• IPv6 still not supported and rejected in validation (CEL, Controller).
• Validate that target is not in the entire loopback range, for both xRoute and non-xRoute

FQDN:

• Fix CEL validation to not support wildcards
• Add controller validation that FQDN is not an IP address and has at least two segments, for both xRoute and non-xRoute

[zhaohuabing]

This one is huge :-)

It would be easier to review and quicker to merge if it could be split into multiple PRs.

[zhaohuabing]

This one is huge :-)

It would be easier to review and quicker to merge if it were split into multiple PRs.

I don’t mean this one, as it’s already under review, but in the future, it might be helpful to split large PRs into multiple smaller ones for easier and quicker reviews.

[shawnh2]

why not use the simple if..else for this boolean ?