Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix attached routes confromance test #2548

Merged
merged 1 commit into from
Nov 2, 2023

Conversation

frankbu
Copy link
Contributor

@frankbu frankbu commented Oct 31, 2023

What type of PR is this?

/kind bug
/area conformance

What this PR does / why we need it:

The spec does not say that a route with invalid backendRef and/or a parentRef to a gateway that is not "Programmed" should have the "Accepted" condition set to "False" (i.e., there is no corresponding route condition reason). All the spec is clear about is that the "ResolvedRefs" condition should be "False".

So, the conformance test should only be checking for the latter, not both conditions.

Which issue(s) this PR fixes:

Fixes #

Does this PR introduce a user-facing change?:

Fixed GatewayWithAttachedRoutes conformance test to not check that the HTTPRoute status includes an "Accepted: False" condition because this is not required by the specification.

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. area/conformance do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Oct 31, 2023
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Oct 31, 2023
Copy link
Contributor

@michaelbeaumont michaelbeaumont left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ran into this as well, I think we can be explicit in the spec that Accepted is unrelated to both the parent listener's status and the ResolvedRefs condition.

Copy link
Member

@sunjayBhatia sunjayBhatia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as pointed out here, looks like this test sets up an HTTPRoute with a nonexistent backend and the assertions made on its status conflict with an existing test: https://github.com/kubernetes-sigs/gateway-api/pull/2535/files#r1378444675

Regarding this particular HTTPRoute we can:

IMO for completeness we should keep the invalid HTTPRoute and also ensure that the Gateway in this test counts a fully valid HTTPRoute as being attached

Copy link
Contributor

@arkodg arkodg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there's nothing the spec defining this, so shouldnt be enforced in the conformance test.
Envoy Gateway defines its own reason for this case NoReadyListeners

      - lastTransitionTime: "2023-10-27T01:38:14Z"
        message: There are no ready listeners for this parent ref
        observedGeneration: 1
        reason: NoReadyListeners
        status: "False"
        type: Accepted
      - lastTransitionTime: "2023-10-27T01:38:14Z"

it might make sense to add a similar reason upstream to improve debuggability for the end user

The listener is not ready in this case because the cert is invalid

      - lastTransitionTime: "2023-10-27T01:38:14Z"
        message: Secret gateway-conformance-infra/does-not-exist does not exist.
        observedGeneration: 2
        reason: InvalidCertificateRef
        status: "False"
        type: ResolvedRefs
      - lastTransitionTime: "2023-10-27T01:38:14Z"
        message: Listener is invalid, see other Conditions for details.
        observedGeneration: 2
        reason: Invalid
        status: "False"
        type: Programmed

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: arkodg, frankbu, michaelbeaumont

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 1, 2023
@sunjayBhatia
Copy link
Member

there's nothing the spec defining this, so shouldnt be enforced in the conformance test. Envoy Gateway defines its own reason for this case NoReadyListeners

yeah, the Accepted condition documentation is pretty light:

// This condition indicates whether the route has been accepted or rejected
// by a Gateway, and why.

I tend to think of the Accepted condition here for routes with the context from how the Gateway/Listener version is documented in mind:

// This condition indicates that the listener is syntactically and
// semantically valid, and that all features used in the listener's spec are
// supported.

particularly the idea that the resource is syntactically and semantically valid means to me it should be Accepted=True but possibly Programmed=False due to the fact that the parent Listener has an invalid Secret

/cc @youngnick

since this is a bit more about ambiguity on the Accepted Condition

@sunjayBhatia
Copy link
Member

regardless, this test is testing the AttachedRoutes count and the assertion on the HTTPRoute status is a secondary one basically to establish the test scenario/invariant

this change reduces some of the strength of the invariant assertions, but that seems ok, ultimately we want to make sure the AttachedRoutes count is correct

I still think we should also add and account for a fully valid HTTPRoute being attached to this "invalid" Gateway Listener for completeness

@frankbu
Copy link
Contributor Author

frankbu commented Nov 1, 2023

I still think we should also add and account for a fully valid HTTPRoute being attached to this "invalid" Gateway Listener for completeness

That sounds reasonable but only AFTER we clarify the expectations of accepted. Right now, the test shows that as far as the Gateway is concerned, the route with a valid parentRef gets attached to an invalid gateway, even if the route is also invalid. The only thing that might change if the route is valid is the accepted condition on the route, but the test is currently punting on checking accepted completely, since it isn't clear from the spec what it should be in the broken backendRef case.

@youngnick
Copy link
Contributor

I think that this PR is good for now - we do need to further clarify what Accepted means though, and this probably means releasing a 1.0.1, sigh.

@sunjayBhatia
Copy link
Member

I still think we should also add and account for a fully valid HTTPRoute being attached to this "invalid" Gateway Listener for completeness

That sounds reasonable but only AFTER we clarify the expectations of accepted. Right now, the test shows that as far as the Gateway is concerned, the route with a valid parentRef gets attached to an invalid gateway, even if the route is also invalid. The only thing that might change if the route is valid is the accepted condition on the route, but the test is currently punting on checking accepted completely, since it isn't clear from the spec what it should be in the broken backendRef case.

just to get rid of any ambiguity then, maybe it is best to make the HTTPRoute in this test a fully valid one, and we can cover the case where an HTTPRoute is still counted when invalid once that spec clarification happens

@frankbu
Copy link
Contributor Author

frankbu commented Nov 1, 2023

just to get rid of any ambiguity then, maybe it is best to make the HTTPRoute in this test a fully valid one, and we can cover the case where an HTTPRoute is still counted when invalid once that spec clarification happens

Personally, I would leave the test as is for now. It very clearly shows that an invalid route attached to an invalid gateway counts as an attached route, which the spec is very clear about: Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set for Listeners with condition Accepted: false and MUST count successfully attached Routes that may themselves have Accepted: false conditions.

Given the invalid -> invalid example, it's more obvious that a valid route -> invalid gateway would then also count. If we start by showing valid -> invalid works, I would say it is more ambiguous about what happens if the route is also invalid. As you said in your earlier comment this test is about attachedRoutes, the Accepted condition on the route (true or false) is a secondary concern, which I think the conformance test can more thoroughly check in the future, when we agree on the details.

@arkodg
Copy link
Contributor

arkodg commented Nov 2, 2023

/lgtm
Will raise a follow up issue to track a better definition for the Route accepted status

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 2, 2023
@arkodg
Copy link
Contributor

arkodg commented Nov 2, 2023

@frankbu can you add a Release Note in the PR Description ?

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Nov 2, 2023
@k8s-ci-robot k8s-ci-robot merged commit 51c32c3 into kubernetes-sigs:main Nov 2, 2023
3 checks passed
@robscott
Copy link
Member

robscott commented Nov 2, 2023

/cherry-pick release-1.0

@k8s-infra-cherrypick-robot
Copy link
Contributor

@robscott: new pull request created: #2562

In response to this:

/cherry-pick release-1.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@frankbu frankbu deleted the attached-routes branch November 10, 2023 22:03
jenshu pushed a commit to k8sgateway/k8sgateway that referenced this pull request Jan 18, 2024
soloio-bulldozer bot added a commit to k8sgateway/k8sgateway that referenced this pull request Feb 1, 2024
* Sketch controller (#45)

* controller sketch

* controllers

* helper functions, indexers

* maincompile

* main

* wip

* query

* gen-cli

* query secrets

* example-code

* git mv edge2/ gateway2

* cleanup

* cleanup2

* cleanup3

* Improve CI for gateway-main (#46)

* rename .github to disable github actions

* change cloudbuild.yaml to prevent build-bot running

* change query to have object in the args (#47)

* change query to have object in the args

To confirm that we use the right "from" field, ask for the whole object in the query args, and not just the ns

* use obj and infer gk

* fix comment

comments are bad

* singular

* some tests for query (#49)

* some tests for query

* more tests and pr comments

* more tests and fixes

* mroe test

* build + docker +helm + comformance (#51)

* ability to deploy to kind so we can run conformance

not yet working

* helming around, accepting status for gw class

* set observed generation on condition

* don't create gw for conformance test

* minor changes

* cleanup

* separate cp and dp

* cleanup

* allow more than one ports

* pr comments

* controlPlane.enabled

* fix makefile

* Gw main/ listener translation (#61)

* solo gw stubs

* wip: translator

* wip: http gwv2 translation

* wip: listener tx complete, ready for vhost + validation

* merge http filter chain

* finish core listener tx; stub vhost tx

* remove unused

* Auto provision gateway resources (#62)

* initial code to create GW

* auto provision by default
add ports to deployer

* fixes and some PR comments

* fix event filtering

* write addresses to gw; need to add tests

* only reconcile gw when generation changes

* support provisioning with different releases

* try approach 2 for statues

* env test for status setting

* pr comments

* update to v1 (#63)

* fix gw route query to make sure the http routes match (#64)

* fix gw route query to make sure the http routes match

* add and pass ci

* more ci

* make in g2 dir

* naming

* naming

* xds syncer (#60)

Co-authored-by: Eitan Yarmush <[email protected]>

* Initial validate (#67)

* solo gw stubs

* wip: translator

* wip: http gwv2 translation

* wip: listener tx complete, ready for vhost + validation

* merge http filter chain

* wip: initial impl of GW/Listener validation

* wip: working sketch of reporter; passing tests

* wip: begin testing for conditions

* simplify condition type on reporter

* add status checks to tests

* move listener validation back to listener package

* add gateway structure to report impl

* use ListenerStatus api type

* add support for allowedRoutes

* cleaup

* add tests for explicit allowedRoutes

* cleanup and reorg

* correctly track invalid listeners & routes

* more cleanup

* todo

---------

Co-authored-by: Scott Weiss <[email protected]>

* Gw main/translation httproute (#65)

* solo gw stubs

* wip: translator

* wip: http gwv2 translation

* wip: listener tx complete, ready for vhost + validation

* merge http filter chain

* finish core listener tx; stub vhost tx

* remove unused

* wip: route translator

* http route translator, fixes for http listener

* clean up todos

* Stub Out Endpoints and Upstream Discovery (#59)

* Add simple uds transslator

* goimports -w .

* format plugin

* update kube plugin to export a function that our new discvoery can rely on

* add stubs for translator for discovery

* add placeholder for legacy impl

* formatting

* simplify code

* add changelog

* query part 2 (#66)

* query part 2

* add parentref

* add conditions

* compile fix

* compile fix after merge

* simple secrets reconciler (#68)

* first pass route validation, handle nil hostnames on listeners (#70)

* create ListenerCondition type

* fix unnecessary guard on map access (go-static)

* add initial route validation

* handle empty/nil hostnames on listeners

* Gw main/translation yaml test (#72)

* testing and fixes for http translation

* get test passing

* nit

* fix import cycle, gofmt

* remove workaround

* add a server to tie everything together (#71)

* add a server to tie everything together

* more wiring

* enabled devmode

* de-pike

* Eitanya/single translation (#74)

* single translation spot

* compiles and runs

* fix compile issue in tests

* Eitanya/route sorting (#75)

* initial route-sorting

* tests are passing

* update golden

* swapped it all to use the httpRoute and idx as fallbacks

* also check NS/NAME

* oops

* move sortable to separate package

* initial sync status (#78)

* first drop working listener status

* handle gateway top-level conditions

* make xds work (#77)

* make xds work
main bug is there were 2 caches

* use envoy-gloo; use unprivileged port

* use rc2 for conformance to work

* pr comments

* tidy

* add no conflicts to healthy listeners (#79)

* add no conflicts to healthy listeners

* add resolvedrefs to healthy listeners

* add per-conditionType logic for missing conditions

* ssl termination (#76)

* ssl termination

* add ssl secret validation

* add ssl secret validation

* Eitanya/check v2 (#73)

* gateway checking is done

* compiles

* route status code

* with v1 changes

* a couple more changes

* remove ingress/knative

* also apply CRDs with glooctl

* pike

* install/uninstall work

* oops

* fix conditions for Gateway Class

* change back protocol on svc

* removed default gateway from the chart

* default to LB

* oops

* fix env tests with svc status hack due to LB

* naming

* use index func logic

* check for existence of the CRDs

* upped template to v1, changed logic to be more permissinve

* gatewayName

* simple version of port translation (#83)

* Sync route status (#82)

* init route report

* cleanup

* switch to per-parentRef reporting on routes

* report on route-parent relationship errors

* sync route status

* cleanup

* don't checkout gw repo for tests (#84)

* don't checkout gw repo for tests

* add conformance build tag; simplify kind

* fmt

* rename helm-chart (#80)

* rename helm-chart

* rename folder

* change dir name

* updated values/versions

* add labels so that glooctl version works

* make new commands more flexible

* file for CRDs, add programmed condition

* bad comment

* change version to alpha1 instead

* comments

* rename the gateway class name

* use standar

* use relative dir

* attached routes (#87)

* Fixes statuses temporarily (#88)

* re-add glooctl proxy commands

* various status fixes

* report tls errors on listeners (#86)

* report tls errors on listeners

* check specific errors on cert validation

* fix make (#89)

* more ci (#90)

* dont pre-check secret ref (#91)

* first translator plugin: header modifier (#85)

* implement plugin arch, w/ header modifier

* fix compile

* fix test

* redirect plugin

* add plugin

* add unit tests

* whoops

* rename compoenents to official naming scheme (#92)

* rename compoenents to official naming scheme

* fix unit tests

---------

Co-authored-by: Yuval Kohavi <[email protected]>

* make conformance-GatewayWithAttachedRoutes passing (#93)

* make conformance-GatewayWithAttachedRoutes passing

* set status for listener with meta

* fix reason

* update to ghcr (#94)

* set gwNs for ML and reverse cert/key for TLS validation (#96)

* Revert "rename compoenents to official naming scheme (#92)" (#97)

This reverts commit b79b0e2.

* fix header order and match type (#102)

* support all hostnames (#98)

* i think this was a bad merge (#99)

* i think this was a bad merge

* fix test

* fix conformance-HTTPRouteInvalidNonExistentBackendRef (#100)

* listeners with more than one port are working now (#101)

* add unknown kind error if kind not in scheme (#103)

Co-authored-by: Lawrence G <[email protected]>

* gw semantics (#104)

* fix edge case (#106)

* fix empty backedRef with filters (#107)

* testing release on tag (#105)

* update release-1.0.0 (that includes kubernetes-sigs/gateway-api#2548) (#108)

* version fixes (#109)

* release glooctl

* oops

* Makefile

* no windows

* add https redirect hopefully

* url rewrite basic

* fix redirect and run conformnce

* add more conformance tests

* upload SHA

* use proper rewrite

* change regex

* works

* fix Makefile phony targets

* Gloo Gateway v2 readme (#8866)

* Gloo Gateway v2 readme

* added quickstart instructions

* added notes

* Update README.md

* some fixes

* Add files via upload

* Update README.md

* Update README.md

* fixed the ordering and added local HTTPBIN

* switched to local file

* Update README.md

---------

Co-authored-by: Eitan Yarmush <[email protected]>

* make README even simpler

* Logo and description update (#8872)

* Add files via upload

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* remove old flags from glooctl (#8871)

* Logo update (#8878)

* Add files via upload

* Add files via upload

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Revert to proxy ir (#8945)

* Adding quickstart for Helm (#8884)

* Adding quickstart for Helm

* Update README.md

* add logs

patch modified off PR (#8886) as we no longer want the native translation
updates.

Co-authored-by: Eitan Yarmush <[email protected]>
Co-authored-by: Lawrence Gadban <[email protected]>

* fix no match (#8879)

* Add Request Mirror Gateway API Filter (#8890)

Updated for Gloo Edge Proxy IR

---------

Co-authored-by: Yuval Kohavi <[email protected]>

* add logs from previous PR #8892

* first drop of status cleanup (#8889)

* use types.NN for GatewayReports

* consolidate report creation

* reduce visibility of GatewayReport fields

* extract status building from syncer

* more narrowing viz, add Getters, first unit test for status building

* factor out condition boilerplate, more tests

* fix missed compile issue in translator tests

* add basic test for LastTransitionTime

* better testing

* cleanup

* Update projects/gateway2/reports/status.go

Co-authored-by: Eitan Yarmush <[email protected]>

* consolidate reporting components

---------

Co-authored-by: Eitan Yarmush <[email protected]>
Co-authored-by: Yuval Kohavi <[email protected]>

* add label helper to helm templates

extracted from previous PR: make go test ./... work again (#8907)
above PR also fixed the CLI tests (e.g. glooctl check) to work with
GGv2. TODO has been added to add this back in later, but did not want to
take this on as the existing patches remove the v1 tests.

* refactor route status

cherry-pick of refactor route status (#8912)

* add missed conformance args from orig. PR (#8890)

* kick ci

---------

Co-authored-by: Nadine Spies <[email protected]>
Co-authored-by: Yuval Kohavi <[email protected]>
Co-authored-by: Eitan Yarmush <[email protected]>

* add RoutePlugins (#9021)

* wip: working RouteOptions as ExtensionRef

* add new format for extensionplugins

* extract extensionplugins to a discrete registry

* review feedback

* cleaup

* cleanup

* condense filter/plugin apply

* move routeoptions extension plugin to correct package structure

* cleanup

* introduce RoutePlugins with the impl for HTTPFilterPlugins

* remove extensionRef for now

* package structure re-org

* remove RouteOptions work for now

* localize httpfilterpluginregistry

* convert filterplugins to RoutePlugins

* generalize PluginRegistry (#9025)

* generalize PluginRegistry

* commentary

* add compile-time type assertions for plugins

* update name of RoutePlugin method

* use full type definition for base plugin interface

* track generation at report time (#8996)

* cleanup

* track generation at report time

* use common buildRoutesPerHost() for http & https

* enforce reports must be initialized for translated object

* handle missing reports gracefully

* commentary

* chore: reduce plugins visibility

* add RouteOption route plugin (#9040)

* add RouteOption route plugin

* cleanup

* commentary

* graceful & correct error handling

* reenable gh workflows

* add back some files

* remove changelogs

* revert changelogs

* remove changelogs for now

* add back cli stuff

* add back deleted stuff

* fix lint errors

* add back ingress

* docs gen

* v1 vs v2

* skip gateway2 for now

* fix?

* try reverting

* remove cl

* add back portredirect

* only set port redirect if not 0

* merge from main

* add translation mode

* more descriptive

* use new flag

* add field to test proxy

* remove new field from Proxy

* use label

* remove cl

* delete file

* add labels to test

* revert changelogs

* try again

* fix changelogs

* Adding changelog file to new location

* Deleting changelog file from old location

* codegen

* add back knative delete func

* change port_redirect to UInt32Value

* Adding changelog file to new location

* Deleting changelog file from old location

* some cleanup

* use context

* Update README.md

---------

Co-authored-by: Yuval Kohavi <[email protected]>
Co-authored-by: Sam Heilbron <[email protected]>
Co-authored-by: ilackarms <[email protected]>
Co-authored-by: Eitan Yarmush <[email protected]>
Co-authored-by: Lawrence G <[email protected]>
Co-authored-by: Nadine Spies <[email protected]>
Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com>
Co-authored-by: changelog-bot <changelog-bot>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/conformance cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants