From 9d49777defa9024b28de1e975284a444effa29bd Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Mon, 16 Oct 2023 18:08:33 -0700 Subject: [PATCH] Refactor IR creation for TLSRoute Takes forward PR https://github.com/envoyproxy/gateway/pull/1798 Fixes: https://github.com/envoyproxy/gateway/issues/1635 
Signed-off-by: Arko Dasgupta --- .../translate/out/default-resources.all.yaml | 63 ++-------- .../out/from-gateway-api-to-xds.all.json | 93 ++------------ .../out/from-gateway-api-to-xds.all.yaml | 63 ++-------- .../out/from-gateway-api-to-xds.cluster.yaml | 8 +- .../out/from-gateway-api-to-xds.endpoint.yaml | 8 +- .../out/from-gateway-api-to-xds.listener.yaml | 47 +------ internal/gatewayapi/clienttrafficpolicy.go | 2 +- internal/gatewayapi/helpers.go | 14 +-- internal/gatewayapi/listener.go | 11 +- internal/gatewayapi/route.go | 60 +++++---- ...ndtrafficpolicy-status-conditions.out.yaml | 4 + ...nttrafficpolicy-status-conditions.out.yaml | 4 + ...way-with-addresses-with-ipaddress.out.yaml | 4 + ...route-with-mismatch-port-protocol.out.yaml | 4 + ...h-tcproute-with-multiple-backends.out.yaml | 4 + ...with-tcproute-with-multiple-rules.out.yaml | 4 + ...ith-tls-terminate-and-passthrough.out.yaml | 28 +++-- ...-listener-with-unmatched-tcproute.out.yaml | 4 + ...-listener-with-multiple-tcproutes.out.yaml | 22 ++-- ...listeners-on-same-tcp-or-tls-port.out.yaml | 22 ++-- ...-with-same-port-http-tcp-protocol.out.yaml | 22 ++-- ...s-with-tcproutes-with-sectionname.out.yaml | 44 ++++--- ...ith-tcproutes-without-sectionname.out.yaml | 44 ++++--- .../securitypolicy-status-conditions.out.yaml | 4 + ...teway-with-listener-tls-terminate.out.yaml | 30 ++--- .../tlsroute-attaching-to-gateway.out.yaml | 28 +++-- .../testdata/tlsroute-multiple.out.yaml | 56 ++++----- ...her-namespace-allowed-by-refgrant.out.yaml | 28 +++-- .../tlsroute-with-empty-hostname.out.yaml | 28 +++-- ...oute-with-empty-listener-hostname.out.yaml | 28 +++-- internal/ir/xds.go | 35 +++++- internal/ir/xds_test.go | 115 +++++++++++------- internal/ir/zz_generated.deepcopy.go | 42 +++++-- internal/xds/translator/listener.go | 14 +-- .../xds-ir/multiple-listeners-same-port.yaml | 44 ++++--- .../multiple-simple-tcp-route-same-port.yaml | 98 ++++++++------- .../testdata/in/xds-ir/tcp-route-complex.yaml | 32 ++--- 
.../in/xds-ir/tcp-route-invalid-endpoint.yaml | 18 +-- .../testdata/in/xds-ir/tcp-route-invalid.yaml | 20 +-- .../testdata/in/xds-ir/tcp-route-simple.yaml | 20 +-- .../in/xds-ir/tcp-route-tls-terminate.yaml | 30 ++--- .../in/xds-ir/tcp-route-weighted-backend.yaml | 54 ++++---- .../in/xds-ir/tls-route-passthrough.yaml | 28 +++-- .../listener-tcp-keepalive.clusters.yaml | 28 ----- .../listener-tcp-keepalive.endpoints.yaml | 24 ---- .../listener-tcp-keepalive.listeners.yaml | 21 ---- ...ultiple-listeners-same-port.listeners.yaml | 18 --- ...-simple-tcp-route-same-port.endpoints.yaml | 2 +- ...-simple-tcp-route-same-port.listeners.yaml | 33 +---- .../xds-ir/tcp-route-complex.listeners.yaml | 18 +-- .../xds-ir/tcp-route-simple.listeners.yaml | 9 +- .../tcp-route-tls-terminate.listeners.yaml | 2 +- .../tcp-route-weighted-backend.listeners.yaml | 18 +-- .../tls-route-passthrough.listeners.yaml | 16 +-- internal/xds/translator/translator.go | 40 +++--- 55 files changed, 679 insertions(+), 881 deletions(-) diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 83d2c82e6d88..016ea0f8bd91 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -616,7 +616,7 @@ xds: region: grpcroute/default/backend/rule/0/backend/0 - endpointConfig: '@type': type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment - clusterName: tlsroute/default/backend/rule/-1 + clusterName: tcproute/default/backend/rule/-1 endpoints: - lbEndpoints: - endpoint: 
@@ -627,10 +627,10 @@ xds: loadBalancingWeight: 1 loadBalancingWeight: 1 locality: - region: tlsroute/default/backend/rule/-1/backend/0 + region: tcproute/default/backend/rule/-1/backend/0 - endpointConfig: '@type': type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment - clusterName: tcproute/default/backend/rule/-1 + clusterName: tlsroute/default/backend/rule/-1 endpoints: - lbEndpoints: - endpoint: @@ -641,7 +641,7 @@ xds: loadBalancingWeight: 1 loadBalancingWeight: 1 locality: - region: tcproute/default/backend/rule/-1/backend/0 + region: tlsroute/default/backend/rule/-1/backend/0 - endpointConfig: '@type': type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment clusterName: udproute/default/backend/rule/-1 @@ -705,9 +705,9 @@ xds: edsConfig: ads: {} resourceApiVersion: V3 - serviceName: tlsroute/default/backend/rule/-1 + serviceName: tcproute/default/backend/rule/-1 lbPolicy: LEAST_REQUEST - name: tlsroute/default/backend/rule/-1 + name: tcproute/default/backend/rule/-1 outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS @@ -721,9 +721,9 @@ xds: edsConfig: ads: {} resourceApiVersion: V3 - serviceName: tcproute/default/backend/rule/-1 + serviceName: tlsroute/default/backend/rule/-1 lbPolicy: LEAST_REQUEST - name: tcproute/default/backend/rule/-1 + name: tlsroute/default/backend/rule/-1 outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS 
@@ -886,31 +886,8 @@ xds: address: socketAddress: address: 0.0.0.0 - portValue: 8443 - filterChains: - - filterChainMatch: - serverNames: - - foo.com - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - accessLog: - - name: envoy.access_loggers.file - typedConfig: - '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog - logFormat: - textFormatSource: - inlineString: | - {"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} - path: /dev/stdout - cluster: tlsroute/default/backend/rule/-1 - statPrefix: passthrough - listenerFilters: - - name: envoy.filters.listener.tls_inspector - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector - name: default/eg/tls-passthrough/backend + portValue: 1234 + name: default/eg/tcp perConnectionBufferLimitBytes: 32768 - activeState: listener: 
@@ -931,24 +908,8 @@ xds: address: socketAddress: address: 0.0.0.0 - portValue: 1234 - filterChains: - - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - accessLog: - - name: envoy.access_loggers.file - typedConfig: - '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog - logFormat: - textFormatSource: - inlineString: | - {"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} - path: /dev/stdout - cluster: tcproute/default/backend/rule/-1 - statPrefix: tcp - name: default/eg/tcp/backend + portValue: 8443 + name: default/eg/tls-passthrough perConnectionBufferLimitBytes: 32768 - activeState: listener: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 1e461964bbf8..9f43d637e29d 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json 
+++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -272,7 +272,7 @@ { "endpointConfig": { "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", - "clusterName": "tlsroute/default/backend/rule/-1", + "clusterName": "tcproute/default/backend/rule/-1", "endpoints": [ { "lbEndpoints": [ @@ -290,7 +290,7 @@ ], "loadBalancingWeight": 1, "locality": { - "region": "tlsroute/default/backend/rule/-1/backend/0" + "region": "tcproute/default/backend/rule/-1/backend/0" } } ] @@ -299,7 +299,7 @@ { "endpointConfig": { "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", - "clusterName": "tcproute/default/backend/rule/-1", + "clusterName": "tlsroute/default/backend/rule/-1", "endpoints": [ { "lbEndpoints": [ @@ -317,7 +317,7 @@ ], "loadBalancingWeight": 1, "locality": { - "region": "tcproute/default/backend/rule/-1/backend/0" + "region": "tlsroute/default/backend/rule/-1/backend/0" } } ] @@ -420,10 +420,10 @@ "ads": {}, "resourceApiVersion": "V3" }, - "serviceName": "tlsroute/default/backend/rule/-1" + "serviceName": "tcproute/default/backend/rule/-1" }, "lbPolicy": "LEAST_REQUEST", - "name": "tlsroute/default/backend/rule/-1", + "name": "tcproute/default/backend/rule/-1", "outlierDetection": {}, "perConnectionBufferLimitBytes": 32768, "type": "EDS" @@ -442,10 +442,10 @@ "ads": {}, "resourceApiVersion": "V3" }, - "serviceName": "tcproute/default/backend/rule/-1" + "serviceName": "tlsroute/default/backend/rule/-1" }, "lbPolicy": "LEAST_REQUEST", - "name": "tcproute/default/backend/rule/-1", + "name": "tlsroute/default/backend/rule/-1", "outlierDetection": {}, "perConnectionBufferLimitBytes": 32768, "type": "EDS" 
@@ -701,51 +701,10 @@ "address": { "socketAddress": { "address": "0.0.0.0", - "portValue": 8443 + "portValue": 1234 } }, - "filterChains": [ - { - "filterChainMatch": { - "serverNames": [ - "foo.com" - ] - }, - "filters": [ - { - "name": "envoy.filters.network.tcp_proxy", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", - "accessLog": [ - { - "name": "envoy.access_loggers.file", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog", - "logFormat": { - "textFormatSource": { - "inlineString": "{\"start_time\":\"%START_TIME%\",\"method\":\"%REQ(:METHOD)%\",\"x-envoy-origin-path\":\"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\",\"protocol\":\"%PROTOCOL%\",\"response_code\":\"%RESPONSE_CODE%\",\"response_flags\":\"%RESPONSE_FLAGS%\",\"response_code_details\":\"%RESPONSE_CODE_DETAILS%\",\"connection_termination_details\":\"%CONNECTION_TERMINATION_DETAILS%\",\"upstream_transport_failure_reason\":\"%UPSTREAM_TRANSPORT_FAILURE_REASON%\",\"bytes_received\":\"%BYTES_RECEIVED%\",\"bytes_sent\":\"%BYTES_SENT%\",\"duration\":\"%DURATION%\",\"x-envoy-upstream-service-time\":\"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\",\"x-forwarded-for\":\"%REQ(X-FORWARDED-FOR)%\",\"user-agent\":\"%REQ(USER-AGENT)%\",\"x-request-id\":\"%REQ(X-REQUEST-ID)%\",\":authority\":\"%REQ(:AUTHORITY)%\",\"upstream_host\":\"%UPSTREAM_HOST%\",\"upstream_cluster\":\"%UPSTREAM_CLUSTER%\",\"upstream_local_address\":\"%UPSTREAM_LOCAL_ADDRESS%\",\"downstream_local_address\":\"%DOWNSTREAM_LOCAL_ADDRESS%\",\"downstream_remote_address\":\"%DOWNSTREAM_REMOTE_ADDRESS%\",\"requested_server_name\":\"%REQUESTED_SERVER_NAME%\",\"route_name\":\"%ROUTE_NAME%\"}\n" - } - }, - "path": "/dev/stdout" - } - } - ], - "cluster": "tlsroute/default/backend/rule/-1", - "statPrefix": "passthrough" - } - } - ] - } - ], - "listenerFilters": [ - { - "name": "envoy.filters.listener.tls_inspector", - "typedConfig": { - "@type": 
"type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector" - } - } - ], - "name": "default/eg/tls-passthrough/backend", + "name": "default/eg/tcp", "perConnectionBufferLimitBytes": 32768 } } 
@@ -778,38 +737,10 @@ "address": { "socketAddress": { "address": "0.0.0.0", - "portValue": 1234 + "portValue": 8443 } }, - "filterChains": [ - { - "filters": [ - { - "name": "envoy.filters.network.tcp_proxy", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", - "accessLog": [ - { - "name": "envoy.access_loggers.file", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog", - "logFormat": { - "textFormatSource": { - "inlineString": "{\"start_time\":\"%START_TIME%\",\"method\":\"%REQ(:METHOD)%\",\"x-envoy-origin-path\":\"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\",\"protocol\":\"%PROTOCOL%\",\"response_code\":\"%RESPONSE_CODE%\",\"response_flags\":\"%RESPONSE_FLAGS%\",\"response_code_details\":\"%RESPONSE_CODE_DETAILS%\",\"connection_termination_details\":\"%CONNECTION_TERMINATION_DETAILS%\",\"upstream_transport_failure_reason\":\"%UPSTREAM_TRANSPORT_FAILURE_REASON%\",\"bytes_received\":\"%BYTES_RECEIVED%\",\"bytes_sent\":\"%BYTES_SENT%\",\"duration\":\"%DURATION%\",\"x-envoy-upstream-service-time\":\"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\",\"x-forwarded-for\":\"%REQ(X-FORWARDED-FOR)%\",\"user-agent\":\"%REQ(USER-AGENT)%\",\"x-request-id\":\"%REQ(X-REQUEST-ID)%\",\":authority\":\"%REQ(:AUTHORITY)%\",\"upstream_host\":\"%UPSTREAM_HOST%\",\"upstream_cluster\":\"%UPSTREAM_CLUSTER%\",\"upstream_local_address\":\"%UPSTREAM_LOCAL_ADDRESS%\",\"downstream_local_address\":\"%DOWNSTREAM_LOCAL_ADDRESS%\",\"downstream_remote_address\":\"%DOWNSTREAM_REMOTE_ADDRESS%\",\"requested_server_name\":\"%REQUESTED_SERVER_NAME%\",\"route_name\":\"%ROUTE_NAME%\"}\n" - } - }, - "path": "/dev/stdout" - } - } - ], - "cluster": "tcproute/default/backend/rule/-1", - "statPrefix": "tcp" - } - } - ] - } - ], - "name": "default/eg/tcp/backend", + "name": "default/eg/tls-passthrough", "perConnectionBufferLimitBytes": 32768 } } 
diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index 5c5b27e97f91..3469d7b53b1c 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -149,7 +149,7 @@ xds: region: grpcroute/default/backend/rule/0/backend/0 - endpointConfig: '@type': type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment - clusterName: tlsroute/default/backend/rule/-1 + clusterName: tcproute/default/backend/rule/-1 endpoints: - lbEndpoints: - endpoint: @@ -160,10 +160,10 @@ xds: loadBalancingWeight: 1 loadBalancingWeight: 1 locality: - region: tlsroute/default/backend/rule/-1/backend/0 + region: tcproute/default/backend/rule/-1/backend/0 - endpointConfig: '@type': type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment - clusterName: tcproute/default/backend/rule/-1 + clusterName: tlsroute/default/backend/rule/-1 endpoints: - lbEndpoints: - endpoint: @@ -174,7 +174,7 @@ xds: loadBalancingWeight: 1 loadBalancingWeight: 1 locality: - region: tcproute/default/backend/rule/-1/backend/0 + region: tlsroute/default/backend/rule/-1/backend/0 - endpointConfig: '@type': type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment clusterName: udproute/default/backend/rule/-1 @@ -238,9 +238,9 @@ xds: edsConfig: ads: {} resourceApiVersion: V3 - serviceName: tlsroute/default/backend/rule/-1 + serviceName: tcproute/default/backend/rule/-1 lbPolicy: LEAST_REQUEST - name: tlsroute/default/backend/rule/-1 + name: tcproute/default/backend/rule/-1 outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS 
@@ -254,9 +254,9 @@ xds: edsConfig: ads: {} resourceApiVersion: V3 - serviceName: tcproute/default/backend/rule/-1 + serviceName: tlsroute/default/backend/rule/-1 lbPolicy: LEAST_REQUEST - name: tcproute/default/backend/rule/-1 + name: tlsroute/default/backend/rule/-1 outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS 
@@ -419,31 +419,8 @@ xds: address: socketAddress: address: 0.0.0.0 - portValue: 8443 - filterChains: - - filterChainMatch: - serverNames: - - foo.com - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - accessLog: - - name: envoy.access_loggers.file - typedConfig: - '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog - logFormat: - textFormatSource: - inlineString: | - {"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} - path: /dev/stdout - cluster: tlsroute/default/backend/rule/-1 - statPrefix: passthrough - listenerFilters: - - name: envoy.filters.listener.tls_inspector - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector - name: default/eg/tls-passthrough/backend + portValue: 1234 + name: default/eg/tcp perConnectionBufferLimitBytes: 32768 - activeState: listener: 
@@ -464,24 +441,8 @@ xds: address: socketAddress: address: 0.0.0.0 - portValue: 1234 - filterChains: - - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - accessLog: - - name: envoy.access_loggers.file - typedConfig: - '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog - logFormat: - textFormatSource: - inlineString: | - {"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} - path: /dev/stdout - cluster: tcproute/default/backend/rule/-1 - statPrefix: tcp - name: default/eg/tcp/backend + portValue: 8443 + name: default/eg/tls-passthrough perConnectionBufferLimitBytes: 32768 - activeState: listener: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml index 57fee13d4acd..1a6833c208a9 100644 
--- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml @@ -49,9 +49,9 @@ xds: edsConfig: ads: {} resourceApiVersion: V3 - serviceName: tlsroute/default/backend/rule/-1 + serviceName: tcproute/default/backend/rule/-1 lbPolicy: LEAST_REQUEST - name: tlsroute/default/backend/rule/-1 + name: tcproute/default/backend/rule/-1 outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS @@ -65,9 +65,9 @@ xds: edsConfig: ads: {} resourceApiVersion: V3 - serviceName: tcproute/default/backend/rule/-1 + serviceName: tlsroute/default/backend/rule/-1 lbPolicy: LEAST_REQUEST - name: tcproute/default/backend/rule/-1 + name: tlsroute/default/backend/rule/-1 outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.endpoint.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.endpoint.yaml index 76b49b6fa243..04b9540b977c 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.endpoint.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.endpoint.yaml @@ -32,7 +32,7 @@ xds: region: grpcroute/default/backend/rule/0/backend/0 - endpointConfig: '@type': type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment - clusterName: tlsroute/default/backend/rule/-1 + clusterName: tcproute/default/backend/rule/-1 endpoints: - lbEndpoints: - endpoint: @@ -43,10 +43,10 @@ xds: loadBalancingWeight: 1 loadBalancingWeight: 1 locality: - region: tlsroute/default/backend/rule/-1/backend/0 + region: tcproute/default/backend/rule/-1/backend/0 - endpointConfig: '@type': type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment - clusterName: tcproute/default/backend/rule/-1 + clusterName: tlsroute/default/backend/rule/-1 endpoints: - lbEndpoints: - endpoint: 
@@ -57,7 +57,7 @@ xds: loadBalancingWeight: 1 loadBalancingWeight: 1 locality: - region: tcproute/default/backend/rule/-1/backend/0 + region: tlsroute/default/backend/rule/-1/backend/0 - endpointConfig: '@type': type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment clusterName: udproute/default/backend/rule/-1 diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml index ae7fce949cf6..40ce62c20ad3 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml 
@@ -143,31 +143,8 @@ xds: address: socketAddress: address: 0.0.0.0 - portValue: 8443 - filterChains: - - filterChainMatch: - serverNames: - - foo.com - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - accessLog: - - name: envoy.access_loggers.file - typedConfig: - '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog - logFormat: - textFormatSource: - inlineString: | - {"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} - path: /dev/stdout - cluster: tlsroute/default/backend/rule/-1 - statPrefix: passthrough - listenerFilters: - - name: envoy.filters.listener.tls_inspector - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector - name: default/eg/tls-passthrough/backend + portValue: 1234 + name: default/eg/tcp perConnectionBufferLimitBytes: 32768 - activeState: listener: 
@@ -188,24 +165,8 @@ xds: address: socketAddress: address: 0.0.0.0 - portValue: 1234 - filterChains: - - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - accessLog: - - name: envoy.access_loggers.file - typedConfig: - '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog - logFormat: - textFormatSource: - inlineString: | - {"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} - path: /dev/stdout - cluster: tcproute/default/backend/rule/-1 - statPrefix: tcp - name: default/eg/tcp/backend + portValue: 8443 + name: default/eg/tls-passthrough perConnectionBufferLimitBytes: 32768 - activeState: listener: diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index 3eb1f6ffe2cb..4e369bb2926c 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go 
@@ -275,7 +275,7 @@ func translateClientTrafficPolicyForListener(policySpec *egv1a1.ClientTrafficPol // TODO: Support TLSRoute and TCPRoute once // https://github.com/envoyproxy/gateway/issues/1635 is completed - irListenerName := irHTTPListenerName(l) + irListenerName := irListenerName(l) var httpIR *ir.HTTPListener for _, http := range gwXdsIR.HTTP { if http.Name == irListenerName { diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 1c5392262a9d..8a7b184966f9 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -361,18 +361,10 @@ func irStringKey(gatewayNs, gatewayName string) string { return fmt.Sprintf("%s/%s", gatewayNs, gatewayName) } -func irHTTPListenerName(listener *ListenerContext) string { +func irListenerName(listener *ListenerContext) string { return fmt.Sprintf("%s/%s/%s", listener.gateway.Namespace, listener.gateway.Name, listener.Name) } -func irTLSListenerName(listener *ListenerContext, tlsRoute *TLSRouteContext) string { - return fmt.Sprintf("%s/%s/%s/%s", listener.gateway.Namespace, listener.gateway.Name, listener.Name, tlsRoute.Name) -} - -func irTCPListenerName(listener *ListenerContext, tcpRoute *TCPRouteContext) string { - return fmt.Sprintf("%s/%s/%s/%s", listener.gateway.Namespace, listener.gateway.Name, listener.Name, tcpRoute.Name) -} - func irUDPListenerName(listener *ListenerContext, udpRoute *UDPRouteContext) string { return fmt.Sprintf("%s/%s/%s/%s", listener.gateway.Namespace, listener.gateway.Name, listener.Name, udpRoute.Name) } 
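Review bot: The new local `irListenerName := irListenerName(l)` shadows the package-level helper of the same name for the rest of translateClientTrafficPolicyForListener; it compiles only because a short declaration's scope begins after the statement, and any later call to the helper inside this function would silently resolve to the string, so rename the local, e.g. `listenerName := irListenerName(l)`. The TODO directly above still says TLSRoute/TCPRoute support waits on issue 1635, which this commit claims to fix, yet the loop still walks only `gwXdsIR.HTTP`, so a ClientTrafficPolicy targeting a TCP or TLS listener is still skipped with no status condition; either reword the comment to point at the remaining work or state in the commit that 1635 is only partially addressed. translateClientTrafficPolicyForListener starts and ends outside the hunk.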
@@ -385,6 +377,10 @@ func irRouteName(route RouteContext, ruleIdx, matchIdx int) string { return fmt.Sprintf("%s/rule/%d/match/%d", irRoutePrefix(route), ruleIdx, matchIdx) } +func irTCPRouteName(route RouteContext) string { + return fmt.Sprintf("%s/%s/%s", strings.ToLower(string(GetRouteType(route))), route.GetNamespace(), route.GetName()) +} + func irRouteDestinationName(route RouteContext, ruleIdx int) string { return fmt.Sprintf("%s/rule/%d", irRoutePrefix(route), ruleIdx) } diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index e24d58f7fbd3..6d1b41e59e2a 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -100,7 +100,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap switch listener.Protocol { case gwapiv1.HTTPProtocolType, gwapiv1.HTTPSProtocolType: irListener := &ir.HTTPListener{ - Name: irHTTPListenerName(listener), + Name: irListenerName(listener), Address: "0.0.0.0", Port: uint32(containerPort), TLS: irTLSConfigs(listener.tlsSecrets), @@ -114,6 +114,13 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap irListener.Hostnames = append(irListener.Hostnames, "*") } xdsIR[irKey].HTTP = append(xdsIR[irKey].HTTP, irListener) + case gwapiv1.TCPProtocolType, gwapiv1.TLSProtocolType: + irListener := &ir.TCPListener{ + Name: irListenerName(listener), + Address: "0.0.0.0", + Port: uint32(containerPort), + } + xdsIR[irKey].TCP = append(xdsIR[irKey].TCP, irListener) } // Add the listener to the Infra IR. Infra IR ports must have a unique port number per layer-4 protocol @@ -136,7 +143,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap infraPortName := string(listener.Name) if t.MergeGateways { - infraPortName = irHTTPListenerName(listener) + infraPortName = irListenerName(listener) } infraPort := ir.ListenerPort{ 
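Review bot: `irTCPRouteName` looks like it recomputes the `<kind>/<namespace>/<name>` prefix that `irRoutePrefix` already supplies — the neighbouring `irRouteDestinationName` yields `tlsroute/default/backend/rule/-1` from it in the fixtures — so unless the two are meant to differ, `return irRoutePrefix(route)` avoids a second lowercase/format path that can drift. The helper is also used for TLSRoutes in route.go, which is fine since it names an `ir.TCPRoute`, but deserves a doc comment: `// irTCPRouteName returns the IR name of the ir.TCPRoute built from a TCPRoute or TLSRoute: <kind>/<namespace>/<name>.` Note the name has no listener component, so one route attached to several listeners of the same Gateway produces identically named routes in different TCPListeners; confirm downstream consumers key by listener first.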
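Review bot: The new `TCPProtocolType, TLSProtocolType` case builds an `ir.TCPListener` for every TCP/TLS listener but, unlike the HTTP case two lines up, does not put `listener.tlsSecrets` on it; termination config is instead stamped onto each route in processTCPRouteParentRefs, so a TLS-terminate listener with no attached route carries no TLS material in the IR at all, and a listener with several routes repeats the same certificate config per route. Consider parity with HTTP — `TLS: irTLSConfigs(listener.tlsSecrets)` on the listener — or a comment giving the reason it must live on the route. Relatedly, the egctl golden outputs in this same patch now show the `default/eg/tcp` and `default/eg/tls-passthrough` listeners with no `filterChains` while their clusters are still emitted; if that is not a deliberate fixture artefact the xDS side of the pre-created listener needs checking, since to my recollection Envoy rejects a listener with neither `filter_chains` nor `default_filter_chain`. UDP listeners are still created during route processing (irUDPListenerName survives in helpers.go), so a one-line comment on the switch saying so is worth adding. ProcessListeners continues outside the hunk.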
diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index fc79ddb790ce..2e26d6c69325 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -565,7 +565,8 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route } } irKey := t.getIRKey(listener.gateway) - irListener := xdsIR[irKey].GetHTTPListener(irHTTPListenerName(listener)) + irListener := xdsIR[irKey].GetHTTPListener(irListenerName(listener)) + if irListener != nil { if GetRouteType(route) == KindGRPCRoute { irListener.IsHTTP2 = true @@ -656,24 +657,22 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour irKey := t.getIRKey(listener.gateway) - containerPort := servicePortToContainerPort(int32(listener.Port)) - // Create the TCP Listener while parsing the TLSRoute since - // the listener directly links to a routeDestination. - irListener := &ir.TCPListener{ - Name: irTLSListenerName(listener, tlsRoute), - Address: "0.0.0.0", - Port: uint32(containerPort), - TLS: &ir.TLS{Passthrough: &ir.TLSInspectorConfig{ - SNIs: hosts, - }}, - Destination: &ir.RouteDestination{ - Name: irRouteDestinationName(tlsRoute, -1 /*rule index*/), - Settings: destSettings, - }, - } gwXdsIR := xdsIR[irKey] - gwXdsIR.TCP = append(gwXdsIR.TCP, irListener) + irListener := gwXdsIR.GetTCPListener(irListenerName(listener)) + if irListener != nil { + irRoute := &ir.TCPRoute{ + Name: irTCPRouteName(tlsRoute), + TLS: &ir.TLS{Passthrough: &ir.TLSInspectorConfig{ + SNIs: hosts, + }}, + Destination: &ir.RouteDestination{ + Name: irRouteDestinationName(tlsRoute, -1 /*rule index*/), + Settings: destSettings, + }, + } + irListener.Routes = append(irListener.Routes, irRoute) + } } if !hasHostnameIntersection { 
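Review bot: A nil from `gwXdsIR.GetTCPListener(irListenerName(listener))` is now silently ignored in processTLSRouteParentRefs, so the TLSRoute presumably keeps its accepted parent status (the acceptance and hostname-intersection bookkeeping run regardless) while no IR route is ever created — reported as attached, never programmed. Since ProcessListeners now creates a TCPListener for every TCP/TLS listener, nil here signals a broken invariant; at minimum document it, `// listener must exist: ProcessListeners creates a TCPListener for every TCP/TLS listener`, and surface it via a status condition or log in an `else` branch rather than dropping the route. Each TLSRoute also becomes its own route with `Passthrough.SNIs = hosts`; two TLSRoutes on one listener with overlapping hostnames would presumably produce filter chains with identical SNI matches, which Envoy rejects for the whole listener, so if that is not validated elsewhere a duplicate-SNI check while appending to `irListener.Routes` would stop one bad route from taking the listener down. processTLSRouteParentRefs starts and ends outside the hunk.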
@@ -920,21 +919,20 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour
 			accepted = true
 			irKey := t.getIRKey(listener.gateway)
 
-			containerPort := servicePortToContainerPort(int32(listener.Port))
-			// Create the TCP Listener while parsing the TCPRoute since
-			// the listener directly links to a routeDestination.
-			irListener := &ir.TCPListener{
-				Name:    irTCPListenerName(listener, tcpRoute),
-				Address: "0.0.0.0",
-				Port:    uint32(containerPort),
-				Destination: &ir.RouteDestination{
-					Name:     irRouteDestinationName(tcpRoute, -1 /*rule index*/),
-					Settings: destSettings,
-				},
-				TLS: &ir.TLS{Terminate: irTLSConfigs(listener.tlsSecrets)},
-			}
 			gwXdsIR := xdsIR[irKey]
-			gwXdsIR.TCP = append(gwXdsIR.TCP, irListener)
+			irListener := gwXdsIR.GetTCPListener(irListenerName(listener))
+			if irListener != nil {
+				irRoute := &ir.TCPRoute{
+					Name: irTCPRouteName(tcpRoute),
+					Destination: &ir.RouteDestination{
+						Name:     irRouteDestinationName(tcpRoute, -1 /*rule index*/),
+						Settings: destSettings,
+					},
+					TLS: &ir.TLS{Terminate: irTLSConfigs(listener.tlsSecrets)},
+				}
+				irListener.Routes = append(irListener.Routes, irRoute)
+
+			}
 		}
 
 	}
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml
index d8fe370ea6af..01dbd2a4daf0 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml
@@ -380,3 +380,7 @@ xdsIR:
           name: magic
         hostname: '*'
         name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/*
+    tcp:
+    - address: 0.0.0.0
+      name: envoy-gateway/gateway-2/tcp
+      port: 10053
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml
index 413b622c7435..60c3d9cb62ec 100644
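Review bot: There is a stray blank line between `irListener.Routes = append(irListener.Routes, irRoute)` and the closing `}` of the `if irListener != nil` block; gofmt keeps such lines, so it needs removing by hand. Separately, `TLS: &ir.TLS{Terminate: irTLSConfigs(listener.tlsSecrets)}` is now copied into every TCPRoute attached to the same listener, so the listener's termination config is duplicated per route instead of being stored once on the `TCPListener` (which the IR hunk in this commit leaves without a TLS field); if that duplication is intentional, a comment saying so next to the field would stop a later reader from "fixing" it. The enclosing function continues outside this hunk.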
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml @@ -312,3 +312,7 @@ xdsIR: isHTTP2: false name: envoy-gateway/gateway-2/http port: 10080 + tcp: + - address: 0.0.0.0 + name: envoy-gateway/gateway-2/tcp + port: 10053 diff --git a/internal/gatewayapi/testdata/gateway-with-addresses-with-ipaddress.out.yaml b/internal/gatewayapi/testdata/gateway-with-addresses-with-ipaddress.out.yaml index 160fdae760ea..75f9ec61d61f 100644 --- a/internal/gatewayapi/testdata/gateway-with-addresses-with-ipaddress.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-addresses-with-ipaddress.out.yaml @@ -64,3 +64,7 @@ xdsIR: accessLog: text: - path: /dev/stdout + tcp: + - address: 0.0.0.0 + name: envoy-gateway/gateway-1/tcp + port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml index b3adde9cae1f..6c4088e8a441 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml @@ -89,3 +89,7 @@ xdsIR: accessLog: text: - path: /dev/stdout + tcp: + - address: 0.0.0.0 + name: envoy-gateway/gateway-1/tcp + port: 10162 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml index 010f8b932346..c7319445fb82 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml 
@@ -93,3 +93,7 @@ xdsIR: accessLog: text: - path: /dev/stdout + tcp: + - address: 0.0.0.0 + name: envoy-gateway/gateway-1/tcp + port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml index 074594d2e877..0011ec5ac075 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml @@ -94,3 +94,7 @@ xdsIR: accessLog: text: - path: /dev/stdout + tcp: + - address: 0.0.0.0 + name: envoy-gateway/gateway-1/tcp + port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml index 3c16278e7d37..3aec94b9cf1c 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml @@ -198,17 +198,19 @@ xdsIR: serverCertificate: 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 tcp: - address: 0.0.0.0 - destination: - name: tlsroute/default/tlsroute-1/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8080 - protocol: HTTPS - weight: 1 - name: envoy-gateway/gateway-1/tls-passthrough/tlsroute-1 + name: envoy-gateway/gateway-1/tls-passthrough port: 10090 - tls: - passthrough: - snis: - - foo.bar.com + routes: + - destination: + name: tlsroute/default/tlsroute-1/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTPS + weight: 1 + name: tlsroute/default/tlsroute-1 + tls: + passthrough: + snis: + - foo.bar.com 
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-tcproute.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-tcproute.out.yaml index 16f687f3ce2a..81326a838387 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-tcproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-tcproute.out.yaml @@ -57,3 +57,7 @@ xdsIR: accessLog: text: - path: /dev/stdout + tcp: + - address: 0.0.0.0 + name: envoy-gateway/gateway-1/tcp + port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml index 58a4352f7251..47c17d295a75 100644 --- a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml @@ -122,14 +122,16 @@ xdsIR: - path: /dev/stdout tcp: - address: 0.0.0.0 - destination: - name: tcproute/default/tcproute-1/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8163 - protocol: TCP - weight: 1 - name: envoy-gateway/gateway-1/tcp/tcproute-1 + name: envoy-gateway/gateway-1/tcp port: 10162 - tls: {} + routes: + - destination: + name: tcproute/default/tcproute-1/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8163 + protocol: TCP + weight: 1 + name: tcproute/default/tcproute-1 + tls: {} diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml index 3937ab6d28a1..a335c3016475 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml 
@@ -120,14 +120,16 @@ xdsIR: - path: /dev/stdout tcp: - address: 0.0.0.0 - destination: - name: tcproute/default/tcproute-1/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8163 - protocol: TCP - weight: 1 - name: envoy-gateway/gateway-1/tcp1/tcproute-1 + name: envoy-gateway/gateway-1/tcp1 port: 10162 - tls: {} + routes: + - destination: + name: tcproute/default/tcproute-1/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8163 + protocol: TCP + weight: 1 + name: tcproute/default/tcproute-1 + tls: {} diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml index 79634a364826..b64bc6ce660d 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml @@ -185,14 +185,16 @@ xdsIR: prefix: / tcp: - address: 0.0.0.0 - destination: - name: tcproute/default/tcproute-1/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8163 - protocol: TCP - weight: 1 - name: envoy-gateway/gateway-1/tcp/tcproute-1 + name: envoy-gateway/gateway-1/tcp port: 10080 - tls: {} + routes: + - destination: + name: tcproute/default/tcproute-1/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8163 + protocol: TCP + weight: 1 + name: tcproute/default/tcproute-1 + tls: {} diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml index df1b7a0ae3d2..841c0bd3767f 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml 
@@ -157,26 +157,30 @@ xdsIR: - path: /dev/stdout tcp: - address: 0.0.0.0 - destination: - name: tcproute/default/tcproute-1/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8163 - protocol: TCP - weight: 1 - name: envoy-gateway/gateway-1/tcp1/tcproute-1 + name: envoy-gateway/gateway-1/tcp1 port: 10162 - tls: {} + routes: + - destination: + name: tcproute/default/tcproute-1/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8163 + protocol: TCP + weight: 1 + name: tcproute/default/tcproute-1 + tls: {} - address: 0.0.0.0 - destination: - name: tcproute/default/tcproute-2/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8163 - protocol: TCP - weight: 1 - name: envoy-gateway/gateway-1/tcp2/tcproute-2 + name: envoy-gateway/gateway-1/tcp2 port: 10163 - tls: {} + routes: + - destination: + name: tcproute/default/tcproute-2/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8163 + protocol: TCP + weight: 1 + name: tcproute/default/tcproute-2 + tls: {} diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml index c31ac5dc002b..2ace6813c802 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml 
@@ -153,26 +153,30 @@ xdsIR: - path: /dev/stdout tcp: - address: 0.0.0.0 - destination: - name: tcproute/default/tcproute-1/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8163 - protocol: TCP - weight: 1 - name: envoy-gateway/gateway-1/tcp1/tcproute-1 + name: envoy-gateway/gateway-1/tcp1 port: 10161 - tls: {} + routes: + - destination: + name: tcproute/default/tcproute-1/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8163 + protocol: TCP + weight: 1 + name: tcproute/default/tcproute-1 + tls: {} - address: 0.0.0.0 - destination: - name: tcproute/default/tcproute-1/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8163 - protocol: TCP - weight: 1 - name: envoy-gateway/gateway-1/tcp2/tcproute-1 + name: envoy-gateway/gateway-1/tcp2 port: 10162 - tls: {} + routes: + - destination: + name: tcproute/default/tcproute-1/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8163 + protocol: TCP + weight: 1 + name: tcproute/default/tcproute-1 + tls: {} diff --git a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml index 4a2610a0084b..b68d87b50e1b 100755 --- a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml @@ -380,3 +380,7 @@ xdsIR: name: magic hostname: '*' name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/* + tcp: + - address: 0.0.0.0 + name: envoy-gateway/gateway-2/tcp + port: 10053 diff --git a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml index aea8b733cab3..2d48b1097dba 100644 --- a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml +++ b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml 
@@ -97,18 +97,20 @@ xdsIR: - path: /dev/stdout tcp: - address: 0.0.0.0 - destination: - name: tcproute/default/tcproute-1/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8080 - protocol: TCP - weight: 1 - name: envoy-gateway/gateway-1/tls/tcproute-1 + name: envoy-gateway/gateway-1/tls port: 10090 - tls: - terminate: - - name: envoy-gateway-tls-secret-1 - privateKey: 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 - serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNxRENDQVpBQ0NRREVNZ1lZblFyQ29EQU5CZ2txaGtpRzl3MEJBUXNGQURBV01SUXdFZ1lEVlFRRERBdG0KYjI4dVltRnlMbU52YlRBZUZ3MHlNekF4TURVeE16UXpNalJhRncweU5EQXhNRFV4TXpRek1qUmFNQll4RkRBUwpCZ05WQkFNTUMyWnZieTVpWVhJdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDCkFRRUFuZEh6d21wS2NUSUViamhGZ2RXd1RSTjc1Y3A4b3VsWnhMMUdydlI2SXc3ejdqaTBSNFcvTm85bkdmOU0KWVAyQ1JqaXN6NTFtd3hTeGVCcm9jTGVBK21reGkxK2lEdk5kQytyU0x4MTN6RUxTQ25xYnVzUHM3bUdmSlpxOAo5TGhlbmx5bzQzaDVjYTZINUxqTXd1L1JHVWlGMzFYck5yaVlGQlB2RTJyQitkd24vTkVrUTRoOFJxcXlwcmtuCkYvcWM5Sk1ZQVlGRld1VkNwa0lFbmRYMUN5dlFOT2FkZmN2cmd6dDV2SmwwT2kxQWdyaU5hWGJFUEdudWY3STQKcXBCSEdVWE5lMVdsOVdlVklxS1g0T2FFWERWQzZGQzdHOHptZWVMVzFBa1lFVm5pcFg2b1NCK0JjL1NIVlZOaApzQkxSbXRuc3pmTnRUMlFyZCttcGt4ODBaUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1VKOElDCkJveUVqT3V3enBHYVJoR044QjRqT1B6aHVDT0V0ZDM3UzAybHUwN09IenlCdmJzVEd6S3dCZ0x5bVdmR2tINEIKajdDTHNwOEZ6TkhLWnVhQmdwblo5SjZETE9Od2ZXZTJBWXA3TGRmT0tWQlVkTVhRaU9tN2pKOUhob0Ntdk1ONwpic2pjaFdKb013ckZmK3dkQUthdHowcUFQeWhMeWUvRnFtaVZ4a09SWmF3K1Q5bURaK0g0OXVBU2d1SnVOTXlRClY2RXlYNmd0Z1dxMzc2SHZhWE1TLzNoYW1Zb1ZXWEk1TXhpUE9ZeG5BQmtKQjRTQ2dJUmVqYkpmVmFRdG9RNGEKejAyaVVMZW5ESUllUU9Zb2JLY01CWGYxQjRQQVFtc2VocVZJYnpzUUNHaTU0VkRyczZiWmQvN0pzMXpDcHBncwpKaUQ1SXFNaktXRHdxN2FLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + routes: + - destination: + name: tcproute/default/tcproute-1/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: TCP + weight: 1 + name: tcproute/default/tcproute-1 + tls: + terminate: + - name: 
envoy-gateway-tls-secret-1 + privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1M1YvYmhnc0VSUzM1V2xmRk9BdDBzRUR5bjF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4Vms
vRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2REK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K + serverCertificate: 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 diff --git a/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml b/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml index af83c0f97df3..6a0b48d2b507 100644 --- a/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml @@ -94,17 +94,19 @@ xdsIR: - path: /dev/stdout tcp: - address: 0.0.0.0 - destination: - name: tlsroute/default/tlsroute-1/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8080 - protocol: HTTPS - weight: 1 - name: envoy-gateway/gateway-1/tls/tlsroute-1 + name: envoy-gateway/gateway-1/tls port: 10090 - tls: - passthrough: - snis: - - foo.com + routes: + - destination: + name: tlsroute/default/tlsroute-1/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTPS + weight: 1 + name: tlsroute/default/tlsroute-1 + tls: + passthrough: + snis: + - foo.com diff --git a/internal/gatewayapi/testdata/tlsroute-multiple.out.yaml b/internal/gatewayapi/testdata/tlsroute-multiple.out.yaml index bf5d7a8b744a..00162afd1f98 100644 --- a/internal/gatewayapi/testdata/tlsroute-multiple.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-multiple.out.yaml 
@@ -128,32 +128,32 @@ xdsIR: - path: /dev/stdout tcp: - address: 0.0.0.0 - destination: - name: tlsroute/default/tlsroute-1/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8080 - protocol: HTTPS - weight: 1 - name: envoy-gateway/gateway-1/tls/tlsroute-1 + name: envoy-gateway/gateway-1/tls port: 10091 - tls: - passthrough: - snis: - - foo.com - - address: 0.0.0.0 - destination: - name: tlsroute/default/tlsroute-2/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8080 - protocol: HTTPS - weight: 1 - name: envoy-gateway/gateway-1/tls/tlsroute-2 - port: 10091 - tls: - passthrough: - snis: - - bar.com + routes: + - destination: + name: tlsroute/default/tlsroute-1/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTPS + weight: 1 + name: tlsroute/default/tlsroute-1 + tls: + passthrough: + snis: + - foo.com + - destination: + name: tlsroute/default/tlsroute-2/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTPS + weight: 1 + name: tlsroute/default/tlsroute-2 + tls: + passthrough: + snis: + - bar.com diff --git a/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml index 014d9dff690c..615482497990 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml 
@@ -95,17 +95,19 @@ xdsIR: - path: /dev/stdout tcp: - address: 0.0.0.0 - destination: - name: tlsroute/default/tlsroute-1/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8080 - protocol: HTTPS - weight: 1 - name: envoy-gateway/gateway-1/tls/tlsroute-1 + name: envoy-gateway/gateway-1/tls port: 10090 - tls: - passthrough: - snis: - - foo.com + routes: + - destination: + name: tlsroute/default/tlsroute-1/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTPS + weight: 1 + name: tlsroute/default/tlsroute-1 + tls: + passthrough: + snis: + - foo.com diff --git a/internal/gatewayapi/testdata/tlsroute-with-empty-hostname.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-empty-hostname.out.yaml index 19779d07c21a..7b1f2f4633c5 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-empty-hostname.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-empty-hostname.out.yaml @@ -93,17 +93,19 @@ xdsIR: - path: /dev/stdout tcp: - address: 0.0.0.0 - destination: - name: tlsroute/default/tlsroute-1/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8080 - protocol: HTTPS - weight: 1 - name: envoy-gateway/gateway-1/tls/tlsroute-1 + name: envoy-gateway/gateway-1/tls port: 10091 - tls: - passthrough: - snis: - - '*' + routes: + - destination: + name: tlsroute/default/tlsroute-1/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTPS + weight: 1 + name: tlsroute/default/tlsroute-1 + tls: + passthrough: + snis: + - '*' diff --git a/internal/gatewayapi/testdata/tlsroute-with-empty-listener-hostname.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-empty-listener-hostname.out.yaml index bd87196bc86e..c3b955ce22da 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-empty-listener-hostname.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-empty-listener-hostname.out.yaml 
@@ -95,17 +95,19 @@ xdsIR: - path: /dev/stdout tcp: - address: 0.0.0.0 - destination: - name: tlsroute/default/tlsroute-1/rule/-1 - settings: - - endpoints: - - host: 7.7.7.7 - port: 8080 - protocol: HTTPS - weight: 1 - name: envoy-gateway/gateway-1/tls/tlsroute-1 + name: envoy-gateway/gateway-1/tls port: 10091 - tls: - passthrough: - snis: - - foo.com + routes: + - destination: + name: tlsroute/default/tlsroute-1/rule/-1 + settings: + - endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTPS + weight: 1 + name: tlsroute/default/tlsroute-1 + tls: + passthrough: + snis: + - foo.com diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 2c5179d9d237..17cd86271f3a 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -27,10 +27,10 @@ var ( ErrListenerAddressInvalid = errors.New("field Address must be a valid IP address") ErrListenerPortInvalid = errors.New("field Port specified is invalid") ErrHTTPListenerHostnamesEmpty = errors.New("field Hostnames must be specified with at least a single hostname entry") - ErrTCPListenerSNIsEmpty = errors.New("field SNIs must be specified with at least a single server name entry") + ErrTCPRouteSNIsEmpty = errors.New("field SNIs must be specified with at least a single server name entry") ErrTLSServerCertEmpty = errors.New("field ServerCertificate must be specified") ErrTLSPrivateKey = errors.New("field PrivateKey must be specified") - ErrHTTPRouteNameEmpty = errors.New("field Name must be specified") + ErrRouteNameEmpty = errors.New("field Name must be specified") ErrHTTPRouteHostnameEmpty = errors.New("field Hostname must be specified") ErrDestinationNameEmpty = errors.New("field Name must be specified") ErrDestEndpointHostInvalid = errors.New("field Address must be a valid IP address") 
@@ -357,7 +357,7 @@ type OIDC struct {
 func (h HTTPRoute) Validate() error {
 	var errs error
 	if h.Name == "" {
-		errs = multierror.Append(errs, ErrHTTPRouteNameEmpty)
+		errs = multierror.Append(errs, ErrRouteNameEmpty)
 	}
 	if h.Hostname == "" {
 		errs = multierror.Append(errs, ErrHTTPRouteHostnameEmpty)
@@ -739,12 +739,21 @@ type TCPListener struct {
 	Address string `json:"address" yaml:"address"`
 	// Port on which the service can be expected to be accessed by clients.
 	Port uint32 `json:"port" yaml:"port"`
+	// Routes associated with TCP traffic to the listener.
+	Routes []*TCPRoute `json:"routes,omitempty" yaml:"routes,omitempty"`
+	// TCPKeepalive configuration for the listener
+	TCPKeepalive *TCPKeepalive `json:"tcpKeepalive,omitempty" yaml:"tcpKeepalive,omitempty"`
+}
+
+// TCPRoute holds the route information associated with the TCP Route
+// +k8s:deepcopy-gen=true
+type TCPRoute struct {
+	// Name of the TCPRoute.
+	Name string `json:"name" yaml:"name"`
 	// TLS holds information for configuring TLS on a listener
 	TLS *TLS `json:"tls,omitempty" yaml:"tls,omitempty"`
 	// Destinations associated with TCP traffic to the service.
 	Destination *RouteDestination `json:"destination,omitempty" yaml:"destination,omitempty"`
-	// TCPKeepalive configuration for the listener
-	TCPKeepalive *TCPKeepalive `json:"tcpKeepalive,omitempty" yaml:"tcpKeepalive,omitempty"`
 }
 
 // TLS holds information for configuring TLS on a listener
@@ -769,6 +778,20 @@ func (h TCPListener) Validate() error {
 	if h.Port == 0 {
 		errs = multierror.Append(errs, ErrListenerPortInvalid)
 	}
+	for _, route := range h.Routes {
+		if err := route.Validate(); err != nil {
+			errs = multierror.Append(errs, err)
+		}
+	}
+	return errs
+}
+
+func (h TCPRoute) Validate() error {
+	var errs error
+	if h.Name == "" {
+		errs = multierror.Append(errs, ErrRouteNameEmpty)
+	}
+
 	if h.TLS != nil && h.TLS.Passthrough != nil {
 		if err := h.TLS.Passthrough.Validate(); err != nil {
 			errs = multierror.Append(errs, err)
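Review bot: The comment `// TLS holds information for configuring TLS on a listener` moved with the field into `TCPRoute` but still says "on a listener"; now that the field is per route, `// TLS holds the TLS passthrough (SNI match) or termination settings applied to this route.` describes what the commit does. The `Routes` doc could also say how several routes on one listener are told apart, since a TCP listener has no path or host to dispatch on; from this diff only the passthrough `SNIs` act as a discriminator, so something like `// Routes attached to the listener; a TLS passthrough route is selected by its SNIs, other routes apply to all connections.` would warn readers, assuming that is indeed the matching model (the translator's selection logic is not fully visible here).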
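Review bot: `func (h TCPRoute) Validate() error` is exported and has no doc comment; add `// Validate the fields within the TCPRoute structure.` above the signature, matching the other validators in this file. The visible part of the method checks only `Name` and the passthrough SNIs; the termination and `Destination` checks are outside the hunk, so it is worth confirming there that a nil `Destination` is rejected, because the field is a pointer tagged `omitempty` and the xDS translator in this commit dereferences `irRoute.Destination.Name` without a guard. `TCPRoute.Validate` ends outside this hunk.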
@@ -805,7 +828,7 @@ type TLSInspectorConfig struct {
 func (t TLSInspectorConfig) Validate() error {
 	var errs error
 	if len(t.SNIs) == 0 {
-		errs = multierror.Append(errs, ErrTCPListenerSNIsEmpty)
+		errs = multierror.Append(errs, ErrTCPRouteSNIsEmpty)
 	}
 	return errs
 }
diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go
index 2fb249ddcba5..c4fdba7f6df3 100644
--- a/internal/ir/xds_test.go
+++ b/internal/ir/xds_test.go
@@ -59,19 +59,18 @@ var (
 		Routes: []*HTTPRoute{&weightedInvalidBackendsHTTPRoute},
 	}
 
-	// TCPListener
-	happyTCPListenerTLSPassthrough = TCPListener{
+	// TCPRoute
+	happyTCPRoute = TCPRoute{
 		Name:        "happy",
-		Address:     "0.0.0.0",
-		Port:        80,
+		Destination: &happyRouteDestination,
+	}
+	happyTCPRouteTLSPassthrough = TCPRoute{
+		Name:        "happy-tls-passthrough",
 		TLS:         &TLS{Passthrough: &TLSInspectorConfig{SNIs: []string{"example.com"}}},
 		Destination: &happyRouteDestination,
 	}
-
-	happyTCPListenerTLSTerminate = TCPListener{
-		Name:    "happy",
-		Address: "0.0.0.0",
-		Port:    80,
+	happyTCPRouteTLSTermination = TCPRoute{
+		Name: "happy-tls-termination",
 		TLS: &TLS{Terminate: []*TLSListenerConfig{{
 			Name:              "happy",
 			ServerCertificate: []byte("server-cert"),
@@ -79,29 +78,11 @@ var (
 		}}},
 		Destination: &happyRouteDestination,
 	}
-
-	emptySNITCPListenerTLSPassthrough = TCPListener{
-		Name:        "empty-sni",
-		Address:     "0.0.0.0",
-		Port:        80,
-		Destination: &happyRouteDestination,
-	}
-	invalidNameTCPListenerTLSPassthrough = TCPListener{
-		Address:     "0.0.0.0",
-		Port:        80,
-		TLS:         &TLS{Passthrough: &TLSInspectorConfig{SNIs: []string{"example.com"}}},
+	invalidNameTCPRoute = TCPRoute{
 		Destination: &happyRouteDestination,
 	}
-	invalidAddrTCPListenerTLSPassthrough = TCPListener{
-		Name:        "invalid-addr",
-		Address:     "1.0.0",
-		Port:        80,
-		TLS:         &TLS{Passthrough: &TLSInspectorConfig{SNIs: []string{"example.com"}}},
-		Destination: &happyRouteDestination,
-	}
-	invalidSNITCPListenerTLSPassthrough = TCPListener{
-		Address:     "0.0.0.0",
-		Port:        80,
+	invalidSNITCPRoute = TCPRoute{
+		Name:        "invalid-sni-route",
 		TLS:         &TLS{Passthrough: &TLSInspectorConfig{SNIs: []string{}}},
 		Destination: &happyRouteDestination,
 	}
@@ -483,7 +464,7 @@ func TestValidateXds(t *testing.T) {
 		{
 			name: "happy tls passthrough",
 			input: Xds{
-				TCP: []*TCPListener{&happyTCPListenerTLSPassthrough},
+				TCP: []*TCPListener{&happyTCPRouteTLSPassthrough},
 			},
 			want: nil,
 		},
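Review bot: `TCP: []*TCPListener{&happyTCPRouteTLSPassthrough}` takes the address of a `TCPRoute` value (it is declared as `happyTCPRouteTLSPassthrough = TCPRoute{...}` in the hunk above) and stores it in a `[]*TCPListener`, which does not compile. The intent is a listener carrying that route; `happyTCPListenerWithRoute` is referenced by `TestValidateTCPListener` in this same commit and, if it wraps a passthrough route, is the right fixture: `TCP: []*TCPListener{&happyTCPListenerWithRoute},`. Its definition is not visible in this diff, so confirm it exists before relying on it.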
@@ -589,30 +570,25 @@ func TestValidateTCPListener(t *testing.T) {
 		want  []error
 	}{
 		{
-			name:  "tls passthrough happy",
-			input: happyTCPListenerTLSPassthrough,
+			name:  "happy",
+			input: happyTCPListener,
 			want:  nil,
 		},
 		{
-			name:  "tcp empty SNIs",
-			input: emptySNITCPListenerTLSPassthrough,
+			name:  "happy with route",
+			input: happyTCPListenerWithRoute,
 			want:  nil,
 		},
 		{
-			name:  "tls passthrough invalid name",
-			input: invalidNameTCPListenerTLSPassthrough,
+			name:  "invalid name",
+			input: invalidNameTCPListener,
 			want:  []error{ErrListenerNameEmpty},
 		},
 		{
-			name:  "tls passthrough invalid addr",
-			input: invalidAddrTCPListenerTLSPassthrough,
+			name:  "invalid addr",
+			input: invalidAddrTCPListener,
 			want:  []error{ErrListenerAddressInvalid},
 		},
-		{
-			name:  "tls passthrough empty SNIs",
-			input: invalidSNITCPListenerTLSPassthrough,
-			want:  []error{ErrTCPListenerSNIsEmpty},
-		},
 	}
 	for _, test := range tests {
 		test := test
@@ -806,7 +782,7 @@ func TestValidateHTTPRoute(t *testing.T) {
 				},
 				Destination: &happyRouteDestination,
 			},
-			want: []error{ErrHTTPRouteNameEmpty},
+			want: []error{ErrRouteNameEmpty},
 		},
 		{
 			name: "invalid hostname",
@@ -836,7 +812,7 @@ func TestValidateHTTPRoute(t *testing.T) {
 				HeaderMatches: []*StringMatch{ptrTo(StringMatch{})},
 				Destination:   &happyRouteDestination,
 			},
-			want: []error{ErrHTTPRouteNameEmpty, ErrStringMatchConditionInvalid},
+			want: []error{ErrRouteNameEmpty, ErrStringMatchConditionInvalid},
 		},
 		{
 			name: "redirect-httproute",
@@ -938,6 +914,53 @@ func TestValidateHTTPRoute(t *testing.T) {
 	}
 }
 
+func TestValidateTCPRoute(t *testing.T) {
+	tests := []struct {
+		name  string
+		input TCPRoute
+		want  []error
+	}{
+		{
+			name:  "happy",
+			input: happyTCPRoute,
+			want:  nil,
+		},
+		{
+			name:  "tls passthrough happy",
+			input: happyTCPRouteTLSPassthrough,
+			want:  nil,
+		},
+		{
+			name:  "tls terminatation happy",
+			input: happyTCPRouteTLSTermination,
+			want:  nil,
+		},
+		{
+			name:  "invalid name",
+			input: invalidNameTCPRoute,
+			want:  []error{ErrRouteNameEmpty},
+		},
+		{
+			name:  "invalid sni",
+			input: invalidSNITCPRoute,
+			want:  []error{ErrTCPRouteSNIsEmpty},
+		},
+	}
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			if test.want == nil {
+				require.NoError(t, test.input.Validate())
+			} else {
+				got := test.input.Validate()
+				for _, w := range test.want {
+					assert.ErrorContains(t, got, w.Error())
+				}
+			}
+		})
+	}
+}
+
 func TestValidateRouteDestination(t *testing.T) {
 	tests := []struct {
 		name  string
diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go
index edf7e1146cfa..32138c31847e 100644
--- a/internal/ir/zz_generated.deepcopy.go
+++ b/internal/ir/zz_generated.deepcopy.go
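Review bot: The subtest name `"tls terminatation happy"` is misspelled; `name:  "tls termination happy",`. The table pins the passthrough failure (`ErrTCPRouteSNIsEmpty`) but has no negative termination case, although `ErrTLSServerCertEmpty` and `ErrTLSPrivateKey` exist in this package; a `TCPRoute` with `TLS: &TLS{Terminate: []*TLSListenerConfig{{Name: "x"}}}` expecting those errors would confirm that `TCPRoute.Validate` still reaches the termination checks after the refactor (assuming that branch moved along with the passthrough one, which is outside the visible hunks).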
@@ -1038,6 +1038,37 @@ func (in *TCPKeepalive) DeepCopy() *TCPKeepalive { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TCPListener) DeepCopyInto(out *TCPListener) { + *out = *in + if in.Routes != nil { + in, out := &in.Routes, &out.Routes + *out = make([]*TCPRoute, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(TCPRoute) + (*in).DeepCopyInto(*out) + } + } + } + if in.TCPKeepalive != nil { + in, out := &in.TCPKeepalive, &out.TCPKeepalive + *out = new(TCPKeepalive) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPListener. +func (in *TCPListener) DeepCopy() *TCPListener { + if in == nil { + return nil + } + out := new(TCPListener) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TCPRoute) DeepCopyInto(out *TCPRoute) { *out = *in if in.TLS != nil { in, out := &in.TLS, &out.TLS @@ -1049,19 +1080,14 @@ func (in *TCPListener) DeepCopyInto(out *TCPListener) { *out = new(RouteDestination) (*in).DeepCopyInto(*out) } - if in.TCPKeepalive != nil { - in, out := &in.TCPKeepalive, &out.TCPKeepalive - *out = new(TCPKeepalive) - (*in).DeepCopyInto(*out) - } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPListener. -func (in *TCPListener) DeepCopy() *TCPListener { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPRoute. +func (in *TCPRoute) DeepCopy() *TCPRoute { if in == nil { return nil } - out := new(TCPListener) + out := new(TCPRoute) in.DeepCopyInto(out) return out } diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index 1a118f56426d..664cba6218cd 100644 --- a/internal/xds/translator/listener.go 
+++ b/internal/xds/translator/listener.go
@@ -216,13 +216,13 @@ func findXdsHTTPRouteConfigName(xdsListener *listenerv3.Listener) string {
 return ""
 }
-func addXdsTCPFilterChain(xdsListener *listenerv3.Listener, irListener *ir.TCPListener, clusterName string, accesslog *ir.AccessLog) error {
- if irListener == nil {
+func addXdsTCPFilterChain(xdsListener *listenerv3.Listener, irRoute *ir.TCPRoute, accesslog *ir.AccessLog) error {
+ if irRoute == nil {
 return errors.New("tcp listener is nil")
 }
- isTLSPassthrough := irListener.TLS != nil && irListener.TLS.Passthrough != nil
- isTLSTerminate := irListener.TLS != nil && irListener.TLS.Terminate != nil
+ isTLSPassthrough := irRoute.TLS != nil && irRoute.TLS.Passthrough != nil
+ isTLSTerminate := irRoute.TLS != nil && irRoute.TLS.Terminate != nil
 statPrefix := "tcp"
 if isTLSPassthrough {
 statPrefix = "passthrough"
@@ -236,7 +236,7 @@ func addXdsTCPFilterChain(xdsListener *listenerv3.Listener, irListener *ir.TCPLi
 AccessLog: buildXdsAccessLog(accesslog, false),
 StatPrefix: statPrefix,
 ClusterSpecifier: &tcpv3.TcpProxy_Cluster{
- Cluster: clusterName,
+ Cluster: irRoute.Destination.Name,
 },
 }
 mgrAny, err := anypb.New(mgr)
@@ -254,13 +254,13 @@ func addXdsTCPFilterChain(xdsListener *listenerv3.Listener, irListener *ir.TCPLi
 }
 if isTLSPassthrough {
- if err := addServerNamesMatch(xdsListener, filterChain, irListener.TLS.Passthrough.SNIs); err != nil {
+ if err := addServerNamesMatch(xdsListener, filterChain, irRoute.TLS.Passthrough.SNIs); err != nil {
 return err
 }
 }
 if isTLSTerminate {
- tSocket, err := buildXdsDownstreamTLSSocket(irListener.TLS.Terminate)
+ tSocket, err := buildXdsDownstreamTLSSocket(irRoute.TLS.Terminate)
 if err != nil {
 return err
 }
diff --git a/internal/xds/translator/testdata/in/xds-ir/multiple-listeners-same-port.yaml b/internal/xds/translator/testdata/in/xds-ir/multiple-listeners-same-port.yaml
index 40af29afaed8..8754927f0fff 100644
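Review bot: The nil guard's message is stale now that the parameter is a route: `return errors.New("tcp listener is nil")` should become `return errors.New("tcp route is nil")`, otherwise a nil route is reported as a missing listener. In the second hunk `Cluster: irRoute.Destination.Name` dereferences `Destination` with no check, whereas the old signature received the cluster name already resolved by the caller; if TCPRoute.Validate does not guarantee a non-nil Destination, widen the guard to `if irRoute == nil || irRoute.Destination == nil {`. The body of addXdsTCPFilterChain continues past the last hunk.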
--- a/internal/xds/translator/testdata/in/xds-ir/multiple-listeners-same-port.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/multiple-listeners-same-port.yaml @@ -71,26 +71,30 @@ tcp: - name: "fifth-listener" address: "0.0.0.0" port: 10080 - tls: - passthrough: - snis: - - bar.com - destination: - name: "tcp-route-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 + routes: + - name: "fifth-route" + tls: + passthrough: + snis: + - bar.com + destination: + name: "tcp-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 - name: "sixth-listener" address: "0.0.0.0" port: 10080 - tls: - passthrough: - snis: - - bar.net - destination: - name: "tls-route-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 + routes: + - name: "sixth-route" + tls: + passthrough: + snis: + - bar.net + destination: + name: "tls-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 diff --git a/internal/xds/translator/testdata/in/xds-ir/multiple-simple-tcp-route-same-port.yaml b/internal/xds/translator/testdata/in/xds-ir/multiple-simple-tcp-route-same-port.yaml index fca8012cd106..c9469b7d818c 100644 --- a/internal/xds/translator/testdata/in/xds-ir/multiple-simple-tcp-route-same-port.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/multiple-simple-tcp-route-same-port.yaml 
@@ -1,56 +1,66 @@ tcp: -- name: "tcp-route-simple" +- name: "tcp-listener-simple" address: "0.0.0.0" port: 10080 - destination: - name: "tcp-route-simple-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" - port: 50001 -- name: "tcp-route-simple-1" + routes: + - name: "tcp-route-simple" + destination: + name: "tcp-route-simple-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 +- name: "tcp-listener-simple-1" address: "0.0.0.0" port: 10080 - destination: - name: "tcp-route-simple-1-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" - port: 50001 -- name: "tcp-route-simple-2" + routes: + - name: "tcp-route-simple-1" + destination: + name: "tcp-route-simple-1-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 +- name: "tcp-listener-simple-2" address: "0.0.0.0" port: 10080 - destination: - name: "tcp-route-simple-2-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" - port: 50001 -- name: "tcp-route-simple-3" + routes: + - name: "tcp-route-simple-2" + destination: + name: "tcp-route-simple-2-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 +- name: "tcp-listener-simple-3" address: "0.0.0.0" port: 10080 - destination: - name: "tcp-route-simple-3-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" - port: 50001 -- name: "tcp-route-simple-4" + routes: + - name: "tcp-route-simple-3" + destination: + name: "tcp-route-simple-3-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 +- name: "tcp-listener-simple-4" address: "0.0.0.0" port: 10080 - destination: - name: "tcp-route-simple-4-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" + routes: + - name: "tcp-route-simple-4" + destination: + name: 
"tcp-route-simple-4-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" port: 50001 diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-route-complex.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-route-complex.yaml index 05ac886693e7..d7c85f58853a 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tcp-route-complex.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tcp-route-complex.yaml @@ -1,18 +1,20 @@ tcp: -- name: "tcp-route-complex" +- name: "tcp-listener-complex" address: "0.0.0.0" port: 10080 - tls: - passthrough: - snis: - - foo.com - - bar.com - - example.com - destination: - name: "tcp-route-complex-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" - port: 50001 + routes: + - name: "tcp-route-complex" + tls: + passthrough: + snis: + - foo.com + - bar.com + - example.com + destination: + name: "tcp-route-complex-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-route-invalid-endpoint.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-route-invalid-endpoint.yaml index 3885afa4fd92..9c84994abfd4 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tcp-route-invalid-endpoint.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tcp-route-invalid-endpoint.yaml @@ -1,11 +1,13 @@ tcp: -- name: "tcp-route-simple" +- name: "tcp-listener-simple" address: "0.0.0.0" port: 10080 - destination: - name: "tcp-route-simple-dest" - settings: - - endpoints: - - port: 50000 - - host: "5.6.7.8" - port: 50001 + routes: + - name: "tcp-route-simple" + destination: + name: "tcp-route-simple-dest" + settings: + - endpoints: + - port: 50000 + - host: "5.6.7.8" + port: 50001 diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-route-invalid.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-route-invalid.yaml index d14b325d3dc6..d694b2c7e48b 100644 
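Review bot: In the last route of multiple-simple-tcp-route-same-port.yaml the final `port: 50001` was left as an unchanged context line at its old indentation, so it no longer sits under `- host: "5.6.7.8"` and that endpoint loses its port; the regenerated expected output in multiple-simple-tcp-route-same-port.endpoints.yaml now carries `portValue: 0` for that address, which is the symptom being accepted rather than fixed. Re-indent the line to match the `port: 50000` line of the same route and restore `portValue: 50001` in the expected output. The other hunks in this batch (tcp-route-complex.yaml, tcp-route-invalid-endpoint.yaml) indent their trailing `port:` lines correctly.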
--- a/internal/xds/translator/testdata/in/xds-ir/tcp-route-invalid.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tcp-route-invalid.yaml @@ -1,12 +1,14 @@ tcp: -- name: "tcp-route-invalid" +- name: "tcp-listener-invalid" address: "" port: 10080 - destination: - name: "tcp-route-invalid-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" - port: 50001 + routes: + - name: "tcp-route-invalid" + destination: + name: "tcp-route-invalid-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-route-simple.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-route-simple.yaml index f79cebf3e67c..58f1ec038929 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tcp-route-simple.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tcp-route-simple.yaml @@ -1,12 +1,14 @@ tcp: -- name: "tcp-route-simple" +- name: "tcp-listener-simple" address: "0.0.0.0" port: 10080 - destination: - name: "tcp-route-simple-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" - port: 50001 + routes: + - name: "tcp-route-simple" + destination: + name: "tcp-route-simple-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-route-tls-terminate.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-route-tls-terminate.yaml index bcd02eb8712c..cbb418391e3b 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tcp-route-tls-terminate.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tcp-route-tls-terminate.yaml 
@@ -1,17 +1,19 @@ tcp: -- name: "tls-terminate" +- name: "tls-listener-erminate" address: "0.0.0.0" port: 10080 - tls: - terminate: - - Name: envoy-gateway-tls-secret-1 - PrivateKey: 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 - ServerCertificate: 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 - destination: - name: "tls-terminate-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" - port: 50001 + routes: + - name: "tls-route-terminate" + tls: + terminate: + - Name: envoy-gateway-tls-secret-1 + PrivateKey: 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 + ServerCertificate: 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 + destination: + name: "tls-terminate-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-route-weighted-backend.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-route-weighted-backend.yaml index 0bd5ac621a93..269c4dd99068 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tcp-route-weighted-backend.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tcp-route-weighted-backend.yaml 
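Review bot: The renamed listener is misspelled: `- name: "tls-listener-erminate"` should be `- name: "tls-listener-terminate"`, matching the `tls-route-terminate` route name below it. The typo is already propagated into the expected output tcp-route-tls-terminate.listeners.yaml (`name: tls-listener-erminate`), so both files need the same correction.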
@@ -1,29 +1,31 @@ tcp: -- name: "tcp-route-weighted-backend" +- name: "tcp-listener-weighted-backend" address: "0.0.0.0" port: 10080 - tls: - passthrough: - snis: - - foo.com - - bar.com - - example.com - destination: - name: "tcp-route-weighted-backend-dest" - settings: - - endpoints: - - host: "1.1.1.1" - port: 50001 - weight: 20 - - endpoints: - - host: "2.2.2.2" - port: 50002 - weight: 40 - - endpoints: - - host: "3.3.3.3" - port: 50003 - weight: 20 - - endpoints: - - host: "4.4.4.4" - port: 50004 - weight: 20 + routes: + - name: "tcp-route-weighted-backend" + tls: + passthrough: + snis: + - foo.com + - bar.com + - example.com + destination: + name: "tcp-route-weighted-backend-dest" + settings: + - endpoints: + - host: "1.1.1.1" + port: 50001 + weight: 20 + - endpoints: + - host: "2.2.2.2" + port: 50002 + weight: 40 + - endpoints: + - host: "3.3.3.3" + port: 50003 + weight: 20 + - endpoints: + - host: "4.4.4.4" + port: 50004 + weight: 20 diff --git a/internal/xds/translator/testdata/in/xds-ir/tls-route-passthrough.yaml b/internal/xds/translator/testdata/in/xds-ir/tls-route-passthrough.yaml index 1d33d64cc91d..570014662e53 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tls-route-passthrough.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tls-route-passthrough.yaml @@ -1,16 +1,18 @@ tcp: -- name: "tls-passthrough" +- name: "tls-listener-passthrough" address: "0.0.0.0" port: 10080 - tls: - passthrough: - snis: - - foo.com - destination: - name: "tls-passthrough-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" - port: 50001 + routes: + - name: "tls-route-passthrough" + tls: + passthrough: + snis: + - foo.com + destination: + name: "tls-passthrough-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml index 1bcfa8d1104e..abfeaa163294 100755 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml @@ -26,31 +26,3 @@ outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS -- commonLbConfig: - localityWeightedLbConfig: {} - connectTimeout: 10s - dnsLookupFamily: V4_ONLY - edsClusterConfig: - edsConfig: - ads: {} - resourceApiVersion: V3 - serviceName: tls-route-dest - lbPolicy: LEAST_REQUEST - name: tls-route-dest - outlierDetection: {} - perConnectionBufferLimitBytes: 32768 - type: EDS -- commonLbConfig: - localityWeightedLbConfig: {} - connectTimeout: 10s - dnsLookupFamily: V4_ONLY - edsClusterConfig: - edsConfig: - ads: {} - resourceApiVersion: V3 - serviceName: tcp-route-dest - lbPolicy: LEAST_REQUEST - name: tcp-route-dest - outlierDetection: {} - perConnectionBufferLimitBytes: 32768 - type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.endpoints.yaml index 5b4fe89e58cd..de95bf555b94 100755 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.endpoints.yaml 
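Review bot: The expected output for listener-tcp-keepalive drops both the `tls-route-dest` and `tcp-route-dest` clusters here, their endpoints, and the filter chains of third-listener and fourth-listener in listener-tcp-keepalive.endpoints.yaml and listener-tcp-keepalive.listeners.yaml, yet no change to the input listener-tcp-keepalive.yaml is visible in this diff. If that input still uses the listener-level `tls:`/`destination:` fields, they are now silently ignored and those listeners carry zero routes, so the fixture no longer exercises TLS passthrough or plain TCP on a keepalive listener. Migrate the input to the new `routes:` form and restore the removed resources rather than accepting the emptier output.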
@@ -22,27 +22,3 @@ loadBalancingWeight: 1 locality: region: second-route-dest/backend/0 -- clusterName: tls-route-dest - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: 1.2.3.4 - portValue: 50000 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - locality: - region: tls-route-dest/backend/0 -- clusterName: tcp-route-dest - endpoints: - - lbEndpoints: - - endpoint: - address: - socketAddress: - address: 1.2.3.4 - portValue: 50000 - loadBalancingWeight: 1 - loadBalancingWeight: 1 - locality: - region: tcp-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml index 093345869702..73800d621e8e 100755 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml @@ -90,20 +90,6 @@ socketAddress: address: 0.0.0.0 portValue: 10082 - filterChains: - - filterChainMatch: - serverNames: - - bar.com - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - cluster: tls-route-dest - statPrefix: passthrough - listenerFilters: - - name: envoy.filters.listener.tls_inspector - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector name: third-listener perConnectionBufferLimitBytes: 32768 socketOptions: @@ -115,13 +101,6 @@ socketAddress: address: 0.0.0.0 portValue: 10083 - filterChains: - - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - cluster: tcp-route-dest - statPrefix: tcp name: fourth-listener perConnectionBufferLimitBytes: 32768 socketOptions: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml index 632271fe590f..cf2201d054a1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml @@ -114,24 +114,6 @@ sdsConfig: ads: {} resourceApiVersion: V3 - - filterChainMatch: - serverNames: - - bar.com - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - cluster: tcp-route-dest - statPrefix: passthrough - - filterChainMatch: - serverNames: - - bar.net - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - cluster: tls-route-dest - statPrefix: passthrough listenerFilters: - name: envoy.filters.listener.tls_inspector typedConfig: diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.endpoints.yaml index 8d9b5f2277df..4faf21420c23 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.endpoints.yaml @@ -83,7 +83,7 @@ address: socketAddress: address: 5.6.7.8 - portValue: 50001 + portValue: 0 loadBalancingWeight: 1 loadBalancingWeight: 1 locality: diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml index 663e7b989088..47218d0add01 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml @@ -2,36 +2,5 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - filterChains: - - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - cluster: tcp-route-simple-dest - statPrefix: tcp - - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - cluster: tcp-route-simple-1-dest - statPrefix: tcp - - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - cluster: tcp-route-simple-2-dest - statPrefix: tcp - - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - cluster: tcp-route-simple-3-dest - statPrefix: tcp - - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - cluster: tcp-route-simple-4-dest - statPrefix: tcp - name: tcp-route-simple + name: tcp-listener-simple perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml index fb16f3e53ae1..d7885ccedd42 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml 
@@ -2,21 +2,5 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - filterChains: - - filterChainMatch: - serverNames: - - foo.com - - bar.com - - example.com - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - cluster: tcp-route-complex-dest - statPrefix: passthrough - listenerFilters: - - name: envoy.filters.listener.tls_inspector - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector - name: tcp-route-complex + name: tcp-listener-complex perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml index ee24bc19f558..47218d0add01 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml @@ -2,12 +2,5 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - filterChains: - - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - cluster: tcp-route-simple-dest - statPrefix: tcp - name: tcp-route-simple + name: tcp-listener-simple perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml index cb355428d860..4beb5323a75f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml @@ -22,5 +22,5 @@ sdsConfig: ads: {} resourceApiVersion: V3 - name: tls-terminate + name: tls-listener-erminate perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml index 75d5b912e49a..033b7194a8b8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml @@ -2,21 +2,5 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - filterChains: - - filterChainMatch: - serverNames: - - foo.com - - bar.com - - example.com - filters: - - name: envoy.filters.network.tcp_proxy - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy - cluster: tcp-route-weighted-backend-dest - statPrefix: passthrough - listenerFilters: - - name: envoy.filters.listener.tls_inspector - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector - name: tcp-route-weighted-backend + name: tcp-listener-weighted-backend perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml index f2f1197f943f..45808be66da3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml 
@@ -2,19 +2,5 @@
 socketAddress:
 address: 0.0.0.0
 portValue: 10080
- filterChains:
- - filterChainMatch:
- serverNames:
- - foo.com
- filters:
- - name: envoy.filters.network.tcp_proxy
- typedConfig:
- '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
- cluster: tls-passthrough-dest
- statPrefix: passthrough
- listenerFilters:
- - name: envoy.filters.listener.tls_inspector
- typedConfig:
- '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
- name: tls-passthrough
+ name: tls-listener-passthrough
 perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go
index e65e8cac08a2..ed08aebadf67 100644
--- a/internal/xds/translator/translator.go
+++ b/internal/xds/translator/translator.go
@@ -264,24 +264,6 @@ func (t *Translator) processHTTPListenerXdsTranslation(tCtx *types.ResourceVersi
 func processTCPListenerXdsTranslation(tCtx *types.ResourceVersionTable, tcpListeners []*ir.TCPListener, accesslog *ir.AccessLog) error {
 for _, tcpListener := range tcpListeners {
- // 1:1 between IR TCPListener and xDS Cluster
- if err := addXdsCluster(tCtx, &xdsClusterArgs{
- name: tcpListener.Destination.Name,
- settings: tcpListener.Destination.Settings,
- tSocket: nil,
- endpointType: Static,
- }); err != nil && !errors.Is(err, ErrXdsClusterExists) {
- return err
- }
-
- if tcpListener.TLS != nil && tcpListener.TLS.Terminate != nil {
- for _, s := range tcpListener.TLS.Terminate {
- secret := buildXdsDownstreamTLSSecret(s)
- if err := tCtx.AddXdsResource(resourcev3.SecretType, secret); err != nil {
- return err
- }
- }
- }
 // Search for an existing listener, if it does not exist, create one.
 xdsListener := findXdsListenerByHostPort(tCtx, tcpListener.Address, tcpListener.Port, corev3.SocketAddress_TCP)
 if xdsListener == nil {
@@ -291,8 +273,26 @@ func processTCPListenerXdsTranslation(tCtx *types.ResourceVersionTable, tcpListe
 }
 }
- if err := addXdsTCPFilterChain(xdsListener, tcpListener, tcpListener.Destination.Name, accesslog); err != nil {
- return err
+ for _, route := range tcpListener.Routes {
+ if err := addXdsCluster(tCtx, &xdsClusterArgs{
+ name: route.Destination.Name,
+ settings: route.Destination.Settings,
+ tSocket: nil,
+ endpointType: Static,
+ }); err != nil && !errors.Is(err, ErrXdsClusterExists) {
+ return err
+ }
+ if route.TLS != nil && route.TLS.Terminate != nil {
+ for _, s := range route.TLS.Terminate {
+ secret := buildXdsDownstreamTLSSecret(s)
+ if err := tCtx.AddXdsResource(resourcev3.SecretType, secret); err != nil {
+ return err
+ }
+ if err := addXdsTCPFilterChain(xdsListener, route, accesslog); err != nil {
+ return err
+ }
+ }
+ }
 }
 }
 return nil
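Review bot: `addXdsTCPFilterChain(xdsListener, route, accesslog)` is called inside `for _, s := range route.TLS.Terminate`, so a route without TLS termination — plain TCP and TLS passthrough — never gets a filter chain, and a terminate route with several certificates gets one chain per secret. The regenerated expected outputs make this visible: multiple-listeners-same-port, multiple-simple-tcp-route-same-port, tcp-route-complex, tcp-route-simple, tcp-route-weighted-backend and tls-route-passthrough all lose their tcp_proxy filter chains, the SNI `filterChainMatch` entries and the tls_inspector, leaving listeners that bind the port but have nothing to hand a connection to; those fixtures should be restored, not accepted. Move the call out of both the inner loop and the TLS branch so it runs exactly once per route, as below. The closing brace of processTCPListenerXdsTranslation lies past the hunk.
```go
	for _, route := range tcpListener.Routes {
		// … unchanged: addXdsCluster call for route.Destination …
		if route.TLS != nil && route.TLS.Terminate != nil {
			for _, s := range route.TLS.Terminate {
				// … unchanged: buildXdsDownstreamTLSSecret / AddXdsResource …
			}
		}
		// One filter chain per route, whatever its TLS mode.
		if err := addXdsTCPFilterChain(xdsListener, route, accesslog); err != nil {
			return err
		}
	}
```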