[release/v1.0] Cherry-pick fixes into v1.0 (#3127)

* Run certgen when upgrading (#2934) run certgen when upgrading Signed-off-by: huabing zhao <zhaohuabing@gmail.com> (cherry picked from commit 62ecf15) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Fix: nil secret in resourceversiontable (#2982) * fix nil secret in resourceversiontable Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * check secrets in the xds result Signed-off-by: huabing zhao <zhaohuabing@gmail.com> --------- Signed-off-by: huabing zhao <zhaohuabing@gmail.com> (cherry picked from commit e880439) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: add missing http filters to the http filter chain (#2970) * fix: add missing http filters to the http filter chain Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * refactor Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * fix lint Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * add comments Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * remove refactor Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * remove refactor Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * fix gen Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * fix lint Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: huabing zhao <zhaohuabing@gmail.com> Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> (cherry picked from commit f699edf) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: allow websockets in url rewrite (#3022) allow websockets in url rewrite Signed-off-by: Jesse Haka <haka.jesse@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> (cherry picked from commit 3d51933) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Set host for http health checker explicitly to avoid using the cluster name as host header for http health checking request. (#3057) * Set host for http health checker explictly to avoid using the cluster name as host header for http health checking request Signed-off-by: lemonlinger <lemonlinger@gmail.com> * fix broken tests Signed-off-by: lemonlinger <lemonlinger@gmail.com> * fix health-check test case in xds translation Signed-off-by: lemonlinger <lemonlinger@gmail.com> * Simplify code and concise comments Signed-off-by: lemonlinger <lemonlinger@gmail.com> --------- Signed-off-by: lemonlinger <lemonlinger@gmail.com> (cherry picked from commit 8f450a9) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: do not create infra resources when missing translated listeners (#3043) * fix: do not create infra resources when missing translated listeners Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * remove empty line Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * skip infra creation on empty listeners and log it Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> (cherry picked from commit 36d7141) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Fix: double slashes in redirect URL (#2998) * fix: double trailing splashs in redirect URL Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * add e2e tests Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * fix lint Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * add e2e tests Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * revert Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * use regex rewrite to generate the redirect url Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * use regex rewrite to generate the redirect url Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * use regex rewrite to generate the redirect url Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * remove comments Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * extract method Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * address comments Signed-off-by: huabing zhao <zhaohuabing@gmail.com> --------- Signed-off-by: huabing zhao <zhaohuabing@gmail.com> (cherry picked from commit ceb697f) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: Allow Policy to attach to multiple http listeners (#2967) * Fixing the clienttrafficpolicy validation. Signed-off-by: Lior Okman <lior.okman@sap.com> * Make SecurityPolicy validate correctly. Signed-off-by: Lior Okman <lior.okman@sap.com> * Reverted the SecurityPolicy validation - handled differently via another feature. Signed-off-by: Lior Okman <lior.okman@sap.com> * Updated the tests to reflect that this validation isn't required for SecurityPolicy Signed-off-by: Lior Okman <lior.okman@sap.com> * Added some comments to explain the validation being performed. Signed-off-by: Lior Okman <lior.okman@sap.com> * Updated the error message as requested in the review. Signed-off-by: Lior Okman <lior.okman@sap.com> --------- Signed-off-by: Lior Okman <lior.okman@sap.com> (cherry picked from commit f9409e4) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: set path prefix for http ext auth service (#3018) Signed-off-by: huabing zhao <zhaohuabing@gmail.com> (cherry picked from commit 2882b7c) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Change route sorting order to Exact > RegularExpression > PathPrefix (#2579) * Change route sorting order to Exact > RegularExpression > PathPrefix kubernetes-sigs/gateway-api#1770 kubernetes-sigs/gateway-api#1855 Signed-off-by: Stéphane Cottin <stephane.cottin@vixns.com> (cherry picked from commit 11f56fd) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: infraIR duplicate port translation for merged gateways (#3061) * fix: duplicate port translation for merged gateways Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * refactor to map Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * rename map Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * add seperate testcase Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> (cherry picked from commit 29946b0) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * translator: set SpawnUpstreamSpan to true (#3102) * translator: set SpawnUpstreamSpan to true Signed-off-by: zirain <zirain2009@gmail.com> * update Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit 635ebfc) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: rate limit doesn't work with two(and more) listeners (#3085) * fix: rate limit doesn't work with two listeners Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * add e2e test for rate limit on multiple listeners Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * address comments Signed-off-by: huabing zhao <zhaohuabing@gmail.com> --------- Signed-off-by: huabing zhao <zhaohuabing@gmail.com> Co-authored-by: Xunzhuo <bitliu@tencent.com> (cherry picked from commit a5bedbc) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * rerun make testdata Signed-off-by: Arko Dasgupta <arko@tetrate.io> --------- Signed-off-by: huabing zhao <zhaohuabing@gmail.com> Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Jesse Haka <haka.jesse@gmail.com> Signed-off-by: lemonlinger <lemonlinger@gmail.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Signed-off-by: Lior Okman <lior.okman@sap.com> Signed-off-by: Stéphane Cottin <stephane.cottin@vixns.com> Signed-off-by: zirain <zirain2009@gmail.com> Co-authored-by: Huabing Zhao <zhaohuabing@gmail.com> Co-authored-by: Jesse Haka <haka.jesse@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: Meng <lemonlinger@gmail.com> Co-authored-by: Karol Szwaj <karol.szwaj@gmail.com> Co-authored-by: Lior Okman <lior.okman@sap.com> Co-authored-by: vixns <stephane.cottin@vixns.com> Co-authored-by: Xunzhuo <bitliu@tencent.com>
envoyproxy · Apr 8, 2024 · 5a15902 · 5a15902
1 parent 2d6f940
commit 5a15902
Show file tree

Hide file tree

Showing 54 changed files with 2,298 additions and 139 deletions.
diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml
@@ -6,7 +6,7 @@ metadata:
   labels:
   {{- include "eg.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": pre-install
+    "helm.sh/hook": pre-install, pre-upgrade
   {{- if .Values.certgen.job.annotations }}
     {{- toYaml .Values.certgen.job.annotations | nindent 4 -}}
   {{- end }}

diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go
@@ -350,6 +350,8 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen
 					r.LoadBalancer = lb
 					r.ProxyProtocol = pp
 					r.HealthCheck = hc
+					// Update the Host field in HealthCheck, now that we have access to the Route Hostname.
+					r.HealthCheck.SetHTTPHostIfAbsent(r.Hostname)
 					r.CircuitBreaker = cb
 					r.FaultInjection = fi
 					r.TCPKeepalive = ka
@@ -459,7 +461,10 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back
 			}
 			if r.HealthCheck == nil {
 				r.HealthCheck = hc
+				// Update the Host field in HealthCheck, now that we have access to the Route Hostname.
+				r.HealthCheck.SetHTTPHostIfAbsent(r.Hostname)
 			}
+
 			if r.CircuitBreaker == nil {
 				r.CircuitBreaker = cb
 			}

diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go
@@ -124,7 +124,7 @@ func (t *Translator) ProcessClientTrafficPolicies(resources *Resources,
 				// It must exist since we've already finished processing the gateways
 				gwXdsIR := xdsIR[irKey]
 				if string(l.Name) == section {
-					err = validatePortOverlapForClientTrafficPolicy(l, gwXdsIR)
+					err = validatePortOverlapForClientTrafficPolicy(l, gwXdsIR, false)
 					if err == nil {
 						err = t.translateClientTrafficPolicyForListener(policy, l, xdsIR, infraIR, resources)
 					}
@@ -234,7 +234,7 @@ func (t *Translator) ProcessClientTrafficPolicies(resources *Resources,
 				irKey := t.getIRKey(l.gateway)
 				// It must exist since we've already finished processing the gateways
 				gwXdsIR := xdsIR[irKey]
-				if err := validatePortOverlapForClientTrafficPolicy(l, gwXdsIR); err != nil {
+				if err := validatePortOverlapForClientTrafficPolicy(l, gwXdsIR, true); err != nil {
 					errs = errors.Join(errs, err)
 				} else if err := t.translateClientTrafficPolicyForListener(policy, l, xdsIR, infraIR, resources); err != nil {
 					errs = errors.Join(errs, err)
@@ -312,7 +312,7 @@ func resolveCTPolicyTargetRef(policy *egv1a1.ClientTrafficPolicy, gateways map[t
 	return gateway.GatewayContext, nil
 }
 
-func validatePortOverlapForClientTrafficPolicy(l *ListenerContext, xds *ir.Xds) error {
+func validatePortOverlapForClientTrafficPolicy(l *ListenerContext, xds *ir.Xds, attachedToGateway bool) error {
 	// Find Listener IR
 	// TODO: Support TLSRoute and TCPRoute once
 	// https://github.com/envoyproxy/gateway/issues/1635 is completed
@@ -328,8 +328,29 @@ func validatePortOverlapForClientTrafficPolicy(l *ListenerContext, xds *ir.Xds)
 
 	// IR must exist since we're past validation
 	if httpIR != nil {
+		// Get a list of all other non-TLS listeners on this Gateway that share a port with
+		// the listener in question.
 		if sameListeners := listenersWithSameHTTPPort(xds, httpIR); len(sameListeners) != 0 {
-			return fmt.Errorf("affects additional listeners: %s", strings.Join(sameListeners, ", "))
+			if attachedToGateway {
+				// If this policy is attached to an entire gateway and the mergeGateways feature
+				// is turned on, validate that all the listeners affected by this policy originated
+				// from the same Gateway resource. The name of the Gateway from which this listener
+				// originated is part of the listener's name by construction.
+				gatewayName := irListenerName[0:strings.LastIndex(irListenerName, "/")]
+				conflictingListeners := []string{}
+				for _, currName := range sameListeners {
+					if strings.Index(currName, gatewayName) != 0 {
+						conflictingListeners = append(conflictingListeners, currName)
+					}
+				}
+				if len(conflictingListeners) != 0 {
+					return fmt.Errorf("ClientTrafficPolicy is being applied to multiple http (non https) listeners (%s) on the same port, which is not allowed", strings.Join(conflictingListeners, ", "))
+				}
+			} else {
+				// If this policy is attached to a specific listener, any other listeners in the list
+				// would be affected by this policy but should not be, so this policy can't be accepted.
+				return fmt.Errorf("ClientTrafficPolicy is being applied to multiple http (non https) listeners (%s) on the same port, which is not allowed", strings.Join(sameListeners, ", "))
+			}
 		}
 	}
 	return nil

diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go
@@ -24,6 +24,8 @@ type ListenersTranslator interface {
 }
 
 func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap, infraIR InfraIRMap, resources *Resources) {
+	// Infra IR proxy ports must be unique.
+	foundPorts := make(map[string][]*protocolPort)
 	t.validateConflictedLayer7Listeners(gateways)
 	t.validateConflictedLayer4Listeners(gateways, gwapiv1.TCPProtocolType, gwapiv1.TLSProtocolType)
 	t.validateConflictedLayer4Listeners(gateways, gwapiv1.UDPProtocolType)
@@ -35,8 +37,6 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
 	// and compute status for each, and add valid ones
 	// to the Xds IR.
 	for _, gateway := range gateways {
-		// Infra IR proxy ports must be unique.
-		var foundPorts []*protocolPort
 		irKey := t.getIRKey(gateway.Gateway)
 
 		if resources.EnvoyProxy != nil {
@@ -93,7 +93,6 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
 			if !isReady {
 				continue
 			}
-
 			// Add the listener to the Xds IR
 			servicePort := &protocolPort{protocol: listener.Protocol, port: int32(listener.Port)}
 			containerPort := servicePortToContainerPort(servicePort.port)
@@ -122,42 +121,46 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
 
 			// Add the listener to the Infra IR. Infra IR ports must have a unique port number per layer-4 protocol
 			// (TCP or UDP).
-			if !containsPort(foundPorts, servicePort) {
-				foundPorts = append(foundPorts, servicePort)
-				var proto ir.ProtocolType
-				switch listener.Protocol {
-				case gwapiv1.HTTPProtocolType:
-					proto = ir.HTTPProtocolType
-				case gwapiv1.HTTPSProtocolType:
-					proto = ir.HTTPSProtocolType
-				case gwapiv1.TLSProtocolType:
-					proto = ir.TLSProtocolType
-				case gwapiv1.TCPProtocolType:
-					proto = ir.TCPProtocolType
-				case gwapiv1.UDPProtocolType:
-					proto = ir.UDPProtocolType
-				}
+			if !containsPort(foundPorts[irKey], servicePort) {
+				t.processInfraIRListener(listener, infraIR, irKey, servicePort)
+				foundPorts[irKey] = append(foundPorts[irKey], servicePort)
+			}
+		}
+	}
+}
 
-				infraPortName := string(listener.Name)
-				if t.MergeGateways {
-					infraPortName = irHTTPListenerName(listener)
-				}
-				infraPort := ir.ListenerPort{
-					Name:          infraPortName,
-					Protocol:      proto,
-					ServicePort:   servicePort.port,
-					ContainerPort: containerPort,
-				}
+func (t *Translator) processInfraIRListener(listener *ListenerContext, infraIR InfraIRMap, irKey string, servicePort *protocolPort) {
+	var proto ir.ProtocolType
+	switch listener.Protocol {
+	case gwapiv1.HTTPProtocolType:
+		proto = ir.HTTPProtocolType
+	case gwapiv1.HTTPSProtocolType:
+		proto = ir.HTTPSProtocolType
+	case gwapiv1.TLSProtocolType:
+		proto = ir.TLSProtocolType
+	case gwapiv1.TCPProtocolType:
+		proto = ir.TCPProtocolType
+	case gwapiv1.UDPProtocolType:
+		proto = ir.UDPProtocolType
+	}
 
-				proxyListener := &ir.ProxyListener{
-					Name:  irHTTPListenerName(listener),
-					Ports: []ir.ListenerPort{infraPort},
-				}
+	infraPortName := string(listener.Name)
+	if t.MergeGateways {
+		infraPortName = irHTTPListenerName(listener)
+	}
+	infraPort := ir.ListenerPort{
+		Name:          infraPortName,
+		Protocol:      proto,
+		ServicePort:   servicePort.port,
+		ContainerPort: servicePortToContainerPort(servicePort.port),
+	}
 
-				infraIR[irKey].Proxy.Listeners = append(infraIR[irKey].Proxy.Listeners, proxyListener)
-			}
-		}
+	proxyListener := &ir.ProxyListener{
+		Name:  irHTTPListenerName(listener),
+		Ports: []ir.ListenerPort{infraPort},
 	}
+
+	infraIR[irKey].Proxy.Listeners = append(infraIR[irKey].Proxy.Listeners, proxyListener)
 }
 
 func processAccessLog(envoyproxy *egv1a1.EnvoyProxy) *ir.AccessLog {

diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -134,12 +134,7 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security
 				continue
 			}
 
-			err := validatePortOverlapForSecurityPolicyRoute(xdsIR, targetedRoute)
-			if err == nil {
-				err = t.translateSecurityPolicyForRoute(policy, targetedRoute, resources, xdsIR)
-			}
-
-			if err != nil {
+			if err := t.translateSecurityPolicyForRoute(policy, targetedRoute, resources, xdsIR); err != nil {
 				status.SetTranslationErrorForPolicyAncestors(&policy.Status,
 					parentGateways,
 					t.GatewayControllerName,
@@ -191,15 +186,7 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security
 				continue
 			}
 
-			irKey := t.getIRKey(targetedGateway.Gateway)
-			// Should exist since we've validated this
-			xds := xdsIR[irKey]
-			err := validatePortOverlapForSecurityPolicyGateway(xds)
-			if err == nil {
-				err = t.translateSecurityPolicyForGateway(policy, targetedGateway, resources, xdsIR)
-			}
-
-			if err != nil {
+			if err := t.translateSecurityPolicyForGateway(policy, targetedGateway, resources, xdsIR); err != nil {
 				status.SetTranslationErrorForPolicyAncestors(&policy.Status,
 					parentGateways,
 					t.GatewayControllerName,
@@ -407,23 +394,6 @@ func (t *Translator) translateSecurityPolicyForRoute(
 	return errs
 }
 
-func validatePortOverlapForSecurityPolicyRoute(xds XdsIRMap, route RouteContext) error {
-	var errs error
-	prefix := irRoutePrefix(route)
-	for _, ir := range xds {
-		for _, http := range ir.HTTP {
-			for _, r := range http.Routes {
-				if strings.HasPrefix(r.Name, prefix) {
-					if sameListeners := listenersWithSameHTTPPort(ir, http); len(sameListeners) != 0 {
-						errs = errors.Join(errs, fmt.Errorf("affects multiple listeners: %s", strings.Join(sameListeners, ", ")))
-					}
-				}
-			}
-		}
-	}
-	return errs
-}
-
 func (t *Translator) translateSecurityPolicyForGateway(
 	policy *egv1a1.SecurityPolicy, gateway *GatewayContext,
 	resources *Resources, xdsIR XdsIRMap) error {
@@ -516,20 +486,6 @@ func (t *Translator) translateSecurityPolicyForGateway(
 	return errs
 }
 
-func validatePortOverlapForSecurityPolicyGateway(xds *ir.Xds) error {
-	affectedListeners := []string{}
-	for _, http := range xds.HTTP {
-		if sameListeners := listenersWithSameHTTPPort(xds, http); len(sameListeners) != 0 {
-			affectedListeners = append(affectedListeners, sameListeners...)
-		}
-	}
-
-	if len(affectedListeners) > 0 {
-		return fmt.Errorf("affects multiple listeners: %s", strings.Join(affectedListeners, ", "))
-	}
-	return nil
-}
-
 func (t *Translator) buildCORS(cors *egv1a1.CORS) *ir.CORS {
 	var allowOrigins []*ir.StringMatch
 

diff --git a/internal/gatewayapi/sort.go b/internal/gatewayapi/sort.go
@@ -18,33 +18,33 @@ func (x XdsIRRoutes) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
 func (x XdsIRRoutes) Less(i, j int) bool {
 
 	// 1. Sort based on path match type
-	// Exact > PathPrefix > RegularExpression
+	// Exact > RegularExpression > PathPrefix
 	if x[i].PathMatch != nil && x[i].PathMatch.Exact != nil {
 		if x[j].PathMatch != nil {
-			if x[j].PathMatch.Prefix != nil {
+			if x[j].PathMatch.SafeRegex != nil {
 				return false
 			}
-			if x[j].PathMatch.SafeRegex != nil {
+			if x[j].PathMatch.Prefix != nil {
 				return false
 			}
 		}
 	}
-	if x[i].PathMatch != nil && x[i].PathMatch.Prefix != nil {
+	if x[i].PathMatch != nil && x[i].PathMatch.SafeRegex != nil {
 		if x[j].PathMatch != nil {
 			if x[j].PathMatch.Exact != nil {
 				return true
 			}
-			if x[j].PathMatch.SafeRegex != nil {
+			if x[j].PathMatch.Prefix != nil {
 				return false
 			}
 		}
 	}
-	if x[i].PathMatch != nil && x[i].PathMatch.SafeRegex != nil {
+	if x[i].PathMatch != nil && x[i].PathMatch.Prefix != nil {
 		if x[j].PathMatch != nil {
 			if x[j].PathMatch.Exact != nil {
 				return true
 			}
-			if x[j].PathMatch.Prefix != nil {
+			if x[j].PathMatch.SafeRegex != nil {
 				return true
 			}
 		}
@@ -96,12 +96,12 @@ func pathMatchCount(pathMatch *ir.StringMatch) int {
 		if pathMatch.Exact != nil {
 			return len(*pathMatch.Exact)
 		}
-		if pathMatch.Prefix != nil {
-			return len(*pathMatch.Prefix)
-		}
 		if pathMatch.SafeRegex != nil {
 			return len(*pathMatch.SafeRegex)
 		}
+		if pathMatch.Prefix != nil {
+			return len(*pathMatch.Prefix)
+		}
 	}
 	return 0
 }
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml
@@ -496,6 +496,7 @@ xdsIR:
               expectedStatuses:
               - 200
               - 300
+              host: '*'
               method: GET
               path: /healthz
             interval: 3s
@@ -624,6 +625,7 @@ xdsIR:
               expectedStatuses:
               - 200
               - 201
+              host: gateway.envoyproxy.io
               method: GET
               path: /healthz
             interval: 5s

diff --git a/internal/gatewayapi/testdata/conflicting-policies.out.yaml b/internal/gatewayapi/testdata/conflicting-policies.out.yaml
@@ -23,7 +23,8 @@ clientTrafficPolicies:
         namespace: default
       conditions:
       - lastTransitionTime: null
-        message: 'Affects additional listeners: default/gateway-1/http'
+        message: ClientTrafficPolicy is being applied to multiple http (non https)
+          listeners (default/gateway-1/http) on the same port, which is not allowed
         reason: Invalid
         status: "False"
         type: Accepted
@@ -217,13 +218,6 @@ infraIR:
           name: default/gateway-1/http
           protocol: HTTP
           servicePort: 80
-      - address: null
-        name: default/mfqjpuycbgjrtdww/http
-        ports:
-        - containerPort: 10080
-          name: default/mfqjpuycbgjrtdww/http
-          protocol: HTTP
-          servicePort: 80
       metadata:
         labels:
           gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class
@@ -261,9 +255,9 @@ securityPolicies:
         namespace: default
       conditions:
       - lastTransitionTime: null
-        message: 'Affects multiple listeners: default/mfqjpuycbgjrtdww/http, default/gateway-1/http'
-        reason: Invalid
-        status: "False"
+        message: Policy has been accepted.
+        reason: Accepted
+        status: "True"
         type: Accepted
       controllerName: gateway.envoyproxy.io/gatewayclass-controller
 xdsIR:
@@ -314,6 +308,20 @@ xdsIR:
       - backendWeights:
           invalid: 0
           valid: 0
+        cors:
+          allowCredentials: true
+          allowMethods:
+          - PUT
+          - GET
+          - POST
+          - DELETE
+          - PATCH
+          - OPTIONS
+          allowOrigins:
+          - distinct: false
+            name: ""
+            safeRegex: http://.*\.foo\.com
+          maxAge: 10m0s
         destination:
           name: httproute/default/mfqjpuycbgjrtdww/rule/0
           settings: