Merge branch 'main' into ctp-for-tcp

Signed-off-by: Dingkang Li <dingkang1743@gmail.com>

api/v1alpha1/loadbalancer_types.go

@@ -57,15 +57,14 @@ const (
 //
 // +kubebuilder:validation:XValidation:rule="self.type == 'Header' ? has(self.header) : !has(self.header)",message="If consistent hash type is header, the header field must be set."
 type ConsistentHash struct {
-	// Valid Type values are  "SourceIP".
+	// ConsistentHashType defines the type of input to hash on. Valid Type values are "SourceIP" or "Header".
 	//
 	// +unionDiscriminator
 	Type ConsistentHashType `json:"type"`
 
 	// Header configures the header hash policy when the consistent hash type is set to Header.
 	//
 	// +optional
-	// +notImplementedHide
 	Header *Header `json:"header,omitempty"`
 }
 

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml

@@ -423,7 +423,8 @@ spec:
                         - name
                         type: object
                       type:
-                        description: Valid Type values are  "SourceIP".
+                        description: ConsistentHashType defines the type of input
+                          to hash on. Valid Type values are "SourceIP" or "Header".
                         enum:
                         - SourceIP
                         - Header

go.mod

@@ -1,6 +1,6 @@
 module github.com/envoyproxy/gateway
 
-go 1.22.2
+go 1.22.3
 
 require (
 	fortio.org/fortio v1.63.7

internal/cmd/egctl/status.go

@@ -34,7 +34,7 @@ var (
 
 	supportedXPolicyTypes = []string{
 		gatewayapi.KindBackendTLSPolicy, gatewayapi.KindBackendTrafficPolicy, gatewayapi.KindClientTrafficPolicy,
-		gatewayapi.KindSecurityPolicy, gatewayapi.KindEnvoyPatchPolicy,
+		gatewayapi.KindSecurityPolicy, gatewayapi.KindEnvoyPatchPolicy, gatewayapi.KindEnvoyExtensionPolicy,
 	}
 
 	supportedAllTypes = []string{
@@ -238,6 +238,14 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp
 		resourcesList = &epp
 		resourceKind = gatewayapi.KindEnvoyPatchPolicy
 
+	case "eep", "envoyextensionpolicy":
+		eep := egv1a1.EnvoyExtensionPolicyList{}
+		if err := cli.List(ctx, &eep, client.InNamespace(namespace)); err != nil {
+			return err
+		}
+		resourcesList = &eep
+		resourceKind = gatewayapi.KindEnvoyExtensionPolicy
+
 	case "sp", "securitypolicy":
 		sp := egv1a1.SecurityPolicyList{}
 		if err := cli.List(ctx, &sp, client.InNamespace(namespace)); err != nil {

internal/gatewayapi/backendtrafficpolicy.go

@@ -764,11 +764,7 @@ func (t *Translator) buildLoadBalancer(policy *egv1a1.BackendTrafficPolicy) *ir.
 	switch policy.Spec.LoadBalancer.Type {
 	case egv1a1.ConsistentHashLoadBalancerType:
 		lb = &ir.LoadBalancer{
-			ConsistentHash: &ir.ConsistentHash{},
-		}
-		if policy.Spec.LoadBalancer.ConsistentHash != nil &&
-			policy.Spec.LoadBalancer.ConsistentHash.Type == egv1a1.SourceIPConsistentHashType {
-			lb.ConsistentHash.SourceIP = ptr.To(true)
+			ConsistentHash: t.buildConsistentHashLoadBalancer(policy),
 		}
 	case egv1a1.LeastRequestLoadBalancerType:
 		lb = &ir.LoadBalancer{}
@@ -805,6 +801,23 @@ func (t *Translator) buildLoadBalancer(policy *egv1a1.BackendTrafficPolicy) *ir.
 	return lb
 }
 
+func (t *Translator) buildConsistentHashLoadBalancer(policy *egv1a1.BackendTrafficPolicy) *ir.ConsistentHash {
+	switch policy.Spec.LoadBalancer.ConsistentHash.Type {
+	case egv1a1.SourceIPConsistentHashType:
+		return &ir.ConsistentHash{
+			SourceIP: ptr.To(true),
+		}
+	case egv1a1.HeaderConsistentHashType:
+		return &ir.ConsistentHash{
+			Header: &ir.Header{
+				Name: policy.Spec.LoadBalancer.ConsistentHash.Header.Name,
+			},
+		}
+	default:
+		return &ir.ConsistentHash{}
+	}
+}
+
 func (t *Translator) buildProxyProtocol(policy *egv1a1.BackendTrafficPolicy) *ir.ProxyProtocol {
 	var pp *ir.ProxyProtocol
 	switch policy.Spec.ProxyProtocol.Version {

internal/gatewayapi/listener.go

@@ -29,7 +29,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
 	// Infra IR proxy ports must be unique.
 	foundPorts := make(map[string][]*protocolPort)
 	t.validateConflictedLayer7Listeners(gateways)
-	t.validateConflictedLayer4Listeners(gateways, gwapiv1.TCPProtocolType, gwapiv1.TLSProtocolType)
+	t.validateConflictedLayer4Listeners(gateways, gwapiv1.TCPProtocolType)
 	t.validateConflictedLayer4Listeners(gateways, gwapiv1.UDPProtocolType)
 	if t.MergeGateways {
 		t.validateConflictedMergedListeners(gateways)

internal/gatewayapi/route.go

@@ -793,7 +793,7 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour
 			if irListener != nil {
 				irRoute := &ir.TCPRoute{
 					Name: irTCPRouteName(tlsRoute),
-					TLS: &ir.TLS{Passthrough: &ir.TLSInspectorConfig{
+					TLS: &ir.TLS{TLSInspectorConfig: &ir.TLSInspectorConfig{
 						SNIs: hosts,
 					}},
 					Destination: &ir.RouteDestination{
@@ -1095,6 +1095,12 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour
 
 				if irListener.TLS != nil {
 					irRoute.TLS = &ir.TLS{Terminate: irListener.TLS}
+
+					if listener.Hostname != nil {
+						irRoute.TLS.TLSInspectorConfig = &ir.TLSInspectorConfig{
+							SNIs: []string{string(*listener.Hostname)},
+						}
+					}
 				}
 
 				irListener.Routes = append(irListener.Routes, irRoute)

internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml

@@ -222,6 +222,6 @@ xdsIR:
             weight: 1
         name: tlsroute/default/tlsroute-1
         tls:
-          passthrough:
+          inspector:
             snis:
             - foo.bar.com

internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml

@@ -45,11 +45,6 @@ gateways:
         kind: TCPRoute
     - attachedRoutes: 1
       conditions:
-      - lastTransitionTime: null
-        message: Only one TCP/TLS listener is allowed in a given port
-        reason: ProtocolConflict
-        status: "True"
-        type: Conflicted
       - lastTransitionTime: null
         message: Listener must have TLS set when protocol is TLS.
         reason: Invalid

internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.in.yaml

@@ -19,6 +19,19 @@ gateways:
           allowedRoutes:
             namespaces:
               from: All
+        - name: tls-hostname
+          hostname: "foo.bar.com"
+          protocol: TLS
+          port: 90
+          tls:
+            certificateRefs:
+              - group: ""
+                kind: Secret
+                name: tls-secret-1
+            mode: Terminate
+          allowedRoutes:
+            namespaces:
+              from: All
 tcpRoutes:
   - apiVersion: gateway.networking.k8s.io/v1alpha2
     kind: TCPRoute
@@ -29,10 +42,25 @@ tcpRoutes:
       parentRefs:
         - namespace: envoy-gateway
           name: gateway-1
+          sectionName: tls
       rules:
         - backendRefs:
             - name: service-1
               port: 8080
+  - apiVersion: gateway.networking.k8s.io/v1alpha2
+    kind: TCPRoute
+    metadata:
+      namespace: default
+      name: tcproute-2
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+          sectionName: tls-hostname
+      rules:
+        - backendRefs:
+            - name: service-2
+              port: 8080
 
 secrets:
   - apiVersion: v1