From 3877aa4318b038aaa6b9b80e0b08b8e129130891 Mon Sep 17 00:00:00 2001
From: sh2
Date: Wed, 15 May 2024 05:13:02 +0800
Subject: [PATCH 1/7] doc: update EG control-plane metrics design & usage (#3346)
* comment polish and doc update
Signed-off-by: shawnh2
* fix doc lint
Signed-off-by: shawnh2
* revert go file changes
Signed-off-by: shawnh2
* add eg cp metrics usage doc
Signed-off-by: shawnh2
* update prometheus metrics usage doc
Signed-off-by: shawnh2
---------
Signed-off-by: shawnh2
---
.../en/contributions/design/eg-metrics.md | 12 +-
.../{accesslog.md => proxy-accesslog.md} | 8 +-
.../design/{metrics.md => proxy-metrics.md} | 8 +-
.../design/{tracing.md => proxy-tracing.md} | 2 +-
.../observability/gateway-observability.md | 182 ++++++++++++++++++
.../observability/proxy-observability.md | 4 +-
.../en/latest/tasks/security/threat-model.md | 4 +-
.../en/v1.0.1/tasks/security/threat-model.md | 4 +-
8 files changed, 208 insertions(+), 16 deletions(-)
rename site/content/en/contributions/design/{accesslog.md => proxy-accesslog.md} (96%)
rename site/content/en/contributions/design/{metrics.md => proxy-metrics.md} (91%)
rename site/content/en/contributions/design/{tracing.md => proxy-tracing.md} (99%)
create mode 100644 site/content/en/latest/tasks/observability/gateway-observability.md
diff --git a/site/content/en/contributions/design/eg-metrics.md b/site/content/en/contributions/design/eg-metrics.md
index 0ca0e7229ec..6b27bbac756 100644
--- a/site/content/en/contributions/design/eg-metrics.md
+++ b/site/content/en/contributions/design/eg-metrics.md
@@ -6,7 +6,7 @@ title: "Control Plane Observability: Metrics" This document aims to cover all aspects of envoy gateway control plane metrics observability. {{% alert title="Note" color="secondary" %}} -**Data plane** observability (while important) is outside of scope for this document. For dataplane observability, refer to [here](../metrics). +**Data plane** observability (while important) is outside of scope for this document. For data plane observability, refer to [here](./proxy-metrics). {{% /alert %}} ## Current State @@ -100,7 +100,7 @@ New APIs will be added to Envoy Gateway config, which are used to manage Control ### EnvoyGatewayTelemetry -``` go +```go // EnvoyGatewayTelemetry defines telemetry configurations for envoy gateway control plane. // Control plane will focus on metrics observability telemetry and tracing telemetry later. type EnvoyGatewayTelemetry struct { @@ -113,7 +113,7 @@ type EnvoyGatewayTelemetry struct { > Prometheus will be exposed on 0.0.0.0:19001, which is not supported to be configured yet. -``` go +```go // EnvoyGatewayMetrics defines control plane push/pull metrics configurations. type EnvoyGatewayMetrics struct { // Sinks defines the metric sinks where metrics are sent to. @@ -162,7 +162,7 @@ type EnvoyGatewayPrometheusProvider struct { + The following is an example to disable prometheus metric. -``` yaml +```yaml apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyGateway gateway: @@ -180,7 +180,7 @@ telemetry: + The following is an example to send metric via Open Telemetry sink to OTEL gRPC Collector. -``` yaml +```yaml apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyGateway gateway: @@ -202,7 +202,7 @@ telemetry: + The following is an example to disable prometheus metric and send metric via Open Telemetry sink to OTEL HTTP Collector at the same time. -``` yaml +```yaml apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyGateway gateway: 
diff --git a/site/content/en/contributions/design/accesslog.md b/site/content/en/contributions/design/proxy-accesslog.md similarity index 96% rename from site/content/en/contributions/design/accesslog.md rename to site/content/en/contributions/design/proxy-accesslog.md index a229d5f6eff..7557e97ad2a 100644 --- a/site/content/en/contributions/design/accesslog.md +++ b/site/content/en/contributions/design/proxy-accesslog.md @@ -1,10 +1,14 @@ --- -title: "Observability: Accesslog" +title: "Data Plane Observability: Accesslog" --- ## Overview -Envoy supports extensible accesslog to different sinks, File, gRPC etc. Envoy supports customizable access log formats using predefined fields as well as arbitrary HTTP request and response headers. Envoy supports several built-in access log filters and extension filters that are registered at runtime. +Envoy supports extensible accesslog to different sinks, File, gRPC etc. + +Envoy supports customizable access log formats using predefined fields as well as arbitrary HTTP request and response headers. + +Envoy supports several built-in access log filters and extension filters that are registered at runtime. Envoy Gateway leverages [Gateway API][] for configuring managed Envoy proxies. Gateway API defines core, extended, and implementation-specific API [support levels][] for implementers such as Envoy Gateway to expose features. Since accesslog is not covered by `Core` or `Extended` APIs, EG should provide an easy to config access log formats and sinks per `EnvoyProxy`. diff --git a/site/content/en/contributions/design/metrics.md b/site/content/en/contributions/design/proxy-metrics.md similarity index 91% rename from site/content/en/contributions/design/metrics.md rename to site/content/en/contributions/design/proxy-metrics.md index 78b05eea98e..7ae2f7b30ef 100644 --- a/site/content/en/contributions/design/metrics.md +++ b/site/content/en/contributions/design/proxy-metrics.md 
@@ -1,7 +1,13 @@ --- -title: "Observability: Metrics" +title: "Data Plane Observability: Metrics" --- +This document aims to cover all aspects of envoy gateway data plane metrics observability. + +{{% alert title="Note" color="secondary" %}} +**Control plane** observability (while important) is outside of scope for this document. For control plane observability, refer to [here](./eg-metrics). +{{% /alert %}} + ## Overview Envoy provide robust platform for metrics, Envoy support three different kinds of stats: counter, gauges, histograms. diff --git a/site/content/en/contributions/design/tracing.md b/site/content/en/contributions/design/proxy-tracing.md similarity index 99% rename from site/content/en/contributions/design/tracing.md rename to site/content/en/contributions/design/proxy-tracing.md index a2790690fa6..d3542f3b74d 100644 --- a/site/content/en/contributions/design/tracing.md +++ b/site/content/en/contributions/design/proxy-tracing.md @@ -1,5 +1,5 @@ --- -title: "Observability: Tracing" +title: "Data Plane Observability: Tracing" --- ## Overview diff --git a/site/content/en/latest/tasks/observability/gateway-observability.md b/site/content/en/latest/tasks/observability/gateway-observability.md new file mode 100644 index 00000000000..6409dcee599 --- /dev/null +++ b/site/content/en/latest/tasks/observability/gateway-observability.md 
@@ -0,0 +1,182 @@
+---
+title: "Gateway Observability"
+---
+
+Envoy Gateway provides observability for the ControlPlane and the underlying EnvoyProxy instances.
+This task show you how to config gateway control-plane observability, includes metrics.
+
+## Prerequisites
+
+Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
+
+[OpenTelemetry Collector](https://opentelemetry.io/docs/collector/) offers a vendor-agnostic implementation of how to receive, process and export telemetry data.
+Install OTel-Collector:
+
+```shell
+helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts
+helm repo update
+helm upgrade --install otel-collector open-telemetry/opentelemetry-collector -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/otel-collector/helm-values.yaml -n monitoring --create-namespace --version 0.60.0
+```
+
+## Metrics
+
+The default installation of Envoy Gateway installs a default [EnvoyGateway][] configuration and attaches it
+using a `ConfigMap`. In this section, we will update this resource to enable various ways to retrieve metrics
+from Envoy Gateway.
+
+### Retrieve Prometheus Metrics from Envoy Gateway
+
+By default, prometheus metric is enabled. You can directly retrieve metrics from Envoy Gateway:
+
+```shell
+export ENVOY_POD_NAME=$(kubectl get pod -n envoy-gateway-system --selector=control-plane=envoy-gateway,app.kubernetes.io/instance=eg -o jsonpath='{.items[0].metadata.name}')
+kubectl port-forward pod/$ENVOY_POD_NAME -n envoy-gateway-system 19001:19001
+
+# check metrics
+curl localhost:19001/metrics
+```
+
+The following is an example to disable prometheus metric for Envoy Gateway.
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in: + +```shell +kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system +``` + +### Enable Open Telemetry sink in Envoy Gateway + +The following is an example to send metric via Open Telemetry sink to OTEL gRPC Collector. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in: + +```shell +kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system +``` + +Verify OTel-Collector metrics: + +```shell +export OTEL_POD_NAME=$(kubectl get pod -n monitoring --selector=app.kubernetes.io/name=opentelemetry-collector -o jsonpath='{.items[0].metadata.name}') +kubectl port-forward pod/$OTEL_POD_NAME -n monitoring 19001:19001 + +# check metrics +curl localhost:19001/metrics +``` + +[EnvoyGateway]: ../../api/extension_types#envoygateway diff --git a/site/content/en/latest/tasks/observability/proxy-observability.md b/site/content/en/latest/tasks/observability/proxy-observability.md index 5a1800ff39b..90cab919325 100644 --- a/site/content/en/latest/tasks/observability/proxy-observability.md +++ b/site/content/en/latest/tasks/observability/proxy-observability.md @@ -59,7 +59,7 @@ export ENVOY_POD_NAME=$(kubectl get pod -n envoy-gateway-system --selector=gatew kubectl port-forward pod/$ENVOY_POD_NAME -n envoy-gateway-system 19001:19001 # check metrics -curl localhost:19001/stats/prometheus | grep "default/backend/rule/0/match/0-www" +curl localhost:19001/stats/prometheus | grep "default/backend/rule/0" ``` You can disable metrics by setting the `telemetry.metrics.prometheus.disable` to `true` in the `EnvoyProxy` CRD. 
@@ -82,7 +82,7 @@ export OTEL_POD_NAME=$(kubectl get pod -n monitoring --selector=app.kubernetes.i kubectl port-forward pod/$OTEL_POD_NAME -n monitoring 19001:19001 # check metrics -curl localhost:19001/metrics | grep "default/backend/rule/0/match/0-www" +curl localhost:19001/metrics | grep "default/backend/rule/0" ``` ## Logs diff --git a/site/content/en/latest/tasks/security/threat-model.md b/site/content/en/latest/tasks/security/threat-model.md index fcf8643e184..cd5927e8d98 100644 --- a/site/content/en/latest/tasks/security/threat-model.md +++ b/site/content/en/latest/tasks/security/threat-model.md 
@@ -528,7 +528,7 @@ When considering internal threat actors, we chose to follow the [security model] **Threat**: Threat actors establish persistence and move laterally through the cluster unnoticed. - **Recommendation**: Configure [access logging](../../../contributions/design/accesslog) in the EnvoyProxy. Use [ProxyAccessLogFormatType](../../api/extension_types#proxyaccesslogformattype) (Text or JSON) to specify the log format and ensure that the logs are sent to the desired sink types by setting the [ProxyAccessLogSinkType](https://gateway.envoyproxy.io/latest/api/extension_types/#proxyaccesslogsinktype). Make use of [FileEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#fileenvoyproxyaccesslog) or [OpenTelemetryEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#opentelemetryenvoyproxyaccesslog) to configure File and OpenTelemetry sinks, respectively. If the settings aren\'t defined, the default format is sent to stdout. + **Recommendation**: Configure [access logging](../../../contributions/design/proxy-accesslog) in the EnvoyProxy. Use [ProxyAccessLogFormatType](../../api/extension_types#proxyaccesslogformattype) (Text or JSON) to specify the log format and ensure that the logs are sent to the desired sink types by setting the [ProxyAccessLogSinkType](https://gateway.envoyproxy.io/latest/api/extension_types/#proxyaccesslogsinktype). Make use of [FileEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#fileenvoyproxyaccesslog) or [OpenTelemetryEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#opentelemetryenvoyproxyaccesslog) to configure File and OpenTelemetry sinks, respectively. If the settings aren\'t defined, the default format is sent to stdout. Additionally, consider leveraging a central logging mechanism such as [Fluentd](https://github.com/fluent/fluentd) to enhance visibility into access activity and enable effective incident response (IR). 
@@ -612,7 +612,7 @@ Set runAsUser and runAsGroup security context options to specific UIDs (e.g., ru |EGTM-011|EGTM-GW-003|Gateway API| There is a risk that a gateway owner (or someone with the ability to set namespace labels) maliciously or accidentally binds routes across namespace boundaries, potentially compromising the confidentiality and integrity of traffic in a multitenant scenario.

| If a Route Binding within a Gateway Listener is configured based on a custom label, it could allow a malicious internal actor with the ability to label namespaces to change the set of namespaces supported by the Gateway

|Low| Consider the use of custom admission control to restrict what labels can be set on namespaces through tooling such as [Kubewarden](https://kyverno.io/policies/pod-security/), [Kyverno](https://github.com/kubewarden), and [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper). Route binding should follow the Kubernetes Gateway API security model, as shown [here](https://gateway-api.sigs.k8s.io/concepts/security-model/#1-route-binding), to connect gateways in different namespaces. | |EGTM-013|EGTM-GW-005|Gateway API| There is a risk that an unauthorised actor deploys an unauthorised GatewayClass due to GatewayClass namespace validation not being configured, leading to non-compliance with business and security requirements.

| Unauthorised deployment of Gateway resource via GatewayClass template which crosses namespace trust boundaries.

|Low| Leverage GatewayClass namespace validation to limit the namespaces where GatewayClasses can be run through a tool such as using [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper). Reference pull request \#[24](https://github.com/open-policy-agent/gatekeeper-library/pull/24) within gatekeeper-library which outlines how to add GatewayClass namespace validation through a GatewayClassNamespaces API resource kind within the constraints.gatekeeper.sh/v1beta1 apiGroup. | |EGTM-015|EGTM-CS-007|Container Security| There is a risk that threat actors could exploit ServiceAccount tokens for illegitimate authentication, thereby leading to privilege escalation and the undermining of gateway API resources\' integrity, confidentiality, and availability.

| The threat arises from threat actors impersonating the envoy-gateway ServiceAccount through the replay of ServiceAccount tokens, thereby achieving escalated privileges and gaining unauthorised access to Kubernetes resources.

|Low| Limit the creation of ServiceAccounts to only when necessary, specifically refraining from using default service account tokens, especially for high-privilege service accounts. For legacy clusters running Kubernetes version 1.21 or earlier, note that ServiceAccount tokens are long-lived by default. To disable the automatic mounting of the service account token, set automountServiceAccountToken: false in the PodSpec. | -|EGTM-016|EGTM-EG-004|Envoy Gateway| There is a risk that threat actors establish persistence and move laterally through the cluster unnoticed due to limited visibility into access and application-level activity.

| Threat actors establish persistence and move laterally through the cluster unnoticed.

|Low| Configure [access logging](../../../contributions/design/accesslog) in the EnvoyProxy. Use [ProxyAccessLogFormatType](../../api/extension_types#proxyaccesslogformattype) (Text or JSON) to specify the log format and ensure that the logs are sent to the desired sink types by setting the [ProxyAccessLogSinkType](https://gateway.envoyproxy.io/latest/api/extension_types/#proxyaccesslogsinktype). Make use of [FileEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#fileenvoyproxyaccesslog) or [OpenTelemetryEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#opentelemetryenvoyproxyaccesslog) to configure File and OpenTelemetry sinks, respectively. If the settings aren\'t defined, the default format is sent to stdout.

Additionally, consider leveraging a central logging mechanism such as [Fluentd](https://github.com/fluent/fluentd) to enhance visibility into access activity and enable effective incident response (IR). | +|EGTM-016|EGTM-EG-004|Envoy Gateway| There is a risk that threat actors establish persistence and move laterally through the cluster unnoticed due to limited visibility into access and application-level activity.

| Threat actors establish persistence and move laterally through the cluster unnoticed.

|Low| Configure [access logging](../../../contributions/design/proxy-accesslog) in the EnvoyProxy. Use [ProxyAccessLogFormatType](../../api/extension_types#proxyaccesslogformattype) (Text or JSON) to specify the log format and ensure that the logs are sent to the desired sink types by setting the [ProxyAccessLogSinkType](https://gateway.envoyproxy.io/latest/api/extension_types/#proxyaccesslogsinktype). Make use of [FileEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#fileenvoyproxyaccesslog) or [OpenTelemetryEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#opentelemetryenvoyproxyaccesslog) to configure File and OpenTelemetry sinks, respectively. If the settings aren\'t defined, the default format is sent to stdout.

Additionally, consider leveraging a central logging mechanism such as [Fluentd](https://github.com/fluent/fluentd) to enhance visibility into access activity and enable effective incident response (IR). | |EGTM-017|EGTM-EG-005|Envoy Gateway| There is a risk that an insider misconfigures an envoy gateway component and goes unnoticed due to a low-touch logging configuration (via default) which responsible stakeholders are not aptly aware of or have immediate access to.

| The threat emerges from an insider misconfiguring an Envoy Gateway component without detection.

|Low| Configure the logging level of the Envoy Gateway using the \'level\' field in [EnvoyGatewayLogging](https://gateway.envoyproxy.io/latest/api/extension_types/#envoygatewaylogging). Ensure the appropriate logging levels are set for relevant components such as \'gateway-api\', \'xds-translator\', or \'global-ratelimit\'. If left unspecified, the logging level defaults to \"info\", which may not provide sufficient detail for security monitoring.

Employ a centralised logging mechanism, like [Fluentd](https://github.com/fluent/fluentd), to enhance visibility into application-level activity and to enable efficient incident response. | |EGTM-021|EGTM-EG-006|Envoy Gateway| There is a risk that the admin interface is exposed without valid business reason, increasing the attack surface.

| Exposed admin interfaces give internal attackers the option to affect production traffic in unauthorised ways, and the option to exploit any vulnerabilities which may be present in the admin interface (e.g. by orchestrating malicious GET requests to the admin interface through CSRF, compromising Envoy Proxy global configuration or shutting off the service entirely (e.g., /quitquitquit).

|Low| The Envoy Proxy admin interface is only exposed to localhost, meaning that it is secure by default. However, due to the risk of misconfiguration, this recommendation is included.

Due to the importance of the admin interface, it is recommended to ensure that Envoy Proxies have not been accidentally misconfigured to expose the admin interface to untrusted networks. | |EGTM-025 | EGTM-CS-011 | Container Security | The presence of a vulnerability, be it in the kernel or another system component, when coupled with containers running as root, could enable a threat actor to escape the container, thereby compromising the confidentiality, integrity, or availability of cluster resources. | The Envoy Proxy container's root-user configuration can be leveraged by an attacker to escalate privileges, execute a container breakout, and traverse across trust boundaries. | Low | By default, Envoy Gateway deployments do not use root users. Nonetheless, in case a custom image or deployment manifest is to be used, make sure Envoy Proxy pods run as a non-root user with a high UID within the container. Set runAsUser and runAsGroup security context options to specific UIDs (e.g., runAsUser: 1000 & runAsGroup: 3000) to ensure the container operates with the stipulated non-root user and group ID. If using helm chart deployment, define the user and group ID in the values.yaml file or via the command line during helm install / upgrade. | diff --git a/site/content/en/v1.0.1/tasks/security/threat-model.md b/site/content/en/v1.0.1/tasks/security/threat-model.md index 79a69b482c6..c1bba3f9726 100644 --- a/site/content/en/v1.0.1/tasks/security/threat-model.md +++ b/site/content/en/v1.0.1/tasks/security/threat-model.md 
@@ -528,7 +528,7 @@ When considering internal threat actors, we chose to follow the [security model] **Threat**: Threat actors establish persistence and move laterally through the cluster unnoticed. - **Recommendation**: Configure [access logging](../../../contributions/design/accesslog) in the EnvoyProxy. Use [ProxyAccessLogFormatType](../../api/extension_types#proxyaccesslogformattype) (Text or JSON) to specify the log format and ensure that the logs are sent to the desired sink types by setting the [ProxyAccessLogSinkType](https://gateway.envoyproxy.io/latest/api/extension_types/#proxyaccesslogsinktype). Make use of [FileEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#fileenvoyproxyaccesslog) or [OpenTelemetryEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#opentelemetryenvoyproxyaccesslog) to configure File and OpenTelemetry sinks, respectively. If the settings aren\'t defined, the default format is sent to stdout. + **Recommendation**: Configure [access logging](../../../contributions/design/proxy-accesslog) in the EnvoyProxy. Use [ProxyAccessLogFormatType](../../api/extension_types#proxyaccesslogformattype) (Text or JSON) to specify the log format and ensure that the logs are sent to the desired sink types by setting the [ProxyAccessLogSinkType](https://gateway.envoyproxy.io/latest/api/extension_types/#proxyaccesslogsinktype). Make use of [FileEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#fileenvoyproxyaccesslog) or [OpenTelemetryEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#opentelemetryenvoyproxyaccesslog) to configure File and OpenTelemetry sinks, respectively. If the settings aren\'t defined, the default format is sent to stdout. Additionally, consider leveraging a central logging mechanism such as [Fluentd](https://github.com/fluent/fluentd) to enhance visibility into access activity and enable effective incident response (IR). 
@@ -612,7 +612,7 @@ Set runAsUser and runAsGroup security context options to specific UIDs (e.g., ru |EGTM-011|EGTM-GW-003|Gateway API| There is a risk that a gateway owner (or someone with the ability to set namespace labels) maliciously or accidentally binds routes across namespace boundaries, potentially compromising the confidentiality and integrity of traffic in a multitenant scenario.

| If a Route Binding within a Gateway Listener is configured based on a custom label, it could allow a malicious internal actor with the ability to label namespaces to change the set of namespaces supported by the Gateway

|Low| Consider the use of custom admission control to restrict what labels can be set on namespaces through tooling such as [Kubewarden](https://kyverno.io/policies/pod-security/), [Kyverno](https://github.com/kubewarden), and [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper). Route binding should follow the Kubernetes Gateway API security model, as shown [here](https://gateway-api.sigs.k8s.io/concepts/security-model/#1-route-binding), to connect gateways in different namespaces. | |EGTM-013|EGTM-GW-005|Gateway API| There is a risk that an unauthorised actor deploys an unauthorised GatewayClass due to GatewayClass namespace validation not being configured, leading to non-compliance with business and security requirements.

| Unauthorised deployment of Gateway resource via GatewayClass template which crosses namespace trust boundaries.

|Low| Leverage GatewayClass namespace validation to limit the namespaces where GatewayClasses can be run through a tool such as using [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper). Reference pull request \#[24](https://github.com/open-policy-agent/gatekeeper-library/pull/24) within gatekeeper-library which outlines how to add GatewayClass namespace validation through a GatewayClassNamespaces API resource kind within the constraints.gatekeeper.sh/v1beta1 apiGroup. | |EGTM-015|EGTM-CS-007|Container Security| There is a risk that threat actors could exploit ServiceAccount tokens for illegitimate authentication, thereby leading to privilege escalation and the undermining of gateway API resources\' integrity, confidentiality, and availability.

| The threat arises from threat actors impersonating the envoy-gateway ServiceAccount through the replay of ServiceAccount tokens, thereby achieving escalated privileges and gaining unauthorised access to Kubernetes resources.

|Low| Limit the creation of ServiceAccounts to only when necessary, specifically refraining from using default service account tokens, especially for high-privilege service accounts. For legacy clusters running Kubernetes version 1.21 or earlier, note that ServiceAccount tokens are long-lived by default. To disable the automatic mounting of the service account token, set automountServiceAccountToken: false in the PodSpec. | -|EGTM-016|EGTM-EG-004|Envoy Gateway| There is a risk that threat actors establish persistence and move laterally through the cluster unnoticed due to limited visibility into access and application-level activity.

| Threat actors establish persistence and move laterally through the cluster unnoticed.

|Low| Configure [access logging](../../../contributions/design/accesslog) in the EnvoyProxy. Use [ProxyAccessLogFormatType](../../api/extension_types#proxyaccesslogformattype) (Text or JSON) to specify the log format and ensure that the logs are sent to the desired sink types by setting the [ProxyAccessLogSinkType](https://gateway.envoyproxy.io/latest/api/extension_types/#proxyaccesslogsinktype). Make use of [FileEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#fileenvoyproxyaccesslog) or [OpenTelemetryEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#opentelemetryenvoyproxyaccesslog) to configure File and OpenTelemetry sinks, respectively. If the settings aren\'t defined, the default format is sent to stdout.

Additionally, consider leveraging a central logging mechanism such as [Fluentd](https://github.com/fluent/fluentd) to enhance visibility into access activity and enable effective incident response (IR). | +|EGTM-016|EGTM-EG-004|Envoy Gateway| There is a risk that threat actors establish persistence and move laterally through the cluster unnoticed due to limited visibility into access and application-level activity.

| Threat actors establish persistence and move laterally through the cluster unnoticed.

|Low| Configure [access logging](../../../contributions/design/proxy-accesslog) in the EnvoyProxy. Use [ProxyAccessLogFormatType](../../api/extension_types#proxyaccesslogformattype) (Text or JSON) to specify the log format and ensure that the logs are sent to the desired sink types by setting the [ProxyAccessLogSinkType](https://gateway.envoyproxy.io/latest/api/extension_types/#proxyaccesslogsinktype). Make use of [FileEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#fileenvoyproxyaccesslog) or [OpenTelemetryEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#opentelemetryenvoyproxyaccesslog) to configure File and OpenTelemetry sinks, respectively. If the settings aren\'t defined, the default format is sent to stdout.

Additionally, consider leveraging a central logging mechanism such as [Fluentd](https://github.com/fluent/fluentd) to enhance visibility into access activity and enable effective incident response (IR). | |EGTM-017|EGTM-EG-005|Envoy Gateway| There is a risk that an insider misconfigures an envoy gateway component and goes unnoticed due to a low-touch logging configuration (via default) which responsible stakeholders are not aptly aware of or have immediate access to.

| The threat emerges from an insider misconfiguring an Envoy Gateway component without detection.

|Low| Configure the logging level of the Envoy Gateway using the \'level\' field in [EnvoyGatewayLogging](https://gateway.envoyproxy.io/latest/api/extension_types/#envoygatewaylogging). Ensure the appropriate logging levels are set for relevant components such as \'gateway-api\', \'xds-translator\', or \'global-ratelimit\'. If left unspecified, the logging level defaults to \"info\", which may not provide sufficient detail for security monitoring.

Employ a centralised logging mechanism, like [Fluentd](https://github.com/fluent/fluentd), to enhance visibility into application-level activity and to enable efficient incident response. | |EGTM-021|EGTM-EG-006|Envoy Gateway| There is a risk that the admin interface is exposed without valid business reason, increasing the attack surface.

| Exposed admin interfaces give internal attackers the option to affect production traffic in unauthorised ways, and the option to exploit any vulnerabilities which may be present in the admin interface (e.g. by orchestrating malicious GET requests to the admin interface through CSRF, compromising Envoy Proxy global configuration or shutting off the service entirely (e.g., /quitquitquit).

|Low| The Envoy Proxy admin interface is only exposed to localhost, meaning that it is secure by default. However, due to the risk of misconfiguration, this recommendation is included.

Due to the importance of the admin interface, it is recommended to ensure that Envoy Proxies have not been accidentally misconfigured to expose the admin interface to untrusted networks. | |EGTM-025 | EGTM-CS-011 | Container Security | The presence of a vulnerability, be it in the kernel or another system component, when coupled with containers running as root, could enable a threat actor to escape the container, thereby compromising the confidentiality, integrity, or availability of cluster resources. | The Envoy Proxy container's root-user configuration can be leveraged by an attacker to escalate privileges, execute a container breakout, and traverse across trust boundaries. | Low | By default, Envoy Gateway deployments do not use root users. Nonetheless, in case a custom image or deployment manifest is to be used, make sure Envoy Proxy pods run as a non-root user with a high UID within the container. Set runAsUser and runAsGroup security context options to specific UIDs (e.g., runAsUser: 1000 & runAsGroup: 3000) to ensure the container operates with the stipulated non-root user and group ID. If using helm chart deployment, define the user and group ID in the values.yaml file or via the command line during helm install / upgrade. | From 4cf85c3aa4ef605ec904dfb48769cdc6fd5f7971 Mon Sep 17 00:00:00 2001 From: Dingkang Li Date: Wed, 15 May 2024 06:00:11 +0800 Subject: [PATCH 2/7] feat(api): add consistent hash table size api (#3348) * Add consistent hash table size api Signed-off-by: Dingkang Li * Set consistent hash table size's minimum as the smallest prime number: 2 Signed-off-by: Dingkang Li * Comment tableSize api as notImplementedHide Signed-off-by: Dingkang Li --------- Signed-off-by: Dingkang Li --- api/v1alpha1/loadbalancer_types.go | 9 +++++++++ api/v1alpha1/zz_generated.deepcopy.go | 5 +++++ .../gateway.envoyproxy.io_backendtrafficpolicies.yaml | 8 ++++++++ 3 files changed, 22 insertions(+) 
diff --git a/api/v1alpha1/loadbalancer_types.go b/api/v1alpha1/loadbalancer_types.go
index 795390bb525..d4912aebd4a 100644
--- a/api/v1alpha1/loadbalancer_types.go
+++ b/api/v1alpha1/loadbalancer_types.go
@@ -66,6 +66,15 @@ type ConsistentHash struct {
 //
 // +optional
 Header *Header `json:"header,omitempty"`
+
+ // The table size for consistent hashing, must be prime number limited to 5000011.
+ //
+ // +kubebuilder:validation:Minimum=2
+ // +kubebuilder:validation:Maximum=5000011
+ // +kubebuilder:default=65537
+ // +optional
+ // +notImplementedHide
+ TableSize *uint64 `json:"tableSize,omitempty"`
 }
 // Header defines the header hashing configuration for consistent hash based
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 5dc25960173..c584ae2d62a 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -783,6 +783,11 @@ func (in *ConsistentHash) DeepCopyInto(out *ConsistentHash) { *out = new(Header) **out = **in } + if in.TableSize != nil { + in, out := &in.TableSize, &out.TableSize + *out = new(uint64) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConsistentHash.
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
index 6f5b369ce73..37aabbbefc1 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
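Review bot: In the `ConsistentHash` hunk of `api/v1alpha1/loadbalancer_types.go`, the new `TableSize` comment requires a prime number, but the markers only bound the range (`Minimum=2`, `Maximum=5000011`), so a composite value (4, say) is admitted by the API server and nothing visible in this patch rejects it later. Since the field is still hidden with `+notImplementedHide`, state the contract in the comment now and add the primality check where the field is eventually translated, so a bad value fails at validation rather than, presumably, as configuration the proxy refuses: `// TableSize is the table size for consistent hashing. It must be a prime number no greater than 5000011; the CRD schema checks only the range, not primality.` The comment should also open with the field name, as Go doc comments conventionally do. The struct starts above the hunk, and the generated CRD later in this patch publishes `format: int64` for a field declared as `*uint64`, which is worth confirming is intended.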
@@ -422,6 +422,14 @@ spec: required: - name type: object + tableSize: + default: 65537 + description: The table size for consistent hashing, must be + prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer type: description: ConsistentHashType defines the type of input to hash on. Valid Type values are "SourceIP" or "Header". From 20d9089637ce0754b9e983c32c40412978d4e2cf Mon Sep 17 00:00:00 2001 From: YuLuo Date: Wed, 15 May 2024 09:16:55 +0800 Subject: [PATCH 3/7] docs: update helm install docs (#3370) * docs: update helm install docs Signed-off-by: yuluo-yx * docs: move helm chart readme docs position Signed-off-by: yuluo-yx --------- Signed-off-by: yuluo-yx --- site/content/en/latest/install/install-helm.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/site/content/en/latest/install/install-helm.md b/site/content/en/latest/install/install-helm.md index 69efd45390c..903abe50964 100644 --- a/site/content/en/latest/install/install-helm.md +++ b/site/content/en/latest/install/install-helm.md @@ -61,7 +61,11 @@ consideration when debugging. ## Helm chart customizations -Some of the quick ways of using the helm install command for envoy gateway installation are below. +Some of the quick ways of using the helm install command for envoy gateway installation are below. + +{{% alert title="Helm Chart Values" color="primary" %}} +If you want to know all the available fields inside the values.yaml file, please see the [Helm Chart Values](../api). +{{% /alert %}} ### Increase the replicas 
@@ -114,10 +118,6 @@ You can use the below command to install the envoy gateway using values.yaml fil helm install eg oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n envoy-gateway-system --create-namespace -f values.yaml ``` -{{% alert title="Helm Chart Values" color="primary" %}} -If you want to know all the available fields inside the values.yaml file, please see the [Helm Chart Values](../api). -{{% /alert %}} - ## Open Ports These are the ports used by Envoy Gateway and the managed Envoy Proxy. From 94747efe8ec9da1e283e6a59b7fc63b9f01cec65 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 May 2024 11:22:43 +0800 Subject: [PATCH 4/7] build(deps): bump github.com/golangci/golangci-lint from 1.58.0 to 1.58.1 in /tools/src/golangci-lint (#3378) build(deps): bump github.com/golangci/golangci-lint Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.58.0 to 1.58.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.58.0...v1.58.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/golangci-lint/go.mod | 10 +++++----- tools/src/golangci-lint/go.sum | 24 ++++++++++++------------ 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/tools/src/golangci-lint/go.mod b/tools/src/golangci-lint/go.mod index c4185482bf1..45f2ecfe20c 100644 --- a/tools/src/golangci-lint/go.mod +++ b/tools/src/golangci-lint/go.mod 
@@ -2,12 +2,12 @@ module local go 1.22.3 -require github.com/golangci/golangci-lint v1.58.0 +require github.com/golangci/golangci-lint v1.58.1 require ( 4d63.com/gocheckcompilerdirectives v1.2.1 // indirect 4d63.com/gochecknoglobals v0.2.1 // indirect - github.com/4meepo/tagalign v1.3.3 // indirect + github.com/4meepo/tagalign v1.3.4 // indirect github.com/Abirdcfly/dupword v0.0.14 // indirect github.com/Antonboom/errname v0.1.13 // indirect github.com/Antonboom/nilnil v0.1.8 // indirect @@ -48,7 +48,7 @@ require ( github.com/firefart/nonamedreturns v1.0.5 // indirect github.com/fsnotify/fsnotify v1.5.4 // indirect github.com/fzipp/gocyclo v0.6.0 // indirect - github.com/ghostiam/protogetter v0.3.5 // indirect + github.com/ghostiam/protogetter v0.3.6 // indirect github.com/go-critic/go-critic v0.11.3 // indirect github.com/go-toolsmith/astcast v1.1.0 // indirect github.com/go-toolsmith/astcopy v1.1.0 // indirect @@ -176,9 +176,9 @@ require ( golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect golang.org/x/mod v0.17.0 // indirect golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.19.0 // indirect + golang.org/x/sys v0.20.0 // indirect golang.org/x/text v0.14.0 // indirect - golang.org/x/tools v0.20.0 // indirect + golang.org/x/tools v0.21.0 // indirect google.golang.org/protobuf v1.33.0 // indirect gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/tools/src/golangci-lint/go.sum b/tools/src/golangci-lint/go.sum index e0f706803b2..ad72e8906a2 100644 --- a/tools/src/golangci-lint/go.sum +++ b/tools/src/golangci-lint/go.sum 
@@ -35,8 +35,8 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/4meepo/tagalign v1.3.3 h1:ZsOxcwGD/jP4U/aw7qeWu58i7dwYemfy5Y+IF1ACoNw= -github.com/4meepo/tagalign v1.3.3/go.mod h1:Q9c1rYMZJc9dPRkbQPpcBNCLEmY2njbAsXhQOZFE2dE= +github.com/4meepo/tagalign v1.3.4 h1:P51VcvBnf04YkHzjfclN6BbsopfJR5rxs1n+5zHt+w8= +github.com/4meepo/tagalign v1.3.4/go.mod h1:M+pnkHH2vG8+qhE5bVc/zeP7HS/j910Fwa9TUSyZVI0= github.com/Abirdcfly/dupword v0.0.14 h1:3U4ulkc8EUo+CaT105/GJ1BQwtgyj6+VaBVbAX11Ba8= github.com/Abirdcfly/dupword v0.0.14/go.mod h1:VKDAbxdY8YbKUByLGg8EETzYSuC4crm9WwI6Y3S0cLI= github.com/Antonboom/errname v0.1.13 h1:JHICqsewj/fNckzrfVSe+T33svwQxmjC+1ntDsHOVvM= 
@@ -147,8 +147,8 @@ github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwV github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= github.com/fzipp/gocyclo v0.6.0 h1:lsblElZG7d3ALtGMx9fmxeTKZaLLpU8mET09yN4BBLo= github.com/fzipp/gocyclo v0.6.0/go.mod h1:rXPyn8fnlpa0R2csP/31uerbiVBugk5whMdlyaLkLoA= -github.com/ghostiam/protogetter v0.3.5 h1:+f7UiF8XNd4w3a//4DnusQ2SZjPkUjxkMEfjbxOK4Ug= -github.com/ghostiam/protogetter v0.3.5/go.mod h1:7lpeDnEJ1ZjL/YtyoN99ljO4z0pd3H0d18/t2dPBxHw= +github.com/ghostiam/protogetter v0.3.6 h1:R7qEWaSgFCsy20yYHNIJsU9ZOb8TziSRRxuAOTVKeOk= +github.com/ghostiam/protogetter v0.3.6/go.mod h1:7lpeDnEJ1ZjL/YtyoN99ljO4z0pd3H0d18/t2dPBxHw= github.com/go-critic/go-critic v0.11.3 h1:SJbYD/egY1noYjTMNTlhGaYlfQ77rQmrNH7h+gtn0N0= github.com/go-critic/go-critic v0.11.3/go.mod h1:Je0h5Obm1rR5hAGA9mP2PDiOOk53W+n7pyvXErFKIgI= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= 
@@ -226,8 +226,8 @@ github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9 github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk= github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e h1:ULcKCDV1LOZPFxGZaA6TlQbiM3J2GCPnkx/bGF6sX/g= github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e/go.mod h1:Pm5KhLPA8gSnQwrQ6ukebRcapGb/BG9iUkdaiCcGHJM= -github.com/golangci/golangci-lint v1.58.0 h1:r8duFARMJ0VdSM9tDXAdt2+f57dfZQmagvYX6kmkUKQ= -github.com/golangci/golangci-lint v1.58.0/go.mod h1:WAY3BnSLvTUEv41Q0v3ZFzNybLRF+a7Vd9Da8Jx9Eqo= +github.com/golangci/golangci-lint v1.58.1 h1:IYKjkt7nofq/mYXiDUyJiBZQi5kxD0jPCjBy6VXxjz8= +github.com/golangci/golangci-lint v1.58.1/go.mod h1:IX9uSbhwDDOVTcceKZWmshlally+fOQYv1pZhIJCMNw= github.com/golangci/misspell v0.5.1 h1:/SjR1clj5uDjNLwYzCahHwIOPmQgoH04AyQIiWGbhCM= github.com/golangci/misspell v0.5.1/go.mod h1:keMNyY6R9isGaSAu+4Q8NMBwMPkh15Gtc8UCVoDtAWo= github.com/golangci/modinfo v0.3.4 h1:oU5huX3fbxqQXdfspamej74DFX0kyGLkw1ppvXoJ8GA= 
@@ -675,8 +675,8 @@ golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= -golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= +golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= +golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -752,8 +752,8 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -836,8 +836,8 @@ golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k= golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY= -golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg= +golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= +golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 415d0adb0d53bc09cc023d5f6e05482d2054556d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 May 2024 11:23:04 +0800 Subject: [PATCH 5/7] build(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#3381) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.1 to 2.3.3. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/0864cf19026789058feabb7e87baa5f140aac736...dc50aa9510b46c811795eb24b2f1ba02a914e534) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 8347d4367d5..f0b2754655c 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -26,7 +26,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 with: results_file: results.sarif results_format: sarif From c4b021671fd1a1df851959775d956ec929ffbc89 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 15 May 2024 11:30:15 +0800 Subject: [PATCH 6/7] tcproute/udproute support multiple backends (#3212) * tcproute support multiple backend Signed-off-by: zirain * updroute support multiple backend Signed-off-by: zirain * use BackendWeights Signed-off-by: zirain * lint Signed-off-by: zirain * gofumpt Signed-off-by: zirain * fix test Signed-off-by: zirain * fix gen Signed-off-by: zirain * gen Signed-off-by: zirain * comments Signed-off-by: zirain * comments Signed-off-by: zirain * DirectResponse Signed-off-by: zirain * remove empty tls Signed-off-by: zirain * update Signed-off-by: zirain * nit Signed-off-by: zirain --------- 
Signed-off-by: zirain --- .../translate/out/quickstart.all.yaml | 5 +- internal/gatewayapi/filters.go | 2 +- internal/gatewayapi/route.go | 136 ++++++++---------- .../backendtlspolicy-ca-only.out.yaml | 5 +- .../backendtlspolicy-default-ns.out.yaml | 5 +- .../backendtlspolicy-invalid-ca.out.yaml | 5 +- ...ackendtlspolicy-system-truststore.out.yaml | 5 +- ...dtlspolicy-without-referencegrant.out.yaml | 5 +- ...endtrafficpolicy-override-replace.out.yaml | 10 +- ...ndtrafficpolicy-status-conditions.out.yaml | 14 +- ...fficpolicy-status-fault-injection.out.yaml | 15 +- ...trafficpolicy-use-client-protocol.out.yaml | 5 +- ...policy-with-circuitbreakers-error.out.yaml | 15 +- ...rafficpolicy-with-circuitbreakers.out.yaml | 10 +- ...endtrafficpolicy-with-healthcheck.out.yaml | 20 +-- ...ndtrafficpolicy-with-loadbalancer.out.yaml | 15 +- ...telimit-default-route-level-limit.out.yaml | 5 +- ...ocal-ratelimit-invalid-limit-unit.out.yaml | 5 +- ...ocal-ratelimit-invalid-match-type.out.yaml | 5 +- ...valid-multiple-route-level-limits.out.yaml | 5 +- ...rafficpolicy-with-local-ratelimit.out.yaml | 5 +- ...dtrafficpolicy-with-proxyprotocol.out.yaml | 10 +- ...licy-with-ratelimit-invalid-regex.out.yaml | 5 +- ...ckendtrafficpolicy-with-ratelimit.out.yaml | 10 +- ...backendtrafficpolicy-with-retries.out.yaml | 10 +- ...olicy-with-same-prefix-httproutes.out.yaml | 10 +- ...cp-udp-listeners-apply-on-gateway.out.yaml | 1 - ...-tcp-udp-listeners-apply-on-route.out.yaml | 1 - ...ndtrafficpolicy-with-tcpkeepalive.out.yaml | 10 +- ...dtrafficpolicy-with-timeout-error.out.yaml | 5 +- ...backendtrafficpolicy-with-timeout.out.yaml | 10 +- .../clienttrafficpolicy-http3.out.yaml | 5 +- .../testdata/conflicting-policies.out.yaml | 10 +- .../testdata/custom-filter-order.out.yaml | 7 +- ...yextensionpolicy-override-replace.out.yaml | 10 +- ...extensionpolicy-status-conditions.out.yaml | 14 +- ...-extproc-invalid-no-matching-port.out.yaml | 5 +- ...licy-with-extproc-invalid-no-port.out.yaml | 5 
+- ...xtproc-invalid-no-reference-grant.out.yaml | 5 +- ...y-with-extproc-invalid-no-service.out.yaml | 5 +- ...ith-extproc-with-backendtlspolicy.out.yaml | 10 +- ...extproc-with-multiple-backendrefs.out.yaml | 10 +- .../envoyextensionpolicy-with-wasm.out.yaml | 10 +- .../testdata/envoyproxy-tls-settings.out.yaml | 5 +- ...route-with-valid-extension-filter.out.yaml | 5 +- ...-namespace-with-allowed-httproute.out.yaml | 5 +- .../testdata/gateway-infrastructure.out.yaml | 5 +- ...route-with-mismatch-port-protocol.out.yaml | 6 + ...h-tcproute-with-multiple-backends.out.yaml | 23 ++- ...her-namespace-allowed-by-refgrant.out.yaml | 5 +- ...ith-tls-terminate-and-passthrough.out.yaml | 5 +- ...route-with-mismatch-port-protocol.out.yaml | 8 ++ ...th-udproute-with-multiple-backends.in.yaml | 4 +- ...h-udproute-with-multiple-backends.out.yaml | 29 +++- ...ith-same-algorithm-different-fqdn.out.yaml | 5 +- ...-valid-multiple-tls-configuration.out.yaml | 5 +- ...ener-with-valid-tls-configuration.out.yaml | 5 +- ...with-preexisting-status-condition.out.yaml | 5 +- ...-listener-with-multiple-tcproutes.out.yaml | 1 - ...teway-with-stale-status-condition.out.yaml | 5 +- ...listeners-on-same-tcp-or-tls-port.out.yaml | 1 - ...isteners-with-multiple-httproutes.out.yaml | 20 +-- ...-with-same-port-http-tcp-protocol.out.yaml | 6 +- ...-with-same-port-http-udp-protocol.out.yaml | 5 +- ...s-with-tcproutes-with-sectionname.out.yaml | 2 - ...ith-tcproutes-without-sectionname.out.yaml | 2 - .../grpcroute-with-empty-backends.out.yaml | 5 +- .../grpcroute-with-header-match.out.yaml | 5 +- ...ute-with-method-and-service-match.out.yaml | 10 +- .../grpcroute-with-method-match.out.yaml | 10 +- ...oute-with-request-header-modifier.out.yaml | 3 - .../grpcroute-with-service-match.out.yaml | 10 +- ...dtrafficpolicy-with-timeout-error.out.yaml | 5 +- ...backendtrafficpolicy-with-timeout.out.yaml | 10 +- ...way-with-more-different-listeners.out.yaml | 40 ++---- 
...ng-to-gateway-with-more-listeners.out.yaml | 40 ++---- ...wo-listeners-with-different-ports.out.yaml | 10 +- ...ing-to-gateway-with-two-listeners.out.yaml | 10 +- .../httproute-attaching-to-gateway.out.yaml | 5 +- ...taching-to-listener-matching-port.out.yaml | 5 +- ...ner-on-gateway-with-two-listeners.out.yaml | 5 +- ...ort-backendrefs-diff-address-type.out.yaml | 5 +- ...ort-backendrefs-same-address-type.out.yaml | 5 +- ...port-backendref-fqdn-address-type.out.yaml | 5 +- ...ort-backendref-mixed-address-type.out.yaml | 5 +- ...ner-with-serviceimport-backendref.out.yaml | 5 +- .../httproute-attaching-to-listener.out.yaml | 5 +- ...httproute-backend-request-timeout.out.yaml | 5 +- .../httproute-request-timeout.out.yaml | 5 +- ...ith-empty-backends-and-no-filters.out.yaml | 5 +- ...-multiple-backends-and-no-weights.out.yaml | 5 +- ...ith-multiple-backends-and-weights.out.yaml | 5 +- ...her-namespace-allowed-by-refgrant.out.yaml | 5 +- ...her-namespace-allowed-by-refgrant.out.yaml | 5 +- .../httproute-with-empty-matches.out.yaml | 5 +- ...er-duplicate-add-multiple-filters.out.yaml | 3 - ...with-header-filter-duplicate-adds.out.yaml | 3 - ...duplicate-remove-multiple-filters.out.yaml | 5 +- ...h-header-filter-duplicate-removes.out.yaml | 5 +- ...header-filter-empty-header-values.out.yaml | 3 - ...ute-with-header-filter-no-headers.out.yaml | 5 +- ...tproute-with-header-filter-remove.out.yaml | 5 +- ...with-invalid-backend-ref-bad-port.out.yaml | 7 +- ...invalid-backend-ref-invalid-group.out.yaml | 7 +- ...-invalid-backend-ref-invalid-kind.out.yaml | 7 +- ...-with-invalid-backend-ref-no-port.out.yaml | 7 +- ...lid-backend-ref-no-service.import.out.yaml | 7 +- ...th-invalid-backend-ref-no-service.out.yaml | 7 +- ...id-backend-ref-unsupported-filter.out.yaml | 7 +- ...lid-backendref-in-other-namespace.out.yaml | 7 +- ...ute-with-mirror-filter-duplicates.out.yaml | 5 +- ...route-with-mirror-filter-multiple.out.yaml | 3 - ...ith-mirror-filter-service-no-port.out.yaml | 5 
+- ...h-mirror-filter-service-not-found.out.yaml | 5 +- .../httproute-with-mirror-filter.out.yaml | 5 +- ...ct-filter-full-path-replace-https.out.yaml | 5 +- ...ute-with-redirect-filter-hostname.out.yaml | 5 +- ...ter-prefix-replace-with-port-http.out.yaml | 5 +- ...-with-response-header-filter-adds.out.yaml | 3 - ...er-duplicate-add-multiple-filters.out.yaml | 3 - ...onse-header-filter-duplicate-adds.out.yaml | 3 - ...duplicate-remove-multiple-filters.out.yaml | 5 +- ...e-header-filter-duplicate-removes.out.yaml | 5 +- ...header-filter-empty-header-values.out.yaml | 3 - ...response-header-filter-no-headers.out.yaml | 5 +- ...ith-response-header-filter-remove.out.yaml | 5 +- ...single-rule-with-exact-path-match.out.yaml | 5 +- ...ingle-rule-with-http-method-match.out.yaml | 5 +- ...h-prefix-and-exact-header-matches.out.yaml | 5 +- ...e-invalid-backend-refs-no-service.out.yaml | 7 +- ...to-gateway-with-wildcard-hostname.out.yaml | 5 +- ...to-gateway-with-wildcard-hostname.out.yaml | 10 +- ...ite-filter-full-path-replace-http.out.yaml | 5 +- ...te-filter-hostname-prefix-replace.out.yaml | 5 +- ...e-with-urlrewrite-filter-hostname.out.yaml | 5 +- ...ewrite-filter-invalid-filter-type.out.yaml | 5 +- ...ewrite-filter-prefix-replace-http.out.yaml | 5 +- ...ng-to-gateway-with-unset-hostname.out.yaml | 5 +- .../httproutes-with-multiple-matches.out.yaml | 35 +---- ...multiple-gateways-multiple-routes.out.yaml | 10 +- .../merge-with-isolated-policies-2.out.yaml | 20 +-- .../merge-with-isolated-policies.out.yaml | 10 +- .../securitypolicy-override-replace.out.yaml | 10 +- .../securitypolicy-status-conditions.out.yaml | 14 +- .../securitypolicy-with-basic-auth.out.yaml | 15 +- .../securitypolicy-with-cors.out.yaml | 15 +- ...-extauth-invalid-no-matching-port.out.yaml | 5 +- ...licy-with-extauth-invalid-no-port.out.yaml | 5 +- ...xtauth-invalid-no-reference-grant.out.yaml | 5 +- ...y-with-extauth-invalid-no-service.out.yaml | 5 +- ...ith-extauth-with-backendtlspolicy.out.yaml | 
10 +- .../securitypolicy-with-extauth.out.yaml | 15 +- ...ypolicy-with-jwt-and-invalid-oidc.out.yaml | 10 +- .../securitypolicy-with-jwt-optional.out.yaml | 10 +- ...cy-with-jwt-with-custom-extractor.out.yaml | 10 +- .../testdata/securitypolicy-with-jwt.out.yaml | 10 +- .../securitypolicy-with-oidc.out.yaml | 10 +- .../tracing-merged-multiple-routes.out.yaml | 10 +- .../testdata/tracing-multiple-routes.out.yaml | 10 +- internal/ir/xds.go | 34 ++++- internal/ir/xds_test.go | 7 - internal/ir/zz_generated.deepcopy.go | 1 - internal/xds/translator/route.go | 38 ++--- .../testdata/in/xds-ir/ext-proc.yaml | 10 +- .../http-route-weighted-invalid-backend.yaml | 5 +- .../translator/testdata/in/xds-ir/wasm.yaml | 5 +- ...te-weighted-invalid-backend.endpoints.yaml | 3 + 167 files changed, 432 insertions(+), 1007 deletions(-) diff --git a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml index 3ea1f3f2bc7..edba4588a83 100644 --- a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml @@ -104,10 +104,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway-system/backend/rule/0 settings: - endpoints: diff --git a/internal/gatewayapi/filters.go b/internal/gatewayapi/filters.go index 476d821e721..2630ed1cf84 100644 --- a/internal/gatewayapi/filters.go +++ b/internal/gatewayapi/filters.go @@ -797,7 +797,7 @@ func (t *Translator) processRequestMirrorFilter( return } - ds, _ := t.processDestination(mirrorBackendRef, filterContext.ParentRef, filterContext.Route, resources) + ds := t.processDestination(mirrorBackendRef, filterContext.ParentRef, filterContext.Route, resources) newMirror := &ir.RouteDestination{ Name: fmt.Sprintf("%s-mirror-%d", irRouteDestinationName(filterContext.Route, filterContext.RuleIdx), filterIdx), 
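Review bot: In the `filters.go` hunk, `ds` from `processDestination` goes straight into building `newMirror` with no check. With this commit the helper returns nil for a zero-weight ref and a setting that carries only `Weight` for a ref that fails validation. If the rest of the literal (below the hunk) places `ds` in `Settings`, a mirror destination can end up with a nil or endpoint-less entry; a guard such as `if ds == nil || len(ds.Endpoints) == 0 { return }` before `newMirror` would make the handling explicit. Earlier validation in `processRequestMirrorFilter`, which starts above the hunk, may already rule this out.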
diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 8abbac6c8b0..5edcf53af01 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -187,27 +187,27 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe for _, backendRef := range rule.BackendRefs { backendRef := backendRef - ds, backendWeight := t.processDestination(backendRef, parentRef, httpRoute, resources) + ds := t.processDestination(backendRef, parentRef, httpRoute, resources) if !t.EndpointRoutingDisabled && ds != nil && len(ds.Endpoints) > 0 && ds.AddressType != nil { dstAddrTypeMap[*ds.AddressType]++ } + if ds == nil { + continue + } for _, route := range ruleRoutes { // If the route already has a direct response or redirect configured, then it was from a filter so skip // processing any destinations for this route. - if route.DirectResponse == nil && route.Redirect == nil { - if ds != nil && len(ds.Endpoints) > 0 { - if route.Destination == nil { - route.Destination = &ir.RouteDestination{ - Name: irRouteDestinationName(httpRoute, ruleIdx), - } - } - route.Destination.Settings = append(route.Destination.Settings, ds) - route.BackendWeights.Valid += backendWeight - } else { - route.BackendWeights.Invalid += backendWeight + if route.DirectResponse != nil || route.Redirect != nil { + continue + } + + if route.Destination == nil { + route.Destination = &ir.RouteDestination{ + Name: irRouteDestinationName(httpRoute, ruleIdx), } } + route.Destination.Settings = append(route.Destination.Settings, ds) } } 
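Review bot: In the first hunk of `processHTTPRouteRules`, the added `if ds == nil { continue }` sits after the `dstAddrTypeMap` condition that still tests `ds != nil`; moving the guard directly under the `processDestination` call lets that condition drop the nil test. A backend that fails validation is now appended to `route.Destination.Settings` as an endpoint-less setting, so every consumer of `Settings` has to tolerate entries with no endpoints, and a short comment at the `append` saying so would help. The gRPC loop in the `-493` hunk repeats the same body and could share a helper. The function starts and ends outside the hunk.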
@@ -225,7 +225,8 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe // If the route has no valid backends then just use a direct response and don't fuss with weighted responses for _, ruleRoute := range ruleRoutes { - if ruleRoute.Destination == nil && ruleRoute.Redirect == nil { + noValidBackends := ruleRoute.Destination == nil || ruleRoute.Destination.ToBackendWeights().Valid == 0 + if noValidBackends && ruleRoute.Redirect == nil { ruleRoute.DirectResponse = &ir.DirectResponse{ StatusCode: 500, } 
@@ -493,30 +494,31 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe for _, backendRef := range rule.BackendRefs { backendRef := backendRef - ds, backendWeight := t.processDestination(backendRef, parentRef, grpcRoute, resources) + ds := t.processDestination(backendRef, parentRef, grpcRoute, resources) + if ds == nil { + continue + } + for _, route := range ruleRoutes { // If the route already has a direct response or redirect configured, then it was from a filter so skip // processing any destinations for this route. - if route.DirectResponse == nil && route.Redirect == nil { - if ds != nil && len(ds.Endpoints) > 0 { - if route.Destination == nil { - route.Destination = &ir.RouteDestination{ - Name: irRouteDestinationName(grpcRoute, ruleIdx), - } - } - route.Destination.Settings = append(route.Destination.Settings, ds) - route.BackendWeights.Valid += backendWeight + if route.DirectResponse != nil || route.Redirect != nil { + continue + } - } else { - route.BackendWeights.Invalid += backendWeight + if route.Destination == nil { + route.Destination = &ir.RouteDestination{ + Name: irRouteDestinationName(grpcRoute, ruleIdx), } } + route.Destination.Settings = append(route.Destination.Settings, ds) } } // If the route has no valid backends then just use a direct response and don't fuss with weighted responses for _, ruleRoute := range ruleRoutes { - if ruleRoute.Destination == nil && ruleRoute.Redirect == nil { + noValidBackends := ruleRoute.Destination == nil || ruleRoute.Destination.ToBackendWeights().Valid == 0 + if noValidBackends && ruleRoute.Redirect == nil { ruleRoute.DirectResponse = &ir.DirectResponse{ StatusCode: 500, } 
@@ -685,10 +687,6 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route ExtensionRefs: routeRoute.ExtensionRefs, IsHTTP2: routeRoute.IsHTTP2, } - // Don't bother copying over the weights unless the route has invalid backends. - if routeRoute.BackendWeights.Invalid > 0 { - hostRoute.BackendWeights = routeRoute.BackendWeights - } if routeRoute.Traffic != nil { hostRoute.Traffic = &ir.TrafficFeatures{ Timeout: routeRoute.Traffic.Timeout, @@ -752,7 +750,7 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour for _, rule := range tlsRoute.Spec.Rules { for _, backendRef := range rule.BackendRefs { backendRef := backendRef - ds, _ := t.processDestination(backendRef, parentRef, tlsRoute, resources) + ds := t.processDestination(backendRef, parentRef, tlsRoute, resources) if ds != nil { destSettings = append(destSettings, ds) } 
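Review bot: In the `-752` hunk of `processTLSRouteParentRefs`, the existing `if ds != nil` guard no longer filters out invalid backends, because `processDestination` now returns a non-nil setting with only `Weight` set when validation fails. `destSettings` can therefore hold only endpoint-less entries, and nothing visible here stops a TLS route from being emitted in that state. Consider checking after the loop that at least one setting has endpoints, or add a comment stating that the xDS translator handles the empty case. The function body continues outside the hunk.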
@@ -890,27 +888,16 @@ func (t *Translator) processUDPRouteParentRefs(udpRoute *UDPRouteContext, resour ) continue } - if len(udpRoute.Spec.Rules[0].BackendRefs) != 1 { - routeStatus := GetRouteStatus(udpRoute) - status.SetRouteStatusCondition(routeStatus, - parentRef.routeParentStatusIdx, - udpRoute.GetGeneration(), - gwapiv1.RouteConditionResolvedRefs, - metav1.ConditionFalse, - "InvalidBackend", - "One and only one backend is supported", - ) - continue - } - backendRef := udpRoute.Spec.Rules[0].BackendRefs[0] - ds, _ := t.processDestination(backendRef, parentRef, udpRoute, resources) - // Skip further processing if route destination is not valid - if ds == nil || len(ds.Endpoints) == 0 { - continue + for _, backendRef := range udpRoute.Spec.Rules[0].BackendRefs { + ds := t.processDestination(backendRef, parentRef, udpRoute, resources) + if ds == nil { + continue + } + + destSettings = append(destSettings, ds) } - destSettings = append(destSettings, ds) // If no negative condition has been set for ResolvedRefs, set "ResolvedRefs=True" if !parentRef.HasCondition(udpRoute, gwapiv1.RouteConditionResolvedRefs, metav1.ConditionFalse) { routeStatus := GetRouteStatus(udpRoute) @@ -1019,7 +1006,6 @@ func (t *Translator) ProcessTCPRoutes(tcpRoutes []*gwapiv1a2.TCPRoute, gateways func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resources *Resources, xdsIR XdsIRMap) { for _, parentRef := range tcpRoute.ParentRefs { - // Need to compute Route rules within the parentRef loop because // any conditions that come out of it have to go on each RouteParentStatus, // not on the Route as a whole. 
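Review bot: In the `-890` hunk, the removed check `ds == nil || len(ds.Endpoints) == 0` used to stop processing when the backend was unusable, while the new loop appends every non-nil `ds`, including the endpoint-less setting returned for a ref that fails validation. A UDPRoute whose backends are all invalid therefore appears to proceed to listener attachment with nothing to forward to, and this path has no direct-response fallback like the HTTP one. A check after the loop that skips the parentRef when no appended setting has endpoints would restore the old outcome. The same applies to the TCP loop in the `-1038` hunk. The UDP loop also omits the `backendRef := backendRef` copy that the TCP and HTTP loops keep, which is worth making consistent.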
@@ -1038,26 +1024,17 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour ) continue } - if len(tcpRoute.Spec.Rules[0].BackendRefs) != 1 { - routeStatus := GetRouteStatus(tcpRoute) - status.SetRouteStatusCondition(routeStatus, - parentRef.routeParentStatusIdx, - tcpRoute.GetGeneration(), - gwapiv1.RouteConditionResolvedRefs, - metav1.ConditionFalse, - "InvalidBackend", - "One and only one backend is supported", - ) - continue - } - backendRef := tcpRoute.Spec.Rules[0].BackendRefs[0] - ds, _ := t.processDestination(backendRef, parentRef, tcpRoute, resources) - // Skip further processing if route destination is not valid - if ds == nil || len(ds.Endpoints) == 0 { - continue + for _, backendRef := range tcpRoute.Spec.Rules[0].BackendRefs { + backendRef := backendRef + ds := t.processDestination(backendRef, parentRef, tcpRoute, resources) + if ds == nil { + continue + } + + destSettings = append(destSettings, ds) } - destSettings = append(destSettings, ds) + // If no negative condition has been set for ResolvedRefs, set "ResolvedRefs=True" if !parentRef.HasCondition(tcpRoute, gwapiv1.RouteConditionResolvedRefs, metav1.ConditionFalse) { routeStatus := GetRouteStatus(tcpRoute) @@ -1088,9 +1065,13 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour accepted = true irKey := t.getIRKey(listener.gateway) - tls := ir.TLS{ - Terminate: irTLSConfigs(listener.tlsSecrets), + var tls *ir.TLS + if len(listener.tlsSecrets) > 0 { + tls = &ir.TLS{ + Terminate: irTLSConfigs(listener.tlsSecrets), + } } + if listener.Hostname != nil { tls.TLSInspectorConfig = &ir.TLSInspectorConfig{ SNIs: []string{string(*listener.Hostname)}, @@ -1105,7 +1086,7 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour Name: irRouteDestinationName(tcpRoute, -1 /*rule index*/), Settings: destSettings, }, - TLS: &tls, + TLS: tls, } irListener.Routes = append(irListener.Routes, irRoute) 
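Review bot: In the `-1088` hunk, `tls` is now a nil `*ir.TLS` whenever `listener.tlsSecrets` is empty, yet the unchanged `if listener.Hostname != nil` block right after it still assigns `tls.TLSInspectorConfig`, which panics on a nil pointer. If a listener with a hostname and no TLS secrets can reach this code, a single Gateway resource would crash translation in the control plane; allocate on demand with `if tls == nil { tls = &ir.TLS{} }` as the first statement inside the hostname block. Whether earlier listener validation excludes that combination is not visible from this hunk, so a test case for it would settle the question. `processTCPRouteParentRefs` begins and ends outside the hunk.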
@@ -1145,10 +1126,8 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour // returns the weight for the backend so that 500 error responses can be returned for invalid backends in // the same proportion as the backend would have otherwise received func (t *Translator) processDestination(backendRefContext BackendRefContext, - parentRef *RouteParentContext, - route RouteContext, - resources *Resources, -) (ds *ir.DestinationSetting, backendWeight uint32) { + parentRef *RouteParentContext, route RouteContext, resources *Resources, +) (ds *ir.DestinationSetting) { routeType := GetRouteType(route) weight := uint32(1) backendRef := GetBackendRef(backendRefContext) @@ -1158,12 +1137,13 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, backendNamespace := NamespaceDerefOr(backendRef.Namespace, route.GetNamespace()) if !t.validateBackendRef(backendRefContext, parentRef, route, resources, backendNamespace, routeType) { - return nil, weight + // return with empty endpoint means the backend is invalid + return &ir.DestinationSetting{Weight: &weight} } // Skip processing backends with 0 weight if weight == 0 { - return nil, weight + return nil } var ( @@ -1256,7 +1236,7 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, AddressType: addrType, TLS: backendTLS, } - return ds, weight + return ds } func inspectAppProtocolByRouteKind(kind gwapiv1.Kind) ir.AppProtocol { diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml index c802acac89a..7a08b16fb98 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml 
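Review bot: The comment kept above `processDestination` in the `-1145` hunk still says it "returns the weight for the backend", but the new signature returns only `*ir.DestinationSetting`. The return value now has three meanings that callers rely on: a setting with only `Weight` set for a ref that fails validation (the `-1158` hunk), nil for a zero-weight backend, and a populated setting otherwise. The doc comment should spell that out, e.g. `// processDestination returns nil when the backend weight is 0, and a DestinationSetting with no endpoints when the backendRef is invalid.` The function body runs beyond these hunks.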
@@ -142,10 +142,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-btls/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml index 63ea3f98192..1becf7daff1 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml @@ -142,10 +142,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-btls/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml index 818edfc8994..f9fbbdf2587 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml @@ -142,10 +142,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-btls/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml index 1fdb9af1170..acacb721e8c 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml @@ -139,10 +139,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-btls/rule/0 settings: - addressType: IP 
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.out.yaml index 0df8e3e1b4a..156b563b509 100755 --- a/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.out.yaml @@ -143,10 +143,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-btls/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.out.yaml index c5ad9495b2f..dbc75516093 100755 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.out.yaml @@ -218,10 +218,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -241,10 +238,7 @@ xdsIR: loadBalancer: consistentHash: sourceIP: true - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml index edbf09d0398..6206229c7d9 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml 
@@ -545,9 +545,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: httproute/envoy-gateway/httproute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 hostname: '*' @@ -573,9 +574,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: grpcroute/envoy-gateway/grpcroute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 headerMatches: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml index 31566cafdfa..9c1f0126c7e 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml @@ -339,10 +339,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -377,10 +374,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP @@ -401,10 +395,7 @@ xdsIR: abort: httpStatus: 14 percentage: 0.01 - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-use-client-protocol.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-use-client-protocol.out.yaml index 2f43d16b48b..6702f8a9623 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-use-client-protocol.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-use-client-protocol.out.yaml 
@@ -137,10 +137,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml index d76081d3a98..223ccf2735c 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml @@ -321,10 +321,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -351,10 +348,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP @@ -370,10 +364,7 @@ xdsIR: distinct: false name: "" prefix: /foo - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml index b3f265b9b62..a28df73de2b 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml @@ -263,10 +263,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP 
@@ -300,10 +297,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml index ee23bed198b..97bc564d9b1 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml @@ -471,10 +471,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -525,10 +522,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP @@ -564,10 +558,7 @@ xdsIR: interval: 10s maxEjectionPercent: 10 splitExternalLocalOriginErrors: false - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-3/rule/0 settings: - addressType: IP @@ -603,10 +594,7 @@ xdsIR: interval: 8ms maxEjectionPercent: 11 splitExternalLocalOriginErrors: false - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml index 6114cd008d6..36fe54c4648 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml 
@@ -360,10 +360,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -393,10 +390,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP @@ -417,10 +411,7 @@ xdsIR: leastRequest: slowStart: window: 5m0s - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-default-route-level-limit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-default-route-level-limit.out.yaml index c55cf63331e..7e3d794b7c6 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-default-route-level-limit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-default-route-level-limit.out.yaml @@ -160,10 +160,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml index 97090bd582f..5aceec2a5b4 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml 
@@ -164,10 +164,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml index 65c647c9a11..d286951ecdf 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml @@ -160,10 +160,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml index 64b71093d9f..9d82dac487f 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml @@ -167,10 +167,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit.out.yaml index 9c9d73f35cb..9ebb100f64a 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit.out.yaml 
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit.out.yaml @@ -163,10 +163,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-proxyprotocol.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-proxyprotocol.out.yaml index 92245edd5cc..539b7e08312 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-proxyprotocol.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-proxyprotocol.out.yaml @@ -255,10 +255,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -288,10 +285,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml index 3f240552f4a..99115522e3a 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml @@ -146,10 +146,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml index 7a8ea390fff..3907527966b 100644 
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml @@ -275,10 +275,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -318,10 +315,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.out.yaml index e2db512f82a..a889433ee8c 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.out.yaml @@ -274,10 +274,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -314,10 +311,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-same-prefix-httproutes.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-same-prefix-httproutes.out.yaml index ad6bbe269ee..0964d8a2d43 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-same-prefix-httproutes.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-same-prefix-httproutes.out.yaml @@ -179,10 +179,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP 
@@ -203,10 +200,7 @@ xdsIR: maxConnections: 2048 maxParallelRequests: 4294967295 maxPendingRequests: 1 - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml index e61c3b211a4..857ec1e89d1 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml @@ -291,7 +291,6 @@ xdsIR: maxConnectionDuration: 17s tcp: connectTimeout: 15s - tls: {} udp: - address: 0.0.0.0 destination: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml index 811442554f4..5c0f2240bd6 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml @@ -364,7 +364,6 @@ xdsIR: maxConnectionDuration: 17s tcp: connectTimeout: 15s - tls: {} udp: - address: 0.0.0.0 destination: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcpkeepalive.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcpkeepalive.out.yaml index 902cdd31384..187cb39eac2 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcpkeepalive.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcpkeepalive.out.yaml 
@@ -259,10 +259,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -294,10 +291,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml index 01871b5578f..c32fa1ae20e 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml @@ -137,10 +137,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml index b7dc2f6a064..e7ad5be9b78 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml @@ -263,10 +263,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -300,10 +297,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml index eb7503a4b31..25987f33f78 100644 
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml @@ -143,10 +143,7 @@ xdsIR: mergeSlashes: true port: 10443 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/conflicting-policies.out.yaml b/internal/gatewayapi/testdata/conflicting-policies.out.yaml index 9bb89edf906..d6a50d7db5c 100644 --- a/internal/gatewayapi/testdata/conflicting-policies.out.yaml +++ b/internal/gatewayapi/testdata/conflicting-policies.out.yaml @@ -275,10 +275,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/bdkzlmibsivuiqav/rule/0 settings: - addressType: IP @@ -304,10 +301,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/mfqjpuycbgjrtdww/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/custom-filter-order.out.yaml b/internal/gatewayapi/testdata/custom-filter-order.out.yaml index aac42e9966c..5a520a9a9da 100755 --- a/internal/gatewayapi/testdata/custom-filter-order.out.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.out.yaml @@ -235,9 +235,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: httproute/envoy-gateway/httproute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 hostname: www.example.com diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml index 7b2e5dce6d1..76a40d590b1 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml @@ -214,10 +214,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -241,10 +238,7 @@ xdsIR: distinct: false name: "" prefix: /foo - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml index a4ed5badfde..a18fd36001c 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml @@ -545,9 +545,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: httproute/envoy-gateway/httproute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 hostname: '*' @@ -572,9 +573,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: grpcroute/envoy-gateway/grpcroute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 headerMatches: diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml index 209fd00dc20..27619e60e35 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml 
@@ -140,10 +140,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml index 65ca50c9cc4..ac556bd8a52 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml @@ -140,10 +140,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml index 49b831c2def..09b3ecdccca 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml @@ -142,10 +142,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml index 5c730909e6d..630a246f8b3 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml 
@@ -141,10 +141,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml index a85f3205e70..8dfa6a9bf5f 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml @@ -290,10 +290,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -328,10 +325,7 @@ xdsIR: distinct: false name: "" prefix: /foo - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml index 1a5eb4604c9..2d1b6d1825d 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml @@ -215,10 +215,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -254,10 +251,7 @@ xdsIR: distinct: false name: "" prefix: /foo - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP 
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml index f248162b5a3..30bda358c18 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml @@ -241,10 +241,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -273,10 +270,7 @@ xdsIR: url: https://www.test.com/wasm-filter-3.wasm name: envoyextensionpolicy/default/policy-for-http-route/0 wasmName: wasm-filter-3 - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml index 6408f39b790..5370ff414c2 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml @@ -165,10 +165,7 @@ xdsIR: mergeSlashes: true port: 10443 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-tls/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-valid-extension-filter.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-valid-extension-filter.out.yaml index ed697a91ad0..be79b38f74c 100644 --- a/internal/gatewayapi/testdata/extensions/httproute-with-valid-extension-filter.out.yaml +++ b/internal/gatewayapi/testdata/extensions/httproute-with-valid-extension-filter.out.yaml 
@@ -117,10 +117,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml index 7ec08cdd2c8..89a00e7bea8 100644 --- a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml @@ -106,10 +106,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml index 2cca7a21513..938e2acb61c 100644 --- a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml +++ b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml @@ -124,10 +124,7 @@ xdsIR: mergeSlashes: true port: 10443 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml index 78d9c5cf752..736c23a35b7 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml 
@@ -94,3 +94,9 @@ xdsIR: - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp port: 10162 + routes: + - destination: + name: tcproute/default/tcproute-1/rule/-1 + settings: + - weight: 1 + name: tcproute/default/tcproute-1 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml index 417b1a5d68a..cbc01a3d11d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml @@ -81,9 +81,9 @@ tcpRoutes: status: "True" type: Accepted - lastTransitionTime: null - message: One and only one backend is supported - reason: InvalidBackend - status: "False" + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: @@ -98,3 +98,20 @@ xdsIR: - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp port: 10080 + routes: + - destination: + name: tcproute/default/tcproute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: TCP + weight: 50 + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: TCP + weight: 50 + name: tcproute/default/tcproute-1 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml index a501e2a7ccd..14a14acfe1d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml 
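Review bot: The new expectation in gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml carries a route whose only destination setting is `- weight: 1`, with no `addressType` or `endpoints`, where the old expectation had no route on this listener at all. The UDP counterpart, gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml, gains the same endpoint-less setting. A backend that failed the port/protocol check now reaches xdsIR instead of being dropped, and this golden file does not show what the proxy does with such a setting. Presumably it should become a cluster with no hosts, so that connections fail rather than being forwarded. I would add a translator-level fixture for exactly this IR and confirm that the route status, which is outside this hunk, still reports the unresolved reference.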
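Review bot: In gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml, both new destination settings resolve to the same `host: 7.7.7.7` / `port: 8080` with `weight: 50`. The fixture would therefore still pass if the translator emitted the first backendRef twice or attached the weights to the wrong backend. gateway-with-listener-with-udproute-with-multiple-backends.out.yaml has the same property with port 8162. Because this change turns the "One and only one backend is supported" rejection into `ResolvedRefs` with `status: "True"`, the per-backend mapping is the behaviour worth pinning. Unequal weights in the .in.yaml, for example `weight: 30` on service-1 and `weight: 70` on service-2, would make it visible in the expected output without depending on which ports the test services expose.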
@@ -113,10 +113,7 @@ xdsIR: mergeSlashes: true port: 10443 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml index deeae09f620..d83e9660cff 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml @@ -182,10 +182,7 @@ xdsIR: mergeSlashes: true port: 10443 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml index ddbf1400ee6..2fbbe314fa5 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml @@ -90,3 +90,11 @@ xdsIR: accessLog: text: - path: /dev/stdout + udp: + - address: 0.0.0.0 + destination: + name: udproute/default/udproute-1/rule/-1 + settings: + - weight: 1 + name: envoy-gateway/gateway-1/udp/udproute-1 + port: 10162 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.in.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.in.yaml index 6dfe97fba5e..fc6b8aec64d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.in.yaml 
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.in.yaml @@ -26,8 +26,8 @@ udpRoutes: rules: - backendRefs: - name: service-1 - port: 8080 + port: 8162 weight: 50 - name: service-2 - port: 8080 + port: 8162 weight: 50 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml index 69ece808c6b..7141e821a37 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml @@ -67,10 +67,10 @@ udpRoutes: rules: - backendRefs: - name: service-1 - port: 8080 + port: 8162 weight: 50 - name: service-2 - port: 8080 + port: 8162 weight: 50 status: parents: @@ -81,9 +81,9 @@ udpRoutes: status: "True" type: Accepted - lastTransitionTime: null - message: One and only one backend is supported - reason: InvalidBackend - status: "False" + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: @@ -94,3 +94,22 @@ xdsIR: accessLog: text: - path: /dev/stdout + udp: + - address: 0.0.0.0 + destination: + name: udproute/default/udproute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 50 + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 50 + name: envoy-gateway/gateway-1/udp/udproute-1 + port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml index e197d01d60b..b6d1092b87b 100644 
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml @@ -115,10 +115,7 @@ xdsIR: mergeSlashes: true port: 10443 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml index e9534d5bd7b..1a610141c4d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml @@ -115,10 +115,7 @@ xdsIR: mergeSlashes: true port: 10443 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml index cdc613c4a9a..511c9948aa6 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml @@ -112,10 +112,7 @@ xdsIR: mergeSlashes: true port: 10443 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP 
diff --git a/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml b/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml index aefd53705de..49ef24efe2c 100644 --- a/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml @@ -106,10 +106,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml index 6441a614d07..f7fd4e2752c 100644 --- a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml @@ -136,4 +136,3 @@ xdsIR: protocol: TCP weight: 1 name: tcproute/default/tcproute-1 - tls: {} diff --git a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml index acb517c5b82..8b700e44d4b 100644 --- a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml @@ -112,10 +112,7 @@ xdsIR: mergeSlashes: true port: 10443 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml index 923ff633afe..e3bc11e2cc5 100644 
--- a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml @@ -129,4 +129,3 @@ xdsIR: protocol: TCP weight: 1 name: tcproute/default/tcproute-1 - tls: {} diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml index e43457681d5..f9f59d28d27 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml @@ -178,10 +178,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP @@ -197,10 +194,7 @@ xdsIR: distinct: false name: "" prefix: /test - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -226,10 +220,7 @@ xdsIR: mergeSlashes: true port: 10081 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP @@ -245,10 +236,7 @@ xdsIR: distinct: false name: "" prefix: /test - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml index 3dc939e6f55..5a5d4d9dcb9 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml 
+++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml @@ -173,10 +173,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -207,4 +204,3 @@ xdsIR: protocol: TCP weight: 1 name: tcproute/default/tcproute-1 - tls: {} diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml index 7ac4c4e14b3..88db8d64873 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml @@ -173,10 +173,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml index b667e4243a1..d2d74cd296e 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml @@ -174,7 +174,6 @@ xdsIR: protocol: TCP weight: 1 name: tcproute/default/tcproute-1 - tls: {} - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp2 port: 10163 @@ -189,4 +188,3 @@ xdsIR: protocol: TCP weight: 1 name: tcproute/default/tcproute-2 - tls: {} 
diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml index f39d2f4bedb..20519f07857 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml @@ -170,7 +170,6 @@ xdsIR: protocol: TCP weight: 1 name: tcproute/default/tcproute-1 - tls: {} - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp2 port: 10162 @@ -185,4 +184,3 @@ xdsIR: protocol: TCP weight: 1 name: tcproute/default/tcproute-1 - tls: {} diff --git a/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml index 23d899faad6..f51ff89282d 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml @@ -106,10 +106,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml index 2c5ecc13bf0..fbc957f6a32 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml @@ -110,10 +110,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP 
diff --git a/internal/gatewayapi/testdata/grpcroute-with-method-and-service-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-method-and-service-match.out.yaml index eb7ce849a96..57a04d53358 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-method-and-service-match.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-method-and-service-match.out.yaml @@ -114,10 +114,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -133,10 +130,7 @@ xdsIR: distinct: false exact: /com.example/Example name: "" - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/grpcroute-with-method-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-method-match.out.yaml index 82a2584d195..95f9675985d 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-method-match.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-method-match.out.yaml @@ -112,10 +112,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -131,10 +128,7 @@ xdsIR: distinct: false name: "" safeRegex: /(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*/FooBar[0-9]+ - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml index ad5e96b684b..85f8e4fd6ae 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml 
+++ b/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml @@ -115,9 +115,6 @@ xdsIR: - append: true name: my-header value: foo - backendWeights: - invalid: 0 - valid: 0 destination: name: grpcroute/default/grpcroute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml index aa2ef46b259..76f28bb638e 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml @@ -112,10 +112,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -131,10 +128,7 @@ xdsIR: distinct: false name: "" safeRegex: /com.[A-Z]+/[A-Za-z_][A-Za-z_0-9]* - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml index 3a85ecb7c9e..bd25d7bc60b 100644 --- a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml +++ b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml @@ -144,10 +144,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml index 097b37b516a..e1794349d1d 100644 
--- a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml +++ b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml @@ -264,10 +264,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -301,10 +298,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml index 197503b51c5..2b9d2ead500 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml @@ -366,10 +366,7 @@ xdsIR: mergeSlashes: true port: 10081 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -395,10 +392,7 @@ xdsIR: mergeSlashes: true port: 10082 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -424,10 +418,7 @@ xdsIR: mergeSlashes: true port: 10083 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -453,10 +444,7 @@ xdsIR: mergeSlashes: true port: 10084 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP 
@@ -482,10 +470,7 @@ xdsIR: mergeSlashes: true port: 10085 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -511,10 +496,7 @@ xdsIR: mergeSlashes: true port: 10086 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -540,10 +522,7 @@ xdsIR: mergeSlashes: true port: 10087 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -569,10 +548,7 @@ xdsIR: mergeSlashes: true port: 10088 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml index 1c238cdf039..778cd512009 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml @@ -317,10 +317,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -346,10 +343,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -375,10 +369,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP 
@@ -404,10 +395,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -433,10 +421,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -462,10 +447,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -491,10 +473,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -520,10 +499,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml index e16ff66b0ea..90a0f7b5714 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml @@ -148,10 +148,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -177,10 +174,7 @@ xdsIR: mergeSlashes: true port: 10443 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP 
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml index 1d39beaf5e7..893b7e3cee9 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml @@ -137,10 +137,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -166,10 +163,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml index 352a6da41a5..a96437f62a6 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml @@ -106,10 +106,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml index 6ddbd88af2a..b28b77d40ef 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml 
@@ -110,10 +110,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml index 3e2ef78a015..3154e235a56 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml @@ -148,10 +148,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-diff-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-diff-address-type.out.yaml index e2a3401c217..41fb649c610 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-diff-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-diff-address-type.out.yaml @@ -114,10 +114,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: FQDN diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-same-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-same-address-type.out.yaml index a1e080d6482..39e96414cc3 100644 
--- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-same-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-same-address-type.out.yaml @@ -114,10 +114,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: FQDN diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-fqdn-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-fqdn-address-type.out.yaml index 134162f6b5c..2fb1c6bf723 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-fqdn-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-fqdn-address-type.out.yaml @@ -110,10 +110,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: FQDN diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml index 8a3c4a0587a..cea76f60b53 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml @@ -110,10 +110,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: Mixed 
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref.out.yaml index c1bb62b6797..de50a036fd6 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref.out.yaml @@ -110,10 +110,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml index 0d0d1755ef4..e974a543f7c 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml @@ -108,10 +108,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml index 33076734d2d..e25c7316fea 100644 --- a/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml +++ b/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml @@ -110,10 +110,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml index 49c64cfe615..32ab3d343f9 100644 
--- a/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml +++ b/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml @@ -110,10 +110,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml index 6a99fbe90e3..58ba3b90737 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml @@ -103,10 +103,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml index 8a8b799c552..49801fd00cc 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml +++ b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml @@ -110,10 +110,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml index b962d108c8b..a247d619d2e 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml @@ -116,10 +116,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml index a170bf0e21f..0e30d1fe8f8 100644 --- a/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml @@ -108,10 +108,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-backendref-serviceimport-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/httproute-with-backendref-serviceimport-in-other-namespace-allowed-by-refgrant.out.yaml index 2501f9d8c20..220ca8837b2 100644 --- a/internal/gatewayapi/testdata/httproute-with-backendref-serviceimport-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-backendref-serviceimport-in-other-namespace-allowed-by-refgrant.out.yaml @@ -110,10 +110,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml b/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml index d345186e64c..9139e3d0596 100644 
--- a/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml @@ -105,10 +105,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml index d1b3c41b858..f9c016ce18c 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml @@ -136,9 +136,6 @@ xdsIR: - append: true name: add-header-3 value: some-value - backendWeights: - invalid: 0 - valid: 0 destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml index ec57fd25d09..44d663d5727 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml @@ -152,9 +152,6 @@ xdsIR: - append: false name: set-header-4 value: some-value - backendWeights: - invalid: 0 - valid: 0 destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml index c290d1a96c5..56bf4ab65ad 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml @@ -122,10 +122,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml index d6d97d8e7d4..0de03eca628 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml @@ -117,10 +117,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml index c74c9294dab..cfce6ae709c 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml @@ -127,9 +127,6 @@ xdsIR: - append: false name: example-header-1 value: "" - backendWeights: - invalid: 0 - valid: 0 destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml index d06a9820f7a..ef7ed7ff100 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml 
@@ -114,10 +114,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml index f0e08c90108..a2ea25b14b5 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml @@ -118,10 +118,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml index d976cb93f38..54e0ea88d40 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml @@ -107,9 +107,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 hostname: '*' diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml index fe064903ada..1029946b473 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml 
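Review bot: The expected route in httproute-with-invalid-backend-ref-bad-port now has a `destination` whose only `settings` entry is `- weight: 1`, next to `directResponse: statusCode: 500`. Nothing in the fixture marks that entry as an invalid backendRef rather than a valid backend that currently has no endpoints. The other httproute-with-invalid-backend-ref-* fixtures and httproute-with-invalid-backendref-in-other-namespace have the same shape, and httproute-with-some-invalid-backend-refs-no-service has two endpoint-less `- weight: 1` entries ahead of the real backend. With the explicit `backendWeights` `invalid`/`valid` counters removed, the 500 share for invalid refs is presumably derived later from settings without endpoints. That code is not in these hunks, so it is worth confirming that an xDS-level golden test still asserts the weighted 500 behaviour, and that such entries are not silently dropped, which would shift all traffic to the remaining backend. A comment in the matching test input such as `# invalid backendRef: expect an endpoint-less setting carrying its weight, answered with 500` would record the convention.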
@@ -111,9 +111,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 hostname: '*' diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml index bee00784ac7..5deb6eea7f4 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml @@ -108,9 +108,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 hostname: '*' diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml index 417f53c7dfb..9fc9447f929 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml @@ -107,9 +107,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 hostname: '*' diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml index a6c22425e84..38db11e9da1 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml 
@@ -109,9 +109,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 hostname: '*' diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml index 2bf53591ed3..2cd197a2297 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml @@ -107,9 +107,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 hostname: '*' diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml index 26c803f9d91..5aaa08d2f41 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml @@ -113,9 +113,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 hostname: '*' diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml index cc0cc881a87..73d6d2e0ebf 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml 
@@ -108,9 +108,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 hostname: '*' diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml index 8ed5fe11eff..fcf2331b3d4 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml @@ -124,10 +124,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml index 425bebf34b3..d3c1278628f 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml @@ -146,9 +146,6 @@ xdsIR: - append: false name: X-Header-Set value: set-overwrites-values - backendWeights: - invalid: 0 - valid: 0 destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml index 60b599dcdd7..75b65817e36 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml 
@@ -118,10 +118,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml index 724d00e1ecc..758293335d4 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml @@ -118,10 +118,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml index d98e16bd4d3..33dd4c62de2 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml @@ -118,10 +118,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml index c1f9030ef3c..7b34d1d8809 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml 
@@ -116,10 +116,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - hostname: gateway.envoyproxy.io + - hostname: gateway.envoyproxy.io isHTTP2: false name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io pathMatch: diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml index 0cc17703e29..4ef1c86052e 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml @@ -114,10 +114,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - hostname: gateway.envoyproxy.io + - hostname: gateway.envoyproxy.io isHTTP2: false name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io pathMatch: diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml index bb9d2644130..3040ddd27e6 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml @@ -117,10 +117,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - hostname: gateway.envoyproxy.io + - hostname: gateway.envoyproxy.io isHTTP2: false name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io pathMatch: diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml index b3625b41e1a..9d14e6231cf 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml @@ -148,9 +148,6 @@ xdsIR: - append: false name: set-header-4 value: some-value - backendWeights: - invalid: 0 - valid: 0 destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml index 05f34deb133..582efee93df 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml @@ -136,9 +136,6 @@ xdsIR: - append: true name: add-header-3 value: some-value - backendWeights: - invalid: 0 - valid: 0 destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml index 6c95d3dbc5f..d4ca73c555b 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml @@ -152,9 +152,6 @@ xdsIR: - append: false name: set-header-4 value: some-value - backendWeights: - invalid: 0 - valid: 0 destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml index 3183508ec02..20d977a5bd7 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml @@ -122,10 +122,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml index e20ab6f52fc..55ab627dbe1 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml @@ -117,10 +117,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml index 4de5380a305..20f48f85df3 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml @@ -127,9 +127,6 @@ xdsIR: - append: false name: example-header-1 value: "" - backendWeights: - invalid: 0 - valid: 0 destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml index 41667e93380..1fef736b4aa 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml @@ -114,10 +114,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml index 4e06010a1a2..c018bfcf9d2 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml @@ -118,10 +118,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml index 9f7d91d4ec7..a6b960c340f 100644 --- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml @@ -107,10 +107,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml index 55059d9d6ee..839e2c4d7c6 100644 --- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml 
@@ -105,10 +105,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml index f48725ca3ce..b6b4f50e211 100644 --- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml @@ -111,10 +111,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml b/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml index da444284df0..1a2a5e1f78c 100644 --- a/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml @@ -111,12 +111,11 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 2 - valid: 1 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: + - weight: 1 + - weight: 1 - addressType: IP endpoints: - host: 7.7.7.7 diff --git a/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml index f2aab324c92..619a610b3c8 100644 
--- a/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml @@ -109,10 +109,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml index f07df0591d4..0472bfb73af 100644 --- a/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml @@ -110,10 +110,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -129,10 +126,7 @@ xdsIR: distinct: false name: "" prefix: / - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml index e2cbea3dd90..838a4c9df53 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml 
@@ -117,10 +117,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml index 2b59d98a5b1..0bdcb79425b 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml @@ -118,10 +118,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml index 6a2571e0e26..0384ecaf954 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml @@ -115,10 +115,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml index 79131ac54f1..e2c93de1d8c 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml 
@@ -115,10 +115,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml index 44067c28c56..9300b9c8798 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml @@ -117,10 +117,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml index 0353ec71963..a85f7062d05 100644 --- a/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml @@ -108,10 +108,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml b/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml index 58921ad7474..395168b46a1 100644 --- a/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml +++ b/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml 
@@ -293,10 +293,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-2/rule/0 settings: - addressType: IP @@ -316,10 +313,7 @@ xdsIR: - distinct: false exact: "yes" name: debug - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-3/rule/0 settings: - addressType: IP @@ -335,10 +329,7 @@ xdsIR: distinct: false name: "" prefix: /v1/example - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-4/rule/0 settings: - addressType: IP @@ -358,10 +349,7 @@ xdsIR: distinct: false name: "" prefix: /v1/status - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-5/rule/0 settings: - addressType: IP @@ -377,10 +365,7 @@ xdsIR: distinct: false name: "" prefix: /v1/status - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-1/rule/0 settings: - addressType: IP @@ -396,10 +381,7 @@ xdsIR: distinct: false name: "" prefix: /foo - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-1/rule/0 settings: - addressType: IP @@ -415,10 +397,7 @@ xdsIR: distinct: false name: "" prefix: /foo - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/envoy-gateway/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.out.yaml b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.out.yaml index e02cf0852f4..32a125fa2b6 100644 --- a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.out.yaml +++ b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.out.yaml 
@@ -233,10 +233,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -271,10 +268,7 @@ xdsIR: mergeSlashes: true port: 8888 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml index 62df76b1ba8..5c74b388d27 100755 --- a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml +++ b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml @@ -511,10 +511,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -564,10 +561,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP @@ -617,10 +611,7 @@ xdsIR: mergeSlashes: true port: 10081 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-3/rule/0 settings: - addressType: IP @@ -662,10 +653,7 @@ xdsIR: mergeSlashes: true port: 10081 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-4/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml index 9c3438bffa9..d8f3ae18064 100644 --- a/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml +++ b/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml 
@@ -303,10 +303,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -353,10 +350,7 @@ xdsIR: mergeSlashes: true port: 8888 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml b/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml index 3683c0fd036..96ddcaa0ccd 100755 --- a/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml @@ -246,10 +246,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -284,10 +281,7 @@ xdsIR: - x-header-7 - x-header-8 maxAge: 33m20s - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml index c92591ff933..a564d9d860f 100755 --- a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml @@ -416,9 +416,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: httproute/envoy-gateway/httproute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 hostname: '*' 
@@ -444,9 +445,10 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 1 - valid: 0 + - destination: + name: grpcroute/envoy-gateway/grpcroute-1/rule/0 + settings: + - weight: 1 directResponse: statusCode: 500 headerMatches: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml index 402a4a3e4a2..820b860c4ba 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml @@ -222,10 +222,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -245,10 +242,7 @@ xdsIR: basicAuth: name: securitypolicy/default/policy-for-http-route-1 users: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo= - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/1 settings: - addressType: IP @@ -268,10 +262,7 @@ xdsIR: basicAuth: name: securitypolicy/default/policy-for-http-route-1 users: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo= - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml index f5dff15241d..1054edccc26 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml 
@@ -412,10 +412,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -464,10 +461,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -517,10 +511,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml index f13afd5abf3..0d8bb167f23 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml @@ -146,10 +146,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml index 0d52890c692..eb68592572c 100755 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml @@ -146,10 +146,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml index bcbc82868f7..648d8567a82 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml @@ -147,10 +147,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml index 9f051341a41..62ac5dabd39 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml @@ -146,10 +146,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml index aa7fd5e3738..ae40c82a579 100755 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml @@ -291,10 +291,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP 
@@ -333,10 +330,7 @@ xdsIR: - header1 - header2 name: securitypolicy/default/policy-for-http-route - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml index 89374356f49..4d7686f8fd7 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml @@ -232,10 +232,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -269,10 +266,7 @@ xdsIR: - header1 - header2 name: securitypolicy/default/policy-for-http-route-1 - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/1 settings: - addressType: IP @@ -306,10 +300,7 @@ xdsIR: - header1 - header2 name: securitypolicy/default/policy-for-http-route-1 - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml index 4cb4593139a..6c9172f65ad 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml @@ -244,10 +244,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP 
@@ -275,10 +272,7 @@ xdsIR: name: example1 remoteJWKS: uri: https://one.example.com/jwt/public-key/jwks.json - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml index f86b30220ca..1602842473b 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml @@ -291,10 +291,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -342,10 +339,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-with-custom-extractor.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-with-custom-extractor.out.yaml index 23183e0da9e..dc18e67a6d1 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-with-custom-extractor.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-with-custom-extractor.out.yaml @@ -290,10 +290,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -341,10 +338,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml index 0560f023a0a..00ff67b23db 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml @@ -282,10 +282,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: grpcroute/default/grpcroute-1/rule/0 settings: - addressType: IP @@ -333,10 +330,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml index 821dcd7090e..ba458c5a557 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml @@ -236,10 +236,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -274,10 +271,7 @@ xdsIR: - openid - email - profile - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/tracing-merged-multiple-routes.out.yaml b/internal/gatewayapi/testdata/tracing-merged-multiple-routes.out.yaml index 08e2e85c06e..8ff7d8ec5b2 100755 --- a/internal/gatewayapi/testdata/tracing-merged-multiple-routes.out.yaml +++ b/internal/gatewayapi/testdata/tracing-merged-multiple-routes.out.yaml 
@@ -240,10 +240,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -278,10 +275,7 @@ xdsIR: mergeSlashes: true port: 8888 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/gatewayapi/testdata/tracing-multiple-routes.out.yaml b/internal/gatewayapi/testdata/tracing-multiple-routes.out.yaml index fb5c6f89acc..d8d945ac796 100755 --- a/internal/gatewayapi/testdata/tracing-multiple-routes.out.yaml +++ b/internal/gatewayapi/testdata/tracing-multiple-routes.out.yaml @@ -265,10 +265,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -313,10 +310,7 @@ xdsIR: mergeSlashes: true port: 8888 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 25e3f583461..6d9ac357e73 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -379,6 +379,7 @@ type ClientIPDetectionSettings egv1a1.ClientIPDetectionSettings // BackendWeights stores the weights of valid and invalid backends for the route so that 500 error responses can be returned in the same proportions type BackendWeights struct { + Name string `json:"name" yaml:"name"` Valid uint32 `json:"valid" yaml:"valid"` Invalid uint32 `json:"invalid" yaml:"invalid"` } 
@@ -456,8 +457,6 @@ type HTTPRoute struct { HeaderMatches []*StringMatch `json:"headerMatches,omitempty" yaml:"headerMatches,omitempty"` // QueryParamMatches define the match conditions on the query parameters. QueryParamMatches []*StringMatch `json:"queryParamMatches,omitempty" yaml:"queryParamMatches,omitempty"` - // DestinationWeights stores the weights of valid and invalid backends for the route so that 500 error responses can be returned in the same proportions - BackendWeights BackendWeights `json:"backendWeights" yaml:"backendWeights"` // AddRequestHeaders defines header/value sets to be added to the headers of requests. AddRequestHeaders []AddHeader `json:"addRequestHeaders,omitempty" yaml:"addRequestHeaders,omitempty"` // RemoveRequestHeaders defines a list of headers to be removed from requests. @@ -918,7 +917,7 @@ type RouteDestination struct { } // Validate the fields within the RouteDestination structure -func (r RouteDestination) Validate() error { +func (r *RouteDestination) Validate() error { var errs error if len(r.Name) == 0 { errs = errors.Join(errs, ErrDestinationNameEmpty) 
@@ -932,14 +931,35 @@ func (r RouteDestination) Validate() error { return errs } +func (r *RouteDestination) ToBackendWeights() *BackendWeights { + w := &BackendWeights{ + Name: r.Name, + } + + for _, s := range r.Settings { + if s.Weight == nil { + continue + } + + if len(s.Endpoints) > 0 { + w.Valid += *s.Weight + } else { + w.Invalid += *s.Weight + } + } + + return w +} + // DestinationSetting holds the settings associated with the destination // +kubebuilder:object:generate=true type DestinationSetting struct { - // Weight associated with this destination. - // Note: Weight is not used in TCP/UDP route. + // Weight associated with this destination, + // invalid endpoints are represents with a + // non-zero weight with an empty endpoints list Weight *uint32 `json:"weight,omitempty" yaml:"weight,omitempty"` // Protocol associated with this destination/port. - Protocol AppProtocol `json:"protocol" yaml:"protocol"` + Protocol AppProtocol `json:"protocol,omitempty" yaml:"protocol,omitempty"` Endpoints []*DestinationEndpoint `json:"endpoints,omitempty" yaml:"endpoints,omitempty"` // AddressTypeState specifies the state of DestinationEndpoint address type. AddressType *DestinationAddressType `json:"addressType,omitempty" yaml:"addressType,omitempty"` @@ -948,7 +968,7 @@ type DestinationSetting struct { } // Validate the fields within the RouteDestination structure -func (d DestinationSetting) Validate() error { +func (d *DestinationSetting) Validate() error { var errs error for _, ep := range d.Endpoints { if err := ep.Validate(); err != nil { diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go index d777aa7a58d..ec1b0f74132 100644 --- a/internal/ir/xds_test.go +++ b/internal/ir/xds_test.go @@ -182,9 +182,6 @@ var ( PathMatch: &StringMatch{ Exact: ptr.To("invalid-backend"), }, - BackendWeights: BackendWeights{ - Invalid: 1, - }, } weightedInvalidBackendsHTTPRoute = HTTPRoute{ Name: "weighted-invalid-backends", 
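Review bot: `ToBackendWeights` decides valid versus invalid only from `len(s.Endpoints) > 0`, so any weighted setting with an empty endpoint list is added to `Invalid`, whatever the reason the list is empty. If the gateway-api translator can emit a weighted setting without endpoints for a backend that did resolve (not visible in this diff), that share of traffic would go to `invalid-backend-cluster` and receive the 500 response, so the contract is worth confirming. The exported method also has no doc comment; something like `// ToBackendWeights sums setting weights into Valid (settings with endpoints) and Invalid (weighted settings without endpoints); settings with a nil Weight are skipped.` would record it. The new `Weight` field comment in the same hunk reads "are represents with", which should be "are represented by".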
@@ -193,10 +190,6 @@ var ( Exact: ptr.To("invalid-backends"), }, Destination: &happyRouteDestination, - BackendWeights: BackendWeights{ - Invalid: 1, - Valid: 1, - }, } redirectHTTPRoute = HTTPRoute{ diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 514543c80a9..172ac9ec493 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -969,7 +969,6 @@ func (in *HTTPRoute) DeepCopyInto(out *HTTPRoute) { } } } - out.BackendWeights = in.BackendWeights if in.AddRequestHeaders != nil { in, out := &in.AddRequestHeaders, &out.AddRequestHeaders *out = make([]AddHeader, len(*in)) diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go index bf68ac7df45..c8205fa9509 100644 --- a/internal/xds/translator/route.go +++ b/internal/xds/translator/route.go @@ -70,13 +70,10 @@ func buildXdsRoute(httpRoute *ir.HTTPRoute) (*routev3.Route, error) { router.Action = &routev3.Route_Route{Route: routeAction} default: - var routeAction *routev3.RouteAction - if httpRoute.BackendWeights.Invalid != 0 { - // If there are invalid backends then a weighted cluster is required for the route - routeAction = buildXdsWeightedRouteAction(httpRoute) - } else { - routeAction = buildXdsRouteAction(httpRoute) - } + backendWeights := httpRoute.Destination.ToBackendWeights() + routeAction := buildXdsRouteAction(backendWeights) + routeAction.IdleTimeout = idleTimeout(httpRoute) + if httpRoute.Mirrors != nil { routeAction.RequestMirrorPolicies = buildXdsRequestMirrorPolicies(httpRoute.Mirrors) } 
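Review bot: In the `default:` branch of buildXdsRoute, `httpRoute.Destination.ToBackendWeights()` is now called unconditionally, and the pointer-receiver method reads `r.Name`, so a route that reaches this branch with a nil `Destination` panics the translator. The removed code only touched `Destination` when `BackendWeights.Valid > 0` on the weighted path, and the deleted `BackendWeights{Invalid: 1}` fixture in xds_test.go suggests routes with only invalid backends could exist without a destination, although the full fixture is not visible. A guard before the call, for example `if httpRoute.Destination == nil { return nil, errors.New("route has no destination") }` (assuming `errors` is available in route.go), turns that into a translation error rather than a control-plane crash. buildXdsRoute starts and ends outside the hunk, so earlier `case` arms may already exclude this.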
@@ -225,27 +222,31 @@ func buildXdsStringMatcher(irMatch *ir.StringMatch) *matcherv3.StringMatcher { return stringMatcher } -func buildXdsRouteAction(httpRoute *ir.HTTPRoute) *routev3.RouteAction { - return &routev3.RouteAction{ - ClusterSpecifier: &routev3.RouteAction_Cluster{ - Cluster: httpRoute.Destination.Name, - }, - IdleTimeout: idleTimeout(httpRoute), +func buildXdsRouteAction(backendWeights *ir.BackendWeights) *routev3.RouteAction { + // only use weighted cluster when there are invalid weights + if backendWeights.Invalid == 0 { + return &routev3.RouteAction{ + ClusterSpecifier: &routev3.RouteAction_Cluster{ + Cluster: backendWeights.Name, + }, + } } + + return buildXdsWeightedRouteAction(backendWeights) } -func buildXdsWeightedRouteAction(httpRoute *ir.HTTPRoute) *routev3.RouteAction { +func buildXdsWeightedRouteAction(backendWeights *ir.BackendWeights) *routev3.RouteAction { clusters := []*routev3.WeightedCluster_ClusterWeight{ { Name: "invalid-backend-cluster", - Weight: &wrapperspb.UInt32Value{Value: httpRoute.BackendWeights.Invalid}, + Weight: &wrapperspb.UInt32Value{Value: backendWeights.Invalid}, }, } - if httpRoute.BackendWeights.Valid > 0 { + if backendWeights.Valid > 0 { validCluster := &routev3.WeightedCluster_ClusterWeight{ - Name: httpRoute.Destination.Name, - Weight: &wrapperspb.UInt32Value{Value: httpRoute.BackendWeights.Valid}, + Name: backendWeights.Name, + Weight: &wrapperspb.UInt32Value{Value: backendWeights.Valid}, } clusters = append(clusters, validCluster) } @@ -258,7 +259,6 @@ func buildXdsWeightedRouteAction(httpRoute *ir.HTTPRoute) *routev3.RouteAction { Clusters: clusters, }, }, - IdleTimeout: idleTimeout(httpRoute), } } diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-proc.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-proc.yaml index 90fd067480b..64773de0a1d 100644 --- a/internal/xds/translator/testdata/in/xds-ir/ext-proc.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/ext-proc.yaml 
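Review bot: `buildXdsRouteAction` and `buildXdsWeightedRouteAction` no longer set `IdleTimeout`, and nothing in their signatures tells a caller that it must now be assigned afterwards. The only caller visible in this diff, the `default:` branch of buildXdsRoute, does assign it, but any other caller would silently produce routes with no idle timeout. A short comment on the helper would make the contract explicit, for example `// buildXdsRouteAction returns the cluster or weighted-cluster action for the destination; the caller is responsible for setting IdleTimeout.`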
@@ -9,10 +9,7 @@ http: mergeSlashes: true port: 10080 routes: - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-1/rule/0 settings: - addressType: IP @@ -52,10 +49,7 @@ http: distinct: false name: "" prefix: /foo - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-invalid-backend.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-invalid-backend.yaml index 4419c5222e1..d883bac1fa1 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-invalid-backend.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-invalid-backend.yaml @@ -16,6 +16,5 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 - backendWeights: - invalid: 1 - valid: 1 + weight: 1 + - weight: 1 diff --git a/internal/xds/translator/testdata/in/xds-ir/wasm.yaml b/internal/xds/translator/testdata/in/xds-ir/wasm.yaml index a879c182731..06f767957c1 100644 --- a/internal/xds/translator/testdata/in/xds-ir/wasm.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/wasm.yaml @@ -41,10 +41,7 @@ http: url: https://www.test.com/wasm-filter-3.wasm name: envoyextensionpolicy/default/policy-for-http-route/0 wasmName: wasm-filter-3 - - backendWeights: - invalid: 0 - valid: 0 - destination: + - destination: name: httproute/default/httproute-2/rule/0 settings: - addressType: IP diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.endpoints.yaml index 3b3f2d09076..7f8a0281325 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.endpoints.yaml 
@@ -10,3 +10,6 @@ loadBalancingWeight: 1 locality: region: first-route-dest/backend/0 + - loadBalancingWeight: 1 + locality: + region: first-route-dest/backend/1 From a2fbbad5db9a6fe4a1afa0bc20d0217d022275ca Mon Sep 17 00:00:00 2001 From: Dingkang Li Date: Wed, 15 May 2024 13:20:09 +0800 Subject: [PATCH 7/7] refactor: refactor UDP IR (#3373) * Refactor IR creation for UDPRoute Signed-off-by: Dingkang Li * Remove duplicate code to generate UDP route name Signed-off-by: Dingkang Li * Fix comment Co-authored-by: Arko Dasgupta Signed-off-by: Dingkang Li --------- 
Signed-off-by: Dingkang Li Co-authored-by: Arko Dasgupta --- .../translate/out/default-resources.all.yaml | 2 +- .../out/from-gateway-api-to-xds.all.json | 2 +- .../out/from-gateway-api-to-xds.all.yaml | 2 +- .../out/from-gateway-api-to-xds.listener.yaml | 2 +- internal/gatewayapi/backendtrafficpolicy.go | 24 +++++++--- internal/gatewayapi/helpers.go | 8 ++-- internal/gatewayapi/listener.go | 7 +++ internal/gatewayapi/route.go | 25 +++++----- ...cp-udp-listeners-apply-on-gateway.out.yaml | 40 ++++++++-------- ...-tcp-udp-listeners-apply-on-route.out.yaml | 40 ++++++++-------- ...route-with-mismatch-port-protocol.out.yaml | 12 +++-- ...h-udproute-with-multiple-backends.out.yaml | 34 ++++++------- ...with-udproute-with-multiple-rules.out.yaml | 4 ++ ...-listener-with-unmatched-udproute.out.yaml | 4 ++ ...-listener-with-multiple-udproutes.out.yaml | 22 +++++---- ...th-two-listeners-on-same-udp-port.out.yaml | 22 +++++---- ...-with-same-port-http-udp-protocol.out.yaml | 22 +++++---- ...s-with-udproutes-with-sectionname.out.yaml | 44 +++++++++-------- ...ith-udproutes-without-sectionname.out.yaml | 44 +++++++++-------- .../merge-invalid-multiple-gateways.out.yaml | 4 ++ internal/ir/xds.go | 30 +++++++++++- internal/ir/xds_test.go | 34 +++++++------ internal/ir/zz_generated.deepcopy.go | 26 ++++++++-- .../in/xds-ir/udp-endpoint-stats.yaml | 18 +++---- .../testdata/in/xds-ir/udp-route-invalid.yaml | 16 ++++--- .../testdata/in/xds-ir/udp-route.yaml | 18 +++---- internal/xds/translator/translator.go | 48 ++++++++++--------- 27 files changed, 332 insertions(+), 222 deletions(-) diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 7b8319b6376..cacca5bb7c4 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml 
@@ -1041,7 +1041,7 @@ xds: '@type': type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.Route cluster: udproute/default/backend/rule/-1 statPrefix: service - name: default/eg/udp/backend + name: default/eg/udp - '@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump dynamicRouteConfigs: - routeConfig: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 80be0dae629..476f6cdae77 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -942,7 +942,7 @@ } } ], - "name": "default/eg/udp/backend" + "name": "default/eg/udp" } } } diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index 05c22f5ab88..4481d9989ff 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -560,7 +560,7 @@ xds: '@type': type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.Route cluster: udproute/default/backend/rule/-1 statPrefix: service - name: default/eg/udp/backend + name: default/eg/udp - '@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump dynamicRouteConfigs: - routeConfig: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml index 61288c6e130..2b1c410cd96 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml 
@@ -255,4 +255,4 @@ xds: '@type': type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.Route cluster: udproute/default/backend/rule/-1 statPrefix: service - name: default/eg/udp/backend + name: default/eg/udp diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 1a2df010dae..d29f7d10656 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -354,9 +354,13 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen } for _, udp := range x.UDP { - if strings.HasPrefix(udp.Destination.Name, prefix) { - udp.LoadBalancer = lb - udp.Timeout = to + if udp.Route != nil { + route := udp.Route + + if strings.HasPrefix(route.Destination.Name, prefix) { + route.LoadBalancer = lb + route.Timeout = to + } } } @@ -490,14 +494,20 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back continue } + if udp.Route == nil { + continue + } + + route := udp.Route + // policy(targeting xRoute) has already set it, so we skip it. - if udp.LoadBalancer != nil || udp.Timeout != nil { + if route.LoadBalancer != nil || route.Timeout != nil { continue } - udp.LoadBalancer = lb - if udp.Timeout == nil { - udp.Timeout = ct + route.LoadBalancer = lb + if route.Timeout == nil { + route.Timeout = ct } } diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 246c1f12251..2dfc04a1842 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go 
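Review bot: In the first backendtrafficpolicy.go hunk, `strings.HasPrefix(route.Destination.Name, prefix)` dereferences `route.Destination` after checking only `udp.Route != nil`. The new `UDPRoute.Validate` in internal/ir/xds.go accepts a nil `Destination`, so a route without one would panic the translator here; `processUDPListenerXdsTranslation` in internal/xds/translator/translator.go has the same `route.Destination.Name` dereference behind the same guard. I would tighten the guard to `if route := udp.Route; route != nil && route.Destination != nil {`, or make a nil destination a validation error so that consumers can rely on it. The functions enclosing both loops start and end outside these hunks.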
@@ -347,10 +347,6 @@ func irListenerName(listener *ListenerContext) string { return fmt.Sprintf("%s/%s/%s", listener.gateway.Namespace, listener.gateway.Name, listener.Name) } -func irUDPListenerName(listener *ListenerContext, udpRoute *UDPRouteContext) string { - return fmt.Sprintf("%s/%s/%s/%s", listener.gateway.Namespace, listener.gateway.Name, listener.Name, udpRoute.Name) -} - func irListenerPortName(proto ir.ProtocolType, port int32) string { return strings.ToLower(fmt.Sprintf("%s-%d", proto, port)) } @@ -369,6 +365,10 @@ func irTCPRouteName(route RouteContext) string { return fmt.Sprintf("%s/%s/%s", strings.ToLower(string(GetRouteType(route))), route.GetNamespace(), route.GetName()) } +func irUDPRouteName(route RouteContext) string { + return irTCPRouteName(route) +} + func irRouteDestinationName(route RouteContext, ruleIdx int) string { return fmt.Sprintf("%srule/%d", irRoutePrefix(route), ruleIdx) } diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index 0d9b04a4027..62d60b75f1f 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -124,6 +124,13 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap Port: uint32(containerPort), } xdsIR[irKey].TCP = append(xdsIR[irKey].TCP, irListener) + case gwapiv1.UDPProtocolType: + irListener := &ir.UDPListener{ + Name: irListenerName(listener), + Address: "0.0.0.0", + Port: uint32(containerPort), + } + xdsIR[irKey].UDP = append(xdsIR[irKey].UDP, irListener) } // Add the listener to the Infra IR. Infra IR ports must have a unique port number per layer-4 protocol diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 5edcf53af01..aa1d2091b63 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go 
@@ -929,21 +929,18 @@ func (t *Translator) processUDPRouteParentRefs(udpRoute *UDPRouteContext, resour irKey := t.getIRKey(listener.gateway) - containerPort := servicePortToContainerPort(int32(listener.Port)) - // Create the UDP Listener while parsing the UDPRoute since - // the listener directly links to a routeDestination. - irListener := &ir.UDPListener{ - Name: irUDPListenerName(listener, udpRoute), - Address: "0.0.0.0", - Port: uint32(containerPort), - Destination: &ir.RouteDestination{ - Name: irRouteDestinationName(udpRoute, -1 /*rule index*/), - Settings: destSettings, - }, - } gwXdsIR := xdsIR[irKey] - gwXdsIR.UDP = append(gwXdsIR.UDP, irListener) - + irListener := gwXdsIR.GetUDPListener(irListenerName(listener)) + if irListener != nil { + irRoute := &ir.UDPRoute{ + Name: irUDPRouteName(udpRoute), + Destination: &ir.RouteDestination{ + Name: irRouteDestinationName(udpRoute, -1 /*rule index*/), + Settings: destSettings, + }, + } + irListener.Route = irRoute + } } // If no negative conditions have been set, the route is considered "Accepted=True". diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml index 857ec1e89d1..660c8d7d800 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml 
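Review bot: `irListener.Route = irRoute` overwrites whatever route the listener already holds, and a nil result from `GetUDPListener` drops the route without any status condition being set in this hunk. `UDPListener` now carries a single `Route`, so if two UDPRoutes resolve to the same listener the last one processed wins silently, unless a check outside this hunk already rejects the second attachment. I would make the rule explicit with `if irListener != nil && irListener.Route == nil {` and a comment saying which route is kept, and consider surfacing a condition on the route that loses. processUDPRouteParentRefs starts and ends outside the hunk.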
@@ -293,23 +293,25 @@ xdsIR: connectTimeout: 15s udp: - address: 0.0.0.0 - destination: - name: udproute/default/udp-app-1/rule/-1 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8162 - protocol: UDP - weight: 1 - loadBalancer: - consistentHash: - sourceIP: true - name: default/tcp-gateway/foo/udp-app-1 + name: default/tcp-gateway/foo port: 8162 - timeout: - http: - connectionIdleTimeout: 16s - maxConnectionDuration: 17s - tcp: - connectTimeout: 15s + route: + destination: + name: udproute/default/udp-app-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 1 + loadBalancer: + consistentHash: + sourceIP: true + name: udproute/default/udp-app-1 + timeout: + http: + connectionIdleTimeout: 16s + maxConnectionDuration: 17s + tcp: + connectTimeout: 15s diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml index 5c0f2240bd6..d2c691d719d 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml 
@@ -366,23 +366,25 @@ xdsIR: connectTimeout: 15s udp: - address: 0.0.0.0 - destination: - name: udproute/default/udp-app-1/rule/-1 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8162 - protocol: UDP - weight: 1 - loadBalancer: - consistentHash: - sourceIP: true - name: default/tcp-gateway/foo/udp-app-1 + name: default/tcp-gateway/foo port: 8162 - timeout: - http: - connectionIdleTimeout: 16s - maxConnectionDuration: 17s - tcp: - connectTimeout: 15s + route: + destination: + name: udproute/default/udp-app-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 1 + loadBalancer: + consistentHash: + sourceIP: true + name: udproute/default/udp-app-1 + timeout: + http: + connectionIdleTimeout: 16s + maxConnectionDuration: 17s + tcp: + connectTimeout: 15s diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml index 2fbbe314fa5..2603bbfad7d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml @@ -92,9 +92,11 @@ xdsIR: - path: /dev/stdout udp: - address: 0.0.0.0 - destination: - name: udproute/default/udproute-1/rule/-1 - settings: - - weight: 1 - name: envoy-gateway/gateway-1/udp/udproute-1 + name: envoy-gateway/gateway-1/udp port: 10162 + route: + destination: + name: udproute/default/udproute-1/rule/-1 + settings: + - weight: 1 + name: udproute/default/udproute-1 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml index 7141e821a37..70a5a2a8599 100644 
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml @@ -96,20 +96,22 @@ xdsIR: - path: /dev/stdout udp: - address: 0.0.0.0 - destination: - name: udproute/default/udproute-1/rule/-1 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8162 - protocol: UDP - weight: 50 - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8162 - protocol: UDP - weight: 50 - name: envoy-gateway/gateway-1/udp/udproute-1 + name: envoy-gateway/gateway-1/udp port: 10080 + route: + destination: + name: udproute/default/udproute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 50 + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 50 + name: udproute/default/udproute-1 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml index 56d9c366b02..850f9e64cba 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml @@ -95,3 +95,7 @@ xdsIR: accessLog: text: - path: /dev/stdout + udp: + - address: 0.0.0.0 + name: envoy-gateway/gateway-1/udp + port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-udproute.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-udproute.out.yaml index 27d949d622e..a30d7cf5a5b 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-udproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-udproute.out.yaml 
@@ -58,3 +58,7 @@ xdsIR: accessLog: text: - path: /dev/stdout + udp: + - address: 0.0.0.0 + name: envoy-gateway/gateway-1/udp + port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml index 22e840d232a..4f4555a87e8 100644 --- a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml @@ -123,14 +123,16 @@ xdsIR: - path: /dev/stdout udp: - address: 0.0.0.0 - destination: - name: udproute/default/udproute-1/rule/-1 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8162 - protocol: UDP - weight: 1 - name: envoy-gateway/gateway-1/udp/udproute-1 + name: envoy-gateway/gateway-1/udp port: 10162 + route: + destination: + name: udproute/default/udproute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 1 + name: udproute/default/udproute-1 diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml index 68f755e99ab..5f904c3de3e 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml 
@@ -119,14 +119,16 @@ xdsIR: - path: /dev/stdout udp: - address: 0.0.0.0 - destination: - name: udproute/default/udproute-1/rule/-1 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8162 - protocol: UDP - weight: 1 - name: envoy-gateway/gateway-1/udp1/udproute-1 + name: envoy-gateway/gateway-1/udp1 port: 10162 + route: + destination: + name: udproute/default/udproute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 1 + name: udproute/default/udproute-1 diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml index 88db8d64873..ef9658f0f2a 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml @@ -191,14 +191,16 @@ xdsIR: prefix: / udp: - address: 0.0.0.0 - destination: - name: udproute/default/udproute-1/rule/-1 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8162 - protocol: UDP - weight: 1 - name: envoy-gateway/gateway-1/udp/udproute-1 + name: envoy-gateway/gateway-1/udp port: 10080 + route: + destination: + name: udproute/default/udproute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 1 + name: udproute/default/udproute-1 diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-with-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-with-sectionname.out.yaml index 418f7a0ad4e..00a61415035 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-with-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-with-sectionname.out.yaml 
@@ -161,26 +161,30 @@ xdsIR: - path: /dev/stdout udp: - address: 0.0.0.0 - destination: - name: udproute/default/udproute-1/rule/-1 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8162 - protocol: UDP - weight: 1 - name: envoy-gateway/gateway-1/udp1/udproute-1 + name: envoy-gateway/gateway-1/udp1 port: 10162 + route: + destination: + name: udproute/default/udproute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 1 + name: udproute/default/udproute-1 - address: 0.0.0.0 - destination: - name: udproute/default/udproute-2/rule/-1 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8162 - protocol: UDP - weight: 1 - name: envoy-gateway/gateway-1/udp2/udproute-2 + name: envoy-gateway/gateway-1/udp2 port: 10163 + route: + destination: + name: udproute/default/udproute-2/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 1 + name: udproute/default/udproute-2 diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml index 17b9d4e2253..f6cb6959c4b 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml 
@@ -157,26 +157,30 @@ xdsIR: - path: /dev/stdout udp: - address: 0.0.0.0 - destination: - name: udproute/default/udproute-1/rule/-1 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8162 - protocol: UDP - weight: 1 - name: envoy-gateway/gateway-1/udp1/udproute-1 + name: envoy-gateway/gateway-1/udp1 port: 10161 + route: + destination: + name: udproute/default/udproute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 1 + name: udproute/default/udproute-1 - address: 0.0.0.0 - destination: - name: udproute/default/udproute-1/rule/-1 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8162 - protocol: UDP - weight: 1 - name: envoy-gateway/gateway-1/udp2/udproute-1 + name: envoy-gateway/gateway-1/udp2 port: 10162 + route: + destination: + name: udproute/default/udproute-1/rule/-1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8162 + protocol: UDP + weight: 1 + name: udproute/default/udproute-1 diff --git a/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml b/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml index c37bd4038e5..64eba4e494a 100644 --- a/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml +++ b/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml @@ -145,3 +145,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + udp: + - address: 0.0.0.0 + name: envoy-gateway/gateway-2/udp + port: 10080 diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 6d9ac357e73..b77d26cf759 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go 
@@ -1332,6 +1332,15 @@ type UDPListener struct { Address string `json:"address" yaml:"address"` // Port on which the service can be expected to be accessed by clients. Port uint32 `json:"port" yaml:"port"` + // Route associated with UDP traffic to the listener. + Route *UDPRoute `json:"route,omitempty" yaml:"route,omitempty"` +} + +// UDPRoute holds the route information associated with the UDP Route. +// +k8s:deepcopy-gen=true +type UDPRoute struct { + // Name of the UDPRoute. + Name string `json:"name" yaml:"name"` // Destination associated with UDP traffic to the service. Destination *RouteDestination `json:"destination,omitempty" yaml:"destination,omitempty"` // load balancer policy to use when routing to the backend endpoints. @@ -1352,8 +1361,25 @@ func (h UDPListener) Validate() error { if h.Port == 0 { errs = errors.Join(errs, ErrListenerPortInvalid) } - if h.Destination != nil { - if err := h.Destination.Validate(); err != nil { + + if h.Route != nil { + if err := h.Route.Validate(); err != nil { + errs = errors.Join(errs, err) + } + } + + return errs +} + +func (u UDPRoute) Validate() error { + var errs error + + if u.Name == "" { + errs = errors.Join(errs, ErrRouteNameEmpty) + } + + if u.Destination != nil { + if err := u.Destination.Validate(); err != nil { errs = errors.Join(errs, err) } } diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go index ec1b0f74132..d122f25c6e1 100644 --- a/internal/ir/xds_test.go +++ b/internal/ir/xds_test.go 
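Review bot: The new exported method `UDPRoute.Validate` has no doc comment, and nothing on the type says whether `Destination` may legitimately be nil even though `Validate` skips it in that case. I would add `// Validate the fields within the UDPRoute structure.` above the method and extend the `Destination` field comment to state whether a route without a destination is valid. The `Route` field comment on `UDPListener` could likewise say that a nil route means no UDPRoute is attached to the listener, a state the testdata in this patch exercises.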
@@ -144,26 +144,32 @@ var ( // UDPListener happyUDPListener = UDPListener{ - Name: "happy", - Address: "0.0.0.0", - Port: 80, - Destination: &happyRouteDestination, + Name: "happy", + Address: "0.0.0.0", + Port: 80, + Route: &happyUDPRoute, } invalidNameUDPListener = UDPListener{ - Address: "0.0.0.0", - Port: 80, - Destination: &happyRouteDestination, + Address: "0.0.0.0", + Port: 80, + Route: &happyUDPRoute, } invalidAddrUDPListener = UDPListener{ - Name: "invalid-addr", - Address: "1.0.0", - Port: 80, - Destination: &happyRouteDestination, + Name: "invalid-addr", + Address: "1.0.0", + Port: 80, + Route: &happyUDPRoute, } invalidPortUDPListenerT = UDPListener{ - Name: "invalid-port", - Address: "0.0.0.0", - Port: 0, + Name: "invalid-port", + Address: "0.0.0.0", + Port: 0, + Route: &happyUDPRoute, + } + + // UDPRoute + happyUDPRoute = UDPRoute{ + Name: "happy", Destination: &happyRouteDestination, } diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 172ac9ec493..0024414525f 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go 
@@ -2445,6 +2445,26 @@ func (in *TrafficFeatures) DeepCopy() *TrafficFeatures { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UDPListener) DeepCopyInto(out *UDPListener) { + *out = *in + if in.Route != nil { + in, out := &in.Route, &out.Route + *out = new(UDPRoute) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UDPListener. +func (in *UDPListener) DeepCopy() *UDPListener { + if in == nil { + return nil + } + out := new(UDPListener) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UDPRoute) DeepCopyInto(out *UDPRoute) { *out = *in if in.Destination != nil { in, out := &in.Destination, &out.Destination @@ -2463,12 +2483,12 @@ func (in *UDPListener) DeepCopyInto(out *UDPListener) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UDPListener. -func (in *UDPListener) DeepCopy() *UDPListener { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UDPRoute. +func (in *UDPRoute) DeepCopy() *UDPRoute { if in == nil { return nil } - out := new(UDPListener) + out := new(UDPRoute) in.DeepCopyInto(out) return out } diff --git a/internal/xds/translator/testdata/in/xds-ir/udp-endpoint-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/udp-endpoint-stats.yaml index 4b5b9982aee..fc597f28928 100644 --- a/internal/xds/translator/testdata/in/xds-ir/udp-endpoint-stats.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/udp-endpoint-stats.yaml 
@@ -5,11 +5,13 @@ udp: - name: "udp-route-enable-endpoint-stats" address: "0.0.0.0" port: 10080 - destination: - name: "udp-route-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" - port: 50001 + route: + name: "udp-route" + destination: + name: "udp-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 diff --git a/internal/xds/translator/testdata/in/xds-ir/udp-route-invalid.yaml b/internal/xds/translator/testdata/in/xds-ir/udp-route-invalid.yaml index 39ab4e7f403..29841a984b8 100644 --- a/internal/xds/translator/testdata/in/xds-ir/udp-route-invalid.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/udp-route-invalid.yaml @@ -1,10 +1,12 @@ udp: - name: "udp-route" port: 10080 - destination: - name: "udp-reoute-dest" - settings: - - endpoints: - - host: "" - - host: "5.6.7.8" - port: 50001 + route: + name: "udp-route" + destination: + name: "udp-route-dest" + settings: + - endpoints: + - host: "" + - host: "5.6.7.8" + port: 50001 diff --git a/internal/xds/translator/testdata/in/xds-ir/udp-route.yaml b/internal/xds/translator/testdata/in/xds-ir/udp-route.yaml index fa4ffafc138..a933bdd78a4 100644 --- a/internal/xds/translator/testdata/in/xds-ir/udp-route.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/udp-route.yaml @@ -2,11 +2,13 @@ udp: - name: "udp-route" address: "0.0.0.0" port: 10080 - destination: - name: "udp-route-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" - port: 50001 + route: + name: "udp-route" + destination: + name: "udp-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index cab26d1f905..373d4a7530c 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go 
@@ -529,29 +529,33 @@ func processUDPListenerXdsTranslation(tCtx *types.ResourceVersionTable, udpListe for _, udpListener := range udpListeners { // There won't be multiple UDP listeners on the same port since it's already been checked at the gateway api // translator - xdsListener, err := buildXdsUDPListener(udpListener.Destination.Name, udpListener, accesslog) - if err != nil { - // skip this listener if failed to build xds listener - errs = errors.Join(errs, err) - continue - } - if err := tCtx.AddXdsResource(resourcev3.ListenerType, xdsListener); err != nil { - // skip this listener if failed to add xds listener to the resource version table - errs = errors.Join(errs, err) - continue - } + if udpListener.Route != nil { + route := udpListener.Route - // 1:1 between IR UDPListener and xDS Cluster - if err := addXdsCluster(tCtx, &xdsClusterArgs{ - name: udpListener.Destination.Name, - settings: udpListener.Destination.Settings, - loadBalancer: udpListener.LoadBalancer, - timeout: udpListener.Timeout, - tSocket: nil, - endpointType: buildEndpointType(udpListener.Destination.Settings), - metrics: metrics, - }); err != nil && !errors.Is(err, ErrXdsClusterExists) { - errs = errors.Join(errs, err) + xdsListener, err := buildXdsUDPListener(route.Destination.Name, udpListener, accesslog) + if err != nil { + // skip this listener if failed to build xds listener + errs = errors.Join(errs, err) + continue + } + if err := tCtx.AddXdsResource(resourcev3.ListenerType, xdsListener); err != nil { + // skip this listener if failed to add xds listener to the resource version table + errs = errors.Join(errs, err) + continue + } + + // 1:1 between IR UDPRoute and xDS Cluster + if err := addXdsCluster(tCtx, &xdsClusterArgs{ + name: route.Destination.Name, + settings: route.Destination.Settings, + loadBalancer: route.LoadBalancer, + timeout: route.Timeout, + tSocket: nil, + endpointType: buildEndpointType(route.Destination.Settings), + metrics: metrics, + }); err != nil && 
!errors.Is(err, ErrXdsClusterExists) { + errs = errors.Join(errs, err) + } } } return errs
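Review bot: The whole loop body in processUDPListenerXdsTranslation is now nested under `if udpListener.Route != nil {`, which pushes the listener and cluster construction one level deeper, while the gateway policy loop in backendtrafficpolicy.go in this same patch uses the guard form. I would write `if udpListener.Route == nil { continue }` followed by `route := udpListener.Route` and keep the rest at the original indent. A short comment there should say that a listener without a route produces no xDS listener or cluster, since that skip is otherwise easy to miss. The function starts outside the hunk.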