[release/v1.1] Cherry-Pick envoyproxy#4279, envoyproxy#4296, envoypro…

…xy#4230 (envoyproxy#4315) * fix: Reconcile on HTTPRoute labels change (envoyproxy#4279) * added label change predicate Signed-off-by: Luv <luvk1412@gmail.com> * added labels predicate for xroute and gw Signed-off-by: Luv <luvk1412@gmail.com> * changed predicate to use .Or Signed-off-by: Luv <luvk1412@gmail.com> --------- Signed-off-by: Luv <luvk1412@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> (cherry picked from commit 0d1ccae) Signed-off-by: Guy Daich <guy.daich@sap.com> * fix: handle invalid sectionName in BackendTLSPolicy for Backend (envoyproxy#4296) (cherry picked from commit 73c223e) Signed-off-by: Guy Daich <guy.daich@sap.com> * fix: Switch to an immediate drain strategy (envoyproxy#4230) Switch to a immediate drain strategy * Ensures clients immediately receive a `connection: close` / `GOAWAY` instead of a probabilistic approach of receiving one b/w drain start and drain end (defaults to 600s). This should speed up shutdown with clients reconnecting to newer upgraded proxies. Fixes: envoyproxy#4205 Signed-off-by: Arko Dasgupta <arko@tetrate.io> (cherry picked from commit 14f687f) Signed-off-by: Guy Daich <guy.daich@sap.com> --------- Signed-off-by: Luv <luvk1412@gmail.com> Signed-off-by: Guy Daich <guy.daich@sap.com> Signed-off-by: Arko Dasgupta <arko@tetrate.io> Co-authored-by: Luv <luvk1412@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com>
guydc · Sep 24, 2024 · 8bd641f · 8bd641f
1 parent 563fb3c
commit 8bd641f
Show file tree

Hide file tree

Showing 160 changed files with 147 additions and 188 deletions.
diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml
@@ -921,7 +921,6 @@ xds:
                   statPrefix: http
                   useRemoteAddress: true
               name: default/eg/http
-            drainType: MODIFY_ONLY
             name: default/eg/http
             perConnectionBufferLimitBytes: 32768
       - activeState:
@@ -989,7 +988,6 @@ xds:
                   statPrefix: http
                   useRemoteAddress: true
               name: default/eg/grpc
-            drainType: MODIFY_ONLY
             name: default/eg/grpc
             perConnectionBufferLimitBytes: 32768
       - activeState:
@@ -1012,7 +1010,6 @@ xds:
               socketAddress:
                 address: 0.0.0.0
                 portValue: 1234
-            drainType: MODIFY_ONLY
             filterChains:
             - filters:
               - name: envoy.filters.network.tcp_proxy
@@ -1052,7 +1049,6 @@ xds:
               socketAddress:
                 address: 0.0.0.0
                 portValue: 8443
-            drainType: MODIFY_ONLY
             filterChains:
             - filterChainMatch:
                 serverNames:

diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json
@@ -688,7 +688,6 @@
                     ],
                     "name": "default/eg/http"
                   },
-                  "drainType": "MODIFY_ONLY",
                   "name": "default/eg/http",
                   "perConnectionBufferLimitBytes": 32768
                 }
@@ -794,7 +793,6 @@
                     ],
                     "name": "default/eg/grpc"
                   },
-                  "drainType": "MODIFY_ONLY",
                   "name": "default/eg/grpc",
                   "perConnectionBufferLimitBytes": 32768
                 }
@@ -831,7 +829,6 @@
                       "portValue": 1234
                     }
                   },
-                  "drainType": "MODIFY_ONLY",
                   "filterChains": [
                     {
                       "filters": [
@@ -897,7 +894,6 @@
                       "portValue": 8443
                     }
                   },
-                  "drainType": "MODIFY_ONLY",
                   "filterChains": [
                     {
                       "filterChainMatch": {

diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml
@@ -402,7 +402,6 @@ xds:
                   statPrefix: http
                   useRemoteAddress: true
               name: default/eg/http
-            drainType: MODIFY_ONLY
             name: default/eg/http
             perConnectionBufferLimitBytes: 32768
       - activeState:
@@ -470,7 +469,6 @@ xds:
                   statPrefix: http
                   useRemoteAddress: true
               name: default/eg/grpc
-            drainType: MODIFY_ONLY
             name: default/eg/grpc
             perConnectionBufferLimitBytes: 32768
       - activeState:
@@ -493,7 +491,6 @@ xds:
               socketAddress:
                 address: 0.0.0.0
                 portValue: 1234
-            drainType: MODIFY_ONLY
             filterChains:
             - filters:
               - name: envoy.filters.network.tcp_proxy
@@ -533,7 +530,6 @@ xds:
               socketAddress:
                 address: 0.0.0.0
                 portValue: 8443
-            drainType: MODIFY_ONLY
             filterChains:
             - filterChainMatch:
                 serverNames:

diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml
@@ -59,7 +59,6 @@ xds:
                 statPrefix: http
                 useRemoteAddress: true
             name: default/eg/http
-          drainType: MODIFY_ONLY
           name: default/eg/http
           perConnectionBufferLimitBytes: 32768
     - activeState:
@@ -127,7 +126,6 @@ xds:
                 statPrefix: http
                 useRemoteAddress: true
             name: default/eg/grpc
-          drainType: MODIFY_ONLY
           name: default/eg/grpc
           perConnectionBufferLimitBytes: 32768
     - activeState:
@@ -150,7 +148,6 @@ xds:
             socketAddress:
               address: 0.0.0.0
               portValue: 1234
-          drainType: MODIFY_ONLY
           filterChains:
           - filters:
             - name: envoy.filters.network.tcp_proxy
@@ -190,7 +187,6 @@ xds:
             socketAddress:
               address: 0.0.0.0
               portValue: 8443
-          drainType: MODIFY_ONLY
           filterChains:
           - filterChainMatch:
               serverNames:

diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
@@ -544,7 +544,6 @@
                     ],
                     "name": "envoy-gateway-system/eg/http"
                   },
-                  "drainType": "MODIFY_ONLY",
                   "name": "envoy-gateway-system/eg/http",
                   "perConnectionBufferLimitBytes": 32768
                 }

diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
@@ -320,7 +320,6 @@ xds:
                   statPrefix: http
                   useRemoteAddress: true
               name: envoy-gateway-system/eg/http
-            drainType: MODIFY_ONLY
             name: envoy-gateway-system/eg/http
             perConnectionBufferLimitBytes: 32768
     - '@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump

diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml
@@ -76,6 +76,5 @@ xds:
                 statPrefix: http
                 useRemoteAddress: true
             name: envoy-gateway-system/eg/http
-          drainType: MODIFY_ONLY
           name: envoy-gateway-system/eg/http
           perConnectionBufferLimitBytes: 32768
diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml
@@ -265,7 +265,6 @@ xds:
                   statPrefix: http
                   useRemoteAddress: true
               name: envoy-gateway-system/eg/http
-            drainType: MODIFY_ONLY
             name: envoy-gateway-system/eg/http
             perConnectionBufferLimitBytes: 32768
     - '@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump

diff --git a/internal/cmd/envoy/shutdown_manager.go b/internal/cmd/envoy/shutdown_manager.go
@@ -114,7 +114,7 @@ func shutdownReadyHandler(w http.ResponseWriter, readyTimeout time.Duration, rea
 }
 
 // Shutdown is called from a preStop hook on the shutdown-manager container where
-// it will initiate a graceful drain sequence on the Envoy proxy and block until
+// it will initiate a drain sequence on the Envoy proxy and block until
 // connections are drained or a timeout is exceeded.
 func Shutdown(drainTimeout time.Duration, minDrainDuration time.Duration, exitAtConnections int) error {
 	startTime := time.Now()
@@ -125,19 +125,14 @@ func Shutdown(drainTimeout time.Duration, minDrainDuration time.Duration, exitAt
 		logger = logging.FileLogger("/proc/1/fd/1", "shutdown-manager", egv1a1.LogLevelInfo)
 	}
 
-	logger.Info(fmt.Sprintf("initiating graceful drain with %.0f second minimum drain period and %.0f second timeout",
+	logger.Info(fmt.Sprintf("initiating drain with %.0f second minimum drain period and %.0f second timeout",
 		minDrainDuration.Seconds(), drainTimeout.Seconds()))
 
 	// Start failing active health checks
 	if err := postEnvoyAdminAPI("healthcheck/fail"); err != nil {
 		logger.Error(err, "error failing active health checks")
 	}
 
-	// Initiate graceful drain sequence
-	if err := postEnvoyAdminAPI("drain_listeners?graceful&skip_exit"); err != nil {
-		logger.Error(err, "error initiating graceful drain")
-	}
-
 	// Poll total connections from Envoy admin API until minimum drain period has
 	// been reached and total connections reaches threshold or timeout is exceeded
 	for {
@@ -154,10 +149,10 @@ func Shutdown(drainTimeout time.Duration, minDrainDuration time.Duration, exitAt
 		}
 
 		if elapsedTime > drainTimeout {
-			logger.Info("graceful drain sequence timeout exceeded")
+			logger.Info("drain sequence timeout exceeded")
 			break
 		} else if allowedToExit && conn != nil && *conn <= exitAtConnections {
-			logger.Info("graceful drain sequence completed")
+			logger.Info("drain sequence completed")
 			break
 		}
 

diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go
@@ -144,7 +144,10 @@ func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2
 			target.Kind == currTarget.Kind &&
 			backendNamespace == policy.Namespace &&
 			target.Name == currTarget.Name {
-			if currTarget.SectionName != nil && *currTarget.SectionName != *target.SectionName {
+			if currTarget.SectionName != nil {
+				if target.SectionName != nil && *currTarget.SectionName == *target.SectionName {
+					return true
+				}
 				return false
 			}
 			return true

diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml
@@ -33,7 +33,11 @@ httpRoutes:
             - name: http-backend
               namespace: default
               port: 8080
-            - name: backend-ip-tls
+            - name: backend-ip-tls-1
+              namespace: default
+              kind: Backend
+              group: gateway.envoyproxy.io
+            - name: backend-ip-tls-2
               namespace: default
               kind: Backend
               group: gateway.envoyproxy.io
@@ -140,13 +144,30 @@ backendTLSPolicies:
   - apiVersion: gateway.networking.k8s.io/v1alpha2
     kind: BackendTLSPolicy
     metadata:
-      name: policy-btls-backend-ip
+      name: policy-btls-backend-ip-1
       namespace: default
     spec:
       targetRefs:
         - group: gateway.envoyproxy.io
           kind: Backend
-          name: backend-ip-tls
+          name: backend-ip-tls-1
+      validation:
+        caCertificateRefs:
+          - name: ca-cmap
+            group: ''
+            kind: ConfigMap
+        hostname: ip-backend
+  - apiVersion: gateway.networking.k8s.io/v1alpha2
+    kind: BackendTLSPolicy
+    metadata:
+      name: policy-btls-backend-ip-2
+      namespace: default
+    spec:
+      targetRefs:
+        - group: gateway.envoyproxy.io
+          kind: Backend
+          name: backend-ip-tls-2
+          sectionName: 3443
       validation:
         caCertificateRefs:
           - name: ca-cmap
@@ -157,10 +178,20 @@ backends:
   - apiVersion: gateway.envoyproxy.io/v1alpha1
     kind: Backend
     metadata:
-      name: backend-ip-tls
+      name: backend-ip-tls-1
       namespace: default
     spec:
       endpoints:
         - ip:
             address: 2.2.2.2
             port: 3443
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-ip-tls-2
+      namespace: default
+    spec:
+      endpoints:
+        - ip:
+            address: 3.3.3.3
+            port: 3443
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml
@@ -34,13 +34,13 @@ backendTLSPolicies:
   kind: BackendTLSPolicy
   metadata:
     creationTimestamp: null
-    name: policy-btls-backend-ip
+    name: policy-btls-backend-ip-1
     namespace: default
   spec:
     targetRefs:
     - group: gateway.envoyproxy.io
       kind: Backend
-      name: backend-ip-tls
+      name: backend-ip-tls-1
     validation:
       caCertificateRefs:
       - group: ""
@@ -60,12 +60,32 @@ backendTLSPolicies:
         status: "True"
         type: Accepted
       controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+  kind: BackendTLSPolicy
+  metadata:
+    creationTimestamp: null
+    name: policy-btls-backend-ip-2
+    namespace: default
+  spec:
+    targetRefs:
+    - group: gateway.envoyproxy.io
+      kind: Backend
+      name: backend-ip-tls-2
+      sectionName: "3443"
+    validation:
+      caCertificateRefs:
+      - group: ""
+        kind: ConfigMap
+        name: ca-cmap
+      hostname: ip-backend
+  status:
+    ancestors: null
 backends:
 - apiVersion: gateway.envoyproxy.io/v1alpha1
   kind: Backend
   metadata:
     creationTimestamp: null
-    name: backend-ip-tls
+    name: backend-ip-tls-1
     namespace: default
   spec:
     endpoints:
@@ -79,6 +99,24 @@ backends:
       reason: Accepted
       status: "True"
       type: Accepted
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: Backend
+  metadata:
+    creationTimestamp: null
+    name: backend-ip-tls-2
+    namespace: default
+  spec:
+    endpoints:
+    - ip:
+        address: 3.3.3.3
+        port: 3443
+  status:
+    conditions:
+    - lastTransitionTime: null
+      message: The Backend was accepted
+      reason: Accepted
+      status: "True"
+      type: Accepted
 gateways:
 - apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway
@@ -139,7 +177,11 @@ httpRoutes:
         port: 8080
       - group: gateway.envoyproxy.io
         kind: Backend
-        name: backend-ip-tls
+        name: backend-ip-tls-1
+        namespace: default
+      - group: gateway.envoyproxy.io
+        kind: Backend
+        name: backend-ip-tls-2
         namespace: default
       matches:
       - path:
@@ -221,9 +263,14 @@ xdsIR:
             tls:
               caCertificate:
                 certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
-                name: policy-btls-backend-ip/default-ca
+                name: policy-btls-backend-ip-1/default-ca
               sni: ip-backend
             weight: 1
+          - addressType: IP
+            endpoints:
+            - host: 3.3.3.3
+              port: 3443
+            weight: 1
         hostname: '*'
         isHTTP2: false
         metadata:

diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go
@@ -171,6 +171,7 @@ func expectedProxyContainers(infra *ir.ProxyInfra,
 		fmt.Sprintf("--config-yaml %s", bootstrapConfigurations),
 		fmt.Sprintf("--log-level %s", logging.DefaultEnvoyProxyLoggingLevel()),
 		"--cpuset-threads",
+		"--drain-strategy immediate",
 	}
 
 	if infra.Config != nil &&