[release/v1.1] Cherry-pick commits for v1.1.1 (envoyproxy#4173)

* bugfix: fix upstream get unwanted /. (envoyproxy#3990) * bugfix: fix upstream get unwanted /. Signed-off-by: qicz <qiczzhu@gmail.com> * ut for bugfix Signed-off-by: qicz <qiczzhu@gmail.com> --------- Signed-off-by: qicz <qiczzhu@gmail.com> Co-authored-by: Xunzhuo <bitliu@tencent.com> (cherry picked from commit b77f6a4) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * feat: gateway http listener isolation (envoyproxy#4000) Signed-off-by: Kobi Levi <kobilevi503@gmail.com> (cherry picked from commit 97830e9) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: multiple reference grants in same namespace (envoyproxy#4008) * fix: multiple reference grants in same namespace Signed-off-by: Ardika Bagus <me@ardikabs.com> * test: add e2e test Signed-off-by: Ardika Bagus <me@ardikabs.com> * chore: wrong service port Signed-off-by: Ardika Bagus <me@ardikabs.com> --------- Signed-off-by: Ardika Bagus <me@ardikabs.com> (cherry picked from commit b82f4b2) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * reduce readinessProbe failureThreshold and periodSeconds (envoyproxy#4021) * Reduces time for the endpoint to be removed from the endpointSlice from `30s` (3 * 10) to `5s` (1 * 5) * Since kube-proxy and CNIs rely on this info and so do external LBs like GKE https://cloud.google.com/kubernetes-engine/docs/concepts/service-load-balancer Signed-off-by: Arko Dasgupta <arko@tetrate.io> (cherry picked from commit 67575b8) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: add header values as described in the documentation (envoyproxy#4031) Add header values after splitting the provided value string on ',', like described in the documentation. Signed-off-by: Lior Okman <lior.okman@sap.com> (cherry picked from commit eac30d6) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix ratelimit statsd not working (envoyproxy#4073) fix ratelimit statd not working Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit 6ab6482) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: active http healthcheck documents a default for expected status, but doesn't use it (envoyproxy#4090) If no expected status was explicitly set, use the default value as described in the documentation. Signed-off-by: Lior Okman <lior.okman@sap.com> (cherry picked from commit 0926b38) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Fix IsNotFound check for secret and configmap (envoyproxy#4126) fix IsNotFound check for secret and configmap Signed-off-by: TasdidurRahman <tasdid@appscode.com> (cherry picked from commit c20315f) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: assign sugar logger name. (envoyproxy#4144) Signed-off-by: qicz <qiczzhu@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> (cherry picked from commit b50f5fa) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * use sets and return stable result (envoyproxy#4074) Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit 6066f5a) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * delete internal/gatewayapi/clustersettings.go NA for v1.1 Signed-off-by: Arko Dasgupta <arko@tetrate.io> * bump to go1.22.7 (envoyproxy#4175) * bump to go1.22.6 Signed-off-by: zirain <zirain2009@gmail.com> * bump to 1.22.7 Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit 69bf882) Signed-off-by: Arko Dasgupta <arko@tetrate.io> --------- Signed-off-by: qicz <qiczzhu@gmail.com> Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: Kobi Levi <kobilevi503@gmail.com> Signed-off-by: Ardika Bagus <me@ardikabs.com> Signed-off-by: Lior Okman <lior.okman@sap.com> Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: TasdidurRahman <tasdid@appscode.com> Co-authored-by: qi <qiczzhu@gmail.com> Co-authored-by: Xunzhuo <bitliu@tencent.com> Co-authored-by: Kobi Levi <56400138+levikobi@users.noreply.github.com> Co-authored-by: Ardika <me@ardikabs.com> Co-authored-by: Lior Okman <lior.okman@sap.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: Tasdidur Rahman <52253951+TasdidurRahman@users.noreply.github.com>
guydc · Sep 10, 2024 · 9a3f8f7 · 9a3f8f7
1 parent e138872
commit 9a3f8f7
Show file tree

Hide file tree

Showing 111 changed files with 1,342 additions and 246 deletions.
diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod
@@ -1,6 +1,6 @@
 module github.com/exampleorg/envoygateway-extension
 
-go 1.22.5
+go 1.22.7
 
 require (
 	github.com/envoyproxy/gateway v1.0.2

diff --git a/examples/extension-server/tools/src/controller-gen/go.mod b/examples/extension-server/tools/src/controller-gen/go.mod
@@ -1,6 +1,6 @@
 module local
 
-go 1.22.5
+go 1.22.7
 
 require sigs.k8s.io/controller-tools v0.15.0
 

diff --git a/examples/kubernetes/ext-proc-grpc-service.yaml b/examples/kubernetes/ext-proc-grpc-service.yaml
@@ -361,7 +361,7 @@ spec:
             - sh
             - "-c"
             - "cp -a /app /app-live && cd /app-live && go  run . --certPath=/app-live/certs/ "
-          image: golang:1.22.5-alpine
+          image: golang:1.22.7-alpine
           ports:
             - containerPort: 8000
           volumeMounts:

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/envoyproxy/gateway
 
-go 1.22.5
+go 1.22.7
 
 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16
 

diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"math"
 	"math/big"
+	"net/http"
 	"sort"
 	"strings"
 	"time"
@@ -962,6 +963,12 @@ func (t *Translator) buildHTTPActiveHealthChecker(h *egv1a1.HTTPActiveHealthChec
 	for _, r := range h.ExpectedStatuses {
 		statusSet.Insert(int(r))
 	}
+
+	// If no ExpectedStatus was set, use the default value (200)
+	if statusSet.Len() == 0 {
+		statusSet.Insert(http.StatusOK)
+	}
+
 	irStatuses := make([]ir.HTTPStatus, 0, statusSet.Len())
 
 	for _, r := range statusSet.List() {

diff --git a/internal/gatewayapi/conformance/suite.go b/internal/gatewayapi/conformance/suite.go
@@ -15,7 +15,6 @@ import (
 // SkipTests is a list of tests that are skipped in the conformance suite.
 var SkipTests = []suite.ConformanceTest{
 	tests.GatewayStaticAddresses,
-	tests.GatewayHTTPListenerIsolation, // https://github.com/envoyproxy/gateway/issues/3352
 }
 
 func skipTestsShortNames(skipTests []suite.ConformanceTest) []string {

diff --git a/internal/gatewayapi/filters.go b/internal/gatewayapi/filters.go
@@ -445,7 +445,7 @@ func (t *Translator) processRequestHeaderModifierFilter(
 			newHeader := ir.AddHeader{
 				Name:   headerKey,
 				Append: true,
-				Value:  addHeader.Value,
+				Value:  strings.Split(addHeader.Value, ","),
 			}
 
 			filterContext.AddRequestHeaders = append(filterContext.AddRequestHeaders, newHeader)
@@ -500,7 +500,7 @@ func (t *Translator) processRequestHeaderModifierFilter(
 			newHeader := ir.AddHeader{
 				Name:   string(setHeader.Name),
 				Append: false,
-				Value:  setHeader.Value,
+				Value:  strings.Split(setHeader.Value, ","),
 			}
 
 			filterContext.AddRequestHeaders = append(filterContext.AddRequestHeaders, newHeader)
@@ -617,7 +617,7 @@ func (t *Translator) processResponseHeaderModifierFilter(
 			newHeader := ir.AddHeader{
 				Name:   headerKey,
 				Append: true,
-				Value:  addHeader.Value,
+				Value:  strings.Split(addHeader.Value, ","),
 			}
 
 			filterContext.AddResponseHeaders = append(filterContext.AddResponseHeaders, newHeader)
@@ -672,7 +672,7 @@ func (t *Translator) processResponseHeaderModifierFilter(
 			newHeader := ir.AddHeader{
 				Name:   string(setHeader.Name),
 				Append: false,
-				Value:  setHeader.Value,
+				Value:  strings.Split(setHeader.Value, ","),
 			}
 
 			filterContext.AddResponseHeaders = append(filterContext.AddResponseHeaders, newHeader)

diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go
@@ -262,12 +262,12 @@ func servicePortToContainerPort(servicePort int32, envoyProxy *egv1a1.EnvoyProxy
 	return servicePort
 }
 
-// computeHosts returns a list of the intersecting hostnames between the route
-// and the listener.
-func computeHosts(routeHostnames []string, listenerHostname *gwapiv1.Hostname) []string {
+// computeHosts returns a list of intersecting listener hostnames and route hostnames
+// that don't intersect with other listener hostnames.
+func computeHosts(routeHostnames []string, listenerContext *ListenerContext) []string {
 	var listenerHostnameVal string
-	if listenerHostname != nil {
-		listenerHostnameVal = string(*listenerHostname)
+	if listenerContext != nil && listenerContext.Hostname != nil {
+		listenerHostnameVal = string(*listenerContext.Hostname)
 	}
 
 	// No route hostnames specified: use the listener hostname if specified,
@@ -280,8 +280,9 @@ func computeHosts(routeHostnames []string, listenerHostname *gwapiv1.Hostname) [
 		return []string{"*"}
 	}
 
-	var hostnames []string
+	hostnamesSet := sets.NewString()
 
+	// Find intersecting hostnames
 	for i := range routeHostnames {
 		routeHostname := routeHostnames[i]
 
@@ -290,28 +291,47 @@ func computeHosts(routeHostnames []string, listenerHostname *gwapiv1.Hostname) [
 		switch {
 		// No listener hostname: use the route hostname.
 		case len(listenerHostnameVal) == 0:
-			hostnames = append(hostnames, routeHostname)
+			hostnamesSet.Insert(routeHostname)
 
 		// Listener hostname matches the route hostname: use it.
 		case listenerHostnameVal == routeHostname:
-			hostnames = append(hostnames, routeHostname)
+			hostnamesSet.Insert(routeHostname)
 
 		// Listener has a wildcard hostname: check if the route hostname matches.
 		case strings.HasPrefix(listenerHostnameVal, "*"):
 			if hostnameMatchesWildcardHostname(routeHostname, listenerHostnameVal) {
-				hostnames = append(hostnames, routeHostname)
+				hostnamesSet.Insert(routeHostname)
 			}
 
 		// Route has a wildcard hostname: check if the listener hostname matches.
 		case strings.HasPrefix(routeHostname, "*"):
 			if hostnameMatchesWildcardHostname(listenerHostnameVal, routeHostname) {
-				hostnames = append(hostnames, listenerHostnameVal)
+				hostnamesSet.Insert(listenerHostnameVal)
 			}
 
 		}
 	}
 
-	return hostnames
+	// Filter out route hostnames that intersect with other listener hostnames
+	var listeners []*ListenerContext
+	if listenerContext != nil && listenerContext.gateway != nil {
+		listeners = listenerContext.gateway.listeners
+	}
+
+	for _, listener := range listeners {
+		if listenerContext == listener {
+			continue
+		}
+		if listenerContext != nil && listenerContext.Port != listener.Port {
+			continue
+		}
+		if listener.Hostname == nil {
+			continue
+		}
+		hostnamesSet.Delete(string(*listener.Hostname))
+	}
+
+	return hostnamesSet.List()
 }
 
 // hostnameMatchesWildcardHostname returns true if hostname has the non-wildcard

diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go
@@ -651,7 +651,7 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route
 	var hasHostnameIntersection bool
 
 	for _, listener := range parentRef.listeners {
-		hosts := computeHosts(GetHostnames(route), listener.Hostname)
+		hosts := computeHosts(GetHostnames(route), listener)
 		if len(hosts) == 0 {
 			continue
 		}
@@ -818,7 +818,7 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour
 
 		var hasHostnameIntersection bool
 		for _, listener := range parentRef.listeners {
-			hosts := computeHosts(GetHostnames(tlsRoute), listener.Hostname)
+			hosts := computeHosts(GetHostnames(tlsRoute), listener)
 			if len(hosts) == 0 {
 				continue
 			}

diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml
@@ -100,6 +100,25 @@ httpRoutes:
       backendRefs:
       - name: service-3
         port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-4
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-2
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/v2"
+      backendRefs:
+      - name: service-2
+        port: 8080
 backendTrafficPolicies:
 - apiVersion: gateway.envoyproxy.io/v1alpha1
   kind: BackendTrafficPolicy
@@ -169,6 +188,29 @@ backendTrafficPolicies:
         consecutiveGatewayErrors: 0
         consecutiveLocalOriginFailures: 5
         splitExternalLocalOriginErrors: false
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: BackendTrafficPolicy
+  metadata:
+    namespace: default
+    name: policy-for-route-4
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-4
+    healthCheck:
+      active:
+        timeout: "1s"
+        interval: "5s"
+        unhealthyThreshold: 3
+        healthyThreshold: 3
+        type: HTTP
+        http:
+          path: "/healthz"
+          method: "GET"
+          expectedResponse:
+            type: Text
+            text: pong
 - apiVersion: gateway.envoyproxy.io/v1alpha1
   kind: BackendTrafficPolicy
   metadata:

diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml
@@ -49,6 +49,45 @@ backendTrafficPolicies:
         status: "True"
         type: Accepted
       controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: BackendTrafficPolicy
+  metadata:
+    creationTimestamp: null
+    name: policy-for-route-4
+    namespace: default
+  spec:
+    healthCheck:
+      active:
+        healthyThreshold: 3
+        http:
+          expectedResponse:
+            text: pong
+            type: Text
+          method: GET
+          path: /healthz
+        interval: 5s
+        timeout: 1s
+        type: HTTP
+        unhealthyThreshold: 3
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-4
+  status:
+    ancestors:
+    - ancestorRef:
+        group: gateway.networking.k8s.io
+        kind: Gateway
+        name: gateway-2
+        namespace: envoy-gateway
+        sectionName: http
+      conditions:
+      - lastTransitionTime: null
+        message: Policy has been accepted.
+        reason: Accepted
+        status: "True"
+        type: Accepted
+      controllerName: gateway.envoyproxy.io/gatewayclass-controller
 - apiVersion: gateway.envoyproxy.io/v1alpha1
   kind: BackendTrafficPolicy
   metadata:
@@ -252,7 +291,7 @@ gateways:
       protocol: HTTP
   status:
     listeners:
-    - attachedRoutes: 3
+    - attachedRoutes: 4
       conditions:
       - lastTransitionTime: null
         message: Sending translated listener configuration to the data plane
@@ -424,6 +463,44 @@ httpRoutes:
         name: gateway-2
         namespace: envoy-gateway
         sectionName: http
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    creationTimestamp: null
+    name: httproute-4
+    namespace: default
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - name: gateway-2
+      namespace: envoy-gateway
+      sectionName: http
+    rules:
+    - backendRefs:
+      - name: service-2
+        port: 8080
+      matches:
+      - path:
+          value: /v2
+  status:
+    parents:
+    - conditions:
+      - lastTransitionTime: null
+        message: Route is accepted
+        reason: Accepted
+        status: "True"
+        type: Accepted
+      - lastTransitionTime: null
+        message: Resolved all the Object references for the Route
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
+      controllerName: gateway.envoyproxy.io/gatewayclass-controller
+      parentRef:
+        name: gateway-2
+        namespace: envoy-gateway
+        sectionName: http
 infraIR:
   envoy-gateway/gateway-1:
     proxy:
@@ -616,6 +693,41 @@ xdsIR:
               interval: 8ms
               maxEjectionPercent: 11
               splitExternalLocalOriginErrors: false
+      - destination:
+          name: httproute/default/httproute-4/rule/0
+          settings:
+          - addressType: IP
+            endpoints:
+            - host: 7.7.7.7
+              port: 8080
+            protocol: HTTP
+            weight: 1
+        hostname: gateway.envoyproxy.io
+        isHTTP2: false
+        metadata:
+          kind: HTTPRoute
+          name: httproute-4
+          namespace: default
+        name: httproute/default/httproute-4/rule/0/match/0/gateway_envoyproxy_io
+        pathMatch:
+          distinct: false
+          name: ""
+          prefix: /v2
+        traffic:
+          healthCheck:
+            active:
+              healthyThreshold: 3
+              http:
+                expectedResponse:
+                  text: pong
+                expectedStatuses:
+                - 200
+                host: gateway.envoyproxy.io
+                method: GET
+                path: /healthz
+              interval: 5s
+              timeout: 1s
+              unhealthyThreshold: 3
       - destination:
           name: httproute/default/httproute-1/rule/0
           settings: