diff --git a/controllers/gateway/route_reconciler.go b/controllers/gateway/route_reconciler.go
index b7e1d40d1..86d4c7045 100644
--- a/controllers/gateway/route_reconciler.go
+++ b/controllers/gateway/route_reconciler.go
@@ -226,69 +226,48 @@ func (d *routeReconcilerImpl) resolveRefGateway(parentRef gwv1.ParentReference, // setCondition based on RouteStatusInfo func (d *routeReconcilerImpl) setConditionsWithRouteStatusInfo(route client.Object, parentStatus *gwv1.RouteParentStatus, info routeutils.RouteStatusInfo) { timeNow := metav1.NewTime(time.Now()) + var conditions []metav1.Condition if !info.ResolvedRefs { - // resolvedRef rejected - parentStatus.Conditions = []metav1.Condition{ - { - Type: string(gwv1.RouteConditionAccepted), - Status: metav1.ConditionFalse, - Reason: info.Reason, - Message: info.Message, - LastTransitionTime: timeNow, - ObservedGeneration: route.GetGeneration(), - }, - { - Type: string(gwv1.RouteConditionResolvedRefs), - Status: metav1.ConditionFalse, - Reason: info.Reason, - Message: info.Message, - LastTransitionTime: timeNow, - ObservedGeneration: route.GetGeneration(), - }, - } - return + conditions = append(conditions, metav1.Condition{ + Type: string(gwv1.RouteConditionResolvedRefs), + Status: metav1.ConditionFalse, + Reason: info.Reason, + Message: info.Message, + LastTransitionTime: timeNow, + ObservedGeneration: route.GetGeneration(), + }) + } else { + conditions = append(conditions, metav1.Condition{ + Type: string(gwv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: string(gwv1.RouteReasonResolvedRefs), + Message: "", + LastTransitionTime: timeNow, + ObservedGeneration: route.GetGeneration(), + }) } - // resolveRef accepted and route accepted - if info.Accepted { - parentStatus.Conditions = []metav1.Condition{ - { - Type: string(gwv1.RouteConditionAccepted), - Status: metav1.ConditionTrue, - Reason: info.Reason, - Message: info.Message, - LastTransitionTime: timeNow, - ObservedGeneration: route.GetGeneration(), - }, - { - Type: string(gwv1.RouteConditionResolvedRefs), - Status: metav1.ConditionTrue, - Reason: string(gwv1.RouteReasonResolvedRefs), - LastTransitionTime: timeNow, - ObservedGeneration: route.GetGeneration(), - 
}, - } - return + + if !info.Accepted { + conditions = append(conditions, metav1.Condition{ + Type: string(gwv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: info.Reason, + Message: info.Message, + LastTransitionTime: timeNow, + ObservedGeneration: route.GetGeneration(), + }) } else { - // resolveRef accepted but route rejected - parentStatus.Conditions = []metav1.Condition{ - { - Type: string(gwv1.RouteConditionAccepted), - Status: metav1.ConditionFalse, - Reason: info.Reason, - Message: info.Message, - LastTransitionTime: timeNow, - ObservedGeneration: route.GetGeneration(), - }, - { - Type: string(gwv1.RouteConditionResolvedRefs), - Status: metav1.ConditionTrue, - Reason: string(gwv1.RouteReasonAccepted), - LastTransitionTime: timeNow, - ObservedGeneration: route.GetGeneration(), - }, - } - return + conditions = append(conditions, metav1.Condition{ + Type: string(gwv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: string(gwv1.RouteReasonAccepted), + Message: "", + LastTransitionTime: timeNow, + ObservedGeneration: route.GetGeneration(), + }) } + + parentStatus.Conditions = conditions } func (d *routeReconcilerImpl) setConditionsBasedOnResolveRefGateway(route client.Object, parentStatus *gwv1.RouteParentStatus, resolveErr error) { diff --git a/controllers/gateway/route_reconciler_test.go b/controllers/gateway/route_reconciler_test.go index ac1fa5633..4b88ed64f 100644 --- a/controllers/gateway/route_reconciler_test.go +++ b/controllers/gateway/route_reconciler_test.go 
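Review bot: In the `!info.Accepted` and `!info.ResolvedRefs` branches of setConditionsWithRouteStatusInfo the same `info.Reason` and `info.Message` are written to both condition types, so when both flags are false one condition can carry a reason that belongs to the other. The loader.go hunk in this commit sets both flags false for unrecognised reasons, which is the path that reaches this. If RouteStatusInfo cannot carry one reason per condition, state that on the function, e.g. `// When both Accepted and ResolvedRefs are false, info.Reason is reported on both conditions.` The four appended literals differ only in Type, Status, Reason and Message and could share a small constructor.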
@@ -503,10 +503,12 @@ func Test_setConditionsWithRouteStatusInfo(t *testing.T) { acceptedCondition := findCondition(conditions, string(gwv1.RouteConditionAccepted)) assert.NotNil(t, acceptedCondition) assert.Equal(t, metav1.ConditionTrue, acceptedCondition.Status) + assert.Equal(t, string(gwv1.RouteReasonAccepted), acceptedCondition.Reason) resolvedRefCondition := findCondition(conditions, string(gwv1.RouteConditionResolvedRefs)) assert.NotNil(t, resolvedRefCondition) assert.Equal(t, metav1.ConditionTrue, resolvedRefCondition.Status) + assert.Equal(t, string(gwv1.RouteReasonResolvedRefs), resolvedRefCondition.Reason) }, }, { @@ -529,18 +531,18 @@ func Test_setConditionsWithRouteStatusInfo(t *testing.T) { }, }, { - name: "accepted false and resolvedRef false", + name: "accepted true and resolvedRef false", info: routeutils.RouteStatusInfo{ - Accepted: false, + Accepted: true, ResolvedRefs: false, - Reason: string(gwv1.RouteReasonBackendNotFound), - Message: "backend not found", + Reason: string(gwv1.RouteReasonRefNotPermitted), + Message: "ref not permitted", }, validateResult: func(t *testing.T, conditions []metav1.Condition) { assert.Len(t, conditions, 2) acceptedCondition := findCondition(conditions, string(gwv1.RouteConditionAccepted)) assert.NotNil(t, acceptedCondition) - assert.Equal(t, metav1.ConditionFalse, acceptedCondition.Status) + assert.Equal(t, metav1.ConditionTrue, acceptedCondition.Status) resolvedRefCondition := findCondition(conditions, string(gwv1.RouteConditionResolvedRefs)) assert.NotNil(t, resolvedRefCondition) diff --git a/docs/guide/gateway/gateway.md b/docs/guide/gateway/gateway.md index 1200fbb1b..67e99ae81 100644 --- a/docs/guide/gateway/gateway.md +++ b/docs/guide/gateway/gateway.md 
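Review bot: Renaming the `accepted false and resolvedRef false` case to `accepted true and resolvedRef false` removes the only both-false case visible in these hunks, and that combination is still produced by the `default` branch added in loader.go. Keep the old case alongside the new one unless a case outside the hunk already covers it. The new case also asserts only `acceptedCondition.Status` inside the hunk; adding `assert.Equal(t, string(gwv1.RouteReasonAccepted), acceptedCondition.Reason)` would pin that the reference failure reason does not leak into the Accepted condition. The rest of the validateResult body lies outside the hunk.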
@@ -127,7 +127,7 @@ spec: When `my-http-service` or the configured service port can't be found, the target group will not be materialized on any ALBs that the route attaches to. -An [503 Fixed Response](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_FixedResponseActionConfig.html) +An [500 Fixed Response](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_FixedResponseActionConfig.html) will be added to any Listener Rules that would have referenced the invalid backend. ## Specify out-of-band Target Groups diff --git a/pkg/gateway/model/model_build_listener.go b/pkg/gateway/model/model_build_listener.go index e1ebafabd..fe7fd63d9 100644 --- a/pkg/gateway/model/model_build_listener.go +++ b/pkg/gateway/model/model_build_listener.go @@ -381,16 +381,16 @@ func buildL7ListenerDefaultActions() []elbv2model.Action { return []elbv2model.Action{action404} } -// returns 503 when no backends are configured +// returns 500 when no backends are configured func buildL7ListenerNoBackendActions() elbv2model.Action { - action503 := elbv2model.Action{ + action500 := elbv2model.Action{ Type: elbv2model.ActionTypeFixedResponse, FixedResponseConfig: &elbv2model.FixedResponseActionConfig{ ContentType: awssdk.String("text/plain"), - StatusCode: "503", + StatusCode: "500", }, } - return action503 + return action500 } func buildL4ListenerDefaultActions(arn core.StringToken) []elbv2model.Action { diff --git a/pkg/gateway/model/model_build_listener_test.go b/pkg/gateway/model/model_build_listener_test.go index 0eb414e0c..689c0c6e8 100644 --- a/pkg/gateway/model/model_build_listener_test.go +++ b/pkg/gateway/model/model_build_listener_test.go @@ -2,6 +2,10 @@ package model import ( "context" + "reflect" + "strings" + "testing" + awssdk "github.com/aws/aws-sdk-go-v2/aws" elbv2sdk "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2" elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types" 
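Review bot: The updated comment on buildL7ListenerNoBackendActions, `// returns 500 when no backends are configured`, does not say why 500 replaced 503 or which cases reach it, while the gateway.md hunk in this commit describes the action as the response for an invalid backend reference and the e2e hunks expect it when no ReferenceGrant exists. A comment such as `// buildL7ListenerNoBackendActions returns the fixed 500 response used for rules whose backend references are invalid or not permitted.` would record that. The FixedResponseActionConfig sets no message body, which keeps the failure reason out of the client-facing response; if that is deliberate, a short note saying so would help the next reader.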
@@ -9,12 +13,9 @@ import ( "github.com/google/go-cmp/cmp/cmpopts" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/sets" - "reflect" "sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services" "sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/routeutils" coremodel "sigs.k8s.io/aws-load-balancer-controller/pkg/model/core" - "strings" - "testing" "github.com/golang/mock/gomock" "github.com/pkg/errors" @@ -1242,7 +1243,7 @@ func Test_BuildListenerRules(t *testing.T) { tagErr error }{ { - name: "no backends should result in 503 fixed response", + name: "no backends should result in 500 fixed response", port: 80, listenerProtocol: elbv2model.ProtocolHTTP, ipAddressType: elbv2model.IPAddressTypeIPV4, @@ -1277,7 +1278,7 @@ func Test_BuildListenerRules(t *testing.T) { Type: "fixed-response", FixedResponseConfig: &elbv2model.FixedResponseActionConfig{ ContentType: awssdk.String("text/plain"), - StatusCode: "503", + StatusCode: "500", }, }, }, @@ -1590,7 +1591,7 @@ func Test_BuildListenerRules(t *testing.T) { }, }, { - name: "listener rule config with authenticate-cognito and no backends should result in auth + 503 fixed response", + name: "listener rule config with authenticate-cognito and no backends should result in auth + 500 fixed response", port: 80, listenerProtocol: elbv2model.ProtocolHTTPS, ipAddressType: elbv2model.IPAddressTypeIPV4, @@ -1663,7 +1664,7 @@ func Test_BuildListenerRules(t *testing.T) { Type: "fixed-response", FixedResponseConfig: &elbv2model.FixedResponseActionConfig{ ContentType: awssdk.String("text/plain"), - StatusCode: "503", + StatusCode: "500", }, }, }, diff --git a/pkg/gateway/routeutils/backend.go b/pkg/gateway/routeutils/backend.go index 1d11f0724..6b5f6d9e2 100644 --- a/pkg/gateway/routeutils/backend.go +++ b/pkg/gateway/routeutils/backend.go @@ -3,6 +3,7 @@ package routeutils import ( "context" "fmt" + "github.com/pkg/errors" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" 
@@ -21,6 +22,8 @@ const ( gatewayKind = "Gateway" referenceGrantNotExists = "No explicit ReferenceGrant exists to allow the reference." maxWeight = 999 + gatewayAPIGroup = "gateway.networking.k8s.io" + coreAPIGroup = "" ) var ( @@ -216,7 +219,7 @@ func LookUpTargetGroupConfiguration(ctx context.Context, k8sClient client.Client // Implements the reference grant API // https://gateway-api.sigs.k8s.io/api-types/referencegrant/ -func referenceGrantCheck(ctx context.Context, k8sClient client.Client, objKind string, objIdentifier types.NamespacedName, routeIdentifier types.NamespacedName, routeKind RouteKind) (bool, error) { +func referenceGrantCheck(ctx context.Context, k8sClient client.Client, objKind string, objGroup string, objIdentifier types.NamespacedName, routeIdentifier types.NamespacedName, routeKind RouteKind, routeGroup string) (bool, error) { referenceGrantList := &gwbeta1.ReferenceGrantList{} if err := k8sClient.List(ctx, referenceGrantList, client.InNamespace(objIdentifier.Namespace)); err != nil { return false, err @@ -226,8 +229,7 @@ func referenceGrantCheck(ctx context.Context, k8sClient client.Client, objKind s var routeAllowed bool for _, from := range grant.Spec.From { - // Kind check maybe? - if string(from.Kind) == string(routeKind) && string(from.Namespace) == routeIdentifier.Namespace { + if string(from.Group) == routeGroup && string(from.Kind) == string(routeKind) && string(from.Namespace) == routeIdentifier.Namespace { routeAllowed = true break } @@ -235,8 +237,7 @@ func referenceGrantCheck(ctx context.Context, k8sClient client.Client, objKind s if routeAllowed { for _, to := range grant.Spec.To { - // Make sure the kind is correct for our query. - if string(to.Kind) != objKind { + if string(to.Group) != objGroup || string(to.Kind) != objKind { continue } diff --git a/pkg/gateway/routeutils/backend_gateway.go b/pkg/gateway/routeutils/backend_gateway.go index 4fcc3be7c..2fb77be55 100644 --- a/pkg/gateway/routeutils/backend_gateway.go 
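Review bot: referenceGrantCheck now takes `objKind string, objGroup string` side by side plus a trailing `routeGroup string`, so a call site that swaps a kind with a group, or the object group with the route group, still compiles and silently changes which grants match. Since this function decides whether a cross-namespace reference is permitted, giving the two group parameters the `Group` type that `from.Group` and `to.Group` already have would turn that mistake into a compile error and remove the `string(...)` conversions. The doc comment above the signature should also name the two group parameters, and the `coreAPIGroup = ""` constant deserves a comment that the empty string is how ReferenceGrant spells the core API group. The function body continues outside these hunks.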
+++ b/pkg/gateway/routeutils/backend_gateway.go @@ -3,6 +3,8 @@ package routeutils import ( "context" "fmt" + "strings" + "github.com/pkg/errors" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -14,7 +16,6 @@ import ( "sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants" "sigs.k8s.io/controller-runtime/pkg/client" gwv1 "sigs.k8s.io/gateway-api/apis/v1" - "strings" ) var _ TargetGroupConfigurator = &GatewayBackendConfig{} @@ -101,7 +102,7 @@ func gatewayLoader(ctx context.Context, k8sClient client.Client, routeIdentifier // Check for reference grant when performing cross namespace gateway -> route attachment if gwIdentifier.Namespace != routeIdentifier.Namespace { - allowed, err := referenceGrantCheck(ctx, k8sClient, gatewayKind, gwIdentifier, routeIdentifier, routeKind) + allowed, err := referenceGrantCheck(ctx, k8sClient, gatewayKind, gatewayAPIGroup, gwIdentifier, routeIdentifier, routeKind, gatewayAPIGroup) if err != nil { // Currently, this API only fails for a k8s related error message, hence no status update + make the error fatal. return nil, nil, errors.Wrapf(err, "Unable to perform reference grant check") diff --git a/pkg/gateway/routeutils/backend_service.go b/pkg/gateway/routeutils/backend_service.go index 295473bf7..0dad940a2 100644 --- a/pkg/gateway/routeutils/backend_service.go +++ b/pkg/gateway/routeutils/backend_service.go @@ -3,6 +3,8 @@ package routeutils import ( "context" "fmt" + "strings" + "github.com/pkg/errors" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" @@ -13,7 +15,6 @@ import ( "sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants" "sigs.k8s.io/controller-runtime/pkg/client" gwv1 "sigs.k8s.io/gateway-api/apis/v1" - "strings" ) type ServiceBackendConfig struct { 
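Review bot: The call in gatewayLoader passes the constant `gatewayAPIGroup` as the target group, and the serviceLoader hunk in backend_service.go does the same with `coreAPIGroup`, so the grant is matched against the group the loader assumes rather than the group written in the backend reference. If the reference's own group is not compared with these constants earlier in each loader (not visible in the hunks), a reference naming a different group would be authorised as if it pointed at a Gateway or a core Service. Either pass the reference's group through to referenceGrantCheck or add a comment at each call naming where that validation happens. Both loader bodies start and end outside their hunks.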
@@ -141,7 +142,7 @@ func serviceLoader(ctx context.Context, k8sClient client.Client, routeIdentifier // Check for reference grant when performing cross namespace gateway -> route attachment if svcNamespace != routeIdentifier.Namespace { - allowed, err := referenceGrantCheck(ctx, k8sClient, serviceKind, svcIdentifier, routeIdentifier, routeKind) + allowed, err := referenceGrantCheck(ctx, k8sClient, serviceKind, coreAPIGroup, svcIdentifier, routeIdentifier, routeKind, gatewayAPIGroup) if err != nil { // Currently, this API only fails for a k8s related error message, hence no status update + make the error fatal. return nil, nil, errors.Wrapf(err, "Unable to perform reference grant check") diff --git a/pkg/gateway/routeutils/backend_test.go b/pkg/gateway/routeutils/backend_test.go index 2d2f4fe2e..b54e1b818 100644 --- a/pkg/gateway/routeutils/backend_test.go +++ b/pkg/gateway/routeutils/backend_test.go @@ -229,13 +229,15 @@ func TestCommonBackendLoader_Service(t *testing.T) { Spec: gwbeta1.ReferenceGrantSpec{ From: []gwbeta1.ReferenceGrantFrom{ { + Group: gatewayAPIGroup, Kind: gwbeta1.Kind(kind), Namespace: "route-ns", }, }, To: []gwbeta1.ReferenceGrantTo{ { - Kind: serviceKind, + Group: "", + Kind: serviceKind, }, }, }, @@ -724,14 +726,16 @@ func Test_referenceGrantCheck(t *testing.T) { Spec: gwbeta1.ReferenceGrantSpec{ From: []gwbeta1.ReferenceGrantFrom{ { + Group: gatewayAPIGroup, Kind: gwbeta1.Kind(kind), Namespace: "route-namespace", }, }, To: []gwbeta1.ReferenceGrantTo{ { - Kind: serviceKind, - Name: (*gwbeta1.ObjectName)(awssdk.String("svc-name")), + Group: "", + Kind: serviceKind, + Name: (*gwbeta1.ObjectName)(awssdk.String("svc-name")), }, }, }, @@ -759,14 +763,16 @@ func Test_referenceGrantCheck(t *testing.T) { Spec: gwbeta1.ReferenceGrantSpec{ 
From: []gwbeta1.ReferenceGrantFrom{ { + Group: gatewayAPIGroup, Kind: gwbeta1.Kind(kind), Namespace: "route-namespace", }, }, To: []gwbeta1.ReferenceGrantTo{ { - Kind: gatewayKind, - Name: (*gwbeta1.ObjectName)(awssdk.String("gw-name")), + Group: gatewayAPIGroup, + Kind: gatewayKind, + Name: (*gwbeta1.ObjectName)(awssdk.String("gw-name")), }, }, }, @@ -794,13 +800,15 @@ func Test_referenceGrantCheck(t *testing.T) { Spec: gwbeta1.ReferenceGrantSpec{ From: []gwbeta1.ReferenceGrantFrom{ { + Group: gatewayAPIGroup, Kind: gwbeta1.Kind(kind), Namespace: "route-namespace", }, }, To: []gwbeta1.ReferenceGrantTo{ { - Kind: serviceKind, + Group: "", + Kind: serviceKind, }, }, }, @@ -841,14 +849,16 @@ func Test_referenceGrantCheck(t *testing.T) { Spec: gwbeta1.ReferenceGrantSpec{ From: []gwbeta1.ReferenceGrantFrom{ { + Group: gatewayAPIGroup, Kind: gwbeta1.Kind(kind), Namespace: "route-namespace", }, }, To: []gwbeta1.ReferenceGrantTo{ { - Kind: serviceKind, - Name: (*gwbeta1.ObjectName)(awssdk.String("baz")), + Group: "", + Kind: serviceKind, + Name: (*gwbeta1.ObjectName)(awssdk.String("baz")), }, }, }, @@ -876,13 +886,15 @@ func Test_referenceGrantCheck(t *testing.T) { Spec: gwbeta1.ReferenceGrantSpec{ From: []gwbeta1.ReferenceGrantFrom{ { + Group: gatewayAPIGroup, Kind: gwbeta1.Kind("other kind"), Namespace: "route-namespace", }, }, To: []gwbeta1.ReferenceGrantTo{ { - Kind: serviceKind, + Group: "", + Kind: serviceKind, }, }, }, @@ -910,14 +922,16 @@ func Test_referenceGrantCheck(t *testing.T) { Spec: gwbeta1.ReferenceGrantSpec{ From: []gwbeta1.ReferenceGrantFrom{ { + Group: gatewayAPIGroup, Kind: gwbeta1.Kind(kind), Namespace: "route-namespace", }, }, To: []gwbeta1.ReferenceGrantTo{ { - Kind: serviceKind, - Name: (*gwbeta1.ObjectName)(awssdk.String("gw-name")), + Group: "", + Kind: serviceKind, + Name: (*gwbeta1.ObjectName)(awssdk.String("gw-name")), }, }, }, 
@@ -925,6 +939,114 @@ func Test_referenceGrantCheck(t *testing.T) { }, expected: false, }, + { + name: "wrong from group - should not allow", + kind: serviceKind, + objectIdentifier: types.NamespacedName{ + Namespace: "svc-namespace", + Name: "svc-name", + }, + routeIdentifier: types.NamespacedName{ + Namespace: "route-namespace", + Name: "route-name", + }, + referenceGrants: []gwbeta1.ReferenceGrant{ + { + ObjectMeta: metav1.ObjectMeta{ + Namespace: "svc-namespace", + Name: "grant1", + }, + Spec: gwbeta1.ReferenceGrantSpec{ + From: []gwbeta1.ReferenceGrantFrom{ + { + Group: "wrong-group", + Kind: gwbeta1.Kind(kind), + Namespace: "route-namespace", + }, + }, + To: []gwbeta1.ReferenceGrantTo{ + { + Group: "", + Kind: serviceKind, + }, + }, + }, + }, + }, + expected: false, + }, + { + name: "wrong to group - should not allow", + kind: serviceKind, + objectIdentifier: types.NamespacedName{ + Namespace: "svc-namespace", + Name: "svc-name", + }, + routeIdentifier: types.NamespacedName{ + Namespace: "route-namespace", + Name: "route-name", + }, + referenceGrants: []gwbeta1.ReferenceGrant{ + { + ObjectMeta: metav1.ObjectMeta{ + Namespace: "svc-namespace", + Name: "grant1", + }, + Spec: gwbeta1.ReferenceGrantSpec{ + From: []gwbeta1.ReferenceGrantFrom{ + { + Group: gatewayAPIGroup, + Kind: gwbeta1.Kind(kind), + Namespace: "route-namespace", + }, + }, + To: []gwbeta1.ReferenceGrantTo{ + { + Group: "wrong-group", + Kind: serviceKind, + }, + }, + }, + }, + }, + expected: false, + }, + { + name: "correct groups - should allow", + kind: serviceKind, + objectIdentifier: types.NamespacedName{ + Namespace: "svc-namespace", + Name: "svc-name", + }, + routeIdentifier: types.NamespacedName{ + Namespace: "route-namespace", + Name: "route-name", + }, + referenceGrants: []gwbeta1.ReferenceGrant{ + { + ObjectMeta: metav1.ObjectMeta{ + Namespace: "svc-namespace", + Name: "grant1", + }, + Spec: gwbeta1.ReferenceGrantSpec{ + 
From: []gwbeta1.ReferenceGrantFrom{ + { + Group: gatewayAPIGroup, + Kind: gwbeta1.Kind(kind), + Namespace: "route-namespace", + }, + }, + To: []gwbeta1.ReferenceGrantTo{ + { + Group: "", + Kind: serviceKind, + }, + }, + }, + }, + }, + expected: true, + }, } for _, tc := range testCases { @@ -935,7 +1057,11 @@ func Test_referenceGrantCheck(t *testing.T) { assert.NoError(t, err) } - result, err := referenceGrantCheck(context.Background(), k8sClient, tc.kind, tc.objectIdentifier, tc.routeIdentifier, kind) + objGroup := coreAPIGroup + if tc.kind == gatewayKind { + objGroup = gatewayAPIGroup + } + result, err := referenceGrantCheck(context.Background(), k8sClient, tc.kind, objGroup, tc.objectIdentifier, tc.routeIdentifier, kind, gatewayAPIGroup) if tc.expectErr { assert.Error(t, err) return diff --git a/pkg/gateway/routeutils/loader.go b/pkg/gateway/routeutils/loader.go index 561e87c3e..cc69b8d3b 100644 --- a/pkg/gateway/routeutils/loader.go +++ b/pkg/gateway/routeutils/loader.go 
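Review bot: The added `wrong from group` and `wrong to group` cases in Test_referenceGrantCheck use the literal `"wrong-group"` with `serviceKind` only, so nothing exercises the mismatches the new check is most likely to meet: a `to` entry with `Group: ""` for `gatewayKind`, or `Group: gatewayAPIGroup` for `serviceKind`. Adding those two cases with `expected: false` would pin that kind and group are matched together. The `correct groups - should allow` case appears to repeat an earlier Service case that now also sets both groups, so it may be redundant. The runner derives `objGroup` from `tc.kind`; a per-case `objGroup` field would let a case pass a group that disagrees with the kind.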
@@ -174,7 +174,32 @@ func (l *loaderImpl) loadChildResources(ctx context.Context, preloadedRoutes map for _, lare := range loadAttachedRulesErrors { var loaderErr LoaderError if errors.As(lare.Err, &loaderErr) { - failedRoutes = append(failedRoutes, GenerateRouteData(false, false, string(loaderErr.GetRouteReason()), loaderErr.GetRouteMessage(), preloadedRoute.GetRouteNamespacedName(), preloadedRoute.GetRouteKind(), preloadedRoute.GetRouteGeneration(), gw)) + routeReason := loaderErr.GetRouteReason() + // Categorize reasons into Accepted vs ResolvedRefs conditions + var accepted, resolvedRefs bool + switch routeReason { + case gwv1.RouteReasonNotAllowedByListeners, + gwv1.RouteReasonNoMatchingListenerHostname, + gwv1.RouteReasonNoMatchingParent, + gwv1.RouteReasonUnsupportedValue, + gwv1.RouteReasonPending, + gwv1.RouteReasonIncompatibleFilters: + // These affect Accepted condition + accepted = false + resolvedRefs = true + case gwv1.RouteReasonRefNotPermitted, + gwv1.RouteReasonInvalidKind, + gwv1.RouteReasonBackendNotFound, + gwv1.RouteReasonUnsupportedProtocol: + // These affect ResolvedRefs condition + accepted = true + resolvedRefs = false + default: + // Unknown reason, fail both + accepted = false + resolvedRefs = false + } + failedRoutes = append(failedRoutes, GenerateRouteData(accepted, resolvedRefs, string(routeReason), loaderErr.GetRouteMessage(), preloadedRoute.GetRouteNamespacedName(), preloadedRoute.GetRouteKind(), preloadedRoute.GetRouteGeneration(), gw)) } if lare.Fatal { return nil, failedRoutes, lare.Err diff --git a/test/e2e/gateway/alb_instance_target_test.go b/test/e2e/gateway/alb_instance_target_test.go index f57e27111..e65d030f0 100644 --- a/test/e2e/gateway/alb_instance_target_test.go +++ b/test/e2e/gateway/alb_instance_target_test.go 
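Review bot: The reason-to-condition switch is written inline inside the error loop of loadChildResources, and no test in the visible part of this commit exercises the mapping itself. Because this mapping decides whether a route with a refused cross-namespace reference is still reported as Accepted, moving it into a small pure function would let a table test pin every reason, including the `default` branch that fails both conditions. The enclosing function starts and ends outside the hunk.

```go
// routeConditionsForReason reports which route conditions stay true for a loader failure reason.
// Reasons it does not recognise fail both conditions.
func routeConditionsForReason(reason gwv1.RouteConditionReason) (accepted, resolvedRefs bool) {
	switch reason {
	// … unchanged: case list of the six reasons that affect the Accepted condition …
		return false, true
	// … unchanged: case list of the four reasons that affect the ResolvedRefs condition …
		return true, false
	default:
		return false, false
	}
}

// in loadChildResources:
routeReason := loaderErr.GetRouteReason()
accepted, resolvedRefs := routeConditionsForReason(routeReason)
// … unchanged: failedRoutes = append(failedRoutes, GenerateRouteData(accepted, resolvedRefs, …)) …
```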
@@ -57,7 +57,12 @@ var _ = Describe("test k8s alb gateway using instance targets reconciled by the Scheme: &interf, ListenerConfigurations: listenerConfigurationForHeaderModification, } - tgSpec := elbv2gw.TargetGroupConfigurationSpec{} + instanceTargetType := elbv2gw.TargetTypeInstance + tgSpec := elbv2gw.TargetGroupConfigurationSpec{ + DefaultConfiguration: elbv2gw.TargetGroupProps{ + TargetType: &instanceTargetType, + }, + } lrcSpec := elbv2gw.ListenerRuleConfigurationSpec{} gwListeners := []gwv1.Listener{ { @@ -135,9 +140,9 @@ var _ = Describe("test k8s alb gateway using instance targets reconciled by the err := tf.HTTPVerifier.VerifyURL(url, http.ResponseCodeMatches(200)) Expect(err).NotTo(HaveOccurred()) }) - By("cross-ns listener should return 503 as no ref grant is available", func() { + By("cross-ns listener should return 500 as no ref grant is available", func() { url := fmt.Sprintf("http://%v:5000/any-path", dnsName) - err := tf.HTTPVerifier.VerifyURL(url, http.ResponseCodeMatches(503)) + err := tf.HTTPVerifier.VerifyURL(url, http.ResponseCodeMatches(500)) Expect(err).NotTo(HaveOccurred()) }) By("confirming the route status", func() { @@ -191,9 +196,9 @@ var _ = Describe("test k8s alb gateway using instance targets reconciled by the // Give some time to have the reference grant to be deleted time.Sleep(2 * time.Minute) }) - By("cross-ns listener should return 503 as no ref grant is available", func() { + By("cross-ns listener should return 500 as no ref grant is available", func() { url := fmt.Sprintf("http://%v:5000/any-path", dnsName) - err := tf.HTTPVerifier.VerifyURL(url, http.ResponseCodeMatches(503)) + err := tf.HTTPVerifier.VerifyURL(url, http.ResponseCodeMatches(500)) Expect(err).NotTo(HaveOccurred()) }) By("confirming the route status", func() { 
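Review bot: The `instanceTargetType` / `tgSpec` pair added in the first hunk here is pasted unchanged into every other instance-target context in this file and into both contexts in nlb_instance_target_test.go, so a later change to the default target group props has to be repeated in about a dozen places. A package-level helper would keep them in step, with each site reduced to `tgSpec := instanceTargetGroupSpec()`. The helper name is only a suggestion, and the enclosing Describe block starts outside the hunk.

```go
// instanceTargetGroupSpec returns a TargetGroupConfigurationSpec whose default target type is instance.
func instanceTargetGroupSpec() elbv2gw.TargetGroupConfigurationSpec {
	targetType := elbv2gw.TargetTypeInstance
	return elbv2gw.TargetGroupConfigurationSpec{
		DefaultConfiguration: elbv2gw.TargetGroupProps{
			TargetType: &targetType,
		},
	}
}
```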
@@ -209,7 +214,12 @@ var _ = Describe("test k8s alb gateway using instance targets reconciled by the lbcSpec := elbv2gw.LoadBalancerConfigurationSpec{ Scheme: &interf, } - tgSpec := elbv2gw.TargetGroupConfigurationSpec{} + instanceTargetType := elbv2gw.TargetTypeInstance + tgSpec := elbv2gw.TargetGroupConfigurationSpec{ + DefaultConfiguration: elbv2gw.TargetGroupProps{ + TargetType: &instanceTargetType, + }, + } lrcSpec := elbv2gw.ListenerRuleConfigurationSpec{} gwListeners := []gwv1.Listener{ { @@ -414,7 +424,12 @@ var _ = Describe("test k8s alb gateway using instance targets reconciled by the lbcSpec := elbv2gw.LoadBalancerConfigurationSpec{ Scheme: &interf, } - tgSpec := elbv2gw.TargetGroupConfigurationSpec{} + instanceTargetType := elbv2gw.TargetTypeInstance + tgSpec := elbv2gw.TargetGroupConfigurationSpec{ + DefaultConfiguration: elbv2gw.TargetGroupProps{ + TargetType: &instanceTargetType, + }, + } lrcSpec := elbv2gw.ListenerRuleConfigurationSpec{} gwListeners := []gwv1.Listener{ { @@ -477,7 +492,12 @@ var _ = Describe("test k8s alb gateway using instance targets reconciled by the lbcSpec := elbv2gw.LoadBalancerConfigurationSpec{ Scheme: &interf, } - tgSpec := elbv2gw.TargetGroupConfigurationSpec{} + instanceTargetType := elbv2gw.TargetTypeInstance + tgSpec := elbv2gw.TargetGroupConfigurationSpec{ + DefaultConfiguration: elbv2gw.TargetGroupProps{ + TargetType: &instanceTargetType, + }, + } matchIndex := []int{0, 2} sourceIp := "10.0.0.0/8" 
@@ -681,7 +701,12 @@ var _ = Describe("test k8s alb gateway using instance targets reconciled by the DefaultCertificate: &cert, } lbcSpec.ListenerConfigurations = &[]elbv2gw.ListenerConfiguration{lsConfig} - tgSpec := elbv2gw.TargetGroupConfigurationSpec{} + instanceTargetType := elbv2gw.TargetTypeInstance + tgSpec := elbv2gw.TargetGroupConfigurationSpec{ + DefaultConfiguration: elbv2gw.TargetGroupProps{ + TargetType: &instanceTargetType, + }, + } lrcSpec := elbv2gw.ListenerRuleConfigurationSpec{} gwListeners := []gwv1.Listener{ { @@ -781,7 +806,12 @@ var _ = Describe("test k8s alb gateway using instance targets reconciled by the }, } lbcSpec.ListenerConfigurations = &[]elbv2gw.ListenerConfiguration{lsConfig} - tgSpec := elbv2gw.TargetGroupConfigurationSpec{} + instanceTargetType := elbv2gw.TargetTypeInstance + tgSpec := elbv2gw.TargetGroupConfigurationSpec{ + DefaultConfiguration: elbv2gw.TargetGroupProps{ + TargetType: &instanceTargetType, + }, + } lrcSpec := elbv2gw.ListenerRuleConfigurationSpec{} gwListeners := []gwv1.Listener{ { @@ -885,7 +915,12 @@ var _ = Describe("test k8s alb gateway using instance targets reconciled by the DefaultCertificate: &cert, } lbcSpec.ListenerConfigurations = &[]elbv2gw.ListenerConfiguration{lsConfig} - tgSpec := elbv2gw.TargetGroupConfigurationSpec{} + instanceTargetType := elbv2gw.TargetTypeInstance + tgSpec := elbv2gw.TargetGroupConfigurationSpec{ + DefaultConfiguration: elbv2gw.TargetGroupProps{ + TargetType: &instanceTargetType, + }, + } gwListeners := []gwv1.Listener{ { Name: "https443", 
@@ -1071,7 +1106,12 @@ var _ = Describe("test k8s alb gateway using instance targets reconciled by the DefaultCertificate: &cert, } lbcSpec.ListenerConfigurations = &[]elbv2gw.ListenerConfiguration{lsConfig} - tgSpec := elbv2gw.TargetGroupConfigurationSpec{} + instanceTargetType := elbv2gw.TargetTypeInstance + tgSpec := elbv2gw.TargetGroupConfigurationSpec{ + DefaultConfiguration: elbv2gw.TargetGroupProps{ + TargetType: &instanceTargetType, + }, + } gwListeners := []gwv1.Listener{ { Name: "https443", @@ -1284,7 +1324,12 @@ var _ = Describe("test k8s alb gateway using instance targets reconciled by the httpsLsConfig, } - tgSpec := elbv2gw.TargetGroupConfigurationSpec{} + instanceTargetType := elbv2gw.TargetTypeInstance + tgSpec := elbv2gw.TargetGroupConfigurationSpec{ + DefaultConfiguration: elbv2gw.TargetGroupProps{ + TargetType: &instanceTargetType, + }, + } lrcSpec := elbv2gw.ListenerRuleConfigurationSpec{} gwListeners := []gwv1.Listener{ { @@ -1413,8 +1458,11 @@ var _ = Describe("test k8s alb gateway using instance targets reconciled by the DefaultCertificate: &cert, } lbcSpec.ListenerConfigurations = &[]elbv2gw.ListenerConfiguration{lsConfig} + instanceTargetType := elbv2gw.TargetTypeInstance tgSpec := elbv2gw.TargetGroupConfigurationSpec{ - DefaultConfiguration: elbv2gw.TargetGroupProps{}, + DefaultConfiguration: elbv2gw.TargetGroupProps{ + TargetType: &instanceTargetType, + }, } lrcSpec := elbv2gw.ListenerRuleConfigurationSpec{} gwListeners := []gwv1.Listener{ diff --git a/test/e2e/gateway/alb_ip_target_test.go b/test/e2e/gateway/alb_ip_target_test.go index adc25f006..fc61676dc 100644 --- a/test/e2e/gateway/alb_ip_target_test.go +++ b/test/e2e/gateway/alb_ip_target_test.go @@ -4,6 +4,9 @@ import ( "context" "crypto/tls" "fmt" + "strings" + "time" + awssdk "github.com/aws/aws-sdk-go-v2/aws" elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types" "github.com/gavv/httpexpect/v2" 
@@ -21,8 +24,6 @@ import ( "sigs.k8s.io/aws-load-balancer-controller/test/framework/utils" "sigs.k8s.io/aws-load-balancer-controller/test/framework/verifier" gwv1 "sigs.k8s.io/gateway-api/apis/v1" - "strings" - "time" ) var _ = Describe("test k8s alb gateway using ip targets reconciled by the aws load balancer controller", func() { @@ -130,9 +131,9 @@ var _ = Describe("test k8s alb gateway using ip targets reconciled by the aws lo err := tf.HTTPVerifier.VerifyURL(url, http.ResponseCodeMatches(200)) Expect(err).NotTo(HaveOccurred()) }) - By("cross-ns listener should return 503 as no ref grant is available", func() { + By("cross-ns listener should return 500 as no ref grant is available", func() { url := fmt.Sprintf("http://%v:5000/any-path", dnsName) - err := tf.HTTPVerifier.VerifyURL(url, http.ResponseCodeMatches(503)) + err := tf.HTTPVerifier.VerifyURL(url, http.ResponseCodeMatches(500)) Expect(err).NotTo(HaveOccurred()) }) By("confirming the route status", func() { @@ -184,9 +185,9 @@ var _ = Describe("test k8s alb gateway using ip targets reconciled by the aws lo // Give some time to have the reference grant to be deleted time.Sleep(2 * time.Minute) }) - By("cross-ns listener should return 503 as no ref grant is available", func() { + By("cross-ns listener should return 500 as no ref grant is available", func() { url := fmt.Sprintf("http://%v:5000/any-path", dnsName) - err := tf.HTTPVerifier.VerifyURL(url, http.ResponseCodeMatches(503)) + err := tf.HTTPVerifier.VerifyURL(url, http.ResponseCodeMatches(500)) Expect(err).NotTo(HaveOccurred()) }) By("confirming the route status", func() { diff --git a/test/e2e/gateway/alb_test_helper.go b/test/e2e/gateway/alb_test_helper.go index e3fb34b8c..0c35c7d07 100644 --- a/test/e2e/gateway/alb_test_helper.go +++ b/test/e2e/gateway/alb_test_helper.go @@ -4,6 +4,7 @@ import ( "context" "crypto/tls" "fmt" + "google.golang.org/grpc" "google.golang.org/grpc/credentials" appsv1 "k8s.io/api/apps/v1" 
@@ -131,8 +132,8 @@ func validateHTTPRouteStatusNotPermitted(tf *framework.Framework, stack ALBTestS parentKind: "Gateway", resolvedRefReason: "RefNotPermitted", resolvedRefsStatus: "False", - acceptedReason: "RefNotPermitted", - acceptedStatus: "False", + acceptedReason: "Accepted", + acceptedStatus: "True", }, }, }, diff --git a/test/e2e/gateway/nlb_instance_target_test.go b/test/e2e/gateway/nlb_instance_target_test.go index fdd7ff292..b1d02fb5c 100644 --- a/test/e2e/gateway/nlb_instance_target_test.go +++ b/test/e2e/gateway/nlb_instance_target_test.go @@ -3,6 +3,10 @@ package gateway import ( "context" "fmt" + "strconv" + "strings" + "time" + awssdk "github.com/aws/aws-sdk-go-v2/aws" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" @@ -10,9 +14,6 @@ import ( "sigs.k8s.io/aws-load-balancer-controller/test/framework/http" "sigs.k8s.io/aws-load-balancer-controller/test/framework/utils" "sigs.k8s.io/aws-load-balancer-controller/test/framework/verifier" - "strconv" - "strings" - "time" ) var _ = Describe("test nlb gateway using instance targets reconciled by the aws load balancer controller", func() { @@ -56,7 +57,12 @@ var _ = Describe("test nlb gateway using instance targets reconciled by the aws hasTLS = true } - tgSpec := elbv2gw.TargetGroupConfigurationSpec{} + instanceTargetType := elbv2gw.TargetTypeInstance + tgSpec := elbv2gw.TargetGroupConfigurationSpec{ + DefaultConfiguration: elbv2gw.TargetGroupProps{ + TargetType: &instanceTargetType, + }, + } auxiliaryStack = newAuxiliaryResourceStack(ctx, tf, tgSpec, false) @@ -318,7 +324,12 @@ var _ = Describe("test nlb gateway using instance targets reconciled by the aws hasTLS = true } - tgSpec := elbv2gw.TargetGroupConfigurationSpec{} + instanceTargetType := elbv2gw.TargetTypeInstance + tgSpec := elbv2gw.TargetGroupConfigurationSpec{ + DefaultConfiguration: elbv2gw.TargetGroupProps{ + TargetType: &instanceTargetType, + }, + } auxiliaryStack = newAuxiliaryResourceStack(ctx, tf, tgSpec, false) 
diff --git a/test/e2e/gateway/nlb_test_helper.go b/test/e2e/gateway/nlb_test_helper.go index 5fdca62ae..7031db938 100644 --- a/test/e2e/gateway/nlb_test_helper.go +++ b/test/e2e/gateway/nlb_test_helper.go @@ -3,6 +3,7 @@ package gateway import ( "context" "fmt" + awssdk "github.com/aws/aws-sdk-go-v2/aws" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" @@ -49,10 +50,19 @@ func (s *NLBTestStack) Deploy(ctx context.Context, f *framework.Framework, auxil if lbConfSpec.ListenerConfigurations != nil { for _, lsr := range *lbConfSpec.ListenerConfigurations { if lsr.ProtocolPort == "TLS:443" { + tlsMode := gwv1.TLSModeTerminate listeners = append(listeners, gwv1.Listener{ Name: "port443", Port: 443, Protocol: gwv1.TLSProtocolType, + TLS: &gwv1.GatewayTLSConfig{ + Mode: &tlsMode, + CertificateRefs: []gwv1.SecretObjectReference{ + { + Name: "tls-cert", + }, + }, + }, }) break } @@ -253,8 +263,8 @@ func validateL4RouteStatusNotPermitted(tf *framework.Framework, stack NLBTestSta parentKind: "Gateway", resolvedRefReason: "RefNotPermitted", resolvedRefsStatus: "False", - acceptedReason: "RefNotPermitted", - acceptedStatus: "False", + acceptedReason: "Accepted", + acceptedStatus: "True", }, }, }, diff --git a/test/e2e/gateway/route_validator.go b/test/e2e/gateway/route_validator.go index 23b2dc57f..542a83e25 100644 --- a/test/e2e/gateway/route_validator.go +++ b/test/e2e/gateway/route_validator.go @@ -2,6 +2,7 @@ package gateway import ( "fmt" + "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "k8s.io/apimachinery/pkg/types"
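Review bot: The TLS listener built in Deploy now references a certificate by the literal name `tls-cert`, and nothing in the hunk creates a Secret with that name or says that none is needed. If the reference is a placeholder that is never resolved, say so next to it with a one-line comment; if it must resolve, the test stack should create the Secret and share the name through a constant rather than a string literal. Deploy's body starts and ends outside the hunk.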