skip invalid listener first in IR#8577
Conversation
✅ Deploy Preview for cerulean-figolla-1f9435 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #8577 +/- ##
==========================================
- Coverage 74.69% 74.67% -0.02%
==========================================
Files 251 251
Lines 40257 40398 +141
==========================================
+ Hits 30068 30166 +98
- Misses 8123 8160 +37
- Partials 2066 2072 +6 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
45bd0eb to
e9a458a
Compare
f5bee1d to
2db4164
Compare
| message: Route is accepted | ||
| reason: Accepted | ||
| status: "True" | ||
| message: Multiple routes on the same TCP listener |
There was a problem hiding this comment.
this's because tcp-80 is invalid and skipped now.
2db4164 to
1fa2c97
Compare
1fa2c97 to
46b11c4
Compare
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
gateway/internal/gatewayapi/validate.go
Lines 659 to 660 in 46b11c4
validateListenerSpec now depends on validateTLSConfiguration’s boolean to decide whether a listener should be excluded from conflict resolution, but the frontendTLSValidation.ValidateError path only sets conditions and never flips specValid to false. That means listeners with invalid frontend CA refs can still participate in conflict checks and block otherwise valid listeners on the same port/hostname, which defeats the intended invalid-first skip behavior in this change.
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
f587c83 to
97a571f
Compare
7f0e72b to
b214810
Compare
|
possible not
|
| name: http-80 | ||
| protocol: HTTP | ||
| servicePort: 80 | ||
| - name: envoy-gateway/gateway-2/https |
There was a problem hiding this comment.
why is existing logic for Gateway listeners changing ?
There was a problem hiding this comment.
- attachedRoutes: 1
conditions:
- lastTransitionTime: null
message: Listener must have TLS set when protocol is HTTPS.
reason: Invalid
status: "False"
type: Programmed
- lastTransitionTime: null
message: Listener references have been resolved
reason: ResolvedRefs
status: "True"
type: ResolvedRefs
name: https
supportedKinds:
- group: gateway.networking.k8s.io
kind: HTTPRoute
- group: gateway.networking.k8s.io
kind: GRPCRoute
Signed-off-by: zirain <[email protected]>
rudrakhp
left a comment
There was a problem hiding this comment.
A few questions on the new listener validation flow.
| seenUDPProtocol := false | ||
| for _, listener := range listenersOnPort { | ||
| protocol := getProtocolForListener(listener) | ||
| if protocol == string(gwapiv1.UDPProtocolType) { |
There was a problem hiding this comment.
The multi-UDP conflict branch looks unreachable in practice (gated by len(nonUDPProtocols) > 1 earlier), and validateConflictedLayer4Listeners(UDP) already flags the same condition. Can we drop UDP handling from this function and let validateConflictedLayer4Listeners own UDP port conflicts?
| // conflict detection. In the normal translation flow this is driven by | ||
| // listener.specValid. The fallback keeps direct unit tests meaningful when they | ||
| // invoke conflict checks without running per-listener spec validation first. | ||
| func isSpecValidForConflictChecks(listener *ListenerContext) bool { |
There was a problem hiding this comment.
isSpecValidForConflictChecks falls back to hasInvalidCondition so unit tests that skip Phase 1 keep working. Doesn't this mean real-flow regressions in Phase 1 to Phase 2 ordering would be masked by the fallback? Could we update direct-call tests to run validateListenerSpec first and then rely solely on listener.specValid? If the fallback stays, can we add a comment noting it exists only for tests that skip Phase 1?
Signed-off-by: zirain <[email protected]>
updated |
|
LGTM, thanks! |
* fix(api): increase RateLimitSelectCondition.headers MaxItems from 16 to 64 (#8906) * fix(api): increase RateLimitSelectCondition.headers MaxItems from 16 to 64 Co-Authored-By: Claude Sonnet 4.6 <[email protected]> Signed-off-by: wucm667 <[email protected]> Signed-off-by: jukie <[email protected]> * feat: policy field owner (#8538) * feat: policy field owner Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: jukie <[email protected]> * skip invalid listener first in IR (#8577) * skip invalid listener Signed-off-by: zirain <[email protected]> * fix specValid Signed-off-by: zirain <[email protected]> * nit Signed-off-by: zirain <[email protected]> * fix Signed-off-by: zirain <[email protected]> * MUST NOT pick one conflicting Listener as the winner Signed-off-by: zirain <[email protected]> * update Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Co-authored-by: Isaac Wilson <[email protected]> Signed-off-by: jukie <[email protected]> * fix: remove cross ns policy attachment status (#8901) * Revert "add warning for partially accepted targets" This reverts commit 5d88fbb. Signed-off-by: Huabing (Robin) Zhao <[email protected]> * remove warning condition for cross-ns policy attachments without referenceGrants Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: jukie <[email protected]> * feat: add runner event metrics (#8802) * add metrics for runner Signed-off-by: zirain <[email protected]> * rename Signed-off-by: zirain <[email protected]> * rename Signed-off-by: zirain <[email protected]> * reuse Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Signed-off-by: Arko Dasgupta <[email protected]> Co-authored-by: Arko Dasgupta <[email protected]> Signed-off-by: jukie <[email protected]> * fix: respect backend endpoint hostname for health checks (#8929) * fix: respect backend endpoint hostname for health checks ### Summary - Keep BackendTrafficPolicy HTTP health check hostnames as explicit cluster-level hosts, and leave route-derived host fallback to xDS cluster translation. - Preserve Backend endpoint hostnames as per-endpoint overrides via Endpoint.HealthCheckConfig.hostname, ahead of the route fallback. - Update gatewayapi/xDS fixtures, release notes, and generated API docs/CRDs for the host selection order. ### Test plan - go test ./internal/ir - go test ./internal/xds/translator - go test ./internal/gatewayapi -run TestTranslate/backendtrafficpolicy - go test ./internal/gatewayapi -run TestTranslate/(clienttrafficpolicy-http-health-check|envoyextensionpolicy-with-extproc-with-retries|envoyextensionpolicy-with-extproc-with-traffic-features|envoyproxy-accesslog-with-traffic|envoyproxy-tracing-backend-uds|envoyproxy-tracing-backend|securitypolicy-with-jwt-backendcluster|securitypolicy-with-jwt-backendsettings) - make generate - make manifests - git diff --check Signed-off-by: Arko Dasgupta <[email protected]> Co-authored-by: Codex <[email protected]> * fix gen Signed-off-by: zirain <[email protected]> --------- Signed-off-by: Arko Dasgupta <[email protected]> Signed-off-by: zirain <[email protected]> Co-authored-by: Codex <[email protected]> Co-authored-by: zirain <[email protected]> Signed-off-by: jukie <[email protected]> * fix(helm): propagate commonLabels to RBAC resources (#8818) * feat(helm): propagate commonLabels to RBAC resources Issue #8817 reported that 'helm template ... --set commonLabels.custom-label=custom-value' left ClusterRole, ClusterRoleBinding, Role, and RoleBinding resources unlabelled. The other resources in the chart already include 'eg.labels' in their metadata - which picks up 'commonLabels' via the helper at _helpers.tpl:43 - but envoy-gateway-rbac.yaml didn't set any labels block. Add 'labels: {{- include "eg.labels" . | nindent 4 }}' on every Role / RoleBinding / ClusterRole / ClusterRoleBinding declared in envoy-gateway-rbac.yaml. Matches the existing labels pattern used in certgen-rbac.yaml and envoy-gateway-deployment.yaml. Scopes are '$' inside the watched-namespaces 'range' and '.' at the template root, same rule the helper block inside the file already used. Verified locally with: helm dependency update charts/gateway-helm envsubst < charts/gateway-helm/values.tmpl.yaml > \ charts/gateway-helm/values.yaml helm template eg charts/gateway-helm \ --set commonLabels.custom-label=custom-value | yq ... All four RBAC resources now emit 'custom-label: custom-value' in their metadata.labels, matching the issue's repro steps. Cert-gen RBAC resources already carried it; this PR brings the core envoy-gateway RBAC set into parity. Fixes #8817 Signed-off-by: Matt Van Horn <[email protected]> * chore: regenerate helm-template snapshots for RBAC labels Run 'make helm-template.gateway-helm' to regenerate the snapshot fixtures after the envoy-gateway-rbac.yaml labels change. Adds the 'labels:' block to the RBAC resources in all 27 test cases. Signed-off-by: Matt Van Horn <[email protected]> * fix gen Signed-off-by: Huabing (Robin) Zhao <[email protected]> * add release note Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Matt Van Horn <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: Matt Van Horn <[email protected]> Co-authored-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: jukie <[email protected]> * fix(translator): set ListenerSet and listener Accepted:True for InvalidCertificateRef (#8871) * fix(translator): set ListenerSet and listener Accepted:True for InvalidCertificateRef When a ListenerSet listener has an unresolvable TLS certificate reference (InvalidCertificateRef or RefNotPermitted), Accepted: False was incorrectly set on both the listener and ListenerSet object. The Gateway API spec places InvalidCertificateRef exclusively under ResolvedRefs, not Accepted — a missing certificate is a reference resolution concern, not a structural one. Fixes #8870 Signed-off-by: apkatsikas <[email protected]> * chore: fix gofumpt formatting in validateListenerConditions Signed-off-by: apkatsikas <[email protected]> * fix(translator): separate RefNotPermitted from InvalidCertificateRef handling Unlike InvalidCertificateRef, RefNotPermitted should not set Accepted:True. Update unit test fixtures to match. Signed-off-by: apkatsikas <[email protected]> * fix gen Signed-off-by: zirain <[email protected]> --------- Signed-off-by: apkatsikas <[email protected]> Signed-off-by: zirain <[email protected]> Signed-off-by: jukie <[email protected]> * fix: do not downgrade ALPN for only hostnames-overlapping listeners (#8934) fix: do not downgrade ALPN for overlapping hostnames withoug SANs overlapping Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: jukie <[email protected]> * feat: enableDeferredCreationStats by default (#8937) * feat: enableDeferredCreationStats by default Signed-off-by: zirain <[email protected]> Signed-off-by: jukie <[email protected]> * fix: restore last transition time in merge status conditions (#8962) * fix: restore last transition time in merge status conditions Signed-off-by: Rudrakh Panigrahi <[email protected]> * add release note Signed-off-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: jukie <[email protected]> * [release/v1.8] v1.8.0 release notes Cherry-picked release-notes/v1.8.0.yaml and VERSION bump from #8942. Signed-off-by: jukie <[email protected]> --------- Signed-off-by: wucm667 <[email protected]> Signed-off-by: jukie <[email protected]> Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: zirain <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: Arko Dasgupta <[email protected]> Signed-off-by: Arko Dasgupta <[email protected]> Signed-off-by: Matt Van Horn <[email protected]> Signed-off-by: apkatsikas <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> Co-authored-by: wucm667 <[email protected]> Co-authored-by: Claude Sonnet 4.6 <[email protected]> Co-authored-by: Kota Kimura <[email protected]> Co-authored-by: zirain <[email protected]> Co-authored-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: Arko Dasgupta <[email protected]> Co-authored-by: Codex <[email protected]> Co-authored-by: Matt Van Horn <[email protected]> Co-authored-by: Matt Van Horn <[email protected]> Co-authored-by: Andrew Katsikas <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]>
* skip invalid listener Signed-off-by: zirain <[email protected]> * fix specValid Signed-off-by: zirain <[email protected]> * nit Signed-off-by: zirain <[email protected]> * fix Signed-off-by: zirain <[email protected]> * MUST NOT pick one conflicting Listener as the winner Signed-off-by: zirain <[email protected]> * update Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Co-authored-by: Isaac Wilson <[email protected]> Signed-off-by: Karol Szwaj <[email protected]>
|
this PR requried lots of preconditions, remove it from 1.7.4 |
* skip invalid listener Signed-off-by: zirain <[email protected]> * fix specValid Signed-off-by: zirain <[email protected]> * nit Signed-off-by: zirain <[email protected]> * fix Signed-off-by: zirain <[email protected]> * MUST NOT pick one conflicting Listener as the winner Signed-off-by: zirain <[email protected]> * update Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Co-authored-by: Isaac Wilson <[email protected]> Signed-off-by: Karol Szwaj <[email protected]>
xref: #9120 |
* fix: encode TLS secrets with canonical PEM formatting (#8744) * exclude non-ready https Signed-off-by: Karol Szwaj <[email protected]> * prevent BoringSSL errors Signed-off-by: Karol Szwaj <[email protected]> * Add trailing newline to testdata PEMs Signed-off-by: Karol Szwaj <[email protected]> * add release notes Signed-off-by: Karol Szwaj <[email protected]> * use shallow copy instead of DeepCopy Signed-off-by: Karol Szwaj <[email protected]> * use maps.Clone for the data and split the PRs Signed-off-by: Karol Szwaj <[email protected]> --------- Signed-off-by: Karol Szwaj <[email protected]> * fix(xds): hot-reload xDS server cert in GatewayNamespaceMode (#8959) * fix(xds): hot-reload xDS server cert in GatewayNamespaceMode Signed-off-by: nguyenptk <[email protected]> * extract loadServerTLSConfig helper and add tests Signed-off-by: nguyenptk <[email protected]> --------- Signed-off-by: nguyenptk <[email protected]> Signed-off-by: Nguyên (Harry) <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix: restore last transition time in merge status conditions (#8962) * fix: restore last transition time in merge status conditions Signed-off-by: Rudrakh Panigrahi <[email protected]> * add release note Signed-off-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target (#9068) * add passing testcase showing wildcard overriding sectioned backendTLSPolicy Signed-off-by: AlecDiraimondo <[email protected]> * fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target When two BackendTLSPolicies target the same backend — one with sectionName set, one without — the wildcard wins whenever it sorts earlier, since policies are iterated in creationTimestamp order with no specificity preference. The sectioned policy is silently dropped: never selected by the translator, no status written. Make getBackendTLSPolicy prefer policies with an explicit sectionName match before falling back to wildcard matches. Matches the specificity ordering SecurityPolicy already implements. Refs #9035 Signed-off-by: AlecDiraimondo <[email protected]> * update release notes Signed-off-by: AlecDiraimondo <[email protected]> * fixes from review: dedup helper, return early if backendTarget has no section specified Signed-off-by: AlecDiraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: AlecDiraimondo <[email protected]> Signed-off-by: Alec Diraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * skip invalid listener first in IR (#8577) * skip invalid listener Signed-off-by: zirain <[email protected]> * fix specValid Signed-off-by: zirain <[email protected]> * nit Signed-off-by: zirain <[email protected]> * fix Signed-off-by: zirain <[email protected]> * MUST NOT pick one conflicting Listener as the winner Signed-off-by: zirain <[email protected]> * update Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Co-authored-by: Isaac Wilson <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix testdata Signed-off-by: Karol Szwaj <[email protected]> * Add v1.7.4 release notes Signed-off-by: Karol Szwaj <[email protected]> * update release notes Signed-off-by: Karol Szwaj <[email protected]> Signed-off-by: zirain <[email protected]> --------- Signed-off-by: Karol Szwaj <[email protected]> Signed-off-by: nguyenptk <[email protected]> Signed-off-by: Nguyên (Harry) <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: AlecDiraimondo <[email protected]> Signed-off-by: Alec Diraimondo <[email protected]> Signed-off-by: zirain <[email protected]> Co-authored-by: Nguyên (Harry) <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> Co-authored-by: Alec Diraimondo <[email protected]> Co-authored-by: zirain <[email protected]> Co-authored-by: Isaac Wilson <[email protected]>
This's seperated from #8361
Invalid listeners should probably be skipped before check confilict.
Otherwise an invalid-first listener can still win hostname/protocol precedence and cause a later valid listener on the same hostname/port to be marked HostnameConflict.