diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml
index 8fe261735e..e432f2f3ff 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml
@@ -19,6 +19,7 @@ gateways:
 status:
 listeners:
 - name: http
+ supportedKinds: []
 attachedRoutes: 0
 conditions:
 - type: ResolvedRefs
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.in.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.in.yaml
new file mode 100644
index 0000000000..eaa066350a
--- /dev/null
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.in.yaml
@@ -0,0 +1,37 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: FooRoute
+ - group:
+ kind: HTTPRoute
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-1
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-1
+ rules:
+ - matches:
+ - path:
+ value: "/"
+ backendRefs:
+ - name: service-1
+ port: 8080
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.out.yaml
new file mode 100644
index 0000000000..97384a246a
--- /dev/null
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.out.yaml
@@ -0,0 +1,76 @@
+gateways:
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ metadata:
+ namespace: envoy-gateway
+ name: gateway-1
+ spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: FooRoute
+ - group:
+ kind: HTTPRoute
+ status:
+ listeners:
+ - name: http
+ attachedRoutes: 0
+ supportedKinds:
+ - kind: HTTPRoute
+ conditions:
+ - type: ResolvedRefs
+ status: "False"
+ reason: InvalidRouteKinds
+ message: "FooRoute is not supported, kind must be HTTPRoute"
+ - type: Programmed
+ status: "False"
+ reason: Invalid
+ message: Listener is invalid, see other Conditions for details.
+httpRoutes:
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: HTTPRoute
+ metadata:
+ namespace: default
+ name: httproute-1
+ spec:
+ parentRefs:
+ - namespace: envoy-gateway
+ name: gateway-1
+ rules:
+ - matches:
+ - path:
+ value: "/"
+ backendRefs:
+ - name: service-1
+ port: 8080
+ status:
+ parents:
+ - parentRef:
+ namespace: envoy-gateway
+ name: gateway-1
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ conditions:
+ - type: Accepted
+ status: "False"
+ reason: NoReadyListeners
+ message: There are no ready listeners for this parent ref
+xdsIR:
+ envoy-gateway-gateway-1: {}
+infraIR:
+ envoy-gateway-gateway-1:
+ proxy:
+ metadata:
+ labels:
+ gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ name: envoy-gateway-gateway-1
+ image: envoyproxy/envoy:translator-tests
+ listeners:
+ - address: ""
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml
index 8d0774981e..ddcdc9efa9 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml
@@ -20,11 +20,12 @@ gateways:
 listeners:
 - name: http
 attachedRoutes: 0
+ supportedKinds: []
 conditions:
 - type: ResolvedRefs
 status: "False"
 reason: InvalidRouteKinds
- message: "Kind is not supported, kind must be HTTPRoute"
+ message: "FooRoute is not supported, kind must be HTTPRoute"
 - type: Programmed
 status: "False"
 reason: Invalid
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml
index f868809098..8478bec2eb 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml
@@ -23,11 +23,12 @@ gateways:
 listeners:
 - name: tls
 attachedRoutes: 0
+ supportedKinds: []
 conditions:
 - type: ResolvedRefs
 status: "False"
 reason: InvalidRouteKinds
- message: "Kind is not supported, kind must be TLSRoute"
+ message: "HTTPRoute is not supported, kind must be TLSRoute"
 - type: Programmed
 status: "False"
 reason: Invalid
diff --git a/internal/gatewayapi/validate.go b/internal/gatewayapi/validate.go
index 8d9da7804a..6a82eee926 100644
--- a/internal/gatewayapi/validate.go
+++ b/internal/gatewayapi/validate.go
@@ -392,30 +392,38 @@ func (t *Translator) validateHostName(listener *ListenerContext) {
 func (t *Translator) validateAllowedRoutes(listener *ListenerContext, routeKind v1beta1.Kind) {
 if listener.AllowedRoutes == nil || len(listener.AllowedRoutes.Kinds) == 0 {
 listener.SetSupportedKinds(v1beta1.RouteGroupKind{Group: GroupPtr(v1beta1.GroupName), Kind: routeKind})
- } else {
- for _, kind := range listener.AllowedRoutes.Kinds {
- if kind.Group != nil && string(*kind.Group) != v1beta1.GroupName {
- listener.SetCondition(
- v1beta1.ListenerConditionResolvedRefs,
- metav1.ConditionFalse,
- v1beta1.ListenerReasonInvalidRouteKinds,
- fmt.Sprintf("Group is not supported, group must be %s", v1beta1.GroupName),
- )
- continue
- }
+ return
+ }
 
- if kind.Kind != routeKind {
- listener.SetCondition(
- v1beta1.ListenerConditionResolvedRefs,
- metav1.ConditionFalse,
- v1beta1.ListenerReasonInvalidRouteKinds,
- fmt.Sprintf("Kind is not supported, kind must be %s", routeKind),
- )
- continue
- }
- listener.SetSupportedKinds(kind)
+ supportedKinds := make([]v1beta1.RouteGroupKind, 0, len(listener.AllowedRoutes.Kinds))
+
+ for _, kind := range listener.AllowedRoutes.Kinds {
+
+ // if there is a group it must match `gateway.networking.k8s.io`
+ if kind.Group != nil && string(*kind.Group) != v1beta1.GroupName {
+ listener.SetCondition(
+ v1beta1.ListenerConditionResolvedRefs,
+ metav1.ConditionFalse,
+ v1beta1.ListenerReasonInvalidRouteKinds,
+ fmt.Sprintf("Group is not supported, group must be %s", v1beta1.GroupName),
+ )
+ continue
+ }
+
+ if kind.Kind != routeKind {
+ listener.SetCondition(
+ v1beta1.ListenerConditionResolvedRefs,
+ metav1.ConditionFalse,
+ v1beta1.ListenerReasonInvalidRouteKinds,
+ fmt.Sprintf("%s is not supported, kind must be %s", kind.Kind, routeKind),
+ )
+ continue
 }
+
+ supportedKinds = append(supportedKinds, kind)
 }
+
+ listener.SetSupportedKinds(supportedKinds...)
 }
 
 type portListeners struct {
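Review bot: The loop appends each accepted `kind` unchanged, so an allowedRoutes entry whose Group is nil is published in supportedKinds without a group, while the early-return branch at the top of validateAllowedRoutes reports `Group: GroupPtr(v1beta1.GroupName)` for the same effective kind; the new golden file shows this as a bare `- kind: HTTPRoute`. Because supportedKinds is what tells users and other tooling which route kinds may attach to the listener, I would make the group explicit with `if kind.Group == nil { kind.Group = GroupPtr(v1beta1.GroupName) }` just before `supportedKinds = append(supportedKinds, kind)`; `kind` is the range copy, so the Gateway spec is not mutated, and the expected output would then need the group added. Separately, the Group branch still says `Group is not supported` without naming the rejected value, unlike the reworded Kind message. If SetCondition replaces an existing condition of the same type (not visible in this hunk), only the last invalid entry is reported, which deserves a one-line comment above the loop.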
diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go
index 23e45c2322..691e3bc37f 100644
--- a/test/conformance/conformance_test.go
+++ b/test/conformance/conformance_test.go
@@ -80,6 +80,7 @@ func TestGatewayAPIConformance(t *testing.T) {
 tests.GatewaySecretMissingReferenceGrant,
 tests.GatewaySecretInvalidReferenceGrant,
 tests.GatewayInvalidTLSConfiguration,
+ tests.GatewayInvalidRouteKind,
 tests.HTTPRouteReferenceGrant,
 tests.HTTPRoutePartiallyInvalidViaInvalidReferenceGrant,
 }