Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for TLS (conformance test passes) #316

Merged
merged 12 commits into from
Jul 12, 2022
5 changes: 4 additions & 1 deletion config/200-clusterrole.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -39,5 +39,8 @@ metadata:
app.kubernetes.io/version: devel
rules:
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["httproutes", "gateways"]
resources: ["httproutes", "referencepolicies"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["gateways"]
verbs: ["get", "list", "update", "patch", "watch"]
4 changes: 2 additions & 2 deletions docs/test-version.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,5 +15,5 @@ The following Gateway API version and Ingress were tested as part of the release

| Ingress | Tested version | Unavailable features |
| ------- | ----------------------- | ------------------------------ |
| Istio | v1.13.2 | tls,retry,httpoption,host-rewrite |
| Contour | v1.21.0 | tls,retry,httpoption,basics/http2,websocket,websocket/split,grpc,grpc/split,visibility/path,visibility,update,host-rewrite |
| Istio | v1.13.2 | retry,httpoption,host-rewrite |
| Contour | v1.21.0 | retry,httpoption,basics/http2,websocket,websocket/split,grpc,grpc/split,visibility/path,visibility,update,host-rewrite |
4 changes: 2 additions & 2 deletions hack/test-env.sh
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,6 @@

export GATEWAY_API_VERSION="v0.4.3"
export ISTIO_VERSION="1.13.2"
export ISTIO_UNSUPPORTED_E2E_TESTS="tls,retry,httpoption,host-rewrite"
export ISTIO_UNSUPPORTED_E2E_TESTS="retry,httpoption,host-rewrite"
export CONTOUR_VERSION="v1.21.0"
export CONTOUR_UNSUPPORTED_E2E_TESTS="tls,retry,httpoption,basics/http2,websocket,websocket/split,grpc,grpc/split,visibility/path,visibility,update,host-rewrite"
export CONTOUR_UNSUPPORTED_E2E_TESTS="retry,httpoption,basics/http2,websocket,websocket/split,grpc,grpc/split,visibility/path,visibility,update,host-rewrite"
8 changes: 6 additions & 2 deletions pkg/reconciler/ingress/controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ import (
gwapiclient "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/client"
gatewayinformer "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/informers/apis/v1alpha2/gateway"
httprouteinformer "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/informers/apis/v1alpha2/httproute"
referencepolicyinformer "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/informers/apis/v1alpha2/referencepolicy"
"knative.dev/net-gateway-api/pkg/reconciler/ingress/config"
)

Expand All @@ -55,12 +56,15 @@ func NewController(

ingressInformer := ingressinformer.Get(ctx)
httprouteInformer := httprouteinformer.Get(ctx)
referencePolicyInformer := referencepolicyinformer.Get(ctx)
gatewayInformer := gatewayinformer.Get(ctx)
endpointsInformer := endpointsinformer.Get(ctx)

c := &Reconciler{
gwapiclient: gwapiclient.Get(ctx),
httprouteLister: httprouteInformer.Lister(),
gwapiclient: gwapiclient.Get(ctx),
httprouteLister: httprouteInformer.Lister(),
referencePolicyLister: referencePolicyInformer.Lister(),
gatewayLister: gatewayInformer.Lister(),
}

filterFunc := reconciler.AnnotationFilterFunc(networking.IngressClassAnnotationKey, gatewayAPIIngressClassName, false)
Expand Down
1 change: 1 addition & 0 deletions pkg/reconciler/ingress/controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ import (

_ "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/informers/apis/v1alpha2/gateway/fake"
_ "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/informers/apis/v1alpha2/httproute/fake"
_ "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/informers/apis/v1alpha2/referencepolicy/fake"
"knative.dev/net-gateway-api/pkg/reconciler/ingress/config"
)

Expand Down
28 changes: 26 additions & 2 deletions pkg/reconciler/ingress/ingress.go
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,10 @@ type Reconciler struct {

// Listers index properties about resources
httprouteLister gatewayListers.HTTPRouteLister

referencePolicyLister gatewayListers.ReferencePolicyLister

gatewayLister gatewayListers.GatewayLister
}

var (
Expand All @@ -68,6 +72,7 @@ func (c *Reconciler) ReconcileKind(ctx context.Context, ingress *v1alpha1.Ingres

func (c *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress) error {
logger := logging.FromContext(ctx)
gatewayConfig := config.FromContext(ctx).Gateway

// We may be reading a version of the object that was stored at an older version
// and may not have had all of the assumed defaults specified. This won't result
Expand Down Expand Up @@ -100,14 +105,33 @@ func (c *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress
logger.Infof("HTTPRoute successfully synced %v", httproutes)
}

listeners := make([]*gatewayv1alpha2.Listener, 0, len(ing.Spec.TLS))
for _, tls := range ing.Spec.TLS {
tls := tls

l, err := c.reconcileTLS(ctx, &tls, ing)
if err != nil {
return err
}
listeners = append(listeners, l...)
}

if len(listeners) > 0 {
// For now, we only reconcile the external visibility, because there's
// no way to provide TLS for internal listeners.
err := c.reconcileGatewayListeners(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious if we should update the gateway listeners first before updating the httproute

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure -- how would you decide which to do?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could imagine a poor implementation (of the gateway api) that doesn't trigger reconciliation of existing HTTP routes when ReferenceGrants for certain namespaces are create.

Thus I think I'd prefer to create the listener & grant and update the gateway prior to creating an HTTPRoute.

I'm ok if that's done in a followup PR

ctx, listeners, ing, *gatewayConfig.Gateways[v1alpha1.IngressVisibilityExternalIP].Gateway)
if err != nil {
return err
}
}

ready, err := c.statusManager.IsReady(ctx, before)
if err != nil {
return fmt.Errorf("failed to probe Ingress: %w", err)
}

if ready {
gatewayConfig := config.FromContext(ctx).Gateway

namespacedNameService := gatewayConfig.Gateways[v1alpha1.IngressVisibilityExternalIP].Service
publicLbs := []v1alpha1.LoadBalancerIngressStatus{
{DomainInternal: network.GetServiceHostname(namespacedNameService.Name, namespacedNameService.Namespace)},
Expand Down
173 changes: 173 additions & 0 deletions pkg/reconciler/ingress/ingress_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
clientgotesting "k8s.io/client-go/testing"
"k8s.io/utils/pointer"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: knative/pkg/ptr

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why prefer knative.dev packages to the upstream k8s ones?

gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"

"knative.dev/networking/pkg/apis/networking"
Expand Down Expand Up @@ -246,6 +247,99 @@ func TestReconcileProberNotReady(t *testing.T) {
}))
}

func TestReconcileTLS(t *testing.T) {
// The gateway API annoyingly has a number of
secretName := "name-WE-STICK-A-LONG-UID-HERE"
nsName := "ns"
myGw := gw(defaultListener)
table := TableTest{{
Name: "Happy TLS",
Key: "ns/name",
SkipNamespaceValidation: true, // We need to create the Gateway in a different namespace
Objects: []runtime.Object{
ing(withBasicSpec, withGatewayAPIClass, withTLS(secretName)),
secret(secretName, nsName),
myGw,
},
WantCreates: []runtime.Object{
myGw,
httpRoute(t, ing(withBasicSpec, withGatewayAPIClass, withTLS(secretName))),
rp(secret(secretName, nsName)),
},
WantUpdates: []clientgotesting.UpdateActionImpl{{
Object: gw(defaultListener, func(g *gatewayv1alpha2.Gateway) {
g.Spec.Listeners = append(g.Spec.Listeners, gatewayv1alpha2.Listener{
Name: "secure.example.com",
Hostname: (*gatewayv1alpha2.Hostname)(pointer.String("secure.example.com")),
Port: 443,
Protocol: "HTTPS",
TLS: &gatewayv1alpha2.GatewayTLSConfig{
Mode: (*gatewayv1alpha2.TLSModeType)(pointer.String("Terminate")),
CertificateRefs: []*gatewayv1alpha2.SecretObjectReference{{
Group: (*gatewayv1alpha2.Group)(pointer.String("")),
Kind: (*gatewayv1alpha2.Kind)(pointer.String("Secret")),
Name: gatewayv1alpha2.ObjectName(secretName),
Namespace: (*gatewayv1alpha2.Namespace)(&nsName),
}},
Options: map[gatewayv1alpha2.AnnotationKey]gatewayv1alpha2.AnnotationValue{},
},
AllowedRoutes: &gatewayv1alpha2.AllowedRoutes{
Namespaces: &gatewayv1alpha2.RouteNamespaces{
From: (*gatewayv1alpha2.FromNamespaces)(pointer.String("Selector")),
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"kubernetes.io/metadata.name": "ns",
},
},
},
Kinds: []gatewayv1alpha2.RouteGroupKind{},
},
})
}),
}},
WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
Object: ing(withBasicSpec, withGatewayAPIClass, withTLS(secretName), func(i *v1alpha1.Ingress) {
i.Status.InitializeConditions()
i.Status.MarkLoadBalancerReady(
[]v1alpha1.LoadBalancerIngressStatus{{
DomainInternal: publicSvc,
}},
[]v1alpha1.LoadBalancerIngressStatus{{
DomainInternal: privateSvc,
}})
}),
}},
WantEvents: []string{
Eventf(corev1.EventTypeNormal, "Created", `Created HTTPRoute "example.com"`),
},
}}

table.Test(t, MakeFactory(func(ctx context.Context, listers *Listers, cmw configmap.Watcher) controller.Reconciler {
r := &Reconciler{
gwapiclient: fakegwapiclientset.Get(ctx),
httprouteLister: listers.GetHTTPRouteLister(),
referencePolicyLister: listers.GetReferencePolicyLister(),
gatewayLister: listers.GetGatewayLister(),
statusManager: &fakeStatusManager{FakeIsReady: func(context.Context, *v1alpha1.Ingress) (bool, error) {
return true, nil
}},
}

// The fake tracker's `Add` method incorrectly pluralizes "gatewaies" using UnsafeGuessKindToResource,
// so create this via explicit call (per note in client-go/testing/fixture.go in tracker.Add)
fakegwapiclientset.Get(ctx).GatewayV1alpha2().Gateways(myGw.Namespace).Create(ctx, myGw, metav1.CreateOptions{})

ingr := ingressreconciler.NewReconciler(ctx, logging.FromContext(ctx), fakeingressclient.Get(ctx),
listers.GetIngressLister(), controller.GetEventRecorder(ctx), r, gatewayAPIIngressClassName,
controller.Options{
ConfigStore: &testConfigStore{
config: defaultConfig,
}})

return ingr
}))
}

func TestReconcileProbeError(t *testing.T) {
theError := errors.New("this is the error")

Expand Down Expand Up @@ -336,6 +430,85 @@ func (t *testConfigStore) ToContext(ctx context.Context) context.Context {
return config.ToContext(ctx, t.config)
}

type GatewayOption func(*gatewayv1alpha2.Gateway)

func gw(opts ...GatewayOption) *gatewayv1alpha2.Gateway {
g := &gatewayv1alpha2.Gateway{
ObjectMeta: metav1.ObjectMeta{
Name: publicName,
Namespace: testNamespace,
},
Spec: gatewayv1alpha2.GatewaySpec{
GatewayClassName: gatewayAPIIngressClassName,
},
}
for _, opt := range opts {
opt(g)
}
return g
}

func defaultListener(g *gatewayv1alpha2.Gateway) {
g.Spec.Listeners = append(g.Spec.Listeners, gatewayv1alpha2.Listener{
Name: "http",
Port: 80,
Protocol: "HTTP",
})
}

func withTLS(secret string) IngressOption {
return func(i *v1alpha1.Ingress) {
i.Spec.TLS = append(i.Spec.TLS, v1alpha1.IngressTLS{
Hosts: []string{"secure.example.com"},
SecretName: "name-WE-STICK-A-LONG-UID-HERE",
SecretNamespace: "ns",
})
}
}

func secret(name, ns string) *corev1.Secret {
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: ns,
},
StringData: map[string]string{
"ca.crt": "signed thing",
"ca.key": "private thing",
},
Type: "kubernetes.io/tls",
}
}

func rp(to *corev1.Secret) *gatewayv1alpha2.ReferencePolicy {
t := true
return &gatewayv1alpha2.ReferencePolicy{
ObjectMeta: metav1.ObjectMeta{
Name: to.Name + "-" + testNamespace,
Namespace: to.Namespace,
OwnerReferences: []metav1.OwnerReference{{
APIVersion: "networking.internal.knative.dev/v1alpha1",
Kind: "Ingress",
Name: "name",
Controller: &t,
BlockOwnerDeletion: &t,
}},
},
Spec: gatewayv1alpha2.ReferencePolicySpec{
From: []gatewayv1alpha2.ReferencePolicyFrom{{
Group: "gateway.networking.k8s.io",
Kind: "Gateway",
Namespace: gatewayv1alpha2.Namespace(testNamespace),
}},
To: []gatewayv1alpha2.ReferencePolicyTo{{
Group: gatewayv1alpha2.Group(""),
Kind: gatewayv1alpha2.Kind("Secret"),
Name: (*gatewayv1alpha2.ObjectName)(&to.Name),
}},
},
}
}

var (
defaultConfig = &config.Config{
Network: &networkcfg.Config{},
Expand Down
Loading