Merge pull request #4446 from shuqz/conformance-reference-grant

[feat gw-api]update reference grant check and route status

Author: k8s-ci-robot

controllers/gateway/route_reconciler.go

@@ -226,69 +226,48 @@ func (d *routeReconcilerImpl) resolveRefGateway(parentRef gwv1.ParentReference,
 // setCondition based on RouteStatusInfo
 func (d *routeReconcilerImpl) setConditionsWithRouteStatusInfo(route client.Object, parentStatus *gwv1.RouteParentStatus, info routeutils.RouteStatusInfo) {
 	timeNow := metav1.NewTime(time.Now())
+	var conditions []metav1.Condition
 	if !info.ResolvedRefs {
-		// resolvedRef rejected
-		parentStatus.Conditions = []metav1.Condition{
-			{
-				Type:               string(gwv1.RouteConditionAccepted),
-				Status:             metav1.ConditionFalse,
-				Reason:             info.Reason,
-				Message:            info.Message,
-				LastTransitionTime: timeNow,
-				ObservedGeneration: route.GetGeneration(),
-			},
-			{
-				Type:               string(gwv1.RouteConditionResolvedRefs),
-				Status:             metav1.ConditionFalse,
-				Reason:             info.Reason,
-				Message:            info.Message,
-				LastTransitionTime: timeNow,
-				ObservedGeneration: route.GetGeneration(),
-			},
-		}
-		return
+		conditions = append(conditions, metav1.Condition{
+			Type:               string(gwv1.RouteConditionResolvedRefs),
+			Status:             metav1.ConditionFalse,
+			Reason:             info.Reason,
+			Message:            info.Message,
+			LastTransitionTime: timeNow,
+			ObservedGeneration: route.GetGeneration(),
+		})
+	} else {
+		conditions = append(conditions, metav1.Condition{
+			Type:               string(gwv1.RouteConditionResolvedRefs),
+			Status:             metav1.ConditionTrue,
+			Reason:             string(gwv1.RouteReasonResolvedRefs),
+			Message:            "",
+			LastTransitionTime: timeNow,
+			ObservedGeneration: route.GetGeneration(),
+		})
 	}
-	// resolveRef accepted and route accepted
-	if info.Accepted {
-		parentStatus.Conditions = []metav1.Condition{
-			{
-				Type:               string(gwv1.RouteConditionAccepted),
-				Status:             metav1.ConditionTrue,
-				Reason:             info.Reason,
-				Message:            info.Message,
-				LastTransitionTime: timeNow,
-				ObservedGeneration: route.GetGeneration(),
-			},
-			{
-				Type:               string(gwv1.RouteConditionResolvedRefs),
-				Status:             metav1.ConditionTrue,
-				Reason:             string(gwv1.RouteReasonResolvedRefs),
-				LastTransitionTime: timeNow,
-				ObservedGeneration: route.GetGeneration(),
-			},
-		}
-		return
+
+	if !info.Accepted {
+		conditions = append(conditions, metav1.Condition{
+			Type:               string(gwv1.RouteConditionAccepted),
+			Status:             metav1.ConditionFalse,
+			Reason:             info.Reason,
+			Message:            info.Message,
+			LastTransitionTime: timeNow,
+			ObservedGeneration: route.GetGeneration(),
+		})
 	} else {
-		// resolveRef accepted but route rejected
-		parentStatus.Conditions = []metav1.Condition{
-			{
-				Type:               string(gwv1.RouteConditionAccepted),
-				Status:             metav1.ConditionFalse,
-				Reason:             info.Reason,
-				Message:            info.Message,
-				LastTransitionTime: timeNow,
-				ObservedGeneration: route.GetGeneration(),
-			},
-			{
-				Type:               string(gwv1.RouteConditionResolvedRefs),
-				Status:             metav1.ConditionTrue,
-				Reason:             string(gwv1.RouteReasonAccepted),
-				LastTransitionTime: timeNow,
-				ObservedGeneration: route.GetGeneration(),
-			},
-		}
-		return
+		conditions = append(conditions, metav1.Condition{
+			Type:               string(gwv1.RouteConditionAccepted),
+			Status:             metav1.ConditionTrue,
+			Reason:             string(gwv1.RouteReasonAccepted),
+			Message:            "",
+			LastTransitionTime: timeNow,
+			ObservedGeneration: route.GetGeneration(),
+		})
 	}
+
+	parentStatus.Conditions = conditions
 }
 
 func (d *routeReconcilerImpl) setConditionsBasedOnResolveRefGateway(route client.Object, parentStatus *gwv1.RouteParentStatus, resolveErr error) {

controllers/gateway/route_reconciler_test.go

@@ -503,10 +503,12 @@ func Test_setConditionsWithRouteStatusInfo(t *testing.T) {
 				acceptedCondition := findCondition(conditions, string(gwv1.RouteConditionAccepted))
 				assert.NotNil(t, acceptedCondition)
 				assert.Equal(t, metav1.ConditionTrue, acceptedCondition.Status)
+				assert.Equal(t, string(gwv1.RouteReasonAccepted), acceptedCondition.Reason)
 
 				resolvedRefCondition := findCondition(conditions, string(gwv1.RouteConditionResolvedRefs))
 				assert.NotNil(t, resolvedRefCondition)
 				assert.Equal(t, metav1.ConditionTrue, resolvedRefCondition.Status)
+				assert.Equal(t, string(gwv1.RouteReasonResolvedRefs), resolvedRefCondition.Reason)
 			},
 		},
 		{
@@ -529,18 +531,18 @@ func Test_setConditionsWithRouteStatusInfo(t *testing.T) {
 			},
 		},
 		{
-			name: "accepted false and resolvedRef false",
+			name: "accepted true and resolvedRef false",
 			info: routeutils.RouteStatusInfo{
-				Accepted:     false,
+				Accepted:     true,
 				ResolvedRefs: false,
-				Reason:       string(gwv1.RouteReasonBackendNotFound),
-				Message:      "backend not found",
+				Reason:       string(gwv1.RouteReasonRefNotPermitted),
+				Message:      "ref not permitted",
 			},
 			validateResult: func(t *testing.T, conditions []metav1.Condition) {
 				assert.Len(t, conditions, 2)
 				acceptedCondition := findCondition(conditions, string(gwv1.RouteConditionAccepted))
 				assert.NotNil(t, acceptedCondition)
-				assert.Equal(t, metav1.ConditionFalse, acceptedCondition.Status)
+				assert.Equal(t, metav1.ConditionTrue, acceptedCondition.Status)
 
 				resolvedRefCondition := findCondition(conditions, string(gwv1.RouteConditionResolvedRefs))
 				assert.NotNil(t, resolvedRefCondition)

docs/guide/gateway/gateway.md

@@ -127,7 +127,7 @@ spec:
 
 When `my-http-service` or the configured service port can't be found,
 the target group will not be materialized on any ALBs that the route attaches to.
-An [503 Fixed Response](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_FixedResponseActionConfig.html)
+An [500 Fixed Response](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_FixedResponseActionConfig.html)
 will be added to any Listener Rules that would have referenced the invalid backend.
 
 ## Specify out-of-band Target Groups

pkg/gateway/model/model_build_listener.go

@@ -381,16 +381,16 @@ func buildL7ListenerDefaultActions() []elbv2model.Action {
 	return []elbv2model.Action{action404}
 }
 
-// returns 503 when no backends are configured
+// returns 500 when no backends are configured
 func buildL7ListenerNoBackendActions() elbv2model.Action {
-	action503 := elbv2model.Action{
+	action500 := elbv2model.Action{
 		Type: elbv2model.ActionTypeFixedResponse,
 		FixedResponseConfig: &elbv2model.FixedResponseActionConfig{
 			ContentType: awssdk.String("text/plain"),
-			StatusCode:  "503",
+			StatusCode:  "500",
 		},
 	}
-	return action503
+	return action500
 }
 
 func buildL4ListenerDefaultActions(arn core.StringToken) []elbv2model.Action {

pkg/gateway/model/model_build_listener_test.go

@@ -2,19 +2,20 @@ package model
 
 import (
 	"context"
+	"reflect"
+	"strings"
+	"testing"
+
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	elbv2sdk "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2"
 	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
-	"reflect"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/routeutils"
 	coremodel "sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
-	"strings"
-	"testing"
 
 	"github.com/golang/mock/gomock"
 	"github.com/pkg/errors"
@@ -1242,7 +1243,7 @@ func Test_BuildListenerRules(t *testing.T) {
 		tagErr        error
 	}{
 		{
-			name:             "no backends should result in 503 fixed response",
+			name:             "no backends should result in 500 fixed response",
 			port:             80,
 			listenerProtocol: elbv2model.ProtocolHTTP,
 			ipAddressType:    elbv2model.IPAddressTypeIPV4,
@@ -1277,7 +1278,7 @@ func Test_BuildListenerRules(t *testing.T) {
 							Type: "fixed-response",
 							FixedResponseConfig: &elbv2model.FixedResponseActionConfig{
 								ContentType: awssdk.String("text/plain"),
-								StatusCode:  "503",
+								StatusCode:  "500",
 							},
 						},
 					},
@@ -1590,7 +1591,7 @@ func Test_BuildListenerRules(t *testing.T) {
 			},
 		},
 		{
-			name:             "listener rule config with authenticate-cognito and no backends should result in auth + 503 fixed response",
+			name:             "listener rule config with authenticate-cognito and no backends should result in auth + 500 fixed response",
 			port:             80,
 			listenerProtocol: elbv2model.ProtocolHTTPS,
 			ipAddressType:    elbv2model.IPAddressTypeIPV4,
@@ -1663,7 +1664,7 @@ func Test_BuildListenerRules(t *testing.T) {
 							Type: "fixed-response",
 							FixedResponseConfig: &elbv2model.FixedResponseActionConfig{
 								ContentType: awssdk.String("text/plain"),
-								StatusCode:  "503",
+								StatusCode:  "500",
 							},
 						},
 					},

pkg/gateway/routeutils/backend.go

@@ -3,6 +3,7 @@ package routeutils
 import (
 	"context"
 	"fmt"
+
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -21,6 +22,8 @@ const (
 	gatewayKind             = "Gateway"
 	referenceGrantNotExists = "No explicit ReferenceGrant exists to allow the reference."
 	maxWeight               = 999
+	gatewayAPIGroup         = "gateway.networking.k8s.io"
+	coreAPIGroup            = ""
 )
 
 var (
@@ -216,7 +219,7 @@ func LookUpTargetGroupConfiguration(ctx context.Context, k8sClient client.Client
 
 // Implements the reference grant API
 // https://gateway-api.sigs.k8s.io/api-types/referencegrant/
-func referenceGrantCheck(ctx context.Context, k8sClient client.Client, objKind string, objIdentifier types.NamespacedName, routeIdentifier types.NamespacedName, routeKind RouteKind) (bool, error) {
+func referenceGrantCheck(ctx context.Context, k8sClient client.Client, objKind string, objGroup string, objIdentifier types.NamespacedName, routeIdentifier types.NamespacedName, routeKind RouteKind, routeGroup string) (bool, error) {
 	referenceGrantList := &gwbeta1.ReferenceGrantList{}
 	if err := k8sClient.List(ctx, referenceGrantList, client.InNamespace(objIdentifier.Namespace)); err != nil {
 		return false, err
@@ -226,17 +229,15 @@ func referenceGrantCheck(ctx context.Context, k8sClient client.Client, objKind s
 		var routeAllowed bool
 
 		for _, from := range grant.Spec.From {
-			// Kind check maybe?
-			if string(from.Kind) == string(routeKind) && string(from.Namespace) == routeIdentifier.Namespace {
+			if string(from.Group) == routeGroup && string(from.Kind) == string(routeKind) && string(from.Namespace) == routeIdentifier.Namespace {
 				routeAllowed = true
 				break
 			}
 		}
 
 		if routeAllowed {
 			for _, to := range grant.Spec.To {
-				// Make sure the kind is correct for our query.
-				if string(to.Kind) != objKind {
+				if string(to.Group) != objGroup || string(to.Kind) != objKind {
 					continue
 				}
 

pkg/gateway/routeutils/backend_gateway.go

@@ -3,6 +3,8 @@ package routeutils
 import (
 	"context"
 	"fmt"
+	"strings"
+
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -14,7 +16,6 @@ import (
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
-	"strings"
 )
 
 var _ TargetGroupConfigurator = &GatewayBackendConfig{}
@@ -101,7 +102,7 @@ func gatewayLoader(ctx context.Context, k8sClient client.Client, routeIdentifier
 
 	// Check for reference grant when performing cross namespace gateway -> route attachment
 	if gwIdentifier.Namespace != routeIdentifier.Namespace {
-		allowed, err := referenceGrantCheck(ctx, k8sClient, gatewayKind, gwIdentifier, routeIdentifier, routeKind)
+		allowed, err := referenceGrantCheck(ctx, k8sClient, gatewayKind, gatewayAPIGroup, gwIdentifier, routeIdentifier, routeKind, gatewayAPIGroup)
 		if err != nil {
 			// Currently, this API only fails for a k8s related error message, hence no status update + make the error fatal.
 			return nil, nil, errors.Wrapf(err, "Unable to perform reference grant check")

pkg/gateway/routeutils/backend_service.go

@@ -3,6 +3,8 @@ package routeutils
 import (
 	"context"
 	"fmt"
+	"strings"
+
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -13,7 +15,6 @@ import (
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
-	"strings"
 )
 
 type ServiceBackendConfig struct {
@@ -141,7 +142,7 @@ func serviceLoader(ctx context.Context, k8sClient client.Client, routeIdentifier
 
 	// Check for reference grant when performing cross namespace gateway -> route attachment
 	if svcNamespace != routeIdentifier.Namespace {
-		allowed, err := referenceGrantCheck(ctx, k8sClient, serviceKind, svcIdentifier, routeIdentifier, routeKind)
+		allowed, err := referenceGrantCheck(ctx, k8sClient, serviceKind, coreAPIGroup, svcIdentifier, routeIdentifier, routeKind, gatewayAPIGroup)
 		if err != nil {
 			// Currently, this API only fails for a k8s related error message, hence no status update + make the error fatal.
 			return nil, nil, errors.Wrapf(err, "Unable to perform reference grant check")