diff --git a/internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml b/internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml index c811fe72943..862ab81c593 100644 --- a/internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml @@ -19,6 +19,11 @@ backendTLSPolicies: kind: Gateway name: eg conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go index 812648ce05a..24769d8c4ba 100644 --- a/internal/gatewayapi/backendtlspolicy.go +++ b/internal/gatewayapi/backendtlspolicy.go @@ -6,9 +6,11 @@ package gatewayapi import ( + "errors" "fmt" "reflect" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/utils/ptr" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" @@ -19,6 +21,8 @@ import ( "github.com/envoyproxy/gateway/internal/ir" ) +var ErrBackendTLSPolicyInvalidKind = fmt.Errorf("no CA bundle found in referenced ConfigMap, Secret, or ClusterTrustBundle") + // ProcessBackendTLSPolicyStatus is called to post-process Backend TLS Policy status // after they were applied in all relevant translations. func (t *Translator) ProcessBackendTLSPolicyStatus(btlsp []*gwapiv1.BackendTLSPolicy) { 
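Review bot: `ErrBackendTLSPolicyInvalidKind` is a sentinel with no format verbs, so it should be built with `errors.New` rather than `fmt.Errorf` (the import hunk above already brings in `errors`), and as an exported identifier it needs a doc comment, e.g. `// ErrBackendTLSPolicyInvalidKind is returned when none of the referenced objects yielded a CA bundle.` The name says "invalid kind" while the message says "no CA bundle found"; one of the two should change so that callers checking `errors.Is` know exactly which condition the error reports.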
@@ -158,14 +162,42 @@ func (t *Translator) processBackendTLSPolicy(
 	ancestorRefs = append(ancestorRefs, &parent)
 	if err != nil {
-		status.SetTranslationErrorForPolicyAncestors(&policy.Status,
+		status.SetConditionForPolicyAncestors(&policy.Status,
 			ancestorRefs,
 			t.GatewayControllerName,
+			gwapiv1.PolicyConditionAccepted,
+			metav1.ConditionFalse,
+			gwapiv1.BackendTLSPolicyReasonNoValidCACertificate,
+			status.Error2ConditionMsg(err),
 			policy.Generation,
+		)
+
+		reason := gwapiv1.BackendTLSPolicyReasonInvalidCACertificateRef
+		if errors.Is(err, ErrBackendTLSPolicyInvalidKind) {
+			reason = gwapiv1.BackendTLSPolicyReasonInvalidKind
+		}
+
+		status.SetConditionForPolicyAncestors(&policy.Status,
+			ancestorRefs,
+			t.GatewayControllerName,
+			gwapiv1.BackendTLSPolicyConditionResolvedRefs,
+			metav1.ConditionFalse,
+			reason,
 			status.Error2ConditionMsg(err),
+			policy.Generation,
 		)
+
 		return nil, err
 	}
 
+	status.SetConditionForPolicyAncestors(&policy.Status,
+		ancestorRefs,
+		t.GatewayControllerName,
+		gwapiv1.BackendTLSPolicyConditionResolvedRefs,
+		metav1.ConditionTrue,
+		gwapiv1.BackendTLSPolicyReasonResolvedRefs,
+		"Resolved all the Object references.",
+		policy.Generation,
+	)
 	status.SetAcceptedForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName, policy.Generation)
 	return tlsBundle, nil
 }
@@ -345,7 +377,7 @@ func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObject
 	}
 
 	if ca == "" {
-		return nil, fmt.Errorf("no ca found in referred ConfigMap or Secret")
+		return nil, ErrBackendTLSPolicyInvalidKind
 	}
 	return []byte(ca), nil
 }
diff --git a/internal/gatewayapi/conformance/suite.go b/internal/gatewayapi/conformance/suite.go
index d55db04dd4a..588685bb83e 100644
--- a/internal/gatewayapi/conformance/suite.go
+++ b/internal/gatewayapi/conformance/suite.go
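Review bot: The `errors.Is(err, ErrBackendTLSPolicyInvalidKind)` check only matches if the error from `getCaCertsFromCARefs` reaches `processBackendTLSPolicy` unwrapped or wrapped with `%w`; the call chain between them is outside this hunk, so please confirm no intermediate layer rebuilds the error with `%v` or a fresh message. The sentinel is returned from the `if ca == ""` branch in the second hunk, which as far as is visible also fires when a supported kind is referenced but the object carries no CA data; that case would then be reported as `InvalidKind` instead of `InvalidCACertificateRef`, so the unsupported-kind check and the empty-bundle check should probably yield distinct errors. The Accepted condition likewise uses `BackendTLSPolicyReasonNoValidCACertificate` for every `err` reaching this branch, which is only right if all such errors are CA-resolution failures. The enclosing function starts outside the hunk.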
@@ -14,34 +14,20 @@ import (
 // SkipTests is a list of tests that are skipped in the conformance suite.
 func SkipTests(gatewayNamespaceMode bool) []suite.ConformanceTest {
-	if gatewayNamespaceMode {
-		return []suite.ConformanceTest{
-			tests.GatewayStaticAddresses,
-
-			tests.BackendTLSPolicyInvalidCACertificateRef,
-			tests.BackendTLSPolicyInvalidKind,
-			tests.BackendTLSPolicySANValidation,
-			tests.BackendTLSPolicyConflictResolution,
-			tests.BackendTLSPolicy,
-			tests.BackendTLSPolicyObservedGenerationBump,
-			tests.TLSRouteInvalidReferenceGrant,
-			tests.TLSRouteSimpleSameNamespace,
-		}
-	}
-
-	return []suite.ConformanceTest{
+	skipTests := []suite.ConformanceTest{
 		tests.GatewayStaticAddresses,
-		tests.GatewayInfrastructure,
-		tests.BackendTLSPolicyInvalidCACertificateRef,
-		tests.BackendTLSPolicyInvalidKind,
-		tests.BackendTLSPolicySANValidation,
+		// TODO: fix me
 		tests.BackendTLSPolicyConflictResolution,
-		tests.BackendTLSPolicy,
-		tests.BackendTLSPolicyObservedGenerationBump,
-		tests.TLSRouteInvalidReferenceGrant,
-		tests.TLSRouteSimpleSameNamespace,
 	}
+
+	if gatewayNamespaceMode {
+		return skipTests
+	}
+
+	skipTests = append(skipTests, tests.GatewayInfrastructure)
+
+	return skipTests
 }
 
 // SkipFeatures is a list of features that are skipped in the conformance report.
diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go
index 6b7eb38329a..2dc143aa1f2 100644
--- a/internal/gatewayapi/route.go
+++ b/internal/gatewayapi/route.go
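Review bot: The `// TODO: fix me` above `tests.BackendTLSPolicyConflictResolution` gives no reason or tracking reference, so a reader cannot tell whether the skip is a known conformance gap or a flaky test; suggest `// TODO: BackendTLSPolicyConflictResolution still fails in both modes; tracked in <ISSUE-PLACEHOLDER>` with the actual failure mode filled in. Since the other BackendTLSPolicy and TLSRoute tests now run in both modes, the `SkipTests` doc comment could also state that only the conflict-resolution case remains excluded.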
@@ -1598,6 +1598,25 @@ func (t *Translator) processDestination(name string, backendRefContext BackendRe
 
 	protocol := inspectAppProtocolByRouteKind(routeType)
 
+	// Process BackendTLSPolicy first to ensure status is set.
+	tls, tlsErr := t.applyBackendTLSSetting(
+		backendRef.BackendObjectReference,
+		backendNamespace,
+		gwapiv1.ParentReference{
+			Group:       parentRef.Group,
+			Kind:        parentRef.Kind,
+			Namespace:   parentRef.Namespace,
+			Name:        parentRef.Name,
+			SectionName: parentRef.SectionName,
+			Port:        parentRef.Port,
+		},
+		resources,
+		envoyProxy,
+	)
+	if tlsErr != nil {
+		return nil, nil, status.NewRouteStatusError(tlsErr, status.RouteReasonInvalidBackendTLS)
+	}
+
 	switch KindDerefOr(backendRef.Kind, resource.KindService) {
 	case resource.KindServiceImport:
 		ds, err = t.processServiceImportDestinationSetting(name, backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy)
@@ -1612,7 +1631,6 @@ func (t *Translator) processDestination(name string, backendRefContext BackendRe
 		svc := resources.GetService(backendNamespace, string(backendRef.Name))
 		ds.IPFamily = getServiceIPFamily(svc)
 		ds.PreferLocal = processPreferLocalZone(svc)
-
 	case egv1a1.KindBackend:
 		ds = t.processBackendDestinationSetting(name, backendRef.BackendObjectReference, backendNamespace, protocol, resources)
 	default:
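Review bot: Moving `applyBackendTLSSetting` ahead of the kind switch changes error precedence: a backendRef whose kind is rejected by the `default:` branch but which also has an unresolvable BackendTLSPolicy now returns `RouteReasonInvalidBackendTLS` instead of the kind error, and the TLS lookup runs even for kinds that are then rejected. If that is intended, the comment should say so, e.g. `// Resolve the BackendTLSPolicy before the backend itself so the policy's status is written even when the backend cannot be resolved; a TLS error takes precedence over a backend-kind error.` `processDestination` starts and ends outside the hunk, and the matching `ds.TLS = tls` assignment lives in the following hunk.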
@@ -1640,24 +1658,7 @@ func (t *Translator) processDestination(name string, backendRefContext BackendRe } } - var tlsErr error - ds.TLS, tlsErr = t.applyBackendTLSSetting( - backendRef.BackendObjectReference, - backendNamespace, - gwapiv1.ParentReference{ - Group: parentRef.Group, - Kind: parentRef.Kind, - Namespace: parentRef.Namespace, - Name: parentRef.Name, - SectionName: parentRef.SectionName, - Port: parentRef.Port, - }, - resources, - envoyProxy, - ) - if tlsErr != nil { - return nil, nil, status.NewRouteStatusError(tlsErr, status.RouteReasonInvalidBackendTLS) - } + ds.TLS = tls var filtersErr error ds.Filters, filtersErr = t.processDestinationFilters(routeType, backendRefContext, parentRef, route, resources) diff --git a/internal/gatewayapi/testdata/backend-tls-settings-invalid.out.yaml b/internal/gatewayapi/testdata/backend-tls-settings-invalid.out.yaml index 339c8a7ed7e..d4fd15c115e 100644 --- a/internal/gatewayapi/testdata/backend-tls-settings-invalid.out.yaml +++ b/internal/gatewayapi/testdata/backend-tls-settings-invalid.out.yaml @@ -26,6 +26,11 @@ backendTLSPolicies: name: gateway-1 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/backend-tls-settings.out.yaml b/internal/gatewayapi/testdata/backend-tls-settings.out.yaml index f52cf1e41ef..bd8ba2b64f1 100644 --- a/internal/gatewayapi/testdata/backend-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/backend-tls-settings.out.yaml @@ -23,6 +23,11 @@ backendTLSPolicies: name: gateway-1 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted 
@@ -48,6 +53,11 @@ backendTLSPolicies: name: gateway-1 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -74,6 +84,11 @@ backendTLSPolicies: name: gateway-1 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/backend-with-auto-san-sni.out.yaml b/internal/gatewayapi/testdata/backend-with-auto-san-sni.out.yaml index f44f583f858..497dc002b18 100644 --- a/internal/gatewayapi/testdata/backend-with-auto-san-sni.out.yaml +++ b/internal/gatewayapi/testdata/backend-with-auto-san-sni.out.yaml @@ -30,6 +30,11 @@ backendTLSPolicies: namespace: envoy-gateway sectionName: http conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/backend-with-skip-tls-verify.out.yaml b/internal/gatewayapi/testdata/backend-with-skip-tls-verify.out.yaml index 7d23ac63db7..6de04e535ab 100644 --- a/internal/gatewayapi/testdata/backend-with-skip-tls-verify.out.yaml +++ b/internal/gatewayapi/testdata/backend-with-skip-tls-verify.out.yaml @@ -22,6 +22,11 @@ backendTLSPolicies: namespace: envoy-gateway sectionName: http conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted 
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-clustertrustbundle.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-clustertrustbundle.out.yaml index 249f5c57bd0..97f2675e33c 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-clustertrustbundle.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-clustertrustbundle.out.yaml @@ -23,6 +23,11 @@ backendTLSPolicies: namespace: envoy-gateway sectionName: http conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml index b555436b112..a6b5e4d8c8c 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml @@ -23,6 +23,11 @@ backendTLSPolicies: namespace: envoy-gateway sectionName: http conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml index 37ffc4b7ade..3fd05f7df24 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml @@ -23,6 +23,11 @@ backendTLSPolicies: namespace: envoy-gateway sectionName: http conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted 
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml index 3255819436c..3310c68babb 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml @@ -26,6 +26,11 @@ backendTLSPolicies: namespace: envoy-gateway sectionName: http conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -37,6 +42,11 @@ backendTLSPolicies: namespace: envoy-gateway sectionName: http conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml index fe57781d15c..e8bfb01faa7 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml @@ -23,6 +23,11 @@ backendTLSPolicies: namespace: envoy-gateway sectionName: http conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -52,6 +57,11 @@ backendTLSPolicies: namespace: envoy-gateway sectionName: http conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted 
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml index 9352e1a47ee..8dedad27094 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml @@ -33,6 +33,9 @@ httpRoutes: - name: http-backend namespace: backends port: 8080 + - name: http-backend2 + namespace: backends + port: 8080 referenceGrants: - apiVersion: gateway.networking.k8s.io/v1alpha2 @@ -65,6 +68,18 @@ services: name: http protocol: TCP targetPort: 8080 + - apiVersion: v1 + kind: Service + metadata: + name: http-backend2 + namespace: backends + spec: + clusterIP: 10.11.13.13 + ports: + - port: 8080 + name: http + protocol: TCP + targetPort: 8080 endpointSlices: - apiVersion: discovery.k8s.io/v1 @@ -84,6 +99,23 @@ endpointSlices: - "10.244.0.11" conditions: ready: true + - apiVersion: discovery.k8s.io/v1 + kind: EndpointSlice + metadata: + name: endpointslice-http-backend2 + namespace: backends + labels: + kubernetes.io/service-name: http-backend2 + addressType: IPv4 + ports: + - name: http + protocol: TCP + port: 8080 + endpoints: + - addresses: + - "10.244.1.11" + conditions: + ready: true backendTLSPolicies: - apiVersion: gateway.networking.k8s.io/v1alpha2 kind: BackendTLSPolicy @@ -102,3 +134,20 @@ backendTLSPolicies: group: "" kind: ConfigMap hostname: example.com + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + name: policy-invalid-kind + namespace: backends + spec: + targetRefs: + - group: "" + kind: Service + name: http-backend2 + sectionName: http + validation: + caCertificateRefs: + - name: invalid-kind + group: "" + kind: InvalidKind + hostname: example.com diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml index 76394fa4ef1..e932a38ce00 100644 
--- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml @@ -25,9 +25,49 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap no-ca-cmap not found in namespace backends. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap no-ca-cmap not found in namespace backends. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + name: policy-invalid-kind + namespace: backends + spec: + targetRefs: + - group: "" + kind: Service + name: http-backend2 + sectionName: http + validation: + caCertificateRefs: + - group: "" + kind: InvalidKind + name: invalid-kind + hostname: example.com + status: + ancestors: + - ancestorRef: + name: gateway-btls + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: No CA bundle found in referenced ConfigMap, Secret, or ClusterTrustBundle. + reason: NoValidCACertificate + status: "False" + type: Accepted + - lastTransitionTime: null + message: No CA bundle found in referenced ConfigMap, Secret, or ClusterTrustBundle. + reason: InvalidKind + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller gateways: - apiVersion: gateway.networking.k8s.io/v1 @@ -85,6 +125,9 @@ httpRoutes: - name: http-backend namespace: backends port: 8080 + - name: http-backend2 + namespace: backends + port: 8080 matches: - path: type: Exact 
@@ -98,8 +141,9 @@ httpRoutes: status: "True" type: Accepted - lastTransitionTime: null - message: 'Failed to process route rule 0 backendRef 0: configmap no-ca-cmap - not found in namespace backends.' + message: |- + Failed to process route rule 0 backendRef 0: configmap no-ca-cmap not found in namespace backends. + Failed to process route rule 0 backendRef 1: no CA bundle found in referenced ConfigMap, Secret, or ClusterTrustBundle. reason: InvalidBackendTLS status: "False" type: ResolvedRefs diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml index 55bd867223c..999f5698cdf 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml @@ -27,6 +27,11 @@ backendTLSPolicies: namespace: envoy-gateway sectionName: http conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/backendtlspolicy-serviceimport-target.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-serviceimport-target.out.yaml index fa469495a82..d8f516d3392 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-serviceimport-target.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-serviceimport-target.out.yaml @@ -24,6 +24,11 @@ backendTLSPolicies: namespace: envoy-gateway sectionName: http conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted 
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-status-conditions-truncated.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-status-conditions-truncated.out.yaml index 7270cfbe348..7a090f870be 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-status-conditions-truncated.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-status-conditions-truncated.out.yaml @@ -22,6 +22,11 @@ backendTLSPolicies: name: gateway-1 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -32,6 +37,11 @@ backendTLSPolicies: name: gateway-10 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -42,6 +52,11 @@ backendTLSPolicies: name: gateway-11 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -52,6 +67,11 @@ backendTLSPolicies: name: gateway-12 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -62,6 +82,11 @@ backendTLSPolicies: name: gateway-13 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted 
@@ -72,6 +97,11 @@ backendTLSPolicies: name: gateway-14 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -82,6 +112,11 @@ backendTLSPolicies: name: gateway-15 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -92,6 +127,11 @@ backendTLSPolicies: name: gateway-16 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -102,6 +142,11 @@ backendTLSPolicies: name: gateway-17 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -112,6 +157,11 @@ backendTLSPolicies: name: gateway-18 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -122,6 +172,11 @@ backendTLSPolicies: name: gateway-2 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted 
@@ -132,6 +187,11 @@ backendTLSPolicies: name: gateway-3 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -142,6 +202,11 @@ backendTLSPolicies: name: gateway-4 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -152,6 +217,11 @@ backendTLSPolicies: name: gateway-5 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -162,6 +232,11 @@ backendTLSPolicies: name: gateway-6 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -172,6 +247,11 @@ backendTLSPolicies: name: gateway-7 namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted 
@@ -209,9 +289,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-10 @@ -219,9 +304,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-11 @@ -229,9 +319,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-12 @@ -239,9 +334,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-13 
@@ -249,9 +349,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-14 @@ -259,9 +364,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-15 @@ -269,9 +379,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-16 @@ -279,9 +394,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-17 
@@ -289,9 +409,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-18 @@ -299,9 +424,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-2 @@ -309,9 +439,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-3 @@ -319,9 +454,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-4 
@@ -329,9 +469,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-5 @@ -339,9 +484,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-6 @@ -349,9 +499,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller - ancestorRef: name: gateway-7 
@@ -359,9 +514,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-not-found not found in namespace envoy-gateway. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-not-found not found in namespace envoy-gateway. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs - lastTransitionTime: null message: Ancestors have been truncated because the number of policy ancestors exceeds 16. diff --git a/internal/gatewayapi/testdata/backendtlspolicy-subjectaltnames.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-subjectaltnames.out.yaml index 6587ea4957e..4f630fc081b 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-subjectaltnames.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-subjectaltnames.out.yaml @@ -28,6 +28,11 @@ backendTLSPolicies: namespace: envoy-gateway sectionName: http conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml index 5ec61858e78..4b03c994ac6 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml @@ -20,6 +20,11 @@ backendTLSPolicies: namespace: envoy-gateway sectionName: http conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted 
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml index f58bf26e41c..72a7bbde2ef 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml @@ -24,6 +24,11 @@ backendTLSPolicies: name: policy-for-gateway namespace: default conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -57,9 +62,14 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Configmap ca-cmap not found in namespace default. - reason: Invalid + reason: NoValidCACertificate status: "False" type: Accepted + - lastTransitionTime: null + message: Configmap ca-cmap not found in namespace default. + reason: InvalidCACertificateRef + status: "False" + type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller envoyExtensionPolicies: - apiVersion: gateway.envoyproxy.io/v1alpha1 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml index c00c403679d..e38f08cf5e1 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml 
@@ -24,6 +24,11 @@ backendTLSPolicies: name: policy-for-http-route namespace: default conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -54,6 +59,11 @@ backendTLSPolicies: name: policy-for-http-route namespace: default conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-retries.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-retries.out.yaml index fd24cdf44e1..49eb923bc4d 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-retries.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-retries.out.yaml @@ -24,6 +24,11 @@ backendTLSPolicies: name: policy-for-http-route namespace: default conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -54,6 +59,11 @@ backendTLSPolicies: name: policy-for-http-route namespace: default conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml index 6ad70fea71d..313bb1b14bc 100644 
--- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml @@ -24,6 +24,11 @@ backendTLSPolicies: name: policy-for-http-route namespace: default conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -54,6 +59,11 @@ backendTLSPolicies: name: policy-for-http-route namespace: default conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml index 9fd0470b2e7..86faf7f1e69 100644 --- a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml @@ -24,6 +24,11 @@ backendTLSPolicies: name: policy-for-http-route namespace: default conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -54,6 +59,11 @@ backendTLSPolicies: name: policy-for-http-route namespace: default conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml index d58d4390a01..ccf5d21b6f5 100644 
--- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml @@ -18,6 +18,11 @@ backendTLSPolicies: name: gateway-tls namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml index fdd7a0841c6..5a34dbf42c7 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml @@ -18,6 +18,11 @@ backendTLSPolicies: name: gateway-tls namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml index 5cbfdc32226..224f3037d17 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml @@ -18,6 +18,11 @@ backendTLSPolicies: name: gateway-tls namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml index e2ad6aa3d07..beddbe6e446 100644 
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml @@ -24,6 +24,11 @@ backendTLSPolicies: name: policy-for-gateway namespace: default conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted @@ -55,6 +60,11 @@ backendTLSPolicies: name: policy-for-http-route namespace: default conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-backendcluster.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-backendcluster.out.yaml index bd90643696f..ad87f2ead96 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-backendcluster.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-backendcluster.out.yaml @@ -23,6 +23,11 @@ backendTLSPolicies: name: policy-for-route namespace: default conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-serviceimport.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-serviceimport.out.yaml index 9d29637b3f4..28eab19759e 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-serviceimport.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-serviceimport.out.yaml 
@@ -24,6 +24,11 @@ backendTLSPolicies: name: policy-for-route namespace: default conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml index 8fa81fc2035..1278cc27a60 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml @@ -23,6 +23,11 @@ backendTLSPolicies: name: policy-for-gateway namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-serviceimport.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-serviceimport.out.yaml index e4affddf2e4..a5886bd2da5 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-serviceimport.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-serviceimport.out.yaml @@ -24,6 +24,11 @@ backendTLSPolicies: name: policy-for-gateway namespace: envoy-gateway conditions: + - lastTransitionTime: null + message: Resolved all the Object references. + reason: ResolvedRefs + status: "True" + type: ResolvedRefs - lastTransitionTime: null message: Policy has been accepted. reason: Accepted diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-tls-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-tls-settings.clusters.yaml index a50137304e8..d425625f02d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-tls-settings.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/backend-tls-settings.clusters.yaml @@ -45,9 +45,6 @@ combinedValidationContext: defaultValidationContext: matchTypedSubjectAltNames: - - matcher: - exact: example.com - sanType: DNS - matcher: exact: spiffe://cluster.local/ns/istio-demo/sa/echo-v1 sanType: URI diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml index ac3d627aac3..ba7a90c3590 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml @@ -38,9 +38,6 @@ combinedValidationContext: defaultValidationContext: matchTypedSubjectAltNames: - - matcher: - exact: example.com - sanType: DNS - matcher: exact: spiffe://cluster.local/ns/istio-demo/sa/echo-v1 sanType: URI diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 606240efa75..38c2c2836ac 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -1177,7 +1177,10 @@ func buildValidationContext(tlsConfig *ir.TLSUpstreamConfig) (*tlsv3.CommonTlsCo } hasSANValidations := false - if tlsConfig.SNI != nil { + // 3. If SubjectAltNames are specified, Hostname can be used for certificate selection + // but MUST NOT be used for authentication. If you want to use the value + // of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + if tlsConfig.SNI != nil && len(tlsConfig.SubjectAltNames) == 0 { validationContext.DefaultValidationContext.MatchTypedSubjectAltNames = []*tlsv3.SubjectAltNameMatcher{ { SanType: tlsv3.SubjectAltNameMatcher_DNS, diff --git a/test/e2e/tests/utils.go b/test/e2e/tests/utils.go index beca0666db1..c15e13bce12 100644 --- a/test/e2e/tests/utils.go +++ b/test/e2e/tests/utils.go 
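Review bot: The new `tlsConfig.SNI != nil && len(tlsConfig.SubjectAltNames) == 0` condition is a behaviour change for every existing BackendTLSPolicy that sets both Hostname and SubjectAltNames: the hostname is no longer an accepted SAN for the upstream certificate, and the two xds testdata hunks above this one (`backend-tls-settings.clusters.yaml`, `http-route-with-tlsbundle.clusters.yaml`) show the `example.com` DNS matcher disappearing accordingly. That is what the Gateway API text requires, but the added comment starts at "3." with no visible source, so I would name it, e.g. `// Gateway API BackendTLSPolicy SubjectAltNames docs, rule 3: if SubjectAltNames are specified, Hostname ...`, and call the tightening out in the release notes so operators do not read the resulting TLS handshake failures as a regression. Because `hasSANValidations` now stays false in this branch whenever SubjectAltNames is non-empty, the code that applies SubjectAltNames must set it itself; if it does not, a policy whose SubjectAltNames produce no matcher would end up with no SAN verification at all — worth confirming, since buildValidationContext begins before and continues after this hunk.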
@@ -623,6 +623,11 @@ type LokiQueryResponse struct { // CollectAndDump collects and dumps the cluster data for troubleshooting and log. // This function should be call within t.Cleanup. func CollectAndDump(t *testing.T, rest *rest.Config) { + if os.Getenv("ACTIONS_STEP_DEBUG") != "true" { + tlog.Logf(t, "Skipping collecting and dumping cluster data, set ACTIONS_STEP_DEBUG=true to enable it") + return + } + dumpedNamespaces := []string{"envoy-gateway-system"} if IsGatewayNamespaceMode() { dumpedNamespaces = append(dumpedNamespaces, ConformanceInfraNamespace) @@ -632,15 +637,6 @@ func CollectAndDump(t *testing.T, rest *rest.Config) { tb.WithCollectedNamespaces(dumpedNamespaces), } - if os.Getenv("ACTIONS_STEP_DEBUG") != "true" { - // don't collector metrics, pod logs and config dumps when ACTIONS_STEP_DEBUG is false - opts = append(opts, - tb.DisableCollector(tb.CollectorTypePrometheusMetrics), - tb.DisableCollector(tb.CollectorTypePodLogs), - tb.DisableCollector(tb.CollectorTypeConfigDump), - ) - } - result, _ := tb.CollectResult(t.Context(), rest, opts...) for r, data := range result { tlog.Logf(t, "\nfilename: %s", r) diff --git a/tools/make/kube.mk b/tools/make/kube.mk index 47d75ee0b15..59034075dcf 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -29,8 +29,6 @@ BENCHMARK_REPORT_DIR ?= benchmark_report # Disable PNG rendering by default to speed up CI BENCHMARK_RENDER_PNG ?= false -CONFORMANCE_RUN_TEST ?= - E2E_RUN_TEST ?= E2E_CLEANUP ?= true E2E_TIMEOUT ?= 20m @@ -38,6 +36,10 @@ E2E_TIMEOUT ?= 20m E2E_REDIRECT ?= E2E_TEST_ARGS ?= -v -tags e2e -timeout $(E2E_TIMEOUT) +CONFORMANCE_RUN_TEST ?= +CONFORMANCE_TEST_ARGS ?= -v -tags conformance -timeout $(E2E_TIMEOUT) +EXPERIMENTAL_CONFORMANCE_TEST_ARGS ?= -v -tags experimental -timeout $(E2E_TIMEOUT) + DOCKER_MAC_NET_CONNECT ?= true HOMEBREW_GOPROXY ?= 
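Review bot: The early `return` on `ACTIONS_STEP_DEBUG != "true"` changes the default from "collect everything except metrics, pod logs and config dumps" to "collect nothing", but the doc comment on CollectAndDump two lines above it still describes an unconditional dump; I would update it to `// CollectAndDump collects and dumps the cluster data for troubleshooting; it is a no-op unless ACTIONS_STEP_DEBUG=true.` Separately, the same comment says this function should be called within t.Cleanup, while the second hunk keeps passing `t.Context()` to `tb.CollectResult`; in Go 1.24 that context is cancelled just before Cleanup functions run, so when debugging is enabled the collection presumably fails immediately and the error is discarded by `result, _ :=` — consider `context.Background()` with an explicit timeout there, or at least logging the error. The body of CollectAndDump continues past the end of the second hunk.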
@@ -318,9 +320,9 @@ run-conformance: prepare-ip-family ## Run Gateway API conformance. kubectl wait --timeout=$(WAIT_TIMEOUT) -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available kubectl apply -f test/config/gatewayclass.yaml ifeq ($(CONFORMANCE_RUN_TEST),) - go test -v -tags conformance ./test/conformance --gateway-class=envoy-gateway --debug=true + go test $(CONFORMANCE_TEST_ARGS) ./test/conformance --gateway-class=envoy-gateway --debug=true $(E2E_REDIRECT) else - go test -v -tags conformance ./test/conformance --gateway-class=envoy-gateway --debug=true --run-test $(CONFORMANCE_RUN_TEST) + go test $(CONFORMANCE_TEST_ARGS) ./test/conformance --gateway-class=envoy-gateway --debug=true --run-test $(CONFORMANCE_RUN_TEST) $(E2E_REDIRECT) endif CONFORMANCE_REPORT_PATH ?= 
@@ -331,13 +333,13 @@ run-experimental-conformance: prepare-ip-family ## Run Experimental Gateway API kubectl wait --timeout=$(WAIT_TIMEOUT) -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available kubectl apply -f test/config/gatewayclass.yaml ifeq ($(CONFORMANCE_RUN_TEST),) - go test -v -tags experimental ./test/conformance -run TestExperimentalConformance --gateway-class=envoy-gateway --debug=true \ + go test $(EXPERIMENTAL_CONFORMANCE_TEST_ARGS) ./test/conformance -run TestExperimentalConformance --gateway-class=envoy-gateway --debug=true \ --organization=envoyproxy --project=envoy-gateway --url=https://github.com/envoyproxy/gateway --version=latest \ --report-output="$(CONFORMANCE_REPORT_PATH)" --contact=https://github.com/envoyproxy/gateway/blob/main/GOVERNANCE.md \ --mode="$(KUBE_DEPLOY_PROFILE)" --version=$(TAG) else # we didn't care about output when running single test - go test -v -tags experimental ./test/conformance -run TestExperimentalConformance --gateway-class=envoy-gateway --debug=true --run-test $(CONFORMANCE_RUN_TEST) + go test $(EXPERIMENTAL_CONFORMANCE_TEST_ARGS) ./test/conformance -run TestExperimentalConformance --gateway-class=envoy-gateway --debug=true --run-test $(CONFORMANCE_RUN_TEST) endif
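Review bot: Neither `go test` invocation in run-experimental-conformance gets `$(E2E_REDIRECT)`, whereas both invocations in run-conformance in the previous hunk now do; unless the omission is intentional, the multi-line recipe should end with `--mode="$(KUBE_DEPLOY_PROFILE)" --version=$(TAG) $(E2E_REDIRECT)` and the single-test line with `... --run-test $(CONFORMANCE_RUN_TEST) $(E2E_REDIRECT)`. As a smaller point of style, `-run TestExperimentalConformance` and `--debug=true` remain hard-coded in the recipe while the tags and timeout moved into `EXPERIMENTAL_CONFORMANCE_TEST_ARGS`; folding `-run TestExperimentalConformance` into that variable would make the two conformance targets read the same way.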