feat(gateway) restrict listeners to type

When looking for a supported gateway, only check the listeners whose protocol matches the route type.
Kong · Apr 4, 2022 · 9640a39 · 9640a39
1 parent ef24245
commit 9640a39
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 28 deletions.
diff --git a/internal/controllers/gateway/route_utils.go b/internal/controllers/gateway/route_utils.go
@@ -90,8 +90,28 @@ func getSupportedGatewayForRoute(ctx context.Context, mgrc client.Client, obj cl
 			// set true if we find any AllowedRoutes. there may be none, in which case any namespace is permitted
 			filtered := false
 			for _, listener := range gateway.Spec.Listeners {
+				// Only match if the listener type matches the protocol type
+				switch obj.(type) {
+				case *gatewayv1alpha2.HTTPRoute:
+					if !(listener.Protocol == gatewayv1alpha2.HTTPProtocolType || listener.Protocol == gatewayv1alpha2.HTTPSProtocolType) {
+						continue
+					}
+				case *gatewayv1alpha2.TCPRoute:
+					if listener.Protocol != gatewayv1alpha2.TCPProtocolType {
+						continue
+					}
+				case *gatewayv1alpha2.UDPRoute:
+					if listener.Protocol != gatewayv1alpha2.UDPProtocolType {
+						continue
+					}
+				case *gatewayv1alpha2.TLSRoute:
+					if listener.Protocol != gatewayv1alpha2.TLSProtocolType {
+						continue
+					}
+				default:
+					continue
+				}
 				if listener.AllowedRoutes != nil {
-					// TODO NS need to filter by kinds per https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.AllowedRoutes
 					filtered = true
 					if *listener.AllowedRoutes.Namespaces.From == gatewayv1alpha2.NamespacesFromAll {
 						// we allow "all" by just stuffing the namespace we want to find into the map

diff --git a/test/integration/gateway_test.go b/test/integration/gateway_test.go
@@ -453,16 +453,28 @@ func TestGatewayFilters(t *testing.T) {
 		},
 		Spec: gatewayv1alpha2.GatewaySpec{
 			GatewayClassName: gatewayv1alpha2.ObjectName(gwc.Name),
-			Listeners: []gatewayv1alpha2.Listener{{
-				Name:     "http",
-				Protocol: gatewayv1alpha2.HTTPProtocolType,
-				Port:     gatewayv1alpha2.PortNumber(80),
-				AllowedRoutes: &gatewayv1alpha2.AllowedRoutes{
-					Namespaces: &gatewayv1alpha2.RouteNamespaces{
-						From: &fromAll,
+			Listeners: []gatewayv1alpha2.Listener{
+				{
+					Name:     "http",
+					Protocol: gatewayv1alpha2.HTTPProtocolType,
+					Port:     gatewayv1alpha2.PortNumber(80),
+					AllowedRoutes: &gatewayv1alpha2.AllowedRoutes{
+						Namespaces: &gatewayv1alpha2.RouteNamespaces{
+							From: &fromAll,
+						},
 					},
 				},
-			}},
+				{
+					Name:     "https",
+					Protocol: gatewayv1alpha2.HTTPSProtocolType,
+					Port:     gatewayv1alpha2.PortNumber(443),
+					AllowedRoutes: &gatewayv1alpha2.AllowedRoutes{
+						Namespaces: &gatewayv1alpha2.RouteNamespaces{
+							From: &fromAll,
+						},
+					},
+				},
+			},
 		},
 	}
 	gw, err = c.GatewayV1alpha2().Gateways(ns.Name).Create(ctx, gw, metav1.CreateOptions{})
@@ -592,16 +604,28 @@ func TestGatewayFilters(t *testing.T) {
 	t.Log("changing to the same namespace filter")
 	gw, err = c.GatewayV1alpha2().Gateways(ns.Name).Get(ctx, gw.Name, metav1.GetOptions{})
 	require.NoError(t, err)
-	gw.Spec.Listeners = []gatewayv1alpha2.Listener{{
-		Name:     "http",
-		Protocol: gatewayv1alpha2.HTTPProtocolType,
-		Port:     gatewayv1alpha2.PortNumber(80),
-		AllowedRoutes: &gatewayv1alpha2.AllowedRoutes{
-			Namespaces: &gatewayv1alpha2.RouteNamespaces{
-				From: &fromSame,
+	gw.Spec.Listeners = []gatewayv1alpha2.Listener{
+		{
+			Name:     "http",
+			Protocol: gatewayv1alpha2.HTTPProtocolType,
+			Port:     gatewayv1alpha2.PortNumber(80),
+			AllowedRoutes: &gatewayv1alpha2.AllowedRoutes{
+				Namespaces: &gatewayv1alpha2.RouteNamespaces{
+					From: &fromSame,
+				},
 			},
 		},
-	}}
+		{
+			Name:     "https",
+			Protocol: gatewayv1alpha2.HTTPSProtocolType,
+			Port:     gatewayv1alpha2.PortNumber(443),
+			AllowedRoutes: &gatewayv1alpha2.AllowedRoutes{
+				Namespaces: &gatewayv1alpha2.RouteNamespaces{
+					From: &fromSame,
+				},
+			},
+		},
+	}
 	_, err = c.GatewayV1alpha2().Gateways(ns.Name).Update(ctx, gw, metav1.UpdateOptions{})
 	require.NoError(t, err)
 
@@ -614,21 +638,38 @@ func TestGatewayFilters(t *testing.T) {
 	gw, err = c.GatewayV1alpha2().Gateways(ns.Name).Get(ctx, gw.Name, metav1.GetOptions{})
 	require.NoError(t, err)
 
-	gw.Spec.Listeners = []gatewayv1alpha2.Listener{{
-		Name:     "http",
-		Protocol: gatewayv1alpha2.HTTPProtocolType,
-		Port:     gatewayv1alpha2.PortNumber(80),
-		AllowedRoutes: &gatewayv1alpha2.AllowedRoutes{
-			Namespaces: &gatewayv1alpha2.RouteNamespaces{
-				From: &fromSelector,
-				Selector: &metav1.LabelSelector{
-					MatchLabels: map[string]string{
-						clusters.TestResourceLabel: t.Name() + "other",
+	gw.Spec.Listeners = []gatewayv1alpha2.Listener{
+		{
+			Name:     "http",
+			Protocol: gatewayv1alpha2.HTTPProtocolType,
+			Port:     gatewayv1alpha2.PortNumber(80),
+			AllowedRoutes: &gatewayv1alpha2.AllowedRoutes{
+				Namespaces: &gatewayv1alpha2.RouteNamespaces{
+					From: &fromSelector,
+					Selector: &metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							clusters.TestResourceLabel: t.Name() + "other",
+						},
 					},
 				},
 			},
 		},
-	}}
+		{
+			Name:     "https",
+			Protocol: gatewayv1alpha2.HTTPSProtocolType,
+			Port:     gatewayv1alpha2.PortNumber(443),
+			AllowedRoutes: &gatewayv1alpha2.AllowedRoutes{
+				Namespaces: &gatewayv1alpha2.RouteNamespaces{
+					From: &fromSelector,
+					Selector: &metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							clusters.TestResourceLabel: t.Name() + "other",
+						},
+					},
+				},
+			},
+		},
+	}
 
 	_, err = c.GatewayV1alpha2().Gateways(ns.Name).Update(ctx, gw, metav1.UpdateOptions{})
 	require.NoError(t, err)