internal/dag: Implement TLSRoute mode:terminate #3801
Conversation
stevesloka
added
the
release-note
stevesloka
requested review from
danehans and
sunjayBhatia
and removed request for
a team
Codecov Report
@@ Coverage Diff @@
## main #3801 +/- ##
==========================================
- Coverage 75.81% 75.78% -0.03%
==========================================
Files 107 107
Lines 7340 7344 +4
==========================================
+ Hits 5565 5566 +1
- Misses 1654 1656 +2
- Partials 121 122 +1
|
internal/dag/gatewayapi_processor.go
Outdated
| @@ -112,6 +112,14 @@ func (p *GatewayAPIProcessor) Run(dag *DAG, source *KubernetesCache) { | |||
| } | |||
| } | |||
| } | |||
| } else { | |||
There was a problem hiding this comment.
so this case now means a TLSRoute with no TLS field set defaults to terminate, though terminate without a secret doesn't really work? so can this just be an error now if you don't set TLS at all?
There was a problem hiding this comment.
/shrug The spec says that "Terminate" is the default.
There was a problem hiding this comment.
is this intended to be the code for if the mode is nil? rather than the whole TLS block is nil?
sounds like the listener should be rejected if the TLS field is not set: https://github.com/kubernetes-sigs/gateway-api/blob/17a98f6f5aaa1e7fa607c1fc974efeb915b3337c/apis/v1alpha2/gateway_types.go#L184-L197
There was a problem hiding this comment.
Essentially it is since the cert validation then fails on L118. Part of the problem with our unit tests is that we don't have the kubebuilder defaults applied. So we can create a test that doesn't specify the cert, but would get the mode applied by the api server and wouldn't pass the unit test.
There was a problem hiding this comment.
Ok I rereead the spec and at the top level it does say "This field is required if the Protocol field is “HTTPS” or “TLS” and ignored otherwise.", so that make sense. I've updated.
stevesloka
force-pushed
the
tlsRouteTerminate
branch
from
436f5dc to
1570bae
Compare
stevesloka
force-pushed
the
tlsRouteTerminate
branch
from
3aba04d to
860a144
Compare
|
This one needs a rebase now that the E2E changes have gone in |
Implements support for GatewayAPI TLSRoute mode: terminate which terminates TLS at the Gateway. Updates projectcontour#3440 Signed-off-by: Steve Sloka <slokas@vmware.com>
Signed-off-by: Steve Sloka <slokas@vmware.com>
Signed-off-by: Steve Sloka <slokas@vmware.com>
Signed-off-by: Steve Sloka <slokas@vmware.com>
Signed-off-by: Steve Sloka <slokas@vmware.com>
Signed-off-by: Steve Sloka <slokas@vmware.com>
Signed-off-by: Steve Sloka <slokas@vmware.com>
Signed-off-by: Steve Sloka <slokas@vmware.com>
Signed-off-by: Steve Sloka <slokas@vmware.com>
stevesloka
force-pushed
the
tlsRouteTerminate
branch
from
0383177 to
9dee885
Compare
|
all rebased @skriss @sunjayBhatia, please take a look! |
| }, | ||
| want: listeners(), | ||
| }, | ||
| "TLSRoute with TLS.Mode=Terminate is invalid when TLS is not defined": { |
There was a problem hiding this comment.
nit:
| "TLSRoute with TLS.Mode=Terminate is invalid when TLS is not defined": { | |
| "TLSRoute with TLS.Mode=Terminate is invalid when TLS certificate reference is not defined": { |
|
gonna merge, can fix the nit separately |
Updates projectcontour#3801. Signed-off-by: Steve Kriss <krisss@vmware.com>
Updates #3801. Signed-off-by: Steve Kriss <krisss@vmware.com>
Implements support for GatewayAPI TLSRoute mode: terminate which terminates TLS
at the Gateway.
Updates #3440
Signed-off-by: Steve Sloka slokas@vmware.com