Warn on missing TLS secret

.github/workflows/composite-actions/kubernetes-e2e-tests/action.yaml

@@ -32,10 +32,11 @@ runs:
       TEST_PKG: ./test/kubernetes/e2e/tests
       ISTIO_VERSION: ${{ inputs.istio-version }}
     shell: bash
-    run: make go-test
+    # we tee the output into a temp file and then grep through that for an overall summary of the run at the end.
+    run: 'mkdir ./_test/test_output && make go-test | tee ./_test/test_output/${{inputs.cluster-name}} || grep -E "(--- FAIL)|(--- PASS)" ./_test/test_output/${{inputs.cluster-name}}'
   - name: Archive bug report directory on failure
     if: ${{ failure() }}
     uses: actions/upload-artifact@v4
     with:
       name: bug-report-${{ inputs.cluster-name }}
-      path: ./_test/bug_report/${{ inputs.cluster-name }}
+      path: ./_test/bug_report/${{ inputs.cluster-name }}

changelog/v1.18.0-beta15/missing-tls-secret.yaml

@@ -0,0 +1,8 @@
+changelog:
+  - type: FIX
+    issueLink: https://github.com/solo-io/gloo/issues/6957
+    resolvesIssue: false
+    description: >-
+      Fix for issue where a missing TLS secret was treated by validation as an error,
+      potentially bringing down the entire HTTPS gateway if the gloo pod restarts while 
+      in this bad state.

pkg/utils/envutils/env.go

@@ -23,3 +23,23 @@ func IsTruthyValue(value string) bool {
 	envValue, _ := strconv.ParseBool(value)
 	return envValue
 }
+
+// GetOrDefault returns the value of the environment variable for the given key,
+// or the default value if the environment variable is not set.
+func GetOrDefault(key, fallback string) string {
+	if value, ok := os.LookupEnv(key); ok {
+		return value
+	}
+	return fallback
+}
+
+// LookupOrDefault returns the value of the environment variable for the given key,
+// or the default value if the environment variable is not set. Also returns whether
+// the value existed.
+func LookupOrDefault(key, fallback string) (string, bool) {
+	if value, ok := os.LookupEnv(key); ok {
+		return value, ok
+	} else {
+		return fallback, ok
+	}
+}

pkg/utils/kubeutils/kubectl/cli.go

@@ -313,6 +313,24 @@ func (c *Cli) Scale(ctx context.Context, namespace string, resource string, repl
 	return c.RunCommand(ctx, "wait", "-n", namespace, "--for=condition=available", resource, "--timeout=300s")
 }
 
+// RestartDeployment restarts a deployment. It does not wait for the deployment to be ready.
+func (c *Cli) RestartDeployment(ctx context.Context, name string, extraArgs ...string) error {
+	args := append([]string{
+		"rollout",
+		"restart",
+		fmt.Sprintf("deployment/%s", name),
+	}, extraArgs...)
+	return c.RunCommand(ctx, args...)
+}
+
+// RestartDeploymentAndWait restarts a deployment and waits for it to become healthy.
+func (c *Cli) RestartDeploymentAndWait(ctx context.Context, name string, extraArgs ...string) error {
+	if err := c.RestartDeployment(ctx, name, extraArgs...); err != nil {
+		return err
+	}
+	return c.DeploymentRolloutStatus(ctx, name, extraArgs...)
+}
+
 // GetContainerLogs retrieves the logs for the specified container
 func (c *Cli) GetContainerLogs(ctx context.Context, namespace string, name string) (string, error) {
 	stdout, stderr, err := c.Execute(ctx, "-n", namespace, "logs", name)

pkg/utils/requestutils/curl/request.go

@@ -134,9 +134,9 @@ func (c *requestConfig) generateArgs() []string {
 	var fullAddress string
 
 	if c.sni != "" {
-		sniResolution := fmt.Sprintf("%s:%d:%s", c.sni, c.port, c.host)
+		sniResolution := fmt.Sprintf("%s:%d:%s:%d", c.sni, c.port, c.host, c.port)
 		fullAddress = fmt.Sprintf("%s://%s:%d", c.scheme, c.sni, c.port)
-		args = append(args, "--resolve", sniResolution)
+		args = append(args, "--connect-to", sniResolution)
 	} else {
 		fullAddress = fmt.Sprintf("%v://%s:%v/%s", c.scheme, c.host, c.port, c.path)
 		if len(c.queryParameters) > 0 {

projects/gateway/pkg/reporting/add_proxy_validation_result.go

@@ -116,13 +116,15 @@ func AddProxyValidationResult(resourceReports reporter.ResourceReports, proxy *g
 
 func addListenerResult(resourceReports reporter.ResourceReports, listener *gloov1.Listener, listenerReport *validation.ListenerReport) error {
 	listenerErrs := getListenerLevelErrors(listenerReport)
+	listenerWarnings := getListenerLevelWarnings(listenerReport)
 
 	return translator.ForEachSource(listener, func(src translator.SourceRef) error {
 		srcResource, _ := resourceReports.Find(src.ResourceKind, &core.ResourceRef{Name: src.Name, Namespace: src.Namespace})
 		if srcResource == nil {
 			return missingReportForSourceErr
 		}
 		resourceReports.AddErrors(srcResource, listenerErrs...)
+		resourceReports.AddWarnings(srcResource, listenerWarnings...)
 		return nil
 	})
 }
@@ -180,6 +182,14 @@ func getListenerLevelErrors(listenerReport *validation.ListenerReport) []error {
 
 	return listenerErrs
 }
+func getListenerLevelWarnings(listenerReport *validation.ListenerReport) []string {
+	listenerWarnings := validationutils.GetListenerWarning(listenerReport)
+
+	// TODO(jbohanon) implement warnings on various listener types and account for them here
+	// similarly to the errors aggregation func above.
+
+	return listenerWarnings
+}
 
 // get errors that can be caused by virtual services
 func getVirtualHostLevelErrorsAndWarnings(vhReport *validation.VirtualHostReport) ([]error, []string) {

projects/gloo/api/grpc/validation/gloo_validation.proto

@@ -121,9 +121,25 @@ message ListenerReport {
         string reason = 2;
     }
 
+    // warning types for the given listener config
+    message Warning {
+        enum Type {
+            SSLConfigWarning = 0;
+        }
+
+        // the type of the error
+        Type type = 1;
+        // any extra info as a string
+        string reason = 2;
+    }
+
+
     // errors on top-level config of the listener
     repeated Error errors = 2;
 
+    // warnings on the top-levelconfig of the listener
+    repeated Warning warnings = 7;
+
     oneof listener_type_report {
         // report for the http listener
         HttpListenerReport http_listener_report = 3;