From 6341b5b8979f8da2c3727524661961a61a60fe7c Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Wed, 27 Sep 2023 16:21:11 -0700 Subject: [PATCH] feat: ClientTrafficPolicy * adds base API + CRD * adding k8s provider reconciliation * add skeleton in gateway-api translation layer Relates to https://github.com/envoyproxy/gateway/issues/1846 Signed-off-by: Arko Dasgupta --- api/v1alpha1/clienttrafficpolicy_types.go | 68 +++++++ api/v1alpha1/zz_generated.deepcopy.go | 97 ++++++++++ ...y.envoyproxy.io_clienttrafficpolicies.yaml | 181 ++++++++++++++++++ charts/gateway-helm/templates/_rbac.tpl | 2 + docs/latest/api/extension_types.md | 51 +++++ internal/gatewayapi/resource.go | 2 + internal/gatewayapi/translator.go | 3 + internal/gatewayapi/zz_generated.deepcopy.go | 11 ++ internal/provider/kubernetes/controller.go | 29 +++ 9 files changed, 444 insertions(+) create mode 100644 api/v1alpha1/clienttrafficpolicy_types.go create mode 100644 charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go new file mode 100644 index 000000000000..8a9b6547c7fa --- /dev/null +++ b/api/v1alpha1/clienttrafficpolicy_types.go @@ -0,0 +1,68 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" +) + +const ( + // KindClientTrafficPolicy is the name of the ClientTrafficPolicy kind. + KindClientTrafficPolicy = "ClientTrafficPolicy" +) + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Programmed")].reason` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` + +// ClientTrafficPolicy allows the user to configure the behavior of the connection +// between the downstream client and Envoy Proxy listener. +type ClientTrafficPolicy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec defines the desired state of ClientTrafficPolicy. + Spec ClientTrafficPolicySpec `json:"spec"` + + // Status defines the current status of ClientTrafficPolicy. + Status ClientTrafficPolicyStatus `json:"status,omitempty"` +} + +// ClientTrafficPolicySpec defines the desired state of ClientTrafficPolicy. +type ClientTrafficPolicySpec struct { + // TargetRef is the name of the Gateway resource this policy + // is being attached to. + // This Policy and the TargetRef MUST be in the same namespace + // for this Policy to have effect and be applied to the Gateway. + // TargetRef + TargetRef gwapiv1a2.PolicyTargetReferenceWithSectionName `json:"targetRef"` +} + +// ClientTrafficPolicyStatus defines the state of ClientTrafficPolicy +type ClientTrafficPolicyStatus struct { + // Conditions describe the current conditions of the ClientTrafficPolicy. + // + // +optional + // +listType=map + // +listMapKey=type + // +kubebuilder:validation:MaxItems=8 + Conditions []metav1.Condition `json:"conditions,omitempty"` +} + +//+kubebuilder:object:root=true + +// ClientTrafficPolicyList contains a list of ClientTrafficPolicy resources. +type ClientTrafficPolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []ClientTrafficPolicy `json:"items"` +} + +func init() { + SchemeBuilder.Register(&ClientTrafficPolicy{}, &ClientTrafficPolicyList{}) +} diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 178968647210..ac04882eb3a7 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -110,6 +110,103 @@ func (in *ClaimToHeader) DeepCopy() *ClaimToHeader { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientTrafficPolicy) DeepCopyInto(out *ClientTrafficPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientTrafficPolicy. +func (in *ClientTrafficPolicy) DeepCopy() *ClientTrafficPolicy { + if in == nil { + return nil + } + out := new(ClientTrafficPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClientTrafficPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientTrafficPolicyList) DeepCopyInto(out *ClientTrafficPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClientTrafficPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientTrafficPolicyList. +func (in *ClientTrafficPolicyList) DeepCopy() *ClientTrafficPolicyList { + if in == nil { + return nil + } + out := new(ClientTrafficPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClientTrafficPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientTrafficPolicySpec) DeepCopyInto(out *ClientTrafficPolicySpec) { + *out = *in + in.TargetRef.DeepCopyInto(&out.TargetRef) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientTrafficPolicySpec. +func (in *ClientTrafficPolicySpec) DeepCopy() *ClientTrafficPolicySpec { + if in == nil { + return nil + } + out := new(ClientTrafficPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientTrafficPolicyStatus) DeepCopyInto(out *ClientTrafficPolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientTrafficPolicyStatus. +func (in *ClientTrafficPolicyStatus) DeepCopy() *ClientTrafficPolicyStatus { + if in == nil { + return nil + } + out := new(ClientTrafficPolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EnvoyJSONPatchConfig) DeepCopyInto(out *EnvoyJSONPatchConfig) { *out = *in diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml new file mode 100644 index 000000000000..5727b08a66ee --- /dev/null +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -0,0 +1,181 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: clienttrafficpolicies.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + kind: ClientTrafficPolicy + listKind: ClientTrafficPolicyList + plural: clienttrafficpolicies + singular: clienttrafficpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Programmed")].reason + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClientTrafficPolicy allows the user to configure the behavior + of the connection between the downstream client and Envoy Proxy listener. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ClientTrafficPolicy. + properties: + targetRef: + description: TargetRef is the name of the Gateway resource this policy + is being attached to. This Policy and the TargetRef MUST be in the + same namespace for this Policy to have effect and be applied to + the Gateway. TargetRef + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it MUST only apply + to traffic originating from the same namespace as the policy. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + sectionName: + description: "SectionName is the name of a section within the + target resource. When unspecified, this targetRef targets the + entire resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name * + Service: Port Name \n If a SectionName is specified, but does + not exist on the targeted object, the Policy must fail to attach, + and the policy implementation should record a `ResolvedRefs` + or similar Condition in the Policy's status." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + required: + - targetRef + type: object + status: + description: Status defines the current status of ClientTrafficPolicy. + properties: + conditions: + description: Conditions describe the current conditions of the ClientTrafficPolicy. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/gateway-helm/templates/_rbac.tpl b/charts/gateway-helm/templates/_rbac.tpl index d81033486ada..a005ff5b75c5 100644 --- a/charts/gateway-helm/templates/_rbac.tpl +++ b/charts/gateway-helm/templates/_rbac.tpl @@ -79,6 +79,7 @@ apiGroups: resources: - authenticationfilters - envoypatchpolicies +- clienttrafficpolicies - ratelimitfilters verbs: - get @@ -93,6 +94,7 @@ apiGroups: - gateway.envoyproxy.io resources: - envoypatchpolicies/status +- clienttrafficpolicies/status verbs: - update {{- end }} diff --git a/docs/latest/api/extension_types.md b/docs/latest/api/extension_types.md index 4276b23601f9..6cc8d4269cda 100644 --- a/docs/latest/api/extension_types.md +++ b/docs/latest/api/extension_types.md @@ -11,6 +11,8 @@ Package v1alpha1 contains API schema definitions for the gateway.envoyproxy.io A ### Resource Types - [AuthenticationFilter](#authenticationfilter) +- [ClientTrafficPolicy](#clienttrafficpolicy) +- [ClientTrafficPolicyList](#clienttrafficpolicylist) - [EnvoyPatchPolicy](#envoypatchpolicy) - [EnvoyPatchPolicyList](#envoypatchpolicylist) - [RateLimitFilter](#ratelimitfilter) @@ -74,6 +76,55 @@ _Appears in:_ | `claim` _string_ | Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type (eg. "claim.nested.key", "sub"). The nested claim name must use dot "." to separate the JSON name path. | +## ClientTrafficPolicy + + + +ClientTrafficPolicy allows the user to configure the behavior of the connection between the downstream client and Envoy Proxy listener. + +_Appears in:_ +- [ClientTrafficPolicyList](#clienttrafficpolicylist) + +| Field | Description | +| --- | --- | +| `apiVersion` _string_ | `gateway.envoyproxy.io/v1alpha1` +| `kind` _string_ | `ClientTrafficPolicy` +| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` _[ClientTrafficPolicySpec](#clienttrafficpolicyspec)_ | Spec defines the desired state of ClientTrafficPolicy. | + + +## ClientTrafficPolicyList + + + +ClientTrafficPolicyList contains a list of ClientTrafficPolicy resources. + + + +| Field | Description | +| --- | --- | +| `apiVersion` _string_ | `gateway.envoyproxy.io/v1alpha1` +| `kind` _string_ | `ClientTrafficPolicyList` +| `metadata` _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | +| `items` _[ClientTrafficPolicy](#clienttrafficpolicy) array_ | | + + +## ClientTrafficPolicySpec + + + +ClientTrafficPolicySpec defines the desired state of ClientTrafficPolicy. + +_Appears in:_ +- [ClientTrafficPolicy](#clienttrafficpolicy) + +| Field | Description | +| --- | --- | +| `targetRef` _[PolicyTargetReferenceWithSectionName](#policytargetreferencewithsectionname)_ | TargetRef is the name of the Gateway resource this policy is being attached to. This Policy and the TargetRef MUST be in the same namespace for this Policy to have effect and be applied to the Gateway. TargetRef | + + + + ## EnvoyJSONPatchConfig diff --git a/internal/gatewayapi/resource.go b/internal/gatewayapi/resource.go index 3eb830e2b700..2da40cf3d7e4 100644 --- a/internal/gatewayapi/resource.go +++ b/internal/gatewayapi/resource.go @@ -45,6 +45,7 @@ type Resources struct { EnvoyProxy *egcfgv1a1.EnvoyProxy `json:"envoyProxy,omitempty" yaml:"envoyProxy,omitempty"` ExtensionRefFilters []unstructured.Unstructured `json:"extensionRefFilters,omitempty" yaml:"extensionRefFilters,omitempty"` EnvoyPatchPolicies []*egv1a1.EnvoyPatchPolicy `json:"envoyPatchPolicies,omitempty" yaml:"envoyPatchPolicies,omitempty"` + ClientTrafficPolicies []*egv1a1.ClientTrafficPolicy `json:"clientTrafficPolicies,omitempty" yaml:"clientTrafficPolicies,omitempty"` } func NewResources() *Resources { @@ -62,6 +63,7 @@ func NewResources() *Resources { AuthenticationFilters: []*egv1a1.AuthenticationFilter{}, ExtensionRefFilters: []unstructured.Unstructured{}, EnvoyPatchPolicies: []*egv1a1.EnvoyPatchPolicy{}, + ClientTrafficPolicies: []*egv1a1.ClientTrafficPolicy{}, } } diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go index 7a94ad234cf0..26aabb1f4c81 100644 --- a/internal/gatewayapi/translator.go +++ b/internal/gatewayapi/translator.go @@ -130,6 +130,9 @@ func (t *Translator) Translate(resources *Resources) *TranslateResult { // Process EnvoyPatchPolicies t.ProcessEnvoyPatchPolicies(resources.EnvoyPatchPolicies, xdsIR) + // Process ClientTrafficPolicies + t.ProcessClientTrafficPolicies(resources.ClientTrafficPolicies, xdsIR) + // Process all Addresses for all relevant Gateways. t.ProcessAddresses(gateways, xdsIR, infraIR, resources) diff --git a/internal/gatewayapi/zz_generated.deepcopy.go b/internal/gatewayapi/zz_generated.deepcopy.go index 14845fcd9010..1f983058269b 100644 --- a/internal/gatewayapi/zz_generated.deepcopy.go +++ b/internal/gatewayapi/zz_generated.deepcopy.go @@ -206,6 +206,17 @@ func (in *Resources) DeepCopyInto(out *Resources) { } } } + if in.ClientTrafficPolicies != nil { + in, out := &in.ClientTrafficPolicies, &out.ClientTrafficPolicies + *out = make([]*apiv1alpha1.ClientTrafficPolicy, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(apiv1alpha1.ClientTrafficPolicy) + (*in).DeepCopyInto(*out) + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Resources. diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 6e3b65258dee..37ea418ae4b6 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -294,6 +294,21 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques } } + // Add all ClientTrafficPolicies + clientTrafficPolicies := egv1a1.ClientTrafficPolicyList{} + if err := r.client.List(ctx, &clientTrafficPolicies); err != nil { + return reconcile.Result{}, fmt.Errorf("error listing clienttrafficpolicies: %v", err) + } + + for _, policy := range clientTrafficPolicies.Items { + policy := policy + // Discard Status to reduce memory consumption in watchable + // It will be recomputed by the gateway-api layer + policy.Status = egv1a1.ClientTrafficPolicyStatus{} + resourceTree.ClientTrafficPolicies = append(resourceTree.ClientTrafficPolicies, &policy) + + } + // For this particular Gateway, and all associated objects, check whether the // namespace exists. Add to the resourceTree. for ns := range resourceMap.allAssociatedNamespaces { @@ -1512,6 +1527,20 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M } } + // Watch ClientTrafficPolicy + ctpPredicates := []predicate.Predicate{} + if len(r.namespaceLabels) != 0 { + ctpPredicates = append(ctpPredicates, predicate.NewPredicateFuncs(r.hasMatchingNamespaceLabels)) + } + + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.ClientTrafficPolicy{}), + handler.EnqueueRequestsFromMapFunc(r.enqueueClass), + ctpPredicates..., + ); err != nil { + return err + } + r.log.Info("Watching gatewayAPI related objects") // Watch any additional GVKs from the registered extension.