Merge branch 'main' into improv-validateClusterStatName

Author: zirain

api/v1alpha1/clienttrafficpolicy_types.go

@@ -357,11 +357,19 @@ type HTTP1Settings struct {
 
 // HTTP10Settings provides HTTP/1.0 configuration on the listener.
 type HTTP10Settings struct {
-	// UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
-	// then the hostname associated with the listener should be injected into the
-	// request.
-	// If this is not set and an HTTP/1.0 request arrives without a host, then
-	// it will be rejected.
+	// UseDefaultHost specifies whether a default Host header should be injected
+	// into HTTP/1.0 requests that do not include one.
+	//
+	// When set to true, Envoy Gateway injects the hostname associated with the
+	// listener or route into the request, in the following order:
+	//
+	//   1. If the targeted listener has a non-wildcard hostname, use that hostname.
+	//   2. If there is exactly one HTTPRoute with a non-wildcard hostname under
+	//      the targeted listener, use that hostname.
+	//
+	//  Note: Setting this field to true without a non-wildcard hostname makes the
+	// ClientTrafficPolicy invalid.
+	//
 	// +optional
 	UseDefaultHost *bool `json:"useDefaultHost,omitempty"`
 }

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -604,11 +604,18 @@ spec:
                     properties:
                       useDefaultHost:
                         description: |-
-                          UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
-                          then the hostname associated with the listener should be injected into the
-                          request.
-                          If this is not set and an HTTP/1.0 request arrives without a host, then
-                          it will be rejected.
+                          UseDefaultHost specifies whether a default Host header should be injected
+                          into HTTP/1.0 requests that do not include one.
+
+                          When set to true, Envoy Gateway injects the hostname associated with the
+                          listener or route into the request, in the following order:
+
+                            1. If the targeted listener has a non-wildcard hostname, use that hostname.
+                            2. If there is exactly one HTTPRoute with a non-wildcard hostname under
+                               the targeted listener, use that hostname.
+
+                           Note: Setting this field to true without a non-wildcard hostname makes the
+                          ClientTrafficPolicy invalid.
                         type: boolean
                     type: object
                   preserveHeaderCase:

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -603,11 +603,18 @@ spec:
                     properties:
                       useDefaultHost:
                         description: |-
-                          UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
-                          then the hostname associated with the listener should be injected into the
-                          request.
-                          If this is not set and an HTTP/1.0 request arrives without a host, then
-                          it will be rejected.
+                          UseDefaultHost specifies whether a default Host header should be injected
+                          into HTTP/1.0 requests that do not include one.
+
+                          When set to true, Envoy Gateway injects the hostname associated with the
+                          listener or route into the request, in the following order:
+
+                            1. If the targeted listener has a non-wildcard hostname, use that hostname.
+                            2. If there is exactly one HTTPRoute with a non-wildcard hostname under
+                               the targeted listener, use that hostname.
+
+                           Note: Setting this field to true without a non-wildcard hostname makes the
+                          ClientTrafficPolicy invalid.
                         type: boolean
                     type: object
                   preserveHeaderCase:

internal/gatewayapi/backend.go

@@ -17,6 +17,7 @@ import (
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/gatewayapi/status"
+	"github.com/envoyproxy/gateway/internal/utils/net"
 )
 
 func (t *Translator) ProcessBackends(backends []*egv1a1.Backend, backendTLSPolicies []*gwapiv1.BackendTLSPolicy) []*egv1a1.Backend {
@@ -27,7 +28,7 @@ func (t *Translator) ProcessBackends(backends []*egv1a1.Backend, backendTLSPolic
 			status.UpdateBackendStatusAcceptedCondition(backend, false,
 				"The Backend was not accepted since Backend is not enabled in Envoy Gateway Config")
 		} else {
-			if err := validateBackend(backend, backendTLSPolicies); err != nil {
+			if err := validateBackend(backend, backendTLSPolicies, t.RunningOnHost); err != nil {
 				status.UpdateBackendStatusAcceptedCondition(backend, false, fmt.Sprintf("The Backend was not accepted: %s", err.Error()))
 			} else {
 				status.UpdateBackendStatusAcceptedCondition(backend, true, "The Backend was accepted")
@@ -40,7 +41,7 @@ func (t *Translator) ProcessBackends(backends []*egv1a1.Backend, backendTLSPolic
 	return res
 }
 
-func validateBackend(backend *egv1a1.Backend, backendTLSPolicies []*gwapiv1.BackendTLSPolicy) status.Error {
+func validateBackend(backend *egv1a1.Backend, backendTLSPolicies []*gwapiv1.BackendTLSPolicy, runningOnHost bool) status.Error {
 	if backend.Spec.Type != nil && *backend.Spec.Type == egv1a1.BackendTypeDynamicResolver {
 		if len(backend.Spec.Endpoints) > 0 {
 			return status.NewRouteStatusError(
@@ -57,13 +58,13 @@ func validateBackend(backend *egv1a1.Backend, backendTLSPolicies []*gwapiv1.Back
 
 	for _, ep := range backend.Spec.Endpoints {
 		if ep.Hostname != nil {
-			routeErr := validateHostname(*ep.Hostname, "hostname")
+			routeErr := validateHostname(*ep.Hostname, "hostname", runningOnHost)
 			if routeErr != nil {
 				return routeErr
 			}
 		}
 		if ep.FQDN != nil {
-			routeErr := validateHostname(ep.FQDN.Hostname, "FQDN")
+			routeErr := validateHostname(ep.FQDN.Hostname, "FQDN", runningOnHost)
 			if routeErr != nil {
 				return routeErr
 			}
@@ -74,9 +75,9 @@ func validateBackend(backend *egv1a1.Backend, backendTLSPolicies []*gwapiv1.Back
 					fmt.Errorf("IP address %s is invalid", ep.IP.Address),
 					status.RouteReasonInvalidAddress,
 				)
-			} else if ip.IsLoopback() {
+			} else if ip.IsLoopback() && !runningOnHost {
 				return status.NewRouteStatusError(
-					fmt.Errorf("IP address %s in the loopback range is not supported", ep.IP.Address),
+					fmt.Errorf("IP address %s in the loopback range is only supported when using the Host infrastructure", ep.IP.Address),
 					status.RouteReasonInvalidAddress,
 				)
 			}
@@ -169,15 +170,16 @@ func validateBackendTLSSettings(backend *egv1a1.Backend, backendTLSPolicies []*g
 	return nil
 }
 
-func validateHostname(hostname, typeName string) *status.RouteStatusError {
+func validateHostname(hostname, typeName string, allowLocalhost bool) *status.RouteStatusError {
 	// must be a valid hostname
 	if errs := validation.IsDNS1123Subdomain(hostname); errs != nil {
 		return status.NewRouteStatusError(
 			fmt.Errorf("hostname %s is not a valid %s", hostname, typeName),
 			status.RouteReasonInvalidAddress,
 		)
 	}
-	if len(strings.Split(hostname, ".")) < 2 {
+	isLocalHostname := allowLocalhost && hostname == net.DefaultLocalAddress
+	if !isLocalHostname && len(strings.Split(hostname, ".")) < 2 {
 		return status.NewRouteStatusError(
 			fmt.Errorf("hostname %s should be a domain with at least two segments separated by dots", hostname),
 			status.RouteReasonInvalidAddress,

internal/gatewayapi/listener.go

@@ -891,7 +891,9 @@ func validCELExpression(expr string) bool {
 // servicePortToContainerPort translates a service port into an ephemeral
 // container port.
 func (t *Translator) servicePortToContainerPort(servicePort int32, envoyProxy *egv1a1.EnvoyProxy) int32 {
-	if t.ListenerPortShiftDisabled {
+	// When running on the local host using the Host infrastructure provider, disable translating the
+	// gateway listener port into a non-privileged port and reuse the specified value.
+	if t.RunningOnHost {
 		return servicePort
 	}
 

internal/gatewayapi/runner/runner.go

@@ -146,17 +146,17 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *re
 			for _, resources := range *val {
 				// Translate and publish IRs.
 				t := &gatewayapi.Translator{
-					GatewayControllerName:     r.EnvoyGateway.Gateway.ControllerName,
-					GatewayClassName:          gwapiv1.ObjectName(resources.GatewayClass.Name),
-					GlobalRateLimitEnabled:    r.EnvoyGateway.RateLimit != nil,
-					EnvoyPatchPolicyEnabled:   r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy,
-					BackendEnabled:            r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableBackend,
-					ControllerNamespace:       r.ControllerNamespace,
-					GatewayNamespaceMode:      r.EnvoyGateway.GatewayNamespaceMode(),
-					MergeGateways:             gatewayapi.IsMergeGatewaysEnabled(resources),
-					WasmCache:                 r.wasmCache,
-					ListenerPortShiftDisabled: r.EnvoyGateway.Provider != nil && r.EnvoyGateway.Provider.IsRunningOnHost(),
-					Logger:                    r.Logger,
+					GatewayControllerName:   r.EnvoyGateway.Gateway.ControllerName,
+					GatewayClassName:        gwapiv1.ObjectName(resources.GatewayClass.Name),
+					GlobalRateLimitEnabled:  r.EnvoyGateway.RateLimit != nil,
+					EnvoyPatchPolicyEnabled: r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy,
+					BackendEnabled:          r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableBackend,
+					ControllerNamespace:     r.ControllerNamespace,
+					GatewayNamespaceMode:    r.EnvoyGateway.GatewayNamespaceMode(),
+					MergeGateways:           gatewayapi.IsMergeGatewaysEnabled(resources),
+					WasmCache:               r.wasmCache,
+					RunningOnHost:           r.EnvoyGateway.Provider != nil && r.EnvoyGateway.Provider.IsRunningOnHost(),
+					Logger:                  r.Logger,
 				}
 
 				// If an extension is loaded, pass its supported groups/kinds to the translator

internal/gatewayapi/testdata/backend-invalid-hostname-address.out.yaml

@@ -48,7 +48,7 @@ backends:
     conditions:
     - lastTransitionTime: null
       message: 'The Backend was not accepted: IP address 127.0.0.3 in the loopback
-        range is not supported'
+        range is only supported when using the Host infrastructure'
       reason: Accepted
       status: "False"
       type: Invalid

internal/gatewayapi/testdata/backend-with-localhost-host-infra.in.yaml

@@ -0,0 +1,21 @@
+backends:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-fqdn
+      namespace: default
+    spec:
+      endpoints:
+        - fqdn:
+            hostname: 'localhost'
+            port: 3000
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-fqdn
+      namespace: default
+    spec:
+      endpoints:
+        - ip:
+            address: '127.0.0.3'
+            port: 3000

internal/gatewayapi/testdata/backend-with-localhost-host-infra.out.yaml

@@ -0,0 +1,37 @@
+backends:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: Backend
+  metadata:
+    name: backend-fqdn
+    namespace: default
+  spec:
+    endpoints:
+    - fqdn:
+        hostname: localhost
+        port: 3000
+  status:
+    conditions:
+    - lastTransitionTime: null
+      message: The Backend was accepted
+      reason: Accepted
+      status: "True"
+      type: Accepted
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: Backend
+  metadata:
+    name: backend-fqdn
+    namespace: default
+  spec:
+    endpoints:
+    - ip:
+        address: 127.0.0.3
+        port: 3000
+  status:
+    conditions:
+    - lastTransitionTime: null
+      message: The Backend was accepted
+      reason: Accepted
+      status: "True"
+      type: Accepted
+infraIR: {}
+xdsIR: {}