fix(Gateway API): ensure parentRef match

[davidwin93]

Description

This PR updates routes are matched to their parent Gateway. This change prevents stale route statuses from being considered valid and ensures that the route's acceptance status is up-to-date with its current state.

Changes

• Added logic to ensure that the Gateway is a valid parent in the routes spec
• This lookup will return false is the Gateway is not defined in the routes spec as a parent.

Why

The previous implementation only checked for the presence of an accepted condition with a true status, but didn't verify if the condition was stale. This could lead to:

• Routes being considered accepted even after significant changes
• Potential misrouting of traffic based on outdated status
• Inconsistent behavior with an old parent references still being used instead of the one defined in the routes spec.

Fixes #5095

Checklist

• Unit tests updated
• End user documentation updated

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: davidwin93 / name: Dave Winiarski (4386d8b, 94278ae, 9854a0e, f27da2b, 5a1aef4, 1476fe1, 127122d, cb4b6a2)

[k8s-ci-robot]

Welcome @davidwin93!

It looks like this is your first PR to kubernetes-sigs/external-dns 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/external-dns has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @davidwin93. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mloiseleur]

/ok-to-test
/retitle fix(Gateway API): ensure generation match

@abursavich Do you think you can review this PR ?

[travisghansen]

Are all gateway api resources covered by this? ie: grpcroutes, udproutes, tcproutes, etc

[travisghansen]

Also is it possible that race conditions could occur where the route has a new generation but the gateways have not reconciled/reacted yet and thereby updated the status? That seems potentially dangerous.

ie: maybe a gateway controller is temporarily down for maintenance or whatever

Maybe the logic should be:

• only analyze parents that are in the current route spec.parentRefs (this ensures any statuses for no longer relevant gateways is ignored)
• When checking conditions we find the most recent status update for the given parent (this ensures race conditions don’t overly aggressively remove DNS entries)

[davidwin93]

Are all gateway api resources covered by this? ie: grpcroutes, udproutes, tcproutes, etc

Yes they should all be covered by this change.

Also is it possible that race conditions could occur where the route has a new generation but the gateways have not reconciled/reacted yet and thereby updated the status? That seems potentially dangerous.

That's a fair point. I'll review my change and try and setup a similar test case to validate.

[travisghansen]

only analyze parents that are in the current route spec.parentRefs (this ensures any statuses for no longer relevant gateways is ignored)
This is should already be happening here.

envoyproxy/gateway#5656

[travisghansen]

So same issue applies there, the controller may be down or simply doesn't remove the conditions when the gateway has been removed from the actual spec.parentRefs. I'm unclear what expected behavior on the part of the controllers is supposed to be:

• Leave old conditions around after they are no longer associated
  OR
• Delete old conditions when the 2 are no longer connected via spec.parentRefs

The former is what envoy-gateway is currently doing which your original code would resolve (but could lead to overly aggressive removal).

If gateways are expected to do the latter then we're being underly agressive removing the entry if the controller hasn't gotten around to removing the status entry.

That's why I suggested the steps above...

1. Check the that spec.parentRefs (this ensures we're removing them when appropriate regardless of status)
2. Only use the most recent status vs requiring an exact match on generation (this ensures we're safe from the race conditions and not overly aggressive on the removal front)

Just some crude suggestions without being overly familiar with all the intricacies, I certainly could be missing something.

[davidwin93]

Digging more into this I think using the spec.parentRef as you mentioned as a filter on the route conditions list should work. There is a possible race condition when changing gateways where the record could be dropped before the new gateway accepts the route, but a user can work around this my listing both gateways as parentRefs in their spec.

I don't think that using transitionTime is beneficial and instead we should just depend on the route status being accepted.

Ill draft these changes this weekend. Thanks for the feedback on this.

[travisghansen]

Thank you for the PR! I am not sure I follow the risks etc entirely as you mentioned but probably easiest to just review code when in drops and go from there at this point. I am not proficient in go but can certainly read it well enough to understand the logic flow.

[davidwin93]

/retest

[travisghansen]

Probably should revert this comment.

[travisghansen]

I think the logic in this will work given 2 requirements:

1. the status.parents never ends up with multiple entries for the same gateway (I would assume this supposed to be the case)
2. the conditions only ever have 1 entry for the accepted condition type (less sure about this one)

I am essentially unclear if the conditions is meant to carry some historical record in there or if there should only ever be the ‘current’ entry of the given type.

[davidwin93]

| the conditions only ever have 1 entry for the accepted condition type (less sure about this one)
Reading more about the architectural design behind Conditions it seems that it'll be up to each Controller. I do think there will only ever be a single Accepted type condition based on the earlier doc.

[davidwin93]

/retest

[mloiseleur]

@davidwin93 If you rebase on top of #5268, the tests should go green.

[davidwin93]

@mloiseleur or @abursavich mind if I grab the lgtm label again? My rebase on master removed it.

[mloiseleur]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abursavich, mloiseleur

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mloiseleur]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mrozentsvayg]

For the reference - this PR also fixes #5348

By the way, it would be helpful to retitle and update the description.
After creation (and first commit) the logic switched from comparing generations to matching parentRef instead.
Which is great, but the title and PR info are no longer accurate and little confusing.

[mloiseleur]

@mrozentsvayg That's right. I updated PR title. Feel free to suggest a better one if needed.
I'll let @davidwin93 update PR info.

[davidwin93]

I've updated the PR description to match the changes that I made.

[travisghansen]

Did this land in a release yet?