Another round of v1alpha2 cleanup #839
Conversation
k8s-ci-robot
added
kind/cleanup
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: robscott The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
robscott
force-pushed
the
cleanup-v1alpha2
branch
2 times, most recently
from
0c787e6
to
d784985
Compare
apis/v1alpha2/gateway_types.go
Outdated
| @@ -72,6 +72,9 @@ type GatewaySpec struct { | |||
| // logical endpoints that are bound on this Gateway's addresses. | |||
| // At least one Listener MUST be specified. | |||
| // | |||
| // Each listener in a Gateway must have a unique combination of Hostname, | |||
| // Port, and Protocol. This will be enforced by a validating webhook. | |||
There was a problem hiding this comment.
nit: how it will be enforced doesn't seem like it should be in the docs?
There was a problem hiding this comment.
Recommend adding an issue instead.
There was a problem hiding this comment.
I'd include the TLS details in that list as well, tbh.
There was a problem hiding this comment.
Created #847 to track webhook validation.
I'd include the TLS details in that list as well, tbh.
Do you mean that hostname, listener, and protocol can be identical across listener if TLS is different?
There was a problem hiding this comment.
Removed reference to webhook in godocs here.
There was a problem hiding this comment.
Do you mean that hostname, listener, and protocol can be identical across listener if TLS is different?
Oh, you're quite right, that makes no sense. I was more thinking that TLS details are part of the key for this, but you're right that if the hostname, port, and protocol are identical, then the TLS details must not be different.
apis/v1alpha2/tlsroute_types.go
Outdated
| // | ||
| // If hostnames do not match with the criteria above, then the TLSRoute is | ||
| // not accepted, and the implementation must raise an 'Accepted' Condition | ||
| // with a status of `False` for the target Listener(s). |
There was a problem hiding this comment.
This is a bit confusing when not using sectionName in parentRefs. Since the target is not a listener
There was a problem hiding this comment.
Yeah, this comes down to the behavior with partial Listener acceptance, I think if we mandate "all", and have a ResolvedRefs in the event not all match, then this covers the sectionName case.
There was a problem hiding this comment.
I agree that we need a better way to handle status when sectionName is not specified. 2 options I've been thinking of:
- A standard/reserved listener name such as "all" that is used in status to cover failed attachment to the Gateway as a whole.
- A new set of condition types for Gateway status specifically for this purpose. (We could potentially reuse the existing listener condition types).
There was a problem hiding this comment.
I think option 2 seems better - if no listeners are valid, that seems very relevant for top-level status, but I would have thought we had that covered already somehow.
apis/v1alpha2/tlsroute_types.go
Outdated
| // TLSRoute specified `test.example.com` and `test.example.net`, | ||
| // `test.example.net` must not be considered for a match. | ||
| // | ||
| // If hostnames do not match with the criteria above, then the TLSRoute is |
There was a problem hiding this comment.
I would clarify: If <any,all> hostnames .... And should be All IMO
There was a problem hiding this comment.
+1 that it the Route should only not be accepted if all hostnames do not match, and if at least one does, a ResolvedRefs condition should be raised as well.
There was a problem hiding this comment.
+1 that it the Route should only not be accepted if all hostnames do not match
Updated, thanks!
and if at least one does, a ResolvedRefs condition should be raised as well.
Wouldn't this result in a successful attachment? Why would we raise a ResolvedRefs condition?
There was a problem hiding this comment.
I guess you're right, the thing I wanted to make sure we have is to indicate what hostnames are in use somehow. If you've got a bunch of hostnames and only one is in use, that seems like it would be good to know.
apis/v1alpha2/gateway_types.go
Outdated
| @@ -72,6 +72,9 @@ type GatewaySpec struct { | |||
| // logical endpoints that are bound on this Gateway's addresses. | |||
| // At least one Listener MUST be specified. | |||
| // | |||
| // Each listener in a Gateway must have a unique combination of Hostname, | |||
| // Port, and Protocol. This will be enforced by a validating webhook. | |||
There was a problem hiding this comment.
Recommend adding an issue instead.
apis/v1alpha2/gateway_types.go
Outdated
| // [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5) | ||
| // or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3) | ||
| // * HTTPS: The Hostname match MUST be applied at both the TLS and HTTP | ||
| // protocol layers. |
There was a problem hiding this comment.
@youngnick Is this sufficient to close the domain fronting issue (#72) as well?
There was a problem hiding this comment.
Although this isn't entirely new content, now that I'm seeing it here, I think this wording may be a bit too strong. I'm not sure that every implementation can apply a match at both layers.
There was a problem hiding this comment.
I think the direction is good, but maybe we need to specify this in terms of API objects, like:
- TLS: the Listener hostname must match the SNI.
- HTTP: The HTTPRoute hostname must match the Host header of the request.
- HTTPS: The Listener Hostname and the HTTPRoute hostname must agree with each other, and also match request properties as above.
There was a problem hiding this comment.
Because the important part is that we expect that Listeners and HTTPRoutes that do not match these rules should not end up attached.
There was a problem hiding this comment.
I don't think we should mix up the route type with the listener protocol here. While there's likely a ~99% overlap here, if we tie route types too closely here, we prevent or at least complicate extended route types. I've copied most of your suggestions from above, but removed any references to Routes - the following paragraph already covers that intersection.
apis/v1alpha2/gateway_types.go
Outdated
| @@ -72,6 +72,9 @@ type GatewaySpec struct { | |||
| // logical endpoints that are bound on this Gateway's addresses. | |||
| // At least one Listener MUST be specified. | |||
| // | |||
| // Each listener in a Gateway must have a unique combination of Hostname, | |||
| // Port, and Protocol. This will be enforced by a validating webhook. | |||
There was a problem hiding this comment.
I'd include the TLS details in that list as well, tbh.
apis/v1alpha2/gateway_types.go
Outdated
| // [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5) | ||
| // or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3) | ||
| // * HTTPS: The Hostname match MUST be applied at both the TLS and HTTP | ||
| // protocol layers. |
There was a problem hiding this comment.
I think the direction is good, but maybe we need to specify this in terms of API objects, like:
- TLS: the Listener hostname must match the SNI.
- HTTP: The HTTPRoute hostname must match the Host header of the request.
- HTTPS: The Listener Hostname and the HTTPRoute hostname must agree with each other, and also match request properties as above.
apis/v1alpha2/gateway_types.go
Outdated
| // [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5) | ||
| // or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3) | ||
| // * HTTPS: The Hostname match MUST be applied at both the TLS and HTTP | ||
| // protocol layers. |
There was a problem hiding this comment.
Because the important part is that we expect that Listeners and HTTPRoutes that do not match these rules should not end up attached.
apis/v1alpha2/tlsroute_types.go
Outdated
| // TLSRoute specified `test.example.com` and `test.example.net`, | ||
| // `test.example.net` must not be considered for a match. | ||
| // | ||
| // If hostnames do not match with the criteria above, then the TLSRoute is |
There was a problem hiding this comment.
+1 that it the Route should only not be accepted if all hostnames do not match, and if at least one does, a ResolvedRefs condition should be raised as well.
apis/v1alpha2/tlsroute_types.go
Outdated
| // | ||
| // If hostnames do not match with the criteria above, then the TLSRoute is | ||
| // not accepted, and the implementation must raise an 'Accepted' Condition | ||
| // with a status of `False` for the target Listener(s). |
There was a problem hiding this comment.
Yeah, this comes down to the behavior with partial Listener acceptance, I think if we mandate "all", and have a ResolvedRefs in the event not all match, then this covers the sectionName case.
robscott
force-pushed
the
cleanup-v1alpha2
branch
from
d784985
to
4ddc359
Compare
|
@youngnick @hbagdi @howardjohn Thanks for the great feedback on this! I think I've responded to everything, PTAL. |
There was a problem hiding this comment.
LGTM aside from me being nitpicky about SHOULD.
I think that we need to ensure that every time we use SHOULD, we clearly explain the reasons that is not MUST, and consider using "MUST, except if" instead.
I think that SHOULD leaves too much room for interpretation without clarification.
apis/v1alpha2/gateway_types.go
Outdated
| // * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP | ||
| // protocol layers as described above. |
There was a problem hiding this comment.
Sorry to go around again, but if this is a SHOULD, then I think we need to clarify, with something like:
If an implementation allows this to be the case, it MUST clearly document its behavior and how it manages the resulting security issue (different SNI and Host header can be used to bypass client certificate authentication).
I think we need to ensure that everytime we have a SHOULD, we have an explanation of why it's a SHOULD rather than a MUST, and we should (ironically) prefer must.
There was a problem hiding this comment.
At the very least, the SNI MUST match the listener hostname I would think. And the HTTP Host MUST match the HTTPRoute hostname. And the listener/route hostnames MUST form an intersection. Therefor, there MUST be some intersection between the two if both are specified. For example, if I have listener hostname *.example.com, then both MUST have *.example.com.
Not that we should write that as is.. just brain dumping.
There was a problem hiding this comment.
I took a shot at updating this. What I'm trying to communicate here is that if implementations can implement the match at both levels they should, but not every implementation can.
robscott
force-pushed
the
cleanup-v1alpha2
branch
from
4ddc359
to
b22e4e6
Compare
|
I think you got it @robscott, nice work. /lgtm /hold |
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
added
the
lgtm
|
Just a couple of formatting nits. /lgtm |
robscott
force-pushed
the
cleanup-v1alpha2
branch
from
b22e4e6
to
58e1dd2
Compare
k8s-ci-robot
removed
the
lgtm
|
/lgtm /hold cancel |
k8s-ci-robot
added
lgtm
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
This takes care of another big chunk of feedback from #780 as well as some of the items in #790.
Does this PR introduce a user-facing change?: