Add EgressNetwork and routes statuses
#13181
Conversation
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
zaharidichev
force-pushed
the
zd/egress-network-statuses
branch
from
ebffad9
to
90cce50
Compare
| - AllowAll | ||
| - DenyAll |
There was a problem hiding this comment.
Naming bikeshed: I think "Allow" and "Deny" are better here. I don't think the word "All" is semantically meaningful, especially considering that the behavior can be changed by matching an attached route.
i.e. the "Deny" policy doesn't deny ALL traffic, it denies traffic that doesn't match any attached routes.
charts/linkerd-crds/values.yaml
Outdated
| @@ -1 +1,3 @@ | |||
| enableHttpRoutes: true | |||
| enableTlsRoutes: true | |||
| enableTcpRoutes: true | |||
| @@ -1 +1,3 @@ | |||
| enableHttpRoutes: true | |||
| enableTlsRoutes: true | |||
There was a problem hiding this comment.
it's a little weird that enableHttpRoutes controls both the HTTPRoute and GRPCRoute CRDs but then TLSRoute and TCPRoute each get their own value. but this is probably fine, more flexibility probably doesn't hurt.
| UnknownKind, | ||
| } | ||
|
|
||
| #[derive(Clone, Eq, PartialEq)] | ||
| pub enum BackendReference { | ||
| Service(ResourceId), | ||
| EgressNetwork(ResourceId), |
There was a problem hiding this comment.
I don't think an EgressNetwork can be a backend.
There was a problem hiding this comment.
I would say an EgressNetwork has to be able to be a backend. The reason for that is that if you look at the TCPRoute and TLSRoute CRD definitions, you will notice that they mandate that there should be at least 1 rule with at least 1 backend.
If that is a requirement and a user wants to attach a TCPRoute to an EgressNetwork, then what backend would it specify explicitly? Well, it has to be the EgressNetwork itself then. And an EgressNetwork backend in our proxy world will build a Forward stack?
I would argue that... it does not make sense for a route that is attached to a Service to have an EgressNetwork backend, although I cannot come up with a strong argument apart from.. "it does not make sense to do that". But in general.. I do not see a way around having an EgressNetwork work as a backend for EgressNetwork parents.
Does that make sense?
| @@ -945,3 +1316,21 @@ fn eq_time_insensitive( | |||
| }) | |||
| }) | |||
| } | |||
|
|
|||
| fn eq_time_insensitive_conditions( | |||
There was a problem hiding this comment.
Can we use this function in the above eq_time_insensitive_route_parent_statuses to avoid repetition?
| // attach to has any routes attached that are in conflict with the one | ||
| // that we are about to attach. This is done following the logs outlined in: | ||
| // https://gateway-api.sigs.k8s.io/geps/gep-1426/#route-types | ||
| pub(super) fn parent_has_conflicting_routes<'p>( |
There was a problem hiding this comment.
TIOLI but I golfed this down a bit. Same idea but with an inline if instead of building a HashSet
pub(super) fn parent_has_conflicting_routes<'p>(
existing_routes: impl Iterator<Item = (&'p NamespaceGroupKindName, &'p RouteRef)>,
parent_ref: &routes::ParentReference,
candidate_kind: &str,
) -> bool {
let grpc_kind = k8s_gateway_api::GrpcRoute::kind(&());
let http_kind = k8s_gateway_api::HttpRoute::kind(&());
let tls_kind = k8s_gateway_api::TlsRoute::kind(&());
let tcp_kind = k8s_gateway_api::TcpRoute::kind(&());
let mut siblings = existing_routes.filter(|(_, route)| route.parents.contains(parent_ref));
siblings.any(|(id, _sibling)| {
if *candidate_kind == grpc_kind {
false
} else if *candidate_kind == http_kind {
id.gkn.kind == grpc_kind
} else if *candidate_kind == tls_kind {
id.gkn.kind == grpc_kind || id.gkn.kind == http_kind
} else if *candidate_kind == tcp_kind {
id.gkn.kind == grpc_kind || id.gkn.kind == http_kind || id.gkn.kind == tls_kind
} else {
false
}
})
}
| @@ -73,8 +91,32 @@ impl BackendReference { | |||
| namespace.to_string(), | |||
| backend_ref.name.clone(), | |||
| )) | |||
| } else if linkerd_k8s_api::httproute::backend_ref_targets_kind::< | |||
There was a problem hiding this comment.
left a more detailed comment on the matter here: #13181 (comment)
| impl EgressNetworkRef { | ||
| fn is_accepted(&self) -> bool { | ||
| self.status_conditions.iter().any(|c| { | ||
| c.type_ == conditions::ACCEPTED.to_string() |
| && l.observed_generation == r.observed_generation | ||
| && l.reason == r.reason | ||
| && l.status == r.status | ||
| && l.type_ == r.type_; |
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
| routes::BackendReference::EgressNetwork(egress_net) => { | ||
| self.egress_networks.contains_key(egress_net) | ||
| } |
There was a problem hiding this comment.
Is this where we should validate that the EgressNetwork backend must be equal to the parent?
There was a problem hiding this comment.
Yes, correct. Except for the fact that we now need to compute the backend status per parent because the backend status is dependent on the parent type. Namely, you can have an EgressNetwork parent with a Service backend but not the other way around.
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
| } | ||
| } | ||
| routes::BackendReference::EgressNetwork(egress_net) => { | ||
| println!("backend is a net"); |
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
This PR adds an
EgressNetworkCRD, which purpose is to describe networks that are external to the cluster.In addition to that it also adds
TLSRouteandTCPRoutegateway api CRDs.Most of the work in this change is focused on introducing these CRDs and correctly setting their status based on route specificity rules described in: https://gateway-api.sigs.k8s.io/geps/gep-1426/#route-types.
Notable changes include:
EgressNetworksandServiceobjectsSigned-off-by: Zahari Dichev zaharidichev@gmail.com