internal: Adds support for TLSRoute

[stevesloka]

Add support for TLSRoute to enable Passthrough TCP Proxying to pods via SNI.

Note: This is currently rebased from #3620 which makes the Status bits more generic. Merging that first will make this PR smaller.

Updates #3440

Signed-off-by: Steve Sloka slokas@vmware.com

[codecov]

Codecov Report

Merging #3627 (ad166f2) into main (dee6631) will decrease coverage by 0.05%.
The diff coverage is 79.56%.

❗ Current head ad166f2 differs from pull request most recent head 5feeee6. Consider uploading reports for the commit 5feeee6 to get more accurate results

@@            Coverage Diff             @@
##             main    #3627      +/-   ##
==========================================
- Coverage   76.18%   76.13%   -0.06%     
==========================================
  Files         103      103              
  Lines        7117     7185      +68     
==========================================
+ Hits         5422     5470      +48     
- Misses       1578     1596      +18     
- Partials      117      119       +2     

Impacted Files	Coverage Δ
internal/dag/cache.go	95.43% <ø> (-0.05%)	⬇️
internal/status/conditions.go	31.88% <0.00%> (-3.60%)	⬇️
internal/dag/gatewayapi_processor.go	93.52% <94.66%> (-0.37%)	⬇️
internal/envoy/v3/listener.go	98.16% <100.00%> (+<0.01%)	⬆️
internal/k8s/log.go	69.56% <0.00%> (-15.29%)	⬇️
internal/dag/httpproxy_processor.go	91.71% <0.00%> (+0.01%)	⬆️

[sunjayBhatia]

test looks good, should we leave as the original _integration version and conver to new e2e format later?

[skriss]

I can convert this one separately if necessary. PR #3665 adds code for the ingress-conformance-echo-tls fixture which is maybe what was missing for implementing this one in Go? After that merges, though, I'd love to see all new tests written in Go.

[sunjayBhatia]

how does it work if we have both no SNI an SNI together? I think Envoy will choose the most specific so they should be able to coexist

https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#config-listener-v3-filterchainmatch

For criteria that allow ranges or wildcards, the most specific value in any of the configured filter chains that matches the incoming connection is going to be used (e.g. for SNI www.example.com the most specific match would be www.example.com, then *.example.com, then *.com, then any filter chain without server_names requirements).

[stevesloka]

This is a great point, there probably should be some validation higher up across all the listeners to check that only one wildcard (e.g. '*') can exist for the same port.

Additionally, we need to validate that the same domain isn't used for both TLSRoute as well as an HTTPRoute.

[sunjayBhatia]

the docs mention that a secret is required on TLSRoutes, seems like the integration test and this one have omitted it and not made the TLS secret required?

[sunjayBhatia]

is this because this just enables passthrough TLS and not terminating and re-encrypting?

[sunjayBhatia]

what are the rules that we/upstream decided on for supporting TLS passthrough/termination and how they relate to TLSRoute/TCPRoute?

[stevesloka]

There were some discussions upstream (kubernetes-sigs/gateway-api#633 (comment)) and essentially from what I understand, TLSRoute is a passthrough TCPProxy against SNI.

If you want to terminate then route, you'd have to use TCPRoute.

@youngnick said we can't support TCPRoute so this will be a point that differs from HTTPProxy.

• HTTPProxy.TCPProxy (passthrough: true) == TLSRoute
• HTTPProxy.TCPProxy (passthrough: false) == TCPRoute

[sunjayBhatia]

I think this is all done? I think all my previous comments are resolved

[skriss]

Is this block of logic that we have for HTTPRoutes not needed for TLSRoutes?

[stevesloka]

Yup it is to satisfy the API. I think I just didn't add it yet for this PR. Is it easier to merge this with out (assuming the rest is ok), then follow up with a new PR to add that with corresponding tests?

[skriss]

OK with me

[skriss]

LGTM pending CI