From ba0b4663055538dcd9175168e15d8928fbcc0fa3 Mon Sep 17 00:00:00 2001
From: Sunjay Bhatia
Date: Wed, 10 Aug 2022 16:23:09 +0000
Subject: [PATCH 1/3] internal/dag: Gateway Listeners with invalid references should have reason RefNotPermitted

See https://github.com/kubernetes-sigs/gateway-api/pull/1305

Fixes conformance test failures on main

Signed-off-by: Sunjay Bhatia
---
 internal/dag/gatewayapi_processor.go | 4 ++--
 internal/dag/status_test.go | 14 +++++++-------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/internal/dag/gatewayapi_processor.go b/internal/dag/gatewayapi_processor.go
index 6be79f24f7b..88bc03bde1f 100644
--- a/internal/dag/gatewayapi_processor.go
+++ b/internal/dag/gatewayapi_processor.go
@@ -675,7 +675,7 @@ func (p *GatewayAPIProcessor) resolveListenerSecret(certificateRefs []gatewayapi
 listenerName,
 gatewayapi_v1beta1.ListenerConditionResolvedRefs,
 metav1.ConditionFalse,
- gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef,
+ gatewayapi_v1beta1.ListenerReasonRefNotPermitted,
 fmt.Sprintf("Spec.VirtualHost.TLS.CertificateRefs %q namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant", certificateRef.Name),
 )
 return nil
@@ -695,7 +695,7 @@ func (p *GatewayAPIProcessor) resolveListenerSecret(certificateRefs []gatewayapi
 listenerName,
 gatewayapi_v1beta1.ListenerConditionResolvedRefs,
 metav1.ConditionFalse,
- gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef,
+ gatewayapi_v1beta1.ListenerReasonRefNotPermitted,
 fmt.Sprintf("Spec.VirtualHost.TLS.CertificateRefs %q referent is invalid: %s", certificateRef.Name, err),
 )
 return nil
diff --git a/internal/dag/status_test.go b/internal/dag/status_test.go
index 519ee140288..05fe172711a 100644
--- a/internal/dag/status_test.go
+++ b/internal/dag/status_test.go
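Review bot: The message on the `fmt.Sprintf` line of the first hunk still names the HTTPProxy field path `Spec.VirtualHost.TLS.CertificateRefs`, but this condition is written onto a Gateway Listener, whose field is `spec.listeners[].tls.certificateRefs`, so an operator reading the Listener status is pointed at a field that does not exist on a Gateway. Since `listenerName` is already passed two lines above, the message can name the listener and the real field, e.g. `fmt.Sprintf("Listener %q TLS.CertificateRefs %q namespace must match the Gateway's namespace or be covered by a ReferenceGrant", listenerName, certificateRef.Name)` (ReferencePolicy was renamed to ReferenceGrant, so the old name adds nothing), with the expected Message strings in status_test.go updated to match; this assumes listenerName is a string-typed value, which the hunk does not show. Including the referenced namespace in the message would also help an operator confirm which ReferenceGrant is missing, assuming certificateRef carries one. resolveListenerSecret's body starts and ends outside the hunk.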
@@ -3871,7 +3871,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
 },
 },
@@ -4015,7 +4015,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
 },
 },
@@ -4103,7 +4103,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
 },
 },
@@ -4191,7 +4191,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
 },
 },
@@ -4279,7 +4279,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
 },
 },
@@ -4368,7 +4368,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
 },
 },
@@ -5616,7 +5616,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"nonexistent-secret\" referent is invalid: Secret not found",
 },
 },

From 38bd3578476dc5b57c04ee702b7a2a260590b20f Mon Sep 17 00:00:00 2001
From: Sunjay Bhatia
Date: Wed, 24 Aug 2022 16:48:43 +0000
Subject: [PATCH 2/3] Changes from gateway-api #1334

Signed-off-by: Sunjay Bhatia
---
 internal/dag/gatewayapi_processor.go | 2 +-
 internal/dag/status_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/dag/gatewayapi_processor.go b/internal/dag/gatewayapi_processor.go
index 88bc03bde1f..26445238d72 100644
--- a/internal/dag/gatewayapi_processor.go
+++ b/internal/dag/gatewayapi_processor.go
@@ -695,7 +695,7 @@ func (p *GatewayAPIProcessor) resolveListenerSecret(certificateRefs []gatewayapi
 listenerName,
 gatewayapi_v1beta1.ListenerConditionResolvedRefs,
 metav1.ConditionFalse,
- gatewayapi_v1beta1.ListenerReasonRefNotPermitted,
+ gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef,
 fmt.Sprintf("Spec.VirtualHost.TLS.CertificateRefs %q referent is invalid: %s", certificateRef.Name, err),
 )
 return nil
diff --git a/internal/dag/status_test.go b/internal/dag/status_test.go
index 05fe172711a..6c34dee32a3 100644
--- a/internal/dag/status_test.go
+++ b/internal/dag/status_test.go
@@ -5616,7 +5616,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"nonexistent-secret\" referent is invalid: Secret not found",
 },
 },

From 8115d990cc5cf429e4e5e66dc54b6e1a320bef2a Mon Sep 17 00:00:00 2001
From: Sunjay Bhatia
Date: Wed, 24 Aug 2022 18:19:08 +0000
Subject: [PATCH 3/3] changelog

Signed-off-by: Sunjay Bhatia
---
 changelogs/unreleased/4664-sunjayBhatia-small.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelogs/unreleased/4664-sunjayBhatia-small.md

diff --git a/changelogs/unreleased/4664-sunjayBhatia-small.md b/changelogs/unreleased/4664-sunjayBhatia-small.md
new file mode 100644
index 00000000000..c8bc8e34547
--- /dev/null
+++ b/changelogs/unreleased/4664-sunjayBhatia-small.md
@@ -0,0 +1 @@
+Gateway Listeners with Secret references whose namespace is not covered by a ReferenceGrant should have their status reason set to RefNotPermitted.
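Review bot: The reason on this branch has now been flipped twice in the series (InvalidCertificateRef → RefNotPermitted → InvalidCertificateRef) and nothing in the code records why it differs from the branch at line 675, which makes the next refactor likely to conflate them again; a comment above the condition call would pin the distinction: `// RefNotPermitted is reserved for the cross-namespace check above (no covering ReferenceGrant);` `// a ref that is permitted but does not resolve to a usable TLS Secret is InvalidCertificateRef.` The `%s` with `err` also copies the raw resolver error into Gateway status, which is fine for the "Secret not found" text the test pins, but worth confirming the resolver's errors never include Secret contents, since Listener status is readable by anyone who can read the Gateway. resolveListenerSecret's body starts and ends outside the hunk.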