fix(gateway-api): verify TLS/TCPRoute is accepted before pushing to Gateway #3226
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
czeslavo
had a problem deploying
to
Configure ci
GitHub Actions
Failure
czeslavo
added
area/gateway-api
5 tasks
pmalek
approved these changes
Dec 8, 2022
|
As for the UDP issue: I'm personally in favor of postponing this (unless we have a strong desire to include this in 2.8). Reason being that the fix might take some time and be more involved (although I can be convinced otherwise). |
Yup, I also think that will be the most reasonable approach. Adding the UDP publish service, adapting helm charts for that and testing properly might take some time. |
4 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Fixes lack of verifying if TLS/TCPRoutes are accepted by the Gateway before proceeding with provisioning. It effectively enables GEP-957 port matching for them -- without that even when a Route doesn't match any Listener, it will be provisioned in Kong Gateway, which is incorrect.
It also improves populating
ListenerStatus.SupportedKindsby deriving kinds from listener's protocol orAllowedRoutes.Kinds.Which issue this PR fixes:
Part of #2709.
Special notes for your reviewer:
UDPRoute is left with no modifications due to a lack of possibility to specify two separate publish services for TCP and UDP (see #2544), which is blocking passing the existing integration tests. The default "publish service" (
ingress-controller-kong-proxyLoadBalancer) exposes all its ports as TCP ones (including the9999which is meant to be UDP). Due to that, it falls into this case where Listener is marked as not ready due to a missingUDPport.We may decide to:
ingress-controller-kong-udpLoadBalancer as its Unmanaged Gateway publish service,PR Readiness Checklist:
Complete these before marking the PR as
ready to review:CHANGELOG.mdrelease notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR