Merge branch 'main' into NET-5272/add-docs-team-for-code-review

hashicorp · Aug 15, 2024 · bc1c1f9 · bc1c1f9
2 parents 14a5b77 + a7479a9
commit bc1c1f9
Show file tree

Hide file tree

Showing 10 changed files with 42 additions and 2 deletions.
diff --git a/.changelog/4247.txt b/.changelog/4247.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: fix nil pointer deref bug when the section name in a gateway policy is not specified
+```
diff --git a/acceptance/tests/consul-dns/coredns-original.yaml b/acceptance/tests/consul-dns/coredns-original.yaml
@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 apiVersion: v1
 data:
   Corefile: |

diff --git a/acceptance/tests/consul-dns/coredns-template.yaml b/acceptance/tests/consul-dns/coredns-template.yaml
@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 apiVersion: v1
 data:
   Corefile: |

diff --git a/acceptance/tests/fixtures/cases/terminating-gateway-destinations/terminating-gateway.yaml b/acceptance/tests/fixtures/cases/terminating-gateway-destinations/terminating-gateway.yaml
@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 apiVersion: consul.hashicorp.com/v1alpha1
 kind: TerminatingGateway
 metadata:

diff --git a/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/external-service.yaml b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/external-service.yaml
@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 apiVersion: consul.hashicorp.com/v1alpha1
 kind: Registration
 metadata:

diff --git a/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/terminating-gateway.yaml b/acceptance/tests/fixtures/cases/terminating-gateway-namespaces/terminating-gateway.yaml
@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 apiVersion: consul.hashicorp.com/v1alpha1
 kind: TerminatingGateway
 metadata:

diff --git a/acceptance/tests/fixtures/cases/terminating-gateway/external-service.yaml b/acceptance/tests/fixtures/cases/terminating-gateway/external-service.yaml
@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 apiVersion: consul.hashicorp.com/v1alpha1
 kind: Registration
 metadata:

diff --git a/acceptance/tests/fixtures/cases/terminating-gateway/terminating-gateway.yaml b/acceptance/tests/fixtures/cases/terminating-gateway/terminating-gateway.yaml
@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 apiVersion: consul.hashicorp.com/v1alpha1
 kind: TerminatingGateway
 metadata:

diff --git a/control-plane/api-gateway/binding/validation.go b/control-plane/api-gateway/binding/validation.go
@@ -166,6 +166,13 @@ func validateGateway(gateway gwv1beta1.Gateway, pods []corev1.Pod, consulGateway
 	return result
 }
 
+func stringOrEmtpy(s *gwv1beta1.SectionName) string {
+	if s == nil {
+		return ""
+	}
+	return string(*s)
+}
+
 func validateGatewayPolicies(gateway gwv1beta1.Gateway, policies []v1alpha1.GatewayPolicy, resources *common.ResourceMap) gatewayPolicyValidationResults {
 	results := make(gatewayPolicyValidationResults, 0, len(policies))
 
@@ -176,7 +183,7 @@ func validateGatewayPolicies(gateway gwv1beta1.Gateway, policies []v1alpha1.Gate
 
 		exists := listenerExistsForPolicy(gateway, policy)
 		if !exists {
-			result.resolvedRefsErrs = append(result.resolvedRefsErrs, errorForMissingListener(policy.Spec.TargetRef.Name, string(*policy.Spec.TargetRef.SectionName)))
+			result.resolvedRefsErrs = append(result.resolvedRefsErrs, errorForMissingListener(policy.Spec.TargetRef.Name, stringOrEmtpy(policy.Spec.TargetRef.SectionName)))
 		}
 
 		missingJWTProviders := make(map[string]struct{})
@@ -212,6 +219,10 @@ func validateGatewayPolicies(gateway gwv1beta1.Gateway, policies []v1alpha1.Gate
 }
 
 func listenerExistsForPolicy(gateway gwv1beta1.Gateway, policy v1alpha1.GatewayPolicy) bool {
+	if policy.Spec.TargetRef.SectionName == nil {
+		return false
+	}
+
 	return gateway.Name == policy.Spec.TargetRef.Name &&
 		slices.ContainsFunc(gateway.Spec.Listeners, func(l gwv1beta1.Listener) bool { return l.Name == *policy.Spec.TargetRef.SectionName })
 }

diff --git a/hack/copy-crds-to-chart/main.go b/hack/copy-crds-to-chart/main.go
@@ -69,7 +69,12 @@ func realMain(helmPath string) error {
 				// Add {{- if and .Values.connectInject.enabled .Values.global.peering.enabled  }} {{- end }} wrapper.
 				contents = fmt.Sprintf("{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }}\n%s{{- end }}\n", contents)
 			} else if dir == "external" {
-				contents = fmt.Sprintf("{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }}\n%s{{- end }}\n", contents)
+				// TCP Route is special, as it isn't installed onto GKE Autopilot, so it needs to have the option for `manageNonStandardCRDs`.
+				if info.Name() == "tcproutes.gateway.networking.k8s.io.yaml" {
+					contents = fmt.Sprintf("{{- if and .Values.connectInject.enabled (or .Values.connectInject.apiGateway.manageExternalCRDs .Values.connectInject.apiGateway.manageNonStandardCRDs ) }}\n%s{{- end }}\n", contents)
+				} else {
+					contents = fmt.Sprintf("{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }}\n%s{{- end }}\n", contents)
+				}
 			} else {
 				// Add {{- if .Values.connectInject.enabled }} {{- end }} wrapper.
 				contents = fmt.Sprintf("{{- if .Values.connectInject.enabled }}\n%s{{- end }}\n", contents)