Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AllowedRoutes support for Listeners #721

Merged
merged 7 commits into from
Jun 9, 2023
Merged

AllowedRoutes support for Listeners #721

merged 7 commits into from
Jun 9, 2023
+960 −64

Conversation

sjberman
Copy link
Contributor

@sjberman sjberman commented Jun 6, 2023

Problem: As a Cluster Admin I want to restrict what elements of my system have access to Gateway ingress, I want to create predictable isolation across GatewayClasses and dataplanes, I want to help App Devs by restricting Route binding so they see predictable attachments and not unintentional or unexpected traffic routing.

Conversely, I want to allow App Devs in different organizations access to my Gateway controller by specifying All namespaces, a selection, or only same namespaces are supported.

Solution: Add support for specifying AllowedRoutes in Listeners. A user can now allow/disallow routes based on namespace. Either all namespaces, same namespace, or label selectors can be used to determine which routes are allowed.

Testing: Manually verified adding/removing labels to namespaces triggers updates and sets the status properly.

Closes #475

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@sjberman sjberman requested a review from a team as a code owner June 6, 2023 19:41
@github-actions github-actions bot added documentation Improvements or additions to documentation enhancement New feature or request labels Jun 6, 2023
kate-osborn
kate-osborn requested changes Jun 6, 2023
View reviewed changes
internal/state/graph/gateway_listener.go Show resolved Hide resolved
internal/state/graph/gateway_listener.go Show resolved Hide resolved
internal/state/graph/gateway_listener.go Outdated Show resolved Hide resolved
internal/state/graph/httproute.go Outdated Show resolved Hide resolved
internal/state/graph/httproute.go Outdated Show resolved Hide resolved
internal/state/graph/httproute.go Outdated Show resolved Hide resolved
internal/state/relationship/capturer.go Outdated Show resolved Hide resolved
internal/state/relationship/capturer.go Outdated Show resolved Hide resolved
internal/state/relationship/capturer_test.go Outdated Show resolved Hide resolved
pleshakov
pleshakov suggested changes Jun 6, 2023
View reviewed changes
internal/state/change_processor_test.go Outdated Show resolved Hide resolved
internal/state/graph/gateway_listener.go Outdated Show resolved Hide resolved
internal/state/graph/gateway_listener.go Outdated Show resolved Hide resolved
internal/state/graph/httproute.go Outdated Show resolved Hide resolved
internal/state/relationship/capturer.go Show resolved Hide resolved
internal/state/relationship/capturer.go Outdated Show resolved Hide resolved
internal/state/relationship/capturer.go Outdated Show resolved Hide resolved
@sjberman
Copy link
Contributor Author

sjberman commented Jun 8, 2023

https://gateway-api.sigs.k8s.io/guides/multiple-ns/ has a pretty good description of the use case and examples of using this functionality, so I don't think we need to rewrite that with our own example.

pleshakov
pleshakov suggested changes Jun 8, 2023
View reviewed changes
internal/state/graph/gateway_test.go Show resolved Hide resolved
internal/state/graph/httproute.go Outdated Show resolved Hide resolved
internal/state/graph/httproute_test.go Outdated Show resolved Hide resolved
internal/state/relationship/capturer.go Outdated Show resolved Hide resolved
internal/state/relationship/capturer.go Outdated Show resolved Hide resolved
internal/state/relationship/capturer.go Outdated Show resolved Hide resolved
internal/state/relationship/capturer.go Outdated Show resolved Hide resolved
internal/state/relationship/capturer.go Outdated Show resolved Hide resolved
@sjberman sjberman requested a review from pleshakov June 9, 2023 17:09
@sjberman
AllowedRoutes support for Listeners
3a28988 
Add support for specifying AllowedRoutes in Listeners. A user can now allow/disallow routes based on namespace. Either all namespaces, same namespace, or label selectors can be used to determine which routes are allowed.
@sjberman
Address code review
b8c627d
@sjberman
Code review round 2
7d59bf9
@sjberman
Add selector validation
5ba11d3
@sjberman
Remove new function, use existing function for relationships
c606ad5
@sjberman
Cleanup capturer; add test
de18137
@sjberman
move namespace func closer to definition
746bf67
@sjberman sjberman requested a review from pleshakov June 9, 2023 20:27
@sjberman sjberman merged commit b37c6dd into nginxinc:main Jun 9, 2023
@sjberman sjberman deleted the feature/allowed-routes branch June 9, 2023 20:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kate-osborn kate-osborn kate-osborn approved these changes

@pleshakov pleshakov pleshakov approved these changes

Assignees
No one assigned
Labels
documentation Improvements or additions to documentation enhancement New feature or request
Projects
NGINX Gateway Fabric
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Core API: AllowedRoutes
3 participants
@sjberman @pleshakov @kate-osborn