diff --git a/controller/internal/translation/init_state.go b/controller/internal/translation/init_state.go index 76e97b62..36dabb40 100644 --- a/controller/internal/translation/init_state.go +++ b/controller/internal/translation/init_state.go @@ -246,10 +246,6 @@ func (s *InitState) AddPolicyForK8sGateway(policy *mosniov1.FilterPolicy, gw *gw for _, ls := range gw.Spec.Listeners { proto := mosniov1.NormalizeK8sGatewayProtocol(ls.Protocol) - if proto != "HTTP" && proto != "HTTPS" { - continue - } - scope := PolicyScopeGateway if targetRef != nil && targetRef.SectionName != nil { if ls.Name != *targetRef.SectionName { diff --git a/e2e/Makefile b/e2e/Makefile index 4229a5f3..69cb795f 100644 --- a/e2e/Makefile +++ b/e2e/Makefile @@ -35,7 +35,8 @@ helm: $(LOCALBIN) .PHONY: create-cluster create-cluster: kind kubectl $(KIND) create cluster --name htnn --image kindest/node:v$(MIN_K8S_VERSION) - $(KUBECTL) kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v$(GATEWAY_API_VERSION)" | $(KUBECTL) apply -f - + $(KUBECTL) apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v$(GATEWAY_API_VERSION)/standard-install.yaml + $(KUBECTL) apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v$(GATEWAY_API_VERSION)/experimental-install.yaml .PHONY: delete-cluster delete-cluster: kind diff --git a/e2e/base/default.yml b/e2e/base/default.yml index beb82dd2..c17b67c3 100644 --- a/e2e/base/default.yml +++ b/e2e/base/default.yml @@ -16,6 +16,12 @@ spec: hostname: "localhost" port: 10000 protocol: HTTP + - name: tcp + port: 10001 + protocol: TCP + allowedRoutes: + kinds: + - kind: TCPRoute --- apiVersion: v1 kind: Service diff --git a/e2e/htnn_controller_values.yaml b/e2e/htnn_controller_values.yaml index 72cc03e8..cd8eda96 100644 --- a/e2e/htnn_controller_values.yaml +++ b/e2e/htnn_controller_values.yaml 
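Review bot: Dropping the HTTP/HTTPS guard makes AddPolicyForK8sGateway attach a FilterPolicy to every listener protocol the Gateway declares, not only the TCP case this commit targets, so TLS and UDP listeners now reach the same code path (assuming NormalizeK8sGatewayProtocol passes them through). If the downstream translation has no handling for those protocols, a policy the user believes is bound to the listener can be silently dropped, which is fail-open for deny-style filters such as networkRBAC. Unless the rest of the function, whose body continues past this hunk, rejects unsupported protocols, I'd keep an explicit allow-list, `if proto != "HTTP" && proto != "HTTPS" && proto != "TCP" { continue }`, or at minimum record a status condition when a listener's protocol is not one policies can be translated for. A one-line comment stating which listener protocols a FilterPolicy may attach to would also help the next reader.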
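Review bot: The two `$(KUBECTL) apply -f https://...` lines fetch release manifests by a mutable tag with no integrity check, and as far as I know `experimental-install.yaml` already carries every CRD in `standard-install.yaml` (plus the experimental fields), so applying the standard bundle first is redundant and merely gets overwritten by the second apply. I'd keep only the experimental manifest and, since this runs in CI, download it to a file and verify a pinned checksum (`curl -fsSL ... -o gateway-api.yaml && sha256sum -c gateway-api.sha256`) before applying. If the CRDs grow past the last-applied-configuration annotation limit, `$(KUBECTL) apply --server-side -f ...` avoids the apply failure; worth a comment if that is why the install method changed.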
@@ -2,6 +2,7 @@ pilot: image: "htnn/controller:e2e" env: HTNN_ENABLE_LDS_PLUGIN_VIA_ECDS: "true" + PILOT_ENABLE_ALPHA_GATEWAY_API: true UNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONS: "true" UNSAFE_PILOT_ENABLE_DELTA_TEST: "true" volumes: diff --git a/e2e/pkg/suite/suite.go b/e2e/pkg/suite/suite.go index ee1abd67..4433f6b0 100644 --- a/e2e/pkg/suite/suite.go +++ b/e2e/pkg/suite/suite.go @@ -145,7 +145,8 @@ func (suite *Suite) startPortForward(t *testing.T) { cmdline := "./port-forward.sh" dests := []string{"istio-ingressgateway", "istio-ingressgateway-tcp", - "k8s-gateway-api", "k8s-gateway-api-another"} + "k8s-gateway-api", "k8s-gateway-api-tcp", + "k8s-gateway-api-another"} for _, d := range dests { forwarder := exec.Command(cmdline, d) forwarder.Stdout = os.Stdout diff --git a/e2e/port-forward.sh b/e2e/port-forward.sh index ded41335..037a4c0e 100755 --- a/e2e/port-forward.sh +++ b/e2e/port-forward.sh @@ -24,6 +24,8 @@ elif [[ "$DEST" == "istio-ingressgateway-tcp" ]]; then exec kubectl port-forward -n istio-system pod/"$(kubectl -n istio-system get pods | grep '^istio-ingressgateway' | cut -d' ' -f 1)" 18001:18001 elif [[ "$DEST" == "k8s-gateway-api" ]]; then exec kubectl port-forward -n e2e pod/"$(kubectl -n e2e get pods | grep '^default-istio' | cut -d' ' -f 1)" 10000:10000 +elif [[ "$DEST" == "k8s-gateway-api-tcp" ]]; then + exec kubectl port-forward -n e2e pod/"$(kubectl -n e2e get pods | grep '^default-istio' | cut -d' ' -f 1)" 10001:10001 else - exec kubectl port-forward -n e2e-another pod/"$(kubectl -n e2e-another get pods | grep '^default-istio' | cut -d' ' -f 1)" 10001:10000 + exec kubectl port-forward -n e2e-another pod/"$(kubectl -n e2e-another get pods | grep '^default-istio' | cut -d' ' -f 1)" 10100:10000 fi diff --git a/e2e/tests/httproute_other_namespace.go b/e2e/tests/httproute_other_namespace.go index b992d287..bae11fd1 100644 --- a/e2e/tests/httproute_other_namespace.go +++ b/e2e/tests/httproute_other_namespace.go 
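Review bot: `PILOT_ENABLE_ALPHA_GATEWAY_API: true` is a YAML boolean while every sibling entry in this `env:` map is a quoted string (`"true"`); if the chart templates these values into container `env` entries, whose `value` must be a string, the unquoted form can render an invalid manifest or a differently-typed value depending on how the template quotes it. Use `PILOT_ENABLE_ALPHA_GATEWAY_API: "true"` to match the surrounding entries. A comment such as `# presumably required for istiod to reconcile the v1alpha2 TCPRoute added in this commit` would record why the flag is being switched on.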
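Review bot: The new `k8s-gateway-api-tcp` branch copies the `kubectl get pods | grep '^default-istio' | cut -d' ' -f 1` pod lookup a fourth time; if more than one pod matches (for example during a rollout) the substitution yields a multi-line name and `port-forward` fails with a confusing error. A label selector with `-o jsonpath='{.items[0].metadata.name}'` in a small helper function would make each branch one line and fail predictably. Separately, any unrecognised `$DEST` still falls through the `else` to the `e2e-another` forward; with five destinations now, an explicit `k8s-gateway-api-another` branch plus `else echo "unknown dest $DEST" >&2; exit 1` would be safer.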
@@ -42,7 +42,7 @@ func init() { // Same host, in different gateway of different namespace tr = &http.Transport{DialContext: func(ctx context.Context, proto, addr string) (conn net.Conn, err error) { - return net.DialTimeout("tcp", ":10001", 1*time.Second) + return net.DialTimeout("tcp", ":10100", 1*time.Second) }} client = &http.Client{Transport: tr, Timeout: 10 * time.Second} rsp, err = client.Get("http://localhost:10000/echo") diff --git a/e2e/tests/policy_to_tcp_proxy.go b/e2e/tests/policy_to_tcp_proxy.go index 3756b9e2..ca577b9f 100644 --- a/e2e/tests/policy_to_tcp_proxy.go +++ b/e2e/tests/policy_to_tcp_proxy.go @@ -53,6 +53,25 @@ func init() { rsp, err := client.Get("http://default.local:18001/echo") require.NoError(t, err) require.Equal(t, 200, rsp.StatusCode) + + // Do the same with Gateway API + tr = &http.Transport{DialContext: func(ctx context.Context, proto, addr string) (conn net.Conn, err error) { + return net.DialTimeout("tcp", ":10001", 1*time.Second) + }} + client = &http.Client{Transport: tr, Timeout: 10 * time.Second} + _, err = client.Get("http://localhost:10001/echo") + require.Error(t, err) + + nsName = types.NamespacedName{Name: "policy", Namespace: k8s.DefaultNamespace} + err = c.Get(ctx, nsName, &policy) + require.NoError(t, err) + err = c.Delete(ctx, &policy) + require.NoError(t, err) + + time.Sleep(1 * time.Second) + rsp, err = client.Get("http://localhost:10001/echo") + require.NoError(t, err) + require.Equal(t, 200, rsp.StatusCode) }, }) } diff --git a/e2e/tests/policy_to_tcp_proxy.yml b/e2e/tests/policy_to_tcp_proxy.yml index e0196718..44e89e6b 100644 --- a/e2e/tests/policy_to_tcp_proxy.yml +++ b/e2e/tests/policy_to_tcp_proxy.yml @@ -1,4 +1,3 @@ -# TODO: support Gateway API apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: 
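Review bot: `require.Error(t, err)` on the first `client.Get("http://localhost:10001/echo")` accepts any failure, including a refused or not-yet-established port-forward, so the test can pass without the networkRBAC DENY ever having been applied. The denial should be distinguished from infrastructure failure, e.g. `require.NotErrorIs(t, err, syscall.ECONNREFUSED)` (an Envoy-denied connection surfaces as EOF or reset, not refused, as far as I know), which needs a `syscall` import. The fixed `time.Sleep(1 * time.Second)` after deleting the policy is a flakiness source; `require.Eventually` polling for the 200 is more robust, and the `rsp` from the final Get is never closed (`defer rsp.Body.Close()`). The enclosing function and the `nsName`/`policy` declarations it reuses start outside this hunk.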
@@ -65,3 +64,63 @@ spec: "@type": type.googleapis.com/envoy.config.rbac.v3.Action name: match-all action: ALLOW +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TCPRoute +metadata: + name: test +spec: + parentRefs: + - name: default + sectionName: tcp + rules: + - backendRefs: + - name: backend + port: 8080 +--- +apiVersion: htnn.mosn.io/v1 +kind: FilterPolicy +metadata: + name: policy +spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: default + sectionName: tcp + filters: + networkRBAC: + config: + statPrefix: network_rbac + matcher: + matcherTree: + input: + name: envoy.matching.inputs.source_ip + typedConfig: + "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput + customMatch: + name: ip-matcher + typedConfig: + "@type": type.googleapis.com/xds.type.matcher.v3.IPMatcher + rangeMatchers: + - ranges: + - addressPrefix: 127.0.0.1 + prefixLen: 32 + onMatch: + action: + name: envoy.filters.rbac.action + typedConfig: + "@type": type.googleapis.com/envoy.config.rbac.v3.Action + name: localhost + action: DENY + # match-all action + - ranges: + - addressPrefix: 0.0.0.0 + prefixLen: 0 + onMatch: + action: + name: envoy.filters.rbac.action + typedConfig: + "@type": type.googleapis.com/envoy.config.rbac.v3.Action + name: match-all + action: ALLOW
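Review bot: The DENY on `127.0.0.1/32` only proves the policy is applied because port-forwarded e2e traffic reaches the Envoy listener from the pod's own loopback, and nothing in the file says so; a comment above that range, e.g. `# port-forwarded e2e traffic arrives from pod loopback; deny it to prove the policy is in effect`, would save the next reader the deduction. The `0.0.0.0/0` fallback is IPv4-only, so a loopback connection arriving as `::1` matches neither range and its fate depends on the RBAC filter's no-match behaviour rather than on these rules; adding `::/0` beside `0.0.0.0/0` (and `::1/128` to the deny) makes the intent explicit for both families. The TCPRoute's parentRef relies on the default namespace, which is consistent with the Go test looking the policy up via `k8s.DefaultNamespace`.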