Merge pull request #4625 from zac-nixon/main

[Gateway API] ListenerSet Loader

Author: k8s-ci-robot

pkg/gateway/routeutils/attachment_helper.go

@@ -0,0 +1,57 @@
+package routeutils
+
+import (
+	"context"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// doesResourceAttachToGateway checks if a target resource (route, listenerset) wishes to connect to the gateway.
+// this is done by following Gateway API conventions on the parent reference found within target resource.
+func doesResourceAttachToGateway(parentRef gwv1.ParentReference, resourceNamespace string, gw gwv1.Gateway) bool {
+	// Default for kind is Gateway.
+	if parentRef.Kind != nil && *parentRef.Kind != gatewayKind {
+		return false
+	}
+
+	var namespaceToCompare string
+
+	if parentRef.Namespace != nil {
+		namespaceToCompare = string(*parentRef.Namespace)
+	} else {
+		namespaceToCompare = resourceNamespace
+	}
+
+	nameCheck := string(parentRef.Name) == gw.Name
+	nsCheck := gw.Namespace == namespaceToCompare
+	return nameCheck && nsCheck
+}
+
+func doesResourceAllowNamespace(ctx context.Context, fromNamespaces gwv1.FromNamespaces, labelSelector *metav1.LabelSelector, nsSelector namespaceSelector, resourceNamespace string, gw gwv1.Gateway) (bool, error) {
+	switch fromNamespaces {
+	case gwv1.NamespacesFromNone:
+		return false, nil
+	case gwv1.NamespacesFromSame:
+		return gw.Namespace == resourceNamespace, nil
+	case gwv1.NamespacesFromAll:
+		return true, nil
+	case gwv1.NamespacesFromSelector:
+		if labelSelector == nil {
+			return false, nil
+		}
+		// This should be executed off the client-go cache, hence we do not need to perform local caching.
+		namespaces, err := nsSelector.getNamespacesFromSelector(ctx, labelSelector)
+		if err != nil {
+			return false, err
+		}
+
+		if !namespaces.Has(resourceNamespace) {
+			return false, nil
+		}
+		return true, nil
+	default:
+		// Unclear what to do in this case, we'll just filter out this route.
+		return false, nil
+	}
+}

pkg/gateway/routeutils/attachment_helper_test.go

@@ -0,0 +1,254 @@
+package routeutils
+
+import (
+	"context"
+	"testing"
+
+	awssdk "github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/pkg/errors"
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+func Test_doesResourceAttachToGateway(t *testing.T) {
+	testCases := []struct {
+		name              string
+		parentRef         gwv1.ParentReference
+		resourceNamespace string
+		gw                gwv1.Gateway
+		expected          bool
+	}{
+		{
+			name: "nil kind defaults to Gateway, matching name and namespace",
+			parentRef: gwv1.ParentReference{
+				Name: "my-gw",
+			},
+			resourceNamespace: "ns1",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-gw",
+					Namespace: "ns1",
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "explicit Gateway kind, matching name and explicit namespace",
+			parentRef: gwv1.ParentReference{
+				Name:      "my-gw",
+				Kind:      (*gwv1.Kind)(awssdk.String("Gateway")),
+				Namespace: (*gwv1.Namespace)(awssdk.String("ns1")),
+			},
+			resourceNamespace: "other-ns",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-gw",
+					Namespace: "ns1",
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "non-Gateway kind returns false",
+			parentRef: gwv1.ParentReference{
+				Name: "my-gw",
+				Kind: (*gwv1.Kind)(awssdk.String("Service")),
+			},
+			resourceNamespace: "ns1",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-gw",
+					Namespace: "ns1",
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "name mismatch returns false",
+			parentRef: gwv1.ParentReference{
+				Name: "other-gw",
+			},
+			resourceNamespace: "ns1",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-gw",
+					Namespace: "ns1",
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "namespace mismatch via explicit namespace returns false",
+			parentRef: gwv1.ParentReference{
+				Name:      "my-gw",
+				Namespace: (*gwv1.Namespace)(awssdk.String("ns2")),
+			},
+			resourceNamespace: "ns1",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-gw",
+					Namespace: "ns1",
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "namespace mismatch via resource namespace returns false",
+			parentRef: gwv1.ParentReference{
+				Name: "my-gw",
+			},
+			resourceNamespace: "ns2",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-gw",
+					Namespace: "ns1",
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "nil kind with explicit namespace matching",
+			parentRef: gwv1.ParentReference{
+				Name:      "my-gw",
+				Namespace: (*gwv1.Namespace)(awssdk.String("ns1")),
+			},
+			resourceNamespace: "different-ns",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-gw",
+					Namespace: "ns1",
+				},
+			},
+			expected: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := doesResourceAttachToGateway(tc.parentRef, tc.resourceNamespace, tc.gw)
+			assert.Equal(t, tc.expected, result)
+		})
+	}
+}
+
+func Test_doesResourceAllowNamespace(t *testing.T) {
+	testCases := []struct {
+		name              string
+		fromNamespaces    gwv1.FromNamespaces
+		labelSelector     *metav1.LabelSelector
+		nsSelector        namespaceSelector
+		resourceNamespace string
+		gw                gwv1.Gateway
+		expected          bool
+		expectErr         bool
+	}{
+		{
+			name:              "NamespacesFromNone returns false",
+			fromNamespaces:    gwv1.NamespacesFromNone,
+			resourceNamespace: "ns1",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "ns1"},
+			},
+			expected: false,
+		},
+		{
+			name:              "NamespacesFromSame with same namespace returns true",
+			fromNamespaces:    gwv1.NamespacesFromSame,
+			resourceNamespace: "ns1",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "ns1"},
+			},
+			expected: true,
+		},
+		{
+			name:              "NamespacesFromSame with different namespace returns false",
+			fromNamespaces:    gwv1.NamespacesFromSame,
+			resourceNamespace: "ns2",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "ns1"},
+			},
+			expected: false,
+		},
+		{
+			name:              "NamespacesFromAll returns true",
+			fromNamespaces:    gwv1.NamespacesFromAll,
+			resourceNamespace: "any-ns",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "ns1"},
+			},
+			expected: true,
+		},
+		{
+			name:              "NamespacesFromSelector with nil selector returns false",
+			fromNamespaces:    gwv1.NamespacesFromSelector,
+			labelSelector:     nil,
+			resourceNamespace: "ns1",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "ns1"},
+			},
+			expected: false,
+		},
+		{
+			name:           "NamespacesFromSelector with matching namespace returns true",
+			fromNamespaces: gwv1.NamespacesFromSelector,
+			labelSelector:  &metav1.LabelSelector{},
+			nsSelector: &mockNamespaceSelector{
+				nss: sets.New("ns1", "ns3"),
+			},
+			resourceNamespace: "ns1",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "gw-ns"},
+			},
+			expected: true,
+		},
+		{
+			name:           "NamespacesFromSelector with non-matching namespace returns false",
+			fromNamespaces: gwv1.NamespacesFromSelector,
+			labelSelector:  &metav1.LabelSelector{},
+			nsSelector: &mockNamespaceSelector{
+				nss: sets.New("ns3", "ns5"),
+			},
+			resourceNamespace: "ns1",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "gw-ns"},
+			},
+			expected: false,
+		},
+		{
+			name:           "NamespacesFromSelector with error returns error",
+			fromNamespaces: gwv1.NamespacesFromSelector,
+			labelSelector:  &metav1.LabelSelector{},
+			nsSelector: &mockNamespaceSelector{
+				err: errors.New("k8s error"),
+			},
+			resourceNamespace: "ns1",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "gw-ns"},
+			},
+			expectErr: true,
+		},
+		{
+			name:              "unknown FromNamespaces value returns false",
+			fromNamespaces:    gwv1.FromNamespaces("Unknown"),
+			resourceNamespace: "ns1",
+			gw: gwv1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "ns1"},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result, err := doesResourceAllowNamespace(context.Background(), tc.fromNamespaces, tc.labelSelector, tc.nsSelector, tc.resourceNamespace, tc.gw)
+			if tc.expectErr {
+				assert.Error(t, err)
+				return
+			}
+			assert.NoError(t, err)
+			assert.Equal(t, tc.expected, result)
+		})
+	}
+}

pkg/gateway/routeutils/listener_attachment_helper.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -87,38 +88,14 @@ func (attachmentHelper *listenerAttachmentHelperImpl) listenerAllowsAttachment(c
 // and route to determine compatibility.
 func (attachmentHelper *listenerAttachmentHelperImpl) namespaceCheck(ctx context.Context, gw gwv1.Gateway, listener gwv1.Listener, route preLoadRouteDescriptor) (bool, error) {
 	var allowedNamespaces gwv1.FromNamespaces
-
+	var labelSelector *metav1.LabelSelector
 	if listener.AllowedRoutes == nil || listener.AllowedRoutes.Namespaces == nil || listener.AllowedRoutes.Namespaces.From == nil {
 		allowedNamespaces = gwv1.NamespacesFromSame
 	} else {
 		allowedNamespaces = *listener.AllowedRoutes.Namespaces.From
+		labelSelector = listener.AllowedRoutes.Namespaces.Selector
 	}
-
-	namespacedName := route.GetRouteNamespacedName()
-
-	switch allowedNamespaces {
-	case gwv1.NamespacesFromSame:
-		return gw.Namespace == namespacedName.Namespace, nil
-	case gwv1.NamespacesFromAll:
-		return true, nil
-	case gwv1.NamespacesFromSelector:
-		if listener.AllowedRoutes.Namespaces.Selector == nil {
-			return false, nil
-		}
-		// This should be executed off the client-go cache, hence we do not need to perform local caching.
-		namespaces, err := attachmentHelper.namespaceSelector.getNamespacesFromSelector(ctx, listener.AllowedRoutes.Namespaces.Selector)
-		if err != nil {
-			return false, err
-		}
-
-		if !namespaces.Has(namespacedName.Namespace) {
-			return false, nil
-		}
-		return true, nil
-	default:
-		// Unclear what to do in this case, we'll just filter out this route.
-		return false, nil
-	}
+	return doesResourceAllowNamespace(ctx, allowedNamespaces, labelSelector, attachmentHelper.namespaceSelector, route.GetRouteNamespacedName().Namespace, gw)
 }
 
 // kindCheck kind check implements the Gateway API spec for kindCheck matching between listener