Commit 924252b

authored

Add OverlappingTLSConfig condition (#3709)

* Add OverlappingTLSConfig condition * Add test for HTTP and HTTPS listeners with same hostname and port

1 parent e8083f7 commit 924252bCopy full SHA for 924252b

File tree

5 files changed

+400

-9

lines changed

internal/controller
- state
  - conditions
    - conditions.go
  - graph
- status
  - prepare_requests.go

5 files changed

+400

-9

lines changed

`‎internal/controller/state/conditions/conditions.go‎`

Lines changed: 38 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,11 @@ const (`
`29`	`29`	`ListenerMessageFailedNginxReload = "The Listener is not programmed due to a failure to " +`
`30`	`30`	`"reload nginx with the configuration"`
`31`	`31`
	`32`	`+ // ListenerMessageOverlappingHostnames is a message used with the "OverlappingTLSConfig" condition when the`
	`33`	`+ // condition is true due to overlapping hostnames.`
	`34`	`+ ListenerMessageOverlappingHostnames = "Listener hostname overlaps with hostname(s) of other Listener(s) " +`
	`35`	`+ "on the same port"`
	`36`	`+`
`32`	`37`	`// RouteReasonBackendRefUnsupportedValue is used with the "ResolvedRefs" condition when one of the`
`33`	`38`	`// Route rules has a backendRef with an unsupported value.`
`34`	`39`	`RouteReasonBackendRefUnsupportedValue v1.RouteConditionReason = "UnsupportedValue"`
`@@ -501,13 +506,32 @@ func NewRouteResolvedRefsInvalidFilter(msg string) Condition {`
`501`	`506`	`}`
`502`	`507`
`503`	`508`	`// NewDefaultListenerConditions returns the default Conditions that must be present in the status of a Listener.`
`504`		`-func NewDefaultListenerConditions() []Condition {`
`505`		`- return []Condition{`
	`509`	`+// If existingConditions contains conflict-related conditions (like OverlappingTLSConfig or Conflicted),`
	`510`	`+// the NoConflicts condition is excluded to avoid conflicting condition states.`
	`511`	`+func NewDefaultListenerConditions(existingConditions []Condition) []Condition {`
	`512`	`+ defaultConds := []Condition{`
`506`	`513`	`NewListenerAccepted(),`
`507`	`514`	`NewListenerProgrammed(),`
`508`	`515`	`NewListenerResolvedRefs(),`
`509`		`- NewListenerNoConflicts(),`
`510`	`516`	`}`
	`517`	`+`
	`518`	`+ // Only add NoConflicts condition if there are no existing conflict-related conditions`
	`519`	`+ if !hasConflictConditions(existingConditions) {`
	`520`	`+ defaultConds = append(defaultConds, NewListenerNoConflicts())`
	`521`	`+ }`
	`522`	`+`
	`523`	`+ return defaultConds`
	`524`	`+}`
	`525`	`+`
	`526`	`+// hasConflictConditions checks if the listener has any conflict-related conditions.`
	`527`	`+func hasConflictConditions(conditions []Condition) bool {`
	`528`	`+ for _, cond := range conditions {`
	`529`	`+ if cond.Type == string(v1.ListenerConditionConflicted) \|\|`
	`530`	`+ cond.Type == string(v1.ListenerConditionOverlappingTLSConfig) {`
	`531`	`+ return true`
	`532`	`+ }`
	`533`	`+ }`
	`534`	`+ return false`
`511`	`535`	`}`
`512`	`536`
`513`	`537`	`// NewListenerAccepted returns a Condition that indicates that the Listener is accepted.`
`@@ -681,6 +705,17 @@ func NewListenerRefNotPermitted(msg string) []Condition {`
`681`	`705`	`}`
`682`	`706`	`}`
`683`	`707`
	`708`	`+// NewListenerOverlappingTLSConfig returns a Condition that indicates overlapping TLS configuration`
	`709`	`+// between Listeners on the same port.`
	`710`	`+func NewListenerOverlappingTLSConfig(reason v1.ListenerConditionReason, msg string) Condition {`
	`711`	`+ return Condition{`
	`712`	`+ Type: string(v1.ListenerConditionOverlappingTLSConfig),`
	`713`	`+ Status: metav1.ConditionTrue,`
	`714`	`+ Reason: string(reason),`
	`715`	`+ Message: msg,`
	`716`	`+ }`
	`717`	`+}`
	`718`	`+`
`684`	`719`	`// NewGatewayClassResolvedRefs returns a Condition that indicates that the parametersRef`
`685`	`720`	`// on the GatewayClass is resolved.`
`686`	`721`	`func NewGatewayClassResolvedRefs() Condition {`

`‎internal/controller/state/graph/gateway_listener.go‎`

Lines changed: 38 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,7 @@ func newListenerConfiguratorFactory(`
`89`	`89`	`protectedPorts ProtectedPorts,`
`90`	`90`	`) *listenerConfiguratorFactory {`
`91`	`91`	`sharedPortConflictResolver := createPortConflictResolver()`
	`92`	`+ sharedOverlappingTLSConfigResolver := createOverlappingTLSConfigResolver()`
`92`	`93`
`93`	`94`	`return &listenerConfiguratorFactory{`
`94`	`95`	`unsupportedProtocol: &listenerConfigurator{`
`@@ -123,6 +124,7 @@ func newListenerConfiguratorFactory(`
`123`	`124`	`},`
`124`	`125`	`conflictResolvers: []listenerConflictResolver{`
`125`	`126`	`sharedPortConflictResolver,`
	`127`	`+ sharedOverlappingTLSConfigResolver,`
`126`	`128`	`},`
`127`	`129`	`externalReferenceResolvers: []listenerExternalReferenceResolver{`
`128`	`130`	`createExternalReferencesForTLSSecretsResolver(gw.Namespace, secretResolver, refGrantResolver),`
`@@ -137,6 +139,7 @@ func newListenerConfiguratorFactory(`
`137`	`139`	`},`
`138`	`140`	`conflictResolvers: []listenerConflictResolver{`
`139`	`141`	`sharedPortConflictResolver,`
	`142`	`+ sharedOverlappingTLSConfigResolver,`
`140`	`143`	`},`
`141`	`144`	`externalReferenceResolvers: []listenerExternalReferenceResolver{},`
`142`	`145`	`},`
`@@ -591,3 +594,38 @@ func haveOverlap(hostname1, hostname2 *v1.Hostname) bool {`
`591`	`594`	`}`
`592`	`595`	`return matchesWildcard(h1, h2)`
`593`	`596`	`}`
	`597`	`+`
	`598`	`+func createOverlappingTLSConfigResolver() listenerConflictResolver {`
	`599`	`+ listenersByPort := make(map[v1.PortNumber][]*Listener)`
	`600`	`+`
	`601`	`+ return func(l *Listener) {`
	`602`	`+ port := l.Source.Port`
	`603`	`+`
	`604`	`+ // Only check TLS-enabled listeners (HTTPS/TLS)`
	`605`	`+ if l.Source.Protocol != v1.HTTPSProtocolType && l.Source.Protocol != v1.TLSProtocolType {`
	`606`	`+ return`
	`607`	`+ }`
	`608`	`+`
	`609`	`+ // Check for overlaps with existing listeners on this port`
	`610`	`+ for _, existingListener := range listenersByPort[port] {`
	`611`	`+ // Only check against other TLS-enabled listeners`
	`612`	`+ if existingListener.Source.Protocol != v1.HTTPSProtocolType &&`
	`613`	`+ existingListener.Source.Protocol != v1.TLSProtocolType {`
	`614`	`+ continue`
	`615`	`+ }`
	`616`	`+`
	`617`	`+ // Check for hostname overlap`
	`618`	`+ if haveOverlap(l.Source.Hostname, existingListener.Source.Hostname) {`
	`619`	`+ // Set condition on both listeners`
	`620`	`+ cond := conditions.NewListenerOverlappingTLSConfig(`
	`621`	`+ v1.ListenerReasonOverlappingHostnames,`
	`622`	`+ conditions.ListenerMessageOverlappingHostnames,`
	`623`	`+ )`
	`624`	`+ l.Conditions = append(l.Conditions, cond)`
	`625`	`+ existingListener.Conditions = append(existingListener.Conditions, cond)`
	`626`	`+ }`
	`627`	`+ }`
	`628`	`+`
	`629`	`+ listenersByPort[port] = append(listenersByPort[port], l)`
	`630`	`+ }`
	`631`	`+}`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 924252b

File tree

5 files changed

5 files changed

`‎internal/controller/state/conditions/conditions.go‎`

`‎internal/controller/state/graph/gateway_listener.go‎`

0 commit comments