gateway-api: Ensure hostname check when set on both the HTTPRoute and the Gateway Listener

[cjvirtucio87]

Description

This PR ensures that the gateway_checks code for the operator respects the hostname field, when it is set on both the HTTPRoute and the Gateway listener. Per the text of kubectl explain gateway.spec.listeners.hostname:

     For HTTPRoute and TLSRoute resources, there is an interaction with the
    `spec.hostnames` array. When both listener and route specify hostnames,
    there MUST be an intersection between the values for a Route to be accepted.

Contribution Text

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Are you a user of Cilium? Please add yourself to the Users doc
• Thanks for contributing!

Fixes: #30685

gateway-api: Ensure hostname check when set on both the HTTPRoute and the Gateway Listener

[maintainer-s-little-helper]

Commit 72eb9e8 does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[maintainer-s-little-helper]

Commits 72eb9e8, 9813250 do not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[maintainer-s-little-helper]

Commits 72eb9e8, 9813250, df2aa76 do not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[maintainer-s-little-helper]

Commit fef4274 does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[sayboras]

Thanks for your PR, I vaguely remembered that we have similar checks, let me double-check and get back to you.

[sayboras]

👋

We are having the below check to compute the overlapping host name, so I think better to update this function if you see there is any gap/discrepancy. Thanks

https://github.com/cilium/cilium/blob/main/operator/pkg/gateway-api/routechecks/gateway_checks.go#L146

[cjvirtucio87]

👋

We are having the below check to compute the overlapping host name, so I think better to update this function if you see there is any gap/discrepancy. Thanks

https://github.com/cilium/cilium/blob/main/operator/pkg/gateway-api/routechecks/gateway_checks.go#L146

hi, @sayboras , thanks for giving this a look. I think the matching hostnames validator is only tangentially related. this is about matching the right listener to the HTTPRoute while its gateway reference is being validated for the namespace restriction. currently, the gateway namespace validator matches the HTTPRoute with the first listener to have a NamespacesFromSelector, and will then immediately fail-close because the wrong listener's namespace selector is used.

is the intention to let the hostnames validator function be the sole gatekeeper for the hostname-matching logic? if so, maybe the NamespacesFromSelector check should fail-open, instead. that way, it can run through all the listeners' namespace selectors, and if none of them match, it could re-attempt validation through the downstream validators such as the matching hostnames validator.

[sayboras]

ah thanks for your explanation.

Should we use the computeHost function for pattern matching? or is it should be exact match based on your implementation only ?

[cjvirtucio87]

ah thanks for your explanation.

Should we use the computeHost function for pattern matching? or is it should be exact match based on your implementation only ?

Sorry maybe I misunderstood what you said earlier. Are you saying I should reuse the ComputeHosts function here?