diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index d29f7d10656..1664370d512 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -6,6 +6,7 @@ package gatewayapi import ( + "errors" "fmt" "math" "net" @@ -13,7 +14,7 @@ import ( "strings" "time" - "github.com/pkg/errors" + perr "github.com/pkg/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" @@ -286,22 +287,23 @@ func resolveBTPolicyRouteTargetRef(policy *egv1a1.BackendTrafficPolicy, routes m func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.BackendTrafficPolicy, route RouteContext, xdsIR XdsIRMap) error { var ( - rl *ir.RateLimit - lb *ir.LoadBalancer - pp *ir.ProxyProtocol - hc *ir.HealthCheck - cb *ir.CircuitBreaker - fi *ir.FaultInjection - to *ir.Timeout - ka *ir.TCPKeepalive - rt *ir.Retry - err error + rl *ir.RateLimit + lb *ir.LoadBalancer + pp *ir.ProxyProtocol + hc *ir.HealthCheck + cb *ir.CircuitBreaker + fi *ir.FaultInjection + to *ir.Timeout + ka *ir.TCPKeepalive + rt *ir.Retry + err, errs error ) // Build IR if policy.Spec.RateLimit != nil { if rl, err = t.buildRateLimit(policy); err != nil { - return errors.Wrap(err, "RateLimit") + err = perr.WithMessage(err, "RateLimit") + errs = errors.Join(errs, err) } } if policy.Spec.LoadBalancer != nil { 
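Review bot: The `RateLimit` branch of translateBackendTrafficPolicyForRoute now uses two error packages for one job: `perr.WithMessage` from github.com/pkg/errors adds the prefix and the standard library's `errors.Join` collects. The standard library can do both with `errs = errors.Join(errs, fmt.Errorf("RateLimit: %w", err))`, which produces the same "RateLimit: ..." text, keeps the chain usable with `errors.Is`/`errors.As`, and makes the `perr` alias import in the first two hunks unnecessary. The same two-line pattern repeats in the CircuitBreaker, TCPKeepalive and Timeout branches of both translate functions in this file, and in the clienttrafficpolicy.go, envoyextensionpolicy.go and securitypolicy.go hunks. The function body continues outside this hunk.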
@@ -315,30 +317,37 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen } if policy.Spec.CircuitBreaker != nil { if cb, err = t.buildCircuitBreaker(policy); err != nil { - return errors.Wrap(err, "CircuitBreaker") + err = perr.WithMessage(err, "CircuitBreaker") + errs = errors.Join(errs, err) } } - if policy.Spec.FaultInjection != nil { fi = t.buildFaultInjection(policy) } if policy.Spec.TCPKeepalive != nil { if ka, err = t.buildTCPKeepAlive(policy); err != nil { - return errors.Wrap(err, "TCPKeepalive") + err = perr.WithMessage(err, "TCPKeepalive") + errs = errors.Join(errs, err) } } if policy.Spec.Retry != nil { rt = t.buildRetry(policy) } - // Apply IR to all relevant routes - prefix := irRoutePrefix(route) - if policy.Spec.Timeout != nil { if to, err = t.buildTimeout(policy, nil); err != nil { - return errors.Wrap(err, "Timeout") + err = perr.WithMessage(err, "Timeout") + errs = errors.Join(errs, err) } } + // Early return if got any errors + if errs != nil { + return errs + } + + // Apply IR to all relevant routes + prefix := irRoutePrefix(route) + for _, x := range xdsIR { for _, tcp := range x.TCP { for _, r := range tcp.Routes { @@ -384,10 +393,9 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen // Some timeout setting originate from the route. if policy.Spec.Timeout != nil { - if to, err = t.buildTimeout(policy, r); err != nil { - return errors.Wrap(err, "Timeout") + if to, err = t.buildTimeout(policy, r); err == nil { + r.Traffic.Timeout = to } - r.Traffic.Timeout = to } if policy.Spec.UseClientProtocol != nil { 
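Review bot: The per-route call `buildTimeout(policy, r)` now discards its error: the assignment is guarded by `err == nil` and the failure path does nothing, so a route would silently keep whatever timeout it already had. Judging by the buildTimeout hunks in this diff, the only failures are duration parse errors on the policy, and the earlier `buildTimeout(policy, nil)` call has already caught those before the early return, so this path looks unreachable. Either state that in a comment, for example `// policy durations were validated by buildTimeout(policy, nil) above; r only contributes RequestTimeout`, or join the error into `errs` rather than dropping it. The same construct appears in the last translateBackendTrafficPolicyForGateway hunk of this file. The enclosing loop starts and ends outside the hunk.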
@@ -403,22 +411,23 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.BackendTrafficPolicy, gateway *GatewayContext, xdsIR XdsIRMap) error { var ( - rl *ir.RateLimit - lb *ir.LoadBalancer - pp *ir.ProxyProtocol - hc *ir.HealthCheck - cb *ir.CircuitBreaker - fi *ir.FaultInjection - ct *ir.Timeout - ka *ir.TCPKeepalive - rt *ir.Retry - err error + rl *ir.RateLimit + lb *ir.LoadBalancer + pp *ir.ProxyProtocol + hc *ir.HealthCheck + cb *ir.CircuitBreaker + fi *ir.FaultInjection + ct *ir.Timeout + ka *ir.TCPKeepalive + rt *ir.Retry + err, errs error ) // Build IR if policy.Spec.RateLimit != nil { if rl, err = t.buildRateLimit(policy); err != nil { - return errors.Wrap(err, "RateLimit") + err = perr.WithMessage(err, "RateLimit") + errs = errors.Join(errs, err) } } if policy.Spec.LoadBalancer != nil { @@ -432,7 +441,8 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back } if policy.Spec.CircuitBreaker != nil { if cb, err = t.buildCircuitBreaker(policy); err != nil { - return errors.Wrap(err, "CircuitBreaker") + err = perr.WithMessage(err, "CircuitBreaker") + errs = errors.Join(errs, err) } } if policy.Spec.FaultInjection != nil { 
@@ -440,12 +450,24 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back } if policy.Spec.TCPKeepalive != nil { if ka, err = t.buildTCPKeepAlive(policy); err != nil { - return errors.Wrap(err, "TCPKeepalive") + err = perr.WithMessage(err, "TCPKeepalive") + errs = errors.Join(errs, err) } } if policy.Spec.Retry != nil { rt = t.buildRetry(policy) } + if policy.Spec.Timeout != nil { + if ct, err = t.buildTimeout(policy, nil); err != nil { + err = perr.WithMessage(err, "Timeout") + errs = errors.Join(errs, err) + } + } + + // Early return if got any errors + if errs != nil { + return errs + } // Apply IR to all the routes within the specific Gateway // If the feature is already set, then skip it, since it must be have @@ -456,12 +478,6 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back policyTarget := irStringKey(policy.Namespace, string(policy.Spec.TargetRef.Name)) - if policy.Spec.Timeout != nil { - if ct, err = t.buildTimeout(policy, nil); err != nil { - return errors.Wrap(err, "Timeout") - } - } - for _, tcp := range x.TCP { gatewayName := tcp.Name[0:strings.LastIndex(tcp.Name, "/")] if t.MergeGateways && gatewayName != policyTarget { @@ -541,10 +557,9 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back r.Traffic.HealthCheck.SetHTTPHostIfAbsent(r.Hostname) if policy.Spec.Timeout != nil { - if ct, err = t.buildTimeout(policy, r); err != nil { - return errors.Wrap(err, "Timeout") + if ct, err = t.buildTimeout(policy, r); err == nil { + r.Traffic.Timeout = ct } - r.Traffic.Timeout = ct } if policy.Spec.UseClientProtocol != nil { 
@@ -1009,8 +1024,10 @@ func (t *Translator) buildCircuitBreaker(policy *egv1a1.BackendTrafficPolicy) (* func (t *Translator) buildTimeout(policy *egv1a1.BackendTrafficPolicy, r *ir.HTTPRoute) (*ir.Timeout, error) { var ( - tto *ir.TCPTimeout - hto *ir.HTTPTimeout + tto *ir.TCPTimeout + hto *ir.HTTPTimeout + terr bool + errs error ) pto := policy.Spec.Timeout @@ -1018,11 +1035,12 @@ func (t *Translator) buildTimeout(policy *egv1a1.BackendTrafficPolicy, r *ir.HTT if pto.TCP != nil && pto.TCP.ConnectTimeout != nil { d, err := time.ParseDuration(string(*pto.TCP.ConnectTimeout)) if err != nil { - return nil, fmt.Errorf("invalid ConnectTimeout value %s", *pto.TCP.ConnectTimeout) - } - - tto = &ir.TCPTimeout{ - ConnectTimeout: ptr.To(metav1.Duration{Duration: d}), + terr = true + errs = errors.Join(errs, fmt.Errorf("invalid ConnectTimeout value %s", *pto.TCP.ConnectTimeout)) + } else { + tto = &ir.TCPTimeout{ + ConnectTimeout: ptr.To(metav1.Duration{Duration: d}), + } } } 
@@ -1033,19 +1051,21 @@ func (t *Translator) buildTimeout(policy *egv1a1.BackendTrafficPolicy, r *ir.HTT if pto.HTTP.ConnectionIdleTimeout != nil { d, err := time.ParseDuration(string(*pto.HTTP.ConnectionIdleTimeout)) if err != nil { - return nil, fmt.Errorf("invalid ConnectionIdleTimeout value %s", *pto.HTTP.ConnectionIdleTimeout) + terr = true + errs = errors.Join(errs, fmt.Errorf("invalid ConnectionIdleTimeout value %s", *pto.HTTP.ConnectionIdleTimeout)) + } else { + cit = ptr.To(metav1.Duration{Duration: d}) } - - cit = ptr.To(metav1.Duration{Duration: d}) } if pto.HTTP.MaxConnectionDuration != nil { d, err := time.ParseDuration(string(*pto.HTTP.MaxConnectionDuration)) if err != nil { - return nil, fmt.Errorf("invalid MaxConnectionDuration value %s", *pto.HTTP.MaxConnectionDuration) + terr = true + errs = errors.Join(errs, fmt.Errorf("invalid MaxConnectionDuration value %s", *pto.HTTP.MaxConnectionDuration)) + } else { + mcd = ptr.To(metav1.Duration{Duration: d}) } - - mcd = ptr.To(metav1.Duration{Duration: d}) } hto = &ir.HTTPTimeout{ 
@@ -1056,28 +1076,36 @@ func (t *Translator) buildTimeout(policy *egv1a1.BackendTrafficPolicy, r *ir.HTT // http request timeout is translated during the gateway-api route resource translation // merge route timeout setting with backendtrafficpolicy timeout settings - if r != nil && - r.Traffic != nil && - r.Traffic.Timeout != nil && - r.Traffic.Timeout.HTTP != nil && - r.Traffic.Timeout.HTTP.RequestTimeout != nil { - if hto == nil { - hto = &ir.HTTPTimeout{ - RequestTimeout: r.Traffic.Timeout.HTTP.RequestTimeout, + if terr { + if r != nil && r.Traffic != nil && r.Traffic.Timeout != nil { + return r.Traffic.Timeout.DeepCopy(), errs + } + } else { + // http request timeout is translated during the gateway-api route resource translation + // merge route timeout setting with backendtrafficpolicy timeout settings + if r != nil && + r.Traffic != nil && + r.Traffic.Timeout != nil && + r.Traffic.Timeout.HTTP != nil && + r.Traffic.Timeout.HTTP.RequestTimeout != nil { + if hto == nil { + hto = &ir.HTTPTimeout{ + RequestTimeout: r.Traffic.Timeout.HTTP.RequestTimeout, + } + } else { + hto.RequestTimeout = r.Traffic.Timeout.HTTP.RequestTimeout } - } else { - hto.RequestTimeout = r.Traffic.Timeout.HTTP.RequestTimeout } - } - if hto != nil || tto != nil { - return &ir.Timeout{ - TCP: tto, - HTTP: hto, - }, nil + if hto != nil || tto != nil { + return &ir.Timeout{ + TCP: tto, + HTTP: hto, + }, nil + } } - return nil, nil + return nil, errs } func int64ToUint32(in int64) (uint32, bool) { diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index 1cf802cb21c..c5da32c4c60 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -13,6 +13,7 @@ import ( "strings" "time" + perr "github.com/pkg/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" 
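Review bot: In the rewritten tail of buildTimeout, `terr` carries the same information as `errs != nil`, and the `terr` branch returns a non-nil `*ir.Timeout` (`r.Traffic.Timeout.DeepCopy()`) together with a non-nil error. The callers visible in this diff either pass `r == nil` or use the value only when `err == nil`, so that copy is never consumed, and a value-plus-error return is easy to misuse later. Replacing the `if terr { ... } else { ... }` wrapper with `if errs != nil { return nil, errs }` ahead of the original merge code would remove the flag and the extra nesting. It would also remove the "http request timeout is translated during ..." comment that now appears twice. The function starts in an earlier hunk.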
@@ -385,22 +386,24 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie var ( keepalive *ir.TCPKeepalive connection *ir.Connection - enableProxyProtocol bool tlsConfig *ir.TLSConfig - err error + enableProxyProtocol bool + err, errs error ) // Build common IR shared by HTTP and TCP listeners, return early if some field is invalid. // Translate TCPKeepalive keepalive, err = buildKeepAlive(policy.Spec.TCPKeepalive) if err != nil { - return err + err = perr.WithMessage(err, "TCP KeepAlive") + errs = errors.Join(errs, err) } // Translate Connection connection, err = buildConnection(policy.Spec.Connection) if err != nil { - return err + err = perr.WithMessage(err, "Connection") + errs = errors.Join(errs, err) } // Translate Proxy Protocol @@ -418,18 +421,21 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie translatePathSettings(policy.Spec.Path, httpIR) // Translate Client Timeout Settings - if err := translateClientTimeout(policy.Spec.Timeout, httpIR); err != nil { - return err + if err = translateClientTimeout(policy.Spec.Timeout, httpIR); err != nil { + err = perr.WithMessage(err, "Timeout") + errs = errors.Join(errs, err) } // Translate HTTP1 Settings - if err := translateHTTP1Settings(policy.Spec.HTTP1, httpIR); err != nil { - return err + if err = translateHTTP1Settings(policy.Spec.HTTP1, httpIR); err != nil { + err = perr.WithMessage(err, "HTTP1") + errs = errors.Join(errs, err) } // Translate HTTP2 Settings - if err := translateHTTP2Settings(policy.Spec.HTTP2, httpIR); err != nil { - return err + if err = translateHTTP2Settings(policy.Spec.HTTP2, httpIR); err != nil { + err = perr.WithMessage(err, "HTTP2") + errs = errors.Join(errs, err) } // enable http3 if set and TLS is enabled 
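Review bot: The comment `// Build common IR shared by HTTP and TCP listeners, return early if some field is invalid.` is stale after this change, because keepalive and connection errors are now collected and the function carries on. Suggested wording: `// Build common IR shared by HTTP and TCP listeners; errors are collected and returned together once every field has been translated.` The function continues outside the hunk.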
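Review bot: Collecting errors instead of returning means the helpers that take `httpIR` keep running after an earlier failure. With an invalid TCPKeepalive, Connection or Timeout, `translatePathSettings`, `translateHTTP1Settings` and `translateHTTP2Settings` are still called on the listener before `errs` is returned, whereas before this change a keepalive or connection error returned ahead of all of them. Their bodies are outside the hunk, but they receive the listener and `translatePathSettings` returns nothing, so they appear to write into it directly. Unless the caller discards the listener IR on error (not visible here), the policy is reported as rejected in its status while part of it is in effect on the listener. Consider letting these helpers fill a scratch value that is copied into `httpIR` only after the `errs != nil` check, as is already done for `keepalive`, `connection` and `tlsConfig`.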
@@ -453,7 +459,13 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie // Translate TLS parameters tlsConfig, err = t.buildListenerTLSParameters(policy, httpIR.TLS, resources) if err != nil { - return err + err = perr.WithMessage(err, "TLS") + errs = errors.Join(errs, err) + } + + // Early return if got any errors + if errs != nil { + return errs } httpIR.TCPKeepalive = keepalive @@ -466,7 +478,13 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie // Translate TLS parameters tlsConfig, err = t.buildListenerTLSParameters(policy, tcpIR.TLS, resources) if err != nil { - return err + err = perr.WithMessage(err, "TLS") + errs = errors.Join(errs, err) + } + + // Early return if got any errors + if errs != nil { + return errs } tcpIR.TCPKeepalive = keepalive @@ -616,7 +634,7 @@ func translateHTTP1Settings(http1Settings *egv1a1.HTTP1Settings, httpIR *ir.HTTP } } if defaultHost == nil { - return fmt.Errorf("can't set http10 default host on listener with only wildcard hostnames") + return fmt.Errorf("cannot set http10 default host on listener with only wildcard hostnames") } } // If useDefaultHost was set, then defaultHost will have the hostname to use. diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 905919ea852..16229f2d7c9 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go @@ -12,6 +12,7 @@ import ( "strings" "time" + perr "github.com/pkg/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" 
@@ -293,16 +294,23 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(policy *egv1a1.EnvoyE ) if extProcs, err = t.buildExtProcs(policy, resources); err != nil { + err = perr.WithMessage(err, "ExtProcs") errs = errors.Join(errs, err) } if wasms, err = t.buildWasms(policy); err != nil { + err = perr.WithMessage(err, "WASMs") errs = errors.Join(errs, err) } + // Early return if got any errors + if errs != nil { + return errs + } + // Apply IR to all relevant routes prefix := irRoutePrefix(route) - for _, ir := range xdsIR { - for _, http := range ir.HTTP { + for _, x := range xdsIR { + for _, http := range x.HTTP { for _, r := range http.Routes { // Apply if there is a match if strings.HasPrefix(r.Name, prefix) { @@ -313,25 +321,7 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(policy *egv1a1.EnvoyE } } - return errs -} - -func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resources *Resources) ([]ir.ExtProc, error) { - var extProcIRList []ir.ExtProc - - if policy == nil { - return nil, nil - } - - for idx, ep := range policy.Spec.ExtProc { - name := irConfigNameForEEP(policy, idx) - extProcIR, err := t.buildExtProc(name, utils.NamespacedName(policy), ep, idx, resources) - if err != nil { - return nil, err - } - extProcIRList = append(extProcIRList, *extProcIR) - } - return extProcIRList, nil + return nil } func (t *Translator) translateEnvoyExtensionPolicyForGateway(policy *egv1a1.EnvoyExtensionPolicy, 
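Review bot: The new early return in translateEnvoyExtensionPolicyForRoute changes what a partly valid policy does, and nothing at the check says so. With the old `return errs` at the end, a failure in `buildExtProcs` apparently still let the Wasm list reach the matching routes (and the reverse); now neither is attached. Matching routes then serve traffic without any of the policy's extensions and the only signal is the status condition, which matters when an external processor is relied on for request inspection. A comment above the check would record the intent, for example `// All-or-nothing: if any extension fails to build, no ExtProc or Wasm filter is attached and the error is surfaced in the policy status.` The translateEnvoyExtensionPolicyForGateway hunks that follow add the same early return.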
@@ -343,20 +333,27 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway(policy *egv1a1.Envo err, errs error ) - irKey := t.getIRKey(gateway.Gateway) - // Should exist since we've validated this - ir := xdsIR[irKey] - - policyTarget := irStringKey(policy.Namespace, string(policy.Spec.TargetRef.Name)) - if extProcs, err = t.buildExtProcs(policy, resources); err != nil { + err = perr.WithMessage(err, "ExtProcs") errs = errors.Join(errs, err) } if wasms, err = t.buildWasms(policy); err != nil { + err = perr.WithMessage(err, "WASMs") errs = errors.Join(errs, err) } - for _, http := range ir.HTTP { + // Early return if got any errors + if errs != nil { + return errs + } + + irKey := t.getIRKey(gateway.Gateway) + // Should exist since we've validated this + x := xdsIR[irKey] + + policyTarget := irStringKey(policy.Namespace, string(policy.Spec.TargetRef.Name)) + + for _, http := range x.HTTP { gatewayName := http.Name[0:strings.LastIndex(http.Name, "/")] if t.MergeGateways && gatewayName != policyTarget { continue @@ -380,7 +377,25 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway(policy *egv1a1.Envo } } - return errs + return nil +} + +func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resources *Resources) ([]ir.ExtProc, error) { + var extProcIRList []ir.ExtProc + + if policy == nil { + return nil, nil + } + + for idx, ep := range policy.Spec.ExtProc { + name := irConfigNameForEEP(policy, idx) + extProcIR, err := t.buildExtProc(name, utils.NamespacedName(policy), ep, idx, resources) + if err != nil { + return nil, err + } + extProcIRList = append(extProcIRList, *extProcIR) + } + return extProcIRList, nil } func (t *Translator) buildExtProc( diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index e68cf3fabae..bfb4d9e7eca 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go 
@@ -16,6 +16,7 @@ import ( "strconv" "strings" + perr "github.com/pkg/errors" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" @@ -351,6 +352,7 @@ func (t *Translator) translateSecurityPolicyForRoute( if oidc, err = t.buildOIDC( policy, resources); err != nil { + err = perr.WithMessage(err, "OIDC") errs = errors.Join(errs, err) } } @@ -359,6 +361,7 @@ func (t *Translator) translateSecurityPolicyForRoute( if basicAuth, err = t.buildBasicAuth( policy, resources); err != nil { + err = perr.WithMessage(err, "BasicAuth") errs = errors.Join(errs, err) } } @@ -367,6 +370,7 @@ func (t *Translator) translateSecurityPolicyForRoute( if extAuth, err = t.buildExtAuth( policy, resources); err != nil { + err = perr.WithMessage(err, "ExtAuth") errs = errors.Join(errs, err) } } @@ -423,6 +427,7 @@ func (t *Translator) translateSecurityPolicyForGateway( if oidc, err = t.buildOIDC( policy, resources); err != nil { + err = perr.WithMessage(err, "OIDC") errs = errors.Join(errs, err) } } @@ -431,6 +436,7 @@ func (t *Translator) translateSecurityPolicyForGateway( if basicAuth, err = t.buildBasicAuth( policy, resources); err != nil { + err = perr.WithMessage(err, "BasicAuth") errs = errors.Join(errs, err) } } @@ -439,6 +445,7 @@ func (t *Translator) translateSecurityPolicyForGateway( if extAuth, err = t.buildExtAuth( policy, resources); err != nil { + err = perr.WithMessage(err, "ExtAuth") errs = errors.Join(errs, err) } } @@ -585,7 +592,7 @@ func (t *Translator) buildOIDC( // Generate a unique cookie suffix for oauth filters suffix := utils.Digest32(string(policy.UID)) - // Get the HMAC secret + // Get the HMAC secret. // HMAC secret is generated by the CertGen job and stored in a secret // We need to rotate the HMAC secret in the future, probably the same // way we rotate the certs generated by the CertGen job. 
diff --git a/internal/gatewayapi/status/conditions.go b/internal/gatewayapi/status/conditions.go index f2e735307d4..2b710189a18 100644 --- a/internal/gatewayapi/status/conditions.go +++ b/internal/gatewayapi/status/conditions.go @@ -67,7 +67,7 @@ func conditionChanged(a, b metav1.Condition) bool { // Error2ConditionMsg format the error string to a Status condition message. // * Convert the first letter to capital -// * Append "." to the string if it doesn't exit +// * Append "." to the string if it doesn't exist func Error2ConditionMsg(err error) string { if err == nil { return "" @@ -86,6 +86,12 @@ func Error2ConditionMsg(err error) string { runes[0] = unicode.ToUpper(runes[0]) } + // Check if the last rune is a punctuation '.' and append it if not + last := runes[len(runes)-1] + if !unicode.IsPunct(last) || last != '.' { + runes = append(runes, '.') + } + // Convert the rune slice back to a string return string(runes) } diff --git a/internal/gatewayapi/status/conditions_test.go b/internal/gatewayapi/status/conditions_test.go index 066dcabd23f..74c66edf206 100644 --- a/internal/gatewayapi/status/conditions_test.go +++ b/internal/gatewayapi/status/conditions_test.go @@ -199,7 +199,7 @@ func TestError2ConditionMsg(t *testing.T) { { name: "error with message", err: errors.New("something is wrong"), - expect: "Something is wrong", + expect: "Something is wrong.", }, } for _, tt := range testCases { diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml index e5c997f27de..a99860bb175 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml @@ -25,7 +25,7 @@ backendTLSPolicies: sectionName: http conditions: - lastTransitionTime: null - message: No ca found in configmap no-ca-cmap + message: No ca found in configmap no-ca-cmap. reason: Invalid status: "False" type: Accepted 
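Review bot: In Error2ConditionMsg, the added `last := runes[len(runes)-1]` sits after the closing brace of the block that guards `runes[0]`. If that guard is a length check (it is outside the hunk), an error whose message is empty would index out of range here and panic in the status path. The condition `!unicode.IsPunct(last) || last != '.'` also reduces to `last != '.'`, so both points are covered by `if n := len(runes); n > 0 && runes[n-1] != '.' { runes = append(runes, '.') }`. Separately, messages built with `errors.Join` are newline-separated, so only the first line is capitalised and only the last gets the period, as the updated clienttrafficpolicy-http2.out.yaml fixture in this diff shows.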
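Review bot: TestError2ConditionMsg only has its existing expectation updated to `"Something is wrong."`; none of the inputs that exercise the new branch are covered. Cases worth adding to the table: a message that already ends in `.` (expect no second period), `errors.New("")`, and an `errors.Join` of two errors to pin how multi-line messages are punctuated. The table itself starts outside the hunk.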
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml index 223ccf2735c..b60218d10b0 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml @@ -22,7 +22,7 @@ backendTrafficPolicies: sectionName: http conditions: - lastTransitionTime: null - message: 'CircuitBreaker: invalid MaxRequestsPerConnection value -1' + message: 'CircuitBreaker: invalid MaxRequestsPerConnection value -1.' reason: Invalid status: "False" type: Accepted @@ -50,7 +50,7 @@ backendTrafficPolicies: sectionName: http conditions: - lastTransitionTime: null - message: 'CircuitBreaker: invalid MaxParallelRetries value -1' + message: 'CircuitBreaker: invalid MaxParallelRetries value -1.' reason: Invalid status: "False" type: Accepted @@ -77,7 +77,7 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'CircuitBreaker: invalid MaxConnections value -1' + message: 'CircuitBreaker: invalid MaxConnections value -1.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml index 5aceec2a5b4..68c2812ac5b 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml @@ -47,7 +47,7 @@ backendTrafficPolicies: conditions: - lastTransitionTime: null message: 'RateLimit: local rateLimit rule limit unit must be a multiple of - the default limit unit' + the default limit unit.' reason: Invalid status: "False" type: Accepted 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml index d286951ecdf..4a3317ac166 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml @@ -43,7 +43,7 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'RateLimit: local rateLimit does not support distinct HeaderMatch' + message: 'RateLimit: local rateLimit does not support distinct HeaderMatch.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml index 9d82dac487f..99f5cfe8c79 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml @@ -50,7 +50,7 @@ backendTrafficPolicies: conditions: - lastTransitionTime: null message: 'RateLimit: local rateLimit can not have more than one rule without - clientSelectors' + clientSelectors.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml index 99115522e3a..f412c2a86f2 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml 
@@ -34,7 +34,7 @@ backendTrafficPolicies: conditions: - lastTransitionTime: null message: 'RateLimit: regex "*.illegal.regex" is invalid: error parsing regexp: - missing argument to repetition operator: `*`' + missing argument to repetition operator: `*`.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml index c32fa1ae20e..1bcc74258c4 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml @@ -25,7 +25,7 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'Timeout: invalid MaxConnectionDuration value 22mib' + message: 'Timeout: invalid MaxConnectionDuration value 22mib.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml index 8a366de05d8..246db14238b 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml @@ -23,7 +23,7 @@ clientTrafficPolicies: sectionName: http-1 conditions: - lastTransitionTime: null - message: Invalid BufferLimit value 500m + message: 'Connection: invalid BufferLimit value 500m.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml index 9f983a0d2c0..cabe1f7a6e2 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml 
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml @@ -23,7 +23,8 @@ clientTrafficPolicies: sectionName: http-1 conditions: - lastTransitionTime: null - message: BufferLimit value 100G is out of range, must be between 0 and 4294967295 + message: 'Connection: BufferLimit value 100G is out of range, must be between + 0 and 4294967295.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml index 5eb39d934e6..eaea65e56a1 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml @@ -25,7 +25,7 @@ clientTrafficPolicies: sectionName: http-1 conditions: - lastTransitionTime: null - message: Invalid CloseDelay value 10mib + message: 'Connection: invalid CloseDelay value 10mib.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml index d0e2660dc12..4a8a3b98f03 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml @@ -83,7 +83,8 @@ clientTrafficPolicies: sectionName: http-3 conditions: - lastTransitionTime: null - message: Can't set http10 default host on listener with only wildcard hostnames + message: 'HTTP1: cannot set http10 default host on listener with only wildcard + hostnames.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml index e94e1ffed1e..cf410dffe52 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml 
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml @@ -57,8 +57,8 @@ clientTrafficPolicies: conditions: - lastTransitionTime: null message: |- - InitialStreamWindowSize value 1Ki is out of range, must be between 65535 and 2147483647 - InitialConnectionWindowSize value 1Ti is out of range, must be between 65535 and 2147483647 + HTTP2: InitialStreamWindowSize value 1Ki is out of range, must be between 65535 and 2147483647 + InitialConnectionWindowSize value 1Ti is out of range, must be between 65535 and 2147483647. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml index 18b814b82d8..6989cb91d4a 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml @@ -22,7 +22,7 @@ clientTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'Time: unknown unit "sec" in duration "10sec"' + message: 'Timeout: time: unknown unit "sec" in duration "10sec".' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml index d162dce4b47..7efaef7eb33 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml @@ -22,7 +22,7 @@ clientTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'Time: unknown unit "sec" in duration "5sec"' + message: 'Timeout: time: unknown unit "sec" in duration "5sec".' reason: Invalid status: "False" type: Accepted 
diff --git a/internal/gatewayapi/testdata/conflicting-policies.out.yaml b/internal/gatewayapi/testdata/conflicting-policies.out.yaml index d6a50d7db5c..0af25b10a7b 100644 --- a/internal/gatewayapi/testdata/conflicting-policies.out.yaml +++ b/internal/gatewayapi/testdata/conflicting-policies.out.yaml @@ -23,7 +23,7 @@ clientTrafficPolicies: conditions: - lastTransitionTime: null message: ClientTrafficPolicy is being applied to multiple http (non https) - listeners (default/gateway-1/http) on the same port, which is not allowed + listeners (default/gateway-1/http) on the same port, which is not allowed. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml index 27619e60e35..76ce25c20f6 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml @@ -23,7 +23,7 @@ envoyExtensionPolicies: namespace: default conditions: - lastTransitionTime: null - message: TCP Port 4000 not found on service default/grpc-backend + message: 'ExtProcs: TCP Port 4000 not found on service default/grpc-backend.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml index ac556bd8a52..c8d26813c85 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml 
@@ -22,8 +22,8 @@ envoyExtensionPolicies:
 namespace: default
 conditions:
 - lastTransitionTime: null
- message: A valid port number corresponding to a port on the Service must be
- specified
+ message: 'ExtProcs: a valid port number corresponding to a port on the Service
+ must be specified.'
 reason: Invalid
 status: "False"
 type: Accepted
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml
index 09b3ecdccca..50148ea73d0 100755
--- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml
@@ -24,8 +24,8 @@ envoyExtensionPolicies:
 namespace: default
 conditions:
 - lastTransitionTime: null
- message: Backend ref to Service envoy-gateway/grpc-backend not permitted by
- any ReferenceGrant
+ message: 'ExtProcs: backend ref to Service envoy-gateway/grpc-backend not
+ permitted by any ReferenceGrant.'
 reason: Invalid
 status: "False"
 type: Accepted
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml
index 630a246f8b3..7e5e5aba4b5 100755
--- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml
@@ -24,7 +24,7 @@ envoyExtensionPolicies:
 namespace: default
 conditions:
 - lastTransitionTime: null
- message: Service envoy-gateway/grpc-backend not found
+ message: 'ExtProcs: service envoy-gateway/grpc-backend not found.'
 reason: Invalid
 status: "False"
 type: Accepted
diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml
index bd25d7bc60b..4b5fc9ae902 100644
--- a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml
@@ -25,7 +25,7 @@ backendTrafficPolicies:
 sectionName: http
 conditions:
 - lastTransitionTime: null
- message: 'Timeout: invalid ConnectTimeout value 20kib'
+ message: 'Timeout: invalid ConnectTimeout value 20kib.'
 reason: Invalid
 status: "False"
 type: Accepted
diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml
index a8e06b4fa54..c8285fb3ee8 100644
--- a/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml
@@ -103,7 +103,7 @@ httpRoutes:
 - conditions:
 - lastTransitionTime: null
 message: 'Regex "*.foo.bar.com" is invalid: error parsing regexp: missing
- argument to repetition operator: `*`'
+ argument to repetition operator: `*`.'
 reason: UnsupportedValue
 status: "False"
 type: Accepted
diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml
index 7cae3475b67..2b3440d9a60 100644
--- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml
+++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml
@@ -93,7 +93,7 @@ httpRoutes:
 - conditions:
 - lastTransitionTime: null
 message: 'Regex "*regex*" is invalid: error parsing regexp: missing argument
- to repetition operator: `*`'
+ to repetition operator: `*`.'
 reason: UnsupportedValue
 status: "False"
 type: Accepted
diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml
index 5c74b388d27..d22f2ed111f 100755
--- a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml
+++ b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml
@@ -55,7 +55,7 @@ clientTrafficPolicies:
 conditions:
 - lastTransitionTime: null
 message: ClientTrafficPolicy is being applied to multiple http (non https)
- listeners (default/gateway-2/http-2) on the same port, which is not allowed
+ listeners (default/gateway-2/http-2) on the same port, which is not allowed.
 reason: Invalid
 status: "False"
 type: Accepted
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml
index 0d8bb167f23..582db7cf245 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml
@@ -125,7 +125,7 @@ securityPolicies:
 namespace: default
 conditions:
 - lastTransitionTime: null
- message: TCP Port 80 not found on service default/http-backend
+ message: 'ExtAuth: TCP Port 80 not found on service default/http-backend.'
 reason: Invalid
 status: "False"
 type: Accepted
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml
index eb68592572c..fa9d38b2572 100755
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml
@@ -124,8 +124,8 @@ securityPolicies:
 namespace: default
 conditions:
 - lastTransitionTime: null
- message: A valid port number corresponding to a port on the Service must be
- specified
+ message: 'ExtAuth: a valid port number corresponding to a port on the Service
+ must be specified.'
 reason: Invalid
 status: "False"
 type: Accepted
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml
index 648d8567a82..9afc90b0970 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml
@@ -125,8 +125,8 @@ securityPolicies:
 namespace: default
 conditions:
 - lastTransitionTime: null
- message: Backend ref to Service envoy-gateway/http-backend not permitted by
- any ReferenceGrant
+ message: 'ExtAuth: backend ref to Service envoy-gateway/http-backend not permitted
+ by any ReferenceGrant.'
 reason: Invalid
 status: "False"
 type: Accepted
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml
index 62ac5dabd39..cc079ddf6cd 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml
@@ -125,7 +125,7 @@ securityPolicies:
 namespace: default
 conditions:
 - lastTransitionTime: null
- message: Service default/http-backend not found
+ message: 'ExtAuth: service default/http-backend not found.'
 reason: Invalid
 status: "False"
 type: Accepted
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml
index 6c9172f65ad..f2ca05d1414 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml
@@ -173,7 +173,7 @@ securityPolicies:
 sectionName: http
 conditions:
 - lastTransitionTime: null
- message: Secret default/client2-secret does not exist
+ message: 'OIDC: secret default/client2-secret does not exist.'
 reason: Invalid
 status: "False"
 type: Accepted
@@ -217,7 +217,7 @@ securityPolicies:
 namespace: envoy-gateway
 conditions:
 - lastTransitionTime: null
- message: Secret envoy-gateway/client1-secret does not exist
+ message: 'OIDC: secret envoy-gateway/client1-secret does not exist.'
 reason: Invalid
 status: "False"
 type: Accepted
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml
index d2a6d6afab3..1102e64d406 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml
@@ -85,8 +85,8 @@ securityPolicies:
 namespace: default
 conditions:
 - lastTransitionTime: null
- message: 'Error fetching endpoints from issuer: invalid character ''<'' looking
- for beginning of value'
+ message: 'OIDC: error fetching endpoints from issuer: invalid character ''<''
+ looking for beginning of value.'
 reason: Invalid
 status: "False"
 type: Accepted
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml
index 2ea3ac2420d..259908a1ad4 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml
@@ -197,7 +197,7 @@ securityPolicies:
 namespace: default
 conditions:
 - lastTransitionTime: null
- message: Secret default/client1-secret does not exist
+ message: 'OIDC: secret default/client1-secret does not exist.'
 reason: Invalid
 status: "False"
 type: Accepted
@@ -234,7 +234,7 @@ securityPolicies:
 namespace: default
 conditions:
 - lastTransitionTime: null
- message: Secret ref namespace must be unspecified/empty or default
+ message: 'OIDC: secret ref namespace must be unspecified/empty or default.'
 reason: Invalid
 status: "False"
 type: Accepted
@@ -270,7 +270,7 @@ securityPolicies:
 namespace: default
 conditions:
 - lastTransitionTime: null
- message: Client secret not found in secret default/client3-secret
+ message: 'OIDC: client secret not found in secret default/client3-secret.'
 reason: Invalid
 status: "False"
 type: Accepted