From 9a755499e7e6f242134f5c94553b9f31b687f46a Mon Sep 17 00:00:00 2001 From: shawnh2 Date: Mon, 29 Apr 2024 14:55:48 +0800 Subject: [PATCH 1/4] add append '.' to err message for xpolicy 
Signed-off-by: shawnh2 --- .../testdata/backendtlspolicy-invalid-ca.out.yaml | 2 +- .../backendtlspolicy-without-referencegrant.out.yaml | 2 +- ...ckendtrafficpolicy-with-circuitbreakers-error.out.yaml | 6 +++--- ...olicy-with-local-ratelimit-invalid-limit-unit.out.yaml | 2 +- ...olicy-with-local-ratelimit-invalid-match-type.out.yaml | 2 +- ...ratelimit-invalid-multiple-route-level-limits.out.yaml | 2 +- ...endtrafficpolicy-with-ratelimit-invalid-regex.out.yaml | 2 +- .../backendtrafficpolicy-with-timeout-error.out.yaml | 2 +- ...ttrafficpolicy-buffer-limit-with-format-error.out.yaml | 2 +- ...icpolicy-buffer-limit-with-out-of-range-error.out.yaml | 2 +- .../clienttrafficpolicy-connection-limit-error.out.yaml | 2 +- .../testdata/clienttrafficpolicy-http10.out.yaml | 2 +- .../testdata/clienttrafficpolicy-http2.out.yaml | 2 +- .../clienttrafficpolicy-idle-timeout-with-error.out.yaml | 2 +- .../clienttrafficpolicy-timeout-with-error.out.yaml | 2 +- .../gatewayapi/testdata/conflicting-policies.out.yaml | 2 +- ...npolicy-with-extproc-invalid-no-matching-port.out.yaml | 2 +- ...yextensionpolicy-with-extproc-invalid-no-port.out.yaml | 2 +- ...olicy-with-extproc-invalid-no-reference-grant.out.yaml | 2 +- ...tensionpolicy-with-extproc-invalid-no-service.out.yaml | 2 +- ...e-and-backendtrafficpolicy-with-timeout-error.out.yaml | 2 +- .../testdata/httproute-with-invalid-regex.out.yaml | 2 +- ...ttproute-with-single-rule-with-multiple-rules.out.yaml | 2 +- .../testdata/merge-with-isolated-policies-2.out.yaml | 2 +- ...ypolicy-with-extauth-invalid-no-matching-port.out.yaml | 2 +- .../securitypolicy-with-extauth-invalid-no-port.out.yaml | 2 +- ...olicy-with-extauth-invalid-no-reference-grant.out.yaml | 2 +- ...ecuritypolicy-with-extauth-invalid-no-service.out.yaml | 2 +- .../securitypolicy-with-jwt-and-invalid-oidc.out.yaml | 4 ++-- .../securitypolicy-with-oidc-invalid-issuer.out.yaml | 2 +- .../securitypolicy-with-oidc-invalid-secretref.out.yaml | 6 +++--- 
internal/status/conditions.go | 8 +++++++- internal/status/conditions_test.go | 2 +- 33 files changed, 44 insertions(+), 38 deletions(-) diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml index 47e7c66c07e..fcb2a79f73b 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml @@ -26,7 +26,7 @@ backendTLSPolicies: sectionName: http conditions: - lastTransitionTime: null - message: No ca found in configmap no-ca-cmap + message: No ca found in configmap no-ca-cmap. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.out.yaml index 6922e60d7c8..b8e9bc4b51f 100755 --- a/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-without-referencegrant.out.yaml @@ -27,7 +27,7 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: Target ref to Service backends/http-backend not permitted by any - ReferenceGrant + ReferenceGrant. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml index 45d95e8aaf9..3d767a9d58f 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml 
@@ -23,7 +23,7 @@ backendTrafficPolicies: sectionName: http conditions: - lastTransitionTime: null - message: 'CircuitBreaker: invalid MaxRequestsPerConnection value -1' + message: 'CircuitBreaker: invalid MaxRequestsPerConnection value -1.' reason: Invalid status: "False" type: Accepted @@ -52,7 +52,7 @@ backendTrafficPolicies: sectionName: http conditions: - lastTransitionTime: null - message: 'CircuitBreaker: invalid MaxParallelRetries value -1' + message: 'CircuitBreaker: invalid MaxParallelRetries value -1.' reason: Invalid status: "False" type: Accepted @@ -80,7 +80,7 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'CircuitBreaker: invalid MaxConnections value -1' + message: 'CircuitBreaker: invalid MaxConnections value -1.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml index 0b81c2dd0de..936a1465391 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml @@ -48,7 +48,7 @@ backendTrafficPolicies: conditions: - lastTransitionTime: null message: 'RateLimit: local rateLimit rule limit unit must be a multiple of - the default limit unit' + the default limit unit.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml index 68ed3affde6..7130794e502 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml 
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml @@ -44,7 +44,7 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'RateLimit: local rateLimit does not support distinct HeaderMatch' + message: 'RateLimit: local rateLimit does not support distinct HeaderMatch.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml index 32d1661ea55..fbb90cd518c 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml @@ -51,7 +51,7 @@ backendTrafficPolicies: conditions: - lastTransitionTime: null message: 'RateLimit: local rateLimit can not have more than one rule without - clientSelectors' + clientSelectors.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml index 360544da250..4231fc42432 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml @@ -35,7 +35,7 @@ backendTrafficPolicies: conditions: - lastTransitionTime: null message: 'RateLimit: regex "*.illegal.regex" is invalid: error parsing regexp: - missing argument to repetition operator: `*`' + missing argument to repetition operator: `*`.' reason: Invalid status: "False" type: Accepted 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml index 3adff744df7..b97572801f3 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml @@ -26,7 +26,7 @@ backendTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'Timeout: invalid MaxConnectionDuration value 22mib' + message: 'Timeout: invalid MaxConnectionDuration value 22mib.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml index f82580ce39f..c4b852ea8f3 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml @@ -24,7 +24,7 @@ clientTrafficPolicies: sectionName: http-1 conditions: - lastTransitionTime: null - message: Invalid BufferLimit value 500m + message: Invalid BufferLimit value 500m. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml index 08c7f6dbbd9..c1831d14c7a 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml 
@@ -24,7 +24,7 @@ clientTrafficPolicies: sectionName: http-1 conditions: - lastTransitionTime: null - message: BufferLimit value 100G is out of range, must be between 0 and 4294967295 + message: BufferLimit value 100G is out of range, must be between 0 and 4294967295. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml index 2dfb99f691e..09f893c7149 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml @@ -26,7 +26,7 @@ clientTrafficPolicies: sectionName: http-1 conditions: - lastTransitionTime: null - message: Invalid CloseDelay value 10mib + message: Invalid CloseDelay value 10mib. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml index df2e0592b6b..cc5a14de0a3 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml @@ -86,7 +86,7 @@ clientTrafficPolicies: sectionName: http-3 conditions: - lastTransitionTime: null - message: Can't set http10 default host on listener with only wildcard hostnames + message: Can't set http10 default host on listener with only wildcard hostnames. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml index 96d1fc82fec..9dd9e04037e 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml 
@@ -60,7 +60,7 @@ clientTrafficPolicies: - lastTransitionTime: null message: |- InitialStreamWindowSize value 1Ki is out of range, must be between 65535 and 2147483647 - InitialConnectionWindowSize value 1Ti is out of range, must be between 65535 and 2147483647 + InitialConnectionWindowSize value 1Ti is out of range, must be between 65535 and 2147483647. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml index 0854e41ef4d..e52a5b34bc9 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml @@ -23,7 +23,7 @@ clientTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'Time: unknown unit "sec" in duration "10sec"' + message: 'Time: unknown unit "sec" in duration "10sec".' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml index eaf13c0af18..1670495493f 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml @@ -23,7 +23,7 @@ clientTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'Time: unknown unit "sec" in duration "5sec"' + message: 'Time: unknown unit "sec" in duration "5sec".' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/conflicting-policies.out.yaml b/internal/gatewayapi/testdata/conflicting-policies.out.yaml index 3f2a1d53418..657c99672fe 100644 --- a/internal/gatewayapi/testdata/conflicting-policies.out.yaml 
+++ b/internal/gatewayapi/testdata/conflicting-policies.out.yaml @@ -24,7 +24,7 @@ clientTrafficPolicies: conditions: - lastTransitionTime: null message: ClientTrafficPolicy is being applied to multiple http (non https) - listeners (default/gateway-1/http) on the same port, which is not allowed + listeners (default/gateway-1/http) on the same port, which is not allowed. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml index 55e0b661896..3fd66d99178 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml @@ -24,7 +24,7 @@ envoyExtensionPolicies: namespace: default conditions: - lastTransitionTime: null - message: TCP Port 4000 not found on service default/grpc-backend + message: TCP Port 4000 not found on service default/grpc-backend. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml index 05db4b4438c..d571707aecc 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml @@ -24,7 +24,7 @@ envoyExtensionPolicies: conditions: - lastTransitionTime: null message: A valid port number corresponding to a port on the Service must be - specified + specified. reason: Invalid status: "False" type: Accepted 
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml index c4ad278a6c4..a3d0820b067 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml @@ -26,7 +26,7 @@ envoyExtensionPolicies: conditions: - lastTransitionTime: null message: Backend ref to Service envoy-gateway/grpc-backend not permitted by - any ReferenceGrant + any ReferenceGrant. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml index 7155bfe7243..0f1032195d6 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml @@ -25,7 +25,7 @@ envoyExtensionPolicies: namespace: default conditions: - lastTransitionTime: null - message: Service envoy-gateway/grpc-backend not found + message: Service envoy-gateway/grpc-backend not found. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml index 88becd8a82a..49a6d1cc5d9 100644 --- a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml +++ b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml 
@@ -26,7 +26,7 @@ backendTrafficPolicies: sectionName: http conditions: - lastTransitionTime: null - message: 'Timeout: invalid ConnectTimeout value 20kib' + message: 'Timeout: invalid ConnectTimeout value 20kib.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml index a8e06b4fa54..c8285fb3ee8 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml @@ -103,7 +103,7 @@ httpRoutes: - conditions: - lastTransitionTime: null message: 'Regex "*.foo.bar.com" is invalid: error parsing regexp: missing - argument to repetition operator: `*`' + argument to repetition operator: `*`.' reason: UnsupportedValue status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml index 7cae3475b67..2b3440d9a60 100644 --- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml @@ -93,7 +93,7 @@ httpRoutes: - conditions: - lastTransitionTime: null message: 'Regex "*regex*" is invalid: error parsing regexp: missing argument - to repetition operator: `*`' + to repetition operator: `*`.' reason: UnsupportedValue status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml index f8797d895ca..7bedafa6241 100755 --- a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml +++ b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml 
@@ -57,7 +57,7 @@ clientTrafficPolicies: conditions: - lastTransitionTime: null message: ClientTrafficPolicy is being applied to multiple http (non https) - listeners (default/gateway-2/http-2) on the same port, which is not allowed + listeners (default/gateway-2/http-2) on the same port, which is not allowed. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml index d23b2a7d8f7..aabb54434f4 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml @@ -126,7 +126,7 @@ securityPolicies: namespace: default conditions: - lastTransitionTime: null - message: TCP Port 80 not found on service default/http-backend + message: TCP Port 80 not found on service default/http-backend. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml index fb8d90097a0..1ef304673d8 100755 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml @@ -126,7 +126,7 @@ securityPolicies: conditions: - lastTransitionTime: null message: A valid port number corresponding to a port on the Service must be - specified + specified. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml index 5d31bd10a9b..0dc44875c47 100644 
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml @@ -127,7 +127,7 @@ securityPolicies: conditions: - lastTransitionTime: null message: Backend ref to Service envoy-gateway/http-backend not permitted by - any ReferenceGrant + any ReferenceGrant. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml index da185ff74a0..de2e3010da3 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml @@ -126,7 +126,7 @@ securityPolicies: namespace: default conditions: - lastTransitionTime: null - message: Service default/http-backend not found + message: Service default/http-backend not found. reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml index b4e2932f294..f2af5bd857a 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml @@ -174,7 +174,7 @@ securityPolicies: sectionName: http conditions: - lastTransitionTime: null - message: Secret default/client2-secret does not exist + message: Secret default/client2-secret does not exist. reason: Invalid status: "False" type: Accepted @@ -219,7 +219,7 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Secret envoy-gateway/client1-secret does not exist + message: Secret envoy-gateway/client1-secret does not exist. reason: Invalid status: "False" type: Accepted 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml index d2a6d6afab3..34cdbe793ff 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml @@ -86,7 +86,7 @@ securityPolicies: conditions: - lastTransitionTime: null message: 'Error fetching endpoints from issuer: invalid character ''<'' looking - for beginning of value' + for beginning of value.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml index 2ea3ac2420d..18d499d849c 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml @@ -197,7 +197,7 @@ securityPolicies: namespace: default conditions: - lastTransitionTime: null - message: Secret default/client1-secret does not exist + message: Secret default/client1-secret does not exist. reason: Invalid status: "False" type: Accepted @@ -234,7 +234,7 @@ securityPolicies: namespace: default conditions: - lastTransitionTime: null - message: Secret ref namespace must be unspecified/empty or default + message: Secret ref namespace must be unspecified/empty or default. reason: Invalid status: "False" type: Accepted @@ -270,7 +270,7 @@ securityPolicies: namespace: default conditions: - lastTransitionTime: null - message: Client secret not found in secret default/client3-secret + message: Client secret not found in secret default/client3-secret. reason: Invalid status: "False" type: Accepted diff --git a/internal/status/conditions.go b/internal/status/conditions.go index 092513184bb..036a59d1309 100644 --- a/internal/status/conditions.go 
+++ b/internal/status/conditions.go @@ -142,7 +142,7 @@ func conditionChanged(a, b metav1.Condition) bool { // Error2ConditionMsg format the error string to a Status condition message. // * Convert the first letter to capital -// * Append "." to the string if it doesn't exit +// * Append "." to the string if it doesn't exist func Error2ConditionMsg(err error) string { if err == nil { return "" @@ -161,6 +161,12 @@ func Error2ConditionMsg(err error) string { runes[0] = unicode.ToUpper(runes[0]) } + // Check if the last rune is a punctuation '.' and append it if not + last := runes[len(runes)-1] + if !unicode.IsPunct(last) || last != '.' { + runes = append(runes, '.') + } + // Convert the rune slice back to a string return string(runes) } diff --git a/internal/status/conditions_test.go b/internal/status/conditions_test.go index a1181b89b98..88620b7aa0c 100644 --- a/internal/status/conditions_test.go +++ b/internal/status/conditions_test.go @@ -356,7 +356,7 @@ func TestError2ConditionMsg(t *testing.T) { { name: "error with message", err: errors.New("something is wrong"), - expect: "Something is wrong", + expect: "Something is wrong.", }, } for _, tt := range testCases { From 8092fe6029929bbb78bf175d918ce9ee9f9bbd5b Mon Sep 17 00:00:00 2001 From: shawnh2 Date: Mon, 29 Apr 2024 16:48:13 +0800 Subject: [PATCH 2/4] refactor xpolicy err message Signed-off-by: shawnh2 --- internal/gatewayapi/backendtrafficpolicy.go | 88 +++++++++++-------- internal/gatewayapi/securitypolicy.go | 9 +- ...-extauth-invalid-no-matching-port.out.yaml | 2 +- ...licy-with-extauth-invalid-no-port.out.yaml | 4 +- ...xtauth-invalid-no-reference-grant.out.yaml | 4 +- ...y-with-extauth-invalid-no-service.out.yaml | 2 +- ...ypolicy-with-jwt-and-invalid-oidc.out.yaml | 4 +- ...typolicy-with-oidc-invalid-issuer.out.yaml | 4 +- ...olicy-with-oidc-invalid-secretref.out.yaml | 6 +- 9 files changed, 72 insertions(+), 51 deletions(-) 
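Review bot: In Error2ConditionMsg the added `runes[len(runes)-1]` indexes the slice without a length check, so an error whose message is the empty string would panic here unless a guard above the hunk (not visible) already returns early. The condition `!unicode.IsPunct(last) || last != '.'` also reduces to `last != '.'`, because '.' is itself punctuation. I would write `if n := len(runes); n > 0 && runes[n-1] != '.' { runes = append(runes, '.') }`. For joined errors only the final line receives the period, as the clienttrafficpolicy-http2 fixture shows, and TestError2ConditionMsg has no case for a message that already ends in '.' or is empty.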
diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 55f79723be3..c6c1c3757f7 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -6,6 +6,7 @@ package gatewayapi import ( + "errors" "fmt" "math" "net" @@ -13,7 +14,7 @@ import ( "strings" "time" - "github.com/pkg/errors" + perr "github.com/pkg/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" @@ -310,7 +311,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen // Build IR if policy.Spec.RateLimit != nil { if rl, err = t.buildRateLimit(policy); err != nil { - return errors.Wrap(err, "RateLimit") + return perr.WithMessage(err, "RateLimit") } } if policy.Spec.LoadBalancer != nil { @@ -324,7 +325,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen } if policy.Spec.CircuitBreaker != nil { if cb, err = t.buildCircuitBreaker(policy); err != nil { - return errors.Wrap(err, "CircuitBreaker") + return perr.WithMessage(err, "CircuitBreaker") } } @@ -333,7 +334,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen } if policy.Spec.TCPKeepalive != nil { if ka, err = t.buildTCPKeepAlive(policy); err != nil { - return errors.Wrap(err, "TCPKeepalive") + return perr.WithMessage(err, "TCPKeepalive") } } if policy.Spec.Retry != nil { @@ -344,7 +345,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen if policy.Spec.Timeout != nil { if to, err = t.buildTimeout(policy, nil); err != nil { - return errors.Wrap(err, "Timeout") + return perr.WithMessage(err, "Timeout") } } 
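Review bot: The `perr` alias keeps github.com/pkg/errors in this file only to prefix a message, and it now sits beside the stdlib `errors` import, which makes it easy to reach for the wrong package at a call site. `fmt.Errorf("RateLimit: %w", err)` produces the same `RateLimit: ...` text, stays compatible with `errors.Is`/`errors.As`, and needs no third-party import. The same applies to the `CircuitBreaker`, `TCPKeepalive` and `Timeout` wraps in the later hunks of this file and to the `OIDC`, `BasicAuth` and `ExtAuth` wraps added in securitypolicy.go. If the alias stays, a one-line comment on the import such as `// perr is used only for message prefixes; stdlib errors provides Join` would explain why both packages are present. The translate functions these hunks touch start and end outside the visible lines.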
@@ -385,7 +386,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen // some timeout setting originate from the route if policy.Spec.Timeout != nil { if to, err = t.buildTimeout(policy, r); err != nil { - return errors.Wrap(err, "Timeout") + return perr.WithMessage(err, "Timeout") } r.Timeout = to } @@ -418,7 +419,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back // Build IR if policy.Spec.RateLimit != nil { if rl, err = t.buildRateLimit(policy); err != nil { - return errors.Wrap(err, "RateLimit") + return perr.WithMessage(err, "RateLimit") } } if policy.Spec.LoadBalancer != nil { @@ -432,7 +433,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back } if policy.Spec.CircuitBreaker != nil { if cb, err = t.buildCircuitBreaker(policy); err != nil { - return errors.Wrap(err, "CircuitBreaker") + return perr.WithMessage(err, "CircuitBreaker") } } if policy.Spec.FaultInjection != nil { @@ -440,7 +441,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back } if policy.Spec.TCPKeepalive != nil { if ka, err = t.buildTCPKeepAlive(policy); err != nil { - return errors.Wrap(err, "TCPKeepalive") + return perr.WithMessage(err, "TCPKeepalive") } } if policy.Spec.Retry != nil { @@ -461,7 +462,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back if policy.Spec.Timeout != nil { if ct, err = t.buildTimeout(policy, nil); err != nil { - return errors.Wrap(err, "Timeout") + return perr.WithMessage(err, "Timeout") } } @@ -557,7 +558,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back if policy.Spec.Timeout != nil { if ct, err = t.buildTimeout(policy, r); err != nil { - return errors.Wrap(err, "Timeout") + return perr.WithMessage(err, "Timeout") } if r.Timeout == nil { 
@@ -1014,8 +1015,10 @@ func (t *Translator) buildCircuitBreaker(policy *egv1a1.BackendTrafficPolicy) (* func (t *Translator) buildTimeout(policy *egv1a1.BackendTrafficPolicy, r *ir.HTTPRoute) (*ir.Timeout, error) { var ( - tto *ir.TCPTimeout - hto *ir.HTTPTimeout + tto *ir.TCPTimeout + hto *ir.HTTPTimeout + terr bool + errs error ) pto := policy.Spec.Timeout @@ -1023,11 +1026,12 @@ func (t *Translator) buildTimeout(policy *egv1a1.BackendTrafficPolicy, r *ir.HTT if pto.TCP != nil && pto.TCP.ConnectTimeout != nil { d, err := time.ParseDuration(string(*pto.TCP.ConnectTimeout)) if err != nil { - return nil, fmt.Errorf("invalid ConnectTimeout value %s", *pto.TCP.ConnectTimeout) - } - - tto = &ir.TCPTimeout{ - ConnectTimeout: ptr.To(metav1.Duration{Duration: d}), + terr = true + errs = errors.Join(errs, fmt.Errorf("invalid ConnectTimeout value %s", *pto.TCP.ConnectTimeout)) + } else { + tto = &ir.TCPTimeout{ + ConnectTimeout: ptr.To(metav1.Duration{Duration: d}), + } } } 
@@ -1038,19 +1042,21 @@ func (t *Translator) buildTimeout(policy *egv1a1.BackendTrafficPolicy, r *ir.HTT if pto.HTTP.ConnectionIdleTimeout != nil { d, err := time.ParseDuration(string(*pto.HTTP.ConnectionIdleTimeout)) if err != nil { - return nil, fmt.Errorf("invalid ConnectionIdleTimeout value %s", *pto.HTTP.ConnectionIdleTimeout) + terr = true + errs = errors.Join(errs, fmt.Errorf("invalid ConnectionIdleTimeout value %s", *pto.HTTP.ConnectionIdleTimeout)) + } else { + cit = ptr.To(metav1.Duration{Duration: d}) } - - cit = ptr.To(metav1.Duration{Duration: d}) } if pto.HTTP.MaxConnectionDuration != nil { d, err := time.ParseDuration(string(*pto.HTTP.MaxConnectionDuration)) if err != nil { - return nil, fmt.Errorf("invalid MaxConnectionDuration value %s", *pto.HTTP.MaxConnectionDuration) + terr = true + errs = errors.Join(errs, fmt.Errorf("invalid MaxConnectionDuration value %s", *pto.HTTP.MaxConnectionDuration)) + } else { + mcd = ptr.To(metav1.Duration{Duration: d}) } - - mcd = ptr.To(metav1.Duration{Duration: d}) } hto = &ir.HTTPTimeout{ 
@@ -1061,24 +1067,32 @@ func (t *Translator) buildTimeout(policy *egv1a1.BackendTrafficPolicy, r *ir.HTT // http request timeout is translated during the gateway-api route resource translation // merge route timeout setting with backendtrafficpolicy timeout settings - if r != nil && r.Timeout != nil && r.Timeout.HTTP != nil && r.Timeout.HTTP.RequestTimeout != nil { - if hto == nil { - hto = &ir.HTTPTimeout{ - RequestTimeout: r.Timeout.HTTP.RequestTimeout, + if terr { + if r != nil && r.Timeout != nil { + return r.Timeout.DeepCopy(), errs + } + } else { + // http request timeout is translated during the gateway-api route resource translation + // merge route timeout setting with backendtrafficpolicy timeout settings + if r != nil && r.Timeout != nil && r.Timeout.HTTP != nil && r.Timeout.HTTP.RequestTimeout != nil { + if hto == nil { + hto = &ir.HTTPTimeout{ + RequestTimeout: r.Timeout.HTTP.RequestTimeout, + } + } else { + hto.RequestTimeout = r.Timeout.HTTP.RequestTimeout } - } else { - hto.RequestTimeout = r.Timeout.HTTP.RequestTimeout } - } - if hto != nil || tto != nil { - return &ir.Timeout{ - TCP: tto, - HTTP: hto, - }, nil + if hto != nil || tto != nil { + return &ir.Timeout{ + TCP: tto, + HTTP: hto, + }, nil + } } - return nil, nil + return nil, errs } func int64ToUint32(in int64) (uint32, bool) { diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index f03e46590db..4f7be1837cb 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -16,6 +16,7 @@ import ( "strconv" "strings" + perr "github.com/pkg/errors" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" @@ -356,6 +357,7 @@ func (t *Translator) translateSecurityPolicyForRoute( if oidc, err = t.buildOIDC( policy, resources); err != nil { + err = perr.WithMessage(err, "OIDC") errs = errors.Join(errs, err) } } 
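Review bot: On the `terr` path buildTimeout returns `r.Timeout.DeepCopy()` together with a non-nil `errs`, so a caller that forgets to check the error receives a timeout containing none of the policy's settings. The callers changed later in this series assign the result only when `err == nil`, which is safe, but the contract is not written down. A doc comment on the function would help, such as `// On invalid durations it returns the route's existing timeout (if any) and the joined errors; check the error before using the result.` The comment added inside the `else` also repeats the two context lines kept just above `if terr {`, so one copy can go. The function starts outside this hunk.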
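Review bot: The new `perr "github.com/pkg/errors"` import is used here only for `perr.WithMessage(err, "OIDC")`-style prefixing, which the standard library already covers. `err = fmt.Errorf("OIDC: %w", err)` should yield the same message and keeps the chain visible to `errors.Is`/`errors.As` (assuming `fmt` is in scope in this file; its import block is only partly shown). github.com/pkg/errors is archived upstream, so spreading it to more files adds reliance on an unmaintained package for no functional gain. The same applies to the import hunks for clienttrafficpolicy.go and envoyextensionpolicy.go later in the series; backendtrafficpolicy.go already used it before this change.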
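Review bot: After the OIDC error is prefixed and joined the function carries on, and the hunk does not show what gets programmed for the route when `oidc` is left nil. If the route is still served in that case, a SecurityPolicy with a broken OIDC section would expose the backend without the authentication it asked for. The same question applies to the BasicAuth and ExtAuth branches in the next hunks and to the three matching branches in translateSecurityPolicyForGateway. A comment at the first branch stating the intended outcome, for example `// on error the policy is rejected; routes must not be served unauthenticated`, would let a reader check the rest of the function against it. Both functions start and end outside these hunks.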
@@ -364,6 +366,7 @@ func (t *Translator) translateSecurityPolicyForRoute( if basicAuth, err = t.buildBasicAuth( policy, resources); err != nil { + err = perr.WithMessage(err, "BasicAuth") errs = errors.Join(errs, err) } } @@ -372,6 +375,7 @@ func (t *Translator) translateSecurityPolicyForRoute( if extAuth, err = t.buildExtAuth( policy, resources); err != nil { + err = perr.WithMessage(err, "ExtAuth") errs = errors.Join(errs, err) } } @@ -427,6 +431,7 @@ func (t *Translator) translateSecurityPolicyForGateway( if oidc, err = t.buildOIDC( policy, resources); err != nil { + err = perr.WithMessage(err, "OIDC") errs = errors.Join(errs, err) } } @@ -435,6 +440,7 @@ func (t *Translator) translateSecurityPolicyForGateway( if basicAuth, err = t.buildBasicAuth( policy, resources); err != nil { + err = perr.WithMessage(err, "BasicAuth") errs = errors.Join(errs, err) } } @@ -443,6 +449,7 @@ func (t *Translator) translateSecurityPolicyForGateway( if extAuth, err = t.buildExtAuth( policy, resources); err != nil { + err = perr.WithMessage(err, "ExtAuth") errs = errors.Join(errs, err) } } @@ -591,7 +598,7 @@ func (t *Translator) buildOIDC( // Generate a unique cookie suffix for oauth filters suffix := utils.Digest32(string(policy.UID)) - // Get the HMAC secret + // Get the HMAC secret. // HMAC secret is generated by the CertGen job and stored in a secret // We need to rotate the HMAC secret in the future, probably the same // way we rotate the certs generated by the CertGen job. diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml index aabb54434f4..64b870b5e47 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml 
@@ -126,7 +126,7 @@ securityPolicies: namespace: default conditions: - lastTransitionTime: null - message: TCP Port 80 not found on service default/http-backend. + message: 'ExtAuth: TCP Port 80 not found on service default/http-backend.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml index 1ef304673d8..67d42873f9b 100755 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml @@ -125,8 +125,8 @@ securityPolicies: namespace: default conditions: - lastTransitionTime: null - message: A valid port number corresponding to a port on the Service must be - specified. + message: 'ExtAuth: a valid port number corresponding to a port on the Service + must be specified.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml index 0dc44875c47..eecad291496 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml @@ -126,8 +126,8 @@ securityPolicies: namespace: default conditions: - lastTransitionTime: null - message: Backend ref to Service envoy-gateway/http-backend not permitted by - any ReferenceGrant. + message: 'ExtAuth: backend ref to Service envoy-gateway/http-backend not permitted + by any ReferenceGrant.' reason: Invalid status: "False" type: Accepted 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml index de2e3010da3..e5e3f1fc995 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml @@ -126,7 +126,7 @@ securityPolicies: namespace: default conditions: - lastTransitionTime: null - message: Service default/http-backend not found. + message: 'ExtAuth: service default/http-backend not found.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml index f2af5bd857a..2d3022a33bb 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml @@ -174,7 +174,7 @@ securityPolicies: sectionName: http conditions: - lastTransitionTime: null - message: Secret default/client2-secret does not exist. + message: 'OIDC: secret default/client2-secret does not exist.' reason: Invalid status: "False" type: Accepted @@ -219,7 +219,7 @@ securityPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: Secret envoy-gateway/client1-secret does not exist. + message: 'OIDC: secret envoy-gateway/client1-secret does not exist.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml index 34cdbe793ff..1102e64d406 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml 
@@ -85,8 +85,8 @@ securityPolicies: namespace: default conditions: - lastTransitionTime: null - message: 'Error fetching endpoints from issuer: invalid character ''<'' looking - for beginning of value.' + message: 'OIDC: error fetching endpoints from issuer: invalid character ''<'' + looking for beginning of value.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml index 18d499d849c..259908a1ad4 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml @@ -197,7 +197,7 @@ securityPolicies: namespace: default conditions: - lastTransitionTime: null - message: Secret default/client1-secret does not exist. + message: 'OIDC: secret default/client1-secret does not exist.' reason: Invalid status: "False" type: Accepted @@ -234,7 +234,7 @@ securityPolicies: namespace: default conditions: - lastTransitionTime: null - message: Secret ref namespace must be unspecified/empty or default. + message: 'OIDC: secret ref namespace must be unspecified/empty or default.' reason: Invalid status: "False" type: Accepted @@ -270,7 +270,7 @@ securityPolicies: namespace: default conditions: - lastTransitionTime: null - message: Client secret not found in secret default/client3-secret. + message: 'OIDC: client secret not found in secret default/client3-secret.' reason: Invalid status: "False" type: Accepted From 2bdf9807a143048d2e3bf07a1734d84154fe55c2 Mon Sep 17 00:00:00 2001 From: shawnh2 Date: Sat, 11 May 2024 15:11:57 +0800 Subject: [PATCH 3/4] refactor error processing logic for EEP & CTP 
Signed-off-by: shawnh2 --- internal/gatewayapi/backendtrafficpolicy.go | 79 ++++++++++--------- internal/gatewayapi/clienttrafficpolicy.go | 33 +++++--- internal/gatewayapi/envoyextensionpolicy.go | 5 ++ ...cy-buffer-limit-with-format-error.out.yaml | 2 +- ...fer-limit-with-out-of-range-error.out.yaml | 3 +- ...fficpolicy-connection-limit-error.out.yaml | 2 +- .../clienttrafficpolicy-http10.out.yaml | 3 +- .../clienttrafficpolicy-http2.out.yaml | 2 +- ...ficpolicy-idle-timeout-with-error.out.yaml | 2 +- ...ttrafficpolicy-timeout-with-error.out.yaml | 2 +- ...-extproc-invalid-no-matching-port.out.yaml | 2 +- ...licy-with-extproc-invalid-no-port.out.yaml | 4 +- ...xtproc-invalid-no-reference-grant.out.yaml | 4 +- ...y-with-extproc-invalid-no-service.out.yaml | 2 +- 14 files changed, 82 insertions(+), 63 deletions(-) diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 50119ab0d07..54c0f21d893 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -287,22 +287,23 @@ func resolveBTPolicyRouteTargetRef(policy *egv1a1.BackendTrafficPolicy, routes m func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.BackendTrafficPolicy, route RouteContext, xdsIR XdsIRMap) error { var ( - rl *ir.RateLimit - lb *ir.LoadBalancer - pp *ir.ProxyProtocol - hc *ir.HealthCheck - cb *ir.CircuitBreaker - fi *ir.FaultInjection - to *ir.Timeout - ka *ir.TCPKeepalive - rt *ir.Retry - err error + rl *ir.RateLimit + lb *ir.LoadBalancer + pp *ir.ProxyProtocol + hc *ir.HealthCheck + cb *ir.CircuitBreaker + fi *ir.FaultInjection + to *ir.Timeout + ka *ir.TCPKeepalive + rt *ir.Retry + err, errs error ) // Build IR if policy.Spec.RateLimit != nil { if rl, err = t.buildRateLimit(policy); err != nil { - return perr.WithMessage(err, "RateLimit") + err = perr.WithMessage(err, "RateLimit") + errs = errors.Join(errs, err) } } if policy.Spec.LoadBalancer != nil { 
@@ -316,7 +317,8 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen } if policy.Spec.CircuitBreaker != nil { if cb, err = t.buildCircuitBreaker(policy); err != nil { - return perr.WithMessage(err, "CircuitBreaker") + err = perr.WithMessage(err, "CircuitBreaker") + errs = errors.Join(errs, err) } } @@ -325,7 +327,8 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen } if policy.Spec.TCPKeepalive != nil { if ka, err = t.buildTCPKeepAlive(policy); err != nil { - return perr.WithMessage(err, "TCPKeepalive") + err = perr.WithMessage(err, "TCPKeepalive") + errs = errors.Join(errs, err) } } if policy.Spec.Retry != nil { @@ -336,7 +339,8 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen if policy.Spec.Timeout != nil { if to, err = t.buildTimeout(policy, nil); err != nil { - return perr.WithMessage(err, "Timeout") + err = perr.WithMessage(err, "Timeout") + errs = errors.Join(errs, err) } } @@ -378,10 +382,9 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen // some timeout setting originate from the route if policy.Spec.Timeout != nil { - if to, err = t.buildTimeout(policy, r); err != nil { - return perr.WithMessage(err, "Timeout") + if to, err = t.buildTimeout(policy, r); err == nil { + r.Timeout = to } - r.Timeout = to } if policy.Spec.UseClientProtocol != nil { 
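Review bot: In the per-route loop the error from `t.buildTimeout(policy, r)` is now dropped without a word, and only the success path assigns `r.Timeout`. That looks deliberate, since the same durations were already parsed and reported by the earlier `buildTimeout(policy, nil)` call, but a silently ignored error needs a why-comment, e.g. `// parse errors were already recorded above; on failure the route keeps its own timeout`. The same applies to the `err == nil && r.Timeout == nil` form added in translateBackendTrafficPolicyForGateway. The loop this sits in starts outside the hunk.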
@@ -392,27 +395,28 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen } } - return nil + return errs } func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.BackendTrafficPolicy, gateway *GatewayContext, xdsIR XdsIRMap) error { var ( - rl *ir.RateLimit - lb *ir.LoadBalancer - pp *ir.ProxyProtocol - hc *ir.HealthCheck - cb *ir.CircuitBreaker - fi *ir.FaultInjection - ct *ir.Timeout - ka *ir.TCPKeepalive - rt *ir.Retry - err error + rl *ir.RateLimit + lb *ir.LoadBalancer + pp *ir.ProxyProtocol + hc *ir.HealthCheck + cb *ir.CircuitBreaker + fi *ir.FaultInjection + ct *ir.Timeout + ka *ir.TCPKeepalive + rt *ir.Retry + err, errs error ) // Build IR if policy.Spec.RateLimit != nil { if rl, err = t.buildRateLimit(policy); err != nil { - return perr.WithMessage(err, "RateLimit") + err = perr.WithMessage(err, "RateLimit") + errs = errors.Join(errs, err) } } if policy.Spec.LoadBalancer != nil { @@ -426,7 +430,8 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back } if policy.Spec.CircuitBreaker != nil { if cb, err = t.buildCircuitBreaker(policy); err != nil { - return perr.WithMessage(err, "CircuitBreaker") + err = perr.WithMessage(err, "CircuitBreaker") + errs = errors.Join(errs, err) } } if policy.Spec.FaultInjection != nil { @@ -434,7 +439,8 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back } if policy.Spec.TCPKeepalive != nil { if ka, err = t.buildTCPKeepAlive(policy); err != nil { - return perr.WithMessage(err, "TCPKeepalive") + err = perr.WithMessage(err, "TCPKeepalive") + errs = errors.Join(errs, err) } } if policy.Spec.Retry != nil { @@ -452,7 +458,8 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back if policy.Spec.Timeout != nil { if ct, err = t.buildTimeout(policy, nil); err != nil { - return perr.WithMessage(err, "Timeout") + err = perr.WithMessage(err, "Timeout") + errs = errors.Join(errs, err) } } 
@@ -549,11 +556,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back } if policy.Spec.Timeout != nil { - if ct, err = t.buildTimeout(policy, r); err != nil { - return perr.WithMessage(err, "Timeout") - } - - if r.Timeout == nil { + if ct, err = t.buildTimeout(policy, r); err == nil && r.Timeout == nil { r.Timeout = ct } } @@ -566,7 +569,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back } } - return nil + return errs } func (t *Translator) buildRateLimit(policy *egv1a1.BackendTrafficPolicy) (*ir.RateLimit, error) { diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index 8cc054dee71..7b29d0eb09f 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -13,6 +13,7 @@ import ( "strings" "time" + perr "github.com/pkg/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" @@ -360,6 +361,8 @@ func validatePortOverlapForClientTrafficPolicy(l *ListenerContext, xds *ir.Xds, func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.ClientTrafficPolicy, l *ListenerContext, xdsIR XdsIRMap, infraIR InfraIRMap, resources *Resources, ) error { + var err, errs error + // Find IR irKey := t.getIRKey(l.gateway) // It must exist since we've already finished processing the gateways @@ -384,8 +387,9 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie translateListenerTCPKeepalive(policy.Spec.TCPKeepalive, httpIR) // Translate Connection - if err := translateListenerConnection(policy.Spec.Connection, httpIR); err != nil { - return err + if err = translateListenerConnection(policy.Spec.Connection, httpIR); err != nil { + err = perr.WithMessage(err, "Connection") + errs = errors.Join(errs, err) } // Translate Proxy Protocol 
@@ -401,18 +405,21 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie translatePathSettings(policy.Spec.Path, httpIR) // Translate Client Timeout Settings - if err := translateClientTimeout(policy.Spec.Timeout, httpIR); err != nil { - return err + if err = translateClientTimeout(policy.Spec.Timeout, httpIR); err != nil { + err = perr.WithMessage(err, "Timeout") + errs = errors.Join(errs, err) } // Translate HTTP1 Settings - if err := translateHTTP1Settings(policy.Spec.HTTP1, httpIR); err != nil { - return err + if err = translateHTTP1Settings(policy.Spec.HTTP1, httpIR); err != nil { + err = perr.WithMessage(err, "HTTP1") + errs = errors.Join(errs, err) } // Translate HTTP2 Settings - if err := translateHTTP2Settings(policy.Spec.HTTP2, httpIR); err != nil { - return err + if err = translateHTTP2Settings(policy.Spec.HTTP2, httpIR); err != nil { + err = perr.WithMessage(err, "HTTP2") + errs = errors.Join(errs, err) } // enable http3 if set and TLS is enabled @@ -434,11 +441,13 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie } // Translate TLS parameters - if err := t.translateListenerTLSParameters(policy, httpIR, resources); err != nil { - return err + if err = t.translateListenerTLSParameters(policy, httpIR, resources); err != nil { + err = perr.WithMessage(err, "TLS") + errs = errors.Join(errs, err) } } - return nil + + return errs } func translateListenerTCPKeepalive(tcpKeepAlive *egv1a1.TCPKeepalive, httpIR *ir.HTTPListener) { @@ -570,7 +579,7 @@ func translateHTTP1Settings(http1Settings *egv1a1.HTTP1Settings, httpIR *ir.HTTP } } if defaultHost == nil { - return fmt.Errorf("can't set http10 default host on listener with only wildcard hostnames") + return fmt.Errorf("cannot set http10 default host on listener with only wildcard hostnames") } } // If useDefaultHost was set, then defaultHost will have the hostname to use. 
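Review bot: Prefixing with `perr.WithMessage(err, "HTTP2")` labels only the first line when the wrapped error is itself a multi-line join. The updated clienttrafficpolicy-http2.out.yaml fixture shows `HTTP2:` on the InitialStreamWindowSize line and nothing on the InitialConnectionWindowSize line below it. Once several sections fail together, someone reading the status condition cannot tell which section an unprefixed line belongs to. Prefixing each inner error where it is created (inside translateHTTP2Settings, which is outside this hunk) would keep the section visible on every line.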
diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 905919ea852..4992261d197 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go @@ -12,6 +12,7 @@ import ( "strings" "time" + perr "github.com/pkg/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" @@ -293,9 +294,11 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(policy *egv1a1.EnvoyE ) if extProcs, err = t.buildExtProcs(policy, resources); err != nil { + err = perr.WithMessage(err, "ExtProcs") errs = errors.Join(errs, err) } if wasms, err = t.buildWasms(policy); err != nil { + err = perr.WithMessage(err, "WASMs") errs = errors.Join(errs, err) } @@ -350,9 +353,11 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway(policy *egv1a1.Envo policyTarget := irStringKey(policy.Namespace, string(policy.Spec.TargetRef.Name)) if extProcs, err = t.buildExtProcs(policy, resources); err != nil { + err = perr.WithMessage(err, "ExtProcs") errs = errors.Join(errs, err) } if wasms, err = t.buildWasms(policy); err != nil { + err = perr.WithMessage(err, "WASMs") errs = errors.Join(errs, err) } diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml index 85bdb7288c4..246db14238b 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml @@ -23,7 +23,7 @@ clientTrafficPolicies: sectionName: http-1 conditions: - lastTransitionTime: null - message: Invalid BufferLimit value 500m. + message: 'Connection: invalid BufferLimit value 500m.' reason: Invalid status: "False" type: Accepted 
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml index ad0823a128a..cabe1f7a6e2 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml @@ -23,7 +23,8 @@ clientTrafficPolicies: sectionName: http-1 conditions: - lastTransitionTime: null - message: BufferLimit value 100G is out of range, must be between 0 and 4294967295. + message: 'Connection: BufferLimit value 100G is out of range, must be between + 0 and 4294967295.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml index e47c88aec96..eaea65e56a1 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml @@ -25,7 +25,7 @@ clientTrafficPolicies: sectionName: http-1 conditions: - lastTransitionTime: null - message: Invalid CloseDelay value 10mib. + message: 'Connection: invalid CloseDelay value 10mib.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml index 7ef16359c35..4a8a3b98f03 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml 
@@ -83,7 +83,8 @@ clientTrafficPolicies: sectionName: http-3 conditions: - lastTransitionTime: null - message: Can't set http10 default host on listener with only wildcard hostnames. + message: 'HTTP1: cannot set http10 default host on listener with only wildcard + hostnames.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml index 66ae344996b..cf410dffe52 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml @@ -57,7 +57,7 @@ clientTrafficPolicies: conditions: - lastTransitionTime: null message: |- - InitialStreamWindowSize value 1Ki is out of range, must be between 65535 and 2147483647 + HTTP2: InitialStreamWindowSize value 1Ki is out of range, must be between 65535 and 2147483647 InitialConnectionWindowSize value 1Ti is out of range, must be between 65535 and 2147483647. reason: Invalid status: "False" diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml index 98212a2341f..6989cb91d4a 100755 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml @@ -22,7 +22,7 @@ clientTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'Time: unknown unit "sec" in duration "10sec".' + message: 'Timeout: time: unknown unit "sec" in duration "10sec".' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml index 4f8aab7ebe3..7efaef7eb33 100644 
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml @@ -22,7 +22,7 @@ clientTrafficPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'Time: unknown unit "sec" in duration "5sec".' + message: 'Timeout: time: unknown unit "sec" in duration "5sec".' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml index 6ae35b8f386..823f2f25a2f 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml @@ -23,7 +23,7 @@ envoyExtensionPolicies: namespace: default conditions: - lastTransitionTime: null - message: TCP Port 4000 not found on service default/grpc-backend. + message: 'ExtProcs: TCP Port 4000 not found on service default/grpc-backend.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml index d259a991336..72413e49c64 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml @@ -22,8 +22,8 @@ envoyExtensionPolicies: namespace: default conditions: - lastTransitionTime: null - message: A valid port number corresponding to a port on the Service must be - specified. + message: 'ExtProcs: a valid port number corresponding to a port on the Service + must be specified.' reason: Invalid status: "False" type: Accepted 
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml index 0d596d9a2f8..c59e87bf5ee 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml @@ -24,8 +24,8 @@ envoyExtensionPolicies: namespace: default conditions: - lastTransitionTime: null - message: Backend ref to Service envoy-gateway/grpc-backend not permitted by - any ReferenceGrant. + message: 'ExtProcs: backend ref to Service envoy-gateway/grpc-backend not + permitted by any ReferenceGrant.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml index 571bd131f05..7af1d65ce61 100755 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml @@ -24,7 +24,7 @@ envoyExtensionPolicies: namespace: default conditions: - lastTransitionTime: null - message: Service envoy-gateway/grpc-backend not found. + message: 'ExtProcs: service envoy-gateway/grpc-backend not found.' reason: Invalid status: "False" type: Accepted From f4b0742008e36008a37f9c92be64ec23b7762a00 Mon Sep 17 00:00:00 2001 From: shawnh2 Date: Thu, 23 May 2024 11:42:07 +0800 Subject: [PATCH 4/4] fix test and add refactor error processing login 
Signed-off-by: shawnh2 --- internal/gatewayapi/backendtrafficpolicy.go | 34 ++++++---- internal/gatewayapi/clienttrafficpolicy.go | 20 ++++-- internal/gatewayapi/envoyextensionpolicy.go | 68 +++++++++++-------- .../backendtlspolicy-across-ns.out.yaml | 14 +--- 4 files changed, 77 insertions(+), 59 deletions(-) diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 2a31754160f..1664370d512 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -321,7 +321,6 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen errs = errors.Join(errs, err) } } - if policy.Spec.FaultInjection != nil { fi = t.buildFaultInjection(policy) } @@ -334,9 +333,6 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen if policy.Spec.Retry != nil { rt = t.buildRetry(policy) } - // Apply IR to all relevant routes - prefix := irRoutePrefix(route) - if policy.Spec.Timeout != nil { if to, err = t.buildTimeout(policy, nil); err != nil { err = perr.WithMessage(err, "Timeout") @@ -344,6 +340,14 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen } } + // Early return if got any errors + if errs != nil { + return errs + } + + // Apply IR to all relevant routes + prefix := irRoutePrefix(route) + for _, x := range xdsIR { for _, tcp := range x.TCP { for _, r := range tcp.Routes { @@ -402,7 +406,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen } } - return errs + return nil } func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.BackendTrafficPolicy, gateway *GatewayContext, xdsIR XdsIRMap) error { 
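Review bot: The new `if errs != nil { return errs }` makes the policy all-or-nothing: one unparsable field, such as a Timeout duration, now also discards a valid RateLimit or CircuitBreaker, and the routes presumably keep being served without them. That may well be the intended behaviour, but it is a fail-open outcome for the protective settings and the comment `// Early return if got any errors` does not say so. I would state it, e.g. `// Reject the whole policy on any error: no part of it is applied to the routes`, and confirm that the caller surfaces the returned error on the policy status (the caller is outside this diff). The same early return is added in translateBackendTrafficPolicyForGateway, in translateClientTrafficPolicyForListener (where it also leaves `tcpIR.TLS` unchanged) and in both EnvoyExtensionPolicy translators.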
@@ -453,6 +457,17 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back if policy.Spec.Retry != nil { rt = t.buildRetry(policy) } + if policy.Spec.Timeout != nil { + if ct, err = t.buildTimeout(policy, nil); err != nil { + err = perr.WithMessage(err, "Timeout") + errs = errors.Join(errs, err) + } + } + + // Early return if got any errors + if errs != nil { + return errs + } // Apply IR to all the routes within the specific Gateway // If the feature is already set, then skip it, since it must be have @@ -463,13 +478,6 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back policyTarget := irStringKey(policy.Namespace, string(policy.Spec.TargetRef.Name)) - if policy.Spec.Timeout != nil { - if ct, err = t.buildTimeout(policy, nil); err != nil { - err = perr.WithMessage(err, "Timeout") - errs = errors.Join(errs, err) - } - } - for _, tcp := range x.TCP { gatewayName := tcp.Name[0:strings.LastIndex(tcp.Name, "/")] if t.MergeGateways && gatewayName != policyTarget { @@ -562,7 +570,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back } } - return errs + return nil } func (t *Translator) buildRateLimit(policy *egv1a1.BackendTrafficPolicy) (*ir.RateLimit, error) { diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index 668f9f756f8..c5da32c4c60 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -386,8 +386,8 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie var ( keepalive *ir.TCPKeepalive connection *ir.Connection - enableProxyProtocol bool tlsConfig *ir.TLSConfig + enableProxyProtocol bool err, errs error ) 
@@ -395,7 +395,8 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie // Translate TCPKeepalive keepalive, err = buildKeepAlive(policy.Spec.TCPKeepalive) if err != nil { - return err + err = perr.WithMessage(err, "TCP KeepAlive") + errs = errors.Join(errs, err) } // Translate Connection @@ -462,6 +463,11 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie errs = errors.Join(errs, err) } + // Early return if got any errors + if errs != nil { + return errs + } + httpIR.TCPKeepalive = keepalive httpIR.Connection = connection httpIR.EnableProxyProtocol = enableProxyProtocol @@ -472,7 +478,13 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie // Translate TLS parameters tlsConfig, err = t.buildListenerTLSParameters(policy, tcpIR.TLS, resources) if err != nil { - return err + err = perr.WithMessage(err, "TLS") + errs = errors.Join(errs, err) + } + + // Early return if got any errors + if errs != nil { + return errs } tcpIR.TCPKeepalive = keepalive @@ -481,7 +493,7 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie tcpIR.TLS = tlsConfig } - return errs + return nil } func buildKeepAlive(tcpKeepAlive *egv1a1.TCPKeepalive) (*ir.TCPKeepalive, error) { diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 4992261d197..16229f2d7c9 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go 
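Review bot: The prefix `"TCP KeepAlive"` does not match the `"TCPKeepalive"` prefix used for the same setting in the BackendTrafficPolicy translators, and unlike the other prefixes it is not the spec field name (`policy.Spec.TCPKeepalive`). These strings end up in status conditions that people search and alert on, so I would use `err = perr.WithMessage(err, "TCPKeepalive")` here as well.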
@@ -302,10 +302,15 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(policy *egv1a1.EnvoyE errs = errors.Join(errs, err) } + // Early return if got any errors + if errs != nil { + return errs + } + // Apply IR to all relevant routes prefix := irRoutePrefix(route) - for _, ir := range xdsIR { - for _, http := range ir.HTTP { + for _, x := range xdsIR { + for _, http := range x.HTTP { for _, r := range http.Routes { // Apply if there is a match if strings.HasPrefix(r.Name, prefix) { @@ -316,25 +321,7 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(policy *egv1a1.EnvoyE } } - return errs -} - -func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resources *Resources) ([]ir.ExtProc, error) { - var extProcIRList []ir.ExtProc - - if policy == nil { - return nil, nil - } - - for idx, ep := range policy.Spec.ExtProc { - name := irConfigNameForEEP(policy, idx) - extProcIR, err := t.buildExtProc(name, utils.NamespacedName(policy), ep, idx, resources) - if err != nil { - return nil, err - } - extProcIRList = append(extProcIRList, *extProcIR) - } - return extProcIRList, nil + return nil } func (t *Translator) translateEnvoyExtensionPolicyForGateway(policy *egv1a1.EnvoyExtensionPolicy, @@ -346,12 +333,6 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway(policy *egv1a1.Envo err, errs error ) - irKey := t.getIRKey(gateway.Gateway) - // Should exist since we've validated this - ir := xdsIR[irKey] - - policyTarget := irStringKey(policy.Namespace, string(policy.Spec.TargetRef.Name)) - if extProcs, err = t.buildExtProcs(policy, resources); err != nil { err = perr.WithMessage(err, "ExtProcs") errs = errors.Join(errs, err) 
@@ -361,7 +342,18 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway(policy *egv1a1.Envo errs = errors.Join(errs, err) } - for _, http := range ir.HTTP { + // Early return if got any errors + if errs != nil { + return errs + } + + irKey := t.getIRKey(gateway.Gateway) + // Should exist since we've validated this + x := xdsIR[irKey] + + policyTarget := irStringKey(policy.Namespace, string(policy.Spec.TargetRef.Name)) + + for _, http := range x.HTTP { gatewayName := http.Name[0:strings.LastIndex(http.Name, "/")] if t.MergeGateways && gatewayName != policyTarget { continue @@ -385,7 +377,25 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway(policy *egv1a1.Envo } } - return errs + return nil +} + +func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resources *Resources) ([]ir.ExtProc, error) { + var extProcIRList []ir.ExtProc + + if policy == nil { + return nil, nil + } + + for idx, ep := range policy.Spec.ExtProc { + name := irConfigNameForEEP(policy, idx) + extProcIR, err := t.buildExtProc(name, utils.NamespacedName(policy), ep, idx, resources) + if err != nil { + return nil, err + } + extProcIRList = append(extProcIRList, *extProcIR) + } + return extProcIRList, nil } func (t *Translator) buildExtProc( diff --git a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml index 63c7aeeca6a..f12999aa1e9 100755 --- a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml 
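Review bot: The relocated lookup `x := xdsIR[irKey]` is not checked before the loop reads `x.HTTP`, so the comment "Should exist since we've validated this" is the only protection against a nil dereference if the key is missing, assuming xdsIR maps to pointers (its type is declared outside this hunk). Since this function now returns errors before touching the IR anyway, a guard fits the same style: `x, ok := xdsIR[irKey]` followed by `if !ok { return errors.New("no xds IR for gateway") }`. That turns a violated assumption into a reported policy error instead of a translator crash. The function starts above this hunk.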
@@ -18,19 +18,7 @@ backendTLSPolicies: name: ca-cmap hostname: example.com status: - ancestors: - - ancestorRef: - name: gateway-btls - namespace: envoy-gateway - sectionName: http - conditions: - - lastTransitionTime: null - message: Target ref to Service backends/http-backend not permitted by any - ReferenceGrant. - reason: Invalid - status: "False" - type: Accepted - controllerName: gateway.envoyproxy.io/gatewayclass-controller + ancestors: null gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway
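Review bot: This expected output no longer records the rejection at all: the `Accepted` condition with status "False" and the message "not permitted by any ReferenceGrant" is replaced by `ancestors: null`, which is more than the trailing-period change the commit subject describes. If that reflects real translator behaviour, a cross-namespace BackendTLSPolicy that lacks a ReferenceGrant would now show an empty status instead of an explicit denial, and operators lose the signal that the reference was refused. The code responsible is not in this part of the diff, so please confirm the change is intended rather than a regenerated golden file masking a regression. If it is intended, a line in the commit message explaining it would help.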