gateway-apis: HTTPRoute with 0 weight still forward the request to backend

[nak3]

Bug description

• Istio still forwards the request to backend even when HTTPRoute sets weight: 0.

[X] Networking

Expected behavior

• weight: 0 should not forward the request.

Steps to reproduce the bug

1. Prepare k8s cluster with non-default cluster domain

2. Install Istio

For example, I am using the following manifest.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      proxy:
        autoInject: disabled
        clusterDomain: cluster.local
      useMCP: false
      # The third-party-jwt is not enabled on all k8s.
      # See: https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens
      jwtPolicy: first-party-jwt
    pilot:
      autoscaleMin: 1
      autoscaleMax: 3
      cpu:
        targetAverageUtilization: 60
      env:
        PILOT_ENABLED_SERVICE_APIS: true

    gateways:
      istio-ingressgateway:
        autoscaleMin: 1
        autoscaleMax: 3
        type: NodePort

  addonComponents:
    pilot:
      enabled: true

  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          resources:
            requests:
              cpu: 100m
              memory: 256Mi

3. deploy Gateway,GatewayClass,HTTPRoute (with weight=0) ,Deployments

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: gateway-demo
---
apiVersion: networking.x-k8s.io/v1alpha1
kind: GatewayClass
metadata:
  name: istio
spec:
  controller: istio.io/gateway-controller
---
kind: Gateway
apiVersion: networking.x-k8s.io/v1alpha1
metadata:
  name: simple-gateway
  namespace: gateway-demo
spec:
  gatewayClassName: istio
  listeners:  # Use GatewayClass defaults for listener definition.
  - protocol: HTTP
    port: 80
    routes:
      kind: HTTPRoute
      namespaces:
        from: "All"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: foo
  namespace: gateway-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: foo
  template:
    metadata:
      labels:
        app: foo
    spec:
      containers:
      - name: whereami
        image: docker.io/kennethreitz/httpbin
        ports:
          - containerPort: 80
        env:
        - name: METADATA
          value: "foo"
---
apiVersion: v1
kind: Service
metadata:
  name: foo-svc
  namespace: gateway-demo
spec:
  selector:
    app: foo
  ports:
  - port: 8000
    targetPort: 80
---
apiVersion: networking.x-k8s.io/v1alpha1
kind: HTTPRoute
metadata:
  name: test
  namespace: gateway-demo
spec:
  gateways:
    allow: SameNamespace
  hostnames:
  - "*"
  rules:
  - forwardTo:
    - port: 8000
      serviceName: foo-svc
      weight: 0
    matches:
    - path:
        type: Prefix
        value: /
EOF

4. Access to the service

The access still works.

$ curl $IP:$PORT/headers -s -o /dev/null -w "%{http_code}" 
200

Version

$ istioctl version
client version: 1.10-alpha.75974d56a327e9857f36d17151b2ef3146745b92
control plane version: 1.10-dev
data plane version: 1.10-alpha.75974d56a327e9857f36d17151b2ef3146745b92 (2 proxies)

[howardjohn]

What is the expectation when you have a single host with weight=0? I am not actually sure what the spec defines here? It seems like maybe it should be invalid?

[nak3]

As per spec comment:
https://github.com/kubernetes-sigs/gateway-api/blob/1caea70dce2571124a7a4887d32076ff8aa166e2/apis/v1alpha1/httproute_types.go#L624-L627

   // If only one backend is specified and it has a weight greater than 0, 100%
   // of the traffic is forwarded to that backend. If weight is set to 0, no
   // traffic should be forwarded for this entry.

it seems that weight = 0 for only one backend is not invalid but just should not forward the traffic.

[howardjohn]

hmm.. and what should happen? we send a 404? it really seems odd to have only a single weight=0 backend..

[nak3]

Okay, I will open an issue against gateway-apis repo to make sure.

[nak3]

Opened kubernetes-sigs/gateway-api#596