bump gateway-api to support arm64

go.mod

@@ -98,7 +98,7 @@ require (
 	k8s.io/kubectl v0.24.2
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
 	sigs.k8s.io/controller-runtime v0.12.2
-	sigs.k8s.io/gateway-api v0.5.0
+	sigs.k8s.io/gateway-api v0.5.1-0.20220815164014-854e2bfc5276
 	sigs.k8s.io/mcs-api v0.1.0
 	sigs.k8s.io/yaml v1.3.0
 )

go.sum

@@ -2536,8 +2536,8 @@ sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gE
 sigs.k8s.io/controller-runtime v0.12.2 h1:nqV02cvhbAj7tbt21bpPpTByrXGn2INHRsi39lXy9sE=
 sigs.k8s.io/controller-runtime v0.12.2/go.mod h1:qKsk4WE6zW2Hfj0G4v10EnNB2jMG1C+NTb8h+DwCoU0=
 sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI=
-sigs.k8s.io/gateway-api v0.5.0 h1:ze+k9fJqvmL8s1t3e4q1ST8RnN+f09dEv+gfacahlAE=
-sigs.k8s.io/gateway-api v0.5.0/go.mod h1:x0AP6gugkFV8fC/oTlnOMU0pnmuzIR8LfIPRVUjxSqA=
+sigs.k8s.io/gateway-api v0.5.1-0.20220815164014-854e2bfc5276 h1:7L9X/IkG9/Ww8Glcbtf8KTZde8kReC3m2e1RGRytANQ=
+sigs.k8s.io/gateway-api v0.5.1-0.20220815164014-854e2bfc5276/go.mod h1:x0AP6gugkFV8fC/oTlnOMU0pnmuzIR8LfIPRVUjxSqA=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY=
 sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4=

pilot/pkg/config/kube/gateway/conditions.go

@@ -145,7 +145,9 @@ const (
 	// InvalidFilter indicates an issue with the filters
 	InvalidFilter ConfigErrorReason = "InvalidFilter"
 	// InvalidTLS indicates an issue with TLS settings
-	InvalidTLS ConfigErrorReason = "InvalidTLS"
+	InvalidTLS ConfigErrorReason = ConfigErrorReason(k8s.ListenerReasonInvalidCertificateRef)
+	// InvalidListenerRefNotPermitted indicates a listener reference was not permitted
+	InvalidListenerRefNotPermitted ConfigErrorReason = ConfigErrorReason(k8s.ListenerReasonRefNotPermitted)
 	// InvalidConfiguration indicates a generic error for all other invalid configurations
 	InvalidConfiguration ConfigErrorReason = "InvalidConfiguration"
 )

pilot/pkg/config/kube/gateway/conversion.go

@@ -1546,14 +1546,8 @@ func buildListener(r ConfigContext, obj config.Config, l k8s.Listener, listenerI
 	defer reportListenerCondition(listenerIndex, l, obj, listenerConditions)
 	tls, err := buildTLS(r.AllowedReferences, l.TLS, obj.Namespace, isAutoPassthrough(obj, l))
 	if err != nil {
-		listenerConditions[string(k8s.ListenerConditionReady)].error = &ConfigError{
-			Reason:  string(k8s.ListenerReasonInvalid),
-			Message: err.Message,
-		}
-		listenerConditions[string(k8s.ListenerConditionResolvedRefs)].error = &ConfigError{
-			Reason:  string(k8s.ListenerReasonInvalidCertificateRef),
-			Message: err.Message,
-		}
+		listenerConditions[string(k8s.ListenerConditionReady)].error = err
+		listenerConditions[string(k8s.ListenerConditionResolvedRefs)].error = err
 		return nil, false
 	}
 	hostnames := buildHostnameMatch(obj.Namespace, r.KubernetesResources, l)
@@ -1613,7 +1607,7 @@ func buildTLS(refs AllowedReferences, tls *k8s.GatewayTLSConfig, namespace strin
 		out.Mode = istio.ServerTLSSettings_SIMPLE
 		if len(tls.CertificateRefs) != 1 {
 			// This is required in the API, should be rejected in validation
-			return nil, &ConfigError{Reason: InvalidConfiguration, Message: "exactly 1 certificateRefs should be present for TLS termination"}
+			return nil, &ConfigError{Reason: InvalidTLS, Message: "exactly 1 certificateRefs should be present for TLS termination"}
 		}
 		cred, err := buildSecretReference(tls.CertificateRefs[0], namespace)
 		if err != nil {
@@ -1623,7 +1617,7 @@ func buildTLS(refs AllowedReferences, tls *k8s.GatewayTLSConfig, namespace strin
 		sameNamespace := credNs == namespace
 		if !sameNamespace && !refs.SecretAllowed(credentials.ToResourceName(cred), namespace) {
 			return nil, &ConfigError{
-				Reason: InvalidConfiguration,
+				Reason: InvalidListenerRefNotPermitted,
 				Message: fmt.Sprintf(
 					"certificateRef %v/%v not accessible to a Gateway in namespace %q (missing a ReferenceGrant?)",
 					tls.CertificateRefs[0].Name, credNs, namespace,

pilot/pkg/config/kube/gateway/conversion_test.go

@@ -337,12 +337,8 @@ func TestConvertResources(t *testing.T) {
 				return output.VirtualService[i].Namespace+"/"+output.VirtualService[i].Name < output.VirtualService[j].Namespace+"/"+output.VirtualService[j].Name
 			})
 			goldenFile := fmt.Sprintf("testdata/%s.yaml.golden", tt.name)
-			if util.Refresh() {
-				res := append(output.Gateway, output.VirtualService...)
-				if err := os.WriteFile(goldenFile, marshalYaml(t, res), 0o644); err != nil {
-					t.Fatal(err)
-				}
-			}
+			res := append(output.Gateway, output.VirtualService...)
+			util.CompareContent(t, marshalYaml(t, res), goldenFile)
 			golden := splitOutput(readConfig(t, goldenFile, validator))
 
 			// sort virtual services to make the order deterministic

pilot/pkg/config/kube/gateway/testdata/invalid.status.yaml.golden

@@ -244,7 +244,7 @@ status:
     - lastTransitionTime: fake
       message: invalid certificate reference core/unknown/my-cert-http., only secret
         is allowed
-      reason: Invalid
+      reason: InvalidCertificateRef
       status: "False"
       type: Ready
     - lastTransitionTime: fake

pilot/pkg/config/kube/gateway/testdata/invalid.yaml.golden

@@ -92,49 +92,49 @@ apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
   annotations:
-    internal.istio.io/parent: HTTPRoute/invalid-backendRef-notfound.default
+    internal.istio.io/parent: HTTPRoute/invalid-backendRef-mixed.default
     internal.istio.io/route-semantics: gateway
   creationTimestamp: null
-  name: invalid-backendRef-notfound-0-istio-autogenerated-k8s-gateway
+  name: invalid-backendRef-mixed-0-istio-autogenerated-k8s-gateway
   namespace: default
 spec:
   gateways:
   - istio-system/gateway-istio-autogenerated-k8s-gateway-default
   hosts:
-  - second.domain.example
+  - third.domain.example
   http:
   - route:
     - destination:
         host: nonexistent.default.svc.domain.suffix
         port:
           number: 80
+      weight: 1
+    - destination:
+        host: httpbin.default.svc.domain.suffix
+        port:
+          number: 80
+      weight: 1
+    - destination: {}
+      weight: 1
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
   annotations:
-    internal.istio.io/parent: HTTPRoute/invalid-backendRef-mixed.default
+    internal.istio.io/parent: HTTPRoute/invalid-backendRef-notfound.default
     internal.istio.io/route-semantics: gateway
   creationTimestamp: null
-  name: invalid-backendRef-mixed-0-istio-autogenerated-k8s-gateway
+  name: invalid-backendRef-notfound-0-istio-autogenerated-k8s-gateway
   namespace: default
 spec:
   gateways:
   - istio-system/gateway-istio-autogenerated-k8s-gateway-default
   hosts:
-  - third.domain.example
+  - second.domain.example
   http:
   - route:
     - destination:
         host: nonexistent.default.svc.domain.suffix
         port:
           number: 80
-      weight: 1
-    - destination:
-        host: httpbin.default.svc.domain.suffix
-        port:
-          number: 80
-      weight: 1
-    - destination: {}
-      weight: 1
 ---

pilot/pkg/config/kube/gateway/testdata/reference-policy-service.yaml.golden

@@ -20,44 +20,44 @@ apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
   annotations:
-    internal.istio.io/parent: HTTPRoute/http.istio-system
+    internal.istio.io/parent: HTTPRoute/backend-not-allowed.istio-system
     internal.istio.io/route-semantics: gateway
   creationTimestamp: null
-  name: http-0-istio-autogenerated-k8s-gateway
+  name: backend-not-allowed-0-istio-autogenerated-k8s-gateway
   namespace: istio-system
 spec:
   gateways:
   - istio-system/gateway-istio-autogenerated-k8s-gateway-simple
   hosts:
-  - simple.domain.example
+  - simple2.domain.example
   http:
   - route:
     - destination:
         host: my-svc.service.svc.domain.suffix
         port:
           number: 80
+      weight: 1
+    - destination: {}
+      weight: 1
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
   annotations:
-    internal.istio.io/parent: HTTPRoute/backend-not-allowed.istio-system
+    internal.istio.io/parent: HTTPRoute/http.istio-system
     internal.istio.io/route-semantics: gateway
   creationTimestamp: null
-  name: backend-not-allowed-0-istio-autogenerated-k8s-gateway
+  name: http-0-istio-autogenerated-k8s-gateway
   namespace: istio-system
 spec:
   gateways:
   - istio-system/gateway-istio-autogenerated-k8s-gateway-simple
   hosts:
-  - simple2.domain.example
+  - simple.domain.example
   http:
   - route:
     - destination:
         host: my-svc.service.svc.domain.suffix
         port:
           number: 80
-      weight: 1
-    - destination: {}
-      weight: 1
 ---

tests/integration/pilot/gateway_conformance_test.go

@@ -104,8 +104,10 @@ func TestGatewayConformance(t *testing.T) {
 				if !ctx.Failed() {
 					return
 				}
-				for _, ns := range conformanceNamespaces {
-					namespace.Dump(ctx, ns)
+				if ctx.Settings().CIMode {
+					for _, ns := range conformanceNamespaces {
+						namespace.Dump(ctx, ns)
+					}
 				}
 			})
 			csuite := suite.New(opts)