Gw2 externaltrafficpolicy #10386
Closed
kevin-shelaga wants to merge 89 commits into kgateway-dev:main from solo-io:gw2-externaltrafficpolicy
fix failing unit tests
Addresses CVE-2023-45288 caught by Snyk scanner (golang http2 lib, Rated HIGH)
fix CRDExists check
Co-authored-by: Jenny Shu <28537278+jenshu@users.noreply.github.com>
Co-authored-by: Sam Heilbron <SamHeilbron@gmail.com>
Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io> Co-authored-by: Sam Heilbron <SamHeilbron@gmail.com> Co-authored-by: Nathan Fudenberg <nathan.fudenberg@solo.io>
When only Kube GW proxies are present, we still rely on the edge translator_syncer for extension syncing. The edge translator will mark Upstreams & UpstreamGroups as Accepted then perform xds translation where status may be changed to e.g. Rejected if there is an error. However, in the case where there are no edge proxies, translation doesn't actually occur, so any actual errors on the Upstream are never encountered, thus the status is never set to Rejected. We end up in a scenario where the Kube GW syncer (correctly) reports Rejected status while the Edge syncer reports Accepted and they will fight each other indefinitely. This changes the edge translator_syncer to no longer mark Upstream[Group]s as Accepted unless it will also perform translation.

track obj status in krt collections

the status reporter compares the desired status with the existing status in the solo-kit object to determine if it should actually UPDATE the resource. the current proxy_syncer will do a once per second status sync and relies on this status comparison to be functional to prevent endless object UPDATEs. this commit fixes the solo-kit objects (really wrappers) in the krt collections to contain the status so an accurate comparison can take place.
Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io> Co-authored-by: Nathan Fudenberg <nathan.fudenberg@solo.io>
Co-authored-by: Art <artberger@users.noreply.github.com>
Co-authored-by: Omar Hammami <58956785+puertomontt@users.noreply.github.com>
Co-authored-by: Yuval Kohavi <yuval.kohavi@gmail.com>
Signed-off-by: Shashank Ram <shashank.ram@solo.io>
Co-authored-by: Sam Heilbron <SamHeilbron@gmail.com> Co-authored-by: Nathan Fudenberg <nathan.fudenberg@solo.io>
Co-authored-by: Nathan Fudenberg <nathan.fudenberg@solo.io> Co-authored-by: changelog-bot <changelog-bot>
Co-authored-by: Seth Heidkamp <61526534+sheidkamp@users.noreply.github.com> Co-authored-by: Nadine Spies <17709352+Nadine2016@users.noreply.github.com> Co-authored-by: Nathan Fudenberg <nathan.fudenberg@solo.io>
…ces (#10412) Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io> Co-authored-by: Nathan Fudenberg <nathan.fudenberg@solo.io>
Co-authored-by: changelog-bot <changelog-bot> Co-authored-by: Nathan Fudenberg <nathan.fudenberg@solo.io>
Description
When using the Kubernetes Gateway API, the provisioned proxy service external traffic policy is now configurable via the GatewayParameters field spec.kube.service.externalTrafficPolicy.
This value can also be set on the default GatewayParameters during install/upgrade using the Helm value kubeGateway.gatewayParameters.glooGateway.service.externalTrafficPolicy.
API changes
Added fields to GatewayParameters:
spec.kube.service.externalTrafficPolicy
Code changes
Update gw params to expose external traffic policy
Add test
Context
Fixes #9879
Users need to be able to change the external traffic policy so that source client IPs are preserved for features like WAF and ext auth.
Testing steps
helm unit tests
deployer unit tests
deployer e2e test
Notes for reviewers
First time making gw2 changes - let me know what I did wrong
Checklist:
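
An added illustration of the setting described above, not taken from the pull request: the same GatewayParameters resource with the Kubernetes default, Cluster, and with Local, the value that keeps the client source IP visible to the proxy. The apiVersion, resource names, namespace and service type are assumptions; only the spec.kube.service.externalTrafficPolicy path and the Helm key come from the description.

```yaml
# Added example; not part of the pull request.
# Assumed: apiVersion, metadata names, namespace and service type.
# From the PR description: spec.kube.service.externalTrafficPolicy.

# Cluster is the Kubernetes default for NodePort and LoadBalancer Services.
# Any node may accept the connection and forward it to a proxy pod on another
# node, rewriting the source address on the way (SNAT). The proxy, and so WAF
# rules and ext auth decisions keyed on client IP, sees a node IP instead.
apiVersion: gateway.gloo.solo.io/v1alpha1   # assumed API group/version
kind: GatewayParameters
metadata:
  name: gw-params-cluster                   # constructed name
  namespace: gloo-system                    # assumed namespace
spec:
  kube:
    service:
      type: LoadBalancer                    # assumed service type
      externalTrafficPolicy: Cluster
---
# Local delivers traffic only to proxy pods on the node that received it, with
# no extra hop and no SNAT, so the original client IP reaches the proxy.
# Trade-offs: nodes without a proxy pod do not serve the traffic (the load
# balancer health check takes them out of rotation), and load can be uneven
# when proxy pods are not spread evenly across nodes.
apiVersion: gateway.gloo.solo.io/v1alpha1   # assumed API group/version
kind: GatewayParameters
metadata:
  name: gw-params-local                     # constructed name
  namespace: gloo-system                    # assumed namespace
spec:
  kube:
    service:
      type: LoadBalancer                    # assumed service type
      externalTrafficPolicy: Local

# Helm equivalent for the default GatewayParameters (key from the description):
#   kubeGateway.gatewayParameters.glooGateway.service.externalTrafficPolicy: Local
```

Once the gateway is provisioned, the effective value can be read from the generated Service's spec.externalTrafficPolicy field, for example with kubectl get svc and a jsonpath output of {.spec.externalTrafficPolicy}.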