Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Another round of v1alpha2 cleanup #839

Merged
merged 1 commit into from
Sep 7, 2021

Conversation

robscott
Copy link
Member

What type of PR is this?
/kind cleanup

What this PR does / why we need it:
This takes care of another big chunk of feedback from #780 as well as some of the items in #790.

Does this PR introduce a user-facing change?:

* "Controller" has been renamed to "ControllerName"
* "Admitted" condition has been renamed to "Accepted" and now defaults to an "Unknown" state instead of "False"

@k8s-ci-robot k8s-ci-robot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 27, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: robscott

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from hbagdi and thockin August 27, 2021 23:09
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 27, 2021
@robscott robscott force-pushed the cleanup-v1alpha2 branch 2 times, most recently from 0c787e6 to d784985 Compare August 27, 2021 23:27
@@ -72,6 +72,9 @@ type GatewaySpec struct {
// logical endpoints that are bound on this Gateway's addresses.
// At least one Listener MUST be specified.
//
// Each listener in a Gateway must have a unique combination of Hostname,
// Port, and Protocol. This will be enforced by a validating webhook.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: how it will be enforced doesn't seem like it should be in the docs?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommend adding an issue instead.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd include the TLS details in that list as well, tbh.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Created #847 to track webhook validation.

I'd include the TLS details in that list as well, tbh.

Do you mean that hostname, listener, and protocol can be identical across listener if TLS is different?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed reference to webhook in godocs here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean that hostname, listener, and protocol can be identical across listener if TLS is different?

Oh, you're quite right, that makes no sense. I was more thinking that TLS details are part of the key for this, but you're right that if the hostname, port, and protocol are identical, then the TLS details must not be different.

apis/v1alpha2/gatewayclass_types.go Outdated Show resolved Hide resolved
apis/v1alpha2/tlsroute_types.go Outdated Show resolved Hide resolved
//
// If hostnames do not match with the criteria above, then the TLSRoute is
// not accepted, and the implementation must raise an 'Accepted' Condition
// with a status of `False` for the target Listener(s).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a bit confusing when not using sectionName in parentRefs. Since the target is not a listener

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, this comes down to the behavior with partial Listener acceptance, I think if we mandate "all", and have a ResolvedRefs in the event not all match, then this covers the sectionName case.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that we need a better way to handle status when sectionName is not specified. 2 options I've been thinking of:

  1. A standard/reserved listener name such as "all" that is used in status to cover failed attachment to the Gateway as a whole.
  2. A new set of condition types for Gateway status specifically for this purpose. (We could potentially reuse the existing listener condition types).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think option 2 seems better - if no listeners are valid, that seems very relevant for top-level status, but I would have thought we had that covered already somehow.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

// TLSRoute specified `test.example.com` and `test.example.net`,
// `test.example.net` must not be considered for a match.
//
// If hostnames do not match with the criteria above, then the TLSRoute is
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would clarify: If <any,all> hostnames .... And should be All IMO

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 that it the Route should only not be accepted if all hostnames do not match, and if at least one does, a ResolvedRefs condition should be raised as well.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 that it the Route should only not be accepted if all hostnames do not match

Updated, thanks!

and if at least one does, a ResolvedRefs condition should be raised as well.

Wouldn't this result in a successful attachment? Why would we raise a ResolvedRefs condition?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess you're right, the thing I wanted to make sure we have is to indicate what hostnames are in use somehow. If you've got a bunch of hostnames and only one is in use, that seems like it would be good to know.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@@ -72,6 +72,9 @@ type GatewaySpec struct {
// logical endpoints that are bound on this Gateway's addresses.
// At least one Listener MUST be specified.
//
// Each listener in a Gateway must have a unique combination of Hostname,
// Port, and Protocol. This will be enforced by a validating webhook.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommend adding an issue instead.

apis/v1alpha2/gateway_types.go Outdated Show resolved Hide resolved
// [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5)
// or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3)
// * HTTPS: The Hostname match MUST be applied at both the TLS and HTTP
// protocol layers.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@youngnick Is this sufficient to close the domain fronting issue (#72) as well?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although this isn't entirely new content, now that I'm seeing it here, I think this wording may be a bit too strong. I'm not sure that every implementation can apply a match at both layers.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the direction is good, but maybe we need to specify this in terms of API objects, like:

- TLS: the Listener hostname must match the SNI.
- HTTP: The HTTPRoute hostname must match the Host header of the request.
- HTTPS: The Listener Hostname and the HTTPRoute hostname must agree with each other, and also match request properties as above.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because the important part is that we expect that Listeners and HTTPRoutes that do not match these rules should not end up attached.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should mix up the route type with the listener protocol here. While there's likely a ~99% overlap here, if we tie route types too closely here, we prevent or at least complicate extended route types. I've copied most of your suggestions from above, but removed any references to Routes - the following paragraph already covers that intersection.

apis/v1alpha2/tcproute_types.go Outdated Show resolved Hide resolved
apis/v1alpha2/tlsroute_types.go Outdated Show resolved Hide resolved
@robscott robscott mentioned this pull request Aug 30, 2021
10 tasks
Copy link
Contributor

@youngnick youngnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM, some small comments.

@@ -72,6 +72,9 @@ type GatewaySpec struct {
// logical endpoints that are bound on this Gateway's addresses.
// At least one Listener MUST be specified.
//
// Each listener in a Gateway must have a unique combination of Hostname,
// Port, and Protocol. This will be enforced by a validating webhook.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd include the TLS details in that list as well, tbh.

// [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5)
// or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3)
// * HTTPS: The Hostname match MUST be applied at both the TLS and HTTP
// protocol layers.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the direction is good, but maybe we need to specify this in terms of API objects, like:

- TLS: the Listener hostname must match the SNI.
- HTTP: The HTTPRoute hostname must match the Host header of the request.
- HTTPS: The Listener Hostname and the HTTPRoute hostname must agree with each other, and also match request properties as above.

// [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5)
// or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3)
// * HTTPS: The Hostname match MUST be applied at both the TLS and HTTP
// protocol layers.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because the important part is that we expect that Listeners and HTTPRoutes that do not match these rules should not end up attached.

apis/v1alpha2/gateway_types.go Outdated Show resolved Hide resolved
apis/v1alpha2/shared_types.go Outdated Show resolved Hide resolved
apis/v1alpha2/tlsroute_types.go Outdated Show resolved Hide resolved
// TLSRoute specified `test.example.com` and `test.example.net`,
// `test.example.net` must not be considered for a match.
//
// If hostnames do not match with the criteria above, then the TLSRoute is
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 that it the Route should only not be accepted if all hostnames do not match, and if at least one does, a ResolvedRefs condition should be raised as well.

//
// If hostnames do not match with the criteria above, then the TLSRoute is
// not accepted, and the implementation must raise an 'Accepted' Condition
// with a status of `False` for the target Listener(s).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, this comes down to the behavior with partial Listener acceptance, I think if we mandate "all", and have a ResolvedRefs in the event not all match, then this covers the sectionName case.

@robscott
Copy link
Member Author

robscott commented Sep 2, 2021

@youngnick @hbagdi @howardjohn Thanks for the great feedback on this! I think I've responded to everything, PTAL.

Copy link
Contributor

@youngnick youngnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM aside from me being nitpicky about SHOULD.

I think that we need to ensure that every time we use SHOULD, we clearly explain the reasons that is not MUST, and consider using "MUST, except if" instead.

I think that SHOULD leaves too much room for interpretation without clarification.

Comment on lines 166 to 167
// * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
// protocol layers as described above.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry to go around again, but if this is a SHOULD, then I think we need to clarify, with something like:

If an implementation allows this to be the case, it MUST clearly document its behavior and how it manages the resulting security issue (different SNI and Host header can be used to bypass client certificate authentication).

I think we need to ensure that everytime we have a SHOULD, we have an explanation of why it's a SHOULD rather than a MUST, and we should (ironically) prefer must.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At the very least, the SNI MUST match the listener hostname I would think. And the HTTP Host MUST match the HTTPRoute hostname. And the listener/route hostnames MUST form an intersection. Therefor, there MUST be some intersection between the two if both are specified. For example, if I have listener hostname *.example.com, then both MUST have *.example.com.

Not that we should write that as is.. just brain dumping.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took a shot at updating this. What I'm trying to communicate here is that if implementations can implement the match at both levels they should, but not every implementation can.

apis/v1alpha2/gateway_types.go Outdated Show resolved Hide resolved
apis/v1alpha2/httproute_types.go Outdated Show resolved Hide resolved
@youngnick
Copy link
Contributor

I think you got it @robscott, nice work.

/lgtm

/hold
for another lgtm though.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 6, 2021
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 6, 2021
@jpeach
Copy link
Contributor

jpeach commented Sep 7, 2021

Just a couple of formatting nits.

/lgtm

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 7, 2021
@youngnick
Copy link
Contributor

/lgtm

/hold cancel

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Sep 7, 2021
@k8s-ci-robot k8s-ci-robot merged commit ff66fd9 into kubernetes-sigs:master Sep 7, 2021
robscott added a commit to robscott/gateway-api that referenced this pull request Sep 10, 2021
robscott added a commit to robscott/gateway-api that referenced this pull request Sep 27, 2021
robscott added a commit to robscott/gateway-api that referenced this pull request Sep 27, 2021
@robscott robscott deleted the cleanup-v1alpha2 branch January 8, 2022 01:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants