-
Notifications
You must be signed in to change notification settings - Fork 490
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Another round of v1alpha2 cleanup #839
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: robscott The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
0c787e6
to
d784985
Compare
apis/v1alpha2/gateway_types.go
Outdated
@@ -72,6 +72,9 @@ type GatewaySpec struct { | |||
// logical endpoints that are bound on this Gateway's addresses. | |||
// At least one Listener MUST be specified. | |||
// | |||
// Each listener in a Gateway must have a unique combination of Hostname, | |||
// Port, and Protocol. This will be enforced by a validating webhook. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: how it will be enforced doesn't seem like it should be in the docs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Recommend adding an issue instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd include the TLS details in that list as well, tbh.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Created #847 to track webhook validation.
I'd include the TLS details in that list as well, tbh.
Do you mean that hostname, listener, and protocol can be identical across listener if TLS is different?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed reference to webhook in godocs here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mean that hostname, listener, and protocol can be identical across listener if TLS is different?
Oh, you're quite right, that makes no sense. I was more thinking that TLS details are part of the key for this, but you're right that if the hostname, port, and protocol are identical, then the TLS details must not be different.
apis/v1alpha2/tlsroute_types.go
Outdated
// | ||
// If hostnames do not match with the criteria above, then the TLSRoute is | ||
// not accepted, and the implementation must raise an 'Accepted' Condition | ||
// with a status of `False` for the target Listener(s). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a bit confusing when not using sectionName
in parentRefs. Since the target is not a listener
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, this comes down to the behavior with partial Listener acceptance, I think if we mandate "all", and have a ResolvedRefs in the event not all match, then this covers the sectionName case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that we need a better way to handle status when sectionName
is not specified. 2 options I've been thinking of:
- A standard/reserved listener name such as "all" that is used in status to cover failed attachment to the Gateway as a whole.
- A new set of condition types for Gateway status specifically for this purpose. (We could potentially reuse the existing listener condition types).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think option 2 seems better - if no listeners are valid, that seems very relevant for top-level status, but I would have thought we had that covered already somehow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
apis/v1alpha2/tlsroute_types.go
Outdated
// TLSRoute specified `test.example.com` and `test.example.net`, | ||
// `test.example.net` must not be considered for a match. | ||
// | ||
// If hostnames do not match with the criteria above, then the TLSRoute is |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would clarify: If <any,all> hostnames ...
. And should be All IMO
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 that it the Route should only not be accepted if all hostnames do not match, and if at least one does, a ResolvedRefs condition should be raised as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 that it the Route should only not be accepted if all hostnames do not match
Updated, thanks!
and if at least one does, a ResolvedRefs condition should be raised as well.
Wouldn't this result in a successful attachment? Why would we raise a ResolvedRefs condition?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess you're right, the thing I wanted to make sure we have is to indicate what hostnames are in use somehow. If you've got a bunch of hostnames and only one is in use, that seems like it would be good to know.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
apis/v1alpha2/gateway_types.go
Outdated
@@ -72,6 +72,9 @@ type GatewaySpec struct { | |||
// logical endpoints that are bound on this Gateway's addresses. | |||
// At least one Listener MUST be specified. | |||
// | |||
// Each listener in a Gateway must have a unique combination of Hostname, | |||
// Port, and Protocol. This will be enforced by a validating webhook. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Recommend adding an issue instead.
apis/v1alpha2/gateway_types.go
Outdated
// [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5) | ||
// or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3) | ||
// * HTTPS: The Hostname match MUST be applied at both the TLS and HTTP | ||
// protocol layers. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@youngnick Is this sufficient to close the domain fronting issue (#72) as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Although this isn't entirely new content, now that I'm seeing it here, I think this wording may be a bit too strong. I'm not sure that every implementation can apply a match at both layers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the direction is good, but maybe we need to specify this in terms of API objects, like:
- TLS: the Listener hostname must match the SNI.
- HTTP: The HTTPRoute hostname must match the Host header of the request.
- HTTPS: The Listener Hostname and the HTTPRoute hostname must agree with each other, and also match request properties as above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because the important part is that we expect that Listeners and HTTPRoutes that do not match these rules should not end up attached.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we should mix up the route type with the listener protocol here. While there's likely a ~99% overlap here, if we tie route types too closely here, we prevent or at least complicate extended route types. I've copied most of your suggestions from above, but removed any references to Routes - the following paragraph already covers that intersection.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall LGTM, some small comments.
apis/v1alpha2/gateway_types.go
Outdated
@@ -72,6 +72,9 @@ type GatewaySpec struct { | |||
// logical endpoints that are bound on this Gateway's addresses. | |||
// At least one Listener MUST be specified. | |||
// | |||
// Each listener in a Gateway must have a unique combination of Hostname, | |||
// Port, and Protocol. This will be enforced by a validating webhook. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd include the TLS details in that list as well, tbh.
apis/v1alpha2/gateway_types.go
Outdated
// [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5) | ||
// or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3) | ||
// * HTTPS: The Hostname match MUST be applied at both the TLS and HTTP | ||
// protocol layers. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the direction is good, but maybe we need to specify this in terms of API objects, like:
- TLS: the Listener hostname must match the SNI.
- HTTP: The HTTPRoute hostname must match the Host header of the request.
- HTTPS: The Listener Hostname and the HTTPRoute hostname must agree with each other, and also match request properties as above.
apis/v1alpha2/gateway_types.go
Outdated
// [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5) | ||
// or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3) | ||
// * HTTPS: The Hostname match MUST be applied at both the TLS and HTTP | ||
// protocol layers. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because the important part is that we expect that Listeners and HTTPRoutes that do not match these rules should not end up attached.
apis/v1alpha2/tlsroute_types.go
Outdated
// TLSRoute specified `test.example.com` and `test.example.net`, | ||
// `test.example.net` must not be considered for a match. | ||
// | ||
// If hostnames do not match with the criteria above, then the TLSRoute is |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 that it the Route should only not be accepted if all hostnames do not match, and if at least one does, a ResolvedRefs condition should be raised as well.
apis/v1alpha2/tlsroute_types.go
Outdated
// | ||
// If hostnames do not match with the criteria above, then the TLSRoute is | ||
// not accepted, and the implementation must raise an 'Accepted' Condition | ||
// with a status of `False` for the target Listener(s). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, this comes down to the behavior with partial Listener acceptance, I think if we mandate "all", and have a ResolvedRefs in the event not all match, then this covers the sectionName case.
d784985
to
4ddc359
Compare
@youngnick @hbagdi @howardjohn Thanks for the great feedback on this! I think I've responded to everything, PTAL. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM aside from me being nitpicky about SHOULD.
I think that we need to ensure that every time we use SHOULD, we clearly explain the reasons that is not MUST, and consider using "MUST, except if" instead.
I think that SHOULD leaves too much room for interpretation without clarification.
apis/v1alpha2/gateway_types.go
Outdated
// * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP | ||
// protocol layers as described above. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry to go around again, but if this is a SHOULD, then I think we need to clarify, with something like:
If an implementation allows this to be the case, it MUST clearly document its behavior and how it manages the resulting security issue (different SNI and Host header can be used to bypass client certificate authentication).
I think we need to ensure that everytime we have a SHOULD, we have an explanation of why it's a SHOULD rather than a MUST, and we should (ironically) prefer must.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At the very least, the SNI MUST match the listener hostname I would think. And the HTTP Host MUST match the HTTPRoute hostname. And the listener/route hostnames MUST form an intersection. Therefor, there MUST be some intersection between the two if both are specified. For example, if I have listener hostname *.example.com
, then both MUST have *.example.com
.
Not that we should write that as is.. just brain dumping.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I took a shot at updating this. What I'm trying to communicate here is that if implementations can implement the match at both levels they should, but not every implementation can.
4ddc359
to
b22e4e6
Compare
I think you got it @robscott, nice work. /lgtm /hold |
Just a couple of formatting nits. /lgtm |
b22e4e6
to
58e1dd2
Compare
/lgtm /hold cancel |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
This takes care of another big chunk of feedback from #780 as well as some of the items in #790.
Does this PR introduce a user-facing change?: