Kuadrant / kuadrant-controller

Apache License 2.0

rlp: validate httproute target is accepted #145

Closed eguzki closed 2 years ago

eguzki commented 2 years ago

what

The controller validates that the targetRef of the RateLimitPolicy is an Accepted HTTPRoute. Otherwise, it updates the .status object and retries.

verification steps

Deploy gateway with hostname in the listener:

k apply -f - <<EOF
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  labels:
    istio: kuadrant-system
  name: kuadrant-gwapi-gateway
  namespace: kuadrant-system
spec:
  gatewayClassName: istio
  listeners:
  - name: default
    hostname: "*.toystore.com"
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All
  addresses:
  - value: kuadrant-gateway.kuadrant-system.svc.cluster.local
    type: Hostname
EOF

Deploy HTTPRoute with a hostname not matching the previous gateway's hostname. It should not be accepted.

k apply -f - <<EOF
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: carstore
  labels:
    app: carstore
spec:
  parentRefs:
    - name: kuadrant-gwapi-gateway
      namespace: kuadrant-system
  hostnames: ["*.carstore.com"]
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: "/car"
          method: GET
      backendRefs:
        - name: carstore
          port: 80
EOF

It should not be accepted.

k get httproutes.gateway.networking.k8s.io  carstore -o jsonpath='{.status}' | yq e -P
parents:
  - conditions:
      - lastTransitionTime: "2022-04-25T14:32:44Z"
        message: no hostnames matched parent hostname "*.toystore.com"
        observedGeneration: 1
        reason: InvalidParentReference
        status: "False"
        type: Accepted
    controllerName: istio.io/gateway-controller
    parentRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: kuadrant-gwapi-gateway
      namespace: kuadrant-system

Deploy RLP targeting the HTTPRoute:

k apply -f - <<EOF
---
apiVersion: apim.kuadrant.io/v1alpha1
kind: RateLimitPolicy
metadata:
  name: carstore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: carstore
  rules:
    - operations:
        - paths: ["/car"]
          methods: ["GET"]
      rateLimits:
        - stage: PREAUTH
          actions:
            - generic_key:
                descriptor_key: get-car
                descriptor_value: "yes"
  domain: carstore-app
  limits:
    - conditions: ["get-car== yes"]
      max_value: 2
      namespace: carstore-app
      seconds: 30
      variables: []
EOF

The status of the RLP should report as not available:

k get ratelimitpolicy carstore -o jsonpath='{.status}' | yq e -P
conditions:
  - lastTransitionTime: "2022-04-25T14:44:55Z"
    message: httproute not accepted
    reason: ReconcilliationError
    status: "False"
    type: Available
observedGeneration: 1
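
The acceptance check described in this PR, sketched as an added example (not code from the PR or from kuadrant-controller). The `routeStatus` type, the `routeAccepted` helper, the requirement that every parent accepts the route, and the stale-generation rule are assumptions; the sample is the `carstore` status above re-encoded as JSON.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal mirror of the status fields printed above (assumed, not the gateway-api types).
type routeStatus struct {
	Parents []struct {
		ParentRef  struct{ Name string }
		Conditions []struct {
			Type, Status, Reason, Message string
			ObservedGeneration            int64
		}
	}
}

// Constructed sample: the carstore status printed above, re-encoded as JSON.
const rejected = `{"parents":[{"parentRef":{"name":"kuadrant-gwapi-gateway"},"conditions":[{"type":"Accepted","status":"False",
 "reason":"InvalidParentReference","observedGeneration":1,"message":"no hostnames matched parent hostname \"*.toystore.com\""}]}]}`

// routeAccepted fails closed: true only if every parent reports a current Accepted=True (assumed policy).
func routeAccepted(raw []byte, generation int64) (bool, string) {
	var st routeStatus
	if json.Unmarshal(raw, &st) != nil || len(st.Parents) == 0 {
		return false, "no readable parent status"
	}
	for _, p := range st.Parents {
		why := "no Accepted condition from " + p.ParentRef.Name
		for _, c := range p.Conditions {
			switch {
			case c.Type != "Accepted": // other condition types do not decide acceptance
			case c.ObservedGeneration != generation:
				why = "stale Accepted condition from " + p.ParentRef.Name
			case c.Status == "True":
				why = ""
			default:
				why = c.Reason + ": " + c.Message
			}
		}
		if why != "" {
			return false, why
		}
	}
	return true, ""
}

func main() { fmt.Println(routeAccepted([]byte(rejected), 1)) }
```

A route with no reported parents, an unreadable status, or an Accepted condition from an older generation is treated as not accepted, so a policy is never reported Available against a route the gateway is not serving.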