diff --git a/.github/workflows/publish-doc.yaml b/.github/workflows/publish-doc.yaml index 78bf6b52..77c3d70f 100644 --- a/.github/workflows/publish-doc.yaml +++ b/.github/workflows/publish-doc.yaml @@ -26,7 +26,7 @@ jobs: pip install mkdocs-material mike - name: Build run: | - mike deploy v1.0.6-rc1 latest --update-aliases --push + mike deploy 1.0.5 latest --update-aliases --push mike set-default latest --allow-empty --push diff --git a/config/crds/bases/application-networking.k8s.aws_targetgrouppolicies.yaml b/config/crds/bases/application-networking.k8s.aws_targetgrouppolicies.yaml index 553e3ca5..22d9797f 100644 --- a/config/crds/bases/application-networking.k8s.aws_targetgrouppolicies.yaml +++ b/config/crds/bases/application-networking.k8s.aws_targetgrouppolicies.yaml @@ -82,7 +82,7 @@ spec: type: string protocolVersion: description: The protocol version used when performing health - checks on targets. Defaults to HTTP/1. + checks on targets. enum: - HTTP1 - HTTP2 diff --git a/docs/guides/tls-passthrough.md b/docs/guides/tls-passthrough.md deleted file mode 100644 index ef9abd3f..00000000 --- a/docs/guides/tls-passthrough.md +++ /dev/null 
@@ -1,257 +0,0 @@ -# TLS Passthrough Support - -[Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/guides/tls/) lays out the general guidelines on how to configure TLS passthrough. Here are examples on how to use them against AWS Gateway Api controller and VPC Lattice. - -## Install Gateway API TLSRoute CRD - -The TLSRoute CRD already included in the helm chart and deployment.yaml, If you are using these 2 methods to install the controller no extra steps are needed. -If you want to install the CRD manually by yourself: -``` -# Install CRD -kubectl apply -f config/crds/bases/gateway.networking.k8s.io_tlsroutes.yaml -# Verfiy TLSRoute CRD -kubectl get crd tlsroutes.gateway.networking.k8s.io -NAME CREATED AT -tlsroutes.gateway.networking.k8s.io 2024-03-07T23:16:22Z -``` - -## Setup TLS Passthrough Connectivity in a single cluster - -### 1. Configure TLS Passthrough Listener on Gateway - -``` -kubectl apply -f files/examples/gateway-tls-passthrough.yaml -``` - -``` -# tls listener config snips: -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: Gateway -metadata: - name: my-hotel-tls-passthrough -spec: - gatewayClassName: amazon-vpc-lattice - listeners: - ... - - name: tls - protocol: TLS - port: 443 - tls: - mode: Passthrough - ... -``` - -### 2. Configure TLSRoute - -``` -# Suppose in the below example, we use the "parking" service as the client pod to test the TLS passthrough traffic. -kubectl apply -f files/examples/parking.yaml - -# Configure nginx backend service (This nginx image includes a self-signed certificate) -kubectl apply -f files/example/nginx-server-tls-passthrough.yaml - -# configure nginx tls route -kubectl apply -f files/examples/tlsroute-nginx.yaml - -``` - -### 3. 
Verify the controller has reconciled nginx-tls route - -Make sure the TLSRoute has the `application-networking.k8s.aws/lattice-assigned-domain-name` annotation and status `Accepted: True` -``` -kubectl get tlsroute nginx-tls -o yaml -apiVersion: gateway.networking.k8s.io/v1alpha2 -kind: TLSRoute -metadata: - annotations: - application-networking.k8s.aws/lattice-assigned-domain-name: nginx-tls-default-0af995120af2711bc.7d67968.vpc-lattice-svcs.us-west-2.on.aws - ... - name: nginx-tls - namespace: default - ... - -status: - parents: - - conditions: - - lastTransitionTime: ..... - message: "" - observedGeneration: 1 - reason: Accepted - status: "True" - type: Accepted - - lastTransitionTime: ..... - message: "" - observedGeneration: 1 - reason: ResolvedRefs - status: "True" - type: ResolvedRefs - controllerName: application-networking.k8s.aws/gateway-api-controller - -``` - -### 4. Verify TLS Passthrough Traffic - -``` -kubectl get deployment nginx-tls -NAME READY UP-TO-DATE AVAILABLE AGE -nginx-tls 2/2 2 2 1d - -kubectl exec deployments/parking -- curl -kv https://nginx-test.my-test.com --resolve nginx-test.my-test.com:443:169.254.171.0 - -* Trying 169.254.171.0:443... 
-* Connected to nginx-test.my-test.com (169.254.171.0) port 443 (#0) -* ALPN, offering h2 -* ALPN, offering http/1.1 -* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH -* successfully set certificate verify locations: -* CAfile: /etc/pki/tls/certs/ca-bundle.crt -* CApath: none -* TLSv1.2 (OUT), TLS header, Certificate Status (22): -* TLSv1.2 (OUT), TLS handshake, Client hello (1): -* TLSv1.2 (IN), TLS handshake, Server hello (2): -* TLSv1.2 (IN), TLS handshake, Certificate (11): -* TLSv1.2 (IN), TLS handshake, Server key exchange (12): -* TLSv1.2 (IN), TLS handshake, Server finished (14): -* TLSv1.2 (OUT), TLS handshake, Client key exchange (16): -* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): -* TLSv1.2 (OUT), TLS handshake, Finished (20): -* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): -* TLSv1.2 (IN), TLS handshake, Finished (20): -* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 -* ALPN, server accepted to use h2 -* Server certificate: -* subject: C=US; ST=wa; L=seattle; O=aws; OU=lattice; CN=liwen.ssl-test.com; emailAddress=liwenwu@amazon.com -* start date: Mar 5 21:26:24 2024 GMT -# use customer defined name -curl -k -v https://nginx-test.my-test.com --resolve nginx-test.my-test.com:443:169.254.171.32 -* Added nginx-test.my-test.com:443:169.254.171.32 to DNS cache -* Hostname nginx-test.my-test.com was found in DNS cache -* Trying 169.254.171.0:443... 
-* Connected to nginx-test.my-test.com (169.254.171.0) port 443 (#0) -* ALPN, offering h2 -* ALPN, offering http/1.1 -* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH -* successfully set certificate verify locations: -* CAfile: /etc/pki/tls/certs/ca-bundle.crt -* CApath: none -* TLSv1.2 (OUT), TLS header, Certificate Status (22): -* TLSv1.2 (OUT), TLS handshake, Client hello (1): -* TLSv1.2 (IN), TLS handshake, Server hello (2): -* TLSv1.2 (IN), TLS handshake, Certificate (11): -* TLSv1.2 (IN), TLS handshake, Server key exchange (12): -* TLSv1.2 (IN), TLS handshake, Server finished (14): -* TLSv1.2 (OUT), TLS handshake, Client key exchange (16): -* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): -* TLSv1.2 (OUT), TLS handshake, Finished (20): -* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): -* TLSv1.2 (IN), TLS handshake, Finished (20): -* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 -* ALPN, server accepted to use h2 -* Server certificate: -* subject: C=US; ST=wa; L=seattle; O=aws; OU=lattice; CN=liwen.ssl-test.com; emailAddress=liwenwu@amazon.com - -.... -
-If you see this page, the nginx web server is successfully installed and -working. Further configuration is required.
-.... - -``` - -## Setup TLS Passthrough Connectivity spanning multiple clusters - - -![tlsoute multi cluster](../images/tlsroute-multi-cluster.png) - -### 1. In this example we still use the "parking" Kubernetes service as the client pod to test the cross cluster TLS passthrough traffic. -``` -kubectl apply -f files/examples/parking.yaml -``` - -### 2. In cluster-1, create `tls-rate1` Kubernetes Service: -``` -kubectl apply -f files/examples/tls-rate1.yaml -``` - -### 3. Configure ServieExport with TargetGroupPolicy `protocol:TCP` in cluster-2 - -``` -# Create tls-rate2 Kubernetes Service in cluster-2 -kubectl apply -f files/examples/tls-rate2.yaml -# Create serviceexport in cluster-2 -kubectl apply -f files/examples/tls-rate2-export.yaml -# Create targetgroup policy to configure TCP protocol for tls-rate2 in cluster-2 -kubectl apply -f files/examples/tls-rate2-targetgrouppolicy.yaml -``` - -``` -# Snips of serviceexport config -apiVersion: application-networking.k8s.aws/v1alpha1 -kind: ServiceExport -metadata: - name: tls-rate-2 - annotations: - application-networking.k8s.aws/federation: "amazon-vpc-lattice" -# Snips of targetgroup policy config -apiVersion: application-networking.k8s.aws/v1alpha1 -kind: TargetGroupPolicy -metadata: - name: tls-rate2 -spec: - targetRef: - group: "application-networking.k8s.aws" - kind: ServiceExport - name: tls-rate2 - protocol: TCP -``` - -### 4. Configure ServiceImport in cluster1 - -``` -kubectl apply -f files/examples/tls-rate2-import.yaml -``` - -### 5. 
Configure TLSRoute for bluegreen deployment - -``` -kubectl apply -f files/examples/rate-tlsroute-bluegreen.yaml - -# snips of TLSRoute span multiple Kubernetes Clusters -apiVersion: gateway.networking.k8s.io/v1alpha2 -kind: TLSRoute -metadata: - name: tls-rate -spec: - hostnames: - - tls-rate.my-test.com - parentRefs: - - name: my-hotel-tls - sectionName: tls - rules: - - backendRefs: - - name: tls-rate1 <---------- to Kubernetes Cluster-1 - kind: Service - port: 443 - weight: 10 - - name: tls-rate2 <---------- to Kubernetes Cluster-2 - kind: ServiceImport - port: 443 - weight: 90 -``` -### 6. Verify cross-cluster TLS passthrough traffic - -Expected to receive the weighted traffic route to tls-rate1 service(10%) and tls-rate2 service(90%), if you curl the `tls-rate.my-test.com` from the client pod multiple times: -``` -kubectl exec deploy/parking -- sh -c 'for ((i=1; i<=30; i++)); do curl -k https://tls-rate.my-test.com --resolve tls-rate.my-test.com:443:169.254.171.0 2>/dev/null; done' - -Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod <----> k8s service in cluster-2 -Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod -Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod -Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod -Requsting to TLS Pod(tls-rate1-98cc7fd87a-642zw): tls-rate1 handler pod <----> k8s service in cluster-1 -Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod -Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod -Requsting to TLS Pod(tls-rate2-7f8b9cc97b-fgqk6): tls-rate2 handler pod -Requsting to TLS Pod(tls-rate1-98cc7fd87a-642zw): tls-rate1 handler pod -``` diff --git a/docs/images/tlsroute-multi-cluster.png b/docs/images/tlsroute-multi-cluster.png deleted file mode 100644 index ba7b6c28..00000000 Binary files a/docs/images/tlsroute-multi-cluster.png and /dev/null differ 
diff --git a/files/examples/my-gateway-tls-passthrough.yaml b/files/examples/my-gateway-tls-passthrough.yaml deleted file mode 100644 index 79cff561..00000000 --- a/files/examples/my-gateway-tls-passthrough.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: Gateway -metadata: - name: my-hotel-tls-passthrough -spec: - gatewayClassName: amazon-vpc-lattice - listeners: - - name: http - protocol: HTTP - port: 80 - - name: tls - protocol: TLS - port: 443 - tls: - mode: Passthrough \ No newline at end of file diff --git a/files/examples/nginx-server-tls-passthrough.yaml b/files/examples/nginx-server-tls-passthrough.yaml deleted file mode 100644 index 4833d8cb..00000000 --- a/files/examples/nginx-server-tls-passthrough.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-tls -spec: - selector: - matchLabels: - app: nginx-tls - replicas: 2 - template: - metadata: - labels: - app: nginx-tls - spec: - containers: - - name: nginx-tls - image: public.ecr.aws/x2j8p8w7/lattice-test-server:latest - ports: - - containerPort: 443 - ---- -apiVersion: v1 -kind: Service -metadata: - name: nginx-tls -spec: - selector: - app: nginx-tls - ports: - - protocol: TCP - port: 443 - targetPort: 443 - diff --git a/files/examples/rate-tlsroute-bluegreen.yaml b/files/examples/rate-tlsroute-bluegreen.yaml deleted file mode 100644 index 9a7a02eb..00000000 --- a/files/examples/rate-tlsroute-bluegreen.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1alpha2 -kind: TLSRoute -metadata: - name: rate-tls-passthrough -spec: - hostnames: - - tls-rate.my-test.com - parentRefs: - - name: my-hotel-tls-passthrough - sectionName: tls - rules: - - backendRefs: - - name: tls-rate1 - kind: Service - port: 443 - weight: 10 - - name: tls-rate2 - kind: ServiceImport - port: 443 - weight: 90 \ No newline at end of file 
diff --git a/files/examples/tls-rate1.yaml b/files/examples/tls-rate1.yaml deleted file mode 100644 index 677600ed..00000000 --- a/files/examples/tls-rate1.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tls-rate1 - labels: - app: tls-rate1 -spec: - replicas: 2 - selector: - matchLabels: - app: tls-rate1 - template: - metadata: - labels: - app: tls-rate1 - spec: - containers: - - name: tls-rate1 - image: public.ecr.aws/x2j8p8w7/https-server:latest - env: - - name: PodName - value: "tls-rate1 handler pod" - - ---- -apiVersion: v1 -kind: Service -metadata: - name: tls-rate1 -spec: - selector: - app: tls-rate1 - ports: - - protocol: TCP - port: 443 - targetPort: 443 \ No newline at end of file diff --git a/files/examples/tls-rate2-export.yaml b/files/examples/tls-rate2-export.yaml deleted file mode 100644 index 352944fc..00000000 --- a/files/examples/tls-rate2-export.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: application-networking.k8s.aws/v1alpha1 -kind: ServiceExport -metadata: - name: tls-rate2 - annotations: - application-networking.k8s.aws/federation: "amazon-vpc-lattice" \ No newline at end of file diff --git a/files/examples/tls-rate2-import.yaml b/files/examples/tls-rate2-import.yaml deleted file mode 100644 index 3faf33e4..00000000 --- a/files/examples/tls-rate2-import.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: application-networking.k8s.aws/v1alpha1 -kind: ServiceImport -metadata: - name: tls-rate2 -spec: - type: ClusterSetIP - ports: - - port: 443 - protocol: TCP \ No newline at end of file diff --git a/files/examples/tls-rate2-targetgrouppolicy.yaml b/files/examples/tls-rate2-targetgrouppolicy.yaml deleted file mode 100644 index 72338ce9..00000000 --- a/files/examples/tls-rate2-targetgrouppolicy.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: application-networking.k8s.aws/v1alpha1 -kind: TargetGroupPolicy -metadata: - name: tls-rate2 -spec: - targetRef: - group: "application-networking.k8s.aws" - kind: ServiceExport - name: tls-rate2 - protocol: TCP - healthCheck: - enabled: false \ No newline at end of file diff --git a/files/examples/tls-rate2.yaml b/files/examples/tls-rate2.yaml deleted file mode 100644 index c41dffa9..00000000 --- a/files/examples/tls-rate2.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tls-rate2 - labels: - app: tls-rate2 -spec: - replicas: 2 - selector: - matchLabels: - app: tls-rate2 - template: - metadata: - labels: - app: tls-rate2 - spec: - containers: - - name: tls-rate2 - image: public.ecr.aws/x2j8p8w7/https-server:latest - env: - - name: PodName - value: "tls-rate2 handler pod" - - ---- -apiVersion: v1 -kind: Service -metadata: - name: tls-rate2 -spec: - selector: - app: tls-rate2 - ports: - - protocol: TCP - port: 443 - targetPort: 443 \ No newline at end of file diff --git a/files/examples/tlsroute-nginx.yaml b/files/examples/tlsroute-nginx.yaml deleted file mode 100644 index 28b73421..00000000 --- a/files/examples/tlsroute-nginx.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1alpha2 -kind: TLSRoute -metadata: - name: nginx-tls -spec: - hostnames: - - nginx-test.my-test.com - parentRefs: - - name: my-hotel-tls-passthrough - sectionName: tls - rules: - - backendRefs: - - name: nginx-tls - kind: Service - port: 443 \ No newline at end of file diff --git a/helm/crds/application-networking.k8s.aws_targetgrouppolicies.yaml b/helm/crds/application-networking.k8s.aws_targetgrouppolicies.yaml index 553e3ca5..22d9797f 100644 --- a/helm/crds/application-networking.k8s.aws_targetgrouppolicies.yaml +++ b/helm/crds/application-networking.k8s.aws_targetgrouppolicies.yaml 
@@ -82,7 +82,7 @@ spec:
 type: string
 protocolVersion:
 description: The protocol version used when performing health
- checks on targets. Defaults to HTTP/1.
+ checks on targets.
 enum:
 - HTTP1
 - HTTP2
diff --git a/mkdocs.yml b/mkdocs.yml
index ae45612a..59a9bed1 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -16,10 +16,9 @@ nav:
 - Getting Started: guides/getstarted.md
 - Cross-Account Sharing: guides/ram-sharing.md
 - Advanced Configurations: guides/advanced-configurations.md
- - HTTPS: guides/https.md
+ - TLS: guides/https.md
 - Custom Domain Name: guides/custom-domain-name.md
 - GRPC: guides/grpc.md
- - TLS Passthrough: guides/tls-passthrough.md
 - Pod Readiness Gates: guides/pod-readiness-gates.md
 - Configuration: guides/environment.md
 - API Specification: api-reference.md
diff --git a/pkg/apis/applicationnetworking/v1alpha1/targetgrouppolicy_types.go b/pkg/apis/applicationnetworking/v1alpha1/targetgrouppolicy_types.go
index 6e4fa4a7..93fe2ffd 100644
--- a/pkg/apis/applicationnetworking/v1alpha1/targetgrouppolicy_types.go
+++ b/pkg/apis/applicationnetworking/v1alpha1/targetgrouppolicy_types.go
@@ -65,7 +65,7 @@ type TargetGroupPolicySpec struct {
 }

 // HealthCheckConfig defines health check configuration for given VPC Lattice target group.
-// For the detailed explanation and supported values, please refer to VPC Lattice documentationon health checks.
+// For the detailed explanation and supported values, please refer to [VPC Lattice health checks documentation](https://docs.aws.amazon.com/vpc-lattice/latest/ug/target-group-health-checks.html).
 type HealthCheckConfig struct {
 // Indicates whether health checking is enabled.
 // +optional
@@ -113,7 +113,7 @@ type HealthCheckConfig struct {
 // +optional
 Protocol *HealthCheckProtocol `json:"protocol,omitempty"`

- // The protocol version used when performing health checks on targets. Defaults to HTTP/1.
+ // The protocol version used when performing health checks on targets.
 // +optional
 ProtocolVersion *HealthCheckProtocolVersion `json:"protocolVersion,omitempty"`
 }
diff --git a/pkg/controllers/route_controller.go b/pkg/controllers/route_controller.go
index 2ee22a76..a5d613fd 100644
--- a/pkg/controllers/route_controller.go
+++ b/pkg/controllers/route_controller.go
@@ -148,9 +148,6 @@ func RegisterAllRouteControllers(
 return nil
 }

-// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=tlsroutes;grpcroutes;httproutes,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=tlsroutes/status;grpcroutes/status;httproutes/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=tlsroutes/finalizers;grpcroutes/finalizers;httproutes/finalizers,verbs=update
 func (r *routeReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 r.log.Infow("reconcile", "name", req.Name)
 recErr := r.reconcile(ctx, req)
diff --git a/pkg/deploy/lattice/listener_manager.go b/pkg/deploy/lattice/listener_manager.go
index a6fc0be1..d81ffc50 100644
--- a/pkg/deploy/lattice/listener_manager.go
+++ b/pkg/deploy/lattice/listener_manager.go
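Review bot: Dropping the three `+kubebuilder:rbac` markers above `Reconcile` removes the generated ClusterRole rules for grpcroutes and httproutes as well as tlsroutes, even though only the TLS passthrough feature appears to be backed out here and the TLSRoute integration tests plus the TLS_PASSTHROUGH listener path remain elsewhere in this diff. If controller-gen output is what gets deployed, the controller loses get/list/watch on those route kinds and its status and finalizer updates start being denied. Unless equivalent markers exist in another file (not visible here), keep the markers, or at minimum a reduced form such as `// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=grpcroutes;httproutes,verbs=get;list;watch;create;update;patch;delete` together with its `/status` and `/finalizers` counterparts, and confirm the regenerated role is unchanged.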
@@ -22,7 +22,7 @@ import ( //go:generate mockgen -destination listener_manager_mock.go -package lattice github.com/aws/aws-application-networking-k8s/pkg/deploy/lattice ListenerManager type ListenerManager interface { - Upsert(ctx context.Context, modelListener *model.Listener, modelSvc *model.Service, defaultActionTgs []*model.RuleTargetGroup) (model.ListenerStatus, error) + Upsert(ctx context.Context, modelListener *model.Listener, modelSvc *model.Service, defaultAction *vpclattice.RuleAction) (model.ListenerStatus, error) Delete(ctx context.Context, modelListener *model.Listener) error List(ctx context.Context, serviceID string) ([]*vpclattice.ListenerSummary, error) } @@ -46,7 +46,7 @@ func (d *defaultListenerManager) Upsert( ctx context.Context, modelListener *model.Listener, modelSvc *model.Service, - defaultActionTgs []*model.RuleTargetGroup, + defaultAction *vpclattice.RuleAction, ) (model.ListenerStatus, error) { if modelSvc.Status == nil || modelSvc.Status.Id == "" { return model.ListenerStatus{}, errors.New("model service is missing id") @@ -59,9 +59,8 @@ func (d *defaultListenerManager) Upsert( return model.ListenerStatus{}, err } if latticeListener != nil { - // we do not support listener updates as the only mutable property - // is the default action, which we set to 404 as required by the gw spec - // so here we just return the existing one + // we don't need to do vpclattice.UpdateListener(), if we can find a existing one. + // Since we can make sure the every time when calling the vpclattice.CreateListener() it must have the latest and correct defaultAction. d.log.Debugf("Found existing listener %s, nothing to update", aws.StringValue(latticeListener.Id)) return model.ListenerStatus{ Name: aws.StringValue(latticeListener.Name), 
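Review bot: The rewritten comment in the `latticeListener != nil` branch justifies skipping an update by saying every `CreateListener` call carries the correct `defaultAction`, but that only covers creation: for a TLS_PASSTHROUGH listener the default action now holds the forward target groups and their weights, and an existing listener keeps whatever action it was created with. If the route's backendRefs or weights change later, `Upsert` returns a status for a listener whose default action is stale; the old comment's "always 404, so nothing mutable" reasoning no longer holds once the interface accepts an arbitrary `*vpclattice.RuleAction`. Either fetch the existing listener's default action (GetListener) and call UpdateListener when it differs from `defaultAction`, or state the limitation in the comment, e.g. `// NOTE: the default action of an existing listener is never updated; changing TLS_PASSTHROUGH backendRefs requires recreating the listener.` The comment text itself also needs `find an existing one` and `make sure that every time`.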
@@ -71,33 +70,9 @@ func (d *defaultListenerManager) Upsert(
 }, nil
 }

- // no listener currently exists, create
- defaultAction := vpclattice.RuleAction{
- FixedResponse: &vpclattice.FixedResponseAction{
- StatusCode: aws.Int64(404),
- },
- }
-
- if modelListener.Spec.Protocol == vpclattice.ListenerProtocolTlsPassthrough {
- // Fill the defaultAction tgs for TLS_PASSTHROUGH lattice listener
- var latticeTGs []*vpclattice.WeightedTargetGroup
- for _, modelTG := range defaultActionTgs {
- latticeTG := vpclattice.WeightedTargetGroup{
- TargetGroupIdentifier: aws.String(modelTG.LatticeTgId),
- Weight: aws.Int64(modelTG.Weight),
- }
- latticeTGs = append(latticeTGs, &latticeTG)
- }
- d.log.Debugf("For TLS_PASSTHROUGH listener, forward to default target groups %v", latticeTGs)
- defaultAction = vpclattice.RuleAction{
- Forward: &vpclattice.ForwardAction{
- TargetGroups: latticeTGs,
- },
- }
- }
 listenerInput := vpclattice.CreateListenerInput{
 ClientToken: nil,
- DefaultAction: &defaultAction,
+ DefaultAction: defaultAction,
 Name: aws.String(k8sLatticeListenerName(modelListener)),
 Port: aws.Int64(modelListener.Spec.Port),
 Protocol: aws.String(modelListener.Spec.Protocol),
diff --git a/pkg/deploy/lattice/listener_manager_mock.go b/pkg/deploy/lattice/listener_manager_mock.go
index 1fe6653c..678a8806 100644
--- a/pkg/deploy/lattice/listener_manager_mock.go
+++ b/pkg/deploy/lattice/listener_manager_mock.go
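Review bot: `DefaultAction: defaultAction` now forwards the caller's pointer straight into `CreateListenerInput` with no nil check, whereas the removed code always built a 404 action locally, so a nil `defaultAction` is only rejected by the service as a validation error after the round trip. Add a guard next to the existing `modelSvc.Status` check at the top of `Upsert`: `if defaultAction == nil { return model.ListenerStatus{}, errors.New("listener default action is required") }`. The body of `Upsert` starts above this hunk.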
@@ -66,7 +66,7 @@ func (mr *MockListenerManagerMockRecorder) List(arg0, arg1 interface{}) *gomock.
 }

 // Upsert mocks base method.
-func (m *MockListenerManager) Upsert(arg0 context.Context, arg1 *lattice.Listener, arg2 *lattice.Service, arg3 []*lattice.RuleTargetGroup) (lattice.ListenerStatus, error) {
+func (m *MockListenerManager) Upsert(arg0 context.Context, arg1 *lattice.Listener, arg2 *lattice.Service, arg3 *vpclattice.RuleAction) (lattice.ListenerStatus, error) {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "Upsert", arg0, arg1, arg2, arg3)
 ret0, _ := ret[0].(lattice.ListenerStatus)
diff --git a/pkg/deploy/lattice/listener_manager_test.go b/pkg/deploy/lattice/listener_manager_test.go
index 9d0806a5..f94b952d 100644
--- a/pkg/deploy/lattice/listener_manager_test.go
+++ b/pkg/deploy/lattice/listener_manager_test.go
@@ -40,9 +40,13 @@ func Test_CreateListenerNew(t *testing.T) {
 return &vpclattice.CreateListenerOutput{Id: aws.String("new-lid")}, nil
 },
 )
-
+ defaultAction := &vpclattice.RuleAction{
+ FixedResponse: &vpclattice.FixedResponseAction{
+ StatusCode: aws.Int64(404),
+ },
+ }
 lm := NewListenerManager(gwlog.FallbackLogger, cloud)
- status, err := lm.Upsert(ctx, ml, ms, nil)
+ status, err := lm.Upsert(ctx, ml, ms, defaultAction)
 assert.Nil(t, err)
 assert.Equal(t, "new-lid", status.Id)
 assert.Equal(t, "svc-id", status.ServiceId)
diff --git a/pkg/deploy/lattice/listener_synthesizer.go b/pkg/deploy/lattice/listener_synthesizer.go
index d8d3431c..3190b73f 100644
--- a/pkg/deploy/lattice/listener_synthesizer.go
+++ b/pkg/deploy/lattice/listener_synthesizer.go
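Review bot: `Test_CreateListenerNew` now passes a 404 `defaultAction` into `Upsert`, but nothing asserts that it reaches `CreateListenerInput.DefaultAction`, so the new plumbing in `Upsert` is exercised only for compile-compatibility. The `DoAndReturn` callback begins above the hunk; assuming it receives the `*vpclattice.CreateListenerInput`, capturing that input and adding `assert.Equal(t, defaultAction, capturedInput.DefaultAction)` would pin the behaviour. There is also no Forward-action case in this file, so the TLS_PASSTHROUGH path through `Upsert` remains uncovered. The mock hunk above it is generated and needs no change.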
@@ -50,19 +50,12 @@ func (l *listenerSynthesizer) Synthesize(ctx context.Context) error {
 return err
 }

- var stackRules []*model.Rule
- var defaultActionTgs []*model.RuleTargetGroup
- if listener.Spec.Protocol == vpclattice.ListenerProtocolTlsPassthrough {
- _ = l.stack.ListResources(&stackRules)
- if err := l.tgManager.ResolveRuleTgIds(ctx, stackRules[0], l.stack); err != nil {
- l.log.Infof("Failed to update TGId, err = %v", err)
- return err
- }
- // Fill the default action target groups for TLS_PASSTHROUGH listener, since TLS_PASSTHROUGH listener only has the defaultAction and no extra listener rules
- defaultActionTgs = stackRules[0].Spec.Action.TargetGroups
+ defaultAction, err := l.getLatticeListenerDefaultAction(ctx, listener.Spec.Protocol)
+ if err != nil {
+ return err
 }

- status, err := l.listenerMgr.Upsert(ctx, listener, svc, defaultActionTgs)
+ status, err := l.listenerMgr.Upsert(ctx, listener, svc, defaultAction)
 if err != nil {
 listenerErr = errors.Join(listenerErr, fmt.Errorf("failed ListenerManager.Upsert %s-%s due to err %s",
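Review bot: The new `if err != nil { return err }` after `getLatticeListenerDefaultAction` aborts `Synthesize` outright when one TLS_PASSTHROUGH listener cannot resolve its target groups, while the `Upsert` failure a few lines below is folded into `listenerErr` so the remaining listeners are still processed. The enclosing loop begins above the hunk, so the inferred effect is that a single bad listener now blocks every other listener on the service, where before this change the same failure was also a hard return but is now inconsistent with the accumulate-and-continue style right next to it. For consistency, collect and move on: `listenerErr = errors.Join(listenerErr, fmt.Errorf("failed to build default action for listener %s-%d: %w", listener.Spec.Protocol, listener.Spec.Port, err))` followed by `continue`.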
@@ -96,6 +89,44 @@ func (l *listenerSynthesizer) Synthesize(ctx context.Context) error {
 return nil
 }

+func (l *listenerSynthesizer) getLatticeListenerDefaultAction(ctx context.Context, modelListenerProtocol string) (
+ *vpclattice.RuleAction, error,
+) {
+ if modelListenerProtocol != vpclattice.ListenerProtocolTlsPassthrough {
+ return &vpclattice.RuleAction{
+ FixedResponse: &vpclattice.FixedResponseAction{
+ StatusCode: aws.Int64(404),
+ },
+ }, nil
+ }
+
+ // For TLS_PASSTHROUGH listener, we need to fill the stackRules[0].Spec.Action.TargetGroups to the lattice listener's defaultAction tgs
+ var stackRules []*model.Rule
+ _ = l.stack.ListResources(&stackRules)
+ // Fill the default action target groups for TLS_PASSTHROUGH listener, since TLS_PASSTHROUGH listener only has the defaultAction and no extra listener rules
+ if err := l.tgManager.ResolveRuleTgIds(ctx, stackRules[0], l.stack); err != nil {
+ return nil, fmt.Errorf("failed to resolve rule tg ids, err = %v", err)
+ }
+
+ // Fill the defaultAction tgs for TLS_PASSTHROUGH lattice listener
+ var latticeTGs []*vpclattice.WeightedTargetGroup
+ for _, modelTG := range stackRules[0].Spec.Action.TargetGroups {
+ latticeTG := vpclattice.WeightedTargetGroup{
+ TargetGroupIdentifier: aws.String(modelTG.LatticeTgId),
+ Weight: aws.Int64(modelTG.Weight),
+ }
+ latticeTGs = append(latticeTGs, &latticeTG)
+ }
+
+ l.log.Debugf("For TLS_PASSTHROUGH listener, forward to default target groups %v", latticeTGs)
+ return &vpclattice.RuleAction{
+ Forward: &vpclattice.ForwardAction{
+ TargetGroups: latticeTGs,
+ },
+ }, nil
+
+}
+
 func (l *listenerSynthesizer) shouldDelete(listenerToFind *model.Listener, stackListeners []*model.Listener) bool {
 for _, candidate := range stackListeners {
 if candidate.Spec.Port == listenerToFind.Spec.Port && candidate.Spec.Protocol == listenerToFind.Spec.Protocol {
diff --git a/pkg/gateway/model_build_lattice_service.go b/pkg/gateway/model_build_lattice_service.go
index 02b4c66c..84c0fc72 100644
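Review bot: `getLatticeListenerDefaultAction` discards the `ListResources` error with `_ =` and then indexes `stackRules[0]` unconditionally, so an empty rule list or a failed listing panics inside the reconciler instead of surfacing as an error. The function also silently assumes the first stack rule is the only one for a TLS_PASSTHROUGH listener; a doc comment should say that `stackRules[0]` is treated as the sole rule whose target groups become the listener's default action. The error wrap uses `%v`, which breaks `errors.Is`/`errors.As` for callers; `%w` keeps the chain. The rewritten lines are below (`errors` is already used by `Synthesize` in this file).
```go
// getLatticeListenerDefaultAction returns the default action for a lattice listener.
// Non-TLS_PASSTHROUGH listeners get a fixed 404 response; a TLS_PASSTHROUGH listener
// forwards to the target groups of the stack's single rule (stackRules[0]).
func (l *listenerSynthesizer) getLatticeListenerDefaultAction(ctx context.Context, modelListenerProtocol string) (
	*vpclattice.RuleAction, error,
) {
	// … unchanged: fixed 404 response for non-TLS_PASSTHROUGH listeners …

	var stackRules []*model.Rule
	if err := l.stack.ListResources(&stackRules); err != nil {
		return nil, fmt.Errorf("failed to list stack rules: %w", err)
	}
	if len(stackRules) == 0 {
		return nil, errors.New("TLS_PASSTHROUGH listener requires a rule to build its default action, found none")
	}
	if err := l.tgManager.ResolveRuleTgIds(ctx, stackRules[0], l.stack); err != nil {
		return nil, fmt.Errorf("failed to resolve rule tg ids: %w", err)
	}
	// … unchanged: build the WeightedTargetGroup list and return the Forward action …
```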
--- a/pkg/gateway/model_build_lattice_service.go
+++ b/pkg/gateway/model_build_lattice_service.go
@@ -105,6 +105,8 @@ func (t *latticeServiceModelBuildTask) buildLatticeService(ctx context.Context)
 routeType = core.GrpcRouteType
 case *core.TLSRoute:
 routeType = core.TlsRouteType
+ default:
+ return nil, fmt.Errorf("unsupported route type: %T", t.route)
 }

 spec := model.ServiceSpec{
diff --git a/pkg/gateway/model_build_targetgroup.go b/pkg/gateway/model_build_targetgroup.go
index a69e3a07..3ce6cc38 100644
--- a/pkg/gateway/model_build_targetgroup.go
+++ b/pkg/gateway/model_build_targetgroup.go
@@ -354,6 +354,8 @@ func (t *backendRefTargetGroupModelBuildTask) buildTargetGroupSpec(ctx context.C
 protocol = vpclattice.TargetGroupProtocolTcp
 protocolVersion = ""
 parentRefType = model.SourceTypeTLSRoute
+ default:
+ return model.TargetGroupSpec{}, fmt.Errorf("unsupported route type %T", t.route)
 }

 spec := model.TargetGroupSpec{
diff --git a/test/pkg/test/tlsroute.go b/test/pkg/test/tlsroute.go
index b3df6c6f..b31646c9 100644
--- a/test/pkg/test/tlsroute.go
+++ b/test/pkg/test/tlsroute.go
@@ -21,7 +21,7 @@ func (env *Framework) NewTLSRoute(namespace string, parentRefsGateway *gwv1.Gate
 SectionName: lo.ToPtr(gwv1.SectionName("tls")),
 }},
 },
- Hostnames: []gwv1.Hostname{"tls.test.com"},
+ Hostnames: []gwv1.Hostname{"lattice-k8s-tls-passthrough-test.com"},
 Rules: rules,
 },
 })
diff --git a/test/suites/integration/tlsroute_serviceexport_test.go b/test/suites/integration/tlsroute_serviceexport_test.go
index 024c8b03..0d36ee30 100644
--- a/test/suites/integration/tlsroute_serviceexport_test.go
+++ b/test/suites/integration/tlsroute_serviceexport_test.go
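Review bot: The two new `default` branches format the same condition differently — `"unsupported route type: %T"` in `buildLatticeService` versus `"unsupported route type %T"` in `buildTargetGroupSpec` — which makes log searches and any substring assertions on these errors inconsistent; pick one form, e.g. `fmt.Errorf("unsupported route type %T", t.route)` in both. Both `switch` statements begin above their hunks, so I cannot see whether `fmt` is already imported in `model_build_targetgroup.go`; if it is not, the new branch needs the import.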
@@ -105,7 +105,7 @@ var _ = Describe("TLSRoute ServiceExport ServiceImport Test", func() { pod := pods[0] Eventually(func(g Gomega) { - cmd := fmt.Sprintf("curl -k https://tls.test.com:444 --resolve tls.test.com:444:%s", dnsIP[0]) + cmd := fmt.Sprintf("curl -k https://lattice-k8s-tls-passthrough-test.com:444 --resolve tls.test.com:444:%s", dnsIP[0]) log.Printf("Executing command [%s] \n", cmd) stdout, _, err := testFramework.PodExec(pod, cmd) g.Expect(err).To(BeNil()) diff --git a/test/suites/integration/tlsroute_test.go b/test/suites/integration/tlsroute_test.go index 89301f23..96bc8c4a 100644 --- a/test/suites/integration/tlsroute_test.go +++ b/test/suites/integration/tlsroute_test.go @@ -88,7 +88,7 @@ var _ = Describe("TLSRoute test", func() { pod := pods[0] Eventually(func(g Gomega) { - cmd := fmt.Sprintf("curl -k https://tls.test.com:444 --resolve tls.test.com:444:%s", dnsIP[0]) + cmd := fmt.Sprintf("curl -k https://lattice-k8s-tls-passthrough-test.com:444 --resolve tls.test.com:444:%s", dnsIP[0]) stdout, _, err := testFramework.PodExec(pod, cmd) g.Expect(err).To(BeNil()) g.Expect(stdout).To(ContainSubstring("my-https-1 handler pod"))
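Review bot: In both integration hunks the URL host changes to `lattice-k8s-tls-passthrough-test.com` but the `--resolve` mapping still pins `tls.test.com:444`, so curl will not apply the override to the new host and will fall back to a real DNS lookup for it; the test then fails to connect or reaches something other than `dnsIP[0]`, and no longer exercises the route whose hostname was changed in `NewTLSRoute`. Update both commands so the names match: `cmd := fmt.Sprintf("curl -k https://lattice-k8s-tls-passthrough-test.com:444 --resolve lattice-k8s-tls-passthrough-test.com:444:%s", dnsIP[0])`. This applies to the `tlsroute_serviceexport_test.go` hunk and the `tlsroute_test.go` hunk on this line; the enclosing `Describe` blocks begin above the hunks.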