Rebased Fixes Tests and Envoy Wildcard Cert

internal/cmd/xdstest.go

@@ -187,19 +187,19 @@ func xDSTest() error {
 		for {
 			time.Sleep(10 * time.Second)
 			logger.Info("Updating the cache for first-listener with first-route")
-			err := snapCache.GenerateNewSnapshot(cacheVersion1.GetXdsResources())
+			err := snapCache.GenerateNewSnapshot("", cacheVersion1.GetXdsResources())
 			if err != nil {
 				logger.Error(err, "Something went wrong with generating a snapshot")
 			}
 			time.Sleep(10 * time.Second)
 			logger.Info("Updating the cache for first-listener with second-route")
-			err = snapCache.GenerateNewSnapshot(cacheVersion2.GetXdsResources())
+			err = snapCache.GenerateNewSnapshot("", cacheVersion2.GetXdsResources())
 			if err != nil {
 				logger.Error(err, "Something went wrong with generating a snapshot")
 			}
 			time.Sleep(10 * time.Second)
 			logger.Info("Updating the cache for second-listener with second-route")
-			err = snapCache.GenerateNewSnapshot(cacheVersion3.GetXdsResources())
+			err = snapCache.GenerateNewSnapshot("", cacheVersion3.GetXdsResources())
 			if err != nil {
 				logger.Error(err, "Something went wrong with generating a snapshot")
 			}

internal/crypto/certgen.go

@@ -21,7 +21,7 @@ const (
 	DefaultEnvoyGatewayDNSPrefix = config.EnvoyGatewayServiceName
 
 	// DefaultEnvoyDNSPrefix defines the default Envoy DNS prefix.
-	DefaultEnvoyDNSPrefix = config.EnvoyServiceName
+	DefaultEnvoyDNSPrefix = "*"
 
 	// DefaultNamespace is the default Namespace name where Envoy Gateway is running.
 	DefaultNamespace = config.EnvoyGatewayNamespace
@@ -112,7 +112,7 @@ func GenerateCerts(egCfg *v1alpha1.EnvoyGateway) (*Certificates, error) {
 		switch egProvider {
 		case v1alpha1.ProviderTypeKubernetes:
 			egDNSNames = kubeServiceNames(DefaultEnvoyGatewayDNSPrefix, DefaultNamespace, DefaultDNSSuffix)
-			envoyDNSNames = kubeServiceNames(DefaultEnvoyDNSPrefix, DefaultNamespace, DefaultDNSSuffix)
+			envoyDNSNames = append(envoyDNSNames, fmt.Sprintf("*.%s", DefaultNamespace))
 		default:
 			// Kubernetes is the only supported Envoy Gateway provider.
 			return nil, fmt.Errorf("unsupported provider type %v", egProvider)

internal/crypto/certgen_test.go

@@ -47,7 +47,7 @@ func TestGenerateCerts(t *testing.T) {
 	run(t, "no configuration - use defaults", testcase{
 		certConfig:              &Configuration{},
 		wantEnvoyGatewayDNSName: "envoy-gateway",
-		wantEnvoyDNSName:        "envoy",
+		wantEnvoyDNSName:        "*.envoy-gateway-system",
 	})
 }
 

internal/envoygateway/config/config.go

@@ -12,12 +12,12 @@ const (
 	EnvoyGatewayNamespace = "envoy-gateway-system"
 	// EnvoyGatewayServiceName is the name of the Envoy Gateway service.
 	EnvoyGatewayServiceName = "envoy-gateway"
-	// EnvoyServiceName is the name of the Envoy Service.
-	EnvoyServiceName = "envoy"
-	// EnvoyDeploymentName is the name of the Envoy Deployment.
-	EnvoyDeploymentName = "envoy"
 	// EnvoyConfigMapName is the name of the Envoy ConfigMap.
 	EnvoyConfigMapName = "envoy"
+	// EnvoyServicePrefix is the prefix applied to the Envoy Service.
+	EnvoyServicePrefix = "envoy"
+	// EnvoyDeploymentPrefix is the prefix applied to the Envoy Deployment.
+	EnvoyDeploymentPrefix = "envoy"
 )
 
 // Server wraps the EnvoyGateway configuration and additional parameters

internal/gatewayapi/runner/runner.go

@@ -97,22 +97,24 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
 			yamlInfraIR, _ := yaml.Marshal(&result.InfraIR)
 			r.Logger.WithValues("output", "infra-ir").Info(string(yamlInfraIR))
 
-			// Publish the IRs. Use the service name as the key
-			// to ensure there is always one element in the map.
+			// Publish the IRs.
 			// Also validate the ir before sending it.
-			if err := result.InfraIR.Validate(); err != nil {
-				r.Logger.Error(err, "unable to validate infra ir, skipped sending it")
-			} else {
-				r.InfraIR.Store(r.Name(), result.InfraIR)
+			for key, val := range result.InfraIR {
+				if err := val.Validate(); err != nil {
+					r.Logger.Error(err, "unable to validate infra ir, skipped sending it")
+				} else {
+					r.InfraIR.Store(key, val)
+				}
 			}
-
 			// Wait until all HTTPRoutes have been reconciled , else the translation
 			// result will be incomplete, and might cause churn in the data plane.
 			if xdsIRReady {
-				if err := result.XdsIR.Validate(); err != nil {
-					r.Logger.Error(err, "unable to validate xds ir, skipped sending it")
-				} else {
-					r.XdsIR.Store(r.Name(), result.XdsIR)
+				for key, val := range result.XdsIR {
+					if err := val.Validate(); err != nil {
+						r.Logger.Error(err, "unable to validate xds ir, skipped sending it")
+					} else {
+						r.XdsIR.Store(key, val)
+					}
 				}
 			}
 

internal/gatewayapi/runner/runner_test.go

@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/require"
+	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/envoyproxy/gateway/internal/envoygateway/config"
 	"github.com/envoyproxy/gateway/internal/ir"
@@ -32,21 +33,22 @@ func TestRunner(t *testing.T) {
 	require.NoError(t, err)
 
 	// IR is nil at start
-	require.Equal(t, (*ir.Xds)(nil), xdsIR.Get())
-	require.Equal(t, (*ir.Infra)(nil), infraIR.Get())
+	require.Equal(t, map[string]*ir.Xds{}, xdsIR.LoadAll())
+	require.Equal(t, map[string]*ir.Infra{}, infraIR.LoadAll())
 
 	// TODO: pass valid provider resources
 
-	// Reset gatewayclass slice and update with a nil gatewayclass to trigger a delete
-	pResources.DeleteGatewayClasses()
-	pResources.GatewayClasses.Store("test", nil)
+	// Reset gateway slice and update with a nil gateway to trigger a delete.
+	pResources.DeleteGateways()
+	key := types.NamespacedName{Namespace: "test", Name: "test"}
+	pResources.Gateways.Store(key, nil)
 	require.Eventually(t, func() bool {
-		out := xdsIR.Get()
+		out := xdsIR.LoadAll()
 		if out == nil {
 			return false
 		}
 		// Ensure ir is empty
-		return (reflect.DeepEqual(*xdsIR.Get(), ir.Xds{})) && (reflect.DeepEqual(*infraIR.Get(), ir.Infra{Proxy: nil}))
+		return (reflect.DeepEqual(xdsIR.LoadAll(), map[string]*ir.Xds{})) && (reflect.DeepEqual(infraIR.LoadAll(), map[string]*ir.Infra{}))
 	}, time.Second*1, time.Millisecond*20)
 
 }

internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml

@@ -54,31 +54,33 @@ httpRoutes:
               reason: Accepted
               message: Route is accepted
 xdsIR:
-  http:
-    - name: envoy-gateway-gateway-1-http
-      address: 0.0.0.0
-      port: 10080
-      hostnames:
-        - "*"
-      routes:
-        - name: envoy-gateway-httproute-1-rule-0-match-0-*
-          pathMatch:
-            prefix: "/"
-          destinations:
-            - host: 7.7.7.7
-              port: 8080
-              weight: 1
+  envoy-gateway-gateway-1:
+    http:
+      - name: envoy-gateway-gateway-1-http
+        address: 0.0.0.0
+        port: 10080
+        hostnames:
+          - "*"
+        routes:
+          - name: envoy-gateway-httproute-1-rule-0-match-0-*
+            pathMatch:
+              prefix: "/"
+            destinations:
+              - host: 7.7.7.7
+                port: 8080
+                weight: 1
 infraIR:
-  proxy:
-    metadata:
-      labels:
-        gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class
-    name: envoy-gateway-class
-    image: envoyproxy/envoy:v1.23-latest
-    listeners:
-      - address: ""
-        ports:
-          - name: envoy-gateway-gateway-1
-            protocol: "HTTP"
-            servicePort: 80
-            containerPort: 10080
+  envoy-gateway-gateway-1:
+    proxy:
+      metadata:
+        labels:
+          gateway.envoyproxy.io/owning-gateway: gateway-1
+      name: envoy-gateway-gateway-1
+      image: envoyproxy/envoy:v1.23-latest
+      listeners:
+        - address: ""
+          ports:
+            - name: envoy-gateway-gateway-1
+              protocol: "HTTP"
+              servicePort: 80
+              containerPort: 10080

internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml

@@ -54,23 +54,25 @@ httpRoutes:
         reason: NotAllowedByListeners
         message: No listeners included by this parent ref allowed this attachment.
 xdsIR:
-  http:
-  - name: envoy-gateway-gateway-1-http
-    address: 0.0.0.0
-    hostnames:
-    - "*"
-    port: 10080
+  envoy-gateway-gateway-1:
+    http:
+    - name: envoy-gateway-gateway-1-http
+      address: 0.0.0.0
+      hostnames:
+      - "*"
+      port: 10080
 infraIR:
-  proxy:
-    metadata:
-      labels:
-        gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class
-    name: envoy-gateway-class
-    image: envoyproxy/envoy:v1.23-latest
-    listeners:
-    - address: ""
-      ports:
-      - name: envoy-gateway-gateway-1
-        protocol: "HTTP"
-        servicePort: 80
-        containerPort: 10080
+  envoy-gateway-gateway-1:
+    proxy:
+      metadata:
+        labels:
+          gateway.envoyproxy.io/owning-gateway: gateway-1
+      name: envoy-gateway-gateway-1
+      image: envoyproxy/envoy:v1.23-latest
+      listeners:
+      - address: ""
+        ports:
+        - name: envoy-gateway-gateway-1
+          protocol: "HTTP"
+          servicePort: 80
+          containerPort: 10080

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-namespaces-selector.out.yaml

@@ -59,13 +59,15 @@ httpRoutes:
               status: "False"
               reason: NoReadyListeners
               message: There are no ready listeners for this parent ref
-xdsIR: {}
+xdsIR:
+  envoy-gateway-gateway-1: {}
 infraIR:
-  proxy:
-    metadata:
-      labels:
-        gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class
-    name: envoy-gateway-class
-    image: envoyproxy/envoy:v1.23-latest
-    listeners:
-      - address: ""
+  envoy-gateway-gateway-1:
+    proxy:
+      metadata:
+        labels:
+          gateway.envoyproxy.io/owning-gateway: gateway-1
+      name: envoy-gateway-gateway-1
+      image: envoyproxy/envoy:v1.23-latest
+      listeners:
+        - address: ""

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml

@@ -57,13 +57,15 @@ httpRoutes:
               status: "False"
               reason: NoReadyListeners
               message: There are no ready listeners for this parent ref
-xdsIR: {}
+xdsIR:
+  envoy-gateway-gateway-1: {}
 infraIR:
-  proxy:
-    metadata:
-      labels:
-        gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class
-    name: envoy-gateway-class
-    image: envoyproxy/envoy:v1.23-latest
-    listeners:
-      - address: ""
+  envoy-gateway-gateway-1:
+    proxy:
+      metadata:
+        labels:
+          gateway.envoyproxy.io/owning-gateway: gateway-1
+      name: envoy-gateway-gateway-1
+      image: envoyproxy/envoy:v1.23-latest
+      listeners:
+        - address: ""

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml

@@ -57,13 +57,15 @@ httpRoutes:
               status: "False"
               reason: NoReadyListeners
               message: There are no ready listeners for this parent ref
-xdsIR: {}
+xdsIR:
+  envoy-gateway-gateway-1: {}
 infraIR:
-  proxy:
-    metadata:
-      labels:
-        gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class
-    name: envoy-gateway-class
-    image: envoyproxy/envoy:v1.23-latest
-    listeners:
-      - address: ""
+  envoy-gateway-gateway-1:
+    proxy:
+      metadata:
+        labels:
+          gateway.envoyproxy.io/owning-gateway: gateway-1
+      name: envoy-gateway-gateway-1
+      image: envoyproxy/envoy:v1.23-latest
+      listeners:
+        - address: ""

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-invalid-mode.out.yaml

@@ -57,13 +57,15 @@ httpRoutes:
               status: "False"
               reason: NoReadyListeners
               message: There are no ready listeners for this parent ref
-xdsIR: {}
+xdsIR:
+  envoy-gateway-gateway-1: {}
 infraIR:
-  proxy:
-    metadata:
-      labels:
-        gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class
-    name: envoy-gateway-class
-    image: envoyproxy/envoy:v1.23-latest
-    listeners:
-      - address: ""
+  envoy-gateway-gateway-1:
+    proxy:
+      metadata:
+        labels:
+          gateway.envoyproxy.io/owning-gateway: gateway-1
+      name: envoy-gateway-gateway-1
+      image: envoyproxy/envoy:v1.23-latest
+      listeners:
+        - address: ""

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-no-certificate-refs.out.yaml

@@ -55,13 +55,15 @@ httpRoutes:
               status: "False"
               reason: NoReadyListeners
               message: There are no ready listeners for this parent ref
-xdsIR: {}
+xdsIR:
+  envoy-gateway-gateway-1: {}
 infraIR:
-  proxy:
-    metadata:
-      labels:
-        gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class
-    name: envoy-gateway-class
-    image: envoyproxy/envoy:v1.23-latest
-    listeners:
-      - address: ""
+  envoy-gateway-gateway-1:
+    proxy:
+      metadata:
+        labels:
+          gateway.envoyproxy.io/owning-gateway: gateway-1
+      name: envoy-gateway-gateway-1
+      image: envoyproxy/envoy:v1.23-latest
+      listeners:
+        - address: ""

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-does-not-exist.out.yaml

@@ -61,13 +61,15 @@ httpRoutes:
               status: "False"
               reason: NoReadyListeners
               message: There are no ready listeners for this parent ref
-xdsIR: {}
+xdsIR:
+  envoy-gateway-gateway-1: {}
 infraIR:
-  proxy:
-    metadata:
-      labels:
-        gateway.envoyproxy.io/owning-gatewayclass: envoy-gateway-class
-    name: envoy-gateway-class
-    image: envoyproxy/envoy:v1.23-latest
-    listeners:
-      - address: ""
+  envoy-gateway-gateway-1:
+    proxy:
+      metadata:
+        labels:
+          gateway.envoyproxy.io/owning-gateway: gateway-1
+      name: envoy-gateway-gateway-1
+      image: envoyproxy/envoy:v1.23-latest
+      listeners:
+        - address: ""