add checks for TLS mode

Author: zac-nixon

pkg/gateway/model/model_build_target_group.go

@@ -102,7 +102,6 @@ func (t *targetGroupBuilderImpl) buildTargetGroup(stack core.Stack,
 	targetGroupProps := backend.ELBV2TargetGroupProps
 	tgResID := t.buildTargetGroupResourceID(k8s.NamespacedName(gw), k8s.NamespacedName(backend.Service), routeDescriptor.GetRouteNamespacedName(), routeDescriptor.GetRouteKind(), backend.ServicePort.TargetPort)
 	if tg, exists := t.tgByResID[tgResID]; exists {
-		fmt.Println("TG already exists. Returning cached version")
 		return tg, nil
 	}
 

pkg/gateway/routeutils/listener_attachment_helper.go

@@ -134,7 +134,36 @@ func (attachmentHelper *listenerAttachmentHelperImpl) kindCheck(listener gwv1.Li
 			allowedRoutes.Insert(RouteKind(v.Kind))
 		}
 	}
-	return allowedRoutes.Has(route.GetRouteKind())
+
+	isAllowed := allowedRoutes.Has(route.GetRouteKind())
+
+	if !isAllowed {
+		return false
+	}
+
+	if listener.Protocol == gwv1.TLSProtocolType {
+
+		var tlsMode *gwv1.TLSModeType
+
+		if listener.TLS != nil && listener.TLS.Mode != nil {
+			tlsMode = listener.TLS.Mode
+		}
+		switch route.GetRouteKind() {
+		case TCPRouteKind:
+			// Listener must allow termination at lb
+			return tlsMode == nil || *tlsMode == gwv1.TLSModeTerminate
+		case TLSRouteKind:
+			// This is kind of different.
+			// For AWS NLB, the original TLS will be terminated, however
+			// the LB will establish a new TLS connection to the backend.
+			// Users that want to persist the same TLS connection should use TCP
+			return tlsMode != nil && *tlsMode == gwv1.TLSModePassthrough
+		}
+		// Unsupported route type.
+		return false
+	}
+
+	return true
 }
 
 func (attachmentHelper *listenerAttachmentHelperImpl) hostnameCheck(listener gwv1.Listener, route preLoadRouteDescriptor) (bool, error) {

pkg/gateway/routeutils/listener_attachment_helper_test.go

@@ -297,6 +297,8 @@ func Test_namespaceCheck(t *testing.T) {
 }
 
 func Test_kindCheck(t *testing.T) {
+	term := gwv1.TLSModeTerminate
+	pt := gwv1.TLSModePassthrough
 	testCases := []struct {
 		name           string
 		route          preLoadRouteDescriptor
@@ -347,6 +349,55 @@ func Test_kindCheck(t *testing.T) {
 			},
 			expectedResult: true,
 		},
+		{
+			name:  "tls listener, tcp route, terminate by default",
+			route: &tcpRouteDescription{},
+			listener: gwv1.Listener{
+				Protocol: gwv1.TCPProtocolType,
+			},
+			expectedResult: true,
+		},
+		{
+			name:  "tls listener, tls route, terminate by default",
+			route: &tlsRouteDescription{},
+			listener: gwv1.Listener{
+				Protocol: gwv1.TCPProtocolType,
+			},
+			expectedResult: false,
+		},
+		{
+			name:  "tls listener, tcp route, terminate specified",
+			route: &tcpRouteDescription{},
+			listener: gwv1.Listener{
+				Protocol: gwv1.TCPProtocolType,
+				TLS: &gwv1.GatewayTLSConfig{
+					Mode: &term,
+				},
+			},
+			expectedResult: true,
+		},
+		{
+			name:  "tls listener, tcp route, passthrough specified",
+			route: &tcpRouteDescription{},
+			listener: gwv1.Listener{
+				Protocol: gwv1.TLSProtocolType,
+				TLS: &gwv1.GatewayTLSConfig{
+					Mode: &pt,
+				},
+			},
+			expectedResult: false,
+		},
+		{
+			name:  "tls listener, tls route, passthrough specified",
+			route: &tlsRouteDescription{},
+			listener: gwv1.Listener{
+				Protocol: gwv1.TLSProtocolType,
+				TLS: &gwv1.GatewayTLSConfig{
+					Mode: &pt,
+				},
+			},
+			expectedResult: true,
+		},
 	}
 
 	for _, tc := range testCases {