diff --git a/apis/v1alpha2/object_reference_types.go b/apis/v1alpha2/object_reference_types.go index f67b80a836..d56407cd79 100644 --- a/apis/v1alpha2/object_reference_types.go +++ b/apis/v1alpha2/object_reference_types.go @@ -123,7 +123,8 @@ type BackendObjectReference struct { Namespace *Namespace `json:"namespace,omitempty"` // Port specifies the destination port number to use for this resource. - // Port is required when the referent is a Kubernetes Service. + // Port is required when the referent is a Kubernetes Service. In this + // case, the port number is the service port number, not the target port. // For other resources, destination port might be derived from the referent // resource or this field. // diff --git a/apis/v1alpha2/shared_types.go b/apis/v1alpha2/shared_types.go index 2ac4ae8ac9..ea4b749078 100644 --- a/apis/v1alpha2/shared_types.go +++ b/apis/v1alpha2/shared_types.go @@ -231,6 +231,8 @@ const ( // Possible reasons for this condition to be false are: // // * "RefNotPermitted" + // * "InvalidKind" + // * "BackendNotFound" // // Controllers may raise this condition with other reasons, // but should prefer to use the reasons listed above to improve diff --git a/apis/v1beta1/object_reference_types.go b/apis/v1beta1/object_reference_types.go index ce92bb453d..3cbbc0ad5e 100644 --- a/apis/v1beta1/object_reference_types.go +++ b/apis/v1beta1/object_reference_types.go @@ -123,7 +123,8 @@ type BackendObjectReference struct { Namespace *Namespace `json:"namespace,omitempty"` // Port specifies the destination port number to use for this resource. - // Port is required when the referent is a Kubernetes Service. + // Port is required when the referent is a Kubernetes Service. In this + // case, the port number is the service port number, not the target port. // For other resources, destination port might be derived from the referent // resource or this field. // 
diff --git a/apis/v1beta1/shared_types.go b/apis/v1beta1/shared_types.go index a92cf8c116..868ba13b9c 100644 --- a/apis/v1beta1/shared_types.go +++ b/apis/v1beta1/shared_types.go @@ -231,6 +231,8 @@ const ( // Possible reasons for this condition to be false are: // // * "RefNotPermitted" + // * "InvalidKind" + // * "BackendNotFound" // // Controllers may raise this condition with other reasons, // but should prefer to use the reasons listed above to improve diff --git a/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml index 4b8ebaf58b..d207fa4a60 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml @@ -465,7 +465,9 @@ spec: description: Port specifies the destination port number to use for this resource. Port is required when the referent is - a Kubernetes Service. For other resources, + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, destination port might be derived from the referent resource or this field. format: int32 @@ -724,9 +726,10 @@ spec: port: description: Port specifies the destination port number to use for this resource. Port is required when the - referent is a Kubernetes Service. For other resources, - destination port might be derived from the referent - resource or this field. + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. format: int32 maximum: 65535 minimum: 1 
@@ -978,9 +981,11 @@ spec: port: description: Port specifies the destination port number to use for this resource. Port is required - when the referent is a Kubernetes Service. For - other resources, destination port might be derived - from the referent resource or this field. + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. format: int32 maximum: 65535 minimum: 1 @@ -2063,7 +2068,9 @@ spec: description: Port specifies the destination port number to use for this resource. Port is required when the referent is - a Kubernetes Service. For other resources, + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, destination port might be derived from the referent resource or this field. format: int32 @@ -2322,9 +2329,10 @@ spec: port: description: Port specifies the destination port number to use for this resource. Port is required when the - referent is a Kubernetes Service. For other resources, - destination port might be derived from the referent - resource or this field. + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. format: int32 maximum: 65535 minimum: 1 
@@ -2575,9 +2583,11 @@ spec: port: description: Port specifies the destination port number to use for this resource. Port is required - when the referent is a Kubernetes Service. For - other resources, destination port might be derived - from the referent resource or this field. + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. format: int32 maximum: 65535 minimum: 1 diff --git a/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml index f2ba849fe2..2f62255f9b 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml @@ -212,9 +212,10 @@ spec: port: description: Port specifies the destination port number to use for this resource. Port is required when the - referent is a Kubernetes Service. For other resources, - destination port might be derived from the referent - resource or this field. + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. format: int32 maximum: 65535 minimum: 1 diff --git a/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml index 78ea7b88ec..ee8919b24c 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml 
@@ -261,9 +261,10 @@ spec: port: description: Port specifies the destination port number to use for this resource. Port is required when the - referent is a Kubernetes Service. For other resources, - destination port might be derived from the referent - resource or this field. + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. format: int32 maximum: 65535 minimum: 1 diff --git a/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml b/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml index d62af40316..3fe678ce69 100644 --- a/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml +++ b/config/crd/experimental/gateway.networking.k8s.io_udproutes.yaml @@ -212,9 +212,10 @@ spec: port: description: Port specifies the destination port number to use for this resource. Port is required when the - referent is a Kubernetes Service. For other resources, - destination port might be derived from the referent - resource or this field. + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. format: int32 maximum: 65535 minimum: 1 diff --git a/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml b/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml index 2fac441686..1aa6a09ba6 100644 --- a/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml +++ b/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml 
@@ -439,7 +439,9 @@ spec: description: Port specifies the destination port number to use for this resource. Port is required when the referent is - a Kubernetes Service. For other resources, + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, destination port might be derived from the referent resource or this field. format: int32 @@ -585,9 +587,10 @@ spec: port: description: Port specifies the destination port number to use for this resource. Port is required when the - referent is a Kubernetes Service. For other resources, - destination port might be derived from the referent - resource or this field. + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. format: int32 maximum: 65535 minimum: 1 @@ -839,9 +842,11 @@ spec: port: description: Port specifies the destination port number to use for this resource. Port is required - when the referent is a Kubernetes Service. For - other resources, destination port might be derived - from the referent resource or this field. + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. format: int32 maximum: 65535 minimum: 1 @@ -1766,7 +1771,9 @@ spec: description: Port specifies the destination port number to use for this resource. Port is required when the referent is - a Kubernetes Service. For other resources, + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, destination port might be derived from the referent resource or this field. format: int32 
@@ -1912,9 +1919,10 @@ spec: port: description: Port specifies the destination port number to use for this resource. Port is required when the - referent is a Kubernetes Service. For other resources, - destination port might be derived from the referent - resource or this field. + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. format: int32 maximum: 65535 minimum: 1 @@ -2165,9 +2173,11 @@ spec: port: description: Port specifies the destination port number to use for this resource. Port is required - when the referent is a Kubernetes Service. For - other resources, destination port might be derived - from the referent resource or this field. + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. format: int32 maximum: 65535 minimum: 1 diff --git a/conformance/tests/gateway-secret-missing-referenced-secret.go b/conformance/tests/gateway-secret-missing-referenced-secret.go new file mode 100644 index 0000000000..69b2f28b67 --- /dev/null +++ b/conformance/tests/gateway-secret-missing-referenced-secret.go 
@@ -0,0 +1,58 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tests
+
+import (
+ "testing"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+
+ "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+ "sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+func init() {
+ ConformanceTests = append(ConformanceTests, GatewaySecretMissingReferencedSecret)
+}
+
+var GatewaySecretMissingReferencedSecret = suite.ConformanceTest{
+ ShortName: "GatewaySecretMissingReferencedSecret",
+ Description: "A Gateway should fail to become ready if the Gateway has a certificateRef for a nonexistent Secret",
+ Manifests: []string{"tests/gateway-secret-missing-referenced-secret.yaml"},
+ Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
+ gwNN := types.NamespacedName{Name: "gateway-secret-missing-referenced-secret", Namespace: "gateway-conformance-infra"}
+
+ t.Run("Gateway listener should have a false ResolvedRefs condition with reason InvalidCertificateRef", func(t *testing.T) {
+ listeners := []v1alpha2.ListenerStatus{{
+ Name: v1alpha2.SectionName("https"),
+ SupportedKinds: []v1alpha2.RouteGroupKind{{
+ Group: (*v1alpha2.Group)(&v1alpha2.GroupVersion.Group),
+ Kind: v1alpha2.Kind("HTTPRoute"),
+ }},
+ Conditions: []metav1.Condition{{
+ Type: string(v1alpha2.ListenerConditionResolvedRefs),
+ Status: metav1.ConditionFalse,
+ Reason: string(v1alpha2.ListenerReasonInvalidCertificateRef),
+ }},
+ }}
+
+ kubernetes.GatewayStatusMustHaveListeners(t, s.Client, gwNN, listeners, 60)
+ })
+ },
+}
diff --git a/conformance/tests/gateway-secret-missing-referenced-secret.yaml b/conformance/tests/gateway-secret-missing-referenced-secret.yaml
new file mode 100644
index 0000000000..bfdbd2b4e6
--- /dev/null
+++ b/conformance/tests/gateway-secret-missing-referenced-secret.yaml
@@ -0,0 +1,19 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: Gateway
+metadata:
+ name: gateway-secret-missing-referenced-secret
+ namespace: gateway-conformance-infra
+spec:
+ gatewayClassName: "{GATEWAY_CLASS_NAME}"
+ listeners:
+ - name: https
+ port: 443
+ protocol: HTTPS
+ allowedRoutes:
+ namespaces:
+ from: All
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: nonexistent-secret
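Review bot: The `Description` promises that the Gateway "should fail to become ready", but the only subtest asserts the `https` listener's `ResolvedRefs` condition (False with `InvalidCertificateRef`). Nothing in this file checks a Gateway-level condition or that the listener stays closed instead of serving with a fallback certificate. Either narrow the text to what is verified, e.g. `Description: "A Gateway listener should report ResolvedRefs=False with reason InvalidCertificateRef when a certificateRef names a nonexistent Secret",`, or add the assertion for the fail-closed behaviour the description implies. The bare `60` passed to `kubernetes.GatewayStatusMustHaveListeners` would read better as a named constant carrying its unit (presumably seconds; the helper is not visible here). The exported `GatewaySecretMissingReferencedSecret` also has no doc comment; `// GatewaySecretMissingReferencedSecret checks listener status when a TLS certificateRef points to a Secret that does not exist.` would do.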
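Review bot: The `certificateRefs` entry has no `namespace`, so `nonexistent-secret` resolves in the Gateway's own namespace, `gateway-conformance-infra`. The test is therefore only meaningful while no other conformance manifest creates a Secret with that name there. A comment above the entry would make that precondition explicit, e.g. `# Must not exist in gateway-conformance-infra; the test expects ResolvedRefs=False/InvalidCertificateRef.` Separately, `allowedRoutes.namespaces.from: All` looks wider than this case needs, since the manifest attaches no route to the listener.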