[release-1.5] cherry-pick for v1.5.5 (envoyproxy#7509)

* fix: bug in overlap detection of cert SANs (envoyproxy#7234)

Signed-off-by: zirain <[email protected]>

* fix(translator): Fix panic with request mirror + grpcroute (envoyproxy#6875)

Signed-off-by: Andrew Moreland <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix: watch change for the ca cert in the Backend (envoyproxy#7294)

* watch change for the ca cert in the Backend

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix ipFamily not set in UDPListener (envoyproxy#7313)

fix: set ipfamily in udpistener (envoyproxy#7312)

Signed-off-by: cong <[email protected]>
Signed-off-by: zirain <[email protected]>

* coalesce updates to reduce intermediate updates (envoyproxy#7328)

* coalesce updates to reduce redundant processing in subscription handler

Signed-off-by: Huabing Zhao <[email protected]>

* retain order

Signed-off-by: Huabing Zhao <[email protected]>

* keep intermediate delete updates

Signed-off-by: Huabing Zhao <[email protected]>

* minor wording

Signed-off-by: Huabing Zhao <[email protected]>

* treat delete as normal operations

Signed-off-by: Huabing Zhao <[email protected]>

* retain the original order of the last updates for each key

Signed-off-by: Huabing Zhao <[email protected]>

* address comments

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

---------

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix: port typo (envoyproxy#7397)

Signed-off-by: cong <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix: validate EnvoyGateway configuration before reload (envoyproxy#7412)

Signed-off-by: zirain <[email protected]>

* fix: missing  jwt provider when jwt is configured on multiple listeners sharing the same port (envoyproxy#7337)

* fix jwt provider missing when jwt is configured at multiple ir listeners

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix: memory leak (envoyproxy#7429)

Fix memory leak.

Two watchable.Maps were never closed when shutting down the provider:
- GatewayClassStatuses.Close() - missing in GatewayAPIStatuses.Close()
- BackendTrafficPolicyStatuses.Close() - missing in PolicyStatuses.Close()

Each unclosed map leaked 3 goroutines:
1. Internal watchable.Map.coalesce goroutine
2. HandleSubscription goroutine blocked on channel read
3. Error handler goroutine blocked on channel read

Signed-off-by: Gonzalo Serrano <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix gen after cherry-pick

Signed-off-by: zirain <[email protected]>

* fix watchutil test

Signed-off-by: Huabing Zhao <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
Signed-off-by: Andrew Moreland <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: cong <[email protected]>
Signed-off-by: Gonzalo Serrano <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
Co-authored-by: Andrew Moreland <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: 聪 <[email protected]>
Co-authored-by: Gonzalo Serrano <[email protected]>

Author: 6 people

internal/envoygateway/config/loader/configloader.go

@@ -10,6 +10,7 @@ import (
 	"io"
 	"time"
 
+	"github.com/envoyproxy/gateway/api/v1alpha1/validation"
 	"github.com/envoyproxy/gateway/internal/envoygateway/config"
 	"github.com/envoyproxy/gateway/internal/filewatcher"
 	"github.com/envoyproxy/gateway/internal/logging"
@@ -67,6 +68,12 @@ func (r *Loader) Start(ctx context.Context, logOut io.Writer) error {
 					// TODO: add a metric for this?
 					continue
 				}
+
+				if err := validation.ValidateEnvoyGateway(eg); err != nil {
+					r.logger.Error(err, "failed to validate EnvoyGateway config")
+					continue
+				}
+
 				// Set defaults for unset fields
 				eg.SetEnvoyGatewayDefaults()
 				r.cfg.EnvoyGateway = eg

internal/gatewayapi/filters.go

@@ -945,22 +945,22 @@ func (t *Translator) processRequestMirrorFilter(
 		return nil
 	}
 
+	// Get the route type from the filter context to determine the correct BackendRef type
+	routeType := filterContext.Route.GetRouteType()
 	weight := int32(1)
 	mirrorBackend := mirrorFilter.BackendRef
-
-	// Create a DirectBackendRef for the mirror backend (no filters needed)
 	mirrorBackendRef := DirectBackendRef{
 		BackendRef: &gwapiv1.BackendRef{
-			BackendObjectReference: mirrorBackend,
+			BackendObjectReference: mirrorFilter.BackendRef,
 			Weight:                 &weight,
 		},
 	}
 
-	// This sets the status on the HTTPRoute, should the usage be changed so that the status message reflects that the backendRef is from the filter?
+	// This sets the status on the Route, should the usage be changed so that the status message reflects that the backendRef is from the filter?
 	filterNs := filterContext.Route.GetNamespace()
 	serviceNamespace := NamespaceDerefOr(mirrorBackend.Namespace, filterNs)
 	err = t.validateBackendRef(mirrorBackendRef, filterContext.Route,
-		resources, serviceNamespace, resource.KindHTTPRoute)
+		resources, serviceNamespace, routeType)
 	if err != nil {
 		return status.NewRouteStatusError(
 			fmt.Errorf("failed to validate the RequestMirror filter: %w", err), err.Reason()).WithType(gwapiv1.RouteConditionResolvedRefs)

internal/gatewayapi/listener.go

@@ -168,6 +168,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource
 						Address:      address,
 						Port:         uint32(containerPort),
 						ExternalPort: uint32(listener.Port),
+						IPFamily:     ipFamily,
 					},
 				}
 				xdsIR[irKey].UDP = append(xdsIR[irKey].UDP, irListener)
@@ -244,7 +245,7 @@ func checkOverlappingHostnames(httpsListeners []*ListenerContext) {
 			if httpsListeners[i].Port != httpsListeners[j].Port {
 				continue
 			}
-			if isOverlappingHostname(httpsListeners[i].Hostname, httpsListeners[j].Hostname) {
+			if areOverlappingHostnames(httpsListeners[i].Hostname, httpsListeners[j].Hostname) {
 				// Overlapping listeners can be more than two, we only report the first two for simplicity.
 				overlappingListeners[i] = &overlappingListener{
 					gateway1:  httpsListeners[i].gateway,
@@ -396,7 +397,7 @@ type overlappingCertificate struct {
 func isOverlappingCertificate(cert1DNSNames, cert2DNSNames []string) *overlappingCertificate {
 	for _, dns1 := range cert1DNSNames {
 		for _, dns2 := range cert2DNSNames {
-			if isOverlappingHostname(ptr.To(gwapiv1.Hostname(dns1)), ptr.To(gwapiv1.Hostname(dns2))) {
+			if areOverlappingHostnames(ptr.To(gwapiv1.Hostname(dns1)), ptr.To(gwapiv1.Hostname(dns2))) {
 				return &overlappingCertificate{
 					san1: dns1,
 					san2: dns2,
@@ -407,22 +408,31 @@ func isOverlappingCertificate(cert1DNSNames, cert2DNSNames []string) *overlappin
 	return nil
 }
 
-// isOverlappingHostname checks if two hostnames overlap.
-func isOverlappingHostname(hostname1, hostname2 *gwapiv1.Hostname) bool {
-	if hostname1 == nil || hostname2 == nil {
+func areOverlappingHostnames(this, other *gwapiv1.Hostname) bool {
+	if this == nil || other == nil {
 		return true
 	}
-	domain1 := strings.Replace(string(*hostname1), "*.", "", 1)
-	domain2 := strings.Replace(string(*hostname2), "*.", "", 1)
-	return isSubdomain(domain1, domain2) || isSubdomain(domain2, domain1)
+	return hostnameMatchesWithOther(this, other) || hostnameMatchesWithOther(other, this)
 }
 
-// isSubdomain checks if subDomain is a sub-domain of domain
-func isSubdomain(subDomain, domain string) bool {
-	if subDomain == domain {
-		return true
+// hostnameMatchesWithOther returns true if this hostname matches other hostname.
+// Assumes that hostnames will either be fully qualified or a wildcard hostname prefixed with a single wildcard.
+// E.g. "*.*.example.com" is not valid.
+func hostnameMatchesWithOther(this, other *gwapiv1.Hostname) bool {
+	thisString := string(*this)
+	otherString := string(*other)
+	if hasWildcardPrefix(other) && !hasWildcardPrefix(this) {
+		return strings.HasSuffix(thisString, otherString[1:]) &&
+			!strings.Contains(strings.TrimSuffix(thisString, otherString[1:]), ".") // not a subdomain
+	}
+	return thisString == otherString
+}
+
+func hasWildcardPrefix(h *gwapiv1.Hostname) bool {
+	if h == nil {
+		return false
 	}
-	return strings.HasSuffix(subDomain, fmt.Sprintf(".%s", domain))
+	return len(string(*h)) > 1 && string(*h)[0] == '*'
 }
 
 func buildListenerMetadata(listener *ListenerContext, gateway *GatewayContext) *ir.ResourceMetadata {

internal/gatewayapi/listener_test.go

@@ -100,7 +100,7 @@ func TestProxySamplingRate(t *testing.T) {
 	}
 }
 
-func TestIsOverlappingHostname(t *testing.T) {
+func TestAreOverlappingHostnames(t *testing.T) {
 	tests := []struct {
 		name      string
 		hostname1 *gwapiv1.Hostname
@@ -120,10 +120,10 @@ func TestIsOverlappingHostname(t *testing.T) {
 			want:      true,
 		},
 		{
-			name:      "two wildcards matches subdomain",
+			name:      "two wildcards with subdomain does not match",
 			hostname1: ptr.To(gwapiv1.Hostname("*.example.com")),
 			hostname2: ptr.To(gwapiv1.Hostname("*.test.example.com")),
-			want:      true,
+			want:      false,
 		},
 		{
 			name:      "nil hostname matches all",
@@ -144,22 +144,22 @@ func TestIsOverlappingHostname(t *testing.T) {
 			want:      true,
 		},
 		{
-			name:      "wildcard matches exact",
+			name:      "wildcard matches exactly one level of subdomain",
 			hostname1: ptr.To(gwapiv1.Hostname("*.example.com")),
 			hostname2: ptr.To(gwapiv1.Hostname("test.example.com")),
 			want:      true,
 		},
 		{
-			name:      "wildcard matches subdomain",
+			name:      "wildcard matches only one level of subdomain",
 			hostname1: ptr.To(gwapiv1.Hostname("*.example.com")),
 			hostname2: ptr.To(gwapiv1.Hostname("sub.test.example.com")),
-			want:      true,
+			want:      false,
 		},
 		{
-			name:      "wildcard matches empty subdomain",
+			name:      "wildcard does not match empty subdomain",
 			hostname1: ptr.To(gwapiv1.Hostname("*.example.com")),
 			hostname2: ptr.To(gwapiv1.Hostname("example.com")),
-			want:      true,
+			want:      false,
 		},
 		{
 			name:      "different domains",
@@ -185,15 +185,21 @@ func TestIsOverlappingHostname(t *testing.T) {
 			hostname2: ptr.To(gwapiv1.Hostname("testing-api.foo.dev")),
 			want:      false,
 		},
+		{
+			name:      "sub domain does not match with parent domain",
+			hostname1: ptr.To(gwapiv1.Hostname("api.foo.dev")),
+			hostname2: ptr.To(gwapiv1.Hostname("foo.dev")),
+			want:      false,
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := isOverlappingHostname(tt.hostname1, tt.hostname2); got != tt.want {
+			if got := areOverlappingHostnames(tt.hostname1, tt.hostname2); got != tt.want {
 				t.Errorf("isOverlappingHostname(%q, %q) = %v, want %v", ptr.Deref(tt.hostname1, ""), ptr.Deref(tt.hostname2, ""), got, tt.want)
 			}
 			// Test should be symmetric
-			if got := isOverlappingHostname(tt.hostname2, tt.hostname1); got != tt.want {
+			if got := areOverlappingHostnames(tt.hostname2, tt.hostname1); got != tt.want {
 				t.Errorf("isOverlappingHostname(%q, %q) = %v, want %v", ptr.Deref(tt.hostname2, ""), ptr.Deref(tt.hostname1, ""), got, tt.want)
 			}
 		})
@@ -306,15 +312,14 @@ func TestCheckOverlappingHostnames(t *testing.T) {
 							Name:     "listener-3",
 							Protocol: gwapiv1.HTTPSProtocolType,
 							Port:     443,
-							Hostname: ptr.To(gwapiv1.Hostname("sub.test.example.com")),
+							Hostname: ptr.To(gwapiv1.Hostname("sub.test.example.com")), // sub domain does not match with parent domain
 						},
 					},
 				},
 			},
 			expected: map[int]string{
 				0: "test.example.com",
 				1: "*.example.com",
-				2: "*.example.com",
 			},
 		},
 		{

internal/gatewayapi/testdata/grpcroute-with-mirror.in.yaml

@@ -0,0 +1,37 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    namespace: envoy-gateway
+    name: gateway-1
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
+grpcRoutes:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+  kind: GRPCRoute
+  metadata:
+    namespace: default
+    name: grpcroute-1
+  spec:
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - backendRefs:
+      - name: service-1
+        port: 8080
+      filters:
+      - type: RequestMirror
+        requestMirror:
+          backendRef:
+            kind: Service
+            name: service-2
+            port: 8080