add reference grant and targetgroup config look up

Author: zac-nixon

controllers/gateway/gateway_controller.go

@@ -39,16 +39,16 @@ var _ Reconciler = &gatewayReconciler{}
 
 // NewNLBGatewayReconciler constructs a gateway reconciler to handle specifically for NLB gateways
 func NewNLBGatewayReconciler(routeLoader routeutils.Loader, cloud services.Cloud, k8sClient client.Client, eventRecorder record.EventRecorder, controllerConfig config.ControllerConfig, finalizerManager k8s.FinalizerManager, networkingSGReconciler networking.SecurityGroupReconciler, networkingSGManager networking.SecurityGroupManager, elbv2TaggingManager elbv2deploy.TaggingManager, subnetResolver networking.SubnetsResolver, vpcInfoProvider networking.VPCInfoProvider, backendSGProvider networking.BackendSGProvider, sgResolver networking.SecurityGroupResolver, logger logr.Logger, metricsCollector lbcmetrics.MetricCollector, reconcileCounters *metricsutil.ReconcileCounters) Reconciler {
-	return newGatewayReconciler(nlbGatewayController, controllerConfig.NLBGatewayMaxConcurrentReconciles, nlbGatewayTagPrefix, nlbGatewayFinalizer, routeLoader, routeutils.L4RouteFilter, cloud, k8sClient, eventRecorder, controllerConfig, finalizerManager, networkingSGReconciler, networkingSGManager, elbv2TaggingManager, subnetResolver, vpcInfoProvider, backendSGProvider, sgResolver, logger, metricsCollector, reconcileCounters)
+	return newGatewayReconciler(nlbGatewayController, controllerConfig.NLBGatewayMaxConcurrentReconciles, nlbGatewayTagPrefix, nlbGatewayFinalizer, routeLoader, routeutils.L4RouteFilter, cloud, k8sClient, eventRecorder, controllerConfig, finalizerManager, networkingSGReconciler, networkingSGManager, elbv2TaggingManager, subnetResolver, vpcInfoProvider, backendSGProvider, sgResolver, logger, metricsCollector, reconcileCounters.IncrementNLBGateway)
 }
 
 // NewALBGatewayReconciler constructs a gateway reconciler to handle specifically for ALB gateways
 func NewALBGatewayReconciler(routeLoader routeutils.Loader, cloud services.Cloud, k8sClient client.Client, eventRecorder record.EventRecorder, controllerConfig config.ControllerConfig, finalizerManager k8s.FinalizerManager, networkingSGReconciler networking.SecurityGroupReconciler, networkingSGManager networking.SecurityGroupManager, elbv2TaggingManager elbv2deploy.TaggingManager, subnetResolver networking.SubnetsResolver, vpcInfoProvider networking.VPCInfoProvider, backendSGProvider networking.BackendSGProvider, sgResolver networking.SecurityGroupResolver, logger logr.Logger, metricsCollector lbcmetrics.MetricCollector, reconcileCounters *metricsutil.ReconcileCounters) Reconciler {
-	return newGatewayReconciler(albGatewayController, controllerConfig.ALBGatewayMaxConcurrentReconciles, albGatewayTagPrefix, albGatewayFinalizer, routeLoader, routeutils.L7RouteFilter, cloud, k8sClient, eventRecorder, controllerConfig, finalizerManager, networkingSGReconciler, networkingSGManager, elbv2TaggingManager, subnetResolver, vpcInfoProvider, backendSGProvider, sgResolver, logger, metricsCollector, reconcileCounters)
+	return newGatewayReconciler(albGatewayController, controllerConfig.ALBGatewayMaxConcurrentReconciles, albGatewayTagPrefix, albGatewayFinalizer, routeLoader, routeutils.L7RouteFilter, cloud, k8sClient, eventRecorder, controllerConfig, finalizerManager, networkingSGReconciler, networkingSGManager, elbv2TaggingManager, subnetResolver, vpcInfoProvider, backendSGProvider, sgResolver, logger, metricsCollector, reconcileCounters.IncrementALBGateway)
 }
 
 // newGatewayReconciler constructs a reconciler that responds to gateway object changes
-func newGatewayReconciler(controllerName string, maxConcurrentReconciles int, gatewayTagPrefix string, finalizer string, routeLoader routeutils.Loader, routeFilter routeutils.LoadRouteFilter, cloud services.Cloud, k8sClient client.Client, eventRecorder record.EventRecorder, controllerConfig config.ControllerConfig, finalizerManager k8s.FinalizerManager, networkingSGReconciler networking.SecurityGroupReconciler, networkingSGManager networking.SecurityGroupManager, elbv2TaggingManager elbv2deploy.TaggingManager, subnetResolver networking.SubnetsResolver, vpcInfoProvider networking.VPCInfoProvider, backendSGProvider networking.BackendSGProvider, sgResolver networking.SecurityGroupResolver, logger logr.Logger, metricsCollector lbcmetrics.MetricCollector, reconcileCounters *metricsutil.ReconcileCounters) Reconciler {
+func newGatewayReconciler(controllerName string, maxConcurrentReconciles int, gatewayTagPrefix string, finalizer string, routeLoader routeutils.Loader, routeFilter routeutils.LoadRouteFilter, cloud services.Cloud, k8sClient client.Client, eventRecorder record.EventRecorder, controllerConfig config.ControllerConfig, finalizerManager k8s.FinalizerManager, networkingSGReconciler networking.SecurityGroupReconciler, networkingSGManager networking.SecurityGroupManager, elbv2TaggingManager elbv2deploy.TaggingManager, subnetResolver networking.SubnetsResolver, vpcInfoProvider networking.VPCInfoProvider, backendSGProvider networking.BackendSGProvider, sgResolver networking.SecurityGroupResolver, logger logr.Logger, metricsCollector lbcmetrics.MetricCollector, reconcileTracker func(namespaceName types.NamespacedName)) Reconciler {
 
 	trackingProvider := tracking.NewDefaultProvider(gatewayTagPrefix, controllerConfig.ClusterName)
 	modelBuilder := gatewaymodel.NewDefaultModelBuilder(subnetResolver, vpcInfoProvider, cloud.VpcID(), trackingProvider, elbv2TaggingManager, cloud.EC2(), controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, sets.New(controllerConfig.ExternalManagedTags...), controllerConfig.DefaultSSLPolicy, controllerConfig.DefaultTargetType, controllerConfig.DefaultLoadBalancerScheme, backendSGProvider, sgResolver, controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, logger)
@@ -71,7 +71,7 @@ func newGatewayReconciler(controllerName string, maxConcurrentReconciles int, ga
 		eventRecorder:           eventRecorder,
 		logger:                  logger,
 		metricsCollector:        metricsCollector,
-		reconcileCounters:       reconcileCounters,
+		reconcileTracker:        reconcileTracker,
 	}
 }
 
@@ -91,8 +91,8 @@ type gatewayReconciler struct {
 	eventRecorder           record.EventRecorder
 	logger                  logr.Logger
 
-	metricsCollector  lbcmetrics.MetricCollector
-	reconcileCounters *metricsutil.ReconcileCounters
+	metricsCollector lbcmetrics.MetricCollector
+	reconcileTracker func(namespaceName types.NamespacedName)
 }
 
 // TODO - Add Gateway and TG configuration permissions
@@ -110,6 +110,7 @@ type gatewayReconciler struct {
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=tcproutes/finalizers,verbs=update
 
 func (r *gatewayReconciler) Reconcile(ctx context.Context, req reconcile.Request) (ctrl.Result, error) {
+	r.reconcileTracker(req.NamespacedName)
 	err := r.reconcileHelper(ctx, req)
 	if err != nil {
 		r.logger.Error(err, "Got this error!")

pkg/gateway/routeutils/backend.go

@@ -6,24 +6,26 @@ import (
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
+	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gwbeta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+)
+
+const (
+	serviceKind = "Service"
 )
 
 // Backend an abstraction on the Gateway Backend, meant to hide the underlying backend type from consumers (unless they really want to see it :))
 type Backend struct {
-	Service             *corev1.Service
-	ServicePort         *corev1.ServicePort
-	TypeSpecificBackend interface{}
-	Weight              int
-	// Add TG config here //
+	Service                *corev1.Service
+	ELBv2TargetGroupConfig *elbv2gw.TargetGroupConfiguration
+	ServicePort            *corev1.ServicePort
+	TypeSpecificBackend    interface{}
+	Weight                 int
 }
 
-// TODOs:
-// 1/ Add reference grant checking
-// 2/ Add target group configuration resolution
-
-// NOTE: Currently routeKind is not used, however, we will need it to load TG specific configuration.
 // commonBackendLoader this function will load the services and target group configurations associated with this gateway backend.
 func commonBackendLoader(ctx context.Context, k8sClient client.Client, typeSpecificBackend interface{}, backendRef gwv1.BackendRef, routeIdentifier types.NamespacedName, routeKind string) (*Backend, error) {
 
@@ -40,23 +42,37 @@ func commonBackendLoader(ctx context.Context, k8sClient client.Client, typeSpeci
 		return nil, errors.Errorf("Missing port in backend reference")
 	}
 
-	var namespace string
+	var svcNamespace string
 	if backendRef.Namespace == nil {
-		namespace = routeIdentifier.Namespace
+		svcNamespace = routeIdentifier.Namespace
 	} else {
-		namespace = string(*backendRef.Namespace)
+		svcNamespace = string(*backendRef.Namespace)
 	}
 
-	// TODO - Need to implement reference grant check here
-
-	svcName := types.NamespacedName{
-		Namespace: namespace,
+	svcIdentifier := types.NamespacedName{
+		Namespace: svcNamespace,
 		Name:      string(backendRef.Name),
 	}
+
+	// Check for reference grant when performing crossname gateway -> route attachment
+	if svcNamespace != routeIdentifier.Namespace {
+		allowed, err := referenceGrantCheck(ctx, k8sClient, svcIdentifier, routeIdentifier, routeKind)
+		if err != nil {
+			return nil, errors.Wrapf(err, "Unable to perform reference grant check")
+		}
+
+		// We should not give any hints about the existence of this resource, therefore, we return nil.
+		// That way, users can't infer if the route is missing because of a misconfigured service reference
+		// or the sentence grant is not allowing the connection.
+		if !allowed {
+			return nil, nil
+		}
+	}
+
 	svc := &corev1.Service{}
-	err := k8sClient.Get(ctx, svcName, svc)
+	err := k8sClient.Get(ctx, svcIdentifier, svc)
 	if err != nil {
-		return nil, errors.Wrap(err, fmt.Sprintf("Unable to fetch svc object %+v", svcName))
+		return nil, errors.Wrap(err, fmt.Sprintf("Unable to fetch svc object %+v", svcIdentifier))
 	}
 
 	var servicePort *corev1.ServicePort
@@ -68,12 +84,16 @@ func commonBackendLoader(ctx context.Context, k8sClient client.Client, typeSpeci
 		}
 	}
 
+	tgConfig, err := lookUpTargetGroupConfiguration(ctx, k8sClient, k8s.NamespacedName(svc))
+
+	if err != nil {
+		return nil, errors.Wrap(err, fmt.Sprintf("Unable to fetch tg config object"))
+	}
+
 	if servicePort == nil {
 		return nil, errors.Errorf("Unable to find service port for port %d", *backendRef.Port)
 	}
 
-	// TODO - Need to TG CRD look up here
-
 	// Weight specifies the proportion of requests forwarded to the referenced
 	// backend. This is computed as weight/(sum of all weights in this
 	// BackendRefs list). For non-zero values, there may be some epsilon from
@@ -90,9 +110,74 @@ func commonBackendLoader(ctx context.Context, k8sClient client.Client, typeSpeci
 		weight = int(*backendRef.Weight)
 	}
 	return &Backend{
-		Service:             svc,
-		ServicePort:         servicePort,
-		Weight:              weight,
-		TypeSpecificBackend: typeSpecificBackend,
+		Service:                svc,
+		ServicePort:            servicePort,
+		Weight:                 weight,
+		TypeSpecificBackend:    typeSpecificBackend,
+		ELBv2TargetGroupConfig: tgConfig,
 	}, nil
 }
+
+// lookUpTargetGroupConfiguration given a service, lookup the target group configuration associated with the service.
+// recall that target group configuration always lives within the same namespace as the service.
+func lookUpTargetGroupConfiguration(ctx context.Context, k8sClient client.Client, serviceMetadata types.NamespacedName) (*elbv2gw.TargetGroupConfiguration, error) {
+	tgConfigList := &elbv2gw.TargetGroupConfigurationList{}
+
+	// TODO - Add index
+	if err := k8sClient.List(ctx, tgConfigList, client.InNamespace(serviceMetadata.Namespace)); err != nil {
+		return nil, err
+	}
+
+	for _, tgConfig := range tgConfigList.Items {
+		if tgConfig.Spec.TargetReference.Kind != nil && *tgConfig.Spec.TargetReference.Kind != serviceKind {
+			continue
+		}
+
+		// TODO - Add a webhook to validate that only one target group config references this service.
+		// TODO - Add an index for this
+		if tgConfig.Spec.TargetReference.Name == serviceMetadata.Name {
+			return &tgConfig, nil
+		}
+	}
+	return nil, nil
+}
+
+// Implements the reference grant API
+// https://gateway-api.sigs.k8s.io/api-types/referencegrant/
+func referenceGrantCheck(ctx context.Context, k8sClient client.Client, svcIdentifier types.NamespacedName, routeIdentifier types.NamespacedName, routeKind string) (bool, error) {
+	referenceGrantList := &gwbeta1.ReferenceGrantList{}
+	if err := k8sClient.List(ctx, referenceGrantList, client.InNamespace(svcIdentifier.Namespace)); err != nil {
+		return false, err
+	}
+
+	for _, grant := range referenceGrantList.Items {
+		var routeAllowed bool
+
+		for _, from := range grant.Spec.From {
+			// Kind check maybe?
+			if string(from.Kind) == routeKind && string(from.Namespace) == routeIdentifier.Namespace {
+				routeAllowed = true
+				break
+			}
+		}
+
+		if routeAllowed {
+			for _, to := range grant.Spec.To {
+				// As this is a backend reference, we only care about the "Service" Kind.
+				if to.Kind != serviceKind {
+					continue
+				}
+
+				// If name is specified, we need to ensure that svc name matches the "to" name.
+				if to.Name != nil && string(*to.Name) != svcIdentifier.Name {
+					continue
+				}
+
+				return true, nil
+			}
+
+		}
+	}
+
+	return false, nil
+}