MINOR: add SNI map for TLS route with passthrough

Author: ivanmatmati

.aspell.yml

@@ -76,3 +76,4 @@ allowed:
   - darwin
   - performant
   - dockerhub
+  - SNI

hug/haproxy/api/tcp-requests.go

@@ -18,7 +18,7 @@ import (
 
 	parser "github.com/haproxytech/client-native/v6/config-parser"
 	"github.com/haproxytech/client-native/v6/models"
-	"github.com/haproxytech/kubernetes-controller/k8s/gate/logging"
+	"github.com/haproxytech/haproxy-unified-gateway/k8s/gate/logging"
 )
 
 func (c *clientNative) TCPRequestDeleteAll(parentType parser.Section, name string) error {

k8s/gate/haproxy/backends.go

@@ -291,7 +291,6 @@ func (b *HaproxyConfMgrImpl) upsertTLSRouteBackends(routeKey k8stypes.Namespaced
 		b.backendsImpactedInCycle.Unreferenced[unreferencedBeName] = struct{}{}
 	}
 	return errs.Result()
-
 }
 
 func (b *HaproxyConfMgrImpl) processTLSRoutes() error {
@@ -382,7 +381,7 @@ func (b *HaproxyConfMgrImpl) addImpactedLTSBackendUpserted(backendName string, r
 	impactedBe := BackendImpactedInCycle{
 		Name:         backendName,
 		HTTPRouteKey: routeKey,
-		//BackendRef:   tlsBackendRef,
+		// BackendRef:   tlsBackendRef,
 	}
 
 	if _, ok := b.backendsImpactedInCycle.Upserted[backendName]; !ok {
@@ -607,6 +606,7 @@ func DeepCopyBackend(original *models.Backend) (*models.Backend, error) {
 	return &copied, nil
 }
 
+//revive:disable:function-length
 func (b *HaproxyConfMgrImpl) processBackendsModifiedInCycle() error {
 	var errs utils.Errors
 	// UPSERTED

k8s/gate/haproxy/frontends.go

@@ -255,12 +255,12 @@ func (b *HaproxyConfMgrImpl) newFrontend(params newFrontendParams) (*models.Fron
 				CondTest: "!{ req_ssl_hello_type 1 }",
 			},
 			{
-				//tcp-request inspect-delay 50000
+				// tcp-request inspect-delay 50000
 				Type:    "inspect-delay",
 				Timeout: utils.PtrInt64(50000),
 			},
 			{
-				//tcp-request content set-var(sess.sni) req_ssl_sni
+				// tcp-request content set-var(sess.sni) req_ssl_sni
 				Type:     "content",
 				Action:   "set-var",
 				VarName:  "sni",

k8s/gate/haproxy/routes-maps.go

@@ -40,10 +40,78 @@ func (e *ErrMapRuntimeUpdate) Error() string {
 }
 
 func (b *RouteMgrImpl) fillMaps() {
+	b.fillMapsForHTTPRoutes()
+	b.fillMapsForTLSRoutes()
+}
+
+func (b *RouteMgrImpl) fillMapsForTLSRoutes() {
 	var errs utils.Errors
 	controllerStore := b.topManager.controllerStore
 	mapsStorage := b.topManager.params.mapsStorage
+	// Managed TLSRoutes => if there is a old resource, clean the state before update
+	for routeKey, route := range controllerStore.GateTree.TLSRoutes {
+		if route.TreeStatus.OldTreeResource == nil {
+			continue
+		}
+		route = route.TreeStatus.OldTreeResource
+		for _, listeners := range route.Listeners.Iterate {
+			for _, listener := range listeners {
+				frontendName, err := b.topManager.getFrontendName(listener.Owner, listener.K8sResource)
+				if err != nil {
+					b.topManager.logger.LogAttrs(context.Background(), slog.LevelError, "Failed to get frontend name",
+						logging.LogAttrError(err),
+					)
+				}
+
+				pathSNIMap := mapsStorage.MapPath(frontendName, storage.SNI_MAP)
+				mapSNIMap := mapsStorage.GetMapData(pathSNIMap)
+				err = b.onDeletedTLSRoute(routeKey, route, mapSNIMap)
+				// errs.Add(err)
+				_ = err // TODO ignore error for now
+			}
+		}
+	}
+	// Managed TLSRoutes => Create / update/ delete backends
+	for routeKey, route := range controllerStore.GateTree.TLSRoutes {
+		for _, listeners := range route.Listeners.Iterate {
+			for _, listener := range listeners {
+				frontendName, err := b.topManager.getFrontendName(listener.Owner, listener.K8sResource)
+				if err != nil {
+					b.topManager.logger.LogAttrs(context.Background(), slog.LevelError, "Failed to get frontend name",
+						logging.LogAttrError(err),
+					)
+				}
+				routesHosnames := utils.ConvertSliceWithFunc(route.K8sResource.Spec.Hostnames, utils.ConvertV1Alpha2HostnameToString)
+				listenerHostname := (*string)(listener.K8sResource.Hostname)
+				acceptedHostnamesForRoute := utils.MatchTLSHostnames(listenerHostname, routesHosnames)
+				pathSNIMap := mapsStorage.MapPath(frontendName, storage.SNI_MAP)
+				mapSNIMap := mapsStorage.GetMapData(pathSNIMap)
+
+				switch route.TreeStatus.Status {
+				case store.StatusUnchanged:
+					continue
+				case store.StatusUpserted:
+					err := b.onUpsertedTLSRoute(routeKey, route, mapSNIMap, acceptedHostnamesForRoute)
+					errs.Add(err)
+				case store.StatusDeleted:
+					err := b.onDeletedTLSRoute(routeKey, route, mapSNIMap)
+					errs.Add(err)
+				}
+			}
+		}
+	}
+
+	if len(errs) > 0 {
+		b.topManager.logger.LogAttrs(context.Background(), slog.LevelError, "Failed to fill maps for TLS routes",
+			logging.LogAttrError(errs.Result()),
+		)
+	}
+}
 
+func (b *RouteMgrImpl) fillMapsForHTTPRoutes() {
+	var errs utils.Errors
+	controllerStore := b.topManager.controllerStore
+	mapsStorage := b.topManager.params.mapsStorage
 	// Managed HTTPRoutes => if there is a old resource, clean the state before update
 	for routeKey, route := range controllerStore.GateTree.HTTPRoutes {
 		if route.TreeStatus.OldTreeResource == nil {
@@ -107,24 +175,11 @@ func (b *RouteMgrImpl) fillMaps() {
 			}
 		}
 	}
-
-	// Cleanup Backends that are not referenced anymore TODO
-	// if err := b.cleanupUnreferencedBackends(); err != nil {
-	// 	b.logger.LogAttrs(context.Background(), slog.LevelError, "Failed to cleanup unreferenced backends",
-	// 		logging.LogAttrError(err),
-	// 	)
-	// 	errs.Add(err)
-	// }
-
-	// // Now we have the list of upserted + delete BE with the correct list of routes pointing to them
-	// if err := b.processBackendsModifiedInCycle(); err != nil {
-	// 	b.logger.LogAttrs(context.Background(), slog.LevelError, "Failed to process backends modified in cycle",
-	// 		logging.LogAttrError(err),
-	// 	)
-	// 	errs.Add(err)
-	// }
-
-	// return errs.Result()
+	if len(errs) > 0 {
+		b.topManager.logger.LogAttrs(context.Background(), slog.LevelError, "Failed to fill maps for HTTP routes",
+			logging.LogAttrError(errs.Result()),
+		)
+	}
 }
 
 func (b *RouteMgrImpl) writeMaps() {

k8s/gate/haproxy/routes.go

@@ -61,6 +61,106 @@ func (b *RouteMgrImpl) onUpsertedHTTPRoute(routeKey k8stypes.NamespacedName, rou
 	return b.onInvalidHTTPRouteUpserted(routeKey, route, mapExact, mapPrefix, mapRegex, mapDomainWPathExact)
 }
 
+func (b *RouteMgrImpl) onUpsertedTLSRoute(routeKey k8stypes.NamespacedName, route *tree.TLSRoute,
+	sni *maps.MapData, acceptedHostnamesForRoute []string,
+) error {
+	if route.Valid {
+		return b.onValidTLSRouteUpserted(routeKey, route, sni, acceptedHostnamesForRoute)
+	}
+	return b.onInvalidTLSRouteUpserted(routeKey, route, sni)
+}
+
+func (b *RouteMgrImpl) onValidTLSRouteUpserted(_ k8stypes.NamespacedName,
+	tlsRoute *tree.TLSRoute, mapSNI *maps.MapData, acceptedHostnamesForRoute []string) error {
+
+	for _, tlsRouteRule := range tlsRoute.Rules {
+		// if !rule.Valid {
+		// find the old rule in route.TreeStatus.OldTreeResource.Rules, name is optional
+		// TODO
+		// }
+		var routeValue string
+		var backendNames []string
+		var backendweights []int32
+		hostnamesInserted := map[string]struct{}{}
+		for _, backend := range tlsRouteRule.K8sResource.BackendRefs {
+			checkResult, ok := tlsRouteRule.CheckBackendRef.Get(backend.BackendObjectReference)
+			if !ok || !checkResult.Valid {
+				b.topManager.logger.LogAttrs(context.Background(), slog.LevelDebug, "Processing TLSRoute [map update] - backend not valid",
+					logging.LogAttrBackendName(string(backend.Name)),
+				)
+				continue
+			}
+
+			// backend := rule.K8sResource.BackendRefs[index]
+			svckey := k8stypes.NamespacedName{
+				Name: string(backend.Name),
+			}
+			if backend.Namespace == nil {
+				svckey.Namespace = tlsRoute.K8sResource.Namespace
+			} else {
+				svckey.Namespace = string(*backend.Namespace)
+			}
+			svcPort := int32(0)
+			if backend.Port != nil {
+				svcPort = int32(*backend.Port)
+			}
+
+			backendName, err := b.topManager.getBackendName(svckey, int32(svcPort), "")
+			if err != nil {
+				b.topManager.logger.LogAttrs(context.Background(), slog.LevelError, "Processing TLSRoute [map update]",
+					logging.LogAttrError(err),
+				)
+				continue
+			}
+			backendNames = append(backendNames, backendName)
+			weight := int32(0)
+			if backend.Weight != nil {
+				weight = *backend.Weight
+			}
+			backendweights = append(backendweights, weight)
+		}
+		if len(backendNames) == 1 {
+			routeValue = backendNames[0]
+		} else {
+			// a: algo, s: suffix, l: list of backend (format depends on algo)
+			// /wr_a70_b20_c10     {"a":"wr","l":"a:70,b:20,c:10"}
+			routeValue = `{"a":"wr","l":"`
+			for i, backendName := range backendNames {
+				if i > 0 {
+					routeValue += ","
+				}
+				routeValue += fmt.Sprintf("%s:%d", backendName, backendweights[i])
+			}
+			routeValue += `"}`
+		}
+
+		for _, hostname := range acceptedHostnamesForRoute {
+			if tlsRouteRule.Valid {
+				mapSNI.AddData(string(hostname), routeValue)
+				hostnamesInserted[string(hostname)] = struct{}{}
+			} else if _, ok := hostnamesInserted[string(hostname)]; !ok {
+				mapSNI.DeleteData(string(hostname))
+			}
+		}
+	}
+	return nil
+}
+
+func (RouteMgrImpl) onInvalidTLSRouteUpserted(_ k8stypes.NamespacedName, _ *tree.TLSRoute, _ *maps.MapData) error {
+	// TODO we might need to remove it from the maps
+	return nil
+}
+
+func (RouteMgrImpl) onDeletedTLSRoute(_ k8stypes.NamespacedName, route *tree.TLSRoute,
+	mapSNI *maps.MapData,
+) error {
+	hostnames := route.K8sResource.Spec.Hostnames
+	for _, hostname := range hostnames {
+		mapSNI.DeleteData(string(hostname))
+	}
+	return nil
+}
+
 func (RouteMgrImpl) onDeletedHTTPRoute(_ k8stypes.NamespacedName, route *tree.HTTPRoute,
 	// func (b *RouteMgrImpl) onDeletedHTTPRoute(routeKey k8stypes.NamespacedName, route *tree.HTTPRoute,
 	mapExact, mapPrefix, mapRegex, mapDomainWPathExact *maps.MapData,
@@ -119,7 +219,7 @@ func (b *RouteMgrImpl) onValidHTTPRouteUpserted(_ k8stypes.NamespacedName, route
 		// TODO
 		// }
 		var routeValue string
-		var backendNames []string
+		var backendNamesForRule []string
 		var backendweights []int32
 		for index, backend := range rule.K8sResource.BackendRefs {
 			checkResult, ok := rule.CheckBackendRef.Get(backend.BackendObjectReference)
@@ -151,20 +251,20 @@ func (b *RouteMgrImpl) onValidHTTPRouteUpserted(_ k8stypes.NamespacedName, route
 				)
 				continue
 			}
-			backendNames = append(backendNames, backendName)
+			backendNamesForRule = append(backendNamesForRule, backendName)
 			weight := int32(0)
 			if backend.Weight != nil {
 				weight = *backend.Weight
 			}
 			backendweights = append(backendweights, weight)
 		}
-		if len(backendNames) == 1 {
-			routeValue = backendNames[0]
-		} else {
+		if len(backendNamesForRule) == 1 {
+			routeValue = backendNamesForRule[0]
+		} else if len(backendNamesForRule) > 1 {
 			// a: algo, s: suffix, l: list of backend (format depends on algo)
 			// /wr_a70_b20_c10     {"a":"wr","l":"a:70,b:20,c:10"}
 			routeValue = `{"a":"wr","l":"`
-			for i, backendName := range backendNames {
+			for i, backendName := range backendNamesForRule {
 				if i > 0 {
 					routeValue += ","
 				}

k8s/gate/haproxy/servers.go

@@ -313,7 +313,8 @@ func (b *HaproxyConfMgrImpl) getSvcEndpoints(ctx context.Context, svcKey client.
 
 func (b *HaproxyConfMgrImpl) backendsByServiceForHTTPRoute(routeOwners map[client.ObjectKey]int64,
 	beName string,
-	servicesByBackend map[client.ObjectKey]map[BackendPort]struct{}) {
+	servicesByBackend map[client.ObjectKey]map[BackendPort]struct{},
+) {
 	for ownerRouteKey := range routeOwners {
 		// Find the route in controllerStore GateTree
 		treeHTTPRoute, ok := b.controllerStore.GateTree.HTTPRoutes[ownerRouteKey]
@@ -358,7 +359,8 @@ func (b *HaproxyConfMgrImpl) backendsByServiceForHTTPRoute(routeOwners map[clien
 
 func (b *HaproxyConfMgrImpl) backendsByServiceForTLSRoute(routeOwners map[client.ObjectKey]int64,
 	beName string,
-	servicesByBackend map[client.ObjectKey]map[BackendPort]struct{}) {
+	servicesByBackend map[client.ObjectKey]map[BackendPort]struct{},
+) {
 	for ownerRouteKey := range routeOwners {
 		// Find the route in controllerStore GateTree
 		treeTLSRoute, ok := b.controllerStore.GateTree.TLSRoutes[ownerRouteKey]

k8s/gate/store/cluster-store.go

@@ -27,7 +27,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
-	"sigs.k8s.io/gateway-api/apis/v1alpha2"
 	gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 )
 
@@ -78,7 +77,7 @@ func NewClusterStoreUpdaterImpl(
 				extractGVK(&gatewayv1.GatewayClass{}):          newObjectStoreImpl(clusterStore.GatewayClasses, clusterStore.Updates.GatewayClasses, logger),
 				extractGVK(&gatewayv1.Gateway{}):               newObjectStoreImpl(clusterStore.Gateways, clusterStore.Updates.Gateways, logger),
 				extractGVK(&gatewayv1.HTTPRoute{}):             newObjectStoreImpl(clusterStore.HTTPRoutes, clusterStore.Updates.HTTPRoutes, logger),
-				extractGVK(&v1alpha2.TLSRoute{}):               newObjectStoreImpl(clusterStore.TLSRoutes, clusterStore.Updates.TLSRoutes, logger),
+				extractGVK(&gatewayv1alpha2.TLSRoute{}):        newObjectStoreImpl(clusterStore.TLSRoutes, clusterStore.Updates.TLSRoutes, logger),
 				extractGVK(&v1.Service{}):                      newObjectStoreImpl(clusterStore.Services, clusterStore.Updates.Services, logger),
 				extractGVK(&v1.Namespace{}):                    newObjectStoreImpl(clusterStore.Namespaces, clusterStore.Updates.Namespaces, logger),
 				extractGVK(&v1.Secret{}):                       newObjectStoreImpl(clusterStore.Secrets, clusterStore.Updates.Secrets, logger),

k8s/gate/store/cluster-updates.go

@@ -22,7 +22,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
-	"sigs.k8s.io/gateway-api/apis/v1alpha2"
 	gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 )
 
@@ -70,7 +69,7 @@ func NewClusterUpdates() ClusterUpdates {
 		GatewayClasses: make(map[types.NamespacedName]Update[*gatewayv1.GatewayClass]),
 		Gateways:       make(map[types.NamespacedName]Update[*gatewayv1.Gateway]),
 		HTTPRoutes:     make(map[types.NamespacedName]Update[*gatewayv1.HTTPRoute]),
-		TLSRoutes:      make(map[types.NamespacedName]Update[*v1alpha2.TLSRoute]),
+		TLSRoutes:      make(map[types.NamespacedName]Update[*gatewayv1alpha2.TLSRoute]),
 		Services:       make(map[types.NamespacedName]Update[*v1.Service]),
 		Namespaces:     make(map[types.NamespacedName]Update[*v1.Namespace]),
 		Secrets:        make(map[types.NamespacedName]Update[*v1.Secret]),

k8s/gate/tree/TLSRoute.go

@@ -166,6 +166,7 @@ func (r *TLSRoute) checkParentRefs(controllerStore ControllerStore) {
 	r.CheckParentRefs = checkParentsRefs
 }
 
+//revive:disable:function-length
 func (r *TLSRoute) checkParentRef(parentRef gatewayv1.ParentReference, controllerStore ControllerStore) checkParentRefResult {
 	if !isParentRefGroupKindSupported(parentRef, controllerStore.ExtractGVK) {
 		return checkParentRefResult{