diff --git a/charts/linkerd-crds/templates/policy/egress-network.yaml b/charts/linkerd-crds/templates/policy/egress-network.yaml index 148c0b191de56..4289de0577090 100644 --- a/charts/linkerd-crds/templates/policy/egress-network.yaml +++ b/charts/linkerd-crds/templates/policy/egress-network.yaml @@ -45,15 +45,15 @@ spec: that does not match any explicit route resources associated with an instance of this object. The values that are allowed currently are: - - AllowAll - permits all traffic, even if it has not been + - Allow - permits all traffic, even if it has not been explicitly described via attaching an xRoute resources. - - DenyAll - blocks all traffic that has not been described via + - Deny - blocks all traffic that has not been described via attaching an xRoute resource. type: string enum: - - AllowAll - - DenyAll + - Allow + - Deny networks: type: array items: diff --git a/charts/linkerd-crds/values.yaml b/charts/linkerd-crds/values.yaml index 119921c4a3de4..2cc17719e3c33 100644 --- a/charts/linkerd-crds/values.yaml +++ b/charts/linkerd-crds/values.yaml @@ -1,3 +1,3 @@ enableHttpRoutes: true enableTlsRoutes: true -enableTcpRoutes: true \ No newline at end of file +enableTcpRoutes: true diff --git a/cli/cmd/testdata/install_crds.golden b/cli/cmd/testdata/install_crds.golden index ca47002d6ab71..56f2fde7700ff 100644 --- a/cli/cmd/testdata/install_crds.golden +++ b/cli/cmd/testdata/install_crds.golden 
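Review bot: The `enum` list under the traffic policy field now accepts only `Allow` and `Deny`, so any EgressNetwork manifest or stored object that still says `AllowAll` or `DenyAll` will fail schema validation. The same applies to the `TrafficPolicy` enum in policy-controller/k8s/api/src/policy/egress_network.rs, which is renamed without a serde alias for the old spellings. If this CRD has already shipped in a release, keep the old values readable for a deprecation window, for example `#[serde(alias = "DenyAll")] Deny,` on the Rust side plus the old strings kept in the CRD enum. It is also worth confirming how the controller treats an EgressNetwork it cannot deserialize, so that a resource written as `DenyAll` never ends up with a more permissive effective policy than its author asked for.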
@@ -144,15 +144,15 @@ spec: that does not match any explicit route resources associated with an instance of this object. The values that are allowed currently are: - - AllowAll - permits all traffic, even if it has not been + - Allow - permits all traffic, even if it has not been explicitly described via attaching an xRoute resources. - - DenyAll - blocks all traffic that has not been described via + - Deny - blocks all traffic that has not been described via attaching an xRoute resource. type: string enum: - - AllowAll - - DenyAll + - Allow + - Deny networks: type: array items: diff --git a/cli/cmd/testdata/install_helm_crds_output.golden b/cli/cmd/testdata/install_helm_crds_output.golden index f230189886a48..f642d951b7472 100644 --- a/cli/cmd/testdata/install_helm_crds_output.golden +++ b/cli/cmd/testdata/install_helm_crds_output.golden @@ -148,15 +148,15 @@ spec: that does not match any explicit route resources associated with an instance of this object. The values that are allowed currently are: - - AllowAll - permits all traffic, even if it has not been + - Allow - permits all traffic, even if it has not been explicitly described via attaching an xRoute resources. - - DenyAll - blocks all traffic that has not been described via + - Deny - blocks all traffic that has not been described via attaching an xRoute resource. type: string enum: - - AllowAll - - DenyAll + - Allow + - Deny networks: type: array items: diff --git a/cli/cmd/testdata/install_helm_crds_output_ha.golden b/cli/cmd/testdata/install_helm_crds_output_ha.golden index f230189886a48..f642d951b7472 100644 --- a/cli/cmd/testdata/install_helm_crds_output_ha.golden +++ b/cli/cmd/testdata/install_helm_crds_output_ha.golden 
@@ -148,15 +148,15 @@ spec: that does not match any explicit route resources associated with an instance of this object. The values that are allowed currently are: - - AllowAll - permits all traffic, even if it has not been + - Allow - permits all traffic, even if it has not been explicitly described via attaching an xRoute resources. - - DenyAll - blocks all traffic that has not been described via + - Deny - blocks all traffic that has not been described via attaching an xRoute resource. type: string enum: - - AllowAll - - DenyAll + - Allow + - Deny networks: type: array items: diff --git a/policy-controller/k8s/api/src/policy/egress_network.rs b/policy-controller/k8s/api/src/policy/egress_network.rs index 7f00c8214014b..90e3a54d4cae5 100644 --- a/policy-controller/k8s/api/src/policy/egress_network.rs +++ b/policy-controller/k8s/api/src/policy/egress_network.rs @@ -20,8 +20,8 @@ pub struct EgressNetworkSpec { #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, JsonSchema)] pub enum TrafficPolicy { - AllowAll, - DenyAll, + Allow, + Deny, } #[derive(Clone, Debug, PartialEq, Deserialize, Serialize, JsonSchema)] diff --git a/policy-controller/k8s/status/src/index.rs b/policy-controller/k8s/status/src/index.rs index 5a2f8b51a6f6b..dd86eee56534d 100644 --- a/policy-controller/k8s/status/src/index.rs +++ b/policy-controller/k8s/status/src/index.rs @@ -116,10 +116,9 @@ struct EgressNetworkRef { impl EgressNetworkRef { fn is_accepted(&self) -> bool { - self.status_conditions.iter().any(|c| { - c.type_ == conditions::ACCEPTED.to_string() - && c.status == cond_statuses::STATUS_TRUE.to_string() - }) + self.status_conditions + .iter() + .any(|c| c.type_ == *conditions::ACCEPTED && c.status == *cond_statuses::STATUS_TRUE) } } 
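Review bot: `is_accepted` in `impl EgressNetworkRef` has no doc comment, and its fail-closed behaviour deserves one: `/// Returns true only when an Accepted condition with status True is present; an empty condition list counts as not accepted.` The check looks only at `type_` and `status`. If these conditions also carry an `observed_generation` (the ones compared in `eq_time_insensitive_conditions` do), a condition recorded for an earlier spec would still count as accepted; that may be intended, but the comment should say so. The struct definition and the rest of the `impl` block lie outside the hunk.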
@@ -1306,14 +1305,7 @@ fn eq_time_insensitive_route_parent_statuses( left.iter().zip(right.iter()).all(|(l, r)| { l.parent_ref == r.parent_ref && l.controller_name == r.controller_name - && l.conditions.len() == r.conditions.len() - && l.conditions.iter().zip(r.conditions.iter()).all(|(l, r)| { - l.message == r.message - && l.observed_generation == r.observed_generation - && l.reason == r.reason - && l.status == r.status - && l.type_ == r.type_ - }) + && eq_time_insensitive_conditions(&l.conditions, &r.conditions) }) } @@ -1326,11 +1318,10 @@ fn eq_time_insensitive_conditions( } left.iter().zip(right.iter()).all(|(l, r)| { - let result = l.message == r.message + l.message == r.message && l.observed_generation == r.observed_generation && l.reason == r.reason && l.status == r.status - && l.type_ == r.type_; - result + && l.type_ == r.type_ }) } diff --git a/policy-controller/k8s/status/src/index/conflict.rs b/policy-controller/k8s/status/src/index/conflict.rs index ffd9fb8eb2ffb..2a5efdd53bc8a 100644 --- a/policy-controller/k8s/status/src/index/conflict.rs +++ b/policy-controller/k8s/status/src/index/conflict.rs @@ -1,7 +1,6 @@ use super::RouteRef; use crate::{resource_id::NamespaceGroupKindName, routes}; -use ahash::AHashSet as HashSet; use linkerd_policy_controller_k8s_api::{gateway as k8s_gateway_api, Resource}; // This method determines whether a parent that a route attempts to 
@@ -9,28 +8,28 @@ use linkerd_policy_controller_k8s_api::{gateway as k8s_gateway_api, Resource}; // that we are about to attach. This is done following the logs outlined in: // https://gateway-api.sigs.k8s.io/geps/gep-1426/#route-types pub(super) fn parent_has_conflicting_routes<'p>( - mut existing_routes: impl Iterator, + existing_routes: impl Iterator, parent_ref: &routes::ParentReference, candidate_kind: &str, ) -> bool { let grpc_kind = k8s_gateway_api::GrpcRoute::kind(&()); let http_kind = k8s_gateway_api::HttpRoute::kind(&()); let tls_kind = k8s_gateway_api::TlsRoute::kind(&()); - - let more_specific_routes: HashSet<_> = if *candidate_kind == grpc_kind { - vec![] - } else if *candidate_kind == http_kind { - vec![grpc_kind] - } else if *candidate_kind == tls_kind { - vec![grpc_kind, http_kind] - } else { - vec![grpc_kind, http_kind, tls_kind] - } - .into_iter() - .collect(); - - existing_routes.any(|(id, route)| { - more_specific_routes.contains(&id.gkn.kind) && route.parents.contains(parent_ref) + let tcp_kind = k8s_gateway_api::TcpRoute::kind(&()); + + let mut siblings = existing_routes.filter(|(_, route)| route.parents.contains(parent_ref)); + siblings.any(|(id, _sibling)| { + if *candidate_kind == grpc_kind { + false + } else if *candidate_kind == http_kind { + id.gkn.kind == grpc_kind + } else if *candidate_kind == tls_kind { + id.gkn.kind == grpc_kind || id.gkn.kind == http_kind + } else if *candidate_kind == tcp_kind { + id.gkn.kind == grpc_kind || id.gkn.kind == http_kind || id.gkn.kind == tls_kind + } else { + false + } }) } diff --git a/policy-controller/k8s/status/src/tests/egress_network.rs b/policy-controller/k8s/status/src/tests/egress_network.rs index a60015c3011e3..d9ba48b125e5b 100644 --- a/policy-controller/k8s/status/src/tests/egress_network.rs +++ b/policy-controller/k8s/status/src/tests/egress_network.rs 
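Review bot: The final `else { false }` in `parent_has_conflicting_routes` means a candidate kind that matches none of `grpc_kind`, `http_kind`, `tls_kind` or `tcp_kind` never conflicts. The removed code treated an unrecognised kind as the least specific one and reported a conflict with any gRPC, HTTP or TLS route on the same parent. If the relaxation is not intended, fold the fallback into the TCP arm so unknown kinds stay on the restrictive side: `} else { id.gkn.kind == grpc_kind || id.gkn.kind == http_kind || id.gkn.kind == tls_kind }`. If it is intended, say so in a comment such as `// unknown kinds take no part in GEP-1426 precedence`. The comparison on `candidate_kind` does not depend on the sibling, so it could be resolved once before `siblings.any(...)` instead of inside the closure.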
@@ -49,7 +49,7 @@ fn egress_network_with_no_networks_specified() {
 },
 spec: linkerd_k8s_api::EgressNetworkSpec {
 networks: None,
- traffic_policy: linkerd_k8s_api::TrafficPolicy::AllowAll,
+ traffic_policy: linkerd_k8s_api::TrafficPolicy::Allow,
 },
 status: None,
 };
@@ -111,7 +111,7 @@ fn egress_network_with_nonoverlapping_networks_specified() {
 "fd00::/8".parse().unwrap(),
 ]),
 }]),
- traffic_policy: linkerd_k8s_api::TrafficPolicy::AllowAll,
+ traffic_policy: linkerd_k8s_api::TrafficPolicy::Allow,
 },
 status: None,
 };
@@ -171,7 +171,7 @@ fn egress_network_with_overlapping_networks_specified() {
 "192.168.0.0/16".parse().unwrap(),
 ]),
 }]),
- traffic_policy: linkerd_k8s_api::TrafficPolicy::AllowAll,
+ traffic_policy: linkerd_k8s_api::TrafficPolicy::Allow,
 },
 status: None,
 };
diff --git a/policy-controller/k8s/status/src/tests/routes.rs b/policy-controller/k8s/status/src/tests/routes.rs
index 0f60144ffc2b0..58f0943723550 100644
--- a/policy-controller/k8s/status/src/tests/routes.rs
+++ b/policy-controller/k8s/status/src/tests/routes.rs
@@ -81,7 +81,7 @@ fn make_egress_network(
 "fd00::/8".parse().unwrap(),
 ]),
 }]),
- traffic_policy: linkerd_k8s_api::TrafficPolicy::AllowAll,
+ traffic_policy: linkerd_k8s_api::TrafficPolicy::Allow,
 },
 status: Some(linkerd_k8s_api::EgressNetworkStatus {
 conditions: vec![condition],
diff --git a/policy-test/tests/admit_egress_networks.rs b/policy-test/tests/admit_egress_networks.rs
index 67d31b6ddf63f..78483984610e9 100644
--- a/policy-test/tests/admit_egress_networks.rs
+++ b/policy-test/tests/admit_egress_networks.rs
@@ -13,7 +13,7 @@ async fn accepts_valid() {
 ..Default::default()
 },
 spec: EgressNetworkSpec {
- traffic_policy: TrafficPolicy::AllowAll,
+ traffic_policy: TrafficPolicy::Allow,
 networks: Some(vec![
 Network {
 cidr: "10.1.0.0/24".parse().unwrap(),
@@ -39,7 +39,7 @@ async fn rejects_empty_networks() {
 ..Default::default()
 },
 spec: EgressNetworkSpec {
- traffic_policy: TrafficPolicy::AllowAll,
+ traffic_policy: TrafficPolicy::Allow,
 networks: Some(Default::default()),
 },
 status: None,