Modify listener isolation rules for routes

[salonichf5]

Proposed changes

Write a clear and concise description that helps reviewers understand the purpose and impact of your changes. Use the
following format:

Problem: Users are unable to configure server blocks with listener sharing the same hostname with another listener but on a different port.

Solution: Modify rules for listener isolation in the following way

1. if 2 listeners have the same hostname and different ports, do not do listener isolation. Attach it to the listener specified in the section name
2. if no sectionName is specified in the routes, attach all listeners to the route.

Note: Not adding unit tests for same hostname and port combination for L4Routes because we never do not attach L4Route to listeners with same port and combination by design.

Testing: Manual Testing

Also verified tests from previous PR

1. L4Routes

Gateway

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: default
spec:
  gatewayClassName: nginx
  listeners:
  - name: tls
    port: 443
    protocol: TLS
    hostname: "*.example.com"
    allowedRoutes:
      namespaces:
        from: All
      kinds:
        - kind: TLSRoute
    tls:
      mode: Passthrough
  - name: tls-diff-port
    port: 300
    protocol: TLS
    hostname: "*.example.com"
    allowedRoutes:
      namespaces:
        from: All
      kinds:
        - kind: TLSRoute
    tls:
      mode: Passthrough

Route

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: tls-secure-app-route
  namespace: default
spec:
  parentRefs:
  - name: gateway
    namespace: default
    sectionName: tls
  hostnames:
  - "*.example.com"
  rules:
  - backendRefs:
    - name: secure-app
      port: 8443

curl to cafe.example.com should succeed

curl --resolve cafe.example.com:8443:$GW_IP https://cafe.example.com:8443 --insecure   
Handling connection for 8443
hello from pod \secure-app-7bfb966596-rbkhx

2. L7 Routes

Gateway

kind: Gateway
metadata:
  name: gateway
spec:
  gatewayClassName: nginx
  listeners:
  - name: diffport
    port: 7777
    protocol: HTTP
    hostname: "cafe.example.com"
  - name: http
    port: 80
    protocol: HTTP
    hostname: "cafe.example.com"

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: coffee
spec:
  parentRefs:
  - name: gateway
    sectionName: http
  hostnames:
  - "cafe.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /coffee
    backendRefs:
    - name: coffee
      port: 80

Should receive response from coffee

 curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/coffee                     
Handling connection for 8080
Server address: 10.244.0.183:8080
Server name: coffee-676c9f8944-2l79x
Date: 21/Feb/2025:21:23:30 +0000
URI: /coffee
Request ID: 5eea03210c43b1d170a284f517f5a41a

Please focus on (optional): If you any specific areas where you would like reviewers to focus their attention or provide
specific feedback, add them here.

Closes #3137

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

NONE

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.15%. Comparing base (3914e8f) to head (b4ee102).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3159      +/-   ##
==========================================
+ Coverage   86.14%   86.15%   +0.01%     
==========================================
  Files         113      113              
  Lines       11648    11658      +10     
  Branches       62       62              
==========================================
+ Hits        10034    10044      +10     
  Misses       1553     1553              
  Partials       61       61              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[sjberman]

Still need to review the unit tests.

Did you verify that the previously failing NFR test now passes?

[salonichf5]

Still need to review the unit tests.

Did you verify that the previously failing NFR test now passes?

I did not run the NFR test. I can do that but verified using the gateway and route spec that led to the failure, examples are added above.

[bjee19]

With this route:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: coffee
spec:
  parentRefs:
  - name: gateway
    sectionName: http
  hostnames:
  - "cafe.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /coffee
    backendRefs:
    - name: coffee
      port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: tea
spec:
  parentRefs:
  - name: gateway
    sectionName: https
  hostnames:
  - "cafe.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /tea
    backendRefs:
    - name: tea
      port: 80

and with this gateway:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    hostname: "cafe.example.com"
  - name: https
    port: 80
    protocol: HTTP
    hostname: "*.example.com"

When I checkout these changes, here's the generated nginx conf:

server {
    listen 80;
    listen [::]:80;

    server_name cafe.example.com;


    location /coffee/ {




        proxy_http_version 1.1;
        proxy_set_header Host "$gw_api_compliant_host";
        proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
        proxy_set_header X-Real-IP "$remote_addr";
        proxy_set_header X-Forwarded-Proto "$scheme";
        proxy_set_header X-Forwarded-Host "$host";
        proxy_set_header X-Forwarded-Port "$server_port";
        proxy_set_header Upgrade "$http_upgrade";
        proxy_set_header Connection "$connection_upgrade";
        proxy_pass http://default_coffee_80$request_uri;



    }
    location = /coffee {




        proxy_http_version 1.1;
        proxy_set_header Host "$gw_api_compliant_host";
        proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
        proxy_set_header X-Real-IP "$remote_addr";
        proxy_set_header X-Forwarded-Proto "$scheme";
        proxy_set_header X-Forwarded-Host "$host";
        proxy_set_header X-Forwarded-Port "$server_port";
        proxy_set_header Upgrade "$http_upgrade";
        proxy_set_header Connection "$connection_upgrade";
        proxy_pass http://default_coffee_80$request_uri;



    }
    location / {

        return 404 "";



        proxy_http_version 1.1;
    }
}

server {
    listen unix:/var/run/nginx/nginx-503-server.sock;
    access_log off;

    return 503;
}

server {
    listen unix:/var/run/nginx/nginx-500-server.sock;
    access_log off;

    return 500;
}


upstream default_coffee_80 {
    random two least_conn;
    zone default_coffee_80 512k;


    server 10.244.0.7:8080;




}

upstream default_tea_80 {
    random two least_conn;
    zone default_tea_80 512k;


    server 10.244.0.6:8080;

Is it expected behavior that the tea route is missing?

[salonichf5]

With this route:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: coffee
spec:
  parentRefs:
  - name: gateway
    sectionName: http
  hostnames:
  - "cafe.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /coffee
    backendRefs:
    - name: coffee
      port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: tea
spec:
  parentRefs:
  - name: gateway
    sectionName: https
  hostnames:
  - "cafe.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /tea
    backendRefs:
    - name: tea
      port: 80

and with this gateway:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    hostname: "cafe.example.com"
  - name: https
    port: 80
    protocol: HTTP
    hostname: "*.example.com"

When I checkout these changes, here's the generated nginx conf:

server {
    listen 80;
    listen [::]:80;

    server_name cafe.example.com;


    location /coffee/ {




        proxy_http_version 1.1;
        proxy_set_header Host "$gw_api_compliant_host";
        proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
        proxy_set_header X-Real-IP "$remote_addr";
        proxy_set_header X-Forwarded-Proto "$scheme";
        proxy_set_header X-Forwarded-Host "$host";
        proxy_set_header X-Forwarded-Port "$server_port";
        proxy_set_header Upgrade "$http_upgrade";
        proxy_set_header Connection "$connection_upgrade";
        proxy_pass http://default_coffee_80$request_uri;



    }
    location = /coffee {




        proxy_http_version 1.1;
        proxy_set_header Host "$gw_api_compliant_host";
        proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
        proxy_set_header X-Real-IP "$remote_addr";
        proxy_set_header X-Forwarded-Proto "$scheme";
        proxy_set_header X-Forwarded-Host "$host";
        proxy_set_header X-Forwarded-Port "$server_port";
        proxy_set_header Upgrade "$http_upgrade";
        proxy_set_header Connection "$connection_upgrade";
        proxy_pass http://default_coffee_80$request_uri;



    }
    location / {

        return 404 "";



        proxy_http_version 1.1;
    }
}

server {
    listen unix:/var/run/nginx/nginx-503-server.sock;
    access_log off;

    return 503;
}

server {
    listen unix:/var/run/nginx/nginx-500-server.sock;
    access_log off;

    return 500;
}


upstream default_coffee_80 {
    random two least_conn;
    zone default_coffee_80 512k;


    server 10.244.0.7:8080;




}

upstream default_tea_80 {
    random two least_conn;
    zone default_tea_80 512k;


    server 10.244.0.6:8080;

Is it expected behavior that the tea route is missing?

Yes I believe so, same ports. The second route has hostname cafe.example.com , even though it attaches to the second listener (https) . It needs to isolated because cafe.example.com is part of another listener on the same port.

This has been my understanding of listener isolation. Try using tea.example.com as hostname in second route and see what you get ? That should not be isolated.

[bjee19]

thanks for running through some of my examples, lgtm! 🚀

[salonichf5]

Scale tests pass now so merging this PR.