[feat gw-api]support source ip and handle grpc filter

Author: shuqz

apis/gateway/v1beta1/listenerruleconfig_types.go

@@ -50,6 +50,21 @@ type ListenerRuleCondition struct {
 	// Information for a source IP condition
 	// +optional
 	SourceIPConfig *SourceIPConditionConfig `json:"sourceIPConfig,omitempty"`
+
+	// Indexes of rule to apply source ip to, identified by ruleIndex and MatchIndex
+	// If Indexes is not provided, SourceIpConfig will be applied to all conditions under the same HttpRouteRule or GrpcRouteRule where ListenerRuleConfiguration is used
+	// +optional
+	Indexes *[]IndexesList `json:"indexes,omitempty"`
+}
+
+type IndexesList struct {
+	// Rule index in a rule array to apply source ip to
+	// +kubebuilder:default=0
+	RuleIndex int `json:"ruleIndex,omitempty"`
+
+	// Match index in a matches array to apply source ip to
+	// +kubebuilder:default=0
+	MatchIndex int `json:"matchIndex,omitempty"`
 }
 
 // ActionType defines the type of action for the rule

apis/gateway/v1beta1/zz_generated.deepcopy.go

@@ -329,6 +329,24 @@ spec:
                       enum:
                       - source-ip
                       type: string
+                    indexes:
+                      description: |-
+                        Indexes of rule to apply source ip to, identified by ruleIndex and MatchIndex
+                        If Indexes is not provided, SourceIpConfig will be applied to all conditions under the same HttpRouteRule or GrpcRouteRule where ListenerRuleConfiguration is used
+                      items:
+                        properties:
+                          matchIndex:
+                            default: 0
+                            description: Match index in a matches array to apply source
+                              ip to
+                            type: integer
+                          ruleIndex:
+                            default: 0
+                            description: Rule index in a rule array to apply source
+                              ip to
+                            type: integer
+                        type: object
+                      type: array
                     sourceIPConfig:
                       description: Information for a source IP condition
                       properties:

config/crd/gateway/gateway-crds.yaml

@@ -330,6 +330,24 @@ spec:
                       enum:
                       - source-ip
                       type: string
+                    indexes:
+                      description: |-
+                        Indexes of rule to apply source ip to, identified by ruleIndex and MatchIndex
+                        If Indexes is not provided, SourceIpConfig will be applied to all conditions under the same HttpRouteRule or GrpcRouteRule where ListenerRuleConfiguration is used
+                      items:
+                        properties:
+                          matchIndex:
+                            default: 0
+                            description: Match index in a matches array to apply source
+                              ip to
+                            type: integer
+                          ruleIndex:
+                            default: 0
+                            description: Rule index in a rule array to apply source
+                              ip to
+                            type: integer
+                        type: object
+                      type: array
                     sourceIPConfig:
                       description: Information for a source IP condition
                       properties:

config/crd/gateway/gateway.k8s.aws_listenerruleconfigurations.yaml

@@ -329,6 +329,24 @@ spec:
                       enum:
                       - source-ip
                       type: string
+                    indexes:
+                      description: |-
+                        Indexes of rule to apply source ip to, identified by ruleIndex and MatchIndex
+                        If Indexes is not provided, SourceIpConfig will be applied to all conditions under the same HttpRouteRule or GrpcRouteRule where ListenerRuleConfiguration is used
+                      items:
+                        properties:
+                          matchIndex:
+                            default: 0
+                            description: Match index in a matches array to apply source
+                              ip to
+                            type: integer
+                          ruleIndex:
+                            default: 0
+                            description: Rule index in a rule array to apply source
+                              ip to
+                            type: integer
+                        type: object
+                      type: array
                     sourceIPConfig:
                       description: Information for a source IP condition
                       properties:

helm/aws-load-balancer-controller/crds/gateway-crds.yaml

@@ -3,11 +3,12 @@ package model
 import (
 	"context"
 	"fmt"
-	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
-	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_utils"
 	"strconv"
 	"strings"
 
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_utils"
+
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
@@ -190,7 +191,7 @@ func (l listenerBuilderImpl) buildListenerRules(stack core.Stack, ls *elbv2model
 		route := ruleWithPrecedence.CommonRulePrecedence.RouteDescriptor
 		rule := ruleWithPrecedence.CommonRulePrecedence.Rule
 
-		// Build Rule Conditions
+		// Build Rule Conditions based on GRPCRouteMatch and HTTPRouteMatch
 		var conditionsList []elbv2model.RuleCondition
 		var err error
 		switch route.GetRouteKind() {
@@ -203,6 +204,9 @@ func (l listenerBuilderImpl) buildListenerRules(stack core.Stack, ls *elbv2model
 			return err
 		}
 
+		// Add Rule Source-IP Conditions based on ListenerRuleConfiguration CRD
+		conditionsList = routeutils.BuildSourceIpInCondition(ruleWithPrecedence, conditionsList)
+
 		// set up for building routing actions
 		var actions []elbv2model.Action
 		var preRoutingAction *elbv2gw.Action

pkg/gateway/model/model_build_listener.go

@@ -2,13 +2,14 @@ package routeutils
 
 import (
 	"fmt"
+	"strconv"
+	"strings"
+
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/pkg/errors"
 	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
-	"strconv"
-	"strings"
 )
 
 // BuildRulePreRoutingActions returns pre-routing action for rule
@@ -103,6 +104,9 @@ func buildForwardRoutingAction(routingAction *elbv2gw.Action, targetGroupTuples
 	return nil, nil
 }
 
+// buildRedirectRoutingAction
+// For HTTPRoute: handle RequestRedirect from HTTPRouteFilterType
+// For GRPCRoute: do not support any filter type other than ExtensionRef, which can be used to refer a listener rule configuration CRD
 func buildRedirectRoutingAction(rule RouteRule, route RouteDescriptor, routingAction *elbv2gw.Action) (*elbv2model.Action, error) {
 	switch route.GetRouteKind() {
 	case HTTPRouteKind:
@@ -118,7 +122,16 @@ func buildRedirectRoutingAction(rule RouteRule, route RouteDescriptor, routingAc
 			}
 			return redirectActions, nil
 		}
-		// TODO: add case for GRPC
+	case GRPCRouteKind:
+		grpcRule := rule.GetRawRouteRule().(*gwv1.GRPCRouteRule)
+		for _, filter := range grpcRule.Filters {
+			switch filter.Type {
+			case gwv1.GRPCRouteFilterExtensionRef:
+				continue
+			default:
+				return nil, errors.Errorf("Unsupported filter type: %v. To specify header modification, please configure it through LoadBalancerConfiguration.", filter.Type)
+			}
+		}
 	}
 	return nil, nil
 }

pkg/gateway/routeutils/route_rule_action.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
@@ -234,6 +235,55 @@ func buildGrpcMethodCondition(method *gwv1.GRPCMethodMatch) ([]elbv2model.RuleCo
 	}, nil
 }
 
+func buildSourceIpCondition(condition elbv2gw.ListenerRuleCondition) []elbv2model.RuleCondition {
+	return []elbv2model.RuleCondition{
+		{
+			Field: elbv2model.RuleConditionField(condition.Field),
+			SourceIPConfig: &elbv2model.SourceIPConditionConfig{
+				Values: condition.SourceIPConfig.Values,
+			},
+		},
+	}
+}
+
+// getRoutingConditions: returns routing conditions from listener rule configuration
+func getRoutingConditions(config *elbv2gw.ListenerRuleConfiguration) []elbv2gw.ListenerRuleCondition {
+	conditions := make([]elbv2gw.ListenerRuleCondition, 0)
+	if config != nil && config.Spec.Conditions != nil {
+		for _, condition := range config.Spec.Conditions {
+			conditions = append(conditions, condition)
+		}
+		return conditions
+	}
+	return nil
+}
+
+// BuildSourceIpInCondition : takes source ip configuration from listener rule configuration CRD, then AND it to condition list
+func BuildSourceIpInCondition(ruleWithPrecedence RulePrecedence, conditionsList []elbv2model.RuleCondition) []elbv2model.RuleCondition {
+	rule := ruleWithPrecedence.CommonRulePrecedence.Rule
+	ruleIndex := ruleWithPrecedence.CommonRulePrecedence.RuleIndexInRoute
+	matchIndex := ruleWithPrecedence.CommonRulePrecedence.MatchIndexInRule
+	if rule.GetListenerRuleConfig() != nil {
+		conditionsFromRuleConfig := getRoutingConditions(rule.GetListenerRuleConfig())
+		for _, condition := range conditionsFromRuleConfig {
+			switch condition.Field {
+			case elbv2gw.ListenerRuleConditionFieldSourceIP:
+				sourceIpCondition := buildSourceIpCondition(condition)
+				if condition.Indexes == nil {
+					conditionsList = append(conditionsList, sourceIpCondition...)
+				} else {
+					for _, index := range *condition.Indexes {
+						if index.RuleIndex == ruleIndex && index.MatchIndex == matchIndex {
+							conditionsList = append(conditionsList, sourceIpCondition...)
+						}
+					}
+				}
+			}
+		}
+	}
+	return conditionsList
+}
+
 // generateValuesFromMatchHeaderValue takes in header value from route match
 // returns list of values
 // for a given HTTPHeaderName/GRPCHeaderName, ALB rule can accept a list of values. However, gateway route headers only accept one value per name, and name cannot duplicate.