[feat gw-api]support source ip and handle grpc filter (#4335)

[feat gw-api]update how source ip is suppported

[feat gw-api]add e2e test for source ip

handle rebase conflicts

Author: shuqz

apis/gateway/v1beta1/listenerruleconfig_types.go

@@ -50,6 +50,11 @@ type ListenerRuleCondition struct {
 	// Information for a source IP condition
 	// +optional
 	SourceIPConfig *SourceIPConditionConfig `json:"sourceIPConfig,omitempty"`
+
+	// Indexes of Match in a rule to apply source ip to
+	// If MatchIndexes is not provided, SourceIpConfig will be applied to all conditions where ListenerRuleConfiguration is used
+	// +optional
+	MatchIndexes *[]int `json:"matchIndexes,omitempty"`
 }
 
 // ActionType defines the type of action for the rule

apis/gateway/v1beta1/zz_generated.deepcopy.go

@@ -324,6 +324,13 @@ spec:
                       enum:
                       - source-ip
                       type: string
+                    matchIndexes:
+                      description: |-
+                        Indexes of Match in a rule to apply source ip to
+                        If MatchIndexes is not provided, SourceIpConfig will be applied to all conditions where ListenerRuleConfiguration is used
+                      items:
+                        type: integer
+                      type: array
                     sourceIPConfig:
                       description: Information for a source IP condition
                       properties:

config/crd/gateway/gateway-crds.yaml

@@ -325,6 +325,13 @@ spec:
                       enum:
                       - source-ip
                       type: string
+                    matchIndexes:
+                      description: |-
+                        Indexes of Match in a rule to apply source ip to
+                        If MatchIndexes is not provided, SourceIpConfig will be applied to all conditions where ListenerRuleConfiguration is used
+                      items:
+                        type: integer
+                      type: array
                     sourceIPConfig:
                       description: Information for a source IP condition
                       properties:

config/crd/gateway/gateway.k8s.aws_listenerruleconfigurations.yaml

@@ -324,6 +324,13 @@ spec:
                       enum:
                       - source-ip
                       type: string
+                    matchIndexes:
+                      description: |-
+                        Indexes of Match in a rule to apply source ip to
+                        If MatchIndexes is not provided, SourceIpConfig will be applied to all conditions where ListenerRuleConfiguration is used
+                      items:
+                        type: integer
+                      type: array
                     sourceIPConfig:
                       description: Information for a source IP condition
                       properties:

helm/aws-load-balancer-controller/crds/gateway-crds.yaml

@@ -3,12 +3,13 @@ package model
 import (
 	"context"
 	"fmt"
+	"strconv"
+	"strings"
+
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_utils"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"strconv"
-	"strings"
 
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/go-logr/logr"
@@ -197,7 +198,7 @@ func (l listenerBuilderImpl) buildListenerRules(ctx context.Context, stack core.
 		route := ruleWithPrecedence.CommonRulePrecedence.RouteDescriptor
 		rule := ruleWithPrecedence.CommonRulePrecedence.Rule
 
-		// Build Rule Conditions
+		// Build Rule Conditions based on GRPCRouteMatch and HTTPRouteMatch
 		var conditionsList []elbv2model.RuleCondition
 		var err error
 		switch route.GetRouteKind() {
@@ -210,6 +211,9 @@ func (l listenerBuilderImpl) buildListenerRules(ctx context.Context, stack core.
 			return nil, err
 		}
 
+		// Add Rule Source-IP Conditions based on ListenerRuleConfiguration CRD
+		conditionsList = routeutils.BuildSourceIpInCondition(ruleWithPrecedence, conditionsList)
+
 		// set up for building routing actions
 		var actions []elbv2model.Action
 		var preRoutingAction *elbv2gw.Action

pkg/gateway/model/model_build_listener.go

@@ -3,6 +3,10 @@ package routeutils
 import (
 	"context"
 	"fmt"
+	"strconv"
+	"strings"
+	"unicode"
+
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/types"
@@ -12,12 +16,9 @@ import (
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
-	"strconv"
-	"strings"
-	"unicode"
 )
 
-// BuildRulePreRoutingActions returns pre-routing action for rule
+// BuildRulePreRoutingAction returns pre-routing action for rule
 // The assumption is that the ListenerRuleConfiguration CRD makes sure we only have one of the actions (authenticate-cognito, authenticate-oidc) defined
 func BuildRulePreRoutingAction(ctx context.Context, route RouteDescriptor, crdPreRoutingAction *elbv2gw.Action, k8sClient client.Client, secretsManager k8s.SecretsManager) (*elbv2model.Action, *types.NamespacedName, error) {
 	switch crdPreRoutingAction.Type {
@@ -148,6 +149,9 @@ func buildForwardRoutingAction(routingAction *elbv2gw.Action, targetGroupTuples
 	return nil, nil
 }
 
+// buildRedirectRoutingAction
+// For HTTPRoute: handle RequestRedirect from HTTPRouteFilterType
+// For GRPCRoute: do not support any filter type other than ExtensionRef, which can be used to refer a listener rule configuration CRD
 func buildRedirectRoutingAction(rule RouteRule, route RouteDescriptor, routingAction *elbv2gw.Action) (*elbv2model.Action, error) {
 	switch route.GetRouteKind() {
 	case HTTPRouteKind:
@@ -163,7 +167,16 @@ func buildRedirectRoutingAction(rule RouteRule, route RouteDescriptor, routingAc
 			}
 			return redirectActions, nil
 		}
-		// TODO: add case for GRPC
+	case GRPCRouteKind:
+		grpcRule := rule.GetRawRouteRule().(*gwv1.GRPCRouteRule)
+		for _, filter := range grpcRule.Filters {
+			switch filter.Type {
+			case gwv1.GRPCRouteFilterExtensionRef:
+				continue
+			default:
+				return nil, errors.Errorf("Unsupported filter type: %v. To specify header modification, please configure it through LoadBalancerConfiguration.", filter.Type)
+			}
+		}
 	}
 	return nil, nil
 }

pkg/gateway/routeutils/route_rule_action.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
@@ -234,6 +235,42 @@ func buildGrpcMethodCondition(method *gwv1.GRPCMethodMatch) ([]elbv2model.RuleCo
 	}, nil
 }
 
+func buildSourceIpCondition(condition elbv2gw.ListenerRuleCondition) []elbv2model.RuleCondition {
+	return []elbv2model.RuleCondition{
+		{
+			Field: elbv2model.RuleConditionField(condition.Field),
+			SourceIPConfig: &elbv2model.SourceIPConditionConfig{
+				Values: condition.SourceIPConfig.Values,
+			},
+		},
+	}
+}
+
+// BuildSourceIpInCondition : takes source ip configuration from listener rule configuration CRD, then AND it to condition list
+func BuildSourceIpInCondition(ruleWithPrecedence RulePrecedence, conditionsList []elbv2model.RuleCondition) []elbv2model.RuleCondition {
+	rule := ruleWithPrecedence.CommonRulePrecedence.Rule
+	matchIndex := ruleWithPrecedence.CommonRulePrecedence.MatchIndexInRule
+	if rule.GetListenerRuleConfig() != nil {
+		conditionsFromRuleConfig := rule.GetListenerRuleConfig().Spec.Conditions
+		for _, condition := range conditionsFromRuleConfig {
+			switch condition.Field {
+			case elbv2gw.ListenerRuleConditionFieldSourceIP:
+				sourceIpCondition := buildSourceIpCondition(condition)
+				if condition.MatchIndexes == nil {
+					conditionsList = append(conditionsList, sourceIpCondition...)
+				} else {
+					for _, index := range *condition.MatchIndexes {
+						if index == matchIndex {
+							conditionsList = append(conditionsList, sourceIpCondition...)
+						}
+					}
+				}
+			}
+		}
+	}
+	return conditionsList
+}
+
 // generateValuesFromMatchHeaderValue takes in header value from route match
 // returns list of values
 // for a given HTTPHeaderName/GRPCHeaderName, ALB rule can accept a list of values. However, gateway route headers only accept one value per name, and name cannot duplicate.