Bump k8s-gateway to v0.11.0 (#10474)

The previous version k8s-gateway (`v0.10.0`) did not include backendRefs
for HTTP Routes, since the policy controller did not use them for any
specific task or validation. BackendRef support is currently being added
for the status controller, and will be used as more and more route
functionality is added to Linkerd.

This change bumps k8s-gateway to the most recent version and updates the
internal model of the route to include backendRefs. Additionally, fixes
any compiler issues that cropped up from adding a field to the struct.

Signed-off-by: Matei David <matei@buoyant.io>

Cargo.lock

@@ -806,9 +806,9 @@ dependencies = [
 
 [[package]]
 name = "k8s-gateway-api"
-version = "0.10.0"
+version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d11a21df154759f0651d797756b08ed01a4681254e532ec412a8670fa3543e63"
+checksum = "67a34efeb4ee6ac6f2c39ce7b25d97554a47a450a140bfd825287b88cf666dc8"
 dependencies = [
  "k8s-openapi",
  "kube",
@@ -837,9 +837,9 @@ dependencies = [
 
 [[package]]
 name = "kube"
-version = "0.79.0"
+version = "0.80.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d1e74b6c3633982788dc51a02a356113b4b74e0db48929b2c7447cb57919b8ae"
+checksum = "414d80c69906a91e8ecf4ae16d0fb504e19aa6b099135d35d85298b4e4be3ed3"
 dependencies = [
  "k8s-openapi",
  "kube-client",
@@ -850,9 +850,9 @@ dependencies = [
 
 [[package]]
 name = "kube-client"
-version = "0.79.0"
+version = "0.80.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "80e9065963ad9966fea4a977efaf1eb22381b56ef4882ef19155869649669dfc"
+checksum = "6dc5ae0b9148b4e2ebb0dabda06a0cd65b1eed2f41d792d49787841a68050283"
 dependencies = [
  "base64 0.20.0",
  "bytes",
@@ -890,9 +890,9 @@ dependencies = [
 
 [[package]]
 name = "kube-core"
-version = "0.79.0"
+version = "0.80.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "381a6982f9f48aec74022ae3e7012f990e2d9893bdafc9d4fb2c58521899440d"
+checksum = "98331c6f1354893f7c50da069e43a3fd1c84e55bbedc7765d9db22ec3291d07d"
 dependencies = [
  "chrono",
  "form_urlencoded",
@@ -908,9 +908,9 @@ dependencies = [
 
 [[package]]
 name = "kube-derive"
-version = "0.79.0"
+version = "0.80.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e300a7410efc929a817fefe80ad0b2b16987cc236eb7737f7686b5d9bffd818"
+checksum = "e4be6ff26b9a34ce831d341e8b33bc78986a33c1be88f5bf9ca84e92e98b1dfb"
 dependencies = [
  "darling",
  "proc-macro2",
@@ -921,9 +921,9 @@ dependencies = [
 
 [[package]]
 name = "kube-runtime"
-version = "0.79.0"
+version = "0.80.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a11c9e91acd9115b92a7d6cf7210a50b1fdf6d341a146fb0e7eb3423d1548d4"
+checksum = "b698eb8998b46683b0dc3c2ce72c80bc308fc8159f25afa719668c290a037a57"
 dependencies = [
  "ahash",
  "async-trait",
@@ -946,9 +946,9 @@ dependencies = [
 
 [[package]]
 name = "kubert"
-version = "0.14.0"
+version = "0.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "11fd33a6cfc53c087537f849dc2d34b8f4ea68eca55b417125d41a9c3fe4a1a4"
+checksum = "7171220877a57ac11ba23d28f42666ca800350e8fd3d6ecfe1b133a40e488ae2"
 dependencies = [
  "ahash",
  "chrono",

policy-controller/Cargo.toml

@@ -17,7 +17,7 @@ anyhow = "1"
 async-trait = "0.1"
 drain = "0.1"
 futures = { version = "0.3", default-features = false }
-k8s-gateway-api = "0.10"
+k8s-gateway-api = "0.11"
 k8s-openapi = { version = "0.17", features = ["v1_20"] }
 hyper = { version = "0.14", features = ["http1", "http2", "runtime", "server"] }
 ipnet = { version = "2", default-features = false }
@@ -40,12 +40,12 @@ default-features = false
 features = ["derive", "env", "std"]
 
 [dependencies.kube]
-version = "0.79"
+version = "0.80"
 default-features = false
 features = ["admission", "derive"]
 
 [dependencies.kubert]
-version = "0.14"
+version = "0.15"
 default-features = false
 features = ["clap", "index", "lease", "runtime", "server"]
 

policy-controller/k8s/api/Cargo.toml

@@ -9,8 +9,8 @@ publish = false
 k8s-openapi = { version = "0.17", default-features = false, features = [
     "v1_20",
 ] }
-k8s-gateway-api = "0.10"
-kube = { version = "0.79", default-features = false, features = [
+k8s-gateway-api = "0.11"
+kube = { version = "0.80", default-features = false, features = [
     "client",
     "derive",
     "runtime",

policy-controller/k8s/api/src/policy/httproute.rs

@@ -1,6 +1,6 @@
 pub use k8s_gateway_api::{
-    CommonRouteSpec, Hostname, HttpHeader, HttpHeaderMatch, HttpHeaderName, HttpMethod,
-    HttpPathMatch, HttpPathModifier, HttpQueryParamMatch, HttpRequestHeaderFilter,
+    CommonRouteSpec, Hostname, HttpBackendRef, HttpHeader, HttpHeaderMatch, HttpHeaderName,
+    HttpMethod, HttpPathMatch, HttpPathModifier, HttpQueryParamMatch, HttpRequestHeaderFilter,
     HttpRequestRedirectFilter, HttpRouteMatch, LocalObjectReference, ParentReference, RouteStatus,
 };
 
@@ -126,6 +126,34 @@ pub struct HttpRouteRule {
     ///
     /// Support: Core
     pub filters: Option<Vec<HttpRouteFilter>>,
+
+    /// BackendRefs defines the backend(s) where matching requests should be
+    /// sent.
+    ///
+    /// A 500 status code MUST be returned if there are no BackendRefs or
+    /// filters specified that would result in a response being sent.
+    ///
+    /// A BackendRef is considered invalid when it refers to:
+    ///
+    /// * an unknown or unsupported kind of resource
+    /// * a resource that does not exist
+    /// * a resource in another namespace when the reference has not been
+    ///   explicitly allowed by a ReferencePolicy (or equivalent concept).
+    ///
+    /// When a BackendRef is invalid, 500 status codes MUST be returned for
+    /// requests that would have otherwise been routed to an invalid backend. If
+    /// multiple backends are specified, and some are invalid, the proportion of
+    /// requests that would otherwise have been routed to an invalid backend
+    /// MUST receive a 500 status code.
+    ///
+    /// When a BackendRef refers to a Service that has no ready endpoints, it is
+    /// recommended to return a 503 status code.
+    ///
+    /// Support: Core for Kubernetes Service
+    /// Support: Custom for any other resource
+    ///
+    /// Support for weight: Core
+    pub backend_refs: Option<Vec<HttpBackendRef>>,
 }
 
 /// HTTPRouteFilter defines processing steps that must be completed during the

policy-controller/k8s/index/Cargo.toml

@@ -9,8 +9,8 @@ publish = false
 ahash = "0.8"
 anyhow = "1"
 futures = { version = "0.3", default-features = false }
-k8s-gateway-api = "0.10"
-kubert = { version = "0.14", default-features = false, features = ["index"] }
+k8s-gateway-api = "0.11"
+kubert = { version = "0.15", default-features = false, features = ["index"] }
 linkerd-policy-controller-core = { path = "../../core" }
 linkerd-policy-controller-k8s-api = { path = "../api" }
 parking_lot = "0.12"

policy-controller/k8s/index/src/http_route.rs

@@ -95,9 +95,11 @@ impl TryFrom<policy::HttpRoute> for InboundRouteBinding {
             .rules
             .into_iter()
             .flatten()
-            .map(|policy::HttpRouteRule { matches, filters }| {
-                Self::try_rule(matches, filters, Self::try_policy_filter)
-            })
+            .map(
+                |policy::HttpRouteRule {
+                     matches, filters, ..
+                 }| { Self::try_rule(matches, filters, Self::try_policy_filter) },
+            )
             .collect::<Result<_>>()?;
 
         Ok(InboundRouteBinding {

policy-controller/k8s/index/src/tests/http_routes.rs

@@ -244,6 +244,7 @@ fn mk_route(
                     method: Some("GET".to_string()),
                 }]),
                 filters: None,
+                backend_refs: None,
             }]),
         },
         status: None,

policy-controller/k8s/status/Cargo.toml

@@ -10,7 +10,7 @@ ahash = "0.8"
 anyhow = "1"
 # Fix for https://github.com/chronotope/chrono/issues/602
 chrono = { version = "0.4.23", default-features = false, features = ["clock"] }
-kubert = { version = "0.14", default-features = false, features = [
+kubert = { version = "0.15", default-features = false, features = [
     "index",
     "lease",
 ] }

policy-controller/k8s/status/src/tests/http_routes.rs

@@ -190,6 +190,7 @@ fn make_route(
                     method: Some("GET".to_string()),
                 }]),
                 filters: None,
+                backend_refs: None,
             }]),
         },
         status: None,

policy-controller/src/admission.rs

@@ -481,7 +481,10 @@ impl Validate<HttpRouteSpec> for Admission {
         // This is essentially equivalent to the indexer's conversion function
         // from `HttpRouteSpec` to `InboundRouteBinding`, except that we don't
         // actually allocate stuff in order to return an `InboundRouteBinding`.
-        for httproute::HttpRouteRule { filters, matches } in spec.rules.into_iter().flatten() {
+        for httproute::HttpRouteRule {
+            filters, matches, ..
+        } in spec.rules.into_iter().flatten()
+        {
             for m in matches.into_iter().flatten() {
                 validate_match(m)?;
             }

policy-test/Cargo.toml

@@ -10,7 +10,7 @@ anyhow = "1"
 hyper = { version = "0.14", features = ["client", "http2"] }
 futures = { version = "0.3", default-features = false }
 ipnet = "2"
-k8s-gateway-api = "0.10"
+k8s-gateway-api = "0.11"
 k8s-openapi = { version = "0.17", features = ["v1_20"] }
 linkerd-policy-controller-core = { path = "../policy-controller/core" }
 linkerd-policy-controller-k8s-api = { path = "../policy-controller/k8s/api" }
@@ -26,7 +26,7 @@ tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 
 [dependencies.kube]
-version = "0.79"
+version = "0.80"
 default-features = false
 features = ["client", "openssl-tls", "runtime", "ws"]
 

policy-test/tests/admit_http_route.rs

@@ -72,6 +72,7 @@ async fn rejects_relative_path_match() {
                     ..HttpRouteMatch::default()
                 }]),
                 filters: None,
+                backend_refs: None,
             }]),
         },
         status: None,
@@ -106,6 +107,7 @@ async fn rejects_relative_redirect_path() {
                         status_code: None,
                     },
                 }]),
+                backend_refs: None,
             }]),
         },
         status: None,
@@ -152,5 +154,6 @@ fn rules() -> Vec<HttpRouteRule> {
             ..HttpRouteMatch::default()
         }]),
         filters: None,
+        backend_refs: None,
     }]
 }

policy-test/tests/api.rs

@@ -550,6 +550,7 @@ fn mk_admin_route(ns: &str, name: &str) -> k8s::policy::HttpRoute {
                     method: Some("GET".to_string()),
                 }]),
                 filters: None,
+                backend_refs: None,
             }]),
         },
         status: None,
@@ -589,6 +590,7 @@ fn mk_admin_route_with_path(ns: &str, name: &str, path: &str) -> k8s::policy::Ht
                     method: Some("GET".to_string()),
                 }]),
                 filters: None,
+                backend_refs: None,
             }]),
         },
         status: None,

policy-test/tests/e2e_authorization_policy.rs

@@ -670,6 +670,7 @@ fn http_route(
                     ..Default::default()
                 }]),
                 filters: None,
+                backend_refs: None,
             }]),
         },
         status: None,