WIP

Signed-off-by: Alex Leong <[email protected]>

Cargo.lock

@@ -417,6 +417,17 @@ version = "2.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0e60eed09d8c01d3cee5b7d30acb059b76614c918fa0f992e0dd6eeb10daad6f"
 
+[[package]]
+name = "delegate"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "297806318ef30ad066b15792a8372858020ae3ca2e414ee6c2133b1eb9e9e945"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "digest"
 version = "0.10.7"
@@ -636,6 +647,23 @@ dependencies = [
  "slab",
 ]
 
+[[package]]
+name = "gateway-api"
+version = "0.14.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cdca285b86710063162382f6d688fb67918fa8a231cb9248c817f53ddcb53491"
+dependencies = [
+ "delegate",
+ "k8s-openapi",
+ "kube",
+ "once_cell",
+ "regex-lite",
+ "schemars",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+]
+
 [[package]]
 name = "generic-array"
 version = "0.14.7"
@@ -1065,18 +1093,6 @@ dependencies = [
  "serde_json",
 ]
 
-[[package]]
-name = "k8s-gateway-api"
-version = "0.16.0"
-source = "git+https://github.com/linkerd/k8s-gateway-api-rs#4a71642699c90f118f550475a9bb4af78948cbd9"
-dependencies = [
- "k8s-openapi",
- "kube",
- "schemars",
- "serde",
- "serde_json",
-]
-
 [[package]]
 name = "k8s-openapi"
 version = "0.24.0"
@@ -1345,8 +1361,8 @@ dependencies = [
 name = "linkerd-policy-controller-k8s-api"
 version = "0.1.0"
 dependencies = [
+ "gateway-api",
  "ipnet",
- "k8s-gateway-api",
  "k8s-openapi",
  "kube",
  "schemars",
@@ -1444,11 +1460,11 @@ dependencies = [
  "anyhow",
  "bytes",
  "futures",
+ "gateway-api",
  "http-body-util",
  "hyper",
  "hyper-util",
  "ipnet",
- "k8s-gateway-api",
  "k8s-openapi",
  "kube",
  "linkerd-policy-controller-core",
@@ -1963,6 +1979,12 @@ dependencies = [
  "regex-syntax 0.8.5",
 ]
 
+[[package]]
+name = "regex-lite"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "53a49587ad06b26609c52e423de037e7f57f20d53535d66e08c695f347df952a"
+
 [[package]]
 name = "regex-syntax"
 version = "0.6.29"

Cargo.toml

@@ -20,15 +20,7 @@ kube = { version = "0.98", default-features = false }
 kubert = { version = "0.23.0-alpha6", default-features = false }
 prometheus-client = { version = "0.23", default-features = false }
 
-[workspace.dependencies.k8s-gateway-api]
-# TODO(ver): Remove this once we update to a proper generated version of the gateway api bindings.
-git = "https://github.com/linkerd/k8s-gateway-api-rs"
-features = ["experimental"]
-
 [workspace.dependencies.linkerd2-proxy-api]
 git = "https://github.com/linkerd/linkerd2-proxy-api"
 branch = "ver/deps-http"
-features = [
-    "inbound",
-    "outbound",
-]
+features = ["inbound", "outbound"]

policy-controller/k8s/api/Cargo.toml

@@ -7,7 +7,7 @@ publish = false
 
 [dependencies]
 k8s-openapi = { workspace = true }
-k8s-gateway-api = { workspace = true, features = ["experimental"] }
+gateway-api = "0.14"
 kube = { workspace = true, default-features = false, features = [
     "client",
     "derive",

policy-controller/k8s/api/src/lib.rs

@@ -7,7 +7,7 @@ pub mod labels;
 pub mod policy;
 
 pub use self::labels::Labels;
-pub use k8s_gateway_api as gateway;
+pub use gateway_api::apis::experimental as gateway;
 pub use k8s_openapi::{
     api::{
         self,

policy-controller/k8s/api/src/policy.rs

@@ -1,5 +1,6 @@
 pub mod authorization_policy;
 pub mod egress_network;
+pub mod grpcroute;
 pub mod httproute;
 pub mod meshtls_authentication;
 mod network;
@@ -8,6 +9,8 @@ pub mod ratelimit_policy;
 pub mod server;
 pub mod server_authorization;
 pub mod target_ref;
+pub mod tcproute;
+pub mod tlsroute;
 
 pub use self::{
     authorization_policy::{AuthorizationPolicy, AuthorizationPolicySpec},

policy-controller/k8s/api/src/policy/grpcroute.rs

@@ -0,0 +1,26 @@
+use gateway_api::apis::experimental::grpcroutes::{GRPCRouteParentRefs, GRPCRouteRulesBackendRefs};
+
+pub fn parent_ref_targets_kind<T>(parent_ref: &GRPCRouteParentRefs) -> bool
+where
+    T: kube::Resource,
+    T::DynamicType: Default,
+{
+    let kind = match parent_ref.kind {
+        Some(ref kind) => kind,
+        None => return false,
+    };
+
+    super::targets_kind::<T>(parent_ref.group.as_deref(), kind)
+}
+
+pub fn backend_ref_targets_kind<T>(backend_ref: &GRPCRouteRulesBackendRefs) -> bool
+where
+    T: kube::Resource,
+    T::DynamicType: Default,
+{
+    // Default kind is assumed to be service for backend ref objects
+    super::targets_kind::<T>(
+        backend_ref.group.as_deref(),
+        backend_ref.kind.as_deref().unwrap_or("Service"),
+    )
+}

policy-controller/k8s/api/src/policy/httproute.rs

@@ -1,8 +1,8 @@
-pub use k8s_gateway_api::{
-    BackendObjectReference, CommonRouteSpec, Hostname, HttpBackendRef, HttpHeader, HttpHeaderMatch,
-    HttpHeaderName, HttpMethod, HttpPathMatch, HttpPathModifier, HttpQueryParamMatch,
-    HttpRequestHeaderFilter, HttpRequestRedirectFilter, HttpRouteMatch, LocalObjectReference,
-    ParentReference, RouteStatus,
+use gateway_api::apis::experimental::httproutes::HTTPRouteRulesFiltersRequestRedirect;
+pub use gateway_api::apis::experimental::httproutes::{
+    HTTPRouteParentRefs, HTTPRouteRulesBackendRefs, HTTPRouteRulesFiltersRequestHeaderModifier,
+    HTTPRouteRulesFiltersResponseHeaderModifier, HTTPRouteRulesFiltersUrlRewrite,
+    HTTPRouteRulesMatches, HTTPRouteStatus, HTTPRouteStatus as RouteStatus,
 };
 
 /// HTTPRoute provides a way to route HTTP requests. This includes the
@@ -28,8 +28,12 @@ pub use k8s_gateway_api::{
 )]
 pub struct HttpRouteSpec {
     /// Common route information.
-    #[serde(flatten)]
-    pub inner: CommonRouteSpec,
+    #[serde(
+        default,
+        skip_serializing_if = "Option::is_none",
+        rename = "parentRefs"
+    )]
+    pub parent_refs: Option<Vec<HTTPRouteParentRefs>>,
 
     /// Hostnames defines a set of hostname that should match against the HTTP
     /// Host header to select a HTTPRoute to process the request. This matches
@@ -38,7 +42,7 @@ pub struct HttpRouteSpec {
     /// 1. IPs are not allowed.
     /// 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
     ///    label must appear by itself as the first label.
-    pub hostnames: Option<Vec<Hostname>>,
+    pub hostnames: Option<Vec<String>>,
 
     /// Rules are a list of HTTP matchers, filters and actions.
     pub rules: Option<Vec<HttpRouteRule>>,
@@ -47,9 +51,7 @@ pub struct HttpRouteSpec {
 /// HTTPRouteRule defines semantics for matching an HTTP request based on
 /// conditions (matches), processing it (filters), and forwarding the request to
 /// an API object (backendRefs).
-#[derive(
-    Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize, schemars::JsonSchema,
-)]
+#[derive(Clone, Debug, PartialEq, serde::Deserialize, serde::Serialize, schemars::JsonSchema)]
 #[serde(rename_all = "camelCase")]
 pub struct HttpRouteRule {
     /// Matches define conditions used for matching the rule against incoming
@@ -105,7 +107,7 @@ pub struct HttpRouteRule {
     ///
     /// When no rules matching a request have been successfully attached to the
     /// parent a request is coming from, a HTTP 404 status code MUST be returned.
-    pub matches: Option<Vec<HttpRouteMatch>>,
+    pub matches: Option<Vec<HTTPRouteRulesMatches>>,
 
     /// Filters define the filters that are applied to requests that match this
     /// rule.
@@ -153,7 +155,7 @@ pub struct HttpRouteRule {
     /// Support: Custom for any other resource
     ///
     /// Support for weight: Core
-    pub backend_refs: Option<Vec<HttpBackendRef>>,
+    pub backend_refs: Option<Vec<HTTPRouteRulesBackendRefs>>,
 
     /// Timeouts defines the timeouts that can be configured for an HTTP request.
     ///
@@ -167,9 +169,7 @@ pub struct HttpRouteRule {
 /// Some examples include request or response modification, implementing
 /// authentication strategies, rate-limiting, and traffic shaping. API
 /// guarantee/conformance is defined based on the type of the filter.
-#[derive(
-    Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize, schemars::JsonSchema,
-)]
+#[derive(Clone, Debug, PartialEq, serde::Deserialize, serde::Serialize, schemars::JsonSchema)]
 #[serde(tag = "type", rename_all = "PascalCase")]
 pub enum HttpRouteFilter {
     /// RequestHeaderModifier defines a schema for a filter that modifies request
@@ -178,7 +178,7 @@ pub enum HttpRouteFilter {
     /// Support: Core
     #[serde(rename_all = "camelCase")]
     RequestHeaderModifier {
-        request_header_modifier: HttpRequestHeaderFilter,
+        request_header_modifier: HTTPRouteRulesFiltersRequestHeaderModifier,
     },
 
     /// ResponseHeaderModifier defines a schema for a filter that modifies response
@@ -187,7 +187,7 @@ pub enum HttpRouteFilter {
     /// Support: Extended
     #[serde(rename_all = "camelCase")]
     ResponseHeaderModifier {
-        response_header_modifier: HttpRequestHeaderFilter,
+        response_header_modifier: HTTPRouteRulesFiltersResponseHeaderModifier,
     },
 
     /// RequestRedirect defines a schema for a filter that responds to the
@@ -196,7 +196,7 @@ pub enum HttpRouteFilter {
     /// Support: Core
     #[serde(rename_all = "camelCase")]
     RequestRedirect {
-        request_redirect: HttpRequestRedirectFilter,
+        request_redirect: HTTPRouteRulesFiltersRequestRedirect,
     },
 }
 
@@ -238,7 +238,7 @@ pub struct HttpRouteTimeouts {
     pub backend_request: Option<crate::duration::K8sDuration>,
 }
 
-pub fn parent_ref_targets_kind<T>(parent_ref: &ParentReference) -> bool
+pub fn parent_ref_targets_kind<T>(parent_ref: &HTTPRouteParentRefs) -> bool
 where
     T: kube::Resource,
     T::DynamicType: Default,
@@ -251,7 +251,7 @@ where
     super::targets_kind::<T>(parent_ref.group.as_deref(), kind)
 }
 
-pub fn backend_ref_targets_kind<T>(backend_ref: &BackendObjectReference) -> bool
+pub fn backend_ref_targets_kind<T>(backend_ref: &HTTPRouteRulesBackendRefs) -> bool
 where
     T: kube::Resource,
     T::DynamicType: Default,

policy-controller/k8s/api/src/policy/tcproute.rs

@@ -0,0 +1,26 @@
+use gateway_api::apis::experimental::tcproutes::{TCPRouteParentRefs, TCPRouteRulesBackendRefs};
+
+pub fn parent_ref_targets_kind<T>(parent_ref: &TCPRouteParentRefs) -> bool
+where
+    T: kube::Resource,
+    T::DynamicType: Default,
+{
+    let kind = match parent_ref.kind {
+        Some(ref kind) => kind,
+        None => return false,
+    };
+
+    super::targets_kind::<T>(parent_ref.group.as_deref(), kind)
+}
+
+pub fn backend_ref_targets_kind<T>(backend_ref: &TCPRouteRulesBackendRefs) -> bool
+where
+    T: kube::Resource,
+    T::DynamicType: Default,
+{
+    // Default kind is assumed to be service for backend ref objects
+    super::targets_kind::<T>(
+        backend_ref.group.as_deref(),
+        backend_ref.kind.as_deref().unwrap_or("Service"),
+    )
+}

policy-controller/k8s/api/src/policy/tlsroute.rs

@@ -0,0 +1,26 @@
+use gateway_api::apis::experimental::tlsroutes::{TLSRouteParentRefs, TLSRouteRulesBackendRefs};
+
+pub fn parent_ref_targets_kind<T>(parent_ref: &TLSRouteParentRefs) -> bool
+where
+    T: kube::Resource,
+    T::DynamicType: Default,
+{
+    let kind = match parent_ref.kind {
+        Some(ref kind) => kind,
+        None => return false,
+    };
+
+    super::targets_kind::<T>(parent_ref.group.as_deref(), kind)
+}
+
+pub fn backend_ref_targets_kind<T>(backend_ref: &TLSRouteRulesBackendRefs) -> bool
+where
+    T: kube::Resource,
+    T::DynamicType: Default,
+{
+    // Default kind is assumed to be service for backend ref objects
+    super::targets_kind::<T>(
+        backend_ref.group.as_deref(),
+        backend_ref.kind.as_deref().unwrap_or("Service"),
+    )
+}

policy-controller/k8s/index/src/inbound/authorization_policy.rs

@@ -66,15 +66,15 @@ fn target(t: LocalTargetRef) -> Result<Target> {
         t if t.targets_kind::<k8s::policy::Server>() => Ok(Target::Server(t.name)),
         t if t.targets_kind::<k8s::Namespace>() => Ok(Target::Namespace),
         t if t.targets_kind::<k8s::policy::HttpRoute>()
-            || t.targets_kind::<k8s_gateway_api::HttpRoute>() =>
+            || t.targets_kind::<k8s_gateway_api::httproutes::HTTPRoute>() =>
         {
             Ok(Target::HttpRoute(GroupKindName {
                 group: t.group.unwrap_or_default().into(),
                 kind: t.kind.into(),
                 name: t.name.into(),
             }))
         }
-        t if t.targets_kind::<k8s_gateway_api::GrpcRoute>() => {
+        t if t.targets_kind::<k8s_gateway_api::grpcroutes::GRPCRoute>() => {
             Ok(Target::GrpcRoute(GroupKindName {
                 group: t.group.unwrap_or_default().into(),
                 kind: t.kind.into(),