feat(gateway-api): Add custom backendRef and filters support for HTTPRoute

Signed-off-by: kahirokunn <okinakahiro@gmail.com>

Author: kahirokunn

artifacts/flagger/crd.yaml

@@ -226,6 +226,8 @@ rules:
     resources:
       - httproutes
       - httproutes/finalizers
+      - referencegrants
+      - referencegrants/finalizers
     verbs:
       - get
       - list

charts/flagger/crds/crd.yaml

@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"time"
 
+	v1 "github.com/fluxcd/flagger/pkg/apis/gatewayapi/v1"
 	"github.com/fluxcd/flagger/pkg/apis/gatewayapi/v1beta1"
 	istiov1beta1 "github.com/fluxcd/flagger/pkg/apis/istio/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -213,11 +214,11 @@ type CanaryService struct {
 
 	// Primary is the metadata to add to the primary service
 	// +optional
-	Primary *CustomMetadata `json:"primary,omitempty"`
+	Primary *CustomBackend `json:"primary,omitempty"`
 
 	// Canary is the metadata to add to the canary service
 	// +optional
-	Canary *CustomMetadata `json:"canary,omitempty"`
+	Canary *CustomBackend `json:"canary,omitempty"`
 }
 
 // CanaryAnalysis is used to describe how the analysis should be done
@@ -496,6 +497,30 @@ type CustomMetadata struct {
 	Annotations map[string]string `json:"annotations,omitempty"`
 }
 
+// CustomBackend holds labels, annotations, and proxyRef to set on generated objects.
+type CustomBackend struct {
+	CustomMetadata
+
+	// Ref references a Kubernetes object.
+	BackendObjectReference *v1.BackendObjectReference `json:"backendRef,omitempty"`
+
+	// Filters defined at this level should be executed if and only if the
+	// request is being forwarded to the backend defined here.
+	//
+	// Support: Implementation-specific (For broader support of filters, use the
+	// Filters field in HTTPRouteRule.)
+	//
+	// +optional
+	// +kubebuilder:validation:MaxItems=16
+	// +kubebuilder:validation:XValidation:message="May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both",rule="!(self.exists(f, f.type == 'RequestRedirect') && self.exists(f, f.type == 'URLRewrite'))"
+	// +kubebuilder:validation:XValidation:message="May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both",rule="!(self.exists(f, f.type == 'RequestRedirect') && self.exists(f, f.type == 'URLRewrite'))"
+	// +kubebuilder:validation:XValidation:message="RequestHeaderModifier filter cannot be repeated",rule="self.filter(f, f.type == 'RequestHeaderModifier').size() <= 1"
+	// +kubebuilder:validation:XValidation:message="ResponseHeaderModifier filter cannot be repeated",rule="self.filter(f, f.type == 'ResponseHeaderModifier').size() <= 1"
+	// +kubebuilder:validation:XValidation:message="RequestRedirect filter cannot be repeated",rule="self.filter(f, f.type == 'RequestRedirect').size() <= 1"
+	// +kubebuilder:validation:XValidation:message="URLRewrite filter cannot be repeated",rule="self.filter(f, f.type == 'URLRewrite').size() <= 1"
+	Filters []v1.HTTPRouteFilter `json:"filters,omitempty"`
+}
+
 // HTTPRewrite holds information about how to modify a request URI during
 // forwarding.
 type HTTPRewrite struct {

charts/flagger/templates/rbac.yaml

@@ -0,0 +1,145 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:categories=gateway-api,shortName=refgrant
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:storageversion
+
+// ReferenceGrant identifies kinds of resources in other namespaces that are
+// trusted to reference the specified kinds of resources in the same namespace
+// as the policy.
+//
+// Each ReferenceGrant can be used to represent a unique trust relationship.
+// Additional Reference Grants can be used to add to the set of trusted
+// sources of inbound references for the namespace they are defined within.
+//
+// All cross-namespace references in Gateway API (with the exception of cross-namespace
+// Gateway-route attachment) require a ReferenceGrant.
+//
+// ReferenceGrant is a form of runtime verification allowing users to assert
+// which cross-namespace object references are permitted. Implementations that
+// support ReferenceGrant MUST NOT permit cross-namespace references which have
+// no grant, and MUST respond to the removal of a grant by revoking the access
+// that the grant allowed.
+type ReferenceGrant struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec defines the desired state of ReferenceGrant.
+	Spec ReferenceGrantSpec `json:"spec,omitempty"`
+
+	// Note that `Status` sub-resource has been excluded at the
+	// moment as it was difficult to work out the design.
+	// `Status` sub-resource may be added in future.
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// ReferenceGrantList contains a list of ReferenceGrant.
+type ReferenceGrantList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ReferenceGrant `json:"items"`
+}
+
+// ReferenceGrantSpec identifies a cross namespace relationship that is trusted
+// for Gateway API.
+type ReferenceGrantSpec struct {
+	// From describes the trusted namespaces and kinds that can reference the
+	// resources described in "To". Each entry in this list MUST be considered
+	// to be an additional place that references can be valid from, or to put
+	// this another way, entries MUST be combined using OR.
+	//
+	// Support: Core
+	//
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=16
+	From []ReferenceGrantFrom `json:"from"`
+
+	// To describes the resources that may be referenced by the resources
+	// described in "From". Each entry in this list MUST be considered to be an
+	// additional place that references can be valid to, or to put this another
+	// way, entries MUST be combined using OR.
+	//
+	// Support: Core
+	//
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=16
+	To []ReferenceGrantTo `json:"to"`
+}
+
+// ReferenceGrantFrom describes trusted namespaces and kinds.
+type ReferenceGrantFrom struct {
+	// Group is the group of the referent.
+	// When empty, the Kubernetes core API group is inferred.
+	//
+	// Support: Core
+	Group Group `json:"group"`
+
+	// Kind is the kind of the referent. Although implementations may support
+	// additional resources, the following types are part of the "Core"
+	// support level for this field.
+	//
+	// When used to permit a SecretObjectReference:
+	//
+	// * Gateway
+	//
+	// When used to permit a BackendObjectReference:
+	//
+	// * GRPCRoute
+	// * HTTPRoute
+	// * TCPRoute
+	// * TLSRoute
+	// * UDPRoute
+	Kind Kind `json:"kind"`
+
+	// Namespace is the namespace of the referent.
+	//
+	// Support: Core
+	Namespace Namespace `json:"namespace"`
+}
+
+// ReferenceGrantTo describes what Kinds are allowed as targets of the
+// references.
+type ReferenceGrantTo struct {
+	// Group is the group of the referent.
+	// When empty, the Kubernetes core API group is inferred.
+	//
+	// Support: Core
+	Group Group `json:"group"`
+
+	// Kind is the kind of the referent. Although implementations may support
+	// additional resources, the following types are part of the "Core"
+	// support level for this field:
+	//
+	// * Secret when used to permit a SecretObjectReference
+	// * Service when used to permit a BackendObjectReference
+	Kind Kind `json:"kind"`
+
+	// Name is the name of the referent. When unspecified, this policy
+	// refers to all resources of the specified Group and Kind in the local
+	// namespace.
+	//
+	// +optional
+	Name *ObjectName `json:"name,omitempty"`
+}

kustomize/base/flagger/crd.yaml

@@ -33,6 +33,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&HTTPRoute{},
 		&HTTPRouteList{},
+		&ReferenceGrant{},
+		&ReferenceGrantList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil