Add EgressNetwork and routes statuses (#13181)

This PR adds an `EgressNetwork` CRD, which purpose is to describe networks that are external to the cluster. 
In addition to that it also adds `TLSRoute` and `TCPRoute` gateway api CRDs.

Most of the work in this change is focused on introducing these CRDs and correctly setting their status based on route specificity rules described in: https://gateway-api.sigs.k8s.io/geps/gep-1426/#route-types.

Notable changes include: 

- ability to attach TCP and TLS routes to both `EgressNetworks` and `Service` objects
- implemented conflict resolutions between routes
- admission validation on the newly introduced resources
- module + integration tests

Signed-off-by: Zahari Dichev <[email protected]>

charts/linkerd-control-plane/templates/destination-rbac.yaml

@@ -185,12 +185,15 @@ webhooks:
     - meshtlsauthentications
     - serverauthorizations
     - servers
+    - egressnetworks
   - operations: ["CREATE", "UPDATE"]
     apiGroups: ["gateway.networking.k8s.io"]
     apiVersions: ["*"]
     resources:
     - httproutes
     - grpcroutes
+    - tlsroutes
+    - tcproutes
   sideEffects: None
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -226,6 +229,7 @@ rules:
       - networkauthentications
       - servers
       - serverauthorizations
+      - egressnetworks
     verbs:
       - get
       - list
@@ -235,6 +239,8 @@ rules:
     resources:
       - httproutes
       - grpcroutes
+      - tlsroutes
+      - tcproutes
     verbs:
       - get
       - list
@@ -243,13 +249,16 @@ rules:
       - policy.linkerd.io
     resources:
       - httproutes/status
+      - egressnetworks/status
     verbs:
       - patch
   - apiGroups:
       - gateway.networking.k8s.io
     resources:
       - httproutes/status
       - grpcroutes/status
+      - tlsroutes/status
+      - tcproutes/status
     verbs:
       - patch
   - apiGroups:

charts/linkerd-crds/templates/policy/egress-network.yaml

@@ -0,0 +1,123 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: egressnetworks.policy.linkerd.io
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+spec:
+  group: policy.linkerd.io
+  names:
+    categories:
+    - policy
+    kind: EgressNetwork
+    listKind: EgressNetworkList
+    plural: egressnetworks
+    singular: egressnetwork
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        description: >-
+          An EgressNetwork captures traffic to egress destinations
+        type: object
+        required: [spec]
+        properties:
+          apiVerson:
+            type: string
+          kind:
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              trafficPolicy:
+                description: >-
+                  This field controls the traffic policy enforced upon traffic
+                  that does not match any explicit route resources associated
+                  with an instance of this object. The values that are allowed
+                  currently are:
+                   - Allow - permits all traffic, even if it has not been
+                                explicitly described via attaching an xRoute
+                                resources.
+                   - Deny -  blocks all traffic that has not been described via
+                                attaching an xRoute resource.
+                type: string
+                enum:
+                - Allow
+                - Deny
+              networks:
+                type: array
+                items:
+                  type: object
+                  required: [cidr]
+                  properties:
+                    cidr:
+                      description: >-
+                        The CIDR of the network to be authorized.
+                      type: string
+                    except:
+                      description: >-
+                        A list of IP networks/addresses not to be included in
+                        the above `cidr`.
+                      type: array
+                      items:
+                        type: string
+            type: object
+            required:
+            - trafficPolicy
+          status:
+            type: object
+            properties:
+              conditions:
+                type: array
+                items:
+                  type: object
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the
+                        condition transitioned from one status to another.
+                      format: date-time
+                      type: string
+                    status:
+                      description: status of the condition (one of True, False, Unknown)
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of the condition in CamelCase or in
+                        foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                    reason:
+                      description: reason contains a programmatic identifier
+                        indicating the reason for the condition's last
+                        transition. Producers of specific condition types may
+                        define expected values and meanings for this field, and
+                        whether the values are considered a guaranteed API. The
+                        value should be a CamelCase string. This field may not
+                        be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    message:
+                      description: message is a human readable message
+                        indicating details about the transition. This may be an
+                        empty string.
+                      maxLength: 32768
+                      type: string
+                required:
+                - status
+                - type

charts/linkerd-crds/values.yaml

@@ -1 +1,3 @@
 enableHttpRoutes: true
+enableTlsRoutes: true
+enableTcpRoutes: true

cli/cmd/check.go

@@ -145,7 +145,11 @@ func configureAndRunChecks(cmd *cobra.Command, wout io.Writer, werr io.Writer, o
 	crdManifest := bytes.Buffer{}
 	err = renderCRDs(&crdManifest, valuespkg.Options{
 		// GatewayAPI CRDs are optional so don't check for them.
-		Values: []string{"enableHttpRoutes=false"},
+		Values: []string{
+			"enableHttpRoutes=false",
+			"enableTcpRoutes=false",
+			"enableTlsRoutes=false",
+		},
 	}, "yaml")
 	if err != nil {
 		return err

cli/cmd/install.go

@@ -50,6 +50,7 @@ You can use the --ignore-cluster flag if you just want to generate the installat
 var (
 	TemplatesCrdFiles = []string{
 		"templates/policy/authorization-policy.yaml",
+		"templates/policy/egress-network.yaml",
 		"templates/policy/httproute.yaml",
 		"templates/policy/meshtls-authentication.yaml",
 		"templates/policy/network-authentication.yaml",
@@ -58,6 +59,8 @@ var (
 		"templates/serviceprofile.yaml",
 		"templates/gateway.networking.k8s.io_httproutes.yaml",
 		"templates/gateway.networking.k8s.io_grpcroutes.yaml",
+		"templates/gateway.networking.k8s.io_tlsroutes.yaml",
+		"templates/gateway.networking.k8s.io_tcproutes.yaml",
 		"templates/workload/external-workload.yaml",
 	}