refactor: return 500 when BackendTLSPolicy translation fails

[alexwo]

What type of PR is this?

What this PR does / why we need it:

• 500 for HTTP
• connection reset for TCP/UDP

Which issue(s) this PR fixes:
Fixes #4087

[codecov]

Codecov Report

Attention: Patch coverage is 81.62162% with 34 lines in your changes missing coverage. Please review.

Project coverage is 66.28%. Comparing base (b9f9a9f) to head (c2c8b4b).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/gatewayapi/route.go	75.00%	16 Missing and 5 partials ⚠️
internal/gatewayapi/filters.go	63.63%	7 Missing and 1 partial ⚠️
internal/gatewayapi/ext_service.go	40.00%	2 Missing and 1 partial ⚠️
internal/gatewayapi/validate.go	95.55%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4363      +/-   ##
==========================================
- Coverage   66.29%   66.28%   -0.01%     
==========================================
  Files         209      209              
  Lines       31912    31956      +44     
==========================================
+ Hits        21157    21183      +26     
- Misses       9507     9523      +16     
- Partials     1248     1250       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[alexwo]

/retest

[zhaohuabing]

@alexwo Thanks for picking up this! This PR looks great overall! I just have a few nits.

[zhaohuabing]

Why this is changed?

[alexwo]

updated, a route will not get translated, if it is a TCP/UDP route & contains invalid configurations

[guydc]

@alexwo - let's maybe update the PR description and title so that the release notes will reflect the two behaviors:

• 500 for HTTP
• connection reset for TCP/UDP

In terms of UX, users experience a reset in this case right? Just want to make sure that the connections on the client side don't hang and wait for some timeout, so that it's clear to users that the request is explicitly rejected.

[alexwo]

If the route associated with the TLS connection is removed, I would expect ongoing connections that are relying on this route will be dropped. This will most likely result in a TCP reset (RST) or a termination of the TLS session, effectively severing the connection. Maybe we can try to confirm it.

[guydc]

LGTM. Few questions on behavior and scope.

[guydc]

Are the changes made here extending the scope of the PR to reject additional cases like invalid backend config, or is this already handled with a 500 response?

[alexwo]

Yes, these changes capture cases where the backend configuration is invalid.

[guydc]

should the destination exist in this case?

[alexwo]

nope, updated.

[guydc]

nice!

[alexwo]

/retes

[alexwo]

/retest

[alexwo]

/retest

[alexwo]

/retest

[alexwo]

/retest

[arkodg]

curious what happened here, and why this got deleted ?

[alexwo]

In this scenario, the route generally shouldn’t be operational. I’ll look into why the settings are being removed to better understand the problem. For now, the route is left as-is because fully invalidating it causes the conformance test to fail. Perhaps we can ignore the TLS route translation errors in the affected flow and create a separate task to address it.

[arkodg]

this 2 similar conditions here

Backend service validation failed: Service default/service-unknown

&&

 Service default/service-unknown not found

[alexwo]

Would it be better to provide a static message explaining why the status is not accepted, such as “invalid configuration detected”? This approach would avoid repeating the message in the accepted status reason. The types, such as “Accepted” and “ResolvedRefs,” are already distinct.

[arkodg]

I think its fine for this PR

[arkodg]

similar comment as https://github.com/envoyproxy/gateway/pull/4363/files#r1792663080

[arkodg]

curious why we need to change the status generation logic

[alexwo]

To clarify why the traffic cannot be routed, previously, the route was accepted, and the traffic was considered routable before this change.

[arkodg]

trying to better understand why do we need an additional check here, isnt if err != nil enough ?

[alexwo]

At this stage, it is already possible that a route is not applicable due to other reasons. This check attempts to retain the original reason, as it may be more specific. However, if that is the case, no traffic would be routed regardless to the settings validations errors.

[arkodg]

can you share an example of what the status looks like with and w/o this change ?

[alexwo]

Actually, this does not seem to happen, I did not notice any different translations when this extra condition is not in place. I have removed it.

[arkodg]

same as https://github.com/envoyproxy/gateway/pull/4363/files#r1792677269

[arkodg]

this isnt added for HTTPRoute and GRPCRoute but is added for UDP and TCP ?

[alexwo]

For HTTP and TCP routes, we currently accept the route but return a 500 response. However, for UDP and TCP routes, the suggestion is to reject and not translate it at all incase of errors, and indicate this via the route status as traffic won't be routable at all.

[arkodg]

same as above

[arkodg]

@alexwo I dont see the conformance tests passing. I'm worried about the size of this change that not only applies to BTP but every error while translating route rules and backendRefs. For example if one out of the many backendRefs is invalid, only a portion of the requests should receive a 503
https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.HTTPBackendRef

[alexwo]

@alexwo I dont see the conformance tests passing. I'm worried about the size of this change that not only applies to BTP but every error while translating route rules and backendRefs. For example if one out of the many backendRefs is invalid, only a portion of the requests should receive a 503 https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.HTTPBackendRef

@arkodg indeed, the impact of the change is large and it will render out many of the partial working, not fully configured routes, I can fully relate to it.

We should be covered as long as many of the necessary tests should be in place,what can detect potential issues.

The conformance tests are passing, but there was a linting issue previously that prevented them from running.

Now, if a part of the backend reference configuration is invalid — for example, if one of the associated configurations cannot be processed — the key question is: should routing to this backend reference still occur in such cases?

[alexwo]

/retest

[arkodg]

Now, if a part of the backend reference configuration is invalid — for example, if one of the associated configurations cannot be processed — the key question is: should routing to this backend reference still occur in such cases?

According to the spec, the answer is a portion of the requests (based on weights) should continue to be sent to the valid backendRef

[alexwo]

Now, if a part of the backend reference configuration is invalid — for example, if one of the associated configurations cannot be processed — the key question is: should routing to this backend reference still occur in such cases?

According to the spec, the answer is a portion of the requests (based on weights) should continue to be sent to the valid backendRef

We’re processing all backend routes and addressing only falty configured ones. This should ensures alignment with the spec, as valid backend routes will continue to function, while only those with invalid configurations will be skipped / not translated.
( we process all routes for each backend and go over all routes, even if some one the backend routes did have errors . )

[alexwo]

/retest

[github-actions]

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. Please feel free to give a status update now, ping for review, when it's ready. Thank you for your contributions!

[arkodg]

LGTM thanks !

[guydc]

LGTM!
@alexwo - can you update the PR?

[alexwo]

/retest

[alexwo]

/retest

[alexwo]

/retest

[alexwo]

/retest