Using PolicyTargetReference instead of Selector

[didierofrivia]

In order to not rely on Gateway a̶n̶n̶o̶t̶a̶t̶i̶o̶n̶s̶ labels/selectors, we are now using PolicyTargetReference. This fixes the issue when no annotation has been added to the managed gateway (or removed/updated).

Verification steps

1. Set up the cluster

make local-setup

2. Remove the deployed gw label

kubectl -n istio-system label gateway istio-ingressgateway istio-

3. Apply Kuadrant CR

kubectl -n kuadrant-system apply -f - <<EOF
apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant
spec: {}
EOF

4. Deploy ToyStore API and route the traffic

kubectl apply -f examples/toystore/toystore.yaml

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: toystore
spec:
  parentRefs:
  - name: istio-ingressgateway
    namespace: istio-system
  hostnames:
  - api.toystore.com
  rules:
  - matches:
    - path:
        type: Exact
        value: "/toy"
      method: GET
    backendRefs:
    - name: toystore
      port: 80
EOF

5. Apply a RLP

kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
kind: RateLimitPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  limits:
    "default":
      rates:
      - limit: 5
        duration: 10
        unit: second
EOF

6. Check the envoy config for the wasm shim configuration for the RLP

kubectl port-forward --namespace istio-system deployment/istio-ingressgateway-istio 15000:15000 &

curl -v "<http://127.0.0.1:15000/config_dump?format=json>" | yq e -P -

It should contain

...
 config:
              name: istio-system.kuadrant-istio-ingressgateway
              vm_config:
                runtime: envoy.wasm.runtime.v8
                code:
                  local:
                    filename: /var/lib/istio/data/81221938ebcbc4550eb35f72aac65d0939d89335832b5a022226fb2526806e9e/9b28356942b98c2a73dd1428403ec45836f956114208dfceb88f8f957e94e45d.wasm
              configuration:
                '@type': type.googleapis.com/google.protobuf.StringValue
                value: '{"failureMode":"deny","rateLimitPolicies":[{"domain":"default/toystore","hostnames":["api.toystore.com"],"name":"default/toystore","rules":[{"conditions":[{"allOf":[{"operator":"eq","selector":"request.url_path","value":"/toy"},{"operator":"eq","selector":"request.method","value":"GET"}]}],"data":[{"static":{"key":"limit.default__37a8eec1","value":"1"}}]}],"service":"kuadrant-rate-limiting-service"}]}'
...

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.54%. Comparing base (ece13e8) to head (cfd9dde).
Report is 87 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #612      +/-   ##
==========================================
+ Coverage   80.20%   82.54%   +2.33%     
==========================================
  Files          64       72       +8     
  Lines        4492     5415     +923     
==========================================
+ Hits         3603     4470     +867     
- Misses        600      639      +39     
- Partials      289      306      +17     

Flag	Coverage Δ
integration	74.08% <100.00%> (+2.80%)	⬆️
unit	33.73% <83.33%> (+3.70%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
api/v1beta1 (u)	71.42% <ø> (ø)
api/v1beta2 (u)	93.58% <100.00%> (+2.16%)	⬆️
pkg/common (u)	83.78% <ø> (-5.05%)	⬇️
pkg/istio (u)	75.86% <ø> (+1.94%)	⬆️
pkg/log (u)	100.00% <ø> (+5.26%)	⬆️
pkg/reconcilers (u)	∅ <ø> (∅)
pkg/rlptools (u)	79.84% <ø> (+0.39%)	⬆️
controllers (i)	80.81% <84.03%> (+4.00%)	⬆️

Files	Coverage Δ
controllers/rate_limiting_wasmplugin_controller.go	80.69% <100.00%> (ø)
pkg/istio/utils.go	100.00% <100.00%> (ø)

... and 33 files with indirect coverage changes

[didierofrivia]

I haven't removed WorkloadSelectorFromGateway since it's still used by https://github.com/Kuadrant/kuadrant-operator/blob/main/controllers/authpolicy_istio_authorizationpolicy.go#L98 and https://github.com/Kuadrant/kuadrant-operator/blob/main/controllers/limitador_cluster_envoyfilter_controller.go#L120

[ehearneRedHat]

Looks good to merge - request did contain

config:
              name: istio-system.kuadrant-istio-ingressgateway
              vm_config:
                runtime: envoy.wasm.runtime.v8
                code:
                  local:
                    filename: /var/lib/istio/data/81221938ebcbc4550eb35f72aac65d0939d89335832b5a022226fb2526806e9e/9b28356942b98c2a73dd1428403ec45836f956114208dfceb88f8f957e94e45d.wasm
              configuration:
                '@type': type.googleapis.com/google.protobuf.StringValue
                value: '{"failureMode":"deny","rateLimitPolicies":[{"domain":"default/toystore","hostnames":["api.toystore.com"],"name":"default/toystore","rules":[{"conditions":[{"allOf":[{"operator":"eq","selector":"request.url_path","value":"/toy"},{"operator":"eq","selector":"request.method","value":"GET"}]}],"data":[{"static":{"key":"limit.default__37a8eec1","value":"1"}}]}],"service":"kuadrant-rate-limiting-service"}]}'

[guicassolato]

What does this have to do with gateway annotations?

[eguzki]

What does this have to do with gateway annotations?

When the gateway does not have labels (nothing to do with annotations), the label selector implemented by kuadrant is failing as it is empty. Empty label selector will not match any gateway, thus rate limiting not enforced.

[guicassolato]

What does this have to do with gateway annotations?

When the gateway does not have labels (nothing to do with annotations), the label selector implemented by kuadrant is failing as it is empty. Empty label selector will not match any gateway, thus rate limiting not enforced.

Thanks @eguzki. That's what I figured. Maybe fix in the description of the PR, @didierofrivia?