Invalidate h2c support for http route

Author: bjee19

internal/controller/state/graph/backend_refs.go

@@ -453,10 +453,14 @@ func validateRouteBackendRefAppProtocol(
 	// Currently we only support recognition of the Kubernetes Standard Application Protocols defined in KEP-3726.
 	switch appProtocol {
 	case AppProtocolTypeH2C:
-		if routeType == RouteTypeHTTP || routeType == RouteTypeGRPC {
+		if routeType == RouteTypeGRPC {
 			return nil
 		}
 
+		if routeType == RouteTypeHTTP {
+			return fmt.Errorf("%w; nginx does not support proxying to upstreams with http2 or h2c", err)
+		}
+
 		return err
 	case AppProtocolTypeWS:
 		if routeType == RouteTypeHTTP {

internal/controller/state/graph/backend_refs_test.go

@@ -700,14 +700,19 @@ func TestAddBackendRefsToRules(t *testing.T) {
 				{
 					SvcNsName:          svcH2cNsName,
 					ServicePort:        svcH2c.Spec.Ports[0],
-					Valid:              true,
+					Valid:              false,
 					Weight:             1,
 					InvalidForGateways: map[types.NamespacedName]conditions.Condition{},
 				},
 			},
-			expectedConditions: nil,
-			policies:           emptyPolicies,
-			name:               "valid backendRef with service port appProtocol h2c and route type http",
+			expectedConditions: []conditions.Condition{
+				conditions.NewRouteBackendRefUnsupportedProtocol(
+					"route type http does not support service port appProtocol kubernetes.io/h2c;" +
+						" nginx does not support proxying to upstreams with http2 or h2c",
+				),
+			},
+			policies: emptyPolicies,
+			name:     "invalid backendRef with service port appProtocol h2c and route type http",
 		},
 		{
 			route: createRoute("hr1", RouteTypeHTTP, "Service", 1, "svcWS"),

internal/controller/state/graph/route_common.go

@@ -766,13 +766,11 @@ func bindL7RouteToListeners(
 			continue
 		}
 
-		for ruleIdx, rule := range route.Spec.Rules {
-			for backendRefIdx, backendRef := range rule.BackendRefs {
+		for _, rule := range route.Spec.Rules {
+			for _, backendRef := range rule.BackendRefs {
 				if cond, ok := backendRef.InvalidForGateways[gwNsName]; ok {
 					attachment.FailedConditions = append(attachment.FailedConditions, cond)
 				}
-
-				checkAppProtocolH2CConditional(backendRef, gw.EffectiveNginxProxy, route, ruleIdx, backendRefIdx)
 			}
 		}
 
@@ -797,29 +795,6 @@ func bindL7RouteToListeners(
 	}
 }
 
-func checkAppProtocolH2CConditional(
-	backendRef BackendRef,
-	npCfg *EffectiveNginxProxy,
-	route *L7Route,
-	ruleIdx,
-	backendRefIdx int,
-) {
-	// For all backendRefs referring to a Service with appProtocol h2c, we need to also check if http2
-	// is enabled. Don't need to check for RouteTypeGRPC since there are checks before this which fail the
-	// route from connecting to the Gateway.
-	if backendRef.ServicePort.AppProtocol != nil &&
-		*backendRef.ServicePort.AppProtocol == AppProtocolTypeH2C &&
-		route.RouteType == RouteTypeHTTP &&
-		isHTTP2Disabled(npCfg) {
-		route.Spec.Rules[ruleIdx].BackendRefs[backendRefIdx].Valid = false
-		route.Conditions = append(route.Conditions, conditions.NewRouteBackendRefUnsupportedProtocol(
-			fmt.Errorf("HTTP2 is disabled - cannot support appProtocol h2c on route type %s",
-				route.RouteType,
-			).Error(),
-		))
-	}
-}
-
 func isHTTP2Disabled(npCfg *EffectiveNginxProxy) bool {
 	if npCfg == nil {
 		return false

internal/controller/state/graph/route_common_test.go

@@ -394,38 +394,6 @@ func TestBindRouteToListeners(t *testing.T) {
 		return normalHTTPRoute
 	}
 
-	normalHTTPRouteWithH2CBackendRef := &L7Route{
-		RouteType: RouteTypeHTTP,
-		Source:    hr,
-		Spec: L7RouteSpec{
-			Hostnames: hr.Spec.Hostnames,
-			Rules: []RouteRule{
-				{
-					BackendRefs: []BackendRef{
-						{
-							Valid: true,
-							ServicePort: v1.ServicePort{
-								AppProtocol: helpers.GetPointer(AppProtocolTypeH2C),
-							},
-						},
-					},
-				},
-			},
-		},
-		Valid:      true,
-		Attachable: true,
-		ParentRefs: []ParentRef{
-			{
-				Idx:         0,
-				Gateway:     &ParentRefGateway{NamespacedName: client.ObjectKeyFromObject(gw)},
-				SectionName: hr.Spec.ParentRefs[0].SectionName,
-			},
-		},
-	}
-
-	invalidBackendRefH2c := *normalHTTPRouteWithH2CBackendRef
-	invalidBackendRefH2c.Spec.Rules[0].BackendRefs[0].Valid = false
-
 	getLastNormalHTTPRoute := func() *L7Route {
 		return normalHTTPRoute
 	}
@@ -603,7 +571,6 @@ func TestBindRouteToListeners(t *testing.T) {
 	tests := []struct {
 		route                    *L7Route
 		gateway                  *Gateway
-		expectedModifiedRoute    *L7Route
 		name                     string
 		expectedGatewayListeners []*Listener
 		expectedSectionNameRefs  []ParentRef
@@ -643,90 +610,6 @@ func TestBindRouteToListeners(t *testing.T) {
 			},
 			name: "normal case",
 		},
-		{
-			route: normalHTTPRouteWithH2CBackendRef,
-			gateway: &Gateway{
-				Source: gw,
-				Valid:  true,
-				Listeners: []*Listener{
-					createListener("listener-80-1"),
-				},
-				EffectiveNginxProxy: &EffectiveNginxProxy{
-					DisableHTTP2: helpers.GetPointer(false),
-				},
-			},
-			expectedSectionNameRefs: []ParentRef{
-				{
-					Idx:         0,
-					Gateway:     &ParentRefGateway{NamespacedName: client.ObjectKeyFromObject(gw)},
-					SectionName: hr.Spec.ParentRefs[0].SectionName,
-					Attachment: &ParentRefAttachmentStatus{
-						Attached: true,
-						AcceptedHostnames: map[string][]string{
-							CreateGatewayListenerKey(
-								client.ObjectKeyFromObject(gw),
-								"listener-80-1",
-							): {"foo.example.com"},
-						},
-					},
-				},
-			},
-			expectedGatewayListeners: []*Listener{
-				createModifiedListener("listener-80-1", func(l *Listener) {
-					l.Routes = map[RouteKey]*L7Route{
-						CreateRouteKey(hr): normalHTTPRouteWithH2CBackendRef,
-					}
-				}),
-			},
-			name: "httpRoute with h2c service port protocol in backend and h2c is enabled",
-		},
-		{
-			route: normalHTTPRouteWithH2CBackendRef,
-			gateway: &Gateway{
-				Source: gw,
-				Valid:  true,
-				Listeners: []*Listener{
-					createListener("listener-80-1"),
-				},
-				EffectiveNginxProxy: &EffectiveNginxProxy{
-					DisableHTTP2: helpers.GetPointer(true),
-				},
-			},
-			expectedSectionNameRefs: []ParentRef{
-				{
-					Idx:         0,
-					Gateway:     &ParentRefGateway{NamespacedName: client.ObjectKeyFromObject(gw)},
-					SectionName: hr.Spec.ParentRefs[0].SectionName,
-					Attachment: &ParentRefAttachmentStatus{
-						Attached: true,
-						AcceptedHostnames: map[string][]string{
-							CreateGatewayListenerKey(
-								client.ObjectKeyFromObject(gw),
-								"listener-80-1",
-							): {"foo.example.com"},
-						},
-					},
-				},
-			},
-			expectedGatewayListeners: []*Listener{
-				createModifiedListener("listener-80-1", func(l *Listener) {
-					route := *normalHTTPRouteWithH2CBackendRef
-					route.Conditions = []conditions.Condition{
-						conditions.NewRouteBackendRefUnsupportedProtocol(
-							"HTTP2 is disabled - cannot support appProtocol h2c on route type http"),
-					}
-					l.Routes = map[RouteKey]*L7Route{
-						CreateRouteKey(hr): &route,
-					}
-				}),
-			},
-			expectedConditions: []conditions.Condition{
-				conditions.NewRouteBackendRefUnsupportedProtocol(
-					"HTTP2 is disabled - cannot support appProtocol h2c on route type http"),
-			},
-			expectedModifiedRoute: &invalidBackendRefH2c,
-			name:                  "httpRoute with h2c service port protocol in backend and h2c is disabled",
-		},
 		{
 			route: routeWithMissingSectionName,
 			gateway: &Gateway{
@@ -1515,12 +1398,6 @@ func TestBindRouteToListeners(t *testing.T) {
 			g.Expect(test.route.ParentRefs).To(Equal(test.expectedSectionNameRefs))
 			g.Expect(helpers.Diff(test.gateway.Listeners, test.expectedGatewayListeners)).To(BeEmpty())
 			g.Expect(helpers.Diff(test.route.Conditions, test.expectedConditions)).To(BeEmpty())
-
-			// in situations where bindRouteToListeners modifies the route spec, for instance marking a backendRef
-			// as invalid
-			if test.expectedModifiedRoute != nil {
-				g.Expect(helpers.Diff(test.route.Spec, test.expectedModifiedRoute.Spec)).To(BeEmpty())
-			}
 		})
 	}
 }