refactor(policy): Use gateway API bindings from the official gateway-api crate

Cargo.toml

@@ -15,6 +15,12 @@ members = [
 lto = "thin"
 
 [workspace.dependencies]
-k8s-openapi = { version = "0.20", features = ["v1_22"] }
-kube = { version = "0.87.1", default-features = false }
-kubert = { version = "0.22", default-features = false }
+k8s-openapi = { version = "0.24", features = ["v1_31"] }
+kube = { version = "0.98", default-features = false }
+kubert = { version = "0.23.0-alpha6", default-features = false }
+prometheus-client = { version = "0.23", default-features = false }
+
+[workspace.dependencies.linkerd2-proxy-api]
+git = "https://github.com/linkerd/linkerd2-proxy-api"
+branch = "ver/deps-http"
+features = ["inbound", "outbound"]

policy-controller/core/Cargo.toml

@@ -11,6 +11,6 @@ anyhow = "1"
 async-trait = "0.1"
 chrono = { version = "0.4.39", default-features = false }
 futures = { version = "0.3", default-features = false, features = ["std"] }
-http = "0.2"
+http = "1"
 ipnet = "2"
 regex = "1"

policy-controller/grpc/Cargo.toml

@@ -8,19 +8,19 @@ publish = false
 [dependencies]
 async-stream = "0.3"
 async-trait = "0.1"
-http = "0.2"
+http = "1"
 drain = "0.1"
 futures = { version = "0.3", default-features = false }
-hyper = { version = "0.14", features = ["http2", "server", "tcp"] }
+hyper = { version = "1", features = ["http2", "server"] }
 linkerd-policy-controller-core = { path = "../core" }
 maplit = "1"
-prost-types = "0.12.6"
+prost-types = "0.13"
 tokio = { version = "1", features = ["macros"] }
-tonic = { version = "0.10", default-features = false }
+tonic = { version = "0.12", default-features = false }
 tracing = "0.1"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 
 [dependencies.linkerd2-proxy-api]
-version = "0.15"
+workspace = true
 features = ["inbound", "outbound"]

policy-controller/grpc/src/outbound/http.rs

@@ -75,7 +75,7 @@ pub(crate) fn protocol(
         }),
         http1: Some(outbound::proxy_protocol::Http1 {
             routes: routes.clone(),
-            failure_accrual: accrual.clone(),
+            failure_accrual: accrual,
         }),
         http2: Some(outbound::proxy_protocol::Http2 {
             routes,

policy-controller/k8s/api/Cargo.toml

@@ -7,7 +7,7 @@ publish = false
 
 [dependencies]
 k8s-openapi = { workspace = true }
-k8s-gateway-api = { version = "0.16", features = ["experimental"] }
+gateway-api = "0.14"
 kube = { workspace = true, default-features = false, features = [
     "client",
     "derive",

policy-controller/k8s/api/src/lib.rs

@@ -7,7 +7,7 @@ pub mod labels;
 pub mod policy;
 
 pub use self::labels::Labels;
-pub use k8s_gateway_api as gateway;
+pub use gateway_api::apis::experimental as gateway;
 pub use k8s_openapi::{
     api::{
         self,

policy-controller/k8s/api/src/policy.rs

@@ -1,5 +1,6 @@
 pub mod authorization_policy;
 pub mod egress_network;
+pub mod grpcroute;
 pub mod httproute;
 pub mod meshtls_authentication;
 mod network;
@@ -8,6 +9,8 @@ pub mod ratelimit_policy;
 pub mod server;
 pub mod server_authorization;
 pub mod target_ref;
+pub mod tcproute;
+pub mod tlsroute;
 
 pub use self::{
     authorization_policy::{AuthorizationPolicy, AuthorizationPolicySpec},

policy-controller/k8s/api/src/policy/grpcroute.rs

@@ -0,0 +1,26 @@
+use gateway_api::apis::experimental::grpcroutes::{GRPCRouteParentRefs, GRPCRouteRulesBackendRefs};
+
+pub fn parent_ref_targets_kind<T>(parent_ref: &GRPCRouteParentRefs) -> bool
+where
+    T: kube::Resource,
+    T::DynamicType: Default,
+{
+    let kind = match parent_ref.kind {
+        Some(ref kind) => kind,
+        None => return false,
+    };
+
+    super::targets_kind::<T>(parent_ref.group.as_deref(), kind)
+}
+
+pub fn backend_ref_targets_kind<T>(backend_ref: &GRPCRouteRulesBackendRefs) -> bool
+where
+    T: kube::Resource,
+    T::DynamicType: Default,
+{
+    // Default kind is assumed to be service for backend ref objects
+    super::targets_kind::<T>(
+        backend_ref.group.as_deref(),
+        backend_ref.kind.as_deref().unwrap_or("Service"),
+    )
+}

policy-controller/k8s/api/src/policy/httproute.rs

@@ -1,8 +1,8 @@
-pub use k8s_gateway_api::{
-    BackendObjectReference, CommonRouteSpec, Hostname, HttpBackendRef, HttpHeader, HttpHeaderMatch,
-    HttpHeaderName, HttpMethod, HttpPathMatch, HttpPathModifier, HttpQueryParamMatch,
-    HttpRequestHeaderFilter, HttpRequestRedirectFilter, HttpRouteMatch, LocalObjectReference,
-    ParentReference, RouteStatus,
+use gateway_api::apis::experimental::httproutes::HTTPRouteRulesFiltersRequestRedirect;
+pub use gateway_api::apis::experimental::httproutes::{
+    HTTPRouteParentRefs, HTTPRouteRulesBackendRefs, HTTPRouteRulesFiltersRequestHeaderModifier,
+    HTTPRouteRulesFiltersResponseHeaderModifier, HTTPRouteRulesFiltersUrlRewrite,
+    HTTPRouteRulesMatches, HTTPRouteStatus, HTTPRouteStatus as RouteStatus,
 };
 
 /// HTTPRoute provides a way to route HTTP requests. This includes the
@@ -28,8 +28,12 @@ pub use k8s_gateway_api::{
 )]
 pub struct HttpRouteSpec {
     /// Common route information.
-    #[serde(flatten)]
-    pub inner: CommonRouteSpec,
+    #[serde(
+        default,
+        skip_serializing_if = "Option::is_none",
+        rename = "parentRefs"
+    )]
+    pub parent_refs: Option<Vec<HTTPRouteParentRefs>>,
 
     /// Hostnames defines a set of hostname that should match against the HTTP
     /// Host header to select a HTTPRoute to process the request. This matches
@@ -38,7 +42,7 @@ pub struct HttpRouteSpec {
     /// 1. IPs are not allowed.
     /// 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
     ///    label must appear by itself as the first label.
-    pub hostnames: Option<Vec<Hostname>>,
+    pub hostnames: Option<Vec<String>>,
 
     /// Rules are a list of HTTP matchers, filters and actions.
     pub rules: Option<Vec<HttpRouteRule>>,
@@ -47,9 +51,7 @@ pub struct HttpRouteSpec {
 /// HTTPRouteRule defines semantics for matching an HTTP request based on
 /// conditions (matches), processing it (filters), and forwarding the request to
 /// an API object (backendRefs).
-#[derive(
-    Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize, schemars::JsonSchema,
-)]
+#[derive(Clone, Debug, PartialEq, serde::Deserialize, serde::Serialize, schemars::JsonSchema)]
 #[serde(rename_all = "camelCase")]
 pub struct HttpRouteRule {
     /// Matches define conditions used for matching the rule against incoming
@@ -105,7 +107,7 @@ pub struct HttpRouteRule {
     ///
     /// When no rules matching a request have been successfully attached to the
     /// parent a request is coming from, a HTTP 404 status code MUST be returned.
-    pub matches: Option<Vec<HttpRouteMatch>>,
+    pub matches: Option<Vec<HTTPRouteRulesMatches>>,
 
     /// Filters define the filters that are applied to requests that match this
     /// rule.
@@ -153,7 +155,7 @@ pub struct HttpRouteRule {
     /// Support: Custom for any other resource
     ///
     /// Support for weight: Core
-    pub backend_refs: Option<Vec<HttpBackendRef>>,
+    pub backend_refs: Option<Vec<HTTPRouteRulesBackendRefs>>,
 
     /// Timeouts defines the timeouts that can be configured for an HTTP request.
     ///
@@ -167,9 +169,7 @@ pub struct HttpRouteRule {
 /// Some examples include request or response modification, implementing
 /// authentication strategies, rate-limiting, and traffic shaping. API
 /// guarantee/conformance is defined based on the type of the filter.
-#[derive(
-    Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize, schemars::JsonSchema,
-)]
+#[derive(Clone, Debug, PartialEq, serde::Deserialize, serde::Serialize, schemars::JsonSchema)]
 #[serde(tag = "type", rename_all = "PascalCase")]
 pub enum HttpRouteFilter {
     /// RequestHeaderModifier defines a schema for a filter that modifies request
@@ -178,7 +178,7 @@ pub enum HttpRouteFilter {
     /// Support: Core
     #[serde(rename_all = "camelCase")]
     RequestHeaderModifier {
-        request_header_modifier: HttpRequestHeaderFilter,
+        request_header_modifier: HTTPRouteRulesFiltersRequestHeaderModifier,
     },
 
     /// ResponseHeaderModifier defines a schema for a filter that modifies response
@@ -187,7 +187,7 @@ pub enum HttpRouteFilter {
     /// Support: Extended
     #[serde(rename_all = "camelCase")]
     ResponseHeaderModifier {
-        response_header_modifier: HttpRequestHeaderFilter,
+        response_header_modifier: HTTPRouteRulesFiltersResponseHeaderModifier,
     },
 
     /// RequestRedirect defines a schema for a filter that responds to the
@@ -196,7 +196,7 @@ pub enum HttpRouteFilter {
     /// Support: Core
     #[serde(rename_all = "camelCase")]
     RequestRedirect {
-        request_redirect: HttpRequestRedirectFilter,
+        request_redirect: HTTPRouteRulesFiltersRequestRedirect,
     },
 }
 
@@ -238,7 +238,7 @@ pub struct HttpRouteTimeouts {
     pub backend_request: Option<crate::duration::K8sDuration>,
 }
 
-pub fn parent_ref_targets_kind<T>(parent_ref: &ParentReference) -> bool
+pub fn parent_ref_targets_kind<T>(parent_ref: &HTTPRouteParentRefs) -> bool
 where
     T: kube::Resource,
     T::DynamicType: Default,
@@ -251,7 +251,7 @@ where
     super::targets_kind::<T>(parent_ref.group.as_deref(), kind)
 }
 
-pub fn backend_ref_targets_kind<T>(backend_ref: &BackendObjectReference) -> bool
+pub fn backend_ref_targets_kind<T>(backend_ref: &HTTPRouteRulesBackendRefs) -> bool
 where
     T: kube::Resource,
     T::DynamicType: Default,

policy-controller/k8s/api/src/policy/tcproute.rs

@@ -0,0 +1,26 @@
+use gateway_api::apis::experimental::tcproutes::{TCPRouteParentRefs, TCPRouteRulesBackendRefs};
+
+pub fn parent_ref_targets_kind<T>(parent_ref: &TCPRouteParentRefs) -> bool
+where
+    T: kube::Resource,
+    T::DynamicType: Default,
+{
+    let kind = match parent_ref.kind {
+        Some(ref kind) => kind,
+        None => return false,
+    };
+
+    super::targets_kind::<T>(parent_ref.group.as_deref(), kind)
+}
+
+pub fn backend_ref_targets_kind<T>(backend_ref: &TCPRouteRulesBackendRefs) -> bool
+where
+    T: kube::Resource,
+    T::DynamicType: Default,
+{
+    // Default kind is assumed to be service for backend ref objects
+    super::targets_kind::<T>(
+        backend_ref.group.as_deref(),
+        backend_ref.kind.as_deref().unwrap_or("Service"),
+    )
+}

policy-controller/k8s/api/src/policy/tlsroute.rs

@@ -0,0 +1,26 @@
+use gateway_api::apis::experimental::tlsroutes::{TLSRouteParentRefs, TLSRouteRulesBackendRefs};
+
+pub fn parent_ref_targets_kind<T>(parent_ref: &TLSRouteParentRefs) -> bool
+where
+    T: kube::Resource,
+    T::DynamicType: Default,
+{
+    let kind = match parent_ref.kind {
+        Some(ref kind) => kind,
+        None => return false,
+    };
+
+    super::targets_kind::<T>(parent_ref.group.as_deref(), kind)
+}
+
+pub fn backend_ref_targets_kind<T>(backend_ref: &TLSRouteRulesBackendRefs) -> bool
+where
+    T: kube::Resource,
+    T::DynamicType: Default,
+{
+    // Default kind is assumed to be service for backend ref objects
+    super::targets_kind::<T>(
+        backend_ref.group.as_deref(),
+        backend_ref.kind.as_deref().unwrap_or("Service"),
+    )
+}

policy-controller/k8s/index/Cargo.toml

@@ -10,7 +10,7 @@ ahash = "0.8"
 anyhow = "1"
 chrono = { version = "0.4.39", default-features = false }
 futures = { version = "0.3", default-features = false }
-http = "0.2"
+http = "1"
 kube = { workspace = true, default-features = false, features = [
     "client",
     "derive",
@@ -20,14 +20,14 @@ kubert = { workspace = true, default-features = false, features = ["index"] }
 linkerd-policy-controller-core = { path = "../../core" }
 linkerd-policy-controller-k8s-api = { path = "../api" }
 parking_lot = "0.12"
-prometheus-client = { version = "0.22.3", default-features = false }
+prometheus-client = { workspace = true }
 thiserror = "2"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
 tracing = "0.1"
 
 [dev-dependencies]
 chrono = { version = "0.4", default-features = false }
-k8s-openapi = { version = "0.20", features = ["schemars"] }
+k8s-openapi = { workspace = true, features = ["schemars"] }
 maplit = "1"
 tokio-stream = "0.1"
 tokio-test = "0.4"

policy-controller/k8s/index/src/inbound/authorization_policy.rs

@@ -66,15 +66,15 @@ fn target(t: LocalTargetRef) -> Result<Target> {
         t if t.targets_kind::<k8s::policy::Server>() => Ok(Target::Server(t.name)),
         t if t.targets_kind::<k8s::Namespace>() => Ok(Target::Namespace),
         t if t.targets_kind::<k8s::policy::HttpRoute>()
-            || t.targets_kind::<k8s_gateway_api::HttpRoute>() =>
+            || t.targets_kind::<k8s_gateway_api::httproutes::HTTPRoute>() =>
         {
             Ok(Target::HttpRoute(GroupKindName {
                 group: t.group.unwrap_or_default().into(),
                 kind: t.kind.into(),
                 name: t.name.into(),
             }))
         }
-        t if t.targets_kind::<k8s_gateway_api::GrpcRoute>() => {
+        t if t.targets_kind::<k8s_gateway_api::grpcroutes::GRPCRoute>() => {
             Ok(Target::GrpcRoute(GroupKindName {
                 group: t.group.unwrap_or_default().into(),
                 kind: t.kind.into(),