add graph to dataplane conversion

Problem: Graph did not support TLS Route to dataplane configuration

Solution: Added the code to convert it

Author: sarthyparty

internal/framework/kinds/kinds.go

@@ -19,6 +19,8 @@ const (
 	HTTPRoute = "HTTPRoute"
 	// GRPCRoute is the GRPCRoute kind.
 	GRPCRoute = "GRPCRoute"
+	// TLSRoute is the TLSRoute kind.
+	TLSRoute = "TLSRoute"
 )
 
 // NGINX Gateway Fabric kinds.

internal/mode/static/state/dataplane/configuration.go

@@ -45,26 +45,130 @@ func BuildConfiguration(
 	baseHTTPConfig := buildBaseHTTPConfig(g)
 	upstreams := buildUpstreams(ctx, g.Gateway.Listeners, serviceResolver, baseHTTPConfig.IPFamily)
 	httpServers, sslServers := buildServers(g, generator)
+	passthroughServers := buildPassthroughServers(g)
+	streamUpstreams := buildStreamUpstreams(ctx, g.Gateway.Listeners, serviceResolver)
 	backendGroups := buildBackendGroups(append(httpServers, sslServers...))
 	keyPairs := buildSSLKeyPairs(g.ReferencedSecrets, g.Gateway.Listeners)
 	certBundles := buildCertBundles(g.ReferencedCaCertConfigMaps, backendGroups)
 	telemetry := buildTelemetry(g)
 
 	config := Configuration{
-		HTTPServers:    httpServers,
-		SSLServers:     sslServers,
-		Upstreams:      upstreams,
-		BackendGroups:  backendGroups,
-		SSLKeyPairs:    keyPairs,
-		Version:        configVersion,
-		CertBundles:    certBundles,
-		Telemetry:      telemetry,
-		BaseHTTPConfig: baseHTTPConfig,
+		HTTPServers:           httpServers,
+		SSLServers:            sslServers,
+		TLSPassthroughServers: passthroughServers,
+		Upstreams:             upstreams,
+		StreamUpstreams:       streamUpstreams,
+		BackendGroups:         backendGroups,
+		SSLKeyPairs:           keyPairs,
+		Version:               configVersion,
+		CertBundles:           certBundles,
+		Telemetry:             telemetry,
+		BaseHTTPConfig:        baseHTTPConfig,
 	}
 
 	return config
 }
 
+// buildPassthroughServers builds TLSPassthroughServers from TLSRoutes attaches to listeners.
+func buildPassthroughServers(g *graph.Graph) []Layer4VirtualServer {
+	passthroughServersMap := make(map[graph.L4RouteKey][]Layer4VirtualServer)
+	routeToListenerHostname := make(map[graph.L4RouteKey]*v1.Hostname)
+
+	for _, l := range g.Gateway.Listeners {
+		if !l.Valid {
+			continue
+		}
+		for key, r := range l.L4Routes {
+			if !r.Valid {
+				continue
+			}
+
+			if _, ok := passthroughServersMap[key]; ok {
+				if listenerHostnameMoreSpecific(l.Source.Hostname, routeToListenerHostname[key]) {
+					continue
+				}
+				passthroughServersMap[key] = []Layer4VirtualServer{}
+			}
+
+			for _, h := range r.Spec.Hostnames {
+				passthroughServersMap[key] = append(passthroughServersMap[key], Layer4VirtualServer{
+					Hostname:     string(h),
+					UpstreamName: r.Spec.BackendRef.ServicePortReference(),
+					Port:         int32(l.Source.Port),
+				})
+			}
+		}
+	}
+
+	passthroughServers := make([]Layer4VirtualServer, 0, len(passthroughServersMap))
+
+	for _, r := range passthroughServersMap {
+		passthroughServers = append(passthroughServers, r...)
+	}
+
+	return passthroughServers
+}
+
+// buildStreamUpstreams builds all stream upstreams.
+func buildStreamUpstreams(
+	ctx context.Context,
+	listeners []*graph.Listener,
+	resolver resolver.ServiceResolver,
+) []Upstream {
+	// There can be duplicate upstreams if multiple routes reference the same upstream.
+	// We use a map to deduplicate them.
+	uniqueUpstreams := make(map[string]Upstream)
+
+	for _, l := range listeners {
+		if !l.Valid || l.Source.Protocol != v1.TLSProtocolType {
+			continue
+		}
+
+		for _, route := range l.L4Routes {
+			if !route.Valid {
+				continue
+			}
+
+			br := route.Spec.BackendRef
+
+			if !br.Valid {
+				continue
+			}
+
+			upstreamName := br.ServicePortReference()
+			_, exist := uniqueUpstreams[upstreamName]
+
+			if exist {
+				continue
+			}
+
+			var errMsg string
+
+			eps, err := resolver.Resolve(ctx, br.SvcNsName, br.ServicePort)
+			if err != nil {
+				errMsg = err.Error()
+			}
+
+			uniqueUpstreams[upstreamName] = Upstream{
+				Name:      upstreamName,
+				Endpoints: eps,
+				ErrorMsg:  errMsg,
+			}
+		}
+	}
+
+	if len(uniqueUpstreams) == 0 {
+		return nil
+	}
+
+	upstreams := make([]Upstream, 0, len(uniqueUpstreams))
+
+	for _, up := range uniqueUpstreams {
+		upstreams = append(upstreams, up)
+	}
+	return upstreams
+}
+
 // buildSSLKeyPairs builds the SSLKeyPairs from the Secrets. It will only include Secrets that are referenced by
 // valid listeners, so that we don't include unused Secrets in the configuration of the data plane.
 func buildSSLKeyPairs(
@@ -212,6 +316,9 @@ func buildServers(g *graph.Graph, generator policies.ConfigGenerator) (http, ssl
 	}
 
 	for _, l := range g.Gateway.Listeners {
+		if l.Source.Protocol == v1.TLSProtocolType {
+			continue
+		}
 		if l.Valid {
 			rules := rulesForProtocol[l.Source.Protocol][l.Source.Port]
 			if rules == nil {

internal/mode/static/state/dataplane/configuration_test.go

@@ -13,6 +13,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	v1 "sigs.k8s.io/gateway-api/apis/v1"
 	"sigs.k8s.io/gateway-api/apis/v1alpha2"
@@ -3215,3 +3217,207 @@ func TestGetAllowedAddressType(t *testing.T) {
 		})
 	}
 }
+func TestCreatePassthroughServers(t *testing.T) {
+	testGraph := graph.Graph{
+		Gateway: &graph.Gateway{
+			Listeners: []*graph.Listener{
+				{
+					Name: "testingListener",
+					Source: v1.Listener{
+						Protocol: v1.TLSProtocolType,
+						Port:     443,
+						Hostname: ptr.To[v1.Hostname]("*.example.com"),
+					},
+					Routes: make(map[graph.RouteKey]*graph.L7Route),
+					L4Routes: map[graph.L4RouteKey]*graph.L4Route{
+						{NamespacedName: types.NamespacedName{
+							Namespace: "default",
+							Name:      "secure-app",
+						}}: {
+							Spec: graph.L4RouteSpec{
+								Hostnames: []v1.Hostname{"app.example.com", "cafe.example.com"},
+								BackendRef: graph.BackendRef{
+									SvcNsName: types.NamespacedName{
+										Namespace: "default",
+										Name:      "secure-app",
+									},
+									ServicePort: apiv1.ServicePort{
+										Name:     "https",
+										Protocol: "TCP",
+										Port:     8443,
+										TargetPort: intstr.IntOrString{
+											Type:   intstr.Int,
+											IntVal: 8443,
+										},
+									},
+									Valid: true,
+								},
+							},
+							Valid: true,
+						},
+						{NamespacedName: types.NamespacedName{
+							Namespace: "default",
+							Name:      "secure-app2",
+						}}: {},
+					},
+					Valid: true,
+				},
+				{
+					Name: "testingListener2",
+					Source: v1.Listener{
+						Protocol: v1.TLSProtocolType,
+						Port:     443,
+						Hostname: ptr.To[v1.Hostname]("cafe.example.com"),
+					},
+					Routes: make(map[graph.RouteKey]*graph.L7Route),
+					L4Routes: map[graph.L4RouteKey]*graph.L4Route{
+						{NamespacedName: types.NamespacedName{
+							Namespace: "default",
+							Name:      "secure-app",
+						}}: {
+							Spec: graph.L4RouteSpec{
+								Hostnames: []v1.Hostname{"app.example.com", "cafe.example.com"},
+								BackendRef: graph.BackendRef{
+									SvcNsName: types.NamespacedName{
+										Namespace: "default",
+										Name:      "secure-app",
+									},
+									ServicePort: apiv1.ServicePort{
+										Name:     "https",
+										Protocol: "TCP",
+										Port:     8443,
+										TargetPort: intstr.IntOrString{
+											Type:   intstr.Int,
+											IntVal: 8443,
+										},
+									},
+									Valid: true,
+								},
+							},
+							Valid: true,
+						},
+					},
+					Valid: true,
+				},
+			},
+		},
+	}
+
+	passthroughServers := buildPassthroughServers(&testGraph)
+
+	expectedPassthroughServers := []Layer4VirtualServer{
+		{
+			Hostname:     "app.example.com",
+			UpstreamName: "default_secure-app_8443",
+			Port:         443,
+		},
+		{
+			Hostname:     "cafe.example.com",
+			UpstreamName: "default_secure-app_8443",
+			Port:         443,
+		},
+	}
+
+	g := NewWithT(t)
+
+	g.Expect(passthroughServers).To(Equal(expectedPassthroughServers))
+}
+
+func TestBuildStreamUpstreams(t *testing.T) {
+	testGraph := graph.Graph{
+		Gateway: &graph.Gateway{
+			Listeners: []*graph.Listener{
+				{
+					Name: "testingListener",
+					Source: v1.Listener{
+						Protocol: v1.TLSProtocolType,
+						Port:     443,
+					},
+					Routes: make(map[graph.RouteKey]*graph.L7Route),
+					L4Routes: map[graph.L4RouteKey]*graph.L4Route{
+						{NamespacedName: types.NamespacedName{
+							Namespace: "default",
+							Name:      "secure-app",
+						}}: {
+							Spec: graph.L4RouteSpec{
+								Hostnames: []v1.Hostname{"app.example.com", "cafe.example.com"},
+								BackendRef: graph.BackendRef{
+									SvcNsName: types.NamespacedName{
+										Namespace: "default",
+										Name:      "secure-app",
+									},
+									ServicePort: apiv1.ServicePort{
+										Name:     "https",
+										Protocol: "TCP",
+										Port:     8443,
+										TargetPort: intstr.IntOrString{
+											Type:   intstr.Int,
+											IntVal: 8443,
+										},
+									},
+									Valid: true,
+								},
+							},
+							Valid: true,
+						},
+						{NamespacedName: types.NamespacedName{
+							Namespace: "default",
+							Name:      "secure-app2",
+						}}: {},
+						{NamespacedName: types.NamespacedName{
+							Namespace: "default",
+							Name:      "secure-app3",
+						}}: {
+							Valid: true,
+							Spec: graph.L4RouteSpec{
+								Hostnames:  []v1.Hostname{"test.example.com"},
+								BackendRef: graph.BackendRef{},
+							},
+						},
+						{NamespacedName: types.NamespacedName{
+							Namespace: "default",
+							Name:      "secure-app4",
+						}}: {
+							Spec: graph.L4RouteSpec{
+								Hostnames: []v1.Hostname{"app.example.com", "cafe.example.com"},
+								BackendRef: graph.BackendRef{
+									SvcNsName: types.NamespacedName{
+										Namespace: "default",
+										Name:      "secure-app",
+									},
+									ServicePort: apiv1.ServicePort{
+										Name:     "https",
+										Protocol: "TCP",
+										Port:     8443,
+										TargetPort: intstr.IntOrString{
+											Type:   intstr.Int,
+											IntVal: 8443,
+										},
+									},
+									Valid: true,
+								},
+							},
+							Valid: true,
+						},
+					},
+					Valid: true,
+				},
+			},
+		},
+	}
+
+	fakeResolver := resolverfakes.FakeServiceResolver{}
+	fakeResolver.ResolveReturns(nil, errors.New("error"))
+
+	streamUpstreams := buildStreamUpstreams(context.Background(), testGraph.Gateway.Listeners, &fakeResolver)
+
+	expectedStreamUpstreams := []Upstream{
+		{
+			Name:     "default_secure-app_8443",
+			ErrorMsg: "error",
+		},
+	}
+	g := NewWithT(t)
+
+	g.Expect(streamUpstreams).To(Equal(expectedStreamUpstreams))
+}

internal/mode/static/state/graph/backend_refs.go

@@ -19,7 +19,7 @@ import (
 	staticConds "github.com/nginxinc/nginx-gateway-fabric/internal/mode/static/state/conditions"
 )
 
-// BackendRef is an internal representation of a backendRef in an HTTP/GRPCRoute.
+// BackendRef is an internal representation of a backendRef in an HTTP/GRPC/TLSRoute.
 type BackendRef struct {
 	// BackendTLSPolicy is the BackendTLSPolicy of the Service which is referenced by the backendRef.
 	BackendTLSPolicy *BackendTLSPolicy