Merge branch 'main' into alert-autofix-13

Author: mikestvz

.github/workflows/publish-doc.yaml

@@ -5,6 +5,8 @@ on:
     branches:
       - main
       - 'release-v*.*.*'
+permissions:
+  contents: write
 jobs:
   publish-docs:
     runs-on: ubuntu-latest

docs/guides/deploy.md

@@ -144,7 +144,7 @@ EOF
 3. Create the role:
 
 ```bash
-aws iam create-role --role-name VPCLatticeControllerIAMRole --assume-role-policy-document file://teks-pod-identity-trust-relationship.json --description "IAM Role for AWS Gateway API Controller for VPC Lattice"
+aws iam create-role --role-name VPCLatticeControllerIAMRole --assume-role-policy-document file://eks-pod-identity-trust-relationship.json --description "IAM Role for AWS Gateway API Controller for VPC Lattice"
 aws iam attach-role-policy --role-name VPCLatticeControllerIAMRole --policy-arn=$VPCLatticeControllerIAMPolicyArn
 export VPCLatticeControllerIAMRoleArn=$(aws iam list-roles --query 'Roles[?RoleName==`VPCLatticeControllerIAMRole`].Arn' --output text)
 ```

pkg/controllers/accesslogpolicy_controller.go

@@ -182,7 +182,7 @@ func (r *accessLogPolicyReconciler) reconcileUpsert(ctx context.Context, alp *an
 	targetRefNamespace := k8s.NamespaceOrDefault(alp.Spec.TargetRef.Namespace)
 	if targetRefNamespace != alp.Namespace {
 		message := fmt.Sprintf("The targetRef's namespace, \"%s\", does not match the Access Log Policy's"+
-			" namespace, \"%s\"", string(*alp.Spec.TargetRef.Namespace), alp.Namespace)
+			" namespace, \"%s\"", targetRefNamespace, alp.Namespace)
 		r.eventRecorder.Event(alp, corev1.EventTypeWarning, k8s.FailedReconcileEvent, message)
 		return r.updateAccessLogPolicyStatus(ctx, alp, gwv1alpha2.PolicyReasonInvalid, message)
 	}

pkg/gateway/model_build_lattice_service.go

@@ -111,6 +111,11 @@ func (t *latticeServiceModelBuildTask) buildLatticeService(ctx context.Context)
 		routeType = core.GrpcRouteType
 	case *core.TLSRoute:
 		routeType = core.TlsRouteType
+		// VPC Lattice requires a custom domain name for TLS listeners
+		if len(t.route.Spec().Hostnames()) == 0 {
+			return nil, fmt.Errorf("TLSRoute %s/%s must specify at least one hostname as VPC Lattice requires a custom domain name",
+				t.route.Namespace(), t.route.Name())
+		}
 	default:
 		return nil, fmt.Errorf("unsupported route type: %T", t.route)
 	}

pkg/gateway/model_build_lattice_service_test.go

@@ -16,6 +16,7 @@ import (
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	testclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gwv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 )
 
 func Test_LatticeServiceModelBuild(t *testing.T) {
@@ -403,6 +404,31 @@ func Test_LatticeServiceModelBuild(t *testing.T) {
 				ServiceNetworkNames: []string{vpcLatticeGateway.Name, "gateway2"},
 			},
 		},
+		{
+			name:          "TLSRoute without hostname should fail",
+			wantIsDeleted: false,
+			wantErrIsNil:  false,
+			gwClass:       vpcLatticeGatewayClass,
+			gws: []gwv1.Gateway{
+				vpcLatticeGateway,
+			},
+			route: core.NewTLSRoute(gwv1alpha2.TLSRoute{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "service1",
+					Namespace: "default",
+				},
+				Spec: gwv1alpha2.TLSRouteSpec{
+					CommonRouteSpec: gwv1.CommonRouteSpec{
+						ParentRefs: []gwv1.ParentReference{
+							{
+								Name:      gwv1.ObjectName(vpcLatticeGateway.Name),
+								Namespace: namespacePtr(vpcLatticeGateway.Namespace),
+							},
+						},
+					},
+				},
+			}),
+		},
 		{
 			name:          "Multiple service networks with one different controller",
 			wantIsDeleted: false,
@@ -463,6 +489,7 @@ func Test_LatticeServiceModelBuild(t *testing.T) {
 			k8sSchema := runtime.NewScheme()
 			clientgoscheme.AddToScheme(k8sSchema)
 			gwv1.Install(k8sSchema)
+			gwv1alpha2.Install(k8sSchema)
 			k8sClient := testclient.NewClientBuilder().WithScheme(k8sSchema).Build()
 
 			assert.NoError(t, k8sClient.Create(ctx, tt.gwClass.DeepCopy()))