Tls Passthrough support

[zijun726911]

Initial version cherry picked from: https://github.com/liwenwu-amazon/aws-application-networking-k8-publics/tree/tls-route-support-mar20
User experiences about TLSRoute, TargetGroupPolicy of this PR are same with the liwenwu-amazon:tls-route-support-mar20 branch.

main branch to liwenwu-amazon:tls-route-support-mar20 branch diff: zijun726911#3

TLS Passthrough Behaviors Summary

• Users can create Kind:TLSRoute k8s resource, the controller will under the hood create VPC Lattice Service with TLS_PASSTHROUGH protocol listener and TCP type TargetGroup.
• For cross cluster use case, users can create Kind:ServiceExport k8s resource and create the Kind:TargetGroupPolicy resource to specify the TargetGroup protocol to TCP. The controller will under the hood create VPC Lattice TCP TargetGroup
• By default, controller created TCP TargetGroups has healthcheck==disabled
• Same as old TargetGroupPolicy use cases, users can create the Kind:TargetGroupPolicy to override the healthcheck config for either Service (backendref by TLSRoute) or ServiceExport
• For the TargetGroupPolicy with protocol==TCP && protocolVersion!=nil, it will be rejected.
• The controller created TCP Target Groups have tag: application-networking.k8s.aws/ProtocolVersion:""

Changes

The controller logic changes:

• Make the e2e code path (route_controller/serviceexport_controller --> model_build_xxxxx --> xxx_synthesizer --> target_group_manager) support the TLSRoute, and the ServiceExport with protocol:TCP TargetGroupPolicy.
• In the rule_synthesizer.go, skips to create rules for TLSRoute since Lattice TLS_PASSTHROUGH listener can only have one defaultAction and without any addition rules. In the listener_synthesizer.go, fill the lattice listener's defaultAction to point to the referred TCP TargetGroups.
• To support Tls passthrough, both rule_synthesizer and listener_synthesizer need the ResolveRuleTgIds() function (originally resided in the rule_synthesizer.go), so I move the ResolveRuleTgIds() and findSvcExportTG() to the target_group_manager.go to avoid copy paste same code, and the rule_synthesizer and listener_synthesizer can both use the same s.tgManager.ResolveRuleTgIds(ctx, rule, r.stack)
• Encapsulate TLS_PATHTHROUGH listener related logic in the listenerSynthesizer.getLatticeListenerDefaultAction()
• Move the unit test Test_ResolveRuleTgIds() to the target_group_manager_test.go
• Set healthcheck to disabled for TCP targetGroup by default (for both target_group_manager Create() and Update() methods). If the user specify the healthcheck setting by TargetGroupPolicy, the default healthcheck setting will be overridden. (Disable healthcheck by default for TCP TargetGroup is also the default VPC Lattice API default behavior) https://docs.aws.amazon.com/vpc-lattice/latest/ug/target-group-health-checks.html
• Since VPC Lattice TCP TargetGroup don't have ProtocolVersion, for the TCP TargetGroup, set the tag application-networking.k8s.aws/ProtocolVersion:"". In the (t *TargetGroupSpec) Validate() remove the ProtocolVersion from requiredFields.
• Improvement for targetgrouppolicy with targetRef ServiceExport, now, the targetgrouppolicy_controller Watch() the ServiceExport resource change

e2e test changes

• Add new automation e2e tests to test TLSRoute and ServiceExport with protocol:TCP TargetGroupPolicy

CRDs && Image build && helm chart related changes

• Added tlsroutes create, delete, get, list, patch, update, watch permissions for the controller serviceAccount AuthZ permissions
• Added gateway.networking.k8s.io_tlsroutes.yaml, included the tlsroutes CRDs in the helm chart and deploy.yaml

Testing

• Following tls-passthrough.md steps to set up the single cluster e2e connectivity (TLSRoute backendref Service) and cross-cluster e2e connectivity (TLSRoute backendref ServiceImport + ServiceExport + TargetGroupPolicy) both work as expected.
• 2 new automation e2e tests can pass (one test TLSRoute and the other one test the TLSRoute+ ServiceImport+ ServiceExport + TargetGroupPolicy).
• Ran the whole e2e test suite, all test can pass (skiped the RAM share test)

[SynchronizedAfterSuite]
/Volumes/workspace/aws-application-networking-k8s/test/suites/integration/suite_test.go:72
{“level”:“info”,“ts”:“2024-06-04T01:32:32.262-0700",“caller”:“test/framework.go:264",“msg”:“Deleting objects: *v1.Gateway/test-gateway, *v1.Pod/grpc-runner”}
{“level”:“info”,“ts”:“2024-06-04T01:32:32.312-0700",“caller”:“test/framework.go:282",“msg”:“Waiting for NotFound, objects: *v1.Gateway/test-gateway, *v1.Pod/grpc-runner”}
[SynchronizedAfterSuite] PASSED [31.091 seconds]
------------------------------
Ran 66 of 69 Specs in 2537.133 seconds
SUCCESS! -- 66 Passed | 0 Failed | 0 Pending | 3 Skipped

Changes for the new revision: #643 (comment)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[zijun726911]

Just to make the extractListenerInfo() code logic more easy to follow (by reversing the parentRef.SectionName != nil condition and removing the found := false flag and return the function earlier ).

and override protocol string to "TLS_PASSTHROUGH" when create the lattice listener for k8s Gateway with section.TLS.Mode==Passthrough

[liwenwu-amazon]

can you move non TLS-passthrough related change into a separate CR? thanks

[liwenwu-amazon]

These changes seems not related to TLS passthrough feature. Can you separate them into different CR? thanks

[zijun726911]

This one is a little bit special, need to bump up the doc version here. otherwise the the doc version 1.0.5 will include the tls-passthrough.md, but the the controller v1.0.5 actually don't support the TLSRoute.

https://www.gateway-api-controller.eks.aws.dev/1.0.5/

What I am thinking is we can improve the whole Github Action (CI pipeline) publish-doc.yaml (in the future), for example, main branch code change trigger the mike deploy dev latest, and branch release-xxxxx trigger the mike deploy v1.x.x --push

[zijun726911]

tlsroute is still experimental crd and not in the standard gateway api, copy from:
https://github.com/kubernetes-sigs/gateway-api/blob/main/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml

[zijun726911]

This one is a little bit special, need to bump up the doc version here. otherwise the the doc version 1.0.5 will include the tls-passthrough.md, but the the controller v1.0.5 actually don't support the TLSRoute.

https://www.gateway-api-controller.eks.aws.dev/1.0.5/

What I am thinking is we can improve the whole Github Action (CI pipeline) publish-doc.yaml (in the future), for example, main branch code change trigger the mike deploy dev latest, and branch release-xxxxx trigger the mike deploy v1.x.x --push

[liwenwu-amazon]

LGTM

[erikfuller]

Thanks for taking on this massive change @zijun726911 and thanks to @liwenwu-amazon for the initial logic. I've added quite a few comments - please reach out if anything needs clarification.

I understand these changes all go together, but it would be really helpful to have this PR broken up. I'd love to see something like:

1. Refactoring (no logic changes)
2. New code/logic changes
3. Documentation (can even break this up if needed)

I'm OK reviewing 1+2 together, but if we could decouple documentation that would be really helpful. In theory, the docs for this should all be additive functionality anyway.

[erikfuller]

Do we actually use these kubebuilder directives?

[zijun726911]

The +kubebuilder:rbac annotation instructs the controller-gen rbac command to generate the ClusterRole, however our Makefile don't run the controller-gen rbac, I think they are useless, will remove them

https://book.kubebuilder.io/reference/controller-gen

[erikfuller]

Yeah that's what I thought. Just wanted to double check. Thanks for checking.

[erikfuller]

Can you refactor this to a method? Something like getDefaultAction or similar. Alternatively, maybe just the logic in the if block. It actually looks pretty similar to the logic in rule_manager.go, maybe see if it's possible to combine?

[erikfuller]

Let's use something that isn't a real domain here.

[zijun726911]

Changed in the next revision.

[erikfuller]

Since we already need a TG policy here, would it be a good idea to include an enabled health check to make sure that's being set up properly?

[erikfuller]

Wouldn't this be 443?

[zijun726911]

This 80 is come from here:

aws-application-networking-k8s/pkg/gateway/model_build_targetgroup.go

Line 363 in 9cc4efb

Port: 80,

The Target Group port is kind of useless, only the lattice targets' port are useful and guide vpc lattice to route traffic to that port. i.e, :

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: rate-tls-passthrough
spec:
  hostnames:
    - tls-rate.my-test.com
  parentRefs:
    - name: my-hotel-tls-passthrough
      sectionName: tls
  rules:
    - backendRefs:
        - name: tls-rate1
          kind: Service
          port: 443 <-------- This port + k8s service ports intersection define to the lattice target port

[erikfuller]

Should we just drop this Expect() then since we don't really care?

[erikfuller]

Should we have an explicit check for port 444 on the listener?

[erikfuller]

443?

[zijun726911]

https://github.com/aws/aws-application-networking-k8s/pull/643/files#r1623306305

[erikfuller]

Same here, should we drop the Expect()?

[Mengli-Shu]

protocolVersion:
description: The protocol version used when performing health
checks on targets. Defaults to HTTP/1.

Hc config protocol version needs to be changed too, it doesn't have a default for tcp tg, customers need to specify both health check protocol and the protocol version

[zijun726911]

will remove the sentence "Defaults to HTTP/1." in the next revision

[erikfuller]

One other question around TLSRouteRule/BackendRef from the spec: https://github.com/kubernetes-sigs/gateway-api/blob/main/apis/v1alpha2/tlsroute_types.go#L103

	// BackendRefs defines the backend(s) where matching requests should be
	// sent. If unspecified or invalid (refers to a non-existent resource or
	// a Service with no endpoints), the rule performs no forwarding; if no
	// filters are specified that would result in a response being sent, the
	// underlying implementation must actively reject request attempts to this
	// backend, by rejecting the connection or returning a 500 status code.
	// Request rejections must respect weight; if an invalid backend is
	// requested to have 80% of requests, then 80% of requests must be rejected
	// instead.

Just curious what our current approach does with invalid BackendRefs. I think this is probably a less vital part of the spec to honour, especially given it's still experiemental, but would be good to describe the expected behaviour here.

[zijun726911]

One other question around TLSRouteRule/BackendRef from the spec: https://github.com/kubernetes-sigs/gateway-api/blob/main/apis/v1alpha2/tlsroute_types.go#L103

	// BackendRefs defines the backend(s) where matching requests should be
	// sent. If unspecified or invalid (refers to a non-existent resource or
	// a Service with no endpoints), the rule performs no forwarding; if no
	// filters are specified that would result in a response being sent, the
	// underlying implementation must actively reject request attempts to this
	// backend, by rejecting the connection or returning a 500 status code.
	// Request rejections must respect weight; if an invalid backend is
	// requested to have 80% of requests, then 80% of requests must be rejected
	// instead.

Just curious what our current approach does with invalid BackendRefs. I think this is probably a less vital part of the spec to honour, especially given it's still experiemental, but would be good to describe the expected behaviour here.

I will document this part. actually the current behavior is, for example for this TLSRoute:

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: rate-tls-passthrough
spec:
  hostnames:
    - tls-rate.my-test.com
  parentRefs:
    - name: my-hotel-tls-passthrough
      sectionName: tls
  rules:
    - backendRefs:
        - name: tls-rate1
          kind: Service
          port: 443
          weight: 10
        - name: tls-rate2
          kind: ServiceImport
          port: 443
          weight: 90

If the tls-rate2 targetGroup is not ready, it will block the traffic for both tls-rate1 and tls-rate2

( base on the ResolveRuleTgIds() logic

aws-application-networking-k8s/pkg/deploy/lattice/target_group_manager.go

Line 459 in 595fff8

func (s *defaultTargetGroupManager) ResolveRuleTgIds(ctx context.Context, modelRule *model.Rule, stack core.Stack) error {

)

[Mengli-Shu]

only reviewed doc changes for lattice tls passthrough behaviour

[erikfuller]

Thanks again @zijun726911, for all your work on this. I just have a couple remaining requests to work through then I think we'll be all set.

[erikfuller]

Looking at this again it seems like this logic is out of place in the synthesizer.

The default action should be part of the model listener spec. Then, we would set the default action inside model_build_listener.go.

In Synthesize() above, we would resolve target group Ids for the default action. Finally, we would read the default action off the modelListener and convert to Lattice format inside the listener_manager.go#Upsert method. Upsert would then not need an additional argument for the default action.

Can you please have a look at this approach and see if it's feasible?

[zijun726911]

Thanks for your suggestion! I did some changes in the new revision and that did make the code cleaner:

1. Added the field DefaultAction in the modelListener.ListenerSpec

   aws-application-networking-k8s/pkg/model/lattice/listener.go

   Lines 7 to 25 in 036e2a3

   	type Listener struct {
   	core.ResourceMeta `json:"-"`
   	Spec ListenerSpec `json:"spec"`
   	Status *ListenerStatus `json:"status,omitempty"`
   	}
   	type ListenerSpec struct {
   	StackServiceId string `json:"stackserviceid"`
   	K8SRouteName string `json:"k8sroutename"`
   	K8SRouteNamespace string `json:"k8sroutenamespace"`
   	Port int64 `json:"port"`
   	Protocol string `json:"protocol"`
   	DefaultAction *DefaultAction `json:"defaultaction"`
   	}
   	type DefaultAction struct {
   	FixedResponseStatusCode *int64 `json:"fixedresponsestatuscode"`
   	Forward *RuleAction `json:"forward"`
   	}

2. Completely skip to create stackRule for TLS_PASSTHROUGH gwListener. i.e, completely don't call latticeServiceModelBuildTask.buildRules() for TLS_PASSTHROUGH gwListener, therefore removing the "long comments" in the buildRules() and therefore removing the seemly confusing code l.tgManager.ResolveRuleTgIds(ctx, stackRules[0], l.stack) (changed to l.tgManager.ResolveRuleTgIds(ctx, stackListener.Spec.DefaultAction.Forward, l.stack) instead). And since we don't create any stackRule for TLS_PASSTHROUGH gwListener, I also remove the TlsPassthrough skipping logic in the (r *ruleSynthesizer) createOrUpdateRules()

   aws-application-networking-k8s/pkg/gateway/model_build_lattice_service.go

   Lines 89 to 92 in cd6072c

   	if modelListener.Spec.Protocol == vpclattice.ListenerProtocolTlsPassthrough {
   	t.log.Debugf("Skip building rules for TLS_PASSTHROUGH listener %s, since lattice TLS_PASSTHROUGH listener can only have listener defaultAction and without any other rule", modelListener.ID())
   	continue
   	}

3. Added the (t *latticeServiceModelBuildTask) getListenerDefaultAction in the model_build_listener

   aws-application-networking-k8s/pkg/gateway/model_build_listener.go

   Lines 128 to 151 in cd6072c

   	func (t *latticeServiceModelBuildTask) getListenerDefaultAction(ctx context.Context, modelListenerProtocol string) (
   	*model.DefaultAction, error,
   	) {
   	if modelListenerProtocol != vpclattice.ListenerProtocolTlsPassthrough {
   	return &model.DefaultAction{
   	FixedResponseStatusCode: aws.Int64(defaultActionFixedResponseStatusCode),
   	}, nil
   	}
   	if len(t.route.Spec().Rules()) != 1 {
   	return nil, fmt.Errorf("TLS_PASSTHROUGH listener can only have one rule for lattice listener default action, but got %d rules", len(t.route.Spec().Rules()))
   	}
   	modelRouteRule := t.route.Spec().Rules()[0]
   	ruleTgList, err := t.getTargetGroupsForRuleAction(ctx, modelRouteRule)
   	if err != nil {
   	return nil, err
   	}
   	return &model.DefaultAction{
   	Forward: &model.RuleAction{
   	TargetGroups: ruleTgList,
   	},
   	}, nil
   	}

   (Added unit test to cover build TLS_PASSTHROUGH listener)

4. Changed the logic of (l *listenerSynthesizer) getLatticeListenerDefaultAction(

   aws-application-networking-k8s/pkg/deploy/lattice/listener_synthesizer.go

   Lines 92 to 127 in cd6072c

   	func (l *listenerSynthesizer) getLatticeListenerDefaultAction(ctx context.Context, stackListener *model.Listener) (
   	*vpclattice.RuleAction, error,
   	) {
   	if stackListener.Spec.DefaultAction == nil ||
   	(stackListener.Spec.DefaultAction.FixedResponseStatusCode == nil && stackListener.Spec.DefaultAction.Forward == nil) {
   	return nil, fmt.Errorf("invalid listener default action, must be either fixed response or forward")
   	}
   	if stackListener.Spec.DefaultAction.FixedResponseStatusCode != nil {
   	return &vpclattice.RuleAction{
   	FixedResponse: &vpclattice.FixedResponseAction{
   	StatusCode: stackListener.Spec.DefaultAction.FixedResponseStatusCode,
   	},
   	}, nil
   	}
   	// If the listener DefaultAction is not fixed response, for example for TLS_PASSTHROUGH listener, it must be a forward action, fill the forward action target group ids for it
   	if err := l.tgManager.ResolveRuleTgIds(ctx, stackListener.Spec.DefaultAction.Forward, l.stack); err != nil {
   	return nil, fmt.Errorf("failed to resolve rule tg ids, err = %v", err)
   	}
   	var latticeTGs []*vpclattice.WeightedTargetGroup
   	for _, modelTG := range stackListener.Spec.DefaultAction.Forward.TargetGroups {
   	latticeTG := vpclattice.WeightedTargetGroup{
   	TargetGroupIdentifier: aws.String(modelTG.LatticeTgId),
   	Weight: aws.Int64(modelTG.Weight),
   	}
   	latticeTGs = append(latticeTGs, &latticeTG)
   	}
   	l.log.Debugf("DefaultAction Forward target groups: %v", latticeTGs)
   	return &vpclattice.RuleAction{
   	Forward: &vpclattice.ForwardAction{
   	TargetGroups: latticeTGs,
   	},
   	}, nil

   , removed the seemly confusing part l.tgManager.ResolveRuleTgIds(ctx, stackRules[0], l.stack), change to l.tgManager.ResolveRuleTgIds(ctx, stackListener.Spec.DefaultAction.Forward, l.stack);() instead.

5. Still keep the defaultAction argument for the listenerManager.Upsert() , since in the listenerSynthesizer, it needs to convert the model.ListenerDefaultAction into the vpcLattice.ListenerDefaultAction, and pass the vpcLattice.ListenerDefaultAction to listenerManager.Upsert() to "determine" (needToUpdateDefaultAction()) whether the lattice.UpdateListener() need to be called.

Ran the full test suite for the new revision(skip the RAM test):

• [257.448 seconds]
------------------------------
[SynchronizedAfterSuite]
/Volumes/workspace/aws-application-networking-k8s/test/suites/integration/suite_test.go:72
{“level”:“info”,“ts”:“2024-06-05T23:08:51.716-0700",“caller”:“test/framework.go:264",“msg”:“Deleting objects: *v1.Gateway/test-gateway, *v1.Pod/grpc-runner”}
{“level”:“info”,“ts”:“2024-06-05T23:08:51.758-0700",“caller”:“test/framework.go:282",“msg”:“Waiting for NotFound, objects: *v1.Gateway/test-gateway, *v1.Pod/grpc-runner”}
[SynchronizedAfterSuite] PASSED [31.193 seconds]
------------------------------
Ran 66 of 69 Specs in 2412.270 seconds
SUCCESS! -- 66 Passed | 0 Failed | 0 Pending | 3 Skipped
--- PASS: TestIntegration (2412.27s)
PASS

[erikfuller]

The others are "resources" but this one is "resource"?

[zijun726911]

Changed in the new revisions

[erikfuller]

The reason I'd like to change is that right now we have a few comment lines explaining why the code should drop through to the else for TLS passthrough. A multi-line explanation in comments can be a warning sign we don't have the code structured correctly. I'd like us to rather take an approach that is explicit, intuitive to follow, and needs no justifying or explanatory comments. I think what I proposed (or something like it) would do the trick.

Ideally we would redefine the interfaces so there were separate L4 and L7 interfaces, and there would be no Matches() at all on TCPRoute. This would be a larger change and is probably OK to skip for now, but we should not be relying on the empty list behavior here.

[erikfuller]

Should we just drop this Expect() then since we don't really care?

[erikfuller]

Same here, should we drop the Expect()?

[zijun726911]

The reason I'd like to change is that right now we have a few comment lines explaining why the code should drop through to the else for TLS passthrough. A multi-line explanation in comments can be a warning sign we don't have the code structured correctly. I'd like us to rather take an approach that is explicit, intuitive to follow, and needs no justifying or explanatory comments. I think what I proposed (or something like it) would do the trick.

Ideally we would redefine the interfaces so there were separate L4 and L7 interfaces, and there would be no Matches() at all on TCPRoute. This would be a larger change and is probably OK to skip for now, but we should not be relying on the empty list behavior here.

Changed in the new revision. please check: #643 (comment)

Should we just drop this Expect() then since we don't really care?

Removed assertion for the tg port in the new revision.

[erikfuller]

Just a couple small changes and we should be all set.

[erikfuller]

The conversion logic from model -> Lattice type typically lives in each component's manager. Here, it should only resolve the target group Ids.

Please move getDefaultAction logic inside listener_manager. The logic should assume the target group Ids have already been resolved. However, it needs to handling the case where the target group ID is set to model.InvalidBackendRefTgId. This can happen when the backendRef points to something that doesn't exist. Note we should have a test specifically for InvalidBackendRefTgId handling, which I don't think we do yet since I don't see it referenced here.

[zijun726911]

Working on in. Will do the exactly you describe here in the new revision. Will mimic the r *defaultRuleManager) buildLatticeRule() to get the listener defaultAction

aws-application-networking-k8s/pkg/deploy/lattice/rule_manager.go

Lines 92 to 143 in 3e65856

	func (r *defaultRuleManager) buildLatticeRule(modelRule *model.Rule) (*vpclattice.GetRuleOutput, error) {
	gro := vpclattice.GetRuleOutput{
	IsDefault: aws.Bool(false),
	Priority: aws.Int64(modelRule.Spec.Priority),
	}
	httpMatch := vpclattice.HttpMatch{}
	updateMatchFromRule(&httpMatch, modelRule)
	gro.Match = &vpclattice.RuleMatch{HttpMatch: &httpMatch}
	// check if we have at least one valid target group
	var hasValidTargetGroup bool
	for _, tg := range modelRule.Spec.Action.TargetGroups {
	if tg.LatticeTgId != model.InvalidBackendRefTgId {
	hasValidTargetGroup = true
	break
	}
	}
	if hasValidTargetGroup {
	var latticeTGs []*vpclattice.WeightedTargetGroup
	for _, ruleTg := range modelRule.Spec.Action.TargetGroups {
	// skip any invalid TGs - eventually VPC Lattice may support weighted fixed response
	// and this logic can be more in line with the spec
	if ruleTg.LatticeTgId == model.InvalidBackendRefTgId {
	continue
	}
	latticeTG := vpclattice.WeightedTargetGroup{
	TargetGroupIdentifier: aws.String(ruleTg.LatticeTgId),
	Weight: aws.Int64(ruleTg.Weight),
	}
	latticeTGs = append(latticeTGs, &latticeTG)
	}
	gro.Action = &vpclattice.RuleAction{
	Forward: &vpclattice.ForwardAction{
	TargetGroups: latticeTGs,
	},
	}
	} else {
	r.log.Debugf("There are no valid target groups, defaulting to 404 Fixed response")
	gro.Action = &vpclattice.RuleAction{
	FixedResponse: &vpclattice.FixedResponseAction{
	StatusCode: aws.Int64(404),
	},
	}
	}
	gro.Name = aws.String(fmt.Sprintf("k8s-%d-rule-%d", modelRule.Spec.CreateTime.Unix(), modelRule.Spec.Priority))
	return &gro, nil

[zijun726911]

Sent the new revision can you take a look? Did the changes exactly as you describe above. Thank you! b4dfd4d

Note we should have a test specifically for InvalidBackendRefTgId handling

The test cases: Test_ListenerManager_getLatticeListenerDefaultAction_TLS_PASSTHROUGH_Listener covered that.

Also ran the full e2e test suite against new revision

[SynchronizedAfterSuite]
/Volumes/workspace/aws-application-networking-k8s/test/suites/integration/suite_test.go:72
{“level”:“info”,“ts”:“2024-06-07T01:26:52.316-0700",“caller”:“test/framework.go:264",“msg”:“Deleting objects: *v1.Gateway/test-gateway, *v1.Pod/grpc-runner”}
{“level”:“info”,“ts”:“2024-06-07T01:26:52.357-0700",“caller”:“test/framework.go:282",“msg”:“Waiting for NotFound, objects: *v1.Gateway/test-gateway, *v1.Pod/grpc-runner”}
[SynchronizedAfterSuite] PASSED [31.041 seconds]
------------------------------
Ran 66 of 69 Specs in 2407.814 seconds
SUCCESS! -- 66 Passed | 0 Failed | 0 Pending | 3 Skipped
--- PASS: TestIntegration (2407.82s)
PASS
ok 	[github.com/aws/aws-application-networking-k8s/test/suites/integration](http://github.com/aws/aws-application-networking-k8s/test/suites/integration)	2408.753s

[erikfuller]

Bring this block into the Synthesize() method.

[zijun726911]

Will change in the new revision

[erikfuller]

We should rather validate this when we add the listener to the stack in listener.go#NewListener().

[zijun726911]

Will mimic the func (t *TargetGroupSpec) Validate(), and put that validation in the new function func (spec *ListenerSpec) Validate()

[erikfuller]

Just a couple very small changes.

[erikfuller]

Nice!

[erikfuller]

Thanks so much for all your hard work on this!

[erikfuller]

Famous last words 😉