Fix referenced services; we don't care about attached, we care that the service belongs to the winning gateway

Author: Kate Osborn

internal/mode/static/nginx/config/upstreams_template.go

@@ -14,7 +14,7 @@ upstream {{ $u.Name }} {
     {{ if $u.ZoneSize -}}
     zone {{ $u.Name }} {{ $u.ZoneSize }};
     {{- end }}
-    {{ range $server := $u.Servers }}
+    {{ range $server := $u.Servers -}}
     server {{ $server.Address }};
     {{- end }}
     {{ if $u.KeepAlive.Connections -}}

internal/mode/static/state/change_processor_test.go

@@ -739,12 +739,8 @@ var _ = Describe("ChangeProcessor", func() {
 					Routes:            map[graph.RouteKey]*graph.L7Route{routeKey1: expRouteHR1},
 					ReferencedSecrets: map[types.NamespacedName]*graph.Secret{},
 					ReferencedServices: map[types.NamespacedName]*graph.ReferencedService{
-						refSvc: {
-							ParentGateways: []types.NamespacedName{{Namespace: "test", Name: "gateway-1"}},
-						},
-						refTLSSvc: {
-							ParentGateways: []types.NamespacedName{{Namespace: "test", Name: "gateway-1"}},
-						},
+						refSvc:    {},
+						refTLSSvc: {},
 					},
 				}
 			})
@@ -1257,9 +1253,6 @@ var _ = Describe("ChangeProcessor", func() {
 
 					delete(expGraph.ReferencedServices, expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName)
 					expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName = types.NamespacedName{}
-					expGraph.ReferencedServices[refTLSSvc].ParentGateways = []types.NamespacedName{
-						client.ObjectKeyFromObject(gw2),
-					}
 
 					changed, graphCfg := processor.Process()
 					Expect(changed).To(Equal(state.ClusterStateChange))
@@ -1304,9 +1297,6 @@ var _ = Describe("ChangeProcessor", func() {
 
 					delete(expGraph.ReferencedServices, expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName)
 					expRouteHR1.Spec.Rules[0].BackendRefs[0].SvcNsName = types.NamespacedName{}
-					expGraph.ReferencedServices[refTLSSvc].ParentGateways = []types.NamespacedName{
-						client.ObjectKeyFromObject(gw2),
-					}
 
 					changed, graphCfg := processor.Process()
 					Expect(changed).To(Equal(state.ClusterStateChange))

internal/mode/static/state/graph/graph.go

@@ -258,7 +258,7 @@ func BuildGraph(
 
 	referencedNamespaces := buildReferencedNamespaces(state.Namespaces, gw)
 
-	referencedServices := buildReferencedServices(routes, l4routes)
+	referencedServices := buildReferencedServices(routes, l4routes, gw)
 
 	// policies must be processed last because they rely on the state of the other resources in the graph
 	processedPolicies := processPolicies(

internal/mode/static/state/graph/graph_test.go

@@ -894,12 +894,8 @@ func TestBuildGraph(t *testing.T) {
 				client.ObjectKeyFromObject(ns): ns,
 			},
 			ReferencedServices: map[types.NamespacedName]*ReferencedService{
-				client.ObjectKeyFromObject(svc): {
-					ParentGateways: []types.NamespacedName{{Namespace: gw1.Namespace, Name: gw1.Name}},
-				},
-				client.ObjectKeyFromObject(svc1): {
-					ParentGateways: []types.NamespacedName{{Namespace: gw1.Namespace, Name: gw1.Name}},
-				},
+				client.ObjectKeyFromObject(svc):  {},
+				client.ObjectKeyFromObject(svc1): {},
 			},
 			ReferencedCaCertConfigMaps: map[types.NamespacedName]*CaCertConfigMap{
 				client.ObjectKeyFromObject(cm): {

internal/mode/static/state/graph/policies.go

@@ -102,33 +102,21 @@ func attachPolicyToService(
 	gw *Gateway,
 	ctlrName string,
 ) {
-	var ancestor *PolicyAncestor
-
-	for _, parentGw := range svc.ParentGateways {
-		if parentGw != client.ObjectKeyFromObject(gw.Source) {
-			continue
-		}
-		// Once we support multiple Gateways, this will turn into a list.
-		ancestor = &PolicyAncestor{
-			Ancestor: createParentReference(v1.GroupName, kinds.Gateway, parentGw),
-		}
-	}
-
-	if ancestor == nil {
+	if ngfPolicyAncestorsFull(policy, ctlrName) {
 		return
 	}
 
-	if ngfPolicyAncestorsFull(policy, ctlrName) {
-		return
+	ancestor := PolicyAncestor{
+		Ancestor: createParentReference(v1.GroupName, kinds.Gateway, client.ObjectKeyFromObject(gw.Source)),
 	}
 
 	if !gw.Valid {
 		ancestor.Conditions = []conditions.Condition{staticConds.NewPolicyTargetNotFound("Parent Gateway is invalid")}
-		policy.Ancestors = append(policy.Ancestors, *ancestor)
+		policy.Ancestors = append(policy.Ancestors, ancestor)
 		return
 	}
 
-	policy.Ancestors = append(policy.Ancestors, *ancestor)
+	policy.Ancestors = append(policy.Ancestors, ancestor)
 	svc.Policies = append(svc.Policies, policy)
 }
 

internal/mode/static/state/graph/policies_test.go

@@ -158,11 +158,7 @@ func TestAttachPolicies(t *testing.T) {
 
 	getServices := func() map[types.NamespacedName]*ReferencedService {
 		return map[types.NamespacedName]*ReferencedService{
-			{Namespace: testNs, Name: "svc-1"}: {
-				ParentGateways: []types.NamespacedName{
-					{Namespace: testNs, Name: "gateway"},
-				},
-			},
+			{Namespace: testNs, Name: "svc-1"}: {},
 		}
 	}
 
@@ -542,15 +538,14 @@ func TestAttachPolicyToGateway(t *testing.T) {
 func TestAttachPolicyToService(t *testing.T) {
 	t.Parallel()
 
-	winningGwNsName := types.NamespacedName{Namespace: testNs, Name: "gateway"}
-	ignoredGwNsName := types.NamespacedName{Namespace: testNs, Name: "ignored-gateway"}
+	gwNsname := types.NamespacedName{Namespace: testNs, Name: "gateway"}
 
 	getGateway := func(valid bool) *Gateway {
 		return &Gateway{
 			Source: &v1.Gateway{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      winningGwNsName.Name,
-					Namespace: winningGwNsName.Namespace,
+					Name:      gwNsname.Name,
+					Namespace: gwNsname.Namespace,
 				},
 			},
 			Valid: valid,
@@ -568,52 +563,32 @@ func TestAttachPolicyToService(t *testing.T) {
 		{
 			name:        "attachment",
 			policy:      &Policy{Source: &policiesfakes.FakePolicy{}},
-			svc:         &ReferencedService{ParentGateways: []types.NamespacedName{winningGwNsName}},
-			gw:          getGateway(true /*valid*/),
-			expAttached: true,
-			expAncestors: []PolicyAncestor{
-				{
-					Ancestor: getGatewayParentRef(winningGwNsName),
-				},
-			},
-		},
-		{
-			name:        "attachment; multiple parent refs - one is winning gateway",
-			policy:      &Policy{Source: &policiesfakes.FakePolicy{}},
-			svc:         &ReferencedService{ParentGateways: []types.NamespacedName{ignoredGwNsName, winningGwNsName}},
+			svc:         &ReferencedService{},
 			gw:          getGateway(true /*valid*/),
 			expAttached: true,
 			expAncestors: []PolicyAncestor{
 				{
-					Ancestor: getGatewayParentRef(winningGwNsName),
+					Ancestor: getGatewayParentRef(gwNsname),
 				},
 			},
 		},
-		{
-			name:         "no attachment; parent gateway is not winning gateway",
-			policy:       &Policy{Source: &policiesfakes.FakePolicy{}},
-			svc:          &ReferencedService{ParentGateways: []types.NamespacedName{ignoredGwNsName}},
-			gw:           getGateway(true /*valid*/),
-			expAttached:  false,
-			expAncestors: nil,
-		},
 		{
 			name:        "no attachment; gateway is invalid",
 			policy:      &Policy{Source: &policiesfakes.FakePolicy{}},
-			svc:         &ReferencedService{ParentGateways: []types.NamespacedName{winningGwNsName}},
+			svc:         &ReferencedService{},
 			gw:          getGateway(false /*invalid*/),
 			expAttached: false,
 			expAncestors: []PolicyAncestor{
 				{
-					Ancestor:   getGatewayParentRef(winningGwNsName),
+					Ancestor:   getGatewayParentRef(gwNsname),
 					Conditions: []conditions.Condition{staticConds.NewPolicyTargetNotFound("Parent Gateway is invalid")},
 				},
 			},
 		},
 		{
 			name:         "no attachment; max ancestor",
 			policy:       &Policy{Source: createTestPolicyWithAncestors(16)},
-			svc:          &ReferencedService{ParentGateways: []types.NamespacedName{winningGwNsName}},
+			svc:          &ReferencedService{},
 			gw:           getGateway(true /*valid*/),
 			expAttached:  false,
 			expAncestors: nil,

internal/mode/static/state/graph/service.go

@@ -2,26 +2,31 @@ package graph
 
 import (
 	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-// A ReferencedService represents a Kubernetes Service that is referenced by a Route.
-// It does not contain the v1.Service object, because Services are resolved when building the dataplane.Configuration.
+// A ReferencedService represents a Kubernetes Service that is referenced by a Route and that belongs to the
+// winning Gateway. It does not contain the v1.Service object, because Services are resolved when building
+// the dataplane.Configuration.
 type ReferencedService struct {
-	// ParentGateways is a list of unique attached parent Gateways for the Routes that reference this Service.
-	ParentGateways []types.NamespacedName
 	// Policies is a list of NGF Policies that target this Service.
 	Policies []*Policy
 }
 
 func buildReferencedServices(
 	l7routes map[RouteKey]*L7Route,
 	l4Routes map[L4RouteKey]*L4Route,
+	gw *Gateway,
 ) map[types.NamespacedName]*ReferencedService {
+	if gw == nil {
+		return nil
+	}
+
 	referencedServices := make(map[types.NamespacedName]*ReferencedService)
 
-	attached := func(parentRefs []ParentRef) bool {
-		for _, ref := range parentRefs {
-			if ref.Attachment != nil && ref.Attachment.Attached {
+	belongsToWinningGw := func(refs []ParentRef) bool {
+		for _, ref := range refs {
+			if ref.Gateway == client.ObjectKeyFromObject(gw.Source) {
 				return true
 			}
 		}
@@ -31,26 +36,23 @@ func buildReferencedServices(
 
 	// Processes both valid and invalid BackendRefs as invalid ones still have referenced services
 	// we may want to track.
-
-	addServicesForL7Routes := func(routeRules []RouteRule, parentGateways []types.NamespacedName) {
+	addServicesForL7Routes := func(routeRules []RouteRule) {
 		for _, rule := range routeRules {
 			for _, ref := range rule.BackendRefs {
 				if ref.SvcNsName != (types.NamespacedName{}) {
 					referencedServices[ref.SvcNsName] = &ReferencedService{
-						ParentGateways: parentGateways,
-						Policies:       nil,
+						Policies: nil,
 					}
 				}
 			}
 		}
 	}
 
-	addServicesForL4Routes := func(route *L4Route, parentGateways []types.NamespacedName) {
+	addServicesForL4Routes := func(route *L4Route) {
 		nsname := route.Spec.BackendRef.SvcNsName
 		if nsname != (types.NamespacedName{}) {
 			referencedServices[nsname] = &ReferencedService{
-				ParentGateways: parentGateways,
-				Policies:       nil,
+				Policies: nil,
 			}
 		}
 	}
@@ -63,25 +65,23 @@ func buildReferencedServices(
 			continue
 		}
 
-		// If none of the ParentRefs are attached to the Gateway, we want to skip the route.
-		if !attached(route.ParentRefs) {
+		if !belongsToWinningGw(route.ParentRefs) {
 			continue
 		}
 
-		addServicesForL7Routes(route.Spec.Rules, getUniqueAttachedParentGateways(route.ParentRefs))
+		addServicesForL7Routes(route.Spec.Rules)
 	}
 
 	for _, route := range l4Routes {
 		if !route.Valid {
 			continue
 		}
 
-		// If none of the ParentRefs are attached to the Gateway, we want to skip the route.
-		if !attached(route.ParentRefs) {
+		if !belongsToWinningGw(route.ParentRefs) {
 			continue
 		}
 
-		addServicesForL4Routes(route, getUniqueAttachedParentGateways(route.ParentRefs))
+		addServicesForL4Routes(route)
 	}
 
 	if len(referencedServices) == 0 {
@@ -90,20 +90,3 @@ func buildReferencedServices(
 
 	return referencedServices
 }
-
-func getUniqueAttachedParentGateways(parentRefs []ParentRef) []types.NamespacedName {
-	gatewayMap := map[types.NamespacedName]struct{}{}
-	for _, ref := range parentRefs {
-		if ref.Attachment == nil || !ref.Attachment.Attached {
-			continue
-		}
-		gatewayMap[ref.Gateway] = struct{}{}
-	}
-
-	uniqueGateways := make([]types.NamespacedName, 0, len(gatewayMap))
-	for gateway := range gatewayMap {
-		uniqueGateways = append(uniqueGateways, gateway)
-	}
-
-	return uniqueGateways
-}