Tidy code, fix panic, update for plus manifest

Author: ciarams87

.yamllint.yaml

@@ -32,7 +32,6 @@ rules:
     ignore: |
       deploy/manifests/nginx-gateway.yaml
       deploy/manifests/crds
-      examples/backend-tls/secure-app.yaml
   key-duplicates: enable
   key-ordering: disable
   line-length:

deploy/manifests/nginx-plus-gateway.yaml

@@ -32,6 +32,7 @@ rules:
   - namespaces
   - services
   - secrets
+  - configmaps
   verbs:
   - list
   - watch
@@ -76,6 +77,7 @@ rules:
   - gateways
   - httproutes
   - referencegrants
+  - backendtlspolicies
   verbs:
   - list
   - watch
@@ -85,6 +87,7 @@ rules:
   - httproutes/status
   - gateways/status
   - gatewayclasses/status
+  - backendtlspolicies/status
   verbs:
   - update
 - apiGroups:

internal/mode/static/build_statuses_test.go

@@ -616,32 +616,58 @@ func TestBuildGatewayStatuses(t *testing.T) {
 }
 
 func TestBuildBackendTLSPolicyStatuses(t *testing.T) {
-	getBackendTLSPolicy := func(
-		name string,
-		valid bool,
-		ignored bool,
-		isReferenced bool,
-		conditions []conditions.Condition,
-	) *graph.BackendTLSPolicy {
+	type policyCfg struct {
+		Name         string
+		Conditions   []conditions.Condition
+		Valid        bool
+		Ignored      bool
+		IsReferenced bool
+	}
+
+	getBackendTLSPolicy := func(policyCfg policyCfg) *graph.BackendTLSPolicy {
 		return &graph.BackendTLSPolicy{
 			Source: &v1alpha2.BackendTLSPolicy{
 				ObjectMeta: metav1.ObjectMeta{
 					Namespace:  "test",
-					Name:       name,
+					Name:       policyCfg.Name,
 					Generation: 1,
 				},
 			},
-			Valid:        valid,
-			Ignored:      ignored,
-			IsReferenced: isReferenced,
-			Conditions:   conditions,
+			Valid:        policyCfg.Valid,
+			Ignored:      policyCfg.Ignored,
+			IsReferenced: policyCfg.IsReferenced,
+			Conditions:   policyCfg.Conditions,
 			Gateway:      types.NamespacedName{Name: "gateway", Namespace: "test"},
 		}
 	}
 
 	attachedConds := []conditions.Condition{staticConds.NewBackendTLSPolicyAccepted()}
 	invalidConds := []conditions.Condition{staticConds.NewBackendTLSPolicyInvalid("invalid backendTLSPolicy")}
 
+	validPolicyCfg := policyCfg{
+		Name:         "valid-bt",
+		Valid:        true,
+		IsReferenced: true,
+		Conditions:   attachedConds,
+	}
+
+	invalidPolicyCfg := policyCfg{
+		Name:         "invalid-bt",
+		IsReferenced: true,
+		Conditions:   invalidConds,
+	}
+
+	ignoredPolicyCfg := policyCfg{
+		Name:         "ignored-bt",
+		Ignored:      true,
+		IsReferenced: true,
+	}
+
+	notReferencedPolicyCfg := policyCfg{
+		Name:  "not-referenced",
+		Valid: true,
+	}
+
 	tests := []struct {
 		backendTLSPolicies map[types.NamespacedName]*graph.BackendTLSPolicy
 		expected           status.BackendTLSPolicyStatuses
@@ -654,7 +680,7 @@ func TestBuildBackendTLSPolicyStatuses(t *testing.T) {
 		{
 			name: "valid backendTLSPolicy",
 			backendTLSPolicies: map[types.NamespacedName]*graph.BackendTLSPolicy{
-				{Namespace: "test", Name: "valid-bt"}: getBackendTLSPolicy("valid-bt", true, false, true, attachedConds),
+				{Namespace: "test", Name: "valid-bt"}: getBackendTLSPolicy(validPolicyCfg),
 			},
 			expected: status.BackendTLSPolicyStatuses{
 				{Namespace: "test", Name: "valid-bt"}: {
@@ -670,7 +696,7 @@ func TestBuildBackendTLSPolicyStatuses(t *testing.T) {
 		{
 			name: "invalid backendTLSPolicy",
 			backendTLSPolicies: map[types.NamespacedName]*graph.BackendTLSPolicy{
-				{Namespace: "test", Name: "invalid-bt"}: getBackendTLSPolicy("invalid-bt", false, false, true, invalidConds),
+				{Namespace: "test", Name: "invalid-bt"}: getBackendTLSPolicy(invalidPolicyCfg),
 			},
 			expected: status.BackendTLSPolicyStatuses{
 				{Namespace: "test", Name: "invalid-bt"}: {
@@ -686,16 +712,16 @@ func TestBuildBackendTLSPolicyStatuses(t *testing.T) {
 		{
 			name: "ignored or not referenced backendTLSPolicies",
 			backendTLSPolicies: map[types.NamespacedName]*graph.BackendTLSPolicy{
-				{Namespace: "test", Name: "ignored-bt"}:     getBackendTLSPolicy("ignored-bt", false, true, true, nil),
-				{Namespace: "test", Name: "not-referenced"}: getBackendTLSPolicy("not-referenced", true, false, false, nil),
+				{Namespace: "test", Name: "ignored-bt"}:     getBackendTLSPolicy(ignoredPolicyCfg),
+				{Namespace: "test", Name: "not-referenced"}: getBackendTLSPolicy(notReferencedPolicyCfg),
 			},
 			expected: status.BackendTLSPolicyStatuses{},
 		},
 		{
 			name: "mix valid and ignored backendTLSPolicies",
 			backendTLSPolicies: map[types.NamespacedName]*graph.BackendTLSPolicy{
-				{Namespace: "test", Name: "ignored-bt"}: getBackendTLSPolicy("ignored-bt", false, true, true, nil),
-				{Namespace: "test", Name: "valid-bt"}:   getBackendTLSPolicy("valid-bt", true, false, true, attachedConds),
+				{Namespace: "test", Name: "ignored-bt"}: getBackendTLSPolicy(ignoredPolicyCfg),
+				{Namespace: "test", Name: "valid-bt"}:   getBackendTLSPolicy(validPolicyCfg),
 			},
 			expected: status.BackendTLSPolicyStatuses{
 				{Namespace: "test", Name: "valid-bt"}: {

internal/mode/static/nginx/config/servers.go

@@ -258,14 +258,21 @@ func updateLocationsForFilters(
 		proxyPass := createProxyPass(
 			matchRule.BackendGroup,
 			matchRule.Filters.RequestURLRewrite,
-			buildLocations[i].ProxySSLVerify != nil,
+			generateProtocolString(buildLocations[i].ProxySSLVerify),
 		)
 		buildLocations[i].ProxyPass = proxyPass
 	}
 
 	return buildLocations
 }
 
+func generateProtocolString(ssl *http.ProxySSLVerify) string {
+	if ssl != nil {
+		return "https"
+	}
+	return "http"
+}
+
 func createProxyTLSFromBackends(backends []dataplane.Backend) *http.ProxySSLVerify {
 	if len(backends) == 0 {
 		return nil
@@ -467,18 +474,13 @@ func isPathOnlyMatch(match dataplane.Match) bool {
 func createProxyPass(
 	backendGroup dataplane.BackendGroup,
 	filter *dataplane.HTTPURLRewriteFilter,
-	enableTLS bool,
+	protocol string,
 ) string {
 	var requestURI string
 	if filter == nil || filter.Path == nil {
 		requestURI = "$request_uri"
 	}
 
-	protocol := "http"
-	if enableTLS {
-		protocol = "https"
-	}
-
 	backendName := backendGroupName(backendGroup)
 	if backendGroupNeedsSplit(backendGroup) {
 		return protocol + "://$" + convertStringToSafeVariableName(backendName) + requestURI

internal/mode/static/nginx/config/servers_test.go

@@ -1714,7 +1714,7 @@ func TestCreateProxyPass(t *testing.T) {
 	}
 
 	for _, tc := range tests {
-		result := createProxyPass(tc.grp, tc.rewrite, false)
+		result := createProxyPass(tc.grp, tc.rewrite, generateProtocolString(nil))
 		g.Expect(result).To(Equal(tc.expected))
 	}
 }

internal/mode/static/state/change_processor_test.go

@@ -1835,7 +1835,6 @@ var _ = Describe("ChangeProcessor", func() {
 				},
 			}
 			btlsUpdated = btls.DeepCopy()
-			btlsUpdated.Generation++
 		})
 		// Changing change - a change that makes processor.Process() report changed
 		// Non-changing change - a change that doesn't do that

internal/mode/static/state/conditions/conditions.go

@@ -66,19 +66,6 @@ const (
 	RouteMessageFailedNginxReload = GatewayMessageFailedNginxReload + ". NGINX may still be configured " +
 		"for this HTTPRoute. However, future updates to this resource will not be configured until the Gateway " +
 		"is programmed again"
-
-	// BackendTLSPolicyConditionAttached is the condition type indicating the BackendTLS policy is valid and attached to
-	// the Gateway.
-	BackendTLSPolicyConditionAttached BackendTLSPolicyConditionType = "Attached"
-
-	// BackendTLSPolicyReasonAttached is the condition reason for the BackendTLSPolicy Attached condition.
-	BackendTLSPolicyReasonAttached BackendTLSPolicyConditionReason = "BackendTLSPolicyAttached"
-
-	// BackendTLSPolicyConditionValid is the condition type indicating whether the BackendTLS policy is valid.
-	BackendTLSPolicyConditionValid BackendTLSPolicyConditionType = "Valid"
-
-	// BackendTLSPolicyReasonInvalid is the condition reason for the BackendTLSPolicy Valid condition being False.
-	BackendTLSPolicyReasonInvalid BackendTLSPolicyConditionReason = "BackendTLSPolicyInvalid"
 )
 
 // NewTODO returns a Condition that can be used as a placeholder for a condition that is not yet implemented.

internal/mode/static/state/graph/backend_tls_policy.go

@@ -37,18 +37,26 @@ func processBackendTLSPolicies(
 	ctlrName string,
 	gateway *Gateway,
 ) map[types.NamespacedName]*BackendTLSPolicy {
-	if len(backendTLSPolicies) == 0 {
+	if len(backendTLSPolicies) == 0 || gateway == nil {
 		return nil
 	}
+
 	processedBackendTLSPolicies := make(map[types.NamespacedName]*BackendTLSPolicy, len(backendTLSPolicies))
 	for nsname, backendTLSPolicy := range backendTLSPolicies {
-		valid, ignored, caCertRef, conds := validateBackendTLSPolicy(
+		var caCertRef types.NamespacedName
+		valid, ignored, conds := validateBackendTLSPolicy(
 			backendTLSPolicy,
 			configMapResolver,
 			ctlrName,
 			gateway,
 		)
 
+		if valid && !ignored && backendTLSPolicy.Spec.TLS.CACertRefs != nil {
+			caCertRef = types.NamespacedName{
+				Namespace: backendTLSPolicy.Namespace, Name: string(backendTLSPolicy.Spec.TLS.CACertRefs[0].Name),
+			}
+		}
+
 		processedBackendTLSPolicies[nsname] = &BackendTLSPolicy{
 			Source:     backendTLSPolicy,
 			Valid:      valid,
@@ -69,11 +77,9 @@ func validateBackendTLSPolicy(
 	configMapResolver *configMapResolver,
 	ctlrName string,
 	gateway *Gateway,
-) (bool, bool, types.NamespacedName, []conditions.Condition) {
-	var conds []conditions.Condition
-	valid := true
-	ignored := false
-	var caCertRef types.NamespacedName
+) (valid, ignored bool, conds []conditions.Condition) {
+	valid = true
+	ignored = false
 	if err := validateAncestorMaxCount(backendTLSPolicy, ctlrName, gateway); err != nil {
 		valid = false
 		ignored = true
@@ -87,10 +93,6 @@ func validateBackendTLSPolicy(
 			valid = false
 			conds = append(conds, staticConds.NewBackendTLSPolicyInvalid(
 				fmt.Sprintf("invalid CACertRef: %s", err.Error())))
-		} else {
-			caCertRef = types.NamespacedName{
-				Namespace: backendTLSPolicy.Namespace, Name: string(backendTLSPolicy.Spec.TLS.CACertRefs[0].Name),
-			}
 		}
 	} else if backendTLSPolicy.Spec.TLS.WellKnownCACerts != nil {
 		if err := validateBackendTLSWellKnownCACerts(backendTLSPolicy); err != nil {
@@ -102,7 +104,7 @@ func validateBackendTLSPolicy(
 		valid = false
 		conds = append(conds, staticConds.NewBackendTLSPolicyInvalid("CACertRefs and WellKnownCACerts are both nil"))
 	}
-	return valid, ignored, caCertRef, conds
+	return valid, ignored, conds
 }
 
 func validateAncestorMaxCount(backendTLSPolicy *v1alpha2.BackendTLSPolicy, ctlrName string, gateway *Gateway) error {