Add additional test case

ciarams87 · ciarams87 · commit 949c08e5f538 · 2024-02-15T09:01:22.000Z
diff --git a/internal/mode/static/state/change_processor.go b/internal/mode/static/state/change_processor.go
@@ -231,6 +231,9 @@ func NewChangeProcessorImpl(cfg ChangeProcessorConfig) *ChangeProcessorImpl {
 // belong to the NGINX Gateway Fabric or an HTTPRoute that doesn't belong to any of the Gateways of the
 // NGINX Gateway Fabric. Find a way to ignore changes that don't affect the configuration and/or statuses of
 // the resources.
+// Tracking issues: https://github.com/nginxinc/nginx-gateway-fabric/issues/1123,
+// https://github.com/nginxinc/nginx-gateway-fabric/issues/1124,
+// https://github.com/nginxinc/nginx-gateway-fabric/issues/1577
 
 // FIXME(pleshakov)
 // Remove CaptureUpsertChange() and CaptureDeleteChange() from ChangeProcessor and pass all changes directly to
diff --git a/internal/mode/static/state/graph/backend_tls_policy.go b/internal/mode/static/state/graph/backend_tls_policy.go
@@ -88,7 +88,11 @@ func validateBackendTLSPolicy(
 		valid = false
 		conds = append(conds, staticConds.NewBackendTLSPolicyInvalid(fmt.Sprintf("invalid hostname: %s", err.Error())))
 	}
-	if backendTLSPolicy.Spec.TLS.CACertRefs != nil && len(backendTLSPolicy.Spec.TLS.CACertRefs) > 0 {
+	if backendTLSPolicy.Spec.TLS.CACertRefs != nil && backendTLSPolicy.Spec.TLS.WellKnownCACerts != nil {
+		valid = false
+		msg := "CACertRefs and WellKnownCACerts are mutually exclusive"
+		conds = append(conds, staticConds.NewBackendTLSPolicyInvalid(msg))
+	} else if backendTLSPolicy.Spec.TLS.CACertRefs != nil && len(backendTLSPolicy.Spec.TLS.CACertRefs) > 0 {
 		if err := validateBackendTLSCACertRef(backendTLSPolicy, configMapResolver); err != nil {
 			valid = false
 			conds = append(conds, staticConds.NewBackendTLSPolicyInvalid(
diff --git a/internal/mode/static/state/graph/backend_tls_policy_test.go b/internal/mode/static/state/graph/backend_tls_policy_test.go
@@ -323,6 +323,23 @@ func TestValidateBackendTLSPolicy(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "invalid case with too both ca cert refs and wellknowncerts",
+			tlsPolicy: &v1alpha2.BackendTLSPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "tls-policy",
+					Namespace: "test",
+				},
+				Spec: v1alpha2.BackendTLSPolicySpec{
+					TargetRef: *targetRefNormalCase,
+					TLS: v1alpha2.BackendTLSPolicyConfig{
+						CACertRefs:       localObjectRefNormalCase,
+						Hostname:         "foo.test.com",
+						WellKnownCACerts: (helpers.GetPointer(v1alpha2.WellKnownCACertSystem)),
+					},
+				},
+			},
+		},
 		{
 			name: "invalid case with too many ancestors",
 			tlsPolicy: &v1alpha2.BackendTLSPolicy{
