Add status updater for backendtlspolicy, move logic

Author: ciarams87

deploy/helm-chart/templates/rbac.yaml

@@ -87,6 +87,7 @@ rules:
   - httproutes/status
   - gateways/status
   - gatewayclasses/status
+  - backendtlspolicies/status
   verbs:
   - update
 - apiGroups:

deploy/manifests/nginx-gateway.yaml

@@ -87,6 +87,7 @@ rules:
   - httproutes/status
   - gateways/status
   - gatewayclasses/status
+  - backendtlspolicies/status
   verbs:
   - update
 - apiGroups:

internal/framework/status/backend_tls.go

@@ -0,0 +1,45 @@
+package status
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1 "sigs.k8s.io/gateway-api/apis/v1"
+	"sigs.k8s.io/gateway-api/apis/v1alpha2"
+)
+
+// prepareBackendTLSPolicyStatus prepares the status for a BackendTLSPolicy resource.
+func prepareBackendTLSPolicyStatus(
+	oldStatus v1alpha2.PolicyStatus,
+	status BackendTLSPolicyStatus,
+	gatewayCtlrName string,
+	transitionTime metav1.Time,
+) v1alpha2.PolicyStatus {
+	// maxAncestors is the max number of ancestor statuses which is the sum of all new ancestor statuses and all old
+	// ancestor statuses.
+	maxAncestors := len(status.AncestorStatuses) + len(oldStatus.Ancestors)
+	ancestors := make([]v1alpha2.PolicyAncestorStatus, 0, maxAncestors)
+
+	// keep all the ancestor statuses that belong to other controllers
+	for _, os := range oldStatus.Ancestors {
+		if string(os.ControllerName) != gatewayCtlrName {
+			ancestors = append(ancestors, os)
+		}
+	}
+
+	for _, as := range status.AncestorStatuses {
+		// reassign the iteration variable inside the loop to fix implicit memory aliasing
+		as := as
+		a := v1alpha2.PolicyAncestorStatus{
+			AncestorRef: v1.ParentReference{
+				Namespace: (*v1.Namespace)(&as.GatewayNsName.Namespace),
+				Name:      v1alpha2.ObjectName(as.GatewayNsName.Name),
+			},
+			ControllerName: v1alpha2.GatewayController(gatewayCtlrName),
+			Conditions:     convertConditions(as.Conditions, status.ObservedGeneration, transitionTime),
+		}
+		ancestors = append(ancestors, a)
+	}
+
+	return v1alpha2.PolicyStatus{
+		Ancestors: ancestors,
+	}
+}

internal/framework/status/setters.go

@@ -6,6 +6,7 @@ import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 
 	ngfAPI "github.com/nginxinc/nginx-gateway-fabric/apis/v1alpha1"
 )
@@ -85,6 +86,25 @@ func newHTTPRouteStatusSetter(gatewayCtlrName string, clock Clock, rs HTTPRouteS
 	}
 }
 
+func newBackendTLSPolicyStatusSetter(
+	gatewayCtlrName string,
+	clock Clock,
+	bs BackendTLSPolicyStatus,
+) func(client.Object) bool {
+	return func(object client.Object) bool {
+		btp := object.(*gatewayv1alpha2.BackendTLSPolicy)
+		status := prepareBackendTLSPolicyStatus(btp.Status, bs, gatewayCtlrName, clock.Now())
+
+		if btpStatusEqual(gatewayCtlrName, btp.Status, status) {
+			return false
+		}
+
+		btp.Status = status
+
+		return true
+	}
+}
+
 func gwStatusEqual(prev, cur gatewayv1.GatewayStatus) bool {
 	addressesEqual := slices.EqualFunc(prev.Addresses, cur.Addresses, func(a1, a2 gatewayv1.GatewayStatusAddress) bool {
 		if !equalPointers[gatewayv1.AddressType](a1.Type, a2.Type) {
@@ -181,6 +201,58 @@ func routeParentStatusEqual(p1, p2 gatewayv1.RouteParentStatus) bool {
 	return conditionsEqual(p1.Conditions, p2.Conditions)
 }
 
+func btpStatusEqual(gatewayCtlrName string, prev, cur gatewayv1alpha2.PolicyStatus) bool {
+	// Since other controllers may update BackendTLSPolicy status we can't assume anything about the order of the
+	// statuses, and we have to ignore statuses written by other controllers when checking for equality.
+	// Therefore, we can't use slices.EqualFunc here because it cares about the order.
+
+	// First, we check if the prev status has any PolicyAncestorStatuses that are no longer present in the cur status.
+	for _, prevAncestor := range prev.Ancestors {
+		if prevAncestor.ControllerName != gatewayv1.GatewayController(gatewayCtlrName) {
+			continue
+		}
+
+		exists := slices.ContainsFunc(cur.Ancestors, func(curAncestor gatewayv1alpha2.PolicyAncestorStatus) bool {
+			return btpAncestorStatusEqual(prevAncestor, curAncestor)
+		})
+
+		if !exists {
+			return false
+		}
+	}
+
+	// Then, we check if the cur status has any PolicyAncestorStatuses that are no longer present in the prev status.
+	for _, curParent := range cur.Ancestors {
+		exists := slices.ContainsFunc(prev.Ancestors, func(prevAncestor gatewayv1alpha2.PolicyAncestorStatus) bool {
+			return btpAncestorStatusEqual(curParent, prevAncestor)
+		})
+
+		if !exists {
+			return false
+		}
+	}
+
+	return true
+}
+
+func btpAncestorStatusEqual(p1, p2 gatewayv1alpha2.PolicyAncestorStatus) bool {
+	if p1.ControllerName != p2.ControllerName {
+		return false
+	}
+
+	if p1.AncestorRef.Name != p2.AncestorRef.Name {
+		return false
+	}
+
+	if !equalPointers(p1.AncestorRef.Namespace, p2.AncestorRef.Namespace) {
+		return false
+	}
+
+	// we ignore the rest of the AncestorRef fields because we do not set them
+
+	return conditionsEqual(p1.Conditions, p2.Conditions)
+}
+
 func conditionsEqual(prev, cur []v1.Condition) bool {
 	return slices.EqualFunc(prev, cur, func(c1, c2 v1.Condition) bool {
 		if c1.ObservedGeneration != c2.ObservedGeneration {

internal/framework/status/statuses.go

@@ -16,9 +16,10 @@ type Status interface {
 
 // GatewayAPIStatuses holds the status-related information about Gateway API resources.
 type GatewayAPIStatuses struct {
-	GatewayClassStatuses GatewayClassStatuses
-	GatewayStatuses      GatewayStatuses
-	HTTPRouteStatuses    HTTPRouteStatuses
+	GatewayClassStatuses     GatewayClassStatuses
+	GatewayStatuses          GatewayStatuses
+	HTTPRouteStatuses        HTTPRouteStatuses
+	BackendTLSPolicyStatuses BackendTLSPolicyStatuses
 }
 
 func (g GatewayAPIStatuses) APIGroup() string {
@@ -51,6 +52,10 @@ type GatewayStatuses map[types.NamespacedName]GatewayStatus
 // GatewayClassStatuses holds the statuses of GatewayClasses where the key is the namespaced name of a GatewayClass.
 type GatewayClassStatuses map[types.NamespacedName]GatewayClassStatus
 
+// BackendTLSPolicyStatuses holds the statuses of BackendTLSPolicies where the key is the namespaced name of a
+// BackendTLSPolicy.
+type BackendTLSPolicyStatuses map[types.NamespacedName]BackendTLSPolicyStatus
+
 // GatewayStatus holds the status of the winning Gateway resource.
 type GatewayStatus struct {
 	// ListenerStatuses holds the statuses of listeners defined on the Gateway.
@@ -85,6 +90,14 @@ type HTTPRouteStatus struct {
 	ObservedGeneration int64
 }
 
+// BackendTLSPolicyStatus holds the status-related information about a BackendTLSPolicy resource.
+type BackendTLSPolicyStatus struct {
+	// AncestorStatuses holds the statuses for parentRefs of the BackendTLSPolicy.
+	AncestorStatuses []AncestorStatus
+	// ObservedGeneration is the generation of the resource that was processed.
+	ObservedGeneration int64
+}
+
 // ParentStatus holds status-related information related to how the HTTPRoute binds to a specific parentRef.
 type ParentStatus struct {
 	// GatewayNsName is the Namespaced name of the Gateway, which the parentRef references.
@@ -102,3 +115,10 @@ type GatewayClassStatus struct {
 	// ObservedGeneration is the generation of the resource that was processed.
 	ObservedGeneration int64
 }
+
+type AncestorStatus struct {
+	// GatewayNsName is the Namespaced name of the Gateway, which the ancestorRef references.
+	GatewayNsName types.NamespacedName
+	// Conditions is the list of conditions that are relevant to the ancestor.
+	Conditions []conditions.Condition
+}

internal/framework/status/updater.go

@@ -13,6 +13,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	v1 "sigs.k8s.io/gateway-api/apis/v1"
+	"sigs.k8s.io/gateway-api/apis/v1alpha2"
 
 	ngfAPI "github.com/nginxinc/nginx-gateway-fabric/apis/v1alpha1"
 	"github.com/nginxinc/nginx-gateway-fabric/internal/framework/controller"
@@ -204,6 +205,21 @@ func (upd *UpdaterImpl) updateGatewayAPI(ctx context.Context, statuses GatewayAP
 			newHTTPRouteStatusSetter(upd.cfg.GatewayCtlrName, upd.cfg.Clock, rs),
 		)
 	}
+
+	for nsname, bs := range statuses.BackendTLSPolicyStatuses {
+		select {
+		case <-ctx.Done():
+			return
+		default:
+		}
+
+		upd.writeStatuses(
+			ctx,
+			nsname,
+			&v1alpha2.BackendTLSPolicy{},
+			newBackendTLSPolicyStatusSetter(upd.cfg.GatewayCtlrName, upd.cfg.Clock, bs),
+		)
+	}
 }
 
 func (upd *UpdaterImpl) writeStatuses(

internal/mode/static/build_statuses.go

@@ -29,6 +29,8 @@ func buildGatewayAPIStatuses(
 
 	statuses.GatewayStatuses = buildGatewayStatuses(graph.Gateway, graph.IgnoredGateways, gwAddresses, nginxReloadRes)
 
+	statuses.BackendTLSPolicyStatuses = buildBackendTLSPolicyStatuses(graph.BackendTLSPolicies)
+
 	for nsname, r := range graph.Routes {
 		parentStatuses := make([]status.ParentStatus, 0, len(r.ParentRefs))
 
@@ -190,3 +192,33 @@ func buildGatewayStatus(
 		ObservedGeneration: gateway.Source.Generation,
 	}
 }
+
+func buildBackendTLSPolicyStatuses(backendTLSPolicies map[types.NamespacedName]*graph.BackendTLSPolicy,
+) status.BackendTLSPolicyStatuses {
+	statuses := make(status.BackendTLSPolicyStatuses, len(backendTLSPolicies))
+	ignoreStatus := false
+
+	for nsname, backendTLSPolicy := range backendTLSPolicies {
+		if backendTLSPolicy.IsReferenced {
+			if !backendTLSPolicy.Valid {
+				for i := range backendTLSPolicy.Conditions {
+					if backendTLSPolicy.Conditions[i].Reason == string(staticConds.BackendTLSPolicyReasonIgnored) {
+						// We should not report the status of an ignored BackendTLSPolicy.
+						ignoreStatus = true
+					}
+				}
+			}
+			if !ignoreStatus {
+				statuses[nsname] = status.BackendTLSPolicyStatus{
+					AncestorStatuses: []status.AncestorStatus{
+						{
+							GatewayNsName: backendTLSPolicy.Gateway,
+							Conditions:    conditions.DeduplicateConditions(backendTLSPolicy.Conditions),
+						},
+					},
+				}
+			}
+		}
+	}
+	return statuses
+}

internal/mode/static/build_statuses_test.go

@@ -202,6 +202,7 @@ func TestBuildStatuses(t *testing.T) {
 				},
 			},
 		},
+		BackendTLSPolicyStatuses: status.BackendTLSPolicyStatuses{},
 	}
 
 	g := NewWithT(t)
@@ -304,6 +305,7 @@ func TestBuildStatusesNginxErr(t *testing.T) {
 				},
 			},
 		},
+		BackendTLSPolicyStatuses: status.BackendTLSPolicyStatuses{},
 	}
 
 	g := NewWithT(t)

internal/mode/static/state/conditions/conditions.go

@@ -10,6 +10,14 @@ import (
 	"github.com/nginxinc/nginx-gateway-fabric/internal/framework/conditions"
 )
 
+// BackendTLSPolicyConditionType is a type of condition associated with a BackendTLSPolicy.
+// This type should be used with the BackendTLSPolicyStatus.Conditions field.
+type BackendTLSPolicyConditionType string
+
+// BackendTLSPolicyConditionReason defines the set of reasons that explain why a particular BackendTLSPolicy condition
+// type has been raised.
+type BackendTLSPolicyConditionReason string
+
 const (
 	// ListenerReasonUnsupportedValue is used with the "Accepted" condition when a value of a field in a Listener
 	// is invalid or not supported.
@@ -57,6 +65,22 @@ const (
 	RouteMessageFailedNginxReload = GatewayMessageFailedNginxReload + ". NGINX may still be configured " +
 		"for this HTTPRoute. However, future updates to this resource will not be configured until the Gateway " +
 		"is programmed again"
+
+	// BackendTLSPolicyConditionAttached is the condition type indicating the BackendTLS policy is valid and attached to
+	// the Gateway.
+	BackendTLSPolicyConditionAttached BackendTLSPolicyConditionType = "Attached"
+
+	// BackendTLSPolicyReasonAttached is the condition reason for the BackendTLSPolicy Attached condition.
+	BackendTLSPolicyReasonAttached BackendTLSPolicyConditionReason = "BackendTLSPolicyAttached"
+
+	// BackendTLSPolicyReasonIgnored is the condition reason for the BackendTLSPolicy being ignored by this Gateway.
+	BackendTLSPolicyReasonIgnored BackendTLSPolicyConditionReason = "BackendTLSPolicyIgnored"
+
+	// BackendTLSPolicyConditionValid is the condition type indicating whether the BackendTLS policy is valid.
+	BackendTLSPolicyConditionValid BackendTLSPolicyConditionType = "Valid"
+
+	// BackendTLSPolicyReasonInvalid is the condition reason for the BackendTLSPolicy Valid condition being False.
+	BackendTLSPolicyReasonInvalid BackendTLSPolicyConditionReason = "BackendTLSPolicyInvalid"
 )
 
 // NewTODO returns a Condition that can be used as a placeholder for a condition that is not yet implemented.
@@ -545,3 +569,35 @@ func NewNginxGatewayInvalid(msg string) conditions.Condition {
 		Message: msg,
 	}
 }
+
+// NewBackendTLSPolicyAttached returns a Condition that indicates that the BackendTLSPolicy config is valid and attached
+// to the Gateway.
+func NewBackendTLSPolicyAttached() conditions.Condition {
+	return conditions.Condition{
+		Type:    string(BackendTLSPolicyConditionAttached),
+		Status:  metav1.ConditionTrue,
+		Reason:  string(BackendTLSPolicyReasonAttached),
+		Message: "BackendTLSPolicy is attached to the Gateway",
+	}
+}
+
+// NewBackendTLSPolicyIgnored returns a Condition that indicates that the BackendTLSPolicy config cannot be attached to
+// the Gateway and will be ignored.
+func NewBackendTLSPolicyIgnored(msg string) conditions.Condition {
+	return conditions.Condition{
+		Type:    string(BackendTLSPolicyConditionAttached),
+		Status:  metav1.ConditionFalse,
+		Reason:  string(BackendTLSPolicyReasonIgnored),
+		Message: msg,
+	}
+}
+
+// NewBackendTLSPolicyInvalid returns a Condition that indicates that the BackendTLSPolicy config is invalid.
+func NewBackendTLSPolicyInvalid(msg string) conditions.Condition {
+	return conditions.Condition{
+		Type:    string(BackendTLSPolicyConditionValid),
+		Status:  metav1.ConditionFalse,
+		Reason:  string(BackendTLSPolicyReasonInvalid),
+		Message: msg,
+	}
+}