continue

Signed-off-by: Mattia Lavacca <[email protected]>

internal/annotations/annotations.go

@@ -460,3 +460,7 @@ func SetCACertificates(anns map[string]string, certificates []string) {
 func SetHostHeader(anns map[string]string, value string) {
 	anns[AnnotationPrefix+HostHeaderKey] = value
 }
+
+func SetProtocol(anns map[string]string, value string) {
+	anns[AnnotationPrefix+ProtocolKey] = value
+}

internal/controllers/gateway/backendtlspolicy_controller.go

@@ -10,6 +10,7 @@ import (
 	"github.com/samber/lo"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -36,6 +37,9 @@ type BackendTLSPolicyReconciler struct {
 	DataplaneClient  controllers.DataPlane
 	CacheSyncTimeout time.Duration
 	StatusQueue      *status.Queue
+	// If GatewayNN is set,
+	// only resources managed by the specified Gateway are reconciled.
+	GatewayNN controllers.OptionalNamespacedName
 }
 
 // SetupWithManager sets up the controller with the Manager.
@@ -269,7 +273,6 @@ func (r *BackendTLSPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		if apierrors.IsNotFound(err) {
 			backendTLSPolicy.Namespace = req.Namespace
 			backendTLSPolicy.Name = req.Name
-
 			return ctrl.Result{}, r.DataplaneClient.DeleteObject(backendTLSPolicy)
 		}
 		return ctrl.Result{}, err
@@ -282,13 +285,25 @@ func (r *BackendTLSPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		return ctrl.Result{}, err
 	}
 
-	// If there are valid ancestors for the given policy, push the policy to the dataplane cache.
 	if len(ancestors) > 0 {
-		if err := r.DataplaneClient.UpdateObject(backendTLSPolicy); err != nil {
+		acceptedCondition, err := r.validateBackendTLSPolicy(ctx, *backendTLSPolicy)
+		if err != nil {
 			return ctrl.Result{}, err
 		}
 
-		if err := r.setPolicyStatus(ctx, *backendTLSPolicy, ancestors); err != nil {
+		// If the policy is accepted, update the policy in the dataplane.
+		if acceptedCondition.Status == metav1.ConditionTrue {
+			if err := r.DataplaneClient.UpdateObject(backendTLSPolicy); err != nil {
+				return ctrl.Result{}, err
+			}
+		} else {
+			// In case the policy is not accepted, ensure it gets deleted from the dataplane cache
+			if err := r.DataplaneClient.DeleteObject(backendTLSPolicy); err != nil {
+				return ctrl.Result{}, err
+			}
+		}
+
+		if err := r.setPolicyStatus(ctx, *backendTLSPolicy, ancestors, *acceptedCondition); err != nil {
 			return ctrl.Result{}, err
 		}
 	}

internal/controllers/gateway/backendtlspolicy_utils.go

@@ -74,6 +74,7 @@ func (r *BackendTLSPolicyReconciler) getBackendTLSPolicyAncestors(ctx context.Co
 				// Check the resolvedRefs condition is set to true to ensure that all the references are properly resolved
 				// and granted by ReferenceGrants.
 				for _, parentStatus := range httpRoute.Status.Parents {
+
 					if parentStatus.ControllerName == GetControllerName() &&
 						*parentStatus.ParentRef.Group == *parentRef.Group &&
 						*parentStatus.ParentRef.Kind == *parentRef.Kind &&
@@ -106,19 +107,26 @@ func (r *BackendTLSPolicyReconciler) getBackendTLSPolicyAncestors(ctx context.Co
 }
 
 // setPolicyStatus enforces an ancestorStatus for each Gateway associated to the given policy.
-// TODO: Conditions to the policy still to be implemented.
-func (r *BackendTLSPolicyReconciler) setPolicyStatus(ctx context.Context, policy gatewayapi.BackendTLSPolicy, gateways []gatewayapi.Gateway) error {
+func (r *BackendTLSPolicyReconciler) setPolicyStatus(ctx context.Context, policy gatewayapi.BackendTLSPolicy, gateways []gatewayapi.Gateway, acceptedCondition metav1.Condition) error {
 	ancestors := []gatewayapi.PolicyAncestorStatus{}
 
+	var completeAcceptedCondition *metav1.Condition
 	// First copy all the ancestorstatuses managed by other controllers.
 	kicAncestors := []gatewayapi.PolicyAncestorStatus{}
 	for _, ancestor := range policy.Status.Ancestors {
 		if ancestor.ControllerName == GetControllerName() {
 			kicAncestors = append(kicAncestors, ancestor)
+			if completeAcceptedCondition == nil {
+				completeAcceptedCondition = getCompleteAcceptedCondition(ancestor, acceptedCondition)
+			}
 			continue
 		}
 		ancestors = append(ancestors, ancestor)
 	}
+	if completeAcceptedCondition == nil {
+		completeAcceptedCondition = &acceptedCondition
+		completeAcceptedCondition.LastTransitionTime = metav1.Now()
+	}
 
 	// Sort the Gateways to be consistent across subsequent reconciliation loops.
 	sortGateways(gateways, kicAncestors, policy.Namespace)
@@ -137,7 +145,9 @@ func (r *BackendTLSPolicyReconciler) setPolicyStatus(ctx context.Context, policy
 				Namespace: lo.ToPtr(gatewayapi.Namespace(gateway.Namespace)),
 			},
 			ControllerName: GetControllerName(),
+			Conditions:     []metav1.Condition{*completeAcceptedCondition},
 		}
+
 		ancestors = append(ancestors, ancestor)
 	}
 
@@ -147,6 +157,20 @@ func (r *BackendTLSPolicyReconciler) setPolicyStatus(ctx context.Context, policy
 	return r.Status().Patch(ctx, newPolicy, client.MergeFrom(&policy))
 }
 
+func getCompleteAcceptedCondition(ancestors gatewayapi.PolicyAncestorStatus, acceptedCondition metav1.Condition) *metav1.Condition {
+	for _, condition := range ancestors.Conditions {
+		if condition.Type == acceptedCondition.Type &&
+			condition.Status == acceptedCondition.Status &&
+			condition.Reason == acceptedCondition.Reason &&
+			condition.Message == acceptedCondition.Message {
+			acceptedCondition.LastTransitionTime = condition.LastTransitionTime
+			return &acceptedCondition
+		}
+	}
+	acceptedCondition.LastTransitionTime = metav1.Now()
+	return &acceptedCondition
+}
+
 // sortGateways sorts the given slice of Gateway objects by namespace and name.
 func sortGateways(gateways []gatewayapi.Gateway, kicAncestors []gatewayapi.PolicyAncestorStatus, policyNamespace string) {
 	kicAncestorsMap := lo.SliceToMap(kicAncestors, func(ancestor gatewayapi.PolicyAncestorStatus) (string, gatewayapi.PolicyAncestorStatus) {
@@ -175,3 +199,58 @@ func sortGateways(gateways []gatewayapi.Gateway, kicAncestors []gatewayapi.Polic
 		}
 	})
 }
+
+// validateBackendTLSPolicy validates the given BackendTLSPolicy and returns the accepted Condition related to the policy.
+func (r *BackendTLSPolicyReconciler) validateBackendTLSPolicy(ctx context.Context, policy gatewayapi.BackendTLSPolicy) (acceptedCondition *metav1.Condition, err error) {
+	acceptedCondition = &metav1.Condition{
+		Type:               string(gatewayapi.PolicyConditionAccepted),
+		Status:             metav1.ConditionTrue,
+		Reason:             string(gatewayapi.PolicyConditionAccepted),
+		ObservedGeneration: policy.Generation,
+	}
+
+	for _, targetRef := range policy.Spec.TargetRefs {
+		if (targetRef.Group != "core" && targetRef.Group != "") || targetRef.Kind != "Service" {
+			continue
+		}
+		policies := &gatewayapi.BackendTLSPolicyList{}
+		if err := r.List(ctx, policies,
+			client.InNamespace(policy.Namespace),
+			client.MatchingFields{backendTLSPolicyTargetRefIndexKey: string(targetRef.Name)},
+		); err != nil {
+			return nil, err
+		}
+
+		if len(policies.Items) > 1 {
+			acceptedCondition = &metav1.Condition{
+				Type:    string(gatewayapi.PolicyConditionAccepted),
+				Status:  metav1.ConditionFalse,
+				Reason:  string(gatewayapi.PolicyReasonConflicted),
+				Message: "Multiple BackendTLSPolicies target the same service",
+			}
+			return acceptedCondition, nil
+		}
+	}
+
+	// TODO: check CACerts are stored in a CM
+
+	var reason string
+	if len(policy.Spec.Validation.SubjectAltNames) > 0 {
+		acceptedCondition.Status = metav1.ConditionFalse
+		reason = "SubjectAltNames feature is not currently supported."
+	}
+
+	if policy.Spec.Validation.WellKnownCACertificates != nil {
+		acceptedCondition.Status = metav1.ConditionFalse
+		if reason != "" {
+			reason += " "
+		}
+		reason += "WellKnownCACertificates feature is not currently supported."
+	}
+	if reason != "" {
+		acceptedCondition.Reason = string(gatewayapi.PolicyReasonInvalid)
+		acceptedCondition.Message = reason
+	}
+
+	return acceptedCondition, nil
+}