BackendTLSPolicy conformance tests for conflict resolution #4043
Conversation
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
|
/cc @kubernetes-sigs/gateway-api-admins |
|
I tested this with Envoy Gateway, and all assertions passed except that the status condition of the second policy is set to False with reason Conflicted. It appears that Envoy completely ignores the conflicted policy and does not set any status for it. |
ac6a825 to
8b995c7
Compare
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
8b995c7 to
d962aa0
Compare
|
/assign |
|
hum wait: I was reading the GEP (https://gateway-api.sigs.k8s.io/geps/gep-1897/) but this condition is not clear there. Is this something actually related to how policies are attached and not to BackendTLSPolicy? |
yes this is specific to DirectPolicy attachment https://gateway-api.sigs.k8s.io/geps/gep-2648/ |
|
If the section names differ, it is still possible to merge the policies. However, if two distinct I agree that it would be better if this behavior is explicitly defined in the GEP of the BackendTLSPolicy. Since it is currently missing there, I assumed it is inferred from the Direct Policy Attachment, as @kl52752 mentioned: |
|
ok, thanks for the clarification folks. @snorwin as a request, can you just add to your code then, maybe as a comment that this is not BackendTLSPolicy specific, and point to the DAP GEP? I think this would just make things slightly less confusing for someone implementing the conformance and trying to understand why this is required |
|
/lgtm |
|
/hold If possible please just add the reference to the DAP GEP, as a comment, to make it clear that this is a DirectPolicy Attachment requirement. Thanks! |
|
@rikatz I was thinking if we should update the godoc (https://github.com/kubernetes-sigs/gateway-api/blob/main/apis/v1alpha3/backendtlspolicy_types.go#L71) in a separate PR to clarify that targetRefs are expected to be unique across different policies, and that the implementation must mark them as conflicted if this condition isn’t met. |
I think any information would be good. If this is implementation specific, let's just add that marker that avoids overloading the CRD with implementation specific information, but yeah, feel free to open a new PR to update it! |
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
|
/lgtm Thanks. |
|
/cc @shaneutt |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: shaneutt, snorwin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind test
/area conformance-test
What this PR does / why we need it:
This PR introduces some basic conformance tests to ensure that the status condition
Acceptedon a BackendTLSPolicy is set tofalsewithReason: Conflictedwhen a policy cannot be accepted due to another policy 8000 already targeting the same target (including thesectionName).Which issue(s) this PR fixes:
Fixes #3953
Does this PR introduce a user-facing change?: