Skip to content

Apply PolicyAffected status for target refs #3535

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Apply PolicyAffected status for target refs #3535

wants to merge 1 commit into from
+543 −1

Conversation

salonichf5
Copy link
Contributor

@salonichf5 salonichf5 commented Jun 23, 2025
edited
Loading

Proposed changes

Write a clear and concise description that helps reviewers understand the purpose and impact of your changes. Use the
following format:

Problem: As a user I would like to know which target refs are affected by ClientSettingsPolicy or ObservabilityPolicy

Solution: Adds new conditions NewObservabilityPolicyAffected and NewClientSettingsPolicyAffected

Testing: Manual testing

Apply ObservabilityPolicy and ClientSettingsPolicy to targetRefs

  1. policyAffected status should be applied to targetRefs conditions list.
  2. Apply multiple policies to targetRefs - only one policyAffected status is added to targetRefs conditions list.
  3. Remove policies -- policyAffected status should be removed from targetRefs conditions list -- Status is removed from the resources (Gateways, HTTPRoute, GRPCRoute)

ClientSettingsPolicy for Gateway, HTTPRoutes and GRPCRoutes

  1. CSP for gateway
apiVersion: gateway.nginx.org/v1alpha1
kind: ClientSettingsPolicy
metadata:
  name: gateway-client-settings
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: gateway
  body:
    maxSize: "50" # sizes without a unit are bytes.

Status:

k describe gateways.gateway.networking.k8s.io gateway
    Message:               ClientSettingsPolicy is applied to the resource
    Observed Generation:   1
    Reason:                PolicyAffected
    Status:                True
    Type:                  ClientSettingsPolicyAffected
  1. multiple CSP for one HTTPRoute -- one condition applied
apiVersion: gateway.nginx.org/v1alpha1
kind: ClientSettingsPolicy
metadata:
  name: tea-client-settings
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: tea
  body:
    maxSize: "75" # sizes without a unit are bytes.
---
apiVersion: gateway.nginx.org/v1alpha1
kind: ClientSettingsPolicy
metadata:
  name: second-tea-client-settings
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: tea
  body:
    maxSize: "70" # sizes without a unit are bytes.

Status
k describe httproutes.gateway.networking.k8s.io tea

      Message:               ClientSettingsPolicy is applied to the resource
      Observed Generation:   1
      Reason:                PolicyAffected
      Status:                True
      Type:                  ClientSettingsPolicyAffected
    Controller Name:         gateway.nginx.org/nginx-gateway-controller
  1. CSP for GRPCRoutes
apiVersion: gateway.nginx.org/v1alpha1
kind: ClientSettingsPolicy
metadata:
  name: tea-client-settings
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: GRPCRoute
    name: exact-matching
  body:
    maxSize: "75" # sizes without a unit are bytes.
---
apiVersion: gateway.nginx.org/v1alpha1
kind: ClientSettingsPolicy
metadata:
  name: second-tea-client-settings
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: GRPCRoute
    name: exact-matching
  body:
    maxSize: "70" # sizes without a unit are bytes.


Status

      Message:               ClientSettingsPolicy is applied to the resource
      Observed Generation:   1
      Reason:                PolicyAffected
      Status:                True
      Type:                  ClientSettingsPolicyAffected
    Controller Name:         gateway.nginx.org/nginx-gateway-controller
  1. Deleted all CSP Policies and status policyAffected was removed from the resources.

ObservabilityPolicy for HTTPRoutes and GRPCRoutes

  1. ObservabilityPolicy for HTTPRoutes and GRPCRoutes
apiVersion: gateway.nginx.org/v1alpha2
kind: ObservabilityPolicy
metadata:
  name: coffee
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: coffee
  tracing:
    strategy: ratio
    ratio: 75
    spanAttributes:
    - key: coffee-key
      value: coffee-value
---
apiVersion: gateway.nginx.org/v1alpha2
kind: ObservabilityPolicy
metadata:
  name: coffee-second
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: GRPCRoute
    name: exact-matching
  tracing:
    strategy: ratio
    ratio: 70
    spanAttributes:
    - key: coffee-key
      value: coffee-value


Status

k describe httproutes.gateway.networking.k8s.io coffee
      Message:               ObservabilityPolicy is applied to the resource
      Observed Generation:   1
      Reason:                PolicyAffected
      Status:                True
      Type:                  ObservabilityPolicyAffected
    Controller Name:         gateway.nginx.org/nginx-gateway-controller
    
k describe grpcroutes.gateway.networking.k8s.io exact-matching
      Message:               ObservabilityPolicy is applied to the resource
      Observed Generation:   1
      Reason:                PolicyAffected
      Status:                True
      Type:                  ObservabilityPolicyAffected
    Controller Name:         gateway.nginx.org/nginx-gateway-controller
  1. Removing policies removes status from the resource

Please focus on (optional): If you any specific areas where you would like reviewers to focus their attention or provide
specific feedback, add them here.

Closes #1761

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

Adds policyAffected status for policy target refs.

@github-actions github-actions bot added the enhancement New feature or request label Jun 23, 2025
@codecov Codecov
Copy link

codecov bot commented Jun 23, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.84%. Comparing base (36e64ae) to head (e3bd76e).
Report is 16 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3535      +/-   ##
==========================================
+ Coverage   86.82%   86.84%   +0.02%     
==========================================
  Files         127      127              
  Lines       15079    15154      +75     
  Branches       62       62              
==========================================
+ Hits        13092    13161      +69     
- Misses       1836     1841       +5     
- Partials      151      152       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@salonichf5 salonichf5 force-pushed the feat/policyAffected branch 4 times, most recently from bed6023 to fb9cf54 Compare June 24, 2025 16:28
@salonichf5 salonichf5 marked this pull request as ready for review June 24, 2025 16:28
@salonichf5 salonichf5 requested a review from a team as a code owner June 24, 2025 16:28
@salonichf5 salonichf5 force-pushed the feat/policyAffected branch from fb9cf54 to e3bd76e Compare June 24, 2025 16:53
@bjee19
Copy link
Contributor

bjee19 commented Jun 24, 2025

@salonichf5 I see in the issue gateway.nginx.org/Waf/WAFPolicyAffected was also added to the acceptance criteria, will that be added in this PR or is that going to come from another PR related to the waf work?

bjee19
bjee19 reviewed Jun 25, 2025
View reviewed changes
internal/controller/state/graph/policies.go
Comment on lines +492 to +494
if conditionsList == nil {
return
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we have to worry about this case? Will the conditionsList ever be nil?

ciarams87
ciarams87 reviewed Jun 25, 2025
View reviewed changes
Copy link
Contributor

@ciarams87 ciarams87 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple of minor suggestions, otherwise looks good, great work!

internal/controller/state/conditions/conditions.go
@@ -185,6 +197,33 @@ func ConvertConditions(
return apiConds
}

// HasMatchingCondition checks if the given condition matches any of the existing conditions.
func HasMatchingCondition(existingConditions []Condition, cond Condition) bool {
condMap := make(map[Condition]struct{}, len(existingConditions))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because existingConditions is unlikely to be very long, do we think this could be updated to use a simple iteration instead? e.g. something like

	for _, existing := range existingConditions {
		if existing.Type == cond.Type &&
		   existing.Status == cond.Status &&
		   existing.Reason == cond.Reason &&
		   existing.Message == cond.Message {
		   return true
		}
	}
	return false

internal/controller/state/conditions/conditions_test.go
@@ -105,3 +105,43 @@ func TestConvertConditions(t *testing.T) {
result := ConvertConditions(conds, generation, time)
g.Expect(result).Should(Equal(expected))
}

func TestHasMatchingConding(t *testing.T) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
func TestHasMatchingConding(t *testing.T) {
func TestHasMatchingCondition(t *testing.T) {

internal/controller/state/graph/policies.go
@@ -448,3 +448,60 @@ func refGroupKind(group v1.Group, kind v1.Kind) string {

return fmt.Sprintf("%s/%s", group, kind)
}

// addPolicyAffectedStatusToTargetRefs adds the policyAffected status to the target references
// of ClientSetttingsPolicies and ObservabilityPolicies.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// of ClientSetttingsPolicies and ObservabilityPolicies.
// of ClientSettingsPolicies and ObservabilityPolicies.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ciarams87 ciarams87 ciarams87 left review comments

@bjee19 bjee19 bjee19 left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
enhancement New feature or request release-notes
Projects
NGINX Gateway Fabric
Status: 🆕 New
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement PolicyAffected Status for NGF Policies
3 participants
@salonichf5 @bjee19 @ciarams87