fix(gatewayapi): correct ListenerReason for unresolved certificate re…

…fs, enable ReferenceGrant conformance tests Signed-off-by: Mike Beaumont <mjboamail@gmail.com>
kumahq · Aug 11, 2022 · d18f89f · d18f89f
1 parent 308f420
commit d18f89f
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 8 deletions.
diff --git a/pkg/plugins/runtime/k8s/controllers/gatewayapi/gateway_conversion.go b/pkg/plugins/runtime/k8s/controllers/gatewayapi/gateway_conversion.go
@@ -210,7 +210,7 @@ func (r *GatewayReconciler) gapiToKumaGateway(
 			listener.Hostname = string(*l.Hostname)
 		}
 
-		var unresolvableRefs []string
+		var unresolvableCertRefs []string
 		if l.TLS != nil {
 			for _, certRef := range l.TLS.CertificateRefs {
 				policyRef := policy.PolicyReferenceSecret(policy.FromGatewayIn(gateway.Namespace), certRef)
@@ -222,11 +222,11 @@ func (r *GatewayReconciler) gapiToKumaGateway(
 
 				if !permitted {
 					message := fmt.Sprintf("%q %q", policyRef.GroupKindReferredTo().String(), policyRef.NamespacedNameReferredTo().String())
-					unresolvableRefs = append(unresolvableRefs, message)
+					unresolvableCertRefs = append(unresolvableCertRefs, message)
 				}
 			}
 
-			if len(unresolvableRefs) == 0 {
+			if len(unresolvableCertRefs) == 0 {
 				if l.TLS.Mode != nil && *l.TLS.Mode == gatewayapi.TLSModePassthrough {
 					continue // todo admission webhook should prevent this
 				}
@@ -272,7 +272,7 @@ func (r *GatewayReconciler) gapiToKumaGateway(
 
 		var resolvedRefConditions []kube_meta.Condition
 
-		if len(unresolvableRefs) == 0 {
+		if len(unresolvableCertRefs) == 0 {
 			listeners = append(listeners, listener)
 
 			resolvedRefConditions = []kube_meta.Condition{
@@ -292,8 +292,8 @@ func (r *GatewayReconciler) gapiToKumaGateway(
 				{
 					Type:    string(gatewayapi.ListenerConditionResolvedRefs),
 					Status:  kube_meta.ConditionFalse,
-					Reason:  string(gatewayapi.ListenerReasonRefNotPermitted),
-					Message: fmt.Sprintf("references to %s not permitted by any ReferencePolicy", strings.Join(unresolvableRefs, ", ")),
+					Reason:  string(gatewayapi.ListenerReasonInvalidCertificateRef),
+					Message: fmt.Sprintf("references to %s not permitted by any ReferencePolicy", strings.Join(unresolvableCertRefs, ", ")),
 				},
 				{
 					Type:    string(gatewayapi.ListenerConditionReady),

diff --git a/test/e2e/gateway/gatewayapi/conformance_test.go b/test/e2e/gateway/gatewayapi/conformance_test.go
@@ -80,6 +80,9 @@ func TestConformance(t *testing.T) {
 			metadata.KumaSidecarInjectionAnnotation: metadata.AnnotationTrue,
 		},
 		ValidUniqueListenerPorts: validUniqueListenerPorts,
+		SupportedFeatures: []suite.SupportedFeature{
+			suite.SupportReferenceGrant,
+		},
 	})
 
 	conformanceSuite.Setup(t)
@@ -88,9 +91,10 @@ func TestConformance(t *testing.T) {
 	for _, test := range tests.ConformanceTests {
 		switch test.ShortName {
 		case tests.HTTPRouteDisallowedKind.ShortName, // TODO: we only support HTTPRoute so it's not yet possible to test this
-			tests.HTTPRouteInvalidCrossNamespaceBackendRef.ShortName,
+			tests.HTTPRouteInvalidCrossNamespaceBackendRef.ShortName, // The following fail due to #4597
 			tests.HTTPRouteInvalidBackendRefUnknownKind.ShortName,
-			tests.HTTPRouteInvalidNonExistentBackendRef.ShortName:
+			tests.HTTPRouteInvalidNonExistentBackendRef.ShortName,
+			tests.HTTPRouteInvalidReferenceGrant.ShortName:
 			continue
 		}
 		passingTests = append(passingTests, test)