Merge pull request #112 from datum-cloud/fix/waitforhttpslistener

fix: wait for https listener before applying envoypatchpolicy

Author: zachsmith1

internal/controller/httpproxy_controller.go

@@ -880,15 +880,20 @@ func (r *HTTPProxyReconciler) reconcileConnectorEnvoyPatchPolicy(
 		return nil, false, nil
 	}
 
-	// Wait for the Gateway to be Programmed before creating the EnvoyPatchPolicy.
-	// This ensures the RouteConfiguration exists in Envoy's xDS, so the patch
-	// can be applied immediately rather than waiting for Envoy Gateway to retry.
+	// Wait for the Gateway and default HTTPS listener to be Programmed before
+	// creating the EnvoyPatchPolicy. This ensures the target RouteConfiguration
+	// exists in Envoy's xDS, so the patch can be applied immediately rather than
+	// waiting for Envoy Gateway to retry.
 	gatewayProgrammed := apimeta.IsStatusConditionTrue(
 		gateway.Status.Conditions,
 		string(gatewayv1.GatewayConditionProgrammed),
 	)
-	if !gatewayProgrammed {
-		// Gateway not yet programmed; requeue will happen when Gateway status changes.
+	defaultHTTPSListenerProgrammed := gatewayListenerProgrammed(
+		gateway.Status.Listeners,
+		gatewayutil.DefaultHTTPSListenerName,
+	)
+	if !gatewayProgrammed || !defaultHTTPSListenerProgrammed {
+		// Gateway/listener not yet programmed; requeue will happen when status changes.
 		return nil, true, nil
 	}
 
@@ -983,6 +988,16 @@ func cleanupConnectorOfflineHTTPRouteFilter(ctx context.Context, cl client.Clien
 	return cl.Delete(ctx, &filter)
 }
 
+func gatewayListenerProgrammed(listeners []gatewayv1.ListenerStatus, listenerName gatewayv1.SectionName) bool {
+	for _, listener := range listeners {
+		if listener.Name != listenerName {
+			continue
+		}
+		return apimeta.IsStatusConditionTrue(listener.Conditions, string(gatewayv1.ListenerConditionProgrammed))
+	}
+	return false
+}
+
 func downstreamPatchPolicyReady(policy *envoygatewayv1alpha1.EnvoyPatchPolicy, gatewayClassName string) (bool, string) {
 	if policy == nil {
 		return false, "Downstream EnvoyPatchPolicy not found"

internal/controller/httpproxy_controller_test.go

@@ -460,7 +460,67 @@ func TestHTTPProxyReconcile(t *testing.T) {
 				},
 			},
 			postCreateGatewayStatus: func(g *gatewayv1.Gateway) {
-				// EnvoyPatchPolicy is only created after Gateway is Programmed
+				setGatewayProgrammedWithDefaultHTTPSListener(g)
+			},
+			expectedError: false,
+			expectedConditions: []metav1.Condition{
+				{
+					Type:   networkingv1alpha.HTTPProxyConditionAccepted,
+					Status: metav1.ConditionTrue,
+					Reason: networkingv1alpha.HTTPProxyReasonAccepted,
+				},
+				{
+					Type:   networkingv1alpha.HTTPProxyConditionProgrammed,
+					Status: metav1.ConditionFalse,
+					Reason: networkingv1alpha.HTTPProxyReasonPending,
+				},
+			},
+			assert: func(t *testContext, cl client.Client, httpProxy *networkingv1alpha.HTTPProxy) {
+				var patchList envoygatewayv1alpha1.EnvoyPatchPolicyList
+				err := t.downstreamClient.List(context.Background(), &patchList)
+				assert.NoError(t, err)
+				assert.Len(t, patchList.Items, 1)
+				assert.Equal(t, fmt.Sprintf("connector-%s", httpProxy.Name), patchList.Items[0].Name)
+			},
+		},
+		{
+			name:              "connector backend waits for default-https listener programmed",
+			httpProxy:         connectorHTTPProxy,
+			downstreamObjects: connectorDownstreamObjects(connectorHTTPProxy),
+			namespaceUID:      string(connectorNamespaceUID),
+			existingObjects: []client.Object{
+				&networkingv1alpha1.Connector{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "connector-1",
+						Namespace: "test",
+					},
+					Status: networkingv1alpha1.ConnectorStatus{
+						Conditions: []metav1.Condition{
+							{
+								Type:   networkingv1alpha1.ConnectorConditionReady,
+								Status: metav1.ConditionTrue,
+								Reason: networkingv1alpha1.ConnectorReasonReady,
+							},
+						},
+						ConnectionDetails: &networkingv1alpha1.ConnectorConnectionDetails{
+							Type: networkingv1alpha1.PublicKeyConnectorConnectionType,
+							PublicKey: &networkingv1alpha1.ConnectorConnectionDetailsPublicKey{
+								Id:            "node-123",
+								DiscoveryMode: networkingv1alpha1.DNSPublicKeyDiscoveryMode,
+								HomeRelay:     "https://relay.example.test",
+								Addresses: []networkingv1alpha1.PublicKeyConnectorAddress{
+									{
+										Address: "127.0.0.1",
+										Port:    80,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			postCreateGatewayStatus: func(g *gatewayv1.Gateway) {
+				// Gateway-level Programmed is not enough without default-https listener Programmed.
 				apimeta.SetStatusCondition(&g.Status.Conditions, metav1.Condition{
 					Type:               string(gatewayv1.GatewayConditionProgrammed),
 					Status:             metav1.ConditionTrue,
@@ -485,8 +545,7 @@ func TestHTTPProxyReconcile(t *testing.T) {
 				var patchList envoygatewayv1alpha1.EnvoyPatchPolicyList
 				err := t.downstreamClient.List(context.Background(), &patchList)
 				assert.NoError(t, err)
-				assert.Len(t, patchList.Items, 1)
-				assert.Equal(t, fmt.Sprintf("connector-%s", httpProxy.Name), patchList.Items[0].Name)
+				assert.Len(t, patchList.Items, 0)
 			},
 		},
 		{
@@ -512,12 +571,7 @@ func TestHTTPProxyReconcile(t *testing.T) {
 				},
 			},
 			postCreateGatewayStatus: func(g *gatewayv1.Gateway) {
-				apimeta.SetStatusCondition(&g.Status.Conditions, metav1.Condition{
-					Type:               string(gatewayv1.GatewayConditionProgrammed),
-					Status:             metav1.ConditionTrue,
-					ObservedGeneration: g.Generation,
-					Reason:             string(gatewayv1.GatewayReasonProgrammed),
-				})
+				setGatewayProgrammedWithDefaultHTTPSListener(g)
 			},
 			expectedError: false,
 			expectedConditions: []metav1.Condition{
@@ -600,13 +654,7 @@ func TestHTTPProxyReconcile(t *testing.T) {
 				},
 			},
 			postCreateGatewayStatus: func(g *gatewayv1.Gateway) {
-				// EnvoyPatchPolicy is only created after Gateway is Programmed
-				apimeta.SetStatusCondition(&g.Status.Conditions, metav1.Condition{
-					Type:               string(gatewayv1.GatewayConditionProgrammed),
-					Status:             metav1.ConditionTrue,
-					ObservedGeneration: g.Generation,
-					Reason:             string(gatewayv1.GatewayReasonProgrammed),
-				})
+				setGatewayProgrammedWithDefaultHTTPSListener(g)
 			},
 			expectedError: false,
 			expectedConditions: []metav1.Condition{
@@ -1508,6 +1556,35 @@ func TestHTTPProxyFinalizerCleanup(t *testing.T) {
 	}
 }
 
+func setGatewayProgrammedWithDefaultHTTPSListener(g *gatewayv1.Gateway) {
+	apimeta.SetStatusCondition(&g.Status.Conditions, metav1.Condition{
+		Type:               string(gatewayv1.GatewayConditionProgrammed),
+		Status:             metav1.ConditionTrue,
+		ObservedGeneration: g.Generation,
+		Reason:             string(gatewayv1.GatewayReasonProgrammed),
+	})
+
+	defaultHTTPSListenerStatus := gatewayv1.ListenerStatus{
+		Name: gatewayutil.DefaultHTTPSListenerName,
+		Conditions: []metav1.Condition{
+			{
+				Type:               string(gatewayv1.ListenerConditionProgrammed),
+				Status:             metav1.ConditionTrue,
+				ObservedGeneration: g.Generation,
+				Reason:             string(gatewayv1.ListenerReasonProgrammed),
+			},
+		},
+	}
+
+	for i := range g.Status.Listeners {
+		if g.Status.Listeners[i].Name == gatewayutil.DefaultHTTPSListenerName {
+			g.Status.Listeners[i] = defaultHTTPSListenerStatus
+			return
+		}
+	}
+	g.Status.Listeners = append(g.Status.Listeners, defaultHTTPSListenerStatus)
+}
+
 func newHTTPProxy(opts ...func(*networkingv1alpha.HTTPProxy)) *networkingv1alpha.HTTPProxy {
 	p := &networkingv1alpha.HTTPProxy{
 		ObjectMeta: metav1.ObjectMeta{

internal/controller/trafficprotectionpolicy_controller.go

@@ -53,6 +53,9 @@ const (
 	// PolicyReasonWaitingForCertificates indicates that the policy is waiting
 	// for TLS certificates to become ready before EnvoyPatchPolicies can be created.
 	PolicyReasonWaitingForCertificates gatewayv1alpha2.PolicyConditionReason = "WaitingForCertificates"
+	// PolicyReasonWaitingForListenersProgrammed indicates that the policy is waiting
+	// for HTTPS listeners to be Programmed=True before EnvoyPatchPolicies can be created.
+	PolicyReasonWaitingForListenersProgrammed gatewayv1alpha2.PolicyConditionReason = "WaitingForListenersProgrammed"
 )
 
 // certificateReadinessResult contains the result of checking certificate readiness
@@ -138,6 +141,19 @@ func (r *TrafficProtectionPolicyReconciler) Reconcile(ctx context.Context, req N
 		return ctrl.Result{}, nil
 	}
 
+	listenerReadiness := r.checkHTTPSListenersProgrammed(attachments)
+	if !listenerReadiness.AllReady {
+		logger.Info("waiting for HTTPS listeners to become programmed", "pendingListeners", listenerReadiness.PendingListeners)
+		r.setWaitingForListenersProgrammedConditions(trafficProtectionPolicies, listenerReadiness.PendingListeners)
+
+		if err := r.updateTPPAncestorsStatus(ctx, cl.GetClient(), trafficProtectionPolicies, originalTrafficProtectionPolicies); err != nil {
+			return ctrl.Result{}, err
+		}
+
+		// Gateway/HTTPRoute watches will trigger reconciliation when listener status changes.
+		return ctrl.Result{}, nil
+	}
+
 	desiredPolicies, err := r.getDesiredEnvoyPatchPolicies(downstreamNamespaceName, attachments)
 	if err != nil {
 		return ctrl.Result{}, err
@@ -367,6 +383,70 @@ func (r *TrafficProtectionPolicyReconciler) setWaitingForCertificatesConditions(
 	}
 }
 
+// checkHTTPSListenersProgrammed checks if all referenced HTTPS listeners are
+// Programmed=True on the upstream Gateway status.
+func (r *TrafficProtectionPolicyReconciler) checkHTTPSListenersProgrammed(
+	attachments []policyAttachment,
+) *certificateReadinessResult {
+	pendingListenersSet := sets.New[string]()
+
+	for _, attachment := range attachments {
+		if attachment.Listener != nil {
+			for _, l := range attachment.Gateway.Spec.Listeners {
+				if l.Name != *attachment.Listener || l.Protocol != gatewayv1.HTTPSProtocolType {
+					continue
+				}
+				if !gatewayListenerProgrammed(attachment.Gateway.Status.Listeners, l.Name) {
+					pendingListenersSet.Insert(fmt.Sprintf("%s/%s", attachment.Gateway.Name, l.Name))
+				}
+			}
+			continue
+		}
+
+		for _, l := range attachment.Gateway.Spec.Listeners {
+			if l.Protocol != gatewayv1.HTTPSProtocolType {
+				continue
+			}
+			if !gatewayListenerProgrammed(attachment.Gateway.Status.Listeners, l.Name) {
+				pendingListenersSet.Insert(fmt.Sprintf("%s/%s", attachment.Gateway.Name, l.Name))
+			}
+		}
+	}
+
+	pendingListeners := sets.List(pendingListenersSet)
+	sort.Strings(pendingListeners)
+
+	return &certificateReadinessResult{
+		AllReady:         len(pendingListeners) == 0,
+		PendingListeners: pendingListeners,
+	}
+}
+
+// setWaitingForListenersProgrammedConditions sets Accepted=False with reason
+// WaitingForListenersProgrammed while HTTPS listeners are not yet Programmed=True.
+func (r *TrafficProtectionPolicyReconciler) setWaitingForListenersProgrammedConditions(
+	policies []*policyContext,
+	pendingListeners []string,
+) {
+	message := fmt.Sprintf("Waiting for HTTPS listeners to become Programmed=True: %s", strings.Join(pendingListeners, ", "))
+
+	for _, policy := range policies {
+		for _, targetRef := range policy.Spec.TargetRefs {
+			ancestorRef := getAncestorRefForTarget(policy.Namespace, targetRef)
+			gatewaystatus.SetConditionForPolicyAncestor(
+				&policy.Status.PolicyStatus,
+				ancestorRef,
+				string(r.Config.Gateway.ControllerName),
+				gatewayv1alpha2.PolicyConditionAccepted,
+				metav1.ConditionFalse,
+				PolicyReasonWaitingForListenersProgrammed,
+				message,
+				policy.Generation,
+			)
+		}
+	}
+}
+
 func (r *TrafficProtectionPolicyReconciler) ensureHTTPCorazaListenerFilter(ctx context.Context) error {
 	envoyPatchPolicy := &envoygatewayv1alpha1.EnvoyPatchPolicy{
 		ObjectMeta: metav1.ObjectMeta{