Warnings for unsupported Gateway and Routes rules fields (#4036)

Proposed changes
Problem:
As an NGF user,
I want clear feedback when I've specified a field that is unsupported by NGF,
So that I understand why certain features aren't working.
Routes should still be considered valid and configured, so we don't break existing users

Solution:
For all fields in various resources (Gateway, HTTPRoute, GRPCRoute, etc) that NGF does not yet support, add validation and error conditions if they are specified
Routes should still be considered valid and configured, so we don't break existing users

Author: tataruty

internal/controller/state/conditions/conditions.go

@@ -38,6 +38,10 @@ const (
 	// Route rules has a backendRef with an unsupported value.
 	RouteReasonBackendRefUnsupportedValue v1.RouteConditionReason = "UnsupportedValue"
 
+	// RouteReasonUnsupportedField is used with the "Accepted" condition when a Route contains fields that are
+	// not yet supported.
+	RouteReasonUnsupportedField v1.RouteConditionReason = "UnsupportedField"
+
 	// RouteReasonInvalidGateway is used with the "Accepted" (false) condition when the Gateway the Route
 	// references is invalid.
 	RouteReasonInvalidGateway v1.RouteConditionReason = "InvalidGateway"
@@ -62,6 +66,10 @@ const (
 	// invalid. Used with ResolvedRefs (false).
 	RouteReasonInvalidFilter v1.RouteConditionReason = "InvalidFilter"
 
+	// GatewayReasonUnsupportedField is used with the "Accepted" condition when a Gateway contains fields
+	// that are not yet supported.
+	GatewayReasonUnsupportedField v1.GatewayConditionReason = "UnsupportedField"
+
 	// GatewayReasonUnsupportedValue is used with GatewayConditionAccepted (false) when a value of a field in a Gateway
 	// is invalid or not supported.
 	GatewayReasonUnsupportedValue v1.GatewayConditionReason = "UnsupportedValue"
@@ -354,6 +362,17 @@ func NewRouteUnsupportedValue(msg string) Condition {
 	}
 }
 
+// NewRouteAcceptedUnsupportedField returns a Condition that indicates that the Route is accepted but
+// includes an unsupported field.
+func NewRouteAcceptedUnsupportedField(msg string) Condition {
+	return Condition{
+		Type:    string(v1.RouteConditionAccepted),
+		Status:  metav1.ConditionTrue,
+		Reason:  string(RouteReasonUnsupportedField),
+		Message: fmt.Sprintf("The following unsupported parameters were ignored: %s", msg),
+	}
+}
+
 // NewRoutePartiallyInvalid returns a Condition that indicates that the Route contains a combination
 // of both valid and invalid rules.
 //
@@ -945,6 +964,17 @@ func NewGatewayInvalidParameters(msg string) Condition {
 	}
 }
 
+// NewGatewayAcceptedUnsupportedField returns a Condition that indicates the Gateway is accepted but
+// contains a field that is not supported.
+func NewGatewayAcceptedUnsupportedField(msg string) Condition {
+	return Condition{
+		Type:    string(v1.GatewayConditionAccepted),
+		Status:  metav1.ConditionTrue,
+		Reason:  string(GatewayReasonUnsupportedField),
+		Message: fmt.Sprintf("Gateway accepted but the following unsupported parameters were ignored: %s", msg),
+	}
+}
+
 // NewPolicyAccepted returns a Condition that indicates that the Policy is accepted.
 func NewPolicyAccepted() Condition {
 	return Condition{

internal/controller/state/graph/gateway.go

@@ -193,6 +193,9 @@ func validateGateway(gw *v1.Gateway, gc *GatewayClass, npCfg *NginxProxy) ([]con
 	// invalidate the entire Gateway.
 	valid := len(conds) == 0
 
+	// Validate unsupported fields - these are warnings, don't affect validity
+	conds = append(conds, validateUnsupportedGatewayFields(gw)...)
+
 	if gw.Spec.Infrastructure != nil && gw.Spec.Infrastructure.ParametersRef != nil {
 		paramConds := validateGatewayParametersRef(npCfg, *gw.Spec.Infrastructure.ParametersRef)
 		conds = append(conds, paramConds...)
@@ -267,3 +270,17 @@ func (g *Gateway) collectSnippetsFiltersFromRoute(
 		}
 	}
 }
+
+func validateUnsupportedGatewayFields(gw *v1.Gateway) []conditions.Condition {
+	var conds []conditions.Condition
+
+	if gw.Spec.AllowedListeners != nil {
+		conds = append(conds, conditions.NewGatewayAcceptedUnsupportedField("AllowedListeners"))
+	}
+
+	if gw.Spec.BackendTLS != nil {
+		conds = append(conds, conditions.NewGatewayAcceptedUnsupportedField("BackendTLS"))
+	}
+
+	return conds
+}

internal/controller/state/graph/gateway_test.go

@@ -286,10 +286,12 @@ func TestBuildGateway(t *testing.T) {
 	)
 
 	type gatewayCfg struct {
-		name      string
-		ref       *v1.LocalParametersReference
-		listeners []v1.Listener
-		addresses []v1.GatewaySpecAddress
+		ref              *v1.LocalParametersReference
+		allowedListeners *v1.AllowedListeners
+		backendTLS       *v1.GatewayBackendTLS
+		name             string
+		listeners        []v1.Listener
+		addresses        []v1.GatewaySpecAddress
 	}
 
 	var lastCreatedGateway *v1.Gateway
@@ -304,6 +306,8 @@ func TestBuildGateway(t *testing.T) {
 				GatewayClassName: gcName,
 				Listeners:        cfg.listeners,
 				Addresses:        cfg.addresses,
+				AllowedListeners: cfg.allowedListeners,
+				BackendTLS:       cfg.backendTLS,
 			},
 		}
 
@@ -1513,6 +1517,103 @@ func TestBuildGateway(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "One unsupported field + supported fields (valid)",
+			gateway: createGateway(gatewayCfg{
+				name:             "gateway-valid-np",
+				listeners:        []v1.Listener{foo80Listener1},
+				ref:              validGwNpRef,
+				allowedListeners: &v1.AllowedListeners{},
+			}),
+			gatewayClass: validGCWithNp,
+			expected: map[types.NamespacedName]*Gateway{
+				{Namespace: validGwNp.Namespace, Name: "gateway-valid-np"}: {
+					Source: getLastCreatedGateway(),
+					Listeners: []*Listener{
+						{
+							Name:           "foo-80-1",
+							GatewayName:    client.ObjectKeyFromObject(getLastCreatedGateway()),
+							Source:         foo80Listener1,
+							Valid:          true,
+							Attachable:     true,
+							Routes:         map[RouteKey]*L7Route{},
+							L4Routes:       map[L4RouteKey]*L4Route{},
+							SupportedKinds: supportedKindsForListeners,
+						},
+					},
+					DeploymentName: types.NamespacedName{
+						Namespace: "test",
+						Name:      controller.CreateNginxResourceName("gateway-valid-np", gcName),
+					},
+					Valid: true,
+					NginxProxy: &NginxProxy{
+						Source: validGwNp,
+						Valid:  true,
+					},
+					EffectiveNginxProxy: &EffectiveNginxProxy{
+						Logging: &ngfAPIv1alpha2.NginxLogging{
+							ErrorLevel: helpers.GetPointer(ngfAPIv1alpha2.NginxLogLevelError),
+						},
+						IPFamily: helpers.GetPointer(ngfAPIv1alpha2.Dual),
+						Metrics: &ngfAPIv1alpha2.Metrics{
+							Disable: helpers.GetPointer(false),
+							Port:    helpers.GetPointer(int32(90)),
+						},
+					},
+					Conditions: []conditions.Condition{
+						conditions.NewGatewayAcceptedUnsupportedField("AllowedListeners"),
+						conditions.NewGatewayResolvedRefs(),
+					},
+				},
+			},
+		},
+		{
+			name: "One unsupported field + NewGatewayRefInvalid (invalid)",
+			gateway: createGateway(gatewayCfg{
+				name:      "gateway-valid-np",
+				listeners: []v1.Listener{foo80Listener1},
+				ref: &v1.LocalParametersReference{
+					Kind: "wrong-kind", // Invalid reference
+					Name: "invalid-ref",
+				},
+				backendTLS: &v1.GatewayBackendTLS{},
+			}),
+			gatewayClass: validGCWithNp,
+			expected: map[types.NamespacedName]*Gateway{
+				{Namespace: validGwNp.Namespace, Name: "gateway-valid-np"}: {
+					Source: getLastCreatedGateway(),
+					Listeners: []*Listener{
+						{
+							Name:           "foo-80-1",
+							GatewayName:    client.ObjectKeyFromObject(getLastCreatedGateway()),
+							Source:         foo80Listener1,
+							Valid:          true,
+							Attachable:     true,
+							Routes:         map[RouteKey]*L7Route{},
+							L4Routes:       map[L4RouteKey]*L4Route{},
+							SupportedKinds: supportedKindsForListeners,
+						},
+					},
+					DeploymentName: types.NamespacedName{
+						Namespace: "test",
+						Name:      controller.CreateNginxResourceName("gateway-valid-np", gcName),
+					},
+					Valid: true,
+					EffectiveNginxProxy: &EffectiveNginxProxy{
+						IPFamily: helpers.GetPointer(ngfAPIv1alpha2.Dual),
+					},
+					Conditions: []conditions.Condition{
+						conditions.NewGatewayAcceptedUnsupportedField("BackendTLS"),
+						conditions.NewGatewayRefInvalid(
+							"spec.infrastructure.parametersRef.kind: Unsupported value: \"wrong-kind\": supported values: \"NginxProxy\"",
+						),
+						conditions.NewGatewayInvalidParameters(
+							"spec.infrastructure.parametersRef.kind: Unsupported value: \"wrong-kind\": supported values: \"NginxProxy\"",
+						),
+					},
+				},
+			},
+		},
 	}
 
 	secretResolver := newSecretResolver(
@@ -1821,3 +1922,55 @@ func TestGetReferencedSnippetsFilters(t *testing.T) {
 	emptyFilterResult := gw.GetReferencedSnippetsFilters(routes, map[types.NamespacedName]*SnippetsFilter{})
 	g.Expect(emptyFilterResult).To(BeEmpty())
 }
+
+func TestValidateUnsupportedGatewayFields(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name          string
+		gateway       *v1.Gateway
+		expectedConds []conditions.Condition
+	}{
+		{
+			name: "No unsupported fields",
+			gateway: &v1.Gateway{
+				Spec: v1.GatewaySpec{},
+			},
+			expectedConds: nil,
+		},
+		{
+			name: "One unsupported field: AllowedListeners",
+			gateway: &v1.Gateway{
+				Spec: v1.GatewaySpec{
+					AllowedListeners: &v1.AllowedListeners{},
+				},
+			},
+			expectedConds: []conditions.Condition{
+				conditions.NewGatewayAcceptedUnsupportedField("AllowedListeners"),
+			},
+		},
+		{
+			name: "Multiple unsupported fields: AllowedListeners and BackendTLS",
+			gateway: &v1.Gateway{
+				Spec: v1.GatewaySpec{
+					AllowedListeners: &v1.AllowedListeners{},
+					BackendTLS:       &v1.GatewayBackendTLS{},
+				},
+			},
+			expectedConds: []conditions.Condition{
+				conditions.NewGatewayAcceptedUnsupportedField("AllowedListeners"),
+				conditions.NewGatewayAcceptedUnsupportedField("BackendTLS"),
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			g := NewWithT(t)
+
+			conds := validateUnsupportedGatewayFields(test.gateway)
+			g.Expect(conds).To(Equal(test.expectedConds))
+		})
+	}
+}

internal/controller/state/graph/grpcroute.go

@@ -165,6 +165,11 @@ func processGRPCRouteRule(
 
 	validMatches := true
 
+	unsupportedFieldsErrors := checkForUnsupportedGRPCFields(specRule, rulePath)
+	if len(unsupportedFieldsErrors) > 0 {
+		errors.warn = append(errors.warn, unsupportedFieldsErrors...)
+	}
+
 	for j, match := range specRule.Matches {
 		matchPath := rulePath.Child("matches").Index(j)
 
@@ -260,6 +265,11 @@ func processGRPCRouteRules(
 	conds = make([]conditions.Condition, 0, 2)
 	valid = true
 
+	// add warning condition for unsupported fields if any
+	if len(allRulesErrors.warn) > 0 {
+		conds = append(conds, conditions.NewRouteAcceptedUnsupportedField(allRulesErrors.warn.ToAggregate().Error()))
+	}
+
 	if len(allRulesErrors.invalid) > 0 {
 		msg := allRulesErrors.invalid.ToAggregate().Error()
 
@@ -444,3 +454,26 @@ func validateGRPCHeaderMatch(
 
 	return allErrs
 }
+
+func checkForUnsupportedGRPCFields(rule v1.GRPCRouteRule, rulePath *field.Path) field.ErrorList {
+	var ruleErrors field.ErrorList
+
+	if rule.Name != nil {
+		ruleErrors = append(ruleErrors, field.Forbidden(
+			rulePath.Child("name"),
+			"Name",
+		))
+	}
+	if rule.SessionPersistence != nil {
+		ruleErrors = append(ruleErrors, field.Forbidden(
+			rulePath.Child("sessionPersistence"),
+			"SessionPersistence",
+		))
+	}
+
+	if len(ruleErrors) == 0 {
+		return nil
+	}
+
+	return ruleErrors
+}