NE-1969: Set Degraded=True if unmanaged Gateway API CRDs exist

Set the ingress cluster operator’s `Degraded` status to `True` if unmanaged
Gateway API CRDs exist on the cluster.

An unmanaged Gateway API CRD is one with "gateway.networking.k8s.io" or
"gateway.networking.x-k8s.io" in its `spec.group` field, and not managed
by the gatewayapi controller.

This commit uses the cluster operator’s `status.extension` field
to store the names of unmanaged CRDs. The gatewayapi controller writes
to this field, while the status controller reads it and updates the
ingress cluster operator’s `Degraded` status accordingly.

Author: alebedev87

pkg/operator/controller/gateway-service-dns/controller_test.go

@@ -254,7 +254,13 @@ func Test_Reconcile(t *testing.T) {
 				WithScheme(scheme).
 				WithRuntimeObjects(tc.existingObjects...).
 				Build()
-			cl := &testutil.FakeClientRecorder{fakeClient, t, []client.Object{}, []client.Object{}, []client.Object{}}
+			cl := &testutil.FakeClientRecorder{
+				Client:  fakeClient,
+				T:       t,
+				Added:   []client.Object{},
+				Updated: []client.Object{},
+				Deleted: []client.Object{},
+			}
 			informer := informertest.FakeInformers{Scheme: scheme}
 			cache := testutil.FakeCache{Informers: &informer, Reader: cl}
 			reconciler := &reconciler{

pkg/operator/controller/gatewayapi/controller.go

@@ -2,6 +2,7 @@ package gatewayapi
 
 import (
 	"context"
+	"fmt"
 	"sync"
 
 	logf "github.com/openshift/cluster-ingress-operator/pkg/log"
@@ -14,6 +15,7 @@ import (
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/types"
 
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
@@ -25,7 +27,10 @@ import (
 )
 
 const (
-	controllerName = "gatewayapi_controller"
+	controllerName                        = "gatewayapi_controller"
+	experimentalGatewayAPIGroupName       = "gateway.networking.x-k8s.io"
+	gatewayAPICRDIndexFieldName           = "gatewayAPICRD"
+	unmanagedGatewayAPICRDIndexFieldValue = "unmanaged"
 )
 
 var log = logf.Logger.WithName(controllerName)
@@ -36,6 +41,7 @@ func New(mgr manager.Manager, config Config) (controller.Controller, error) {
 	operatorCache := mgr.GetCache()
 	reconciler := &reconciler{
 		client: mgr.GetClient(),
+		cache:  operatorCache,
 		config: config,
 	}
 	c, err := controller.New(controllerName, mgr, controller.Options{Reconciler: reconciler})
@@ -60,14 +66,34 @@ func New(mgr manager.Manager, config Config) (controller.Controller, error) {
 		}}
 	}
 
-	// watch for CRDs
-	crdPredicate := predicate.NewPredicateFuncs(func(o client.Object) bool {
-		return o.(*apiextensionsv1.CustomResourceDefinition).Spec.Group == gatewayapiv1.GroupName
-	})
+	isGatewayAPICRD := func(o client.Object) bool {
+		crd := o.(*apiextensionsv1.CustomResourceDefinition)
+		return crd.Spec.Group == gatewayapiv1.GroupName || crd.Spec.Group == experimentalGatewayAPIGroupName
+	}
+	crdPredicate := predicate.NewPredicateFuncs(isGatewayAPICRD)
 
+	// watch for CRDs
 	if err := c.Watch(source.Kind[client.Object](operatorCache, &apiextensionsv1.CustomResourceDefinition{}, handler.EnqueueRequestsFromMapFunc(toFeatureGate), crdPredicate)); err != nil {
 		return nil, err
 	}
+
+	// Index unmanaged Gateway API CRDs to enable efficient filtering
+	// during list operations.
+	if err := mgr.GetFieldIndexer().IndexField(
+		context.Background(),
+		&apiextensionsv1.CustomResourceDefinition{},
+		gatewayAPICRDIndexFieldName,
+		client.IndexerFunc(func(o client.Object) []string {
+			if isGatewayAPICRD(o) {
+				if _, found := managedCRDMap[o.GetName()]; !found {
+					return []string{unmanagedGatewayAPICRDIndexFieldValue}
+				}
+			}
+			return []string{}
+		})); err != nil {
+		return nil, fmt.Errorf("failed to create index for custom resource definitions: %w", err)
+	}
+
 	return c, nil
 }
 
@@ -90,6 +116,7 @@ type reconciler struct {
 	config Config
 
 	client           client.Client
+	cache            cache.Cache
 	recorder         record.EventRecorder
 	startControllers sync.Once
 }
@@ -111,6 +138,12 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 		return reconcile.Result{}, err
 	}
 
+	if crdNames, err := r.listUnmanagedGatewayAPICRDs(ctx); err != nil {
+		return reconcile.Result{}, fmt.Errorf("failed to list unmanaged gateway CRDs: %w", err)
+	} else if err = r.setUnmanagedGatewayAPICRDNamesStatus(ctx, crdNames); err != nil {
+		return reconcile.Result{}, fmt.Errorf("failed to update the ingress cluster operator status: %w", err)
+	}
+
 	if !r.config.GatewayAPIControllerEnabled {
 		return reconcile.Result{}, nil
 	}

pkg/operator/controller/gatewayapi/controller_test.go

@@ -2,6 +2,7 @@ package gatewayapi
 
 import (
 	"context"
+	"strings"
 	"testing"
 	"time"
 
@@ -17,6 +18,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 
+	"sigs.k8s.io/controller-runtime/pkg/cache/informertest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
@@ -36,28 +38,57 @@ func Test_Reconcile(t *testing.T) {
 			ObjectMeta: metav1.ObjectMeta{Name: name},
 		}
 	}
+	co := func(name string) *configv1.ClusterOperator {
+		return &configv1.ClusterOperator{
+			ObjectMeta: metav1.ObjectMeta{Name: name},
+		}
+	}
+	coWithExtension := func(name, extension string) *configv1.ClusterOperator {
+		co := co(name)
+		co.Status = configv1.ClusterOperatorStatus{
+			Extension: runtime.RawExtension{
+				Raw: []byte(extension),
+			},
+		}
+		return co
+	}
+
 	tests := []struct {
 		name                        string
 		gatewayAPIEnabled           bool
 		gatewayAPIControllerEnabled bool
 		existingObjects             []runtime.Object
-		expectCreate                []client.Object
-		expectUpdate                []client.Object
-		expectDelete                []client.Object
-		expectStartCtrl             bool
+		// existingStatusSubresource contains the original version of objects
+		// whose status will updated by Reconcile function.
+		// This field is similar to `existingObjects` but is specifically used
+		// for objects where status updates are performed using `Status().Update()` call.
+		existingStatusSubresource []client.Object
+		expectCreate              []client.Object
+		expectUpdate              []client.Object
+		expectDelete              []client.Object
+		// expectStatusUpdate contains the updated versions of objects
+		// whose status is expected to be updated by the test.
+		expectStatusUpdate []client.Object
+		expectStartCtrl    bool
 	}{
 		{
 			name:              "gateway API disabled",
 			gatewayAPIEnabled: false,
-			expectCreate:      []client.Object{},
-			expectUpdate:      []client.Object{},
-			expectDelete:      []client.Object{},
-			expectStartCtrl:   false,
+			existingObjects: []runtime.Object{
+				co("ingress"),
+			},
+			expectCreate:    []client.Object{},
+			expectUpdate:    []client.Object{},
+			expectDelete:    []client.Object{},
+			expectStartCtrl: false,
 		},
 		{
 			name:                        "gateway API enabled",
 			gatewayAPIEnabled:           true,
 			gatewayAPIControllerEnabled: true,
+			existingObjects: []runtime.Object{
+				co("ingress"),
+			},
 			expectCreate: []client.Object{
 				crd("gatewayclasses.gateway.networking.k8s.io"),
 				crd("gateways.gateway.networking.k8s.io"),
@@ -75,6 +106,9 @@ func Test_Reconcile(t *testing.T) {
 			name:                        "gateway API enabled, gateway API controller disabled",
 			gatewayAPIEnabled:           true,
 			gatewayAPIControllerEnabled: false,
+			existingObjects: []runtime.Object{
+				co("ingress"),
+			},
 			expectCreate: []client.Object{
 				crd("gatewayclasses.gateway.networking.k8s.io"),
 				crd("gateways.gateway.networking.k8s.io"),
@@ -88,6 +122,87 @@ func Test_Reconcile(t *testing.T) {
 			expectDelete:    []client.Object{},
 			expectStartCtrl: false,
 		},
+		{
+			name:                        "unmanaged gateway API CRDs created",
+			gatewayAPIEnabled:           true,
+			gatewayAPIControllerEnabled: true,
+			existingObjects: []runtime.Object{
+				co("ingress"),
+				crd("listenersets.gateway.networking.x-k8s.io"),
+				crd("backendtrafficpolicies.gateway.networking.x-k8s.io"),
+			},
+			existingStatusSubresource: []client.Object{
+				co("ingress"),
+			},
+			expectCreate: []client.Object{
+				crd("gatewayclasses.gateway.networking.k8s.io"),
+				crd("gateways.gateway.networking.k8s.io"),
+				crd("grpcroutes.gateway.networking.k8s.io"),
+				crd("httproutes.gateway.networking.k8s.io"),
+				crd("referencegrants.gateway.networking.k8s.io"),
+				clusterRole("system:openshift:gateway-api:aggregate-to-admin"),
+				clusterRole("system:openshift:gateway-api:aggregate-to-view"),
+			},
+			expectUpdate: []client.Object{},
+			expectDelete: []client.Object{},
+			expectStatusUpdate: []client.Object{
+				coWithExtension("ingress", `{"unmanagedGatewayAPICRDNames":"backendtrafficpolicies.gateway.networking.x-k8s.io,listenersets.gateway.networking.x-k8s.io"}`),
+			},
+			expectStartCtrl: true,
+		},
+		{
+			name:                        "unmanaged gateway API CRDs removed",
+			gatewayAPIEnabled:           true,
+			gatewayAPIControllerEnabled: true,
+			existingObjects: []runtime.Object{
+				coWithExtension("ingress", `{"unmanagedGatewayAPICRDNames":"listenersets.gateway.networking.x-k8s.io"}`),
+			},
+			existingStatusSubresource: []client.Object{
+				co("ingress"),
+			},
+			expectCreate: []client.Object{
+				crd("gatewayclasses.gateway.networking.k8s.io"),
+				crd("gateways.gateway.networking.k8s.io"),
+				crd("grpcroutes.gateway.networking.k8s.io"),
+				crd("httproutes.gateway.networking.k8s.io"),
+				crd("referencegrants.gateway.networking.k8s.io"),
+				clusterRole("system:openshift:gateway-api:aggregate-to-admin"),
+				clusterRole("system:openshift:gateway-api:aggregate-to-view"),
+			},
+			expectUpdate: []client.Object{},
+			expectDelete: []client.Object{},
+			expectStatusUpdate: []client.Object{
+				coWithExtension("ingress", `{}`),
+			},
+			expectStartCtrl: true,
+		},
+		{
+			name:                        "third party CRDs",
+			gatewayAPIEnabled:           true,
+			gatewayAPIControllerEnabled: true,
+			existingObjects: []runtime.Object{
+				co("ingress"),
+				crd("thirdpartycrd1.openshift.io"),
+				crd("thirdpartycrd2.openshift.io"),
+			},
+			existingStatusSubresource: []client.Object{
+				co("ingress"),
+			},
+			expectCreate: []client.Object{
+				crd("gatewayclasses.gateway.networking.k8s.io"),
+				crd("gateways.gateway.networking.k8s.io"),
+				crd("grpcroutes.gateway.networking.k8s.io"),
+				crd("httproutes.gateway.networking.k8s.io"),
+				crd("referencegrants.gateway.networking.k8s.io"),
+				clusterRole("system:openshift:gateway-api:aggregate-to-admin"),
+				clusterRole("system:openshift:gateway-api:aggregate-to-view"),
+			},
+			expectUpdate: []client.Object{},
+			expectDelete: []client.Object{},
+			// Third party CRDs have no impact on cluster operator status.
+			expectStatusUpdate: []client.Object{},
+			expectStartCtrl:    true,
+		},
 	}
 
 	scheme := runtime.NewScheme()
@@ -100,11 +215,31 @@ func Test_Reconcile(t *testing.T) {
 			fakeClient := fake.NewClientBuilder().
 				WithScheme(scheme).
 				WithRuntimeObjects(tc.existingObjects...).
+				WithStatusSubresource(tc.existingStatusSubresource...).
+				WithIndex(&apiextensionsv1.CustomResourceDefinition{}, "gatewayAPICRD", client.IndexerFunc(func(o client.Object) []string {
+					// Assume that all experimental CRDs are unmanaged.
+					if strings.Contains(o.GetName(), "gateway.networking.x-k8s.io") {
+						return []string{"unmanaged"}
+					}
+					return []string{}
+				})).
 				Build()
-			cl := &testutil.FakeClientRecorder{fakeClient, t, []client.Object{}, []client.Object{}, []client.Object{}}
+			cl := &testutil.FakeClientRecorder{
+				Client:  fakeClient,
+				T:       t,
+				Added:   []client.Object{},
+				Updated: []client.Object{},
+				Deleted: []client.Object{},
+				StatusWriter: &testutil.FakeStatusWriter{
+					StatusWriter: fakeClient.Status(),
+				},
+			}
 			ctrl := &testutil.FakeController{t, false, nil}
+			informer := informertest.FakeInformers{Scheme: scheme}
+			cache := &testutil.FakeCache{Informers: &informer, Reader: fakeClient}
 			reconciler := &reconciler{
 				client: cl,
+				cache:  cache,
 				config: Config{
 					GatewayAPIEnabled:           tc.gatewayAPIEnabled,
 					GatewayAPIControllerEnabled: tc.gatewayAPIControllerEnabled,
@@ -144,6 +279,9 @@ func Test_Reconcile(t *testing.T) {
 			if diff := cmp.Diff(tc.expectDelete, cl.Deleted, cmpOpts...); diff != "" {
 				t.Fatalf("found diff between expected and actual deletes: %s", diff)
 			}
+			if diff := cmp.Diff(tc.expectStatusUpdate, cl.StatusWriter.Updated, cmpOpts...); diff != "" {
+				t.Fatalf("found diff between expected and actual status updates: %s", diff)
+			}
 		})
 	}
 }
@@ -153,11 +291,30 @@ func TestReconcileOnlyStartsControllerOnce(t *testing.T) {
 	configv1.Install(scheme)
 	apiextensionsv1.AddToScheme(scheme)
 	rbacv1.AddToScheme(scheme)
-	fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithRuntimeObjects().Build()
-	cl := &testutil.FakeClientRecorder{fakeClient, t, []client.Object{}, []client.Object{}, []client.Object{}}
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithRuntimeObjects(
+			&configv1.ClusterOperator{
+				ObjectMeta: metav1.ObjectMeta{Name: "ingress"},
+			}).
+		WithIndex(&apiextensionsv1.CustomResourceDefinition{}, "gatewayAPICRD", client.IndexerFunc(func(o client.Object) []string {
+			// Assume that there are no unmanaged CRDs.
+			return []string{}
+		})).
+		Build()
+	cl := &testutil.FakeClientRecorder{
+		Client:  fakeClient,
+		T:       t,
+		Added:   []client.Object{},
+		Updated: []client.Object{},
+		Deleted: []client.Object{},
+	}
 	ctrl := &testutil.FakeController{t, false, make(chan struct{})}
+	informer := informertest.FakeInformers{Scheme: scheme}
+	cache := &testutil.FakeCache{Informers: &informer, Reader: fakeClient}
 	reconciler := &reconciler{
 		client: cl,
+		cache:  cache,
 		config: Config{
 			GatewayAPIEnabled:           true,
 			GatewayAPIControllerEnabled: true,