NE-1969: Set Degraded=True if unmanaged Gateway API CRDs exist

Set the ingress cluster operator’s `Degraded` status to `True` if unmanaged
Gateway API CRDs exist on the cluster.

An unmanaged Gateway API CRD is one with "gateway.networking.k8s.io" or
"gateway.networking.x-k8s.io" in its `spec.group` field, and not managed
by the gatewayapi controller.

This commit uses the cluster operator’s `status.extension` field
to store the names of unmanaged CRDs. The gatewayapi controller writes
to this field, while the status controller reads it and updates the
ingress cluster operator’s `Degraded` status accordingly.

Author: alebedev87

pkg/operator/controller/gateway-service-dns/controller_test.go

@@ -254,7 +254,13 @@ func Test_Reconcile(t *testing.T) {
 				WithScheme(scheme).
 				WithRuntimeObjects(tc.existingObjects...).
 				Build()
-			cl := &testutil.FakeClientRecorder{fakeClient, t, []client.Object{}, []client.Object{}, []client.Object{}}
+			cl := &testutil.FakeClientRecorder{
+				Client:  fakeClient,
+				T:       t,
+				Added:   []client.Object{},
+				Updated: []client.Object{},
+				Deleted: []client.Object{},
+			}
 			informer := informertest.FakeInformers{Scheme: scheme}
 			cache := testutil.FakeCache{Informers: &informer, Reader: cl}
 			reconciler := &reconciler{

pkg/operator/controller/gatewayapi/controller.go

@@ -2,6 +2,7 @@ package gatewayapi
 
 import (
 	"context"
+	"fmt"
 	"sync"
 
 	logf "github.com/openshift/cluster-ingress-operator/pkg/log"
@@ -14,6 +15,7 @@ import (
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/types"
 
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
@@ -25,7 +27,10 @@ import (
 )
 
 const (
-	controllerName = "gatewayapi_controller"
+	controllerName                    = "gatewayapi_controller"
+	experimantalGatewayAPIGroupName   = "gateway.networking.x-k8s.io"
+	crdAPIGroupIndexFieldName         = "crdAPIGroup"
+	gatewayCRDAPIGroupIndexFieldValue = "gateway"
 )
 
 var log = logf.Logger.WithName(controllerName)
@@ -36,6 +41,7 @@ func New(mgr manager.Manager, config Config) (controller.Controller, error) {
 	operatorCache := mgr.GetCache()
 	reconciler := &reconciler{
 		client: mgr.GetClient(),
+		cache:  operatorCache,
 		config: config,
 	}
 	c, err := controller.New(controllerName, mgr, controller.Options{Reconciler: reconciler})
@@ -60,14 +66,33 @@ func New(mgr manager.Manager, config Config) (controller.Controller, error) {
 		}}
 	}
 
-	// watch for CRDs
-	crdPredicate := predicate.NewPredicateFuncs(func(o client.Object) bool {
-		return o.(*apiextensionsv1.CustomResourceDefinition).Spec.Group == gatewayapiv1.GroupName
-	})
+	isGatewayAPICRD := func(o client.Object) bool {
+		crd := o.(*apiextensionsv1.CustomResourceDefinition)
+		return crd.Spec.Group == gatewayapiv1.GroupName || crd.Spec.Group == experimantalGatewayAPIGroupName
+	}
+	crdPredicate := predicate.NewPredicateFuncs(isGatewayAPICRD)
 
+	// watch for CRDs
 	if err := c.Watch(source.Kind[client.Object](operatorCache, &apiextensionsv1.CustomResourceDefinition{}, handler.EnqueueRequestsFromMapFunc(toFeatureGate), crdPredicate)); err != nil {
 		return nil, err
 	}
+
+	// Index Gateway API CRDs by the "spec.group" field
+	// to enable efficient filtering during list operations.
+	// Currently, only Gateway API groups have a dedicated index field.
+	if err := mgr.GetFieldIndexer().IndexField(
+		context.Background(),
+		&apiextensionsv1.CustomResourceDefinition{},
+		crdAPIGroupIndexFieldName,
+		client.IndexerFunc(func(o client.Object) []string {
+			if isGatewayAPICRD(o) {
+				return []string{gatewayCRDAPIGroupIndexFieldValue}
+			}
+			return []string{}
+		})); err != nil {
+		return nil, fmt.Errorf("failed to create index for custom resource definitions: %w", err)
+	}
+
 	return c, nil
 }
 
@@ -90,6 +115,7 @@ type reconciler struct {
 	config Config
 
 	client           client.Client
+	cache            cache.Cache
 	recorder         record.EventRecorder
 	startControllers sync.Once
 }
@@ -107,6 +133,12 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 		return reconcile.Result{}, err
 	}
 
+	if crdNames, err := r.listUnmanagedGatewayAPICRDs(ctx); err != nil {
+		return reconcile.Result{}, fmt.Errorf("failed to list unmanaged gateway CRDs: %w", err)
+	} else if err = r.setUnmanagedGatewayAPICRDNamesStatus(ctx, crdNames); err != nil {
+		return reconcile.Result{}, fmt.Errorf("failed to update the ingress cluster operator status: %w", err)
+	}
+
 	if !r.config.GatewayAPIControllerEnabled {
 		return reconcile.Result{}, nil
 	}

pkg/operator/controller/gatewayapi/controller_test.go

@@ -2,6 +2,7 @@ package gatewayapi
 
 import (
 	"context"
+	"strings"
 	"testing"
 	"time"
 
@@ -16,6 +17,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 
+	"sigs.k8s.io/controller-runtime/pkg/cache/informertest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
@@ -30,28 +32,41 @@ func Test_Reconcile(t *testing.T) {
 			ObjectMeta: metav1.ObjectMeta{Name: name},
 		}
 	}
+	co := func(name string) *configv1.ClusterOperator {
+		return &configv1.ClusterOperator{
+			ObjectMeta: metav1.ObjectMeta{Name: name},
+		}
+	}
 	tests := []struct {
 		name                        string
 		gatewayAPIEnabled           bool
 		gatewayAPIControllerEnabled bool
 		existingObjects             []runtime.Object
+		existingStatusSubresource   []client.Object
 		expectCreate                []client.Object
 		expectUpdate                []client.Object
 		expectDelete                []client.Object
+		expectStatusUpdate          []client.Object
 		expectStartCtrl             bool
 	}{
 		{
 			name:              "gateway API disabled",
 			gatewayAPIEnabled: false,
-			expectCreate:      []client.Object{},
-			expectUpdate:      []client.Object{},
-			expectDelete:      []client.Object{},
-			expectStartCtrl:   false,
+			existingObjects: []runtime.Object{
+				co("ingress"),
+			},
+			expectCreate:    []client.Object{},
+			expectUpdate:    []client.Object{},
+			expectDelete:    []client.Object{},
+			expectStartCtrl: false,
 		},
 		{
 			name:                        "gateway API enabled",
 			gatewayAPIEnabled:           true,
 			gatewayAPIControllerEnabled: true,
+			existingObjects: []runtime.Object{
+				co("ingress"),
+			},
 			expectCreate: []client.Object{
 				crd("gatewayclasses.gateway.networking.k8s.io"),
 				crd("gateways.gateway.networking.k8s.io"),
@@ -67,6 +82,9 @@ func Test_Reconcile(t *testing.T) {
 			name:                        "gateway API enabled, gateway API controller disabled",
 			gatewayAPIEnabled:           true,
 			gatewayAPIControllerEnabled: false,
+			existingObjects: []runtime.Object{
+				co("ingress"),
+			},
 			expectCreate: []client.Object{
 				crd("gatewayclasses.gateway.networking.k8s.io"),
 				crd("gateways.gateway.networking.k8s.io"),
@@ -78,6 +96,55 @@ func Test_Reconcile(t *testing.T) {
 			expectDelete:    []client.Object{},
 			expectStartCtrl: false,
 		},
+		{
+			name:                        "unmanaged gateway API CRDs",
+			gatewayAPIEnabled:           true,
+			gatewayAPIControllerEnabled: true,
+			existingObjects: []runtime.Object{
+				co("ingress"),
+				crd("listenersets.gateway.networking.x-k8s.io"),
+			},
+			existingStatusSubresource: []client.Object{
+				co("ingress"),
+			},
+			expectCreate: []client.Object{
+				crd("gatewayclasses.gateway.networking.k8s.io"),
+				crd("gateways.gateway.networking.k8s.io"),
+				crd("grpcroutes.gateway.networking.k8s.io"),
+				crd("httproutes.gateway.networking.k8s.io"),
+				crd("referencegrants.gateway.networking.k8s.io"),
+			},
+			expectUpdate: []client.Object{},
+			expectDelete: []client.Object{},
+			expectStatusUpdate: []client.Object{
+				co("ingress"),
+			},
+			expectStartCtrl: true,
+		},
+		{
+			name:                        "third party CRDs",
+			gatewayAPIEnabled:           true,
+			gatewayAPIControllerEnabled: true,
+			existingObjects: []runtime.Object{
+				co("ingress"),
+				crd("thirdpartycrd1.openshift.io"),
+				crd("thirdpartycrd2.openshift.io"),
+			},
+			existingStatusSubresource: []client.Object{
+				co("ingress"),
+			},
+			expectCreate: []client.Object{
+				crd("gatewayclasses.gateway.networking.k8s.io"),
+				crd("gateways.gateway.networking.k8s.io"),
+				crd("grpcroutes.gateway.networking.k8s.io"),
+				crd("httproutes.gateway.networking.k8s.io"),
+				crd("referencegrants.gateway.networking.k8s.io"),
+			},
+			expectUpdate:       []client.Object{},
+			expectDelete:       []client.Object{},
+			expectStatusUpdate: []client.Object{},
+			expectStartCtrl:    true,
+		},
 	}
 
 	scheme := runtime.NewScheme()
@@ -89,11 +156,30 @@ func Test_Reconcile(t *testing.T) {
 			fakeClient := fake.NewClientBuilder().
 				WithScheme(scheme).
 				WithRuntimeObjects(tc.existingObjects...).
+				WithStatusSubresource(tc.existingStatusSubresource...).
+				WithIndex(&apiextensionsv1.CustomResourceDefinition{}, "crdAPIGroup", client.IndexerFunc(func(o client.Object) []string {
+					if strings.Contains(o.GetName(), "gateway.networking") {
+						return []string{"gateway"}
+					}
+					return []string{}
+				})).
 				Build()
-			cl := &testutil.FakeClientRecorder{fakeClient, t, []client.Object{}, []client.Object{}, []client.Object{}}
+			cl := &testutil.FakeClientRecorder{
+				Client:  fakeClient,
+				T:       t,
+				Added:   []client.Object{},
+				Updated: []client.Object{},
+				Deleted: []client.Object{},
+				StatusWriter: &testutil.FakeStatusWriter{
+					StatusWriter: fakeClient.Status(),
+				},
+			}
 			ctrl := &testutil.FakeController{t, false, nil}
+			informer := informertest.FakeInformers{Scheme: scheme}
+			cache := &testutil.FakeCache{Informers: &informer, Reader: fakeClient}
 			reconciler := &reconciler{
 				client: cl,
+				cache:  cache,
 				config: Config{
 					GatewayAPIEnabled:           tc.gatewayAPIEnabled,
 					GatewayAPIControllerEnabled: tc.gatewayAPIControllerEnabled,
@@ -122,6 +208,7 @@ func Test_Reconcile(t *testing.T) {
 				cmpopts.IgnoreFields(metav1.ObjectMeta{}, "Annotations", "ResourceVersion"),
 				cmpopts.IgnoreFields(metav1.TypeMeta{}, "Kind", "APIVersion"),
 				cmpopts.IgnoreFields(apiextensionsv1.CustomResourceDefinition{}, "Spec"),
+				cmpopts.IgnoreFields(configv1.ClusterOperator{}, "Status"),
 			}
 			if diff := cmp.Diff(tc.expectCreate, cl.Added, cmpOpts...); diff != "" {
 				t.Fatalf("found diff between expected and actual creates: %s", diff)
@@ -132,6 +219,9 @@ func Test_Reconcile(t *testing.T) {
 			if diff := cmp.Diff(tc.expectDelete, cl.Deleted, cmpOpts...); diff != "" {
 				t.Fatalf("found diff between expected and actual deletes: %s", diff)
 			}
+			if diff := cmp.Diff(tc.expectStatusUpdate, cl.StatusWriter.Updated, cmpOpts...); diff != "" {
+				t.Fatalf("found diff between expected and actual status updates: %s", diff)
+			}
 		})
 	}
 }
@@ -140,11 +230,29 @@ func TestReconcileOnlyStartsControllerOnce(t *testing.T) {
 	scheme := runtime.NewScheme()
 	configv1.Install(scheme)
 	apiextensionsv1.AddToScheme(scheme)
-	fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithRuntimeObjects().Build()
-	cl := &testutil.FakeClientRecorder{fakeClient, t, []client.Object{}, []client.Object{}, []client.Object{}}
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithRuntimeObjects(
+			&configv1.ClusterOperator{
+				ObjectMeta: metav1.ObjectMeta{Name: "ingress"},
+			}).
+		WithIndex(&apiextensionsv1.CustomResourceDefinition{}, "crdAPIGroup", client.IndexerFunc(func(o client.Object) []string {
+			return []string{"gateway"} // all crds are gateway api ones
+		})).
+		Build()
+	cl := &testutil.FakeClientRecorder{
+		Client:  fakeClient,
+		T:       t,
+		Added:   []client.Object{},
+		Updated: []client.Object{},
+		Deleted: []client.Object{},
+	}
 	ctrl := &testutil.FakeController{t, false, make(chan struct{})}
+	informer := informertest.FakeInformers{Scheme: scheme}
+	cache := &testutil.FakeCache{Informers: &informer, Reader: fakeClient}
 	reconciler := &reconciler{
 		client: cl,
+		cache:  cache,
 		config: Config{
 			GatewayAPIEnabled:           true,
 			GatewayAPIControllerEnabled: true,

pkg/operator/controller/gatewayapi/crds.go

@@ -14,6 +14,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 // managedCRDs is a list of CRDs that this controller manages.
@@ -25,6 +26,15 @@ var managedCRDs = []*apiextensionsv1.CustomResourceDefinition{
 	manifests.ReferenceGrantCRD(),
 }
 
+// managedCRDMap is a map of CRDs that this controller manages.
+var managedCRDMap = map[string]*apiextensionsv1.CustomResourceDefinition{
+	manifests.GatewayClassCRD().Name:   manifests.GatewayClassCRD(),
+	manifests.GatewayCRD().Name:        manifests.GatewayCRD(),
+	manifests.GRPCRouteCRD().Name:      manifests.GRPCRouteCRD(),
+	manifests.HTTPRouteCRD().Name:      manifests.HTTPRouteCRD(),
+	manifests.ReferenceGrantCRD().Name: manifests.ReferenceGrantCRD(),
+}
+
 // ensureCRD attempts to ensure that the specified CRD exists and returns a
 // Boolean indicating whether it exists, the CRD if it does exist, and an error
 // value.
@@ -69,6 +79,24 @@ func (r *reconciler) ensureGatewayAPICRDs(ctx context.Context) error {
 	return utilerrors.NewAggregate(errs)
 }
 
+// listUnmanagedGatewayAPICRDs returns a list of unmanaged Gateway API CRDs
+// which exist in the cluster. A Gateway API CRD has "gateway.networking.k8s.io"
+// or "gateway.networking.x-k8s.io" in its "spec.group" field.
+func (r *reconciler) listUnmanagedGatewayAPICRDs(ctx context.Context) ([]string, error) {
+	gatewayAPICRDs := &apiextensionsv1.CustomResourceDefinitionList{}
+	if err := r.cache.List(ctx, gatewayAPICRDs, client.MatchingFields{crdAPIGroupIndexFieldName: gatewayCRDAPIGroupIndexFieldValue}); err != nil {
+		return nil, fmt.Errorf("failed to list gateway API CRDs: %w", err)
+	}
+
+	var unmanagedCRDNames []string
+	for _, crd := range gatewayAPICRDs.Items {
+		if _, found := managedCRDMap[crd.Name]; !found {
+			unmanagedCRDNames = append(unmanagedCRDNames, crd.Name)
+		}
+	}
+	return unmanagedCRDNames, nil
+}
+
 // currentCRD returns a Boolean indicating whether an CRD
 // exists for the IngressController with the given name, as well as the
 // CRD if it does exist and an error value.