Mirror OpenShift Route admission errors to OpenStackControlPlane conditions

Add route admission status checking to ensure that OpenStackControlPlane
expose conditions (e.g., OpenStackControlPlaneExposeBarbicanReady) properly
reflect errors from the underlying OpenShift Route objects.

Previously, the expose conditions would be set based only on whether the
route could be created, but would not reflect subsequent admission failures
by the OpenShift router (e.g., hostname conflicts, invalid configurations).
This could leave the condition in a misleading state where it appeared
successful while the route was actually not admitted.

Changes:
- Add checkRouteAdmissionStatus() helper function to inspect route
  status.ingress[0].conditions for the "Admitted" condition
- Update ensureRoute() to check route admission status after creation
  and update the condition accordingly
- Add OpenStackControlPlaneExposeServiceReadyRouteAdmissionErrorMessage
  constant for clear error reporting
- Set expose conditions to True only when routes are successfully admitted
- Set expose conditions to False with detailed error messages when route
  admission fails

This ensures that conditions like OpenStackControlPlaneExposeBarbicanReady,
OpenStackControlPlaneExposeKeystoneAPIReady, etc. accurately reflect the
actual state of the routes, making debugging easier for operators.

The implementation handles edge cases gracefully:
- Routes without ingress status yet (during initial creation)
- Routes without admission conditions yet (still being processed)
- Routes with failed admission (error is surfaced in the condition)
- Routes successfully admitted (condition set to True)

Note: RouteAdmitted (type "Admitted") is currently the only officially
defined condition type in the OpenShift Route API (github.com/openshift/api).
The implementation loops through all conditions to be future-proof for when
additional condition types are added, but today it will only find the
"Admitted" condition.

Jira: https://issues.redhat.com/browse/OSPRH-8984

AssistedBy: cloude-4-sonnet
Signed-off-by: Martin Schuppert <[email protected]>

Author: stuggi

apis/core/v1beta1/conditions.go

@@ -448,6 +448,9 @@ const (
 	// OpenStackControlPlaneExposeServiceReadyMessage
 	OpenStackControlPlaneExposeServiceReadyMessage = "OpenStackControlPlane %s service exposed"
 
+	// OpenStackControlPlaneExposeServiceReadyRouteAdmissionErrorMessage
+	OpenStackControlPlaneExposeServiceReadyRouteAdmissionErrorMessage = "OpenStackControlPlane %s route %s admission failed: %s"
+
 	// OpenStackControlPlaneCAReadyInitMessage
 	OpenStackControlPlaneCAReadyInitMessage = "OpenStackControlPlane CAs not started"
 

go.mod

@@ -114,6 +114,7 @@ require (
 	golang.org/x/tools v0.37.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	google.golang.org/protobuf v1.36.7 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/apiextensions-apiserver v0.33.2 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect

pkg/openstack/common.go

@@ -516,6 +516,26 @@ func (ed *EndpointDetail) ensureRoute(
 			return ctrlResult, nil
 		}
 
+		// Check the route admission status and update condition accordingly
+		err = checkRouteAdmissionStatus(ctx, helper, ed.Name, ed.Namespace)
+		if err != nil {
+			instance.Status.Conditions.Set(condition.FalseCondition(
+				condType,
+				condition.ErrorReason,
+				condition.SeverityWarning,
+				corev1.OpenStackControlPlaneExposeServiceReadyRouteAdmissionErrorMessage,
+				owner.GetName(),
+				ed.Name,
+				err.Error()))
+			return ctrl.Result{}, err
+		}
+
+		// Route is successfully created and admitted
+		instance.Status.Conditions.MarkTrue(
+			condType,
+			corev1.OpenStackControlPlaneExposeServiceReadyMessage,
+			owner.GetName())
+
 		return ctrl.Result{}, nil
 	}
 	instance.Status.Conditions.Remove(condType)
@@ -707,6 +727,45 @@ func (ed *EndpointDetail) CreateRoute(
 	return ctrl.Result{}, nil
 }
 
+// checkRouteAdmissionStatus checks the admission status of a route and returns an error if not admitted
+func checkRouteAdmissionStatus(
+	ctx context.Context,
+	helper *helper.Helper,
+	routeName string,
+	namespace string,
+) error {
+	serviceRoute := &routev1.Route{}
+	err := helper.GetClient().Get(ctx, types.NamespacedName{Name: routeName, Namespace: namespace}, serviceRoute)
+	if err != nil {
+		return err
+	}
+
+	// Check if the route has ingress status
+	if len(serviceRoute.Status.Ingress) == 0 {
+		// Route exists but has no ingress status yet - this is normal during initial creation
+		// Return nil to allow reconciliation to continue
+		return nil
+	}
+
+	// Check the admission status of the first ingress
+	for _, condition := range serviceRoute.Status.Ingress[0].Conditions {
+		// RouteAdmitted (value: "Admitted") is currently the only officially defined condition type in the OpenShift Route API
+		// https://github.com/openshift/api/blob/c9bef43e850983ce73f69a58b9da0bd02883c26a/route/v1/types.go#L384
+		// RouteAdmitted means the route is able to service requests for the provided Host
+		if condition.Type == routev1.RouteAdmitted {
+			if condition.Status != k8s_corev1.ConditionTrue {
+				// Route admission failed - return error with the message
+				return fmt.Errorf("%s", condition.Message)
+			}
+			// Route is admitted successfully
+			return nil
+		}
+	}
+
+	// No admission condition found yet - route is still being processed
+	return nil
+}
+
 // GetEndptCertSecret -
 func (e *Endpoints) GetEndptCertSecret(endpt service.Endpoint) *string {
 	var endptTLSSecret *string