
Gateway doesn't indicate that TLSPolicy is failing

Open pehala opened this issue 2 years ago • 2 comments

If you use a failing TLSPolicy in a single-cluster context, the Gateway reports Ready and claims to be affected only by a DNSPolicy.

I expect to see at least some status indicating that something is wrong with the attached TLSPolicy. There is an error in the listener section, but that still didn't prevent the Gateway from going to the "Ready" state.

Gateway:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  labels:
    app: testrun-phala-kudrnt-te-j3k-qsqdtgg
    cluster.open-cluster-management.io/placement: http-gateway
  name: mgc-gate-phala-kudrnt-te-6ybc
  namespace: kuadrant
spec:
  gatewayClassName: istio
  listeners:
    - allowedRoutes:
        namespaces:
          from: All
      hostname: '*.aws.kua.3scale.app-services-dev.net'
      name: api
      port: 443
      protocol: HTTPS
      tls:
        certificateRefs:
          - group: ''
            kind: Secret
            name: mgc-gate-phala-kudrnt-te-6ybc-tls
        mode: Terminate
status:
  addresses:
    - type: IPAddress
      value: 10.0.193.68
  conditions:
    - lastTransitionTime: '2024-02-13T13:51:15Z'
      message: Resource accepted
      observedGeneration: 1
      reason: Accepted
      status: 'True'
      type: Accepted
    - lastTransitionTime: '2024-02-13T13:53:04Z'
      message: >-
        Resource programmed, assigned to service(s)
        mgc-gate-phala-kudrnt-te-6ybc-istio.kuadrant.svc.cluster.local:443
      observedGeneration: 1
      reason: Programmed
      status: 'True'
      type: Programmed
    - lastTransitionTime: '2024-02-13T13:54:01Z'
      message: >-
        policy success. Object affected by policy kuadrant.io/v1alpha1,
        Kind=DNSPolicy in namespace kuadrant with name dns-phala-kudrnt-te-heyl
      observedGeneration: 1
      reason: Accepted
      status: 'True'
      type: kuadrant.io/DNSPolicyAffected
  listeners:
    - attachedRoutes: 0
      conditions:
        - lastTransitionTime: '2024-02-13T13:51:15Z'
          message: No errors found
          observedGeneration: 1
          reason: Accepted
          status: 'True'
          type: Accepted
        - lastTransitionTime: '2024-02-13T13:51:15Z'
          message: No errors found
          observedGeneration: 1
          reason: NoConflicts
          status: 'False'
          type: Conflicted
        - lastTransitionTime: '2024-02-13T13:51:15Z'
          message: Bad TLS configuration
          observedGeneration: 1
          reason: Invalid
          status: 'False'
          type: Programmed
        - lastTransitionTime: '2024-02-13T13:51:15Z'
          message: >-
            invalid certificate reference
            /Secret/mgc-gate-phala-kudrnt-te-6ybc-tls., secret
            kuadrant/mgc-gate-phala-kudrnt-te-6ybc-tls not found
          observedGeneration: 1
          reason: InvalidCertificateRef
          status: 'False'
          type: ResolvedRefs
      name: api
      supportedKinds:
        - group: gateway.networking.k8s.io
          kind: HTTPRoute
        - group: gateway.networking.k8s.io
          kind: GRPCRoute

TLSPolicy:

apiVersion: kuadrant.io/v1alpha1
kind: TLSPolicy
metadata:
  name: tls-phala-kudrnt-te-jeui
  namespace: kuadrant
  finalizers:
    - kuadrant.io/tls-policy
  labels:
    app: testrun-phala-kudrnt-te-j3k-qsqdtgg
spec:
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: selfsigned-cluster-issuer2
  privateKey: {}
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: mgc-gate-phala-kudrnt-te-6ybc
    namespace: kuadrant
status:
  conditions:
    - lastTransitionTime: '2024-02-13T13:51:19Z'
      message: ClusterIssuer.cert-manager.io "selfsigned-cluster-issuer2" not found
      reason: ReconciliationError
      status: 'False'
      type: Ready
  observedGeneration: 1

pehala, Feb 13 '24 13:02

Ensure that TLS Policy affected status is on gateway when policy is not ready.

philbrookes, May 09 '24 09:05

We can't stop the gateway from going into a ready state, but we could add the enforced and accepted conditions as stated. Some work was done here around TLSPolicy status (https://github.com/Kuadrant/kuadrant-operator/pull/635), so it may be worth re-checking whether this is still an issue.

maleck13, May 15 '24 07:05

I was not able to reproduce this issue. The failing TLS Policy:

k get tlspolicy tls-policy -n test -o yaml | yq ".status.conditions"
- lastTransitionTime: "2024-05-28T13:58:42Z"
  message: 'TLSPolicy has encountered some issues: ClusterIssuer.cert-manager.io "selfsigned-cluster-issuer2" not found'
  reason: Unknown
  status: "False"
  type: Accepted

And the Gateway status:

k get gateway test -n test -o yaml | yq ".status.conditions"
- lastTransitionTime: "2024-05-28T13:58:42Z"
  message: Resource accepted
  observedGeneration: 1
  reason: Accepted
  status: "True"
  type: Accepted
- lastTransitionTime: "2024-05-28T13:58:44Z"
  message: Resource programmed, assigned to service(s) test-istio.test.svc.cluster.local:80
  observedGeneration: 1
  reason: Programmed
  status: "True"
  type: Programmed
- lastTransitionTime: "2024-05-28T13:58:44Z"
  message: Object affected by DNSPolicy test/dnspolicy-sample
  observedGeneration: 1
  reason: Accepted
  status: "True"
  type: kuadrant.io/DNSPolicyAffected
- lastTransitionTime: "2024-05-28T13:58:44Z"
  message: Object unaffected by TLSPolicy test/tls-policy, policy is not accepted
  observedGeneration: 1
  reason: Unknown
  status: "False"
  type: kuadrant.io/TLSPolicyAffected

Closing this issue

maksymvavilov, May 28 '24 14:05
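The two Gateway statuses quoted in this thread show the same operational pitfall from different angles: in the original report the top-level `Programmed` condition is `True` while the listener carries `Programmed=False`/`ResolvedRefs=False` and no `kuadrant.io/TLSPolicyAffected` condition exists at all; in the later reproduction the listener is fine but `kuadrant.io/TLSPolicyAffected` is present with `status: "False"`. A readiness check that only looks at the top-level conditions misses both. The script below is an added example, not code from kuadrant-operator or from anyone in this thread; it walks a Gateway object (as `kubectl get gateway ... -o json` would return it, here constructed inline from the conditions quoted above) and reports every listener-level TLS failure and every missing or negative TLSPolicyAffected condition, so that a Gateway serving HTTPS with no usable certificate is not treated as healthy.

```python
"""Flag a Gateway that reports Programmed=True while its TLS setup is broken.

Added example for this issue (not kuadrant-operator code). Field names follow
the Gateway API status schema; the sample objects below are constructed from
the conditions quoted in the thread and are not live cluster output.
"""


def _cond(conditions, cond_type):
    """Return the condition of the given type from a condition list, or None."""
    for c in conditions or []:
        if c.get("type") == cond_type:
            return c
    return None


def gateway_findings(gateway):
    """Return a list of findings for a Gateway object (empty list == healthy).

    Checks:
      * every listener's Programmed and ResolvedRefs conditions
      * presence and status of kuadrant.io/TLSPolicyAffected when any listener
        terminates TLS
      * whether the top-level Programmed condition hides any of the above
    """
    status = gateway.get("status", {})
    top = status.get("conditions", [])
    findings = []

    for listener in status.get("listeners", []):
        name = listener.get("name", "<unnamed>")
        for ctype in ("Programmed", "ResolvedRefs"):
            c = _cond(listener.get("conditions"), ctype)
            if c is not None and c.get("status") != "True":
                msg = " ".join(c.get("message", "").split())  # collapse folded YAML text
                findings.append(f"listener {name}: {ctype}=False ({c.get('reason')}): {msg}")

    has_tls_listener = any(
        lst.get("tls") for lst in gateway.get("spec", {}).get("listeners", [])
    )
    tls_affected = _cond(top, "kuadrant.io/TLSPolicyAffected")
    if has_tls_listener and tls_affected is None:
        findings.append("no kuadrant.io/TLSPolicyAffected condition although a listener terminates TLS")
    elif tls_affected is not None and tls_affected.get("status") != "True":
        findings.append(f"TLSPolicyAffected=False: {tls_affected.get('message')}")

    programmed = _cond(top, "Programmed")
    if findings and programmed is not None and programmed.get("status") == "True":
        findings.insert(0, "Gateway reports Programmed=True although listener/TLS problems exist")
    return findings


# Constructed sample 1: the original report (listener errors, no TLSPolicyAffected).
SAMPLE_ORIGINAL = {
    "spec": {"listeners": [{"name": "api", "port": 443, "protocol": "HTTPS",
                            "tls": {"mode": "Terminate"}}]},
    "status": {
        "conditions": [
            {"type": "Accepted", "status": "True", "reason": "Accepted"},
            {"type": "Programmed", "status": "True", "reason": "Programmed"},
            {"type": "kuadrant.io/DNSPolicyAffected", "status": "True", "reason": "Accepted"},
        ],
        "listeners": [{
            "name": "api",
            "conditions": [
                {"type": "Accepted", "status": "True", "reason": "Accepted"},
                {"type": "Programmed", "status": "False", "reason": "Invalid",
                 "message": "Bad TLS configuration"},
                {"type": "ResolvedRefs", "status": "False", "reason": "InvalidCertificateRef",
                 "message": "secret kuadrant/mgc-gate-phala-kudrnt-te-6ybc-tls not found"},
            ],
        }],
    },
}

# Constructed sample 2: the later reproduction (listener fine, TLSPolicyAffected=False).
SAMPLE_LATER = {
    "spec": {"listeners": [{"name": "api", "port": 443, "protocol": "HTTPS",
                            "tls": {"mode": "Terminate"}}]},
    "status": {
        "conditions": [
            {"type": "Programmed", "status": "True", "reason": "Programmed"},
            {"type": "kuadrant.io/TLSPolicyAffected", "status": "False", "reason": "Unknown",
             "message": "Object unaffected by TLSPolicy test/tls-policy, policy is not accepted"},
        ],
        "listeners": [{"name": "api", "conditions": [
            {"type": "Programmed", "status": "True", "reason": "Programmed"},
            {"type": "ResolvedRefs", "status": "True", "reason": "ResolvedRefs"},
        ]}],
    },
}


if __name__ == "__main__":
    for label, gw in (("original", SAMPLE_ORIGINAL), ("later", SAMPLE_LATER)):
        print(label)
        for line in gateway_findings(gw) or ["no findings"]:
            print("  -", line)
```

For a live cluster, feed the function the output of `kubectl get gateway <name> -n <namespace> -o json` after `json.load`; the check deliberately treats a missing `TLSPolicyAffected` condition on a TLS-terminating listener as a finding, since the absence of any TLS status was exactly what made the original report misleading.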