Gateway Listener Conditions are Not Updated Properly for an Invalid or Missing ReferenceGrant

[danehans]

#519 adds support for TLS termination. As part of this PR, initial ReferenceGrant support was added to allow Gateways to reference Secrets in a different namespace. However, listener status is not being updated properly for the following conditions:

1. A Gateway listener should fail to become ready if the Gateway has a certificateRef for a Secret in a different namespace and a ReferenceGrant exists but does not grant permission to that specific Secret.
2. A Gateway listener should fail to become ready if the Gateway has a certificateRef for a Secret in a different namespace and a ReferenceGrant granting permission to the Secret does not exist.

[skriss]

There is code for this in the Gateway API translator: https://github.com/envoyproxy/gateway/blob/main/internal/gatewayapi/translator.go#L416-L441

Will have to dig in further to see what's going wrong.

[skriss]

@danehans I ran through #542 but created the TLS secret in the envoy-gateway-system namespace instead of default, and edited the Gateway to reference that TLS secret, and the status looked like what I'd expect:

spec:
    gatewayClassName: eg
    listeners:
    - allowedRoutes:
        namespaces:
          from: Same
      name: http
      port: 8080
      protocol: HTTP
    - allowedRoutes:
        namespaces:
          from: Same
      name: https
      port: 8443
      protocol: HTTPS
      tls:
        certificateRefs:
        - group: ""
          kind: Secret
          name: example-cert
          namespace: envoy-gateway-system
        mode: Terminate
  status:
    addresses:
    - type: IPAddress
      value: 172.18.255.200
    conditions:
    - lastTransitionTime: "2022-10-12T02:38:43Z"
      message: The Gateway has been scheduled by Envoy Gateway
      observedGeneration: 1
      reason: Scheduled
      status: "True"
      type: Scheduled
    - lastTransitionTime: "2022-10-12T02:38:44Z"
      message: Address assigned to the Gateway, 1/1 envoy Deployment replicas available
      observedGeneration: 1
      reason: Ready
      status: "True"
      type: Ready
    listeners:
    - attachedRoutes: 0
      conditions:
      - lastTransitionTime: "2022-10-12T02:38:43Z"
        message: Listener is ready
        observedGeneration: 1
        reason: Ready
        status: "True"
        type: Ready
      name: http
      supportedKinds:
      - group: gateway.networking.k8s.io
        kind: HTTPRoute
    - attachedRoutes: 0
      conditions:
      - lastTransitionTime: "2022-10-12T02:38:43Z"
        message: Certificate ref to secret envoy-gateway-system/example-cert not permitted
          by any ReferenceGrant
        observedGeneration: 1
        reason: InvalidCertificateRef
        status: "False"
        type: ResolvedRefs
      - lastTransitionTime: "2022-10-12T02:38:43Z"
        message: Listener is invalid, see other Conditions for details.
        observedGeneration: 1
        reason: Invalid
        status: "False"
        type: Ready
      name: https
      supportedKinds:
      - group: gateway.networking.k8s.io
        kind: HTTPRoute

I'll try some more permutations tomorrow to see if I can repro, but if you have any additional repro information, that'd be helpful. Wondering if it's an issue of an update/delete not cascading through all the related resources properly.

[danehans]

@skriss thanks for looking into this. This issue was created due to two failed ReferenceGrant conformance tests. I commented them out and referenced this issue in conformance_tests.go.

[skriss]

Ah, there was a clarification to the condition reason to use for this scenario (see first bullet under Conformance in https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.5.1), I've got a patch ready for that but looks like this is also hitting #441 and the Service is not being created.

[danehans]

cc: @AliceProxy