fix: skip provision when IR Infra is invalid

[zirain]

fixes: #7735

This patch follow up #7009, contains two fixes:

1. Gateway with valid EnvoyPorxy and GatewayClass with invalid EnvoyProxy should be provisioned
2. Failed gateways should not trigger IR deletion for Setting invalid values in EnvoyProxy deletes Deployment all together #7735

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.71%. Comparing base (79af9fe) to head (422b0d6).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7754      +/-   ##
==========================================
+ Coverage   73.67%   73.71%   +0.03%     
==========================================
  Files         241      241              
  Lines       36561    36569       +8     
==========================================
+ Hits        26937    26957      +20     
+ Misses       7712     7704       -8     
+ Partials     1912     1908       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[arkodg]

feel like a workaround, can we address this in a better way in the translator to populate Status w/o trckling down error to downstream callers

[zirain]

what about add a invalid/valid into Infra?

type Infra struct {
	Invalid *bool
	// Proxy defines managed proxy infrastructure.
	Proxy *ProxyInfra `json:"proxy" yaml:"proxy"`
}

[github-actions]

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. Please feel free to give a status update now, ping for review, when it's ready. Thank you for your contributions!

[netlify]

✅ Deploy Preview for cerulean-figolla-1f9435 canceled.

Name	Link
🔨 Latest commit	422b0d6
🔍 Latest deploy log	https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6982dbb68258be0008aa23ff

[arkodg]

trying to better understand why this is needed

• a failedGateway in the gateway API layer impacts Status of the Gateway
• if we fail, we dont insert any invalid values in the IR
• we have validations in the infra layer deal with errors

we are trying to allow partial valid IRs to go through

[zirain]

we dont insert any invalid values in the IR

if we do this, there will be a delete event in Infra layer.

[arkodg]

can you elaborate here

[zirain]

#7735 (comment) showed the delete event.

[arkodg]

thats because it most likely deleted the infra IR instead of creating an Infra IR with unset stat val

[zirain]

that's what I did in internal/gatewayapi/translator.go L474.

[arkodg]

is this needed anymore ?

[zirain]

updated

[zhaohuabing]

Nit: the two loops inside this method are exact the same and can be a bit confusing when reading the code(I expected there are different behaviors when I reviewed the code at the first time).

It can be simplified as:

func (t *Translator) InitIRs(gateways []*GatewayContext) (map[string]*ir.Xds, map[string]*ir.Infra) {

with one loop.

Also, it would be good to add a line of comment to the caller to explain why the Infra IRs of failed Gateways also need to be created.

[zirain]

we shouldn't merge them, in most of the cases, we just need acceptedGateways.
failedGateways will be removed in the next iteration.

[zhaohuabing]

LGTM thanks!

[arkodg]

why does this need to be moved down

[zirain]

move back.

[arkodg]

follow up, should this be Accepted:True and ResolvedRefs:False ?
cc @zhaohuabing

[zirain]

should we use RefNotPermitted here?

	// This condition indicates whether the controller was able to resolve all
	// the object references for the Gateway that are not part of a specific
	// Listener configuration, and also provides a positive-polarity summary of
	// Listener's "ResolvedRefs" condition. This condition does not directly
	// impact the Gateway's Accepted or Programmed conditions.
	//
	// Possible reasons for this condition to be True are:
	//
	// * "ResolvedRefs"
	//
	// Possible reasons for this condition to be False are:
	//
	// * "RefNotPermitted"
	// * "InvalidClientCertificateRef"
	// * "ListenersNotResolved"
	//
	// Controllers may raise this condition with other reasons, but should
	// prefer to use the reasons listed above to improve interoperability.
	//
	// Note: This condition is considered Experimental and may change in future
	// releases of the API.

[arkodg]

probably ListenersNotResolved, from https://github.com/kubernetes-sigs/gateway-api/blob/8ecfe98081f74aec9eb8c44ef265380e2edb9094/apis/v1/gateway_types.go#L1323
RefNotPermitted seems more scoped to ReferenceGrant issues

[zirain]

/retest

[cnvergence]

lgtm