From 551f2ca148c51baadc73981e5c4d35e2fe72dbb8 Mon Sep 17 00:00:00 2001 From: Roman Willi Date: Wed, 10 Jun 2026 17:16:44 +0200 Subject: [PATCH 1/2] feat(health): support various Policies of Airlock Microgateway Signed-off-by: Roman Willi --- .../microgateway.airlock.com/_/health.lua | 49 +++++++++++++++++++ .../_/health_test.yaml | 26 ++++++++++ .../_/testdata/xcustomresource_unknown.yaml | 18 +++++++ .../xpolicy_degraded_conflicting.yaml | 25 ++++++++++ .../xpolicy_degraded_resolved_refs.yaml | 27 ++++++++++ .../_/testdata/xpolicy_healthy.yaml | 25 ++++++++++ .../_/testdata/xpolicy_progressing.yaml | 18 +++++++ ...olicy_progressing_observed_generation.yaml | 25 ++++++++++ util/lua/lua_test.go | 1 + 9 files changed, 214 insertions(+) create mode 100644 resource_customizations/microgateway.airlock.com/_/health.lua create mode 100644 resource_customizations/microgateway.airlock.com/_/health_test.yaml create mode 100644 resource_customizations/microgateway.airlock.com/_/testdata/xcustomresource_unknown.yaml create mode 100644 resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_conflicting.yaml create mode 100644 resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_resolved_refs.yaml create mode 100644 resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_healthy.yaml create mode 100644 resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing.yaml create mode 100644 resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing_observed_generation.yaml diff --git a/resource_customizations/microgateway.airlock.com/_/health.lua b/resource_customizations/microgateway.airlock.com/_/health.lua new file mode 100644 index 0000000000000..7b39259745e57 --- /dev/null +++ b/resource_customizations/microgateway.airlock.com/_/health.lua 
@@ -0,0 +1,49 @@
+local hs = { status = "Progressing", message = "Waiting for " .. (obj.kind or "Policy") .. " status"}
+
+local function is_policy_kind(kind)
+ return kind ~= nil and string.match(kind, "Policy$") ~= nil
+end
+
+if not is_policy_kind(obj.kind) then
+ return nil
+end
+
+if obj.status ~= nil and obj.status.ancestors ~= nil then
+ if obj.metadata.generation ~= nil then
+ for i, ancestor in ipairs(obj.status.ancestors) do
+ for _, condition in ipairs(ancestor.conditions) do
+ if condition.observedGeneration ~= nil then
+ if condition.observedGeneration ~= obj.metadata.generation then
+ hs.message = "Waiting for Ancestor " .. (ancestor.ancestorRef.name or "") .. " to update " .. (obj.kind or "Policy") .. " status"
+ return hs
+ end
+ end
+ end
+ end
+ end
+
+ for i, ancestor in ipairs(obj.status.ancestors) do
+ for j, condition in ipairs(ancestor.conditions) do
+ if condition.type == "Accepted" then
+ if condition.status ~= "True" then
+ hs.status = "Degraded"
+ hs.message = "Ancestor " .. (ancestor.ancestorRef.name or "") .. ": " .. condition.message
+ return hs
+ else
+ hs.status = "Healthy"
+ hs.message = (obj.kind or "Policy") .. " is healthy"
+ end
+ end
+
+ if condition.type == "ResolvedRefs" then
+ if condition.status ~= "True" then
+ hs.status = "Degraded"
+ hs.message = "Ancestor " .. (ancestor.ancestorRef.name or "") .. ": " .. condition.message
+ return hs
+ end
+ end
+ end
+ end
+end
+
+return hs
diff --git a/resource_customizations/microgateway.airlock.com/_/health_test.yaml b/resource_customizations/microgateway.airlock.com/_/health_test.yaml
new file mode 100644
index 0000000000000..c1023dec2ba54
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/health_test.yaml
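Review bot: Both loops call `ipairs(ancestor.conditions)` and the two Degraded branches concatenate `condition.message` with no nil guard, so an ancestor entry without `conditions`, or a failing condition without a message, makes the script raise instead of returning a status. Whether the controller always writes both fields is not visible here; if it does not, a rejected policy would presumably surface as a script error rather than as Degraded with the controller's reason. I would iterate with `for _, condition in ipairs(ancestor.conditions or {}) do` and build the text with `.. (condition.message or "")`, matching the `(ancestor.ancestorRef.name or "")` guard already used on the same lines. The loop variables `i` and `j` are unused and can be written as `_`.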
@@ -0,0 +1,26 @@
+tests:
+- healthStatus:
+ status: Healthy
+ message: "XPolicy is healthy"
+ inputPath: testdata/xpolicy_healthy.yaml
+- healthStatus:
+ status: Degraded
+ message: "Ancestor example-gateway: XPolicy is conflicting with other policies for this ancestor: [example-xpolicy]"
+ inputPath: testdata/xpolicy_degraded_conflicting.yaml
+- healthStatus:
+ status: Degraded
+ message: >-
+ Ancestor example-gateway: Resolving XPolicy failed:
+ Missing referenced XResource.Secret 'ca'
+ WARNING: traffic to referenced target(s) will be rejected.
+ inputPath: testdata/xpolicy_degraded_resolved_refs.yaml
+- healthStatus:
+ status: Progressing
+ message: "Waiting for XPolicy status"
+ inputPath: testdata/xpolicy_progressing.yaml
+- healthStatus:
+ status: Progressing
+ message: "Waiting for Ancestor example-gateway to update XPolicy status"
+ inputPath: testdata/xpolicy_progressing_observed_generation.yaml
+- healthStatus: {}
+ inputPath: testdata/xcustomresource_unknown.yaml
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/xcustomresource_unknown.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/xcustomresource_unknown.yaml
new file mode 100644
index 0000000000000..48df41d132e88
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/testdata/xcustomresource_unknown.yaml
@@ -0,0 +1,18 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: XCustomResource
+metadata:
+ name: example-xcustomresource
+ namespace: default
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: example-httproute
+status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: example-gateway
+ conditions: []
+ controllerName: example.com/gatewayclass-controller
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_conflicting.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_conflicting.yaml
new file mode 100644
index 0000000000000..5c70957e39949
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_conflicting.yaml
@@ -0,0 +1,25 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: XPolicy
+metadata:
+ name: example-xpolicy-2
+ namespace: default
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: example-httproute
+status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: example-gateway
+ conditions:
+ - lastTransitionTime: '2026-04-16T14:21:38Z'
+ message: >-
+ XPolicy is conflicting with other policies for this ancestor: [example-xpolicy]
+ observedGeneration: 3
+ reason: Conflicted
+ status: 'False'
+ type: Accepted
+ controllerName: example.com/gatewayclass-controller
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_resolved_refs.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_resolved_refs.yaml
new file mode 100644
index 0000000000000..7106baadc7190
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_resolved_refs.yaml
@@ -0,0 +1,27 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: XPolicy
+metadata:
+ name: example-xpolicy
+ namespace: default
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: example-httproute
+status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: example-gateway
+ conditions:
+ - lastTransitionTime: '2026-04-16T12:20:11Z'
+ message: >-
+ Resolving XPolicy failed:
+ Missing referenced XResource.Secret 'ca'
+ WARNING: traffic to referenced target(s) will be rejected.
+ observedGeneration: 3
+ reason: Invalid
+ status: 'False'
+ type: Accepted
+ controllerName: example.com/gatewayclass-controller
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_healthy.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_healthy.yaml
new file mode 100644
index 0000000000000..8ef59db47b784
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_healthy.yaml
@@ -0,0 +1,25 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: XPolicy
+metadata:
+ name: example-xpolicy
+ namespace: default
+ generation: 3
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: example-httproute
+status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: example-gateway
+ conditions:
+ - lastTransitionTime: '2026-04-16T12:20:11Z'
+ message: XPolicy is accepted
+ observedGeneration: 3
+ reason: Accepted
+ status: 'True'
+ type: Accepted
+ controllerName: example.com/gatewayclass-controller
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing.yaml
new file mode 100644
index 0000000000000..3f1dc08003b84
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing.yaml
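Review bot: This fixture is named for the ResolvedRefs case, but its only condition is `type: Accepted` with `status: 'False'`, so the `condition.type == "ResolvedRefs"` branch in health.lua is not reached by any test input in this patch. Adding a second condition with `type: ResolvedRefs` and `status: 'False'` next to an `Accepted` condition with `status: 'True'` would pin that a policy whose references cannot be resolved is reported as Degraded rather than Healthy. The fixture also sets no `metadata.generation`, so the observedGeneration comparison is skipped for it.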
@@ -0,0 +1,18 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: XPolicy
+metadata:
+ name: example-xpolicy
+ namespace: default
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: example-httproute
+status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: example-gateway
+ conditions: []
+ controllerName: example.com/gatewayclass-controller
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing_observed_generation.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing_observed_generation.yaml
new file mode 100644
index 0000000000000..0d3335ce9088f
--- /dev/null
+++ b/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing_observed_generation.yaml
@@ -0,0 +1,25 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: XPolicy
+metadata:
+ name: example-xpolicy
+ namespace: default
+ generation: 3
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: example-httproute
+status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: example-gateway
+ conditions:
+ - lastTransitionTime: '2026-04-16T12:20:11Z'
+ message: XPolicy is accepted
+ observedGeneration: 1
+ reason: Accepted
+ status: 'True'
+ type: Accepted
+ controllerName: example.com/gatewayclass-controller
diff --git a/util/lua/lua_test.go b/util/lua/lua_test.go
index fdc3e36921112..ef2968ec458e1 100644
--- a/util/lua/lua_test.go
+++ b/util/lua/lua_test.go
@@ -1127,6 +1127,7 @@ func Test_getHealthScriptPaths(t *testing.T) {
 "_.crossplane.io/_",
 "_.upbound.io/_",
 "grafana-org-operator.kubitus-project.gitlab.io/_",
+ "microgateway.airlock.com/_",
 "operator.victoriametrics.com/_",
 }, paths)
 }
From eddfbc9ac0b1f970f83fb157825f7f4b146e4ffc Mon Sep 17 00:00:00 2001
From: Roman Willi Date: Mon, 15 Jun 2026 09:35:58 +0200 Subject: [PATCH 2/2] feat(health): implement unit test cases with actual resource kinds of microgateway.airlock.com API group Signed-off-by: Roman Willi --- .../microgateway.airlock.com/_/health.lua | 2 +- .../_/health_test.yaml | 28 ++++++++++--------- ...licting.yaml => degraded_conflicting.yaml} | 6 ++-- ..._refs.yaml => degraded_resolved_refs.yaml} | 8 +++--- .../{xpolicy_healthy.yaml => healthy.yaml} | 6 ++-- ...resource_unknown.yaml => progressing.yaml} | 4 +-- ...l => progressing_observed_generation.yaml} | 6 ++-- ...{xpolicy_progressing.yaml => unknown.yaml} | 4 +-- 8 files changed, 33 insertions(+), 31 deletions(-) rename resource_customizations/microgateway.airlock.com/_/testdata/{xpolicy_degraded_conflicting.yaml => degraded_conflicting.yaml} (74%) rename resource_customizations/microgateway.airlock.com/_/testdata/{xpolicy_degraded_resolved_refs.yaml => degraded_resolved_refs.yaml} (78%) rename resource_customizations/microgateway.airlock.com/_/testdata/{xpolicy_healthy.yaml => healthy.yaml} (83%) rename resource_customizations/microgateway.airlock.com/_/testdata/{xcustomresource_unknown.yaml => progressing.yaml} (85%) rename resource_customizations/microgateway.airlock.com/_/testdata/{xpolicy_progressing_observed_generation.yaml => progressing_observed_generation.yaml} (86%) rename resource_customizations/microgateway.airlock.com/_/testdata/{xpolicy_progressing.yaml => unknown.yaml} (90%) diff --git a/resource_customizations/microgateway.airlock.com/_/health.lua b/resource_customizations/microgateway.airlock.com/_/health.lua index 7b39259745e57..df614f9d2145b 100644 --- a/resource_customizations/microgateway.airlock.com/_/health.lua +++ b/resource_customizations/microgateway.airlock.com/_/health.lua 
@@ -5,7 +5,7 @@ local function is_policy_kind(kind) end if not is_policy_kind(obj.kind) then - return nil + return { status = "Healthy", message = obj.kind .. " is healthy" } end if obj.status ~= nil and obj.status.ancestors ~= nil then diff --git a/resource_customizations/microgateway.airlock.com/_/health_test.yaml b/resource_customizations/microgateway.airlock.com/_/health_test.yaml index c1023dec2ba54..d498851a7ba97 100644 --- a/resource_customizations/microgateway.airlock.com/_/health_test.yaml +++ b/resource_customizations/microgateway.airlock.com/_/health_test.yaml 
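Review bot: The new fallback reports every kind that does not end in `Policy` as Healthy without reading `obj.status`, and it concatenates `obj.kind` unguarded although `is_policy_kind` sends a nil kind into exactly this branch. For kinds such as `DenyRules` (the kind used in unknown.yaml), an unconditional green state could hide a resource the controller rejected; whether the non-policy kinds expose conditions at all is not visible in this diff. At minimum I would add a comment such as `-- non-Policy kinds: status is not evaluated, reported Healthy by design` and guard the message as `message = (obj.kind or "Resource") .. " is healthy"`, in line with the `(obj.kind or "Policy")` fallback on the script's first line. The enclosing script continues past the end of this hunk.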
@@ -1,26 +1,28 @@ tests: - healthStatus: status: Healthy - message: "XPolicy is healthy" - inputPath: testdata/xpolicy_healthy.yaml + message: "AccessControlPolicy is healthy" + inputPath: testdata/healthy.yaml - healthStatus: status: Degraded - message: "Ancestor example-gateway: XPolicy is conflicting with other policies for this ancestor: [example-xpolicy]" - inputPath: testdata/xpolicy_degraded_conflicting.yaml + message: "Ancestor example-gateway: ContentSecurityPolicy is conflicting with other policies for this ancestor: [example-contentsecuritypolicy]" + inputPath: testdata/degraded_conflicting.yaml - healthStatus: status: Degraded message: >- - Ancestor example-gateway: Resolving XPolicy failed: - Missing referenced XResource.Secret 'ca' + Ancestor example-gateway: Resolving CustomResponsePolicy failed: + Missing referenced CustomResponse 'example' WARNING: traffic to referenced target(s) will be rejected. - inputPath: testdata/xpolicy_degraded_resolved_refs.yaml + inputPath: testdata/degraded_resolved_refs.yaml - healthStatus: status: Progressing - message: "Waiting for XPolicy status" - inputPath: testdata/xpolicy_progressing.yaml + message: "Waiting for EnvoyExtensionPolicy status" + inputPath: testdata/progressing.yaml - healthStatus: status: Progressing - message: "Waiting for Ancestor example-gateway to update XPolicy status" - inputPath: testdata/xpolicy_progressing_observed_generation.yaml -- healthStatus: {} - inputPath: testdata/xcustomresource_unknown.yaml + message: "Waiting for Ancestor example-gateway to update ICAPPolicy status" + inputPath: testdata/progressing_observed_generation.yaml +- healthStatus: + status: Healthy + message: "DenyRules is healthy" + inputPath: testdata/unknown.yaml 
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_conflicting.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/degraded_conflicting.yaml similarity index 74% rename from resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_conflicting.yaml rename to resource_customizations/microgateway.airlock.com/_/testdata/degraded_conflicting.yaml index 5c70957e39949..1201ca9d5c0b1 100644 --- a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_conflicting.yaml +++ b/resource_customizations/microgateway.airlock.com/_/testdata/degraded_conflicting.yaml @@ -1,7 +1,7 @@ apiVersion: microgateway.airlock.com/v1alpha1 -kind: XPolicy +kind: ContentSecurityPolicy metadata: - name: example-xpolicy-2 + name: example-contentsecuritypolicy-2 namespace: default spec: targetRefs: @@ -17,7 +17,7 @@ status: conditions: - lastTransitionTime: '2026-04-16T14:21:38Z' message: >- - XPolicy is conflicting with other policies for this ancestor: [example-xpolicy] + ContentSecurityPolicy is conflicting with other policies for this ancestor: [example-contentsecuritypolicy] observedGeneration: 3 reason: Conflicted status: 'False' diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_resolved_refs.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/degraded_resolved_refs.yaml similarity index 78% rename from resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_resolved_refs.yaml rename to resource_customizations/microgateway.airlock.com/_/testdata/degraded_resolved_refs.yaml index 7106baadc7190..1cab9d48e26d5 100644 --- a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_degraded_resolved_refs.yaml +++ b/resource_customizations/microgateway.airlock.com/_/testdata/degraded_resolved_refs.yaml 
@@ -1,7 +1,7 @@ apiVersion: microgateway.airlock.com/v1alpha1 -kind: XPolicy +kind: CustomResponsePolicy metadata: - name: example-xpolicy + name: example-customresponsepolicy namespace: default spec: targetRefs: @@ -17,8 +17,8 @@ status: conditions: - lastTransitionTime: '2026-04-16T12:20:11Z' message: >- - Resolving XPolicy failed: - Missing referenced XResource.Secret 'ca' + Resolving CustomResponsePolicy failed: + Missing referenced CustomResponse 'example' WARNING: traffic to referenced target(s) will be rejected. observedGeneration: 3 reason: Invalid diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_healthy.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/healthy.yaml similarity index 83% rename from resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_healthy.yaml rename to resource_customizations/microgateway.airlock.com/_/testdata/healthy.yaml index 8ef59db47b784..258c16910f0ed 100644 --- a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_healthy.yaml +++ b/resource_customizations/microgateway.airlock.com/_/testdata/healthy.yaml @@ -1,7 +1,7 @@ apiVersion: microgateway.airlock.com/v1alpha1 -kind: XPolicy +kind: AccessControlPolicy metadata: - name: example-xpolicy + name: example-accesscontrolpolicy namespace: default generation: 3 spec: @@ -17,7 +17,7 @@ status: name: example-gateway conditions: - lastTransitionTime: '2026-04-16T12:20:11Z' - message: XPolicy is accepted + message: AccessControlPolicy is accepted observedGeneration: 3 reason: Accepted status: 'True' 
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/xcustomresource_unknown.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/progressing.yaml similarity index 85% rename from resource_customizations/microgateway.airlock.com/_/testdata/xcustomresource_unknown.yaml rename to resource_customizations/microgateway.airlock.com/_/testdata/progressing.yaml index 48df41d132e88..9e60e52719d8b 100644 --- a/resource_customizations/microgateway.airlock.com/_/testdata/xcustomresource_unknown.yaml +++ b/resource_customizations/microgateway.airlock.com/_/testdata/progressing.yaml @@ -1,7 +1,7 @@ apiVersion: microgateway.airlock.com/v1alpha1 -kind: XCustomResource +kind: EnvoyExtensionPolicy metadata: - name: example-xcustomresource + name: example-envoyextensionpolicy namespace: default spec: targetRefs: diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing_observed_generation.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/progressing_observed_generation.yaml similarity index 86% rename from resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing_observed_generation.yaml rename to resource_customizations/microgateway.airlock.com/_/testdata/progressing_observed_generation.yaml index 0d3335ce9088f..850d6797802b2 100644 --- a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing_observed_generation.yaml +++ b/resource_customizations/microgateway.airlock.com/_/testdata/progressing_observed_generation.yaml @@ -1,7 +1,7 @@ apiVersion: microgateway.airlock.com/v1alpha1 -kind: XPolicy +kind: ICAPPolicy metadata: - name: example-xpolicy + name: example-icappolicy namespace: default generation: 3 spec: @@ -17,7 +17,7 @@ status: name: example-gateway conditions: - lastTransitionTime: '2026-04-16T12:20:11Z' - message: XPolicy is accepted + message: ICAPPolicy is accepted observedGeneration: 1 reason: Accepted status: 'True' 
diff --git a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing.yaml b/resource_customizations/microgateway.airlock.com/_/testdata/unknown.yaml similarity index 90% rename from resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing.yaml rename to resource_customizations/microgateway.airlock.com/_/testdata/unknown.yaml index 3f1dc08003b84..5e0bced44a949 100644 --- a/resource_customizations/microgateway.airlock.com/_/testdata/xpolicy_progressing.yaml +++ b/resource_customizations/microgateway.airlock.com/_/testdata/unknown.yaml @@ -1,7 +1,7 @@ apiVersion: microgateway.airlock.com/v1alpha1 -kind: XPolicy +kind: DenyRules metadata: - name: example-xpolicy + name: example-denyrules namespace: default spec: targetRefs: