Add support for multiple target references in SnippetsPolicy

Author: fabian4

apis/v1alpha1/policy_methods.go

@@ -33,7 +33,7 @@ func (p *UpstreamSettingsPolicy) SetPolicyStatus(status gatewayv1.PolicyStatus)
 }
 
 func (p *SnippetsPolicy) GetTargetRefs() []gatewayv1.LocalPolicyTargetReference {
-	return []gatewayv1.LocalPolicyTargetReference{p.Spec.TargetRef.LocalPolicyTargetReference}
+	return p.Spec.TargetRefs
 }
 
 func (p *SnippetsPolicy) GetPolicyStatus() gatewayv1.PolicyStatus {

apis/v1alpha1/snippetspolicy_types.go

@@ -25,10 +25,9 @@ import (
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
-// +kubebuilder:resource:shortName=snipol
+// +kubebuilder:metadata:labels="gateway.networking.k8s.io/policy=direct"
+// +kubebuilder:resource:categories=nginx-gateway-fabric,shortName=snippetspolicy
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
-// +kubebuilder:printcolumn:name="Accepted",type=string,JSONPath=`.status.conditions[?(@.type=="Accepted")].status`
-// +kubebuilder:printcolumn:name="Reason",type=string,JSONPath=`.status.conditions[?(@.type=="Accepted")].reason`
 
 // SnippetsPolicy provides a way to inject NGINX snippets into the configuration on Gateway level.
 type SnippetsPolicy struct {
@@ -53,11 +52,13 @@ type SnippetsPolicyList struct {
 
 // SnippetsPolicySpec defines the desired state of the SnippetsPolicy.
 type SnippetsPolicySpec struct {
-	// TargetRef is the reference to the Gateway that this policy should be applied to.
-	// +kubebuilder:validation:XValidation:message="TargetRef Kind must be Gateway",rule="self.kind == 'Gateway'"
-	// +kubebuilder:validation:XValidation:message="TargetRef Group must be gateway.networking.k8s.io",rule="self.group == 'gateway.networking.k8s.io'"
+	// TargetRefs identifies API object(s) to apply the policy to.
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=16
+	// +kubebuilder:validation:XValidation:message="TargetRefs Kind must be Gateway",rule="self.all(t, t.kind == 'Gateway')"
+	// +kubebuilder:validation:XValidation:message="TargetRefs Group must be gateway.networking.k8s.io",rule="self.all(t, t.group == 'gateway.networking.k8s.io')"
 	//nolint:lll
-	TargetRef SnippetsPolicyTargetRef `json:"targetRef"`
+	TargetRefs []gatewayv1.LocalPolicyTargetReference `json:"targetRefs"`
 
 	// Snippets is a list of snippets to be injected into the NGINX configuration.
 	// +kubebuilder:validation:MaxItems=3
@@ -66,8 +67,3 @@ type SnippetsPolicySpec struct {
 	//nolint:lll
 	Snippets []Snippet `json:"snippets"`
 }
-
-// SnippetsPolicyTargetRef identifies an API object to apply the policy to.
-type SnippetsPolicyTargetRef struct {
-	gatewayv1.LocalPolicyTargetReference `json:",inline"`
-}

apis/v1alpha1/zz_generated.deepcopy.go

@@ -4,28 +4,26 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.19.0
+  labels:
+    gateway.networking.k8s.io/policy: direct
   name: snippetspolicies.gateway.nginx.org
 spec:
   group: gateway.nginx.org
   names:
+    categories:
+    - nginx-gateway-fabric
     kind: SnippetsPolicy
     listKind: SnippetsPolicyList
     plural: snippetspolicies
     shortNames:
-    - snipol
+    - snippetspolicy
     singular: snippetspolicy
   scope: Namespaced
   versions:
   - additionalPrinterColumns:
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
-    - jsonPath: .status.conditions[?(@.type=="Accepted")].status
-      name: Accepted
-      type: string
-    - jsonPath: .status.conditions[?(@.type=="Accepted")].reason
-      name: Reason
-      type: string
     name: v1alpha1
     schema:
       openAPIV3Schema:
@@ -82,39 +80,49 @@ spec:
                   rule: self.all(s1, self.exists_one(s2, s1.context == s2.context))
                 - message: http.server.location context is not supported in SnippetsPolicy
                   rule: '!self.exists(s, s.context == ''http.server.location'')'
-              targetRef:
-                description: TargetRef is the reference to the Gateway that this policy
-                  should be applied to.
-                properties:
-                  group:
-                    description: Group is the group of the target resource.
-                    maxLength: 253
-                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                    type: string
-                  kind:
-                    description: Kind is kind of the target resource.
-                    maxLength: 63
-                    minLength: 1
-                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
-                    type: string
-                  name:
-                    description: Name is the name of the target resource.
-                    maxLength: 253
-                    minLength: 1
-                    type: string
-                required:
-                - group
-                - kind
-                - name
-                type: object
+              targetRefs:
+                description: TargetRefs identifies API object(s) to apply the policy
+                  to.
+                items:
+                  description: |-
+                    LocalPolicyTargetReference identifies an API object to apply a direct or
+                    inherited policy to. This should be used as part of Policy resources
+                    that can target Gateway API resources. For more information on how this
+                    policy attachment model works, and a sample Policy resource, refer to
+                    the policy attachment documentation for Gateway API.
+                  properties:
+                    group:
+                      description: Group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: Kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: Name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                  required:
+                  - group
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                minItems: 1
+                type: array
                 x-kubernetes-validations:
-                - message: TargetRef Kind must be Gateway
-                  rule: self.kind == 'Gateway'
-                - message: TargetRef Group must be gateway.networking.k8s.io
-                  rule: self.group == 'gateway.networking.k8s.io'
+                - message: TargetRefs Kind must be Gateway
+                  rule: self.all(t, t.kind == 'Gateway')
+                - message: TargetRefs Group must be gateway.networking.k8s.io
+                  rule: self.all(t, t.group == 'gateway.networking.k8s.io')
             required:
             - snippets
-            - targetRef
+            - targetRefs
             type: object
           status:
             description: Status defines the current state of the SnippetsPolicy.

config/crd/bases/gateway.nginx.org_snippetspolicies.yaml

@@ -79,41 +79,42 @@ func (g *Generator) generate(pols []policies.Policy, context v1alpha1.NginxConte
 				continue
 			}
 
-			// TargetRef info for file path and comment
-			gwRef := sp.Spec.TargetRef
-			gwNsName := fmt.Sprintf("%s-%s", sp.GetNamespace(), gwRef.Name) // Assuming local target ref implies same namespace
-
-			policyNsName := fmt.Sprintf("%s/%s", sp.GetNamespace(), sp.GetName())
-
-			// Build content and filename
-			var content string
-			var filename string
-
-			switch context {
-			case v1alpha1.NginxContextMain:
-				content = fmt.Sprintf(mainTemplate, policyNsName, gwNsName, snippet.Value)
-				filename = filepath.Join(
-					"includes", "policy", gwNsName,
-					fmt.Sprintf("SnippetsPolicy_main_%s.conf", sp.GetName()),
-				)
-			case v1alpha1.NginxContextHTTP:
-				content = fmt.Sprintf(httpTemplate, policyNsName, gwNsName, snippet.Value)
-				filename = filepath.Join(
-					"includes", "policy", gwNsName,
-					fmt.Sprintf("SnippetsPolicy_http_%s.conf", sp.GetName()),
-				)
-			case v1alpha1.NginxContextHTTPServer:
-				content = fmt.Sprintf(serverTemplate, policyNsName, gwNsName, serverID, snippet.Value)
-				filename = filepath.Join(
-					"includes", "policy", gwNsName, serverID,
-					fmt.Sprintf("SnippetsPolicy_server_%s.conf", sp.GetName()),
-				)
+			for _, gwRef := range sp.Spec.TargetRefs {
+				// TargetRef info for file path and comment
+				gwNsName := fmt.Sprintf("%s-%s", sp.GetNamespace(), gwRef.Name) // Assuming local target ref implies same namespace
+
+				policyNsName := fmt.Sprintf("%s/%s", sp.GetNamespace(), sp.GetName())
+
+				// Build content and filename
+				var content string
+				var filename string
+
+				switch context {
+				case v1alpha1.NginxContextMain:
+					content = fmt.Sprintf(mainTemplate, policyNsName, gwNsName, snippet.Value)
+					filename = filepath.Join(
+						"includes", "policy", gwNsName,
+						fmt.Sprintf("SnippetsPolicy_main_%s.conf", sp.GetName()),
+					)
+				case v1alpha1.NginxContextHTTP:
+					content = fmt.Sprintf(httpTemplate, policyNsName, gwNsName, snippet.Value)
+					filename = filepath.Join(
+						"includes", "policy", gwNsName,
+						fmt.Sprintf("SnippetsPolicy_http_%s.conf", sp.GetName()),
+					)
+				case v1alpha1.NginxContextHTTPServer:
+					content = fmt.Sprintf(serverTemplate, policyNsName, gwNsName, serverID, snippet.Value)
+					filename = filepath.Join(
+						"includes", "policy", gwNsName, serverID,
+						fmt.Sprintf("SnippetsPolicy_server_%s.conf", sp.GetName()),
+					)
+				}
+
+				files = append(files, policies.File{
+					Name:    filename,
+					Content: []byte(content),
+				})
 			}
-
-			files = append(files, policies.File{
-				Name:    filename,
-				Content: []byte(content),
-			})
 		}
 	}
 	return files

internal/controller/nginx/config/policies/snippetspolicy/generator.go

@@ -23,8 +23,8 @@ func TestGenerator(t *testing.T) {
 			Namespace: "default",
 		},
 		Spec: v1alpha1.SnippetsPolicySpec{
-			TargetRef: v1alpha1.SnippetsPolicyTargetRef{
-				LocalPolicyTargetReference: gatewayv1.LocalPolicyTargetReference{
+			TargetRefs: []gatewayv1.LocalPolicyTargetReference{
+				{
 					Group: gatewayv1.GroupName,
 					Kind:  kinds.Gateway,
 					Name:  "gateway-1",
@@ -81,8 +81,8 @@ func TestGenerator(t *testing.T) {
 		policy1 := &v1alpha1.SnippetsPolicy{
 			ObjectMeta: metav1.ObjectMeta{Name: "p1", Namespace: "default"},
 			Spec: v1alpha1.SnippetsPolicySpec{
-				TargetRef: v1alpha1.SnippetsPolicyTargetRef{
-					LocalPolicyTargetReference: gatewayv1.LocalPolicyTargetReference{
+				TargetRefs: []gatewayv1.LocalPolicyTargetReference{
+					{
 						Name: "gw",
 					},
 				},
@@ -94,8 +94,8 @@ func TestGenerator(t *testing.T) {
 		policy2 := &v1alpha1.SnippetsPolicy{
 			ObjectMeta: metav1.ObjectMeta{Name: "p2", Namespace: "default"},
 			Spec: v1alpha1.SnippetsPolicySpec{
-				TargetRef: v1alpha1.SnippetsPolicyTargetRef{
-					LocalPolicyTargetReference: gatewayv1.LocalPolicyTargetReference{
+				TargetRefs: []gatewayv1.LocalPolicyTargetReference{
+					{
 						Name: "gw",
 					},
 				},
@@ -110,4 +110,33 @@ func TestGenerator(t *testing.T) {
 		gWithT.Expect(files[0].Name).To(ContainSubstring("p1"))
 		gWithT.Expect(files[1].Name).To(ContainSubstring("p2"))
 	})
+
+	t.Run("GenerateForMain with multiple targets", func(t *testing.T) {
+		gWithT := NewWithT(t)
+		policy := &v1alpha1.SnippetsPolicy{
+			ObjectMeta: metav1.ObjectMeta{Name: "policy-multi", Namespace: "default"},
+			Spec: v1alpha1.SnippetsPolicySpec{
+				TargetRefs: []gatewayv1.LocalPolicyTargetReference{
+					{
+						Name: "gw1",
+					},
+					{
+						Name: "gw2",
+					},
+				},
+				Snippets: []v1alpha1.Snippet{
+					{Context: v1alpha1.NginxContextMain, Value: "data;"},
+				},
+			},
+		}
+
+		files := g.GenerateForMain([]policies.Policy{policy})
+		gWithT.Expect(files).To(HaveLen(2))
+		gWithT.Expect(files[0].Name).To(ContainSubstring("gw1"))
+		gWithT.Expect(files[1].Name).To(ContainSubstring("gw2"))
+		gWithT.Expect(string(files[0].Content)).To(ContainSubstring("data;"))
+		gWithT.Expect(string(files[1].Content)).To(ContainSubstring("data;"))
+		gWithT.Expect(string(files[0].Content)).To(ContainSubstring("gw1"))
+		gWithT.Expect(string(files[1].Content)).To(ContainSubstring("gw2"))
+	})
 }

internal/controller/nginx/config/policies/snippetspolicy/generator_test.go

@@ -42,13 +42,15 @@ func NewValidator() *Validator {
 func (v *Validator) Validate(policy policies.Policy) []conditions.Condition {
 	sp := helpers.MustCastObject[*ngfAPI.SnippetsPolicy](policy)
 
-	targetRefPath := field.NewPath("spec").Child("targetRef")
+	targetRefsPath := field.NewPath("spec").Child("targetRefs")
 	supportedKinds := []gatewayv1.Kind{kinds.Gateway}
 	supportedGroups := []gatewayv1.Group{gatewayv1.GroupName}
 
 	// Validate TargetRef
-	if err := policies.ValidateTargetRef(sp.Spec.TargetRef.LocalPolicyTargetReference, targetRefPath, supportedGroups, supportedKinds); err != nil {
-		return []conditions.Condition{conditions.NewPolicyInvalid(err.Error())}
+	for i, targetRef := range sp.Spec.TargetRefs {
+		if err := policies.ValidateTargetRef(targetRef, targetRefsPath.Index(i), supportedGroups, supportedKinds); err != nil {
+			return []conditions.Condition{conditions.NewPolicyInvalid(err.Error())}
+		}
 	}
 
 	// Validate Snippets