kubernetes-sigs · deszhou · Jul 25, 2024 · Jul 25, 2024 · Jul 25, 2024 · Jul 26, 2024
diff --git a/gwctl/pkg/policymanager/manager.go b/gwctl/pkg/policymanager/manager.go
@@ -22,14 +22,13 @@ import (
 	"fmt"
 	"strings"
 
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/dynamic"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 	"sigs.k8s.io/gateway-api/gwctl/pkg/common"
@@ -216,10 +215,10 @@ func (p PolicyCRD) IsClusterScoped() bool {
 
 type Policy struct {
 	u unstructured.Unstructured
-	// targetRef references the target object this policy is attached to. This
+	// targetRefs references the target object this policy is attached to. This
 	// only makes sense in case of a directly-attached-policy, or an
 	// unmerged-inherited-policy.
-	targetRef common.ObjRef
+	targetRefs []common.ObjRef
 	// Indicates whether the policy is supposed to be "inherited" (as opposed to
 	// "direct").
 	inherited bool
@@ -230,29 +229,53 @@ func (p Policy) ClientObject() client.Object { return p.Unstructured() }
 func PolicyFromUnstructured(u unstructured.Unstructured, policyCRDs map[PolicyCrdID]PolicyCRD) (Policy, error) {
 	result := Policy{u: u}
 
-	// Identify targetRef of Policy.
+	// Identify targetRefs of Policy.
 	type genericPolicy struct {
 		metav1.TypeMeta   `json:",inline"`
 		metav1.ObjectMeta `json:"metadata,omitempty"`
 		Spec              struct {
-			TargetRef gatewayv1alpha2.NamespacedPolicyTargetReference
+			TargetRefs []gatewayv1alpha2.NamespacedPolicyTargetReference `json:"targetRefs"`
+			TargetRef  *gatewayv1alpha2.NamespacedPolicyTargetReference  `json:"targetRef"`
 		}
 	}
 	structuredPolicy := &genericPolicy{}
 	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(u.UnstructuredContent(), structuredPolicy); err != nil {
 		return Policy{}, fmt.Errorf("failed to convert unstructured policy resource to structured: %v", err)
 	}
-	result.targetRef = common.ObjRef{
-		Group:     string(structuredPolicy.Spec.TargetRef.Group),
-		Kind:      string(structuredPolicy.Spec.TargetRef.Kind),
-		Name:      string(structuredPolicy.Spec.TargetRef.Name),
-		Namespace: structuredPolicy.GetNamespace(),
-	}
-	if result.targetRef.Namespace == "" {
-		result.targetRef.Namespace = result.u.GetNamespace()
+
+	// Process targetRefs
+	for _, targetRef := range structuredPolicy.Spec.TargetRefs {
+		objRef := common.ObjRef{
+			Group:     string(targetRef.Group),
+			Kind:      string(targetRef.Kind),
+			Name:      string(targetRef.Name),
+			Namespace: u.GetNamespace(),
+		}
+		if objRef.Namespace == "" {
+			objRef.Namespace = u.GetNamespace()
+		}
-			Namespace: u.GetNamespace(),
-		}
-		if objRef.Namespace == "" {
-			objRef.Namespace = u.GetNamespace()
-		}
+			Namespace: structuredPolicy.GetNamespace(),
+		}
+		if objRef.Namespace == "" {
+			objRef.Namespace = u.GetNamespace()
+		}
-			Namespace: u.GetNamespace(),
-		}
-		if objRef.Namespace == "" {
-			objRef.Namespace = u.GetNamespace()
-		}
+			Namespace: structuredPolicy.GetNamespace(),
+		}
+		if objRef.Namespace == "" {
+			objRef.Namespace = u.GetNamespace()
+		}
+		if targetRef.Namespace != nil {
+			objRef.Namespace = string(*targetRef.Namespace)
+		}
+		result.targetRefs = append(result.targetRefs, objRef)
 	}
-	if structuredPolicy.Spec.TargetRef.Namespace != nil {
-		result.targetRef.Namespace = string(*structuredPolicy.Spec.TargetRef.Namespace)
+
+	// Process single targetRef (if present and targetRefs is empty)
+	if structuredPolicy.Spec.TargetRef != nil && len(result.targetRefs) == 0 {
+		targetRef := structuredPolicy.Spec.TargetRef
+		objRef := common.ObjRef{
+			Group:     string(targetRef.Group),
+			Kind:      string(targetRef.Kind),
+			Name:      string(targetRef.Name),
+			Namespace: u.GetNamespace(),
+		}
+		if objRef.Namespace == "" {
+			objRef.Namespace = u.GetNamespace()
+		}
+		if targetRef.Namespace != nil {
+			objRef.Namespace = string(*targetRef.Namespace)
+		}
+		result.targetRefs = append(result.targetRefs, objRef)
 	}
 
 	// Get the CRD corresponding to this policy object.
@@ -274,8 +297,8 @@ func (p Policy) PolicyCrdID() PolicyCrdID {
 	return PolicyCrdID(p.u.GetObjectKind().GroupVersionKind().Kind + "." + p.u.GetObjectKind().GroupVersionKind().Group)
 }
 
-func (p Policy) TargetRef() common.ObjRef {
-	return p.targetRef
+func (p Policy) TargetRefs() []common.ObjRef {
+	return p.targetRefs
 }
 
 func (p Policy) IsInherited() bool {
@@ -287,19 +310,24 @@ func (p Policy) IsDirect() bool {
 }
 
 func (p Policy) IsAttachedTo(objRef common.ObjRef) bool {
-	if p.targetRef.Kind == "Namespace" && p.targetRef.Name == "" {
-		p.targetRef.Name = "default"
-	}
-	if objRef.Kind == "Namespace" && objRef.Name == "" {
-		objRef.Name = "default"
-	}
-	if p.targetRef.Kind != "Namespace" && p.targetRef.Namespace == "" {
-		p.targetRef.Namespace = "default"
-	}
-	if objRef.Kind != "Namespace" && objRef.Namespace == "" {
-		objRef.Namespace = "default"
+	for _, targetRef := range p.targetRefs {
+		if targetRef.Kind == "Namespace" && targetRef.Name == "" {
+			targetRef.Name = "default"
+		}
+		if objRef.Kind == "Namespace" && objRef.Name == "" {
+			objRef.Name = "default"
+		}
+		if targetRef.Kind != "Namespace" && targetRef.Namespace == "" {
+			targetRef.Namespace = "default"
+		}
+		if objRef.Kind != "Namespace" && objRef.Namespace == "" {
+			objRef.Namespace = "default"
+		}
+		if targetRef == objRef {
+			return true
+		}
 	}
-	return p.targetRef == objRef
+	return false
 }
 
 func (p Policy) Unstructured() *unstructured.Unstructured {
@@ -308,9 +336,9 @@ func (p Policy) Unstructured() *unstructured.Unstructured {
 
 func (p Policy) DeepCopy() Policy {
 	clone := Policy{
-		u:         *p.u.DeepCopy(),
-		targetRef: p.targetRef,
-		inherited: p.inherited,
+		u:          *p.u.DeepCopy(),
+		targetRefs: p.targetRefs,
+		inherited:  p.inherited,
 	}
 	return clone
 }
@@ -320,18 +348,28 @@ func (p Policy) Spec() map[string]interface{} {
 	if err != nil || !ok {
 		return nil
 	}
-
 	result, ok := spec.(map[string]interface{})
 	if !ok {
 		return nil
 	}
+
+	if targetRef, hasTargetRef := result["targetRef"]; hasTargetRef {
+		if _, hasTargetRefs := result["targetRefs"]; !hasTargetRefs {
+			result["targetRefs"] = []interface{}{targetRef}
+		} else {
+			result["targetRefs"] = append(result["targetRefs"].([]interface{}), targetRef)
+		}
+		delete(result, "targetRef")
+	}
+
 	return result
 }
 
 func (p Policy) EffectiveSpec() (map[string]interface{}, error) {
 	if !p.IsInherited() {
 		// No merging is required in case of Direct policies.
 		result := p.Spec()
+		delete(result, "targetRefs")
 		delete(result, "targetRef")
 		return result, nil
 	}

diff --git a/gwctl/pkg/policymanager/merger.go b/gwctl/pkg/policymanager/merger.go
@@ -58,7 +58,14 @@ func MergePoliciesOfSimilarKind(policies []Policy) (map[PolicyCrdID]Policy, erro
 			return nil, err
 		}
 
-		result[policyCrdID] = mergedPolicies[policyCrdID]
+		mergedPolicy := mergedPolicies[policyCrdID]
+
+		// Check and set targetRefs to nil if it's an empty slice
+		if len(mergedPolicy.targetRefs) == 0 {
+			mergedPolicy.targetRefs = nil
+		}
+
+		result[policyCrdID] = mergedPolicy
 	}
 	return result, nil
 }
@@ -149,10 +156,26 @@ func mergePolicy(parent, child Policy) (Policy, error) {
 	result.u.SetUnstructuredContent(resultUnstructured)
 	// Merging two policies means the targetRef no longer makes any sense since
 	// since they can be conflicting. So we unset the targetRef.
-	result.targetRef = common.ObjRef{}
+	result.targetRefs = mergeTargetRefs(parent.targetRefs, child.targetRefs)
 	return result, nil
 }
 
+// Helper function to merge targetRefs from two policies
+func mergeTargetRefs(refs1, refs2 []common.ObjRef) []common.ObjRef {
+	refMap := make(map[common.ObjRef]struct{})
+	for _, ref := range refs1 {
+		refMap[ref] = struct{}{}
+	}
+	for _, ref := range refs2 {
+		refMap[ref] = struct{}{}
+	}
+	result := make([]common.ObjRef, 0, len(refMap))
+	for ref := range refMap {
+		result = append(result, ref)
+	}
+	return result
+}
+
 func mergeUnstructured(parent, patch map[string]interface{}) (map[string]interface{}, error) {
 	currentJSON, err := json.Marshal(parent)
 	if err != nil {

diff --git a/gwctl/pkg/policymanager/merger_test.go b/gwctl/pkg/policymanager/merger_test.go
@@ -87,9 +87,11 @@ func TestMergePoliciesOfSimilarKind(t *testing.T) {
 					"spec": map[string]interface{}{
 						"condition": "path=/def",
 						"seconds":   float64(30),
-						"targetRef": map[string]interface{}{
-							"kind": "Namespace",
-							"name": "default",
+						"targetRefs": []interface{}{
+							map[string]interface{}{
+								"kind": "Namespace",
+								"name": "default",
+							},
 						},
 					},
 				},
@@ -106,9 +108,11 @@ func TestMergePoliciesOfSimilarKind(t *testing.T) {
 					"spec": map[string]interface{}{
 						"condition": "path=/abc",
 						"seconds":   float64(60),
-						"targetRef": map[string]interface{}{
-							"kind": "Namespace",
-							"name": "default",
+						"targetRefs": []interface{}{
+							map[string]interface{}{
+								"kind": "Namespace",
+								"name": "default",
+							},
 						},
 					},
 				},
@@ -152,9 +156,11 @@ func TestMergePoliciesOfSimilarKind(t *testing.T) {
 					"spec": map[string]interface{}{
 						"condition": "path=/def",
 						"seconds":   float64(30),
-						"targetRef": map[string]interface{}{
-							"kind": "Namespace",
-							"name": "default",
+						"targetRefs": []interface{}{
+							map[string]interface{}{
+								"kind": "Namespace",
+								"name": "default",
+							},
 						},
 					},
 				},

diff --git a/gwctl/pkg/printer/backends_test.go b/gwctl/pkg/printer/backends_test.go
@@ -164,11 +164,19 @@ func TestBackendsPrinter_Print(t *testing.T) {
 					"default": map[string]interface{}{
 						"key2": "value-parent-2",
 					},
-					"targetRef": map[string]interface{}{
-						"group":     "",
-						"kind":      "Service",
-						"name":      "foo-svc-1",
-						"namespace": "ns1",
+					"targetRefs": []interface{}{
+						map[string]interface{}{
+							"group":     "",
+							"kind":      "Service",
+							"name":      "foo-svc-1",
+							"namespace": "ns1",
+						},
+						map[string]interface{}{
+							"group":     "",
+							"kind":      "Service",
+							"name":      "foo-svc-2",
+							"namespace": "ns1",
+						},
 					},
 				},
 			},
@@ -219,7 +227,7 @@ ns1        foo-svc-2  Service  2d
 	want2 := `
 NAMESPACE  NAME       TYPE     AGE  REFERRED BY ROUTES                                 POLICIES
 ns1        foo-svc-1  Service  3d   ns1/foo-httproute-1                                1
-ns1        foo-svc-2  Service  2d   ns1/foo-httproute-2, ns1/foo-httproute-3 + 2 more  0
+ns1        foo-svc-2  Service  2d   ns1/foo-httproute-2, ns1/foo-httproute-3 + 2 more  1
 `
 	if diff := cmp.Diff(common.YamlString(want2), common.YamlString(got2), common.YamlStringTransformer); diff != "" {
 		t.Errorf("Unexpected diff\ngot=\n%v\nwant=\n%v\ndiff (-want +got)=\n%v", got2, want2, diff)

diff --git a/gwctl/pkg/printer/common.go b/gwctl/pkg/printer/common.go
@@ -171,26 +171,27 @@ func convertPoliciesToRefsTable(policies []*resourcediscovery.PolicyNode, includ
 			policyName = fmt.Sprintf("%v/%v", ns, policyName)
 		}
 
-		targetKind := policyNode.Policy.TargetRef().Kind
-
-		targetName := policyNode.Policy.TargetRef().Name
-		if ns := policyNode.Policy.TargetRef().Namespace; ns != "" {
-			targetName = fmt.Sprintf("%v/%v", ns, targetName)
-		}
+		// Iterate over each TargetRef
+		for _, targetRef := range policyNode.Policy.TargetRefs() {
+			targetKind := targetRef.Kind
+			targetName := targetRef.Name
+			if ns := targetRef.Namespace; ns != "" {
+				targetName = fmt.Sprintf("%v/%v", ns, targetName)
+			}
 
-		row := []string{
-			policyType, // Type
-			policyName, // Name
-		}
+			row := []string{
+				policyType, // Type
+				policyName, // Name
+			}
 
-		if includeTarget {
-			row = append(row,
-				targetKind, // Target Kind
-				targetName, // Target Name
-			)
+			if includeTarget {
+				row = append(row,
+					targetKind, // Target Kind
+					targetName, // Target Name
+				)
+			}
+			table.Rows = append(table.Rows, row)
 		}
-
-		table.Rows = append(table.Rows, row)
 	}
 	return table
 }

diff --git a/gwctl/pkg/printer/gatewayclasses_test.go b/gwctl/pkg/printer/gatewayclasses_test.go
@@ -228,10 +228,12 @@ func TestGatewayClassesPrinter_PrintDescribeView(t *testing.T) {
 							"name": "policy-name",
 						},
 						"spec": map[string]interface{}{
-							"targetRef": map[string]interface{}{
-								"group": "gateway.networking.k8s.io",
-								"kind":  "GatewayClass",
-								"name":  "foo-gatewayclass",
+							"targetRefs": []interface{}{
+								map[string]interface{}{
+									"group": "gateway.networking.k8s.io",
+									"kind":  "GatewayClass",
+									"name":  "foo-gatewayclass",
+								},
 							},
 						},
 					},