test(gatewayapi): BackendTLSPolicy lookup does not prefer sectionName-specific match over wildcard#9034
Conversation
✅ Deploy Preview for cerulean-figolla-1f9435 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f3bf3e450f
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| name: ca-cmap | ||
| hostname: sectioned.example.com | ||
| status: | ||
| ancestors: null |
There was a problem hiding this comment.
Encode spec-expected precedence in golden output
This golden file currently asserts the known-bug outcome (policy-sectioned has no accepted ancestor), even though the paired input comments state the spec-expected behavior is that the sectioned policy should win for its matching port. Because TestTranslate compares against this .out.yaml, the new case will pass while preserving the incorrect precedence logic, so it does not protect against the real regression and can block a later fix by treating correct behavior as a failure.
Useful? React with 👍 / 👎.
What type of PR is this?
This PR adds testcase and golden config to reproduce issue #9035
What this PR does / why we need it:
Adds a translator test case that locks in the current (buggy) behavior of BackendTLSPolicy lookup: when two policies target the same Service — one with targetRefs[].sectionName set and one without — the
wildcard (no sectionName) policy shadows the sectioned one if it sorts earlier in the resource list (which happens whenever it has an older creationTimestamp).
The golden output captures the broken state: policy-sectioned.status.ancestors is null, and both routes (including the one on the section the sectioned policy targets) end up with the wildcard policy's TLS
config. When the precedence fix lands, the output will need to be regenerated and the diff will be a clean visual proof of the fix.
Which issue(s) this PR fixes:
N/A. Asserts behavior in #9035
Release Notes: Yes/No