refactor with specIvalid

Signed-off-by: zirain <zirain2009@gmail.com>

Author: zirain

internal/gatewayapi/contexts.go

@@ -138,6 +138,10 @@ type ListenerContext struct {
 
 	namespaceSelector labels.Selector
 
+	// specValid indicates whether per-listener spec validation succeeded.
+	// Conflict detection should only consider listeners with specValid=true.
+	specValid bool
+
 	tls ListenerTLSConfig
 
 	httpIR *ir.HTTPListener

internal/gatewayapi/listener.go

@@ -214,6 +214,94 @@ func validClientCertificateRef(ref *gwapiv1.SecretObjectReference) error {
 	return nil
 }
 
+// allowedRouteKindsForProtocol returns the route kinds supported by the given listener protocol.
+func allowedRouteKindsForProtocol(protocol gwapiv1.ProtocolType, tlsMode *gwapiv1.TLSModeType) []gwapiv1.Kind {
+	switch protocol {
+	case gwapiv1.HTTPProtocolType, gwapiv1.HTTPSProtocolType:
+		return []gwapiv1.Kind{resource.KindHTTPRoute, resource.KindGRPCRoute}
+	case gwapiv1.TLSProtocolType:
+		if tlsMode != nil && *tlsMode == gwapiv1.TLSModePassthrough {
+			return []gwapiv1.Kind{resource.KindTLSRoute}
+		}
+		// Terminate mode or unspecified defaults to accept both TCP and TLS routes
+		return []gwapiv1.Kind{resource.KindTCPRoute, resource.KindTLSRoute}
+	case gwapiv1.TCPProtocolType:
+		return []gwapiv1.Kind{resource.KindTCPRoute}
+	case gwapiv1.UDPProtocolType:
+		return []gwapiv1.Kind{resource.KindUDPRoute}
+	default:
+		return nil
+	}
+}
+
+// validateProtocolRules validates protocol-specific constraints (hostname, TLS requirements).
+// Returns true if all constraints are satisfied, false otherwise.
+func validateProtocolRules(listener *ListenerContext) bool {
+	switch listener.Protocol {
+	case gwapiv1.HTTPProtocolType, gwapiv1.HTTPSProtocolType, gwapiv1.TLSProtocolType,
+		gwapiv1.TCPProtocolType, gwapiv1.UDPProtocolType:
+		// All supported protocols pass basic validation here.
+		// Protocol-specific constraints (TLS, hostname) are validated in
+		// validateTLSConfiguration and validateHostName respectively,
+		// where they can set proper conditions.
+		return true
+
+	default:
+		// Unsupported protocol handled separately
+		return false
+	}
+}
+
+func (t *Translator) validateListenerSpec(listener *ListenerContext, resources *resource.Resources) bool {
+	// Validate listener spec directly without relying on conditions.
+	// Start with valid assumption and invalidate on failures.
+
+	// Phase 1: Validate fundamental rules
+	specValid := t.validateAllowedNamespaces(listener)
+	if !validateProtocolRules(listener) {
+		specValid = false
+	}
+
+	// Phase 2: Validate allowed routes based on protocol
+	if listener.Protocol == gwapiv1.HTTPProtocolType ||
+		listener.Protocol == gwapiv1.HTTPSProtocolType ||
+		listener.Protocol == gwapiv1.TCPProtocolType ||
+		listener.Protocol == gwapiv1.UDPProtocolType ||
+		listener.Protocol == gwapiv1.TLSProtocolType {
+		var tlsMode *gwapiv1.TLSModeType
+		if listener.TLS != nil {
+			tlsMode = listener.TLS.Mode
+		}
+		allowedKinds := allowedRouteKindsForProtocol(listener.Protocol, tlsMode)
+		if !t.validateAllowedRoutes(listener, allowedKinds...) {
+			specValid = false
+		}
+	} else {
+		// Unsupported protocol
+		specValid = false
+		listener.SetSupportedKinds()
+		listener.SetCondition(
+			gwapiv1.ListenerConditionAccepted,
+			metav1.ConditionFalse,
+			gwapiv1.ListenerReasonUnsupportedProtocol,
+			fmt.Sprintf("Protocol %s is unsupported, must be %s, %s, %s or %s.", listener.Protocol,
+				gwapiv1.HTTPProtocolType, gwapiv1.HTTPSProtocolType, gwapiv1.TCPProtocolType, gwapiv1.UDPProtocolType),
+		)
+	}
+
+	// Phase 3: Validate TLS configuration details
+	if !t.validateTLSConfiguration(listener, resources) {
+		specValid = false
+	}
+
+	// Phase 4: Validate Hostname configuration
+	if !t.validateHostName(listener) {
+		specValid = false
+	}
+
+	return specValid
+}
+
 func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource.XdsIRMap, infraIR resource.InfraIRMap, resources *resource.Resources) {
 	// Infra IR proxy ports must be unique.
 	foundPorts := make(map[string][]*protocolPort)
@@ -223,51 +311,13 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource
 	// don't block valid ones during conflict detection.
 	for _, gateway := range gateways {
 		for _, listener := range gateway.listeners {
-			// Process protocol & supported kinds
-			switch listener.Protocol {
-			case gwapiv1.TLSProtocolType:
-				if listener.TLS != nil {
-					switch *listener.TLS.Mode {
-					case gwapiv1.TLSModePassthrough:
-						t.validateAllowedRoutes(listener, resource.KindTLSRoute)
-					case gwapiv1.TLSModeTerminate:
-						t.validateAllowedRoutes(listener, resource.KindTCPRoute, resource.KindTLSRoute)
-					default:
-						t.validateAllowedRoutes(listener, resource.KindTCPRoute, resource.KindTLSRoute)
-					}
-				} else {
-					t.validateAllowedRoutes(listener, resource.KindTCPRoute, resource.KindTLSRoute)
-				}
-			case gwapiv1.HTTPProtocolType, gwapiv1.HTTPSProtocolType:
-				t.validateAllowedRoutes(listener, resource.KindHTTPRoute, resource.KindGRPCRoute)
-			case gwapiv1.TCPProtocolType:
-				t.validateAllowedRoutes(listener, resource.KindTCPRoute)
-			case gwapiv1.UDPProtocolType:
-				t.validateAllowedRoutes(listener, resource.KindUDPRoute)
-			default:
-				listener.SetSupportedKinds()
-				listener.SetCondition(
-					gwapiv1.ListenerConditionAccepted,
-					metav1.ConditionFalse,
-					gwapiv1.ListenerReasonUnsupportedProtocol,
-					fmt.Sprintf("Protocol %s is unsupported, must be %s, %s, %s or %s.", listener.Protocol,
-						gwapiv1.HTTPProtocolType, gwapiv1.HTTPSProtocolType, gwapiv1.TCPProtocolType, gwapiv1.UDPProtocolType),
-				)
-			}
-
-			// Validate allowed namespaces
-			t.validateAllowedNamespaces(listener)
-
-			// Process TLS configuration
-			t.validateTLSConfiguration(listener, resources)
-
-			// Process Hostname configuration
-			t.validateHostName(listener)
+			listener.specValid = t.validateListenerSpec(listener, resources)
 		}
 	}
 
 	// Phase 2: Run conflict detection.
 	// Only listeners that haven't been marked as invalid will participate in conflict resolution.
+	t.validateConflictedProtocolsListeners(gateways)
 	t.validateConflictedLayer7Listeners(gateways)
 	t.validateConflictedLayer4Listeners(gateways, gwapiv1.TCPProtocolType)
 	t.validateConflictedLayer4Listeners(gateways, gwapiv1.UDPProtocolType)
@@ -286,9 +336,9 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource
 		t.processProxyObservability(gateway, xdsIR[irKey], infraIR[irKey].Proxy, resources)
 
 		for _, listener := range gateway.listeners {
-			// Process conditions and check if the listener is ready
-			isReady := t.validateListenerConditions(listener)
-			if !isReady {
+			// Finalize listener conditions and check readiness.
+			t.validateListenerConditions(listener)
+			if !listener.IsReady() {
 				// Skip invalid listeners from IR building
 				continue
 			}

internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml

@@ -45,18 +45,18 @@ gateways:
         kind: HTTPRoute
       - group: gateway.networking.k8s.io
         kind: GRPCRoute
-    - attachedRoutes: 1
+    - attachedRoutes: 0
       conditions:
       - lastTransitionTime: null
-        message: Sending translated listener configuration to the data plane
-        reason: Programmed
+        message: All listeners for a given port must use a compatible protocol
+        reason: ProtocolConflict
         status: "True"
-        type: Programmed
+        type: Conflicted
       - lastTransitionTime: null
-        message: Listener has been successfully translated
-        reason: Accepted
-        status: "True"
-        type: Accepted
+        message: Listener is invalid, see other Conditions for details.
+        reason: Invalid
+        status: "False"
+        type: Programmed
       - lastTransitionTime: null
         message: Listener references have been resolved
         reason: ResolvedRefs
@@ -110,12 +110,6 @@ infraIR:
           name: http-80
           protocol: HTTP
           servicePort: 80
-      - name: envoy-gateway/gateway-1/tcp
-        ports:
-        - containerPort: 10080
-          name: tcp-80
-          protocol: TCP
-          servicePort: 80
       metadata:
         labels:
           gateway.envoyproxy.io/owning-gateway-name: gateway-1
@@ -143,9 +137,9 @@ tcpRoutes:
     parents:
     - conditions:
       - lastTransitionTime: null
-        message: Route is accepted
-        reason: Accepted
-        status: "True"
+        message: Multiple routes on the same TCP listener
+        reason: UnsupportedValue
+        status: "False"
         type: Accepted
       - lastTransitionTime: null
         message: Resolved all the Object references for the Route
@@ -233,38 +227,3 @@ xdsIR:
       ipFamily: IPv4
       path: /ready
       port: 19003
-    tcp:
-    - address: 0.0.0.0
-      externalPort: 80
-      metadata:
-        kind: Gateway
-        name: gateway-1
-        namespace: envoy-gateway
-        sectionName: tcp
-      name: envoy-gateway/gateway-1/tcp
-      port: 10080
-      routes:
-      - destination:
-          metadata:
-            kind: TCPRoute
-            name: tcproute-1
-            namespace: default
-          name: tcproute/default/tcproute-1/rule/-1
-          settings:
-          - addressType: IP
-            endpoints:
-            - host: 7.7.7.7
-              port: 8163
-            metadata:
-              kind: Service
-              name: service-1
-              namespace: default
-              sectionName: "8163"
-            name: tcproute/default/tcproute-1/rule/-1/backend/0
-            protocol: TCP
-            weight: 1
-        metadata:
-          kind: TCPRoute
-          name: tcproute-1
-          namespace: default
-        name: tcproute/default/tcproute-1