feat(health): support various policies _.microgateway.airlock.com (#28268)

Signed-off-by: Roman Willi <roman.willi@ergon.ch>

Author: root30

resource_customizations/microgateway.airlock.com/_/health.lua

@@ -0,0 +1,53 @@
+local hs = { status = "Progressing", message = "Waiting for " .. (obj.kind or "Policy")  .. " status"}
+
+local function is_policy_kind(kind)
+  return kind ~= nil and string.match(kind, "Policy$") ~= nil
+end
+
+if not is_policy_kind(obj.kind) then
+  return { status = "Healthy", message = obj.kind .. " is healthy" }
+end
+
+if obj.status ~= nil and obj.status.ancestors ~= nil then
+  if obj.metadata.generation ~= nil then
+    for i, ancestor in ipairs(obj.status.ancestors) do
+      for _, condition in ipairs(ancestor.conditions) do
+        if condition.observedGeneration == nil or condition.observedGeneration ~= obj.metadata.generation then
+           hs.message = "Waiting for Ancestor " .. (ancestor.ancestorRef.name or "") .. " to update " .. (obj.kind or "Policy")  .. " status"
+           return hs
+        end
+      end
+    end
+  end
+
+  for i, ancestor in ipairs(obj.status.ancestors) do
+    local hasAcceptedCondition = false
+    for j, condition in ipairs(ancestor.conditions) do
+      if condition.type == "Accepted" then
+        hasAcceptedCondition = true
+        if condition.status ~= "True" then
+          hs.status = "Degraded"
+          hs.message = "Ancestor " .. (ancestor.ancestorRef.name or "") .. ": " .. condition.message
+          return hs
+        else
+          hs.status = "Healthy"
+          hs.message = (obj.kind or "Policy")  .. " is healthy"
+        end
+      end
+
+      if condition.type == "ResolvedRefs" then
+        if condition.status ~= "True" then
+          hs.status = "Degraded"
+          hs.message = "Ancestor " .. (ancestor.ancestorRef.name or "") .. ": " .. condition.message
+          return hs
+        end
+      end
+    end
+    if not hasAcceptedCondition then
+        hs.status = "Degraded"
+        hs.message = "Ancestor " .. (ancestor.ancestorRef.name or "") .. ": " .. (obj.kind or "Policy")  .. " is not accepted"
+    end
+  end
+end
+
+return hs

resource_customizations/microgateway.airlock.com/_/health_test.yaml

@@ -0,0 +1,32 @@
+tests:
+- healthStatus:
+    status: Healthy
+    message: "AccessControlPolicy is healthy"
+  inputPath: testdata/healthy.yaml
+- healthStatus:
+    status: Degraded
+    message: "Ancestor example-gateway: ContentSecurityPolicy is conflicting with other policies for this ancestor: [example-contentsecuritypolicy]"
+  inputPath: testdata/degraded_conflicting.yaml
+- healthStatus:
+    status: Degraded
+    message: >-
+      Ancestor example-gateway: Resolving CustomResponsePolicy failed:
+      Missing referenced CustomResponse 'example'
+      WARNING: traffic to referenced target(s) will be rejected.
+  inputPath: testdata/degraded_resolved_refs.yaml
+- healthStatus:
+    status: Degraded
+    message: "Ancestor example-gateway-2: RateLimitPolicy is not accepted"
+  inputPath: testdata/degraded_multiple_ancestors.yaml
+- healthStatus:
+    status: Progressing
+    message: "Waiting for EnvoyExtensionPolicy status"
+  inputPath: testdata/progressing.yaml
+- healthStatus:
+    status: Progressing
+    message: "Waiting for Ancestor example-gateway to update ICAPPolicy status"
+  inputPath: testdata/progressing_observed_generation.yaml
+- healthStatus:
+    status: Healthy
+    message: "DenyRules is healthy"
+  inputPath: testdata/unknown.yaml

resource_customizations/microgateway.airlock.com/_/testdata/degraded_conflicting.yaml

@@ -0,0 +1,25 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: ContentSecurityPolicy
+metadata:
+  name: example-contentsecuritypolicy-2
+  namespace: default
+spec:
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: example-httproute
+status:
+  ancestors:
+  - ancestorRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: example-gateway
+    conditions:
+    - lastTransitionTime: '2026-04-16T14:21:38Z'
+      message: >-
+        ContentSecurityPolicy is conflicting with other policies for this ancestor: [example-contentsecuritypolicy]
+      observedGeneration: 3
+      reason: Conflicted
+      status: 'False'
+      type: Accepted
+    controllerName: example.com/gatewayclass-controller

resource_customizations/microgateway.airlock.com/_/testdata/degraded_multiple_ancestors.yaml

@@ -0,0 +1,37 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: RateLimitPolicy
+metadata:
+  name: example-ratelimitpolicy
+  namespace: default
+  generation: 3
+spec:
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: example-httproute
+status:
+  ancestors:
+  - ancestorRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: example-gateway
+    conditions:
+    - lastTransitionTime: '2026-04-16T12:20:11Z'
+      message: RateLimitPolicy is accepted
+      observedGeneration: 3
+      reason: Accepted
+      status: 'True'
+      type: Accepted
+    controllerName: example.com/gatewayclass-controller
+  - ancestorRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: example-gateway-2
+    conditions:
+      - lastTransitionTime: '2026-04-16T12:20:11Z'
+        message: FooBar
+        observedGeneration: 3
+        reason: Foo
+        status: 'True'
+        type: Bar
+    controllerName: example.com/gatewayclass-controller

resource_customizations/microgateway.airlock.com/_/testdata/degraded_resolved_refs.yaml

@@ -0,0 +1,27 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: CustomResponsePolicy
+metadata:
+  name: example-customresponsepolicy
+  namespace: default
+spec:
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: example-httproute
+status:
+  ancestors:
+  - ancestorRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: example-gateway
+    conditions:
+    - lastTransitionTime: '2026-04-16T12:20:11Z'
+      message: >-
+        Resolving CustomResponsePolicy failed:
+        Missing referenced CustomResponse 'example'
+        WARNING: traffic to referenced target(s) will be rejected.
+      observedGeneration: 3
+      reason: Invalid
+      status: 'False'
+      type: Accepted
+    controllerName: example.com/gatewayclass-controller

resource_customizations/microgateway.airlock.com/_/testdata/healthy.yaml

@@ -0,0 +1,25 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: AccessControlPolicy
+metadata:
+  name: example-accesscontrolpolicy
+  namespace: default
+  generation: 3
+spec:
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: example-httproute
+status:
+  ancestors:
+  - ancestorRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: example-gateway
+    conditions:
+    - lastTransitionTime: '2026-04-16T12:20:11Z'
+      message: AccessControlPolicy is accepted
+      observedGeneration: 3
+      reason: Accepted
+      status: 'True'
+      type: Accepted
+    controllerName: example.com/gatewayclass-controller

resource_customizations/microgateway.airlock.com/_/testdata/progressing.yaml

@@ -0,0 +1,12 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: EnvoyExtensionPolicy
+metadata:
+  name: example-envoyextensionpolicy
+  namespace: default
+spec:
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: example-httproute
+status:
+  ancestors: []

resource_customizations/microgateway.airlock.com/_/testdata/progressing_observed_generation.yaml

@@ -0,0 +1,25 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: ICAPPolicy
+metadata:
+  name: example-icappolicy
+  namespace: default
+  generation: 3
+spec:
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: example-httproute
+status:
+  ancestors:
+  - ancestorRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: example-gateway
+    conditions:
+    - lastTransitionTime: '2026-04-16T12:20:11Z'
+      message: ICAPPolicy is accepted
+      observedGeneration: 1
+      reason: Accepted
+      status: 'True'
+      type: Accepted
+    controllerName: example.com/gatewayclass-controller

resource_customizations/microgateway.airlock.com/_/testdata/unknown.yaml

@@ -0,0 +1,17 @@
+apiVersion: microgateway.airlock.com/v1alpha1
+kind: DenyRules
+metadata:
+  name: example-denyrules
+  namespace: default
+spec:
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: example-httproute
+status:
+  ancestors:
+  - ancestorRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: example-gateway
+    controllerName: example.com/gatewayclass-controller

util/lua/lua_test.go

@@ -1127,6 +1127,7 @@ func Test_getHealthScriptPaths(t *testing.T) {
 		"_.crossplane.io/_",
 		"_.upbound.io/_",
 		"grafana-org-operator.kubitus-project.gitlab.io/_",
+		"microgateway.airlock.com/_",
 		"operator.victoriametrics.com/_",
 	}, paths)
 }