feat: policy spans and tracking merging policies

api/v1/merge_strategies.go

@@ -192,7 +192,7 @@ func EffectivePolicyForPath[T machinery.Policy](path []machinery.Targetable, pre
 	return &concreteEffectivePolicy
 }
 
-// OrderedPoliciesForPath gathers all policies in a path sorted from the least specific to the most specific.
+// PoliciesInPath gathers all policies in a path sorted from the least specific to the most specific.
 // Only policies whose predicate returns true are considered.
 func PoliciesInPath(path []machinery.Targetable, predicate func(machinery.Policy) bool) []machinery.Policy {
 	return lo.FlatMap(path, func(targetable machinery.Targetable, _ int) []machinery.Policy {

cmd/main.go

@@ -24,6 +24,7 @@ import (
 	"runtime"
 	"time"
 
+	"github.com/kuadrant/policy-machinery/controller"
 	"go.opentelemetry.io/otel"
 	"go.uber.org/zap/zapcore"
 
@@ -119,6 +120,8 @@ func printControllerMetaInfo() {
 }
 
 func main() {
+	var opts []controller.ControllerOption
+
 	// Setup OpenTelemetry if enabled
 	otelConfig := kuadrantOtel.NewConfig(gitSHA, dirty, version)
 	if otelConfig.Enabled {
@@ -176,6 +179,8 @@ func main() {
 				}
 			}()
 		}
+
+		opts = append(opts, controller.WithTracer(traceProvider.TracerProvider().Tracer(otelConfig.ServiceName)))
 	}
 
 	printControllerMetaInfo()
@@ -255,7 +260,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	stateOfTheWorld, err := controllers.NewPolicyMachineryController(mgr, client, log.Log)
+	stateOfTheWorld, err := controllers.NewPolicyMachineryController(mgr, client, log.Log, opts...)
 	if err != nil {
 		setupLog.Error(err, "unable to setup policy controller")
 		os.Exit(1)

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/kuadrant/authorino-operator v0.21.0
 	github.com/kuadrant/dns-operator v0.0.0-20250826105007-7a0e6d88f7bb
 	github.com/kuadrant/limitador-operator v0.15.0
-	github.com/kuadrant/policy-machinery v0.6.4
+	github.com/kuadrant/policy-machinery v0.7.1-0.20251119154946-1ca17a075dd2
 	github.com/martinlindhe/base36 v1.1.1
 	github.com/onsi/ginkgo/v2 v2.22.0
 	github.com/onsi/gomega v1.36.1
@@ -63,7 +63,7 @@ require (
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/emicklei/dot v1.6.2 // indirect
+	github.com/emicklei/dot v1.8.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
 	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect

go.sum

@@ -22,8 +22,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/elliotchance/orderedmap/v2 v2.2.0 h1:7/2iwO98kYT4XkOjA9mBEIwvi4KpGB4cyHeOFOnj4Vk=
 github.com/elliotchance/orderedmap/v2 v2.2.0/go.mod h1:85lZyVbpGaGvHvnKa7Qhx7zncAdBIBq6u56Hb1PRU5Q=
-github.com/emicklei/dot v1.6.2 h1:08GN+DD79cy/tzN6uLCT84+2Wk9u+wvqP+Hkx/dIR8A=
-github.com/emicklei/dot v1.6.2/go.mod h1:DeV7GvQtIw4h2u73RKBkkFdvVAz0D9fzeJrgPW6gy/s=
+github.com/emicklei/dot v1.8.0 h1:HnD60yAKFAevNeT+TPYr9pb8VB9bqdeSo0nzwIW6IOI=
+github.com/emicklei/dot v1.8.0/go.mod h1:DeV7GvQtIw4h2u73RKBkkFdvVAz0D9fzeJrgPW6gy/s=
 github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU=
 github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/gateway v1.2.6 h1:QxHBcJUdF2Rvof1Om6GQnSGKnq+l57zp60AGfFuql1Q=
@@ -93,8 +93,8 @@ github.com/kuadrant/dns-operator v0.0.0-20250826105007-7a0e6d88f7bb h1:YTWt8bn7x
 github.com/kuadrant/dns-operator v0.0.0-20250826105007-7a0e6d88f7bb/go.mod h1:EF37SlMqbarJieimWDPRv/N5BACbdzLa9nCBJcoeFvs=
 github.com/kuadrant/limitador-operator v0.15.0 h1:BWgYKV0iasFY3+zKQhLpTdfIlI2pD4MuGr8Hc30ypfg=
 github.com/kuadrant/limitador-operator v0.15.0/go.mod h1:58b5gdSemjXUijd2TBPKBwaQskU7rynHGHD7rTqk2OE=
-github.com/kuadrant/policy-machinery v0.6.4 h1:UMdZ2p7WyUdOKcWlJA2w2MzJnB8/Nn4dT6hE9cUcbeg=
-github.com/kuadrant/policy-machinery v0.6.4/go.mod h1:ZV4xS0CCxPgu/Xg6gz+YUaS9zqEXKOiAj33bZ67B6Lo=
+github.com/kuadrant/policy-machinery v0.7.1-0.20251119154946-1ca17a075dd2 h1:82Qf4klsgQ/176P8PoDbno8Jlik/WPg4j2l3pp1nKG8=
+github.com/kuadrant/policy-machinery v0.7.1-0.20251119154946-1ca17a075dd2/go.mod h1:8JF2bof6DJsEVSQOxpi8Kuj/zEps+BezpRZpF3XRAa4=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=

internal/controller/auth_policies_validator.go

@@ -6,7 +6,8 @@ import (
 
 	"github.com/kuadrant/policy-machinery/controller"
 	"github.com/kuadrant/policy-machinery/machinery"
-	"github.com/samber/lo"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/codes"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/utils/ptr"
@@ -36,6 +37,7 @@ func (r *AuthPolicyValidator) Subscription() controller.Subscription {
 
 func (r *AuthPolicyValidator) Validate(ctx context.Context, _ []controller.ResourceEvent, topology *machinery.Topology, _ error, state *sync.Map) error {
 	logger := controller.LoggerFromContext(ctx).WithName("AuthPolicyValidator").WithValues("context", ctx)
+	tracer := controller.TracerFromContext(ctx)
 
 	policies := topology.Policies().Items(func(o machinery.Object) bool {
 		return o.GroupVersionKind().GroupKind() == kuadrantv1.AuthPolicyGroupKind
@@ -44,13 +46,25 @@ func (r *AuthPolicyValidator) Validate(ctx context.Context, _ []controller.Resou
 	logger.V(1).Info("validating auth policies", "policies", len(policies))
 	defer logger.V(1).Info("finished validating auth policies")
 
-	state.Store(StateAuthPolicyValid, lo.SliceToMap(policies, func(policy machinery.Policy) (string, error) {
-		if err := r.isMissingDependency(); err != nil {
-			return policy.GetLocator(), err
-		}
+	validationResults := make(map[string]error)
+
+	for _, policy := range policies {
+		p := policy.(*kuadrantv1.AuthPolicy)
+
+		_, span := tracer.Start(ctx, "policy.AuthPolicy.validate")
+		span.SetAttributes(
+			attribute.String("policy.name", p.GetName()),
+			attribute.String("policy.namespace", p.GetNamespace()),
+			attribute.String("policy.kind", kuadrantv1.AuthPolicyGroupKind.Kind),
+			attribute.String("policy.uid", string(p.GetUID())),
+		)
 
 		var err error
-		if len(policy.GetTargetRefs()) > 0 && len(topology.Targetables().Children(policy)) == 0 {
+		if missingDepErr := r.isMissingDependency(); missingDepErr != nil {
+			err = missingDepErr
+			span.RecordError(err)
+			span.SetStatus(codes.Error, "missing dependency")
+		} else if len(policy.GetTargetRefs()) > 0 && len(topology.Targetables().Children(policy)) == 0 {
 			ref := policy.GetTargetRefs()[0]
 			var res schema.GroupResource
 			switch ref.GroupVersionKind().Kind {
@@ -60,9 +74,18 @@ func (r *AuthPolicyValidator) Validate(ctx context.Context, _ []controller.Resou
 				res = controller.HTTPRoutesResource.GroupResource()
 			}
 			err = kuadrant.NewErrPolicyTargetNotFound(kuadrantv1.AuthPolicyGroupKind.Kind, ref, apierrors.NewNotFound(res, ref.GetName()))
+			span.RecordError(err)
+			span.SetStatus(codes.Error, "target not found")
+		} else {
+			span.AddEvent("policy validated successfully")
+			span.SetStatus(codes.Ok, "")
 		}
-		return policy.GetLocator(), err
-	}))
+
+		validationResults[policy.GetLocator()] = err
+		span.End()
+	}
+
+	state.Store(StateAuthPolicyValid, validationResults)
 
 	return nil
 }

internal/controller/auth_policy_status_updater.go

@@ -15,6 +15,8 @@ import (
 	"github.com/kuadrant/policy-machinery/controller"
 	"github.com/kuadrant/policy-machinery/machinery"
 	"github.com/samber/lo"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/codes"
 	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -60,6 +62,7 @@ func (r *AuthPolicyStatusUpdater) Subscription() controller.Subscription {
 
 func (r *AuthPolicyStatusUpdater) UpdateStatus(ctx context.Context, _ []controller.ResourceEvent, topology *machinery.Topology, _ error, state *sync.Map) error {
 	logger := controller.LoggerFromContext(ctx).WithName("AuthPolicyStatusUpdater").WithValues("context", ctx)
+	tracer := controller.TracerFromContext(ctx)
 
 	policies := lo.FilterMap(topology.Policies().Items(), func(item machinery.Policy, _ int) (*kuadrantv1.AuthPolicy, bool) {
 		p, ok := item.(*kuadrantv1.AuthPolicy)
@@ -72,8 +75,19 @@ func (r *AuthPolicyStatusUpdater) UpdateStatus(ctx context.Context, _ []controll
 	defer logger.V(1).Info("finished updating authpolicy statuses")
 
 	for _, policy := range policies {
+		policyCtx, span := tracer.Start(ctx, "policy.AuthPolicy")
+		span.SetAttributes(
+			attribute.String("policy.name", policy.GetName()),
+			attribute.String("policy.namespace", policy.GetNamespace()),
+			attribute.String("policy.kind", kuadrantv1.AuthPolicyGroupKind.Kind),
+			attribute.String("policy.uid", string(policy.GetUID())),
+		)
+
 		if policy.GetDeletionTimestamp() != nil {
 			logger.V(1).Info("authpolicy is marked for deletion, skipping", "name", policy.Name, "namespace", policy.Namespace)
+			span.AddEvent("policy marked for deletion, skipping")
+			span.SetStatus(codes.Ok, "")
+			span.End()
 			continue
 		}
 
@@ -97,6 +111,9 @@ func (r *AuthPolicyStatusUpdater) UpdateStatus(ctx context.Context, _ []controll
 		equalStatus := equality.Semantic.DeepEqual(newStatus, policy.Status)
 		if equalStatus && policy.Generation == policy.Status.ObservedGeneration {
 			logger.V(1).Info("policy status unchanged, skipping update")
+			span.AddEvent("policy status unchanged, skipping update")
+			span.SetStatus(codes.Ok, "")
+			span.End()
 			continue
 		}
 		newStatus.ObservedGeneration = policy.Generation
@@ -105,18 +122,32 @@ func (r *AuthPolicyStatusUpdater) UpdateStatus(ctx context.Context, _ []controll
 		obj, err := controller.Destruct(policy)
 		if err != nil {
 			logger.Error(err, "unable to destruct policy") // should never happen
+			span.RecordError(err)
+			span.SetStatus(codes.Error, "unable to destruct policy")
+			span.End()
 			continue
 		}
 
-		_, err = r.client.Resource(kuadrantv1.AuthPoliciesResource).Namespace(policy.GetNamespace()).UpdateStatus(ctx, obj, metav1.UpdateOptions{})
+		_, err = r.client.Resource(kuadrantv1.AuthPoliciesResource).Namespace(policy.GetNamespace()).UpdateStatus(policyCtx, obj, metav1.UpdateOptions{})
 		if err != nil {
 			if strings.Contains(err.Error(), "StorageError: invalid object") {
 				logger.Info("possible error updating resource", "err", err, "possible_cause", "resource has being removed from the cluster already")
+				span.AddEvent("resource already removed from cluster")
+				span.SetStatus(codes.Ok, "")
+				span.End()
 				continue
 			}
 			logger.Error(err, "unable to update status for authpolicy", "name", policy.GetName(), "namespace", policy.GetNamespace())
+			span.RecordError(err)
+			span.SetStatus(codes.Error, "unable to update status")
+			span.End()
 			// TODO: handle error
+			continue
 		}
+
+		span.AddEvent("policy status updated successfully")
+		span.SetStatus(codes.Ok, "")
+		span.End()
 	}
 
 	return nil

internal/controller/auth_workflow_helpers.go

@@ -161,9 +161,10 @@ func buildWasmActionsForAuth(pathID string, effectivePolicy EffectiveAuthPolicy)
 	spec := effectivePolicy.Spec.Spec.Proper()
 
 	action := wasm.Action{
-		ServiceName: wasm.AuthServiceName,
-		Scope:       AuthConfigNameForPath(pathID),
-		Predicates:  spec.Predicates.Into(),
+		ServiceName:          wasm.AuthServiceName,
+		Scope:                AuthConfigNameForPath(pathID),
+		Predicates:           spec.Predicates.Into(),
+		SourcePolicyLocators: effectivePolicy.SourcePolicies,
 	}
 
 	return []wasm.Action{action}

internal/controller/authorino_reconciler.go

@@ -8,9 +8,9 @@ import (
 	"github.com/kuadrant/policy-machinery/controller"
 	"github.com/kuadrant/policy-machinery/machinery"
 	"github.com/samber/lo"
-	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/codes"
+	"go.opentelemetry.io/otel/trace"
 	apiErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/dynamic"
@@ -40,10 +40,7 @@ func (r *AuthorinoReconciler) Subscription() *controller.Subscription {
 }
 
 func (r *AuthorinoReconciler) Reconcile(ctx context.Context, _ []controller.ResourceEvent, topology *machinery.Topology, _ error, _ *sync.Map) error {
-	tracer := otel.Tracer("kuadrant-operator")
-	ctx, span := tracer.Start(ctx, "AuthorinoReconciler.Reconcile")
-	defer span.End()
-
+	span := trace.SpanFromContext(ctx)
 	logger := controller.LoggerFromContext(ctx).WithName("AuthorinoReconciler").WithValues("context", ctx)
 	logger.V(1).Info("reconciling authorino resource", "status", "started")
 	defer logger.V(1).Info("reconciling authorino resource", "status", "completed")

internal/controller/dnspolicies_validator.go

@@ -7,6 +7,8 @@ import (
 	"sync"
 
 	"github.com/samber/lo"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/codes"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -42,6 +44,7 @@ func (r *DNSPoliciesValidator) Subscription() controller.Subscription {
 
 func (r *DNSPoliciesValidator) validate(ctx context.Context, _ []controller.ResourceEvent, topology *machinery.Topology, _ error, state *sync.Map) error {
 	logger := controller.LoggerFromContext(ctx).WithName("DNSPoliciesValidator").WithValues("context", ctx)
+	tracer := controller.TracerFromContext(ctx)
 
 	policies := lo.Filter(topology.Policies().Items(), func(p machinery.Policy, _ int) bool {
 		_, ok := p.(*kuadrantv1.DNSPolicy)
@@ -50,23 +53,46 @@ func (r *DNSPoliciesValidator) validate(ctx context.Context, _ []controller.Reso
 
 	logger.V(1).Info("validating dns policies", "policies", len(policies))
 
-	state.Store(StateDNSPolicyAcceptedKey, lo.SliceToMap(policies, func(p machinery.Policy) (string, error) {
-		if err := r.isMissingDependency(); err != nil {
-			return p.GetLocator(), err
-		}
+	validationResults := make(map[string]error)
 
+	for _, p := range policies {
 		policy := p.(*kuadrantv1.DNSPolicy)
 
-		if err := isTargetRefsFound(topology, policy); err != nil {
-			return policy.GetLocator(), err
+		_, span := tracer.Start(ctx, "policy.DNSPolicy.validate")
+		span.SetAttributes(
+			attribute.String("policy.name", policy.GetName()),
+			attribute.String("policy.namespace", policy.GetNamespace()),
+			attribute.String("policy.kind", kuadrantv1.DNSPolicyGroupKind.Kind),
+			attribute.String("policy.uid", string(policy.GetUID())),
+		)
+
+		var err error
+		if missingDepErr := r.isMissingDependency(); missingDepErr != nil {
+			err = missingDepErr
+			span.RecordError(err)
+			span.SetStatus(codes.Error, "missing dependency")
+		} else if targetErr := isTargetRefsFound(topology, policy); targetErr != nil {
+			err = targetErr
+			span.RecordError(err)
+			span.SetStatus(codes.Error, "target not found")
+		} else if conflictErr := isConflict(policies, policy); conflictErr != nil {
+			err = conflictErr
+			span.RecordError(err)
+			span.SetStatus(codes.Error, "conflicting policy")
+		} else if validateErr := policy.Validate(); validateErr != nil {
+			err = validateErr
+			span.RecordError(err)
+			span.SetStatus(codes.Error, "validation failed")
+		} else {
+			span.AddEvent("policy validated successfully")
+			span.SetStatus(codes.Ok, "")
 		}
 
-		if err := isConflict(policies, policy); err != nil {
-			return policy.GetLocator(), err
-		}
+		validationResults[policy.GetLocator()] = err
+		span.End()
+	}
 
-		return policy.GetLocator(), policy.Validate()
-	}))
+	state.Store(StateDNSPolicyAcceptedKey, validationResults)
 
 	logger.V(1).Info("finished validating dns policies")