fix: check policy status when generating config

pkg/gateway/processor/v2/backend_lb_policy.go

@@ -25,7 +25,7 @@ func NewBackendLBPolicyProcessor(c *ConfigGenerator) BackendPolicyProcessor {
 	}
 }
 
-func (p *BackendLBPolicyProcessor) Process(route client.Object, _ gwv1.ParentReference, routeRule any, backendRef gwv1.BackendObjectReference, svcPort *fgwv2.ServicePortName) {
+func (p *BackendLBPolicyProcessor) Process(route client.Object, routeParentRef gwv1.ParentReference, routeRule any, backendRef gwv1.BackendObjectReference, svcPort *fgwv2.ServicePortName) {
 	// Any configuration that is specified at Route Rule level MUST override configuration
 	// that is attached at the backend level because route rule have a more global view and
 	// responsibility for the overall traffic routing.
@@ -66,6 +66,10 @@ func (p *BackendLBPolicyProcessor) Process(route client.Object, _ gwv1.ParentRef
 		return
 	}
 
+	if !gwutils.IsPolicyAcceptedForAncestor(routeParentRef, policy.Status.Ancestors) {
+		return
+	}
+
 	p2 := p.getOrCreateBackendLBPolicy(policy)
 	if p2 == nil {
 		return

pkg/gateway/processor/v2/backend_tls_policy.go

@@ -30,7 +30,7 @@ func NewBackendTLSPolicyProcessor(c *ConfigGenerator) BackendPolicyProcessor {
 	}
 }
 
-func (p *BackendTLSPolicyProcessor) Process(route client.Object, _ gwv1.ParentReference, routeRule any, backendRef gwv1.BackendObjectReference, svcPort *fgwv2.ServicePortName) {
+func (p *BackendTLSPolicyProcessor) Process(route client.Object, routeParentRef gwv1.ParentReference, routeRule any, backendRef gwv1.BackendObjectReference, svcPort *fgwv2.ServicePortName) {
 	targetRef := gwv1alpha2.LocalPolicyTargetReferenceWithSectionName{
 		LocalPolicyTargetReference: gwv1alpha2.LocalPolicyTargetReference{
 			Group: ptr.Deref(backendRef.Group, corev1.GroupName),
@@ -45,6 +45,10 @@ func (p *BackendTLSPolicyProcessor) Process(route client.Object, _ gwv1.ParentRe
 		return
 	}
 
+	if !gwutils.IsPolicyAcceptedForAncestor(routeParentRef, policy.Status.Ancestors) {
+		return
+	}
+
 	hostname := string(policy.Spec.Validation.Hostname)
 	if err := gwutils.IsValidHostname(hostname); err != nil {
 		return

pkg/gateway/processor/v2/health_check_policy.go

@@ -41,6 +41,10 @@ func (p *HealthCheckPolicyProcessor) Process(route client.Object, routeParentRef
 		return
 	}
 
+	if !gwutils.IsPolicyAcceptedForAncestor(routeParentRef, policy.Status.Ancestors) {
+		return
+	}
+
 	psu := policies.NewPolicyStatusHolderWithNamespacedPolicyTargetReference(
 		policy,
 		&policy.ObjectMeta,

pkg/gateway/processor/v2/retry_policy.go

@@ -41,6 +41,10 @@ func (p *RetryPolicyProcessor) Process(route client.Object, routeParentRef gwv1.
 		return
 	}
 
+	if !gwutils.IsPolicyAcceptedForAncestor(routeParentRef, policy.Status.Ancestors) {
+		return
+	}
+
 	psh := policies.NewPolicyStatusHolderWithNamespacedPolicyTargetReference(
 		policy,
 		&policy.ObjectMeta,

pkg/gateway/utils/policies.go

@@ -3,6 +3,10 @@ package utils
 import (
 	"fmt"
 
+	"github.com/google/go-cmp/cmp"
+	metautil "k8s.io/apimachinery/pkg/api/meta"
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -57,6 +61,16 @@ func HasAccessToBackendTargetRef(client cache.Cache, policy client.Object, targe
 	return true
 }
 
+func IsPolicyAcceptedForAncestor(ancestorRef gwv1.ParentReference, ancestors []gwv1alpha2.PolicyAncestorStatus) bool {
+	for _, ancestor := range ancestors {
+		if cmp.Equal(ancestor.AncestorRef, ancestorRef) {
+			return metautil.IsStatusConditionTrue(ancestor.Conditions, string(gwv1alpha2.PolicyConditionAccepted))
+		}
+	}
+
+	return false
+}
+
 // ---------------------------- Access Control ----------------------------
 
 // GetAccessControlsMatchTypePort returns a list of AccessControlPolicy objects that match the given selector