fix(validation): support simultaneous ALB and NGINX traffic routing validation

Previously, when both ALB and NGINX traffic routing were configured
simultaneously, the validation logic incorrectly applied NGINX validation
rules to ALB ingresses, causing validation errors like:
'ingress has no rules using service sample-api backend'

This fix modifies the ValidateIngress function to:
- Check if an ingress belongs to NGINX configuration first
- Check if an ingress belongs to ALB configuration second
- Only validate ingresses against their respective traffic routing rules

Added helper functions isNginxIngress() and isAlbIngress() to properly
identify which traffic routing configuration an ingress belongs to.

Fixes #4452

Signed-off-by: puretension <[email protected]>

Author: puretension

pkg/apis/rollouts/validation/validation_references.go

@@ -222,13 +222,59 @@ func ValidateIngress(rollout *v1alpha1.Rollout, ingress *ingressutil.Ingress) fi
 	fldPath := field.NewPath("spec", "strategy", "canary", "trafficRouting")
 	canary := rollout.Spec.Strategy.Canary
 
+	// Check if this ingress belongs to NGINX configuration
 	if canary.TrafficRouting.Nginx != nil {
-		return validateNginxIngress(canary, ingress, fldPath)
-	} else if canary.TrafficRouting.ALB != nil {
-		return validateAlbIngress(canary, ingress, fldPath)
-	} else {
-		return allErrs
+		if isNginxIngress(canary, ingress.GetName()) {
+			return validateNginxIngress(canary, ingress, fldPath)
+		}
+	}
+
+	// Check if this ingress belongs to ALB configuration
+	if canary.TrafficRouting.ALB != nil {
+		if isAlbIngress(canary, ingress.GetName()) {
+			return validateAlbIngress(canary, ingress, fldPath)
+		}
+	}
+
+	return allErrs
+}
+
+func isNginxIngress(canary *v1alpha1.CanaryStrategy, ingressName string) bool {
+	nginx := canary.TrafficRouting.Nginx
+	if nginx == nil {
+		return false
+	}
+
+	// Check single stable ingress
+	if nginx.StableIngress == ingressName {
+		return true
+	}
+
+	// Check multiple stable ingresses
+	if nginx.StableIngresses != nil && slices.Contains(nginx.StableIngresses, ingressName) {
+		return true
+	}
+
+	return false
+}
+
+func isAlbIngress(canary *v1alpha1.CanaryStrategy, ingressName string) bool {
+	alb := canary.TrafficRouting.ALB
+	if alb == nil {
+		return false
+	}
+
+	// Check single ingress
+	if alb.Ingress == ingressName {
+		return true
 	}
+
+	// Check multiple ingresses
+	if alb.Ingresses != nil && slices.Contains(alb.Ingresses, ingressName) {
+		return true
+	}
+
+	return false
 }
 
 func validateNginxIngress(canary *v1alpha1.CanaryStrategy, ingress *ingressutil.Ingress, fldPath *field.Path) field.ErrorList {

pkg/apis/rollouts/validation/validation_references_test.go

@@ -846,6 +846,45 @@ func TestValidateAlbIngress(t *testing.T) {
 	})
 }
 
+func TestValidateIngressSimultaneousAlbNginx(t *testing.T) {
+	t.Run("validate simultaneous ALB and NGINX ingresses - success", func(t *testing.T) {
+		// Create a rollout with both ALB and NGINX traffic routing
+		rollout := getAlbRollout("alb-ingress")
+		rollout.Spec.Strategy.Canary.TrafficRouting.Nginx = &v1alpha1.NginxTrafficRouting{
+			StableIngresses: []string{"nginx-ingress-1", "nginx-ingress-2"},
+		}
+
+		// Test ALB ingress validation
+		albIngressObj := getIngress()
+		albIngressObj.Name = "alb-ingress"
+		albIngress := ingressutil.NewLegacyIngress(albIngressObj)
+		allErrs := ValidateIngress(rollout, albIngress)
+		assert.Empty(t, allErrs)
+
+		// Test NGINX ingress validation
+		nginxIngressObj := getIngress()
+		nginxIngressObj.Name = "nginx-ingress-1"
+		nginxIngress := ingressutil.NewLegacyIngress(nginxIngressObj)
+		allErrs = ValidateIngress(rollout, nginxIngress)
+		assert.Empty(t, allErrs)
+	})
+
+	t.Run("validate simultaneous ALB and NGINX ingresses - ALB ingress not validated against NGINX rules", func(t *testing.T) {
+		// Create a rollout with both ALB and NGINX traffic routing
+		rollout := getAlbRollout("alb-ingress")
+		rollout.Spec.Strategy.Canary.TrafficRouting.Nginx = &v1alpha1.NginxTrafficRouting{
+			StableIngresses: []string{"nginx-ingress-1", "nginx-ingress-2"},
+		}
+
+		// Test that ALB ingress is not validated against NGINX rules
+		albIngressObj := getIngress()
+		albIngressObj.Name = "alb-ingress"
+		albIngress := ingressutil.NewLegacyIngress(albIngressObj)
+		allErrs := ValidateIngress(rollout, albIngress)
+		assert.Empty(t, allErrs, "ALB ingress should not be validated against NGINX rules")
+	})
+}
+
 func TestValidateRolloutNginxIngressesConfig(t *testing.T) {
 	var emptyStableIngress string
 	var emptyStableIngresses []string