Description
We are working on implementing BackendTLSPolicy in Contour.
I'd like to get clarity on how the `TargetNotFound` condition reason should work as I think there is some wonky UX here.
There is this note: "Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for." in GEP-713#standard-status-struct. If the `targetRef` is not found, this would read to me as the implementation is not responsible for this BackendTLSPolicy and the implementation shouldn't add a condition because it is not in the Gateway->Route->Service hierarchy. Perhaps you could say if the Route has the same `backendRef` as the BackendTLSPolicy `targetRef` it is in the hierarchy, but this wouldn't help if the user made a typo in the `targetRef`. And alternatively, having the implementations add an ancestor reference to every BackendTLSPolicy that can't find the target seems bad as well since they may be unrelated to whatever Gateway implementation is reconciling.
Of course, it will be a bit of a bad experience for a user to make a mistake in their `targetRef` config and not get an updated policy status. However, I am not sure if we want gateway implementations to be responsible for this given we either update what we can and leave some policies out if we can't match them at all or we match all of them and duplicate status information for every gateway that may exist on a cluster.