nginx · tataruty · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025
@@ -49,10 +49,10 @@ var _ = Describe("Policy CompositeValidator", func() {
 		policies.ManagerConfig{
 			Validator: &policiesfakes.FakeValidator{
 				ValidateStub: func(_ policies.Policy) []conditions.Condition {
-					return []conditions.Condition{conditions.NewPolicyInvalid("apple error")}
+					return []conditions.Condition{conditions.NewPolicyInvalid("Apple error")}
 				},
 				ValidateGlobalSettingsStub: func(_ policies.Policy, _ *policies.GlobalSettings) []conditions.Condition {
-					return []conditions.Condition{conditions.NewPolicyInvalid("apple global settings error")}
+					return []conditions.Condition{conditions.NewPolicyInvalid("Apple global settings error")}
 				},
 				ConflictsStub: func(_ policies.Policy, _ policies.Policy) bool { return true },
 			},
@@ -61,10 +61,10 @@ var _ = Describe("Policy CompositeValidator", func() {
 		policies.ManagerConfig{
 			Validator: &policiesfakes.FakeValidator{
 				ValidateStub: func(_ policies.Policy) []conditions.Condition {
-					return []conditions.Condition{conditions.NewPolicyInvalid("orange error")}
+					return []conditions.Condition{conditions.NewPolicyInvalid("Orange error")}
 				},
 				ValidateGlobalSettingsStub: func(_ policies.Policy, _ *policies.GlobalSettings) []conditions.Condition {
-					return []conditions.Condition{conditions.NewPolicyInvalid("orange global settings error")}
+					return []conditions.Condition{conditions.NewPolicyInvalid("Orange global settings error")}
 				},
 				ConflictsStub: func(_ policies.Policy, _ policies.Policy) bool { return false },
 			},
@@ -83,19 +83,18 @@ var _ = Describe("Policy CompositeValidator", func() {
 
 				conds := mgr.Validate(applePolicy)
 				Expect(conds).To(HaveLen(1))
-				Expect(conds[0].Message).To(Equal("apple error"))
+				Expect(conds[0].Message).To(Equal("Apple error"))
 
 				conds = mgr.ValidateGlobalSettings(applePolicy, globalSettings)
 				Expect(conds).To(HaveLen(1))
-				Expect(conds[0].Message).To(Equal("apple global settings error"))
-
+				Expect(conds[0].Message).To(Equal("Apple global settings error"))
 				conds = mgr.Validate(orangePolicy)
 				Expect(conds).To(HaveLen(1))
-				Expect(conds[0].Message).To(Equal("orange error"))
+				Expect(conds[0].Message).To(Equal("Orange error"))
 
 				conds = mgr.ValidateGlobalSettings(orangePolicy, globalSettings)
 				Expect(conds).To(HaveLen(1))
-				Expect(conds[0].Message).To(Equal("orange global settings error"))
+				Expect(conds[0].Message).To(Equal("Orange global settings error"))
 			})
 			It("Returns whether the policies conflict", func() {
 				Expect(mgr.Conflicts(applePolicy, applePolicy)).To(BeTrue())

@@ -1276,7 +1276,7 @@ var _ = Describe("ChangeProcessor", func() {
 							expGraph.GatewayClass = nil
 
 							gw := expGraph.Gateways[types.NamespacedName{Namespace: "test", Name: "gateway-1"}]
-							gw.Conditions = conditions.NewGatewayInvalid("GatewayClass doesn't exist")
+							gw.Conditions = conditions.NewGatewayInvalid("The GatewayClass doesn't exist")
 							gw.Valid = false
 							gw.Listeners = nil
 
@@ -2253,7 +2253,7 @@ var _ = Describe("ChangeProcessor", func() {
 									},
 								},
 							},
-							Conditions: conditions.NewGatewayInvalid("GatewayClass doesn't exist"),
+							Conditions: conditions.NewGatewayInvalid("The GatewayClass doesn't exist"),
 							DeploymentName: types.NamespacedName{
 								Namespace: "test",
 								Name:      "gateway-2-test-class",

@@ -461,10 +461,10 @@ func verifyIPFamily(npCfg *EffectiveNginxProxy, svcIPFamily []v1.IPFamily) error
 	containsIPv6 := slices.Contains(svcIPFamily, v1.IPv6Protocol)
 	containsIPv4 := slices.Contains(svcIPFamily, v1.IPv4Protocol)
 
-	//nolint: stylecheck // used in status condition which is normally capitalized
-	errIPv6Mismatch := errors.New("service configured with IPv6 family but NginxProxy is configured with IPv4")
-	//nolint: stylecheck // used in status condition which is normally capitalized
-	errIPv4Mismatch := errors.New("service configured with IPv4 family but NginxProxy is configured with IPv6")
+	//nolint: staticcheck // used in status condition which is normally capitalized
+	errIPv6Mismatch := errors.New("The Service configured with IPv6 family but NginxProxy is configured with IPv4")
+	//nolint: staticcheck // used in status condition which is normally capitalized
+	errIPv4Mismatch := errors.New("The Service configured with IPv4 family but NginxProxy is configured with IPv6")
 
 	npIPFamily := npCfg.IPFamily
 
@@ -687,8 +687,9 @@ func validateRouteBackendRefAppProtocol(
 	appProtocol string,
 	backendTLSPolicy *BackendTLSPolicy,
 ) error {
+	//nolint: staticcheck // used in status condition which is normally capitalized
 	err := fmt.Errorf(
-		"route type %s does not support service port appProtocol %s",
+		"The RouteType %s does not support service port appProtocol %s",
 		routeType,
 		appProtocol,
 	)
@@ -749,8 +750,8 @@ func getServicePort(svc *v1.Service, port int32) (v1.ServicePort, error) {
 			return p, nil
 		}
 	}
-
-	return v1.ServicePort{}, fmt.Errorf("no matching port for Service %s and port %d", svc.Name, port)
+	//nolint: staticcheck // used in status condition which is normally capitalized
+	return v1.ServicePort{}, fmt.Errorf("No matching port for Service %s and port %d", svc.Name, port)
 }
 
 func getRefGrantFromResourceForRoute(routeType RouteType, routeNs string) fromResource {

@@ -616,15 +616,15 @@ func TestVerifyIPFamily(t *testing.T) {
 				IPFamily: helpers.GetPointer(ngfAPIv1alpha2.IPv4),
 			},
 			svcIPFamily: []v1.IPFamily{v1.IPv6Protocol},
-			expErr:      errors.New("service configured with IPv6 family but NginxProxy is configured with IPv4"),
+			expErr:      errors.New("The Service configured with IPv6 family but NginxProxy is configured with IPv4"),
 		},
 		{
 			name: "Invalid - IPv6 configured for NGINX, service has only IPv4",
 			npCfg: &EffectiveNginxProxy{
 				IPFamily: helpers.GetPointer(ngfAPIv1alpha2.IPv6),
 			},
 			svcIPFamily: []v1.IPFamily{v1.IPv4Protocol},
-			expErr:      errors.New("service configured with IPv4 family but NginxProxy is configured with IPv6"),
+			expErr:      errors.New("The Service configured with IPv4 family but NginxProxy is configured with IPv6"),
 		},
 		{
 			name:        "Valid - When NginxProxy is nil",
@@ -985,12 +985,12 @@ func TestAddBackendRefsToRules(t *testing.T) {
 			},
 			expectedConditions: []conditions.Condition{
 				conditions.NewRouteBackendRefUnsupportedProtocol(
-					"route type http does not support service port appProtocol kubernetes.io/h2c;" +
+					"The RouteType http does not support service port appProtocol kubernetes.io/h2c;" +
 						" nginx does not support proxying to upstreams with http2 or h2c",
 				),
 			},
 			policies: emptyPolicies,
-			name:     "invalid backendRef with service port appProtocol h2c and route type http",
+			name:     "invalid backendRef with service port appProtocol h2c and The RouteType http",
 		},
 		{
 			route: createRoute("hr1", RouteTypeHTTP, "Service", 1, "svcWS"),
@@ -1005,7 +1005,7 @@ func TestAddBackendRefsToRules(t *testing.T) {
 			},
 			expectedConditions: nil,
 			policies:           emptyPolicies,
-			name:               "valid backendRef with service port appProtocol ws and route type http",
+			name:               "valid backendRef with service port appProtocol ws and RouteType http",
 		},
 		{
 			route: createRoute("hr1", RouteTypeHTTP, "Service", 1, "svcWSS"),
@@ -1022,7 +1022,7 @@ func TestAddBackendRefsToRules(t *testing.T) {
 			expectedConditions: nil,
 			policies:           policiesMatching,
 			name: "valid backendRef with service port appProtocol wss," +
-				" route type http, and corresponding BackendTLSPolicy",
+				" The RouteType http, and corresponding BackendTLSPolicy",
 		},
 		{
 			route: createRoute("hr1", RouteTypeHTTP, "Service", 1, "svcWSS"),
@@ -1037,12 +1037,12 @@ func TestAddBackendRefsToRules(t *testing.T) {
 			},
 			expectedConditions: []conditions.Condition{
 				conditions.NewRouteBackendRefUnsupportedProtocol(
-					"route type http does not support service port appProtocol kubernetes.io/wss;" +
+					"The RouteType http does not support service port appProtocol kubernetes.io/wss;" +
 						" missing corresponding BackendTLSPolicy",
 				),
 			},
 			policies: emptyPolicies,
-			name:     "invalid backendRef with service port appProtocol wss, route type http, but missing BackendTLSPolicy",
+			name:     "invalid backendRef with service port appProtocol wss, RouteType http, but missing BackendTLSPolicy",
 		},
 		{
 			route: createRoute("gr1", RouteTypeGRPC, "Service", 1, "svcH2c"),
@@ -1057,7 +1057,7 @@ func TestAddBackendRefsToRules(t *testing.T) {
 			},
 			expectedConditions: nil,
 			policies:           emptyPolicies,
-			name:               "valid backendRef with service port appProtocol h2c and route type grpc",
+			name:               "valid backendRef with service port appProtocol h2c and RouteType grpc",
 		},
 		{
 			route: createRoute("gr1", RouteTypeGRPC, "Service", 1, "svcWS"),
@@ -1072,11 +1072,11 @@ func TestAddBackendRefsToRules(t *testing.T) {
 			},
 			expectedConditions: []conditions.Condition{
 				conditions.NewRouteBackendRefUnsupportedProtocol(
-					"route type grpc does not support service port appProtocol kubernetes.io/ws",
+					"The RouteType grpc does not support service port appProtocol kubernetes.io/ws",
 				),
 			},
 			policies: emptyPolicies,
-			name:     "invalid backendRef with service port appProtocol ws and route type grpc",
+			name:     "invalid backendRef with service port appProtocol ws and RouteType grpc",
 		},
 		{
 			route: createRoute("gr1", RouteTypeGRPC, "Service", 1, "svcWSS"),
@@ -1091,11 +1091,11 @@ func TestAddBackendRefsToRules(t *testing.T) {
 			},
 			expectedConditions: []conditions.Condition{
 				conditions.NewRouteBackendRefUnsupportedProtocol(
-					"route type grpc does not support service port appProtocol kubernetes.io/wss",
+					"The RouteType grpc does not support service port appProtocol kubernetes.io/wss",
 				),
 			},
 			policies: emptyPolicies,
-			name:     "invalid backendRef with service port appProtocol wss and route type grpc",
+			name:     "invalid backendRef with service port appProtocol wss and RouteType grpc",
 		},
 		{
 			route: createRoute("hr1", RouteTypeHTTP, "Service", 1, "svcGRPC"),
@@ -1111,7 +1111,7 @@ func TestAddBackendRefsToRules(t *testing.T) {
 			expectedConditions: nil,
 			policies:           emptyPolicies,
 			name: "valid backendRef with non-Kubernetes Standard Application Protocol" +
-				" service port appProtocol and route type http",
+				" service port appProtocol and RouteType http",
 		},
 		{
 			route: createRoute("gr1", RouteTypeGRPC, "Service", 1, "svcGRPC"),
@@ -1127,7 +1127,7 @@ func TestAddBackendRefsToRules(t *testing.T) {
 			expectedConditions: nil,
 			policies:           emptyPolicies,
 			name: "valid backendRef with non-Kubernetes Standard Application Protocol" +
-				" service port appProtocol and route type grpc",
+				" service port appProtocol and RouteType grpc",
 		},
 		{
 			route: modRoute(createRoute("hr1", RouteTypeHTTP, "Service", 1, "svc1"), func(route *L7Route) *L7Route {
@@ -1528,7 +1528,7 @@ func TestCreateBackend(t *testing.T) {
 				Valid:       true,
 				InvalidForGateways: map[types.NamespacedName]conditions.Condition{
 					{Namespace: "test", Name: "gateway"}: conditions.NewRouteInvalidIPFamily(
-						`service configured with IPv4 family but NginxProxy is configured with IPv6`,
+						`The Service configured with IPv4 family but NginxProxy is configured with IPv6`,
 					),
 				},
 			},

@@ -75,7 +75,7 @@ func validateBackendTLSPolicy(
 
 	if err := validateBackendTLSHostname(backendTLSPolicy); err != nil {
 		valid = false
-		conds = append(conds, conditions.NewPolicyInvalid(fmt.Sprintf("invalid hostname: %s", err.Error())))
+		conds = append(conds, conditions.NewPolicyInvalid(fmt.Sprintf("Invalid hostname: %s", err.Error())))
 	}
 
 	caCertRefs := backendTLSPolicy.Spec.Validation.CACertificateRefs
@@ -109,7 +109,7 @@ func validateBackendTLSPolicy(
 		valid = false
 		conds = append(
 			conds,
-			conditions.NewPolicyInvalid("either CACertificateRefs or WellKnownCACertificates must be specified"),
+			conditions.NewPolicyInvalid("Either CACertificateRefs or WellKnownCACertificates must be specified"),
 		)
 	}
 

@@ -1,6 +1,8 @@
 package graph
 
 import (
+	"strings"
+
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -134,10 +136,11 @@ func validateGatewayParametersRef(npCfg *NginxProxy, ref v1.LocalParametersRefer
 
 	if _, ok := supportedParamKinds[string(ref.Kind)]; !ok {
 		err := field.NotSupported(path.Child("kind"), string(ref.Kind), []string{kinds.NginxProxy})
+		condMsg := strings.ToUpper(err.Error()[:1]) + err.Error()[1:] // Capitalize first letter
 		conds = append(
 			conds,
-			conditions.NewGatewayRefInvalid(err.Error()),
-			conditions.NewGatewayInvalidParameters(err.Error()),
+			conditions.NewGatewayRefInvalid(condMsg),
+			conditions.NewGatewayInvalidParameters(condMsg),
 		)
 
 		return conds
@@ -157,6 +160,7 @@ func validateGatewayParametersRef(npCfg *NginxProxy, ref v1.LocalParametersRefer
 
 	if !npCfg.Valid {
 		msg := npCfg.ErrMsgs.ToAggregate().Error()
+		msg = strings.ToUpper(msg[:1]) + msg[1:]
 		conds = append(
 			conds,
 			conditions.NewGatewayRefInvalid(msg),
@@ -174,16 +178,16 @@ func validateGateway(gw *v1.Gateway, gc *GatewayClass, npCfg *NginxProxy) ([]con
 	var conds []conditions.Condition
 
 	if gc == nil {
-		conds = append(conds, conditions.NewGatewayInvalid("GatewayClass doesn't exist")...)
+		conds = append(conds, conditions.NewGatewayInvalid("The GatewayClass doesn't exist")...)
 	} else if !gc.Valid {
-		conds = append(conds, conditions.NewGatewayInvalid("GatewayClass is invalid")...)
+		conds = append(conds, conditions.NewGatewayInvalid("The GatewayClass is invalid")...)
 	}
 
 	// Set the unaccepted conditions here, because those make the gateway invalid. We set the unprogrammed conditions
 	// elsewhere, because those do not make the gateway invalid.
 	for _, address := range gw.Spec.Addresses {
 		if address.Type == nil {
-			conds = append(conds, conditions.NewGatewayUnsupportedAddress("AddressType must be specified"))
+			conds = append(conds, conditions.NewGatewayUnsupportedAddress("The AddressType must be specified"))
 		} else if *address.Type != v1.IPAddressType {
 			conds = append(conds, conditions.NewGatewayUnsupportedAddress("Only AddressType IPAddress is supported"))
 		}

@@ -192,7 +192,7 @@ func (c *listenerConfigurator) configure(listener v1.Listener, gwNSName types.Na
 		var err error
 		allowedRouteSelector, err = metav1.LabelSelectorAsSelector(selector)
 		if err != nil {
-			msg := fmt.Sprintf("invalid label selector: %s", err.Error())
+			msg := fmt.Sprintf("Invalid label selector: %s", err.Error())
 			conds = append(conds, conditions.NewListenerUnsupportedValue(msg)...)
 			valid = false
 		}