fix: trigger reconcile for Secret updates referenced by a BackendTLSP… (

#4581) fix: trigger reconcile for Secret updates referenced by a BackendTLSPolicy Signed-off-by: Arko Dasgupta <arko@tetrate.io>
envoyproxy · Oct 31, 2024 · db68027 · db68027
1 parent efe625d
commit db68027
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 1 deletion.
diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go
@@ -40,6 +40,7 @@ const (
 	backendSecurityPolicyIndex       = "backendSecurityPolicyIndex"
 	configMapCtpIndex                = "configMapCtpIndex"
 	secretCtpIndex                   = "secretCtpIndex"
+	secretBtlsIndex                  = "secretBtlsIndex"
 	configMapBtlsIndex               = "configMapBtlsIndex"
 	backendEnvoyExtensionPolicyIndex = "backendEnvoyExtensionPolicyIndex"
 	backendEnvoyProxyTelemetryIndex  = "backendEnvoyProxyTelemetryIndex"
@@ -702,14 +703,17 @@ func configMapRouteFilterIndexFunc(rawObj client.Object) []string {
 	return configMapReferences
 }
 
-// addBtlsIndexers adds indexing on BackendTLSPolicy, for ConfigMap objects that are
+// addBtlsIndexers adds indexing on BackendTLSPolicy, for ConfigMap and Secret objects that are
 // referenced in BackendTLSPolicy objects. This helps in querying for BackendTLSPolicies that are
 // affected by a particular ConfigMap CRUD.
 func addBtlsIndexers(ctx context.Context, mgr manager.Manager) error {
 	if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a3.BackendTLSPolicy{}, configMapBtlsIndex, configMapBtlsIndexFunc); err != nil {
 		return err
 	}
 
+	if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a3.BackendTLSPolicy{}, secretBtlsIndex, secretBtlsIndexFunc); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -731,6 +735,24 @@ func configMapBtlsIndexFunc(rawObj client.Object) []string {
 	return configMapReferences
 }
 
+func secretBtlsIndexFunc(rawObj client.Object) []string {
+	btls := rawObj.(*gwapiv1a3.BackendTLSPolicy)
+	var secretReferences []string
+	if btls.Spec.Validation.CACertificateRefs != nil {
+		for _, caCertRef := range btls.Spec.Validation.CACertificateRefs {
+			if string(caCertRef.Kind) == resource.KindSecret {
+				secretReferences = append(secretReferences,
+					types.NamespacedName{
+						Namespace: btls.Namespace,
+						Name:      string(caCertRef.Name),
+					}.String(),
+				)
+			}
+		}
+	}
+	return secretReferences
+}
+
 // addEnvoyExtensionPolicyIndexers adds indexing on EnvoyExtensionPolicy.
 //   - For Service objects that are referenced in EnvoyExtensionPolicy objects via
 //     `.spec.extProc.[*].service.backendObjectReference`. This helps in querying for

diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go
@@ -172,6 +172,28 @@ func (r *gatewayAPIReconciler) validateSecretForReconcile(obj client.Object) boo
 		}
 	}
 
+	if r.bTLSPolicyCRDExists {
+		if r.isBackendTLSPolicyReferencingSecret(&nsName) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (r *gatewayAPIReconciler) isBackendTLSPolicyReferencingSecret(nsName *types.NamespacedName) bool {
+	btlsList := &gwapiv1a3.BackendTLSPolicyList{}
+	if err := r.client.List(context.Background(), btlsList, &client.ListOptions{
+		FieldSelector: fields.OneTermEqualSelector(secretBtlsIndex, nsName.String()),
+	}); err != nil {
+		r.log.Error(err, "unable to find associated BackendTLSPolicy")
+		return false
+	}
+
+	if len(btlsList.Items) > 0 {
+		return true
+	}
+
 	return false
 }