Add secret reconciling support.

Author: zongzw

deploy/0.prepare-certificates.yaml

@@ -9,6 +9,7 @@ spec:
   selfSigned: {}
 
 ---
+
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -25,7 +26,9 @@ spec:
     name: selfsigned-issuer
     kind: ClusterIssuer
     group: cert-manager.io
+
 ---
+
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -36,6 +39,7 @@ spec:
     secretName: root-secret
 
 ---
+
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

internal/controllers/httproute_controller.go

@@ -78,7 +78,7 @@ func (r *HttpRouteReconciler) GetResObject() client.Object {
 
 func handleDeletingHTTPRoute(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	hr := pkg.ActiveSIGs.GetHTTPRoute(req.NamespacedName.String())
-	gws := pkg.ActiveSIGs.GatewayRefsOf(hr)
+	gws := pkg.ActiveSIGs.GatewayRefsOfHR(hr)
 	drs := map[string]*deployer.DeployRequest{}
 	for _, gw := range gws {
 		if _, f := drs[string(gw.Spec.GatewayClassName)]; !f {
@@ -150,7 +150,7 @@ func handleUpsertingHTTPRoute(ctx context.Context, obj *gatewayv1beta1.HTTPRoute
 	slog.Debugf("upserting " + reqnsn)
 
 	hr := pkg.ActiveSIGs.GetHTTPRoute(reqnsn)
-	gws := pkg.ActiveSIGs.GatewayRefsOf(hr)
+	gws := pkg.ActiveSIGs.GatewayRefsOfHR(hr)
 	drs := map[string]*deployer.DeployRequest{}
 
 	for _, gw := range gws {
@@ -182,7 +182,7 @@ func handleUpsertingHTTPRoute(ctx context.Context, obj *gatewayv1beta1.HTTPRoute
 
 	// We still need to consider gateways that were previously associated but are no longer associated,
 	// Or the previously associated gateways may be recognized as resource deletions.
-	gws = pkg.UnifiedGateways(append(gws, pkg.ActiveSIGs.GatewayRefsOf(obj.DeepCopy())...))
+	gws = pkg.UnifiedGateways(append(gws, pkg.ActiveSIGs.GatewayRefsOfHR(obj.DeepCopy())...))
 
 	for _, gw := range gws {
 		if _, f := drs[string(gw.Spec.GatewayClassName)]; !f {

internal/controllers/referencegrant_controller.go

@@ -60,9 +60,9 @@ func (r *ReferenceGrantReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 				pkg.ActiveSIGs.UnsetReferenceGrant(keyname)
 				return fmt.Sprintf("deleting referencegrant %s", keyname)
 			}); err != nil {
-				return ctrl.Result{}, nil
-			} else {
 				return ctrl.Result{}, err
+			} else {
+				return ctrl.Result{}, nil
 			}
 		} else {
 			return ctrl.Result{}, err

internal/controllers/secret_controller.go

@@ -18,11 +18,12 @@ package controllers
 
 import (
 	"context"
+	"fmt"
 	"time"
 
 	"github.com/f5devcentral/bigip-kubernetes-gateway/internal/pkg"
-	"github.com/google/uuid"
 	"github.com/f5devcentral/f5-bigip-rest-go/utils"
+	"github.com/google/uuid"
 	v1 "k8s.io/api/core/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -48,17 +49,43 @@ func (r *SecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 	slog := utils.LogFromContext(lctx)
 
 	var obj v1.Secret
-	slog.Infof("serect event: %s", req.NamespacedName)
+	slog.Infof("secret event: %s", req.NamespacedName)
 
 	if err := r.Client.Get(ctx, req.NamespacedName, &obj); err != nil {
-		if client.IgnoreNotFound(err) != nil {
+		if client.IgnoreNotFound(err) == nil {
+			// delete
+			scrt := pkg.ActiveSIGs.GetSecret(req.NamespacedName.String())
+			gws := pkg.ActiveSIGs.GatewayRefsOfSecret(scrt)
+			names := []string{}
+			for _, gw := range gws {
+				names = append(names, utils.Keyname(gw.Namespace, gw.Name))
+			}
+			slog.Warnf("there are still gateways referring to secret '%s': %s "+
+				"-- they are not impacted, however, next deployments would fail "+
+				"because of missing the secret", req.NamespacedName, names)
+			pkg.ActiveSIGs.UnsetSerect(req.NamespacedName.String())
+
+			return ctrl.Result{}, nil
+		} else {
 			return ctrl.Result{}, err
 		}
-		// Can not find Sercet, remove it from the local cache
-		pkg.ActiveSIGs.UnsetSerect(req.NamespacedName.String())
+	} else {
+		// upsert
+		apply := func() string {
+			pkg.ActiveSIGs.SetSecret(obj.DeepCopy())
+			return fmt.Sprintf("upserting secret %s", req.NamespacedName.String())
+		}
+
+		scrt := obj.DeepCopy()
+		gws := pkg.ActiveSIGs.GatewayRefsOfSecret(scrt)
+		cls := []string{}
+		for _, gw := range gws {
+			cls = append(cls, string(gw.Spec.GatewayClassName))
+		}
+		if err := pkg.DeployForEvent(lctx, cls, apply); err != nil {
+			return ctrl.Result{}, err
+		}
+
 		return ctrl.Result{}, nil
 	}
-	// Find Secret, add it to the local cache.
-	pkg.ActiveSIGs.SetSecret(obj.DeepCopy())
-	return ctrl.Result{}, nil
 }

internal/controllers/v1_controller.go

@@ -23,9 +23,9 @@ import (
 
 	"github.com/f5devcentral/bigip-kubernetes-gateway/internal/k8s"
 	"github.com/f5devcentral/bigip-kubernetes-gateway/internal/pkg"
-	"github.com/google/uuid"
 	"github.com/f5devcentral/f5-bigip-rest-go/deployer"
 	"github.com/f5devcentral/f5-bigip-rest-go/utils"
+	"github.com/google/uuid"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -99,8 +99,9 @@ func (r *EndpointsReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 			return ctrl.Result{}, err
 		}
 	} else {
-		defer pkg.ActiveSIGs.SetEndpoints(&obj)
-		return handleUpsertingEndpoints(lctx, &obj)
+		eps := obj.DeepCopy()
+		defer pkg.ActiveSIGs.SetEndpoints(eps)
+		return handleUpsertingEndpoints(lctx, eps)
 	}
 }
 
@@ -121,8 +122,9 @@ func (r *ServiceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 			return ctrl.Result{}, err
 		}
 	} else {
-		defer pkg.ActiveSIGs.SetService(&obj)
-		return handleUpsertingService(lctx, &obj)
+		svc := obj.DeepCopy()
+		defer pkg.ActiveSIGs.SetService(svc)
+		return handleUpsertingService(lctx, svc)
 	}
 }
 

internal/pkg/cache.go

@@ -253,16 +253,18 @@ func (c *SIGCache) _attachedGateways(gwc *gatewayv1beta1.GatewayClass) []*gatewa
 	return gws
 }
 
-func (c *SIGCache) GatewayRefsOf(hr *gatewayv1beta1.HTTPRoute) []*gatewayv1beta1.Gateway {
+func (c *SIGCache) GatewayRefsOfHR(hr *gatewayv1beta1.HTTPRoute) []*gatewayv1beta1.Gateway {
 	defer utils.TimeItToPrometheus()()
 
 	c.mutex.RLock()
 	defer c.mutex.RUnlock()
 
-	return c._gatewayRefsOf(hr)
+	return c._gatewayRefsOfHR(hr)
 }
 
-func (c *SIGCache) _gatewayRefsOf(hr *gatewayv1beta1.HTTPRoute) []*gatewayv1beta1.Gateway {
+func (c *SIGCache) _gatewayRefsOfHR(hr *gatewayv1beta1.HTTPRoute) []*gatewayv1beta1.Gateway {
+	defer utils.TimeItToPrometheus()()
+
 	if hr == nil {
 		return []*gatewayv1beta1.Gateway{}
 	}
@@ -290,6 +292,87 @@ func (c *SIGCache) _gatewayRefsOf(hr *gatewayv1beta1.HTTPRoute) []*gatewayv1beta
 	return gws
 }
 
+func (c *SIGCache) GatewayRefsOfSecret(scrt *v1.Secret) []*gatewayv1beta1.Gateway {
+	defer utils.TimeItToPrometheus()()
+
+	c.mutex.RLock()
+	defer c.mutex.RUnlock()
+
+	if scrt == nil {
+		return []*gatewayv1beta1.Gateway{}
+	}
+	gws := []*gatewayv1beta1.Gateway{}
+
+	for _, gw := range c.Gateway {
+		for _, listener := range gw.Spec.Listeners {
+			found := false
+			if listener.Protocol == gatewayv1beta1.HTTPSProtocolType && listener.TLS != nil &&
+				(listener.TLS.Mode == nil || *listener.TLS.Mode == gatewayv1beta1.TLSModeTerminate) {
+				for _, ref := range listener.TLS.CertificateRefs {
+					ns := gw.Namespace
+					if ref.Namespace != nil {
+						ns = string(*ref.Namespace)
+					}
+					if !c._canRefer(gw, scrt) {
+						continue
+					}
+					if err := validateSecretType(ref.Group, ref.Kind); err == nil {
+						if ns == scrt.Namespace && ref.Name == gatewayv1beta1.ObjectName(scrt.Name) {
+							gws = append(gws, gw)
+							found = true
+							break
+						}
+					}
+				}
+			}
+			if found {
+				break
+			}
+		}
+	}
+
+	return gws
+}
+
+func (c *SIGCache) AttachedSecrets(gw *gatewayv1beta1.Gateway) (map[string][]*v1.Secret, error) {
+	defer utils.TimeItToPrometheus()()
+
+	c.mutex.RLock()
+	defer c.mutex.RUnlock()
+
+	rlt := map[string][]*v1.Secret{}
+	if gw == nil {
+		return rlt, nil
+	}
+
+	for _, listener := range gw.Spec.Listeners {
+		lsname := gwListenerName(gw, &listener)
+		if _, ok := rlt[lsname]; !ok {
+			rlt[lsname] = []*v1.Secret{}
+		}
+		if listener.Protocol == gatewayv1beta1.HTTPSProtocolType && listener.TLS != nil &&
+			(listener.TLS.Mode == nil || *listener.TLS.Mode == gatewayv1beta1.TLSModeTerminate) {
+			for _, ref := range listener.TLS.CertificateRefs {
+				ns := gw.Namespace
+				if ref.Namespace != nil {
+					ns = string(*ref.Namespace)
+				}
+				n := utils.Keyname(ns, string(ref.Name))
+				scrt := c.Secret[n]
+				if scrt != nil && c._canRefer(gw, scrt) {
+					if err := validateSecretType(ref.Group, ref.Kind); err != nil {
+						return rlt, err
+					}
+					rlt[lsname] = append(rlt[lsname], scrt)
+				} else {
+					return rlt, fmt.Errorf("secret %s not exist or cannnot refer to", n)
+				}
+			}
+		}
+	}
+	return rlt, nil
+}
+
 func (c *SIGCache) AttachedHTTPRoutes(gw *gatewayv1beta1.Gateway) []*gatewayv1beta1.HTTPRoute {
 	defer utils.TimeItToPrometheus()()
 
@@ -481,7 +564,7 @@ func (c *SIGCache) GetNeighborGateways(gw *gatewayv1beta1.Gateway) []*gatewayv1b
 	gwmap := map[string]*gatewayv1beta1.Gateway{}
 	hrs := c._attachedHTTPRoutes(gw)
 	for _, hr := range hrs {
-		gws := c._gatewayRefsOf(hr)
+		gws := c._gatewayRefsOfHR(hr)
 		for _, ng := range gws {
 			kn := utils.Keyname(ng.Namespace, ng.Name)
 			if _, f := gwmap[kn]; !f {
@@ -510,7 +593,7 @@ func (c *SIGCache) GetRootGateways(svcs []*v1.Service) []*gatewayv1beta1.Gateway
 	for _, svc := range svcs {
 		hrs := c._HTTPRoutesRefsOf(svc)
 		for _, hr := range hrs {
-			gws := c._gatewayRefsOf(hr)
+			gws := c._gatewayRefsOfHR(hr)
 			for _, gw := range gws {
 				gwmap[utils.Keyname(gw.Namespace, gw.Name)] = gw
 			}
@@ -532,7 +615,7 @@ func (c *SIGCache) RGImpactedGatewayClasses(rg *gatewayv1beta1.ReferenceGrant) [
 	hrs := c._rgImpactedHTTPRoutes(rg)
 	gws := c._rgImpactedGateways(rg)
 	for _, hr := range hrs {
-		gws = append(gws, c._gatewayRefsOf(hr)...)
+		gws = append(gws, c._gatewayRefsOfHR(hr)...)
 	}
 	gws = UnifiedGateways(gws)
 	return ClassNamesOfGateways(gws)