resolve reviewer comments

Signed-off-by: Jintao Zhang <[email protected]>
Co-authored-by: Patryk Małek <[email protected]>

Author: tao12345666333

controller/gateway/controller.go

@@ -47,6 +47,7 @@ import (
 	operatorerrors "github.com/kong/kong-operator/internal/errors"
 	gwtypes "github.com/kong/kong-operator/internal/types"
 	"github.com/kong/kong-operator/internal/utils/gatewayclass"
+	idx "github.com/kong/kong-operator/internal/utils/index"
 	"github.com/kong/kong-operator/modules/manager/logging"
 	"github.com/kong/kong-operator/pkg/consts"
 	gatewayutils "github.com/kong/kong-operator/pkg/utils/gateway"
@@ -146,10 +147,11 @@ func (r *Reconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) err
 			mgr.GetCache(),
 			&corev1.Secret{},
 			handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, s *corev1.Secret) []reconcile.Request {
-				// List Gateways and select those that reference the Secret in any listener certificateRef.
+				// Use field index to list only Gateways that reference this Secret.
 				var gwList gwtypes.GatewayList
-				if err := r.List(ctx, &gwList); err != nil {
-					ctrllog.FromContext(ctx).Error(err, "failed to list gateways for Secret watch", "secret", client.ObjectKeyFromObject(s))
+				key := fmt.Sprintf("%s/%s", s.Namespace, s.Name)
+				if err := r.List(ctx, &gwList, client.MatchingFields{idx.TLSCertificateSecretsOnGatewayIndex: key}); err != nil {
+					ctrllog.FromContext(ctx).Error(err, "failed to list indexed gateways for Secret watch", "secret", client.ObjectKeyFromObject(s))
 					return nil
 				}
 				recs := make([]reconcile.Request, 0, len(gwList.Items))
@@ -159,9 +161,7 @@ func (r *Reconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) err
 					if !r.gatewayHasMatchingGatewayClass(&gw) {
 						continue
 					}
-					if secretReferencedByGateway(&gw, s.Namespace, s.Name) {
-						recs = append(recs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&gw)})
-					}
+					recs = append(recs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&gw)})
 				}
 				return recs
 			}),

controller/gateway/controller_secret_watch_test.go

@@ -3,6 +3,7 @@ package gateway
 import (
 	"testing"
 
+	"github.com/samber/lo"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
@@ -23,18 +24,15 @@ func gwWithListenerCertRef(name string, ref gatewayv1.SecretObjectReference) *gw
 					Port:     443,
 					Protocol: gwtypes.HTTPSProtocolType,
 					TLS: &gatewayv1.GatewayTLSConfig{
-						Mode:            gatewayTLSModePtr(gatewayv1.TLSModeTerminate),
+						Mode:            lo.ToPtr(gatewayv1.TLSModeTerminate),
 						CertificateRefs: []gatewayv1.SecretObjectReference{ref},
 					},
-				},
 			},
 		},
 	}
 	return gw
 }
 
-func gatewayTLSModePtr(m gatewayv1.TLSModeType) *gatewayv1.TLSModeType { return &m }
-
 func Test_secretReferencedByGateway_SameNamespace_DefaultGroupKind(t *testing.T) {
 	// No Group/Kind set => treated as core/v1 Secret
 	ref := gatewayv1.SecretObjectReference{

ingress-controller/internal/controllers/gateway/gateway_controller.go

@@ -147,7 +147,7 @@ func (r *GatewayReconciler) SetupWithManager(mgr ctrl.Manager) error {
 				}
 				recs := make([]reconcile.Request, 0, len(referrers))
 				for _, obj := range referrers {
-					nn := k8stypes.NamespacedName{Namespace: obj.GetNamespace(), Name: obj.GetName()}
+					nn := client.ObjectKeyFromObject(obj)
 					if !r.GatewayNN.MatchesNN(nn) { // respect --gateway-to-reconcile if set
 						continue
 					}

internal/utils/index/gateway_tls_secret.go

@@ -0,0 +1,59 @@
+package index
+
+import (
+	"github.com/samber/lo"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	gwtypes "github.com/kong/kong-operator/internal/types"
+)
+
+const (
+	// TLSCertificateSecretsOnGatewayIndex maps Secret "namespace/name" to Gateway objects that
+	// reference them in listeners.tls.certificateRefs.
+	TLSCertificateSecretsOnGatewayIndex = "TLSCertificateSecretsOnGateway"
+)
+
+// OptionsForGatewayTLSSecret returns index options for Gateways referencing Secrets via TLS certificateRefs.
+func OptionsForGatewayTLSSecret() []Option {
+	return []Option{
+		{
+			Object:         &gwtypes.Gateway{},
+			Field:          TLSCertificateSecretsOnGatewayIndex,
+			ExtractValueFn: tlsCertificateSecretsOnGateway,
+		},
+	}
+}
+
+// tlsCertificateSecretsOnGateway extracts Secret references (namespace/name) from a Gateway's listeners.tls.certificateRefs.
+func tlsCertificateSecretsOnGateway(o client.Object) []string {
+	gw, ok := o.(*gwtypes.Gateway)
+	if !ok {
+		return nil
+	}
+
+	var out []string
+	for _, l := range gw.Spec.Listeners {
+		if l.TLS == nil {
+			continue
+		}
+		for _, ref := range l.TLS.CertificateRefs {
+			// Only index core/v1 Secret references (or defaulted ones when group/kind are nil).
+			if ref.Group != nil && string(*ref.Group) != corev1.GroupName {
+				continue
+			}
+			if ref.Kind != nil && string(*ref.Kind) != "Secret" {
+				continue
+			}
+			ns := gw.Namespace
+			if ref.Namespace != nil {
+				ns = string(*ref.Namespace)
+			}
+			if ref.Name == "" {
+				continue
+			}
+			out = append(out, ns+"/"+string(ref.Name))
+		}
+	}
+	return lo.Uniq(out)
+}

modules/manager/controller_setup.go

@@ -98,6 +98,9 @@ func SetupCacheIndexes(ctx context.Context, mgr manager.Manager, cfg Config) err
 
 	if cfg.GatewayControllerEnabled {
 		indexOptions = append(indexOptions, index.OptionsForGatewayClass()...)
+		// Index Gateways by referenced TLS Secrets so the Gateway controller can
+		// efficiently list Gateways for a Secret event.
+		indexOptions = append(indexOptions, index.OptionsForGatewayTLSSecret()...)
 	}
 
 	if cfg.KonnectControllersEnabled {

test/envtest/gateway_secret_watch_envtest_test.go

@@ -4,6 +4,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/samber/lo"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -15,6 +16,8 @@ import (
 	certhelper "github.com/kong/kong-operator/ingress-controller/test/helpers/certificate"
 	"github.com/kong/kong-operator/modules/manager/logging"
 	managerscheme "github.com/kong/kong-operator/modules/manager/scheme"
+	gwcdecor "github.com/kong/kong-operator/internal/utils/gatewayclass"
+	k8sutils "github.com/kong/kong-operator/pkg/utils/kubernetes"
 	"github.com/kong/kong-operator/pkg/vars"
 )
 
@@ -62,18 +65,9 @@ func TestGatewaySecretWatch_UpdatesResolvedRefsOnSecretRotation(t *testing.T) {
 			ObservedGeneration: cur.Generation,
 			LastTransitionTime: metav1.Now(),
 		}
-		// Replace existing condition if present; otherwise append.
-		updated := false
-		for i := range cur.Status.Conditions {
-			if cur.Status.Conditions[i].Type == cond.Type {
-				cur.Status.Conditions[i] = cond
-				updated = true
-				break
-			}
-		}
-		if !updated {
-			cur.Status.Conditions = append(cur.Status.Conditions, cond)
-		}
+		// Use shared helper to set/merge the condition.
+		gwcd := gwcdecor.DecorateGatewayClass(&cur)
+		k8sutils.SetCondition(cond, gwcd)
 		if err := c.Status().Update(ctx, &cur); err != nil {
 			return false
 		}
@@ -103,35 +97,18 @@ func TestGatewaySecretWatch_UpdatesResolvedRefsOnSecretRotation(t *testing.T) {
 					Port:     443,
 					Protocol: gatewayv1.HTTPSProtocolType,
 					TLS: &gatewayv1.GatewayTLSConfig{
-						Mode: gatewayTLSModePtr(gatewayv1.TLSModeTerminate),
+						Mode: lo.ToPtr(gatewayv1.TLSModeTerminate),
 						CertificateRefs: []gatewayv1.SecretObjectReference{{
 							Name: gatewayv1.ObjectName(secretName),
 						}},
 					},
-				},
 			},
 		},
 	}
 	require.NoError(t, c.Create(ctx, gw))
 
 	// Initially, the invalid Secret should result in ResolvedRefs=False (InvalidCertificateRef).
-	require.Eventually(t, func() bool {
-		var cur gatewayv1.Gateway
-		if err := c.Get(ctx, types.NamespacedName{Namespace: ns.Name, Name: gw.Name}, &cur); err != nil {
-			return false
-		}
-		if len(cur.Status.Listeners) == 0 {
-			return false
-		}
-		for _, ls := range cur.Status.Listeners {
-			for _, cond := range ls.Conditions {
-				if cond.Type == string(gatewayv1.ListenerConditionResolvedRefs) && cond.Status == metav1.ConditionFalse {
-					return true
-				}
-			}
-		}
-		return false
-	}, 30*time.Second, 300*time.Millisecond)
+	waitForGatewayResolvedRefsStatus(t, ctx, c, ns.Name, gw.Name, metav1.ConditionFalse, 30*time.Second, 300*time.Millisecond)
 
 	// Now rotate the Secret with a valid TLS certificate and key.
 	certPEM, keyPEM := certhelper.MustGenerateCertPEMFormat()
@@ -145,23 +122,35 @@ func TestGatewaySecretWatch_UpdatesResolvedRefsOnSecretRotation(t *testing.T) {
 	}, client.MergeFrom(bad)))
 
 	// After rotation, the Secret watch should enqueue the Gateway and ResolvedRefs should become True.
+	waitForGatewayResolvedRefsStatus(t, ctx, c, ns.Name, gw.Name, metav1.ConditionTrue, 60*time.Second, 500*time.Millisecond)
+}
+
+// waitForGatewayResolvedRefsStatus waits until the Gateway's listener ResolvedRefs condition
+// matches the expected status, or fails after the provided timeout.
+func waitForGatewayResolvedRefsStatus(
+	t *testing.T,
+	ctx context.Context,
+	c client.Client,
+	namespace, name string,
+	status metav1.ConditionStatus,
+	timeout, interval time.Duration,
+) {
+	t.Helper()
 	require.Eventually(t, func() bool {
 		var cur gatewayv1.Gateway
-		if err := c.Get(ctx, types.NamespacedName{Namespace: ns.Name, Name: gw.Name}, &cur); err != nil {
+		if err := c.Get(ctx, types.NamespacedName{Namespace: namespace, Name: name}, &cur); err != nil {
 			return false
 		}
 		if len(cur.Status.Listeners) == 0 {
 			return false
 		}
 		for _, ls := range cur.Status.Listeners {
 			for _, cond := range ls.Conditions {
-				if cond.Type == string(gatewayv1.ListenerConditionResolvedRefs) && cond.Status == metav1.ConditionTrue {
+				if cond.Type == string(gatewayv1.ListenerConditionResolvedRefs) && cond.Status == status {
 					return true
 				}
 			}
 		}
 		return false
-	}, 60*time.Second, 500*time.Millisecond)
+	}, timeout, interval)
 }
-
-func gatewayTLSModePtr(m gatewayv1.TLSModeType) *gatewayv1.TLSModeType { return &m }