make Gateway controllers watch changes on Secrets referenced by spec.listeners.tls.certificateRef

Signed-off-by: Jintao Zhang <[email protected]>

Author: tao12345666333

controller/gateway/controller.go

@@ -21,7 +21,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
+	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
@@ -137,9 +139,65 @@ func (r *Reconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) err
 			),
 		)
 	}
+
+	// Watch Secrets to requeue Gateways that reference them via listeners.tls.certificateRefs.
+	builder.WatchesRawSource(
+		source.Kind(
+			mgr.GetCache(),
+			&corev1.Secret{},
+			handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, s *corev1.Secret) []reconcile.Request {
+				// List Gateways and select those that reference the Secret in any listener certificateRef.
+				var gwList gwtypes.GatewayList
+				if err := r.List(ctx, &gwList); err != nil {
+					ctrllog.FromContext(ctx).Error(err, "failed to list gateways for Secret watch", "secret", client.ObjectKeyFromObject(s))
+					return nil
+				}
+				recs := make([]reconcile.Request, 0, len(gwList.Items))
+				for i := range gwList.Items {
+					gw := gwList.Items[i]
+					// Optional pre-filter: only enqueue Gateways managed by this controller.
+					if !r.gatewayHasMatchingGatewayClass(&gw) {
+						continue
+					}
+					if secretReferencedByGateway(&gw, s.Namespace, s.Name) {
+						recs = append(recs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&gw)})
+					}
+				}
+				return recs
+			}),
+		),
+	)
+
 	return builder.Complete(r)
 }
 
+// secretReferencedByGateway returns true if any listener in the Gateway references the Secret
+// identified by secretNS/secretName in its TLS certificateRefs.
+func secretReferencedByGateway(gw *gwtypes.Gateway, secretNS, secretName string) bool {
+	for _, l := range gw.Spec.Listeners {
+		if l.TLS == nil {
+			continue
+		}
+		for _, ref := range l.TLS.CertificateRefs {
+			// Only accept core Secret references when Group/Kind is specified.
+			if ref.Group != nil && string(*ref.Group) != corev1.GroupName {
+				continue
+			}
+			if ref.Kind != nil && string(*ref.Kind) != "Secret" {
+				continue
+			}
+			ns := gw.Namespace
+			if ref.Namespace != nil {
+				ns = string(*ref.Namespace)
+			}
+			if ns == secretNS && string(ref.Name) == secretName {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // Reconcile moves the current state of an object to the intended state.
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	logger := log.GetLogger(ctx, "gateway", r.LoggingMode)

controller/gateway/controller_secret_watch_test.go

@@ -0,0 +1,95 @@
+package gateway
+
+import (
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+
+	gwtypes "github.com/kong/kong-operator/internal/types"
+)
+
+func gwWithListenerCertRef(name string, ref gatewayv1.SecretObjectReference) *gwtypes.Gateway {
+	gw := &gwtypes.Gateway{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "ns1",
+			Name:      name,
+		},
+		Spec: gwtypes.GatewaySpec{
+			Listeners: []gwtypes.Listener{
+				{
+					Name:     "https",
+					Port:     443,
+					Protocol: gwtypes.HTTPSProtocolType,
+					TLS: &gatewayv1.GatewayTLSConfig{
+						Mode:            gatewayTLSModePtr(gatewayv1.TLSModeTerminate),
+						CertificateRefs: []gatewayv1.SecretObjectReference{ref},
+					},
+				},
+			},
+		},
+	}
+	return gw
+}
+
+func gatewayTLSModePtr(m gatewayv1.TLSModeType) *gatewayv1.TLSModeType { return &m }
+
+func Test_secretReferencedByGateway_SameNamespace_DefaultGroupKind(t *testing.T) {
+	// No Group/Kind set => treated as core/v1 Secret
+	ref := gatewayv1.SecretObjectReference{
+		Name: "cert",
+		// Namespace nil -> same namespace as Gateway
+	}
+	gw := gwWithListenerCertRef("gw1", ref)
+
+	if !secretReferencedByGateway(gw, "ns1", "cert") {
+		t.Fatalf("expected match for same-namespace Secret reference with default group/kind")
+	}
+}
+
+func Test_secretReferencedByGateway_CrossNamespace_ExplicitCoreSecret(t *testing.T) {
+	// Explicit Group/Kind of core/Secret and explicit namespace
+	ns := gatewayv1.Namespace("other")
+	kind := gatewayv1.Kind("Secret")
+	group := gatewayv1.Group(corev1.GroupName)
+	ref := gatewayv1.SecretObjectReference{
+		Group:     &group,
+		Kind:      &kind,
+		Name:      "cert2",
+		Namespace: &ns,
+	}
+	gw := gwWithListenerCertRef("gw1", ref)
+
+	if !secretReferencedByGateway(gw, "other", "cert2") {
+		t.Fatalf("expected match for cross-namespace explicit core/Secret reference")
+	}
+}
+
+func Test_secretReferencedByGateway_IgnoresNonSecretOrNonCore(t *testing.T) {
+	// Non-core group => should be ignored
+	ns := gatewayv1.Namespace("ns1")
+	badGroup := gatewayv1.Group("example.com")
+	kindSecret := gatewayv1.Kind("Secret")
+	refNonCore := gatewayv1.SecretObjectReference{Group: &badGroup, Kind: &kindSecret, Name: "cert", Namespace: &ns}
+	gw := gwWithListenerCertRef("gw1", refNonCore)
+	if secretReferencedByGateway(gw, "ns1", "cert") {
+		t.Fatalf("did not expect match for non-core group")
+	}
+
+	// Non-Secret kind => should be ignored
+	groupCore := gatewayv1.Group(corev1.GroupName)
+	badKind := gatewayv1.Kind("ConfigMap")
+	refNonSecret := gatewayv1.SecretObjectReference{Group: &groupCore, Kind: &badKind, Name: "cert"}
+	gw2 := gwWithListenerCertRef("gw2", refNonSecret)
+	if secretReferencedByGateway(gw2, "ns1", "cert") {
+		t.Fatalf("did not expect match for non-Secret kind")
+	}
+}
+
+func Test_secretReferencedByGateway_NoTLSOrNoRefs(t *testing.T) {
+	gw := &gwtypes.Gateway{Spec: gwtypes.GatewaySpec{}}
+	if secretReferencedByGateway(gw, "ns", "name") {
+		t.Fatalf("did not expect match when no listeners/tls refs present")
+	}
+}

ingress-controller/internal/controllers/gateway/gateway_controller.go

@@ -27,6 +27,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 	gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 
 	"github.com/kong/kong-operator/ingress-controller/internal/annotations"
@@ -133,6 +134,30 @@ func (r *GatewayReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		)
 	}
 
+	// Watch Secrets to immediately reconcile Gateways when referenced certificate Secrets change.
+	blder.WatchesRawSource(
+		source.Kind(
+			mgr.GetCache(),
+			&corev1.Secret{},
+			handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, s *corev1.Secret) []reconcile.Request {
+				referrers, err := r.ReferenceIndexers.ListReferrerObjectsByReferent(s)
+				if err != nil {
+					r.Log.Error(err, "Failed to list referrers for Secret", "secret", client.ObjectKeyFromObject(s))
+					return nil
+				}
+				recs := make([]reconcile.Request, 0, len(referrers))
+				for _, obj := range referrers {
+					nn := k8stypes.NamespacedName{Namespace: obj.GetNamespace(), Name: obj.GetName()}
+					if !r.GatewayNN.MatchesNN(nn) { // respect --gateway-to-reconcile if set
+						continue
+					}
+					recs = append(recs, reconcile.Request{NamespacedName: nn})
+				}
+				return recs
+			}),
+		),
+	)
+
 	if err := blder.Complete(r); err != nil {
 		return err
 	}

test/envtest/gateway_secret_watch_envtest_test.go

@@ -0,0 +1,167 @@
+package envtest
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+
+	kogateway "github.com/kong/kong-operator/controller/gateway"
+	certhelper "github.com/kong/kong-operator/ingress-controller/test/helpers/certificate"
+	"github.com/kong/kong-operator/modules/manager/logging"
+	managerscheme "github.com/kong/kong-operator/modules/manager/scheme"
+	"github.com/kong/kong-operator/pkg/vars"
+)
+
+func TestGatewaySecretWatch_UpdatesResolvedRefsOnSecretRotation(t *testing.T) {
+	t.Parallel()
+
+	// Prepare scheme, envtest, manager and KO Gateway reconciler.
+	scheme := managerscheme.Get()
+	ctx := t.Context()
+
+	cfg, ns := Setup(t, ctx, scheme)
+	mgr, logs := NewManager(t, ctx, cfg, scheme)
+
+	r := &kogateway.Reconciler{
+		Client:                mgr.GetClient(),
+		CacheSyncTimeout:      30 * time.Second,
+		Scheme:                scheme,
+		Namespace:             ns.Name,
+		DefaultDataPlaneImage: "kong:latest",
+		LoggingMode:           logging.DevelopmentMode,
+	}
+	StartReconcilers(ctx, t, mgr, logs, r)
+
+	c := mgr.GetClient()
+
+	// Create a GatewayClass accepted by the controller.
+	gc := &gatewayv1.GatewayClass{
+		ObjectMeta: metav1.ObjectMeta{Name: "gc-ko"},
+		Spec: gatewayv1.GatewayClassSpec{
+			ControllerName: gatewayv1.GatewayController(vars.ControllerName()),
+		},
+	}
+	require.NoError(t, c.Create(ctx, gc))
+
+	// Patch status Accepted=True for GatewayClass so KO Gateway controller processes Gateways.
+	require.Eventually(t, func() bool {
+		var cur gatewayv1.GatewayClass
+		if err := c.Get(ctx, types.NamespacedName{Name: gc.Name}, &cur); err != nil {
+			return false
+		}
+		cond := metav1.Condition{
+			Type:               string(gatewayv1.GatewayClassConditionStatusAccepted),
+			Status:             metav1.ConditionTrue,
+			Reason:             string(gatewayv1.GatewayClassReasonAccepted),
+			ObservedGeneration: cur.Generation,
+			LastTransitionTime: metav1.Now(),
+		}
+		// Replace existing condition if present; otherwise append.
+		updated := false
+		for i := range cur.Status.Conditions {
+			if cur.Status.Conditions[i].Type == cond.Type {
+				cur.Status.Conditions[i] = cond
+				updated = true
+				break
+			}
+		}
+		if !updated {
+			cur.Status.Conditions = append(cur.Status.Conditions, cond)
+		}
+		if err := c.Status().Update(ctx, &cur); err != nil {
+			return false
+		}
+		return true
+	}, 10*time.Second, 200*time.Millisecond)
+
+	// Create an initial INVALID TLS Secret referenced by the Gateway listener.
+	secretName := "test-cert"
+	bad := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Namespace: ns.Name, Name: secretName},
+		Type:       corev1.SecretTypeTLS,
+		Data: map[string][]byte{
+			corev1.TLSCertKey:       []byte("not-a-cert"),
+			corev1.TLSPrivateKeyKey: []byte("not-a-key"),
+		},
+	}
+	require.NoError(t, c.Create(ctx, bad))
+
+	// Create a Gateway with a TLS listener referencing the Secret.
+	gw := &gatewayv1.Gateway{
+		ObjectMeta: metav1.ObjectMeta{Namespace: ns.Name, Name: "gw"},
+		Spec: gatewayv1.GatewaySpec{
+			GatewayClassName: gatewayv1.ObjectName(gc.Name),
+			Listeners: []gatewayv1.Listener{
+				{
+					Name:     "https",
+					Port:     443,
+					Protocol: gatewayv1.HTTPSProtocolType,
+					TLS: &gatewayv1.GatewayTLSConfig{
+						Mode: gatewayTLSModePtr(gatewayv1.TLSModeTerminate),
+						CertificateRefs: []gatewayv1.SecretObjectReference{{
+							Name: gatewayv1.ObjectName(secretName),
+						}},
+					},
+				},
+			},
+		},
+	}
+	require.NoError(t, c.Create(ctx, gw))
+
+	// Initially, the invalid Secret should result in ResolvedRefs=False (InvalidCertificateRef).
+	require.Eventually(t, func() bool {
+		var cur gatewayv1.Gateway
+		if err := c.Get(ctx, types.NamespacedName{Namespace: ns.Name, Name: gw.Name}, &cur); err != nil {
+			return false
+		}
+		if len(cur.Status.Listeners) == 0 {
+			return false
+		}
+		for _, ls := range cur.Status.Listeners {
+			for _, cond := range ls.Conditions {
+				if cond.Type == string(gatewayv1.ListenerConditionResolvedRefs) && cond.Status == metav1.ConditionFalse {
+					return true
+				}
+			}
+		}
+		return false
+	}, 30*time.Second, 300*time.Millisecond)
+
+	// Now rotate the Secret with a valid TLS certificate and key.
+	certPEM, keyPEM := certhelper.MustGenerateCertPEMFormat()
+	require.NoError(t, c.Patch(ctx, &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Namespace: ns.Name, Name: secretName},
+		Type:       corev1.SecretTypeTLS,
+		Data: map[string][]byte{
+			corev1.TLSCertKey:       certPEM,
+			corev1.TLSPrivateKeyKey: keyPEM,
+		},
+	}, client.MergeFrom(bad)))
+
+	// After rotation, the Secret watch should enqueue the Gateway and ResolvedRefs should become True.
+	require.Eventually(t, func() bool {
+		var cur gatewayv1.Gateway
+		if err := c.Get(ctx, types.NamespacedName{Namespace: ns.Name, Name: gw.Name}, &cur); err != nil {
+			return false
+		}
+		if len(cur.Status.Listeners) == 0 {
+			return false
+		}
+		for _, ls := range cur.Status.Listeners {
+			for _, cond := range ls.Conditions {
+				if cond.Type == string(gatewayv1.ListenerConditionResolvedRefs) && cond.Status == metav1.ConditionTrue {
+					return true
+				}
+			}
+		}
+		return false
+	}, 60*time.Second, 500*time.Millisecond)
+}
+
+func gatewayTLSModePtr(m gatewayv1.TLSModeType) *gatewayv1.TLSModeType { return &m }