make Gateway controllers watch changes on Secrets referenced by spec.listeners.tls.certificateRef

Signed-off-by: Jintao Zhang <[email protected]>

Author: tao12345666333

controller/gateway/controller.go

@@ -21,7 +21,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
+	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
@@ -137,9 +139,65 @@ func (r *Reconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) err
 			),
 		)
 	}
+
+	// Watch Secrets to requeue Gateways that reference them via listeners.tls.certificateRefs.
+	builder.WatchesRawSource(
+		source.Kind(
+			mgr.GetCache(),
+			&corev1.Secret{},
+			handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, s *corev1.Secret) []reconcile.Request {
+				// List Gateways and select those that reference the Secret in any listener certificateRef.
+				var gwList gwtypes.GatewayList
+				if err := r.List(ctx, &gwList); err != nil {
+					ctrllog.FromContext(ctx).Error(err, "failed to list gateways for Secret watch", "secret", client.ObjectKeyFromObject(s))
+					return nil
+				}
+				recs := make([]reconcile.Request, 0, len(gwList.Items))
+				for i := range gwList.Items {
+					gw := gwList.Items[i]
+					// Optional pre-filter: only enqueue Gateways managed by this controller.
+					if !r.gatewayHasMatchingGatewayClass(&gw) {
+						continue
+					}
+					if secretReferencedByGateway(&gw, s.Namespace, s.Name) {
+						recs = append(recs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&gw)})
+					}
+				}
+				return recs
+			}),
+		),
+	)
+
 	return builder.Complete(r)
 }
 
+// secretReferencedByGateway returns true if any listener in the Gateway references the Secret
+// identified by secretNS/secretName in its TLS certificateRefs.
+func secretReferencedByGateway(gw *gwtypes.Gateway, secretNS, secretName string) bool {
+	for _, l := range gw.Spec.Listeners {
+		if l.TLS == nil {
+			continue
+		}
+		for _, ref := range l.TLS.CertificateRefs {
+			// Only accept core Secret references when Group/Kind is specified.
+			if ref.Group != nil && string(*ref.Group) != corev1.GroupName {
+				continue
+			}
+			if ref.Kind != nil && string(*ref.Kind) != "Secret" {
+				continue
+			}
+			ns := gw.Namespace
+			if ref.Namespace != nil {
+				ns = string(*ref.Namespace)
+			}
+			if ns == secretNS && string(ref.Name) == secretName {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // Reconcile moves the current state of an object to the intended state.
 func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	logger := log.GetLogger(ctx, "gateway", r.LoggingMode)

controller/gateway/controller_secret_watch_test.go

@@ -0,0 +1,95 @@
+package gateway
+
+import (
+    "testing"
+
+    corev1 "k8s.io/api/core/v1"
+    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+    gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+
+    gwtypes "github.com/kong/kong-operator/internal/types"
+)
+
+func gwWithListenerCertRef(ns, name string, ref gatewayv1.SecretObjectReference) *gwtypes.Gateway {
+    gw := &gwtypes.Gateway{
+        ObjectMeta: metav1.ObjectMeta{
+            Namespace: ns,
+            Name:      name,
+        },
+        Spec: gwtypes.GatewaySpec{
+            Listeners: []gwtypes.Listener{
+                {
+                    Name:     "https",
+                    Port:     443,
+                    Protocol: gwtypes.HTTPSProtocolType,
+                    TLS: &gatewayv1.GatewayTLSConfig{
+                        Mode: gatewayTLSModePtr(gatewayv1.TLSModeTerminate),
+                        CertificateRefs: []gatewayv1.SecretObjectReference{ref},
+                    },
+                },
+            },
+        },
+    }
+    return gw
+}
+
+func gatewayTLSModePtr(m gatewayv1.TLSModeType) *gatewayv1.TLSModeType { return &m }
+
+func Test_secretReferencedByGateway_SameNamespace_DefaultGroupKind(t *testing.T) {
+    // No Group/Kind set => treated as core/v1 Secret
+    ref := gatewayv1.SecretObjectReference{
+        Name: "cert",
+        // Namespace nil -> same namespace as Gateway
+    }
+    gw := gwWithListenerCertRef("ns1", "gw1", ref)
+
+    if !secretReferencedByGateway(gw, "ns1", "cert") {
+        t.Fatalf("expected match for same-namespace Secret reference with default group/kind")
+    }
+}
+
+func Test_secretReferencedByGateway_CrossNamespace_ExplicitCoreSecret(t *testing.T) {
+    // Explicit Group/Kind of core/Secret and explicit namespace
+    ns := gatewayv1.Namespace("other")
+    kind := gatewayv1.Kind("Secret")
+    group := gatewayv1.Group(corev1.GroupName)
+    ref := gatewayv1.SecretObjectReference{
+        Group:     &group,
+        Kind:      &kind,
+        Name:      "cert2",
+        Namespace: &ns,
+    }
+    gw := gwWithListenerCertRef("ns1", "gw1", ref)
+
+    if !secretReferencedByGateway(gw, "other", "cert2") {
+        t.Fatalf("expected match for cross-namespace explicit core/Secret reference")
+    }
+}
+
+func Test_secretReferencedByGateway_IgnoresNonSecretOrNonCore(t *testing.T) {
+    // Non-core group => should be ignored
+    ns := gatewayv1.Namespace("ns1")
+    badGroup := gatewayv1.Group("example.com")
+    kindSecret := gatewayv1.Kind("Secret")
+    refNonCore := gatewayv1.SecretObjectReference{Group: &badGroup, Kind: &kindSecret, Name: "cert", Namespace: &ns}
+    gw := gwWithListenerCertRef("ns1", "gw1", refNonCore)
+    if secretReferencedByGateway(gw, "ns1", "cert") {
+        t.Fatalf("did not expect match for non-core group")
+    }
+
+    // Non-Secret kind => should be ignored
+    groupCore := gatewayv1.Group(corev1.GroupName)
+    badKind := gatewayv1.Kind("ConfigMap")
+    refNonSecret := gatewayv1.SecretObjectReference{Group: &groupCore, Kind: &badKind, Name: "cert"}
+    gw2 := gwWithListenerCertRef("ns1", "gw2", refNonSecret)
+    if secretReferencedByGateway(gw2, "ns1", "cert") {
+        t.Fatalf("did not expect match for non-Secret kind")
+    }
+}
+
+func Test_secretReferencedByGateway_NoTLSOrNoRefs(t *testing.T) {
+    gw := &gwtypes.Gateway{Spec: gwtypes.GatewaySpec{}}
+    if secretReferencedByGateway(gw, "ns", "name") {
+        t.Fatalf("did not expect match when no listeners/tls refs present")
+    }
+}

ingress-controller/internal/controllers/gateway/gateway_controller.go

@@ -27,6 +27,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 	gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 
 	"github.com/kong/kong-operator/ingress-controller/internal/annotations"
@@ -133,6 +134,30 @@ func (r *GatewayReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		)
 	}
 
+	// Watch Secrets to immediately reconcile Gateways when referenced certificate Secrets change.
+	blder.WatchesRawSource(
+		source.Kind(
+			mgr.GetCache(),
+			&corev1.Secret{},
+			handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, s *corev1.Secret) []reconcile.Request {
+				referrers, err := r.ReferenceIndexers.ListReferrerObjectsByReferent(s)
+				if err != nil {
+					r.Log.Error(err, "Failed to list referrers for Secret", "secret", client.ObjectKeyFromObject(s))
+					return nil
+				}
+				recs := make([]reconcile.Request, 0, len(referrers))
+				for _, obj := range referrers {
+					nn := k8stypes.NamespacedName{Namespace: obj.GetNamespace(), Name: obj.GetName()}
+					if !r.GatewayNN.MatchesNN(nn) { // respect --gateway-to-reconcile if set
+						continue
+					}
+					recs = append(recs, reconcile.Request{NamespacedName: nn})
+				}
+				return recs
+			}),
+		),
+	)
+
 	if err := blder.Complete(r); err != nil {
 		return err
 	}