fix(GatewayAPI): reconcile Gateways on Secret changes

Signed-off-by: Mike Beaumont <mjboamail@gmail.com>
kumahq · May 12, 2023 · c9ff21b · c9ff21b
1 parent 8f2f68c
commit c9ff21b
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 3 deletions.
diff --git a/pkg/plugins/runtime/k8s/controllers/gatewayapi/gateway_controller.go b/pkg/plugins/runtime/k8s/controllers/gatewayapi/gateway_controller.go
@@ -161,7 +161,8 @@ func (r *GatewayReconciler) createOrUpdateInstance(ctx context.Context, mesh str
 	return instance, nil
 }
 
-const gatewayIndexField = ".metadata.gateway"
+const gatewayOfRouteIndexField = ".metadata.gateway"
+const secretsOfGatewayIndexField = ".metadata.secrets"
 
 // gatewaysForRoute returns a function that calculates which MeshGateways might
 // be affected by changes in an HTTPRoute so they can be reconciled.
@@ -305,10 +306,42 @@ func gatewaysForGrant(l logr.Logger, client kube_client.Client) kube_handler.Map
 	}
 }
 
+// gatewaysForSecret returns a function that calculates which Gateways might
+// be affected by changes in a Secret so they can be reconciled.
+func gatewaysForSecret(l logr.Logger, client kube_client.Client) kube_handler.MapFunc {
+	l = l.WithName("gatewaysForSecret")
+
+	return func(obj kube_client.Object) []kube_reconcile.Request {
+		secret, ok := obj.(*kube_core.Secret)
+		if !ok {
+			l.Error(nil, "unexpected error converting to be mapped %T object to Secret", obj)
+			return nil
+		}
+
+		var gateways gatewayapi.GatewayList
+		if err := client.List(context.Background(), &gateways, kube_client.MatchingFields{
+			secretsOfGatewayIndexField: kube_client.ObjectKeyFromObject(secret).String(),
+		}); err != nil {
+			l.Error(nil, "unexpected error listing Gateways")
+			return nil
+		}
+
+		var requests []kube_reconcile.Request
+
+		for i := range gateways.Items {
+			requests = append(requests, kube_reconcile.Request{
+				NamespacedName: kube_client.ObjectKeyFromObject(&gateways.Items[i]),
+			})
+		}
+
+		return requests
+	}
+}
+
 func (r *GatewayReconciler) SetupWithManager(mgr kube_ctrl.Manager) error {
 	// This index helps us list routes that point to a MeshGateway in
 	// attachedListenersForMeshGateway.
-	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &gatewayapi.HTTPRoute{}, gatewayIndexField, func(obj kube_client.Object) []string {
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &gatewayapi.HTTPRoute{}, gatewayOfRouteIndexField, func(obj kube_client.Object) []string {
 		route := obj.(*gatewayapi.HTTPRoute)
 
 		var names []string
@@ -330,6 +363,35 @@ func (r *GatewayReconciler) SetupWithManager(mgr kube_ctrl.Manager) error {
 		return err
 	}
 
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &gatewayapi.Gateway{}, secretsOfGatewayIndexField, func(obj kube_client.Object) []string {
+		gateway := obj.(*gatewayapi.Gateway)
+
+		var refs []string
+
+		for _, listener := range gateway.Spec.Listeners {
+			if listener.TLS == nil {
+				continue
+			}
+
+			for _, ref := range listener.TLS.CertificateRefs {
+				namespace := gateway.Namespace
+				if ref.Namespace != nil {
+					namespace = string(*ref.Namespace)
+				}
+
+				refs = append(
+					refs,
+					kube_types.NamespacedName{Namespace: namespace, Name: string(ref.Name)}.String(),
+				)
+			}
+
+		}
+
+		return refs
+	}); err != nil {
+		return err
+	}
+
 	return kube_ctrl.NewControllerManagedBy(mgr).
 		For(&gatewayapi.Gateway{}).
 		Owns(&mesh_k8s.MeshGateway{}).
@@ -350,5 +412,9 @@ func (r *GatewayReconciler) SetupWithManager(mgr kube_ctrl.Manager) error {
 			&kube_source.Kind{Type: &gatewayapi.ReferenceGrant{}},
 			kube_handler.EnqueueRequestsFromMapFunc(gatewaysForGrant(r.Log, r.Client)),
 		).
+		Watches(
+			&kube_source.Kind{Type: &kube_core.Secret{}},
+			kube_handler.EnqueueRequestsFromMapFunc(gatewaysForSecret(r.Log, r.Client)),
+		).
 		Complete(r)
 }
diff --git a/pkg/plugins/runtime/k8s/controllers/gatewayapi/gateway_status.go b/pkg/plugins/runtime/k8s/controllers/gatewayapi/gateway_status.go
@@ -94,7 +94,7 @@ func attachedRoutesForListeners(
 ) (AttachedRoutesForListeners, error) {
 	var routes gatewayapi.HTTPRouteList
 	if err := client.List(ctx, &routes, kube_client.MatchingFields{
-		gatewayIndexField: kube_client.ObjectKeyFromObject(gateway).String(),
+		gatewayOfRouteIndexField: kube_client.ObjectKeyFromObject(gateway).String(),
 	}); err != nil {
 		return nil, errors.Wrap(err, "unexpected error listing HTTPRoutes")
 	}