WIP add indexer for secret reference

Kong · Oct 13, 2022 · d5f2d54 · d5f2d54
1 parent 76b8b80
commit d5f2d54
Show file tree

Hide file tree

Showing 10 changed files with 669 additions and 87 deletions.
diff --git a/hack/generators/controllers/networking/main.go b/hack/generators/controllers/networking/main.go
@@ -43,6 +43,7 @@ var inputControllersNeeded = &typesNeeded{
 		NeedsStatusPermissions:            true,
 		AcceptsIngressClassNameAnnotation: false,
 		AcceptsIngressClassNameSpec:       false,
+		NeedsUpdateReferences:             true,
 		RBACVerbs:                         []string{"get", "list", "watch"},
 	},
 	typeNeeded{
@@ -59,20 +60,6 @@ var inputControllersNeeded = &typesNeeded{
 		AcceptsIngressClassNameSpec:       false,
 		RBACVerbs:                         []string{"list", "watch"},
 	},
-	typeNeeded{
-		Group:                             "\"\"",
-		Version:                           "v1",
-		Kind:                              "Secret",
-		PackageImportAlias:                "corev1",
-		PackageAlias:                      "CoreV1",
-		Package:                           corev1,
-		Plural:                            "secrets",
-		CacheType:                         "Secret",
-		NeedsStatusPermissions:            true,
-		AcceptsIngressClassNameAnnotation: false,
-		AcceptsIngressClassNameSpec:       false,
-		RBACVerbs:                         []string{"list", "watch"},
-	},
 	typeNeeded{
 		Group:                             "networking.k8s.io",
 		Version:                           "v1",
@@ -86,6 +73,7 @@ var inputControllersNeeded = &typesNeeded{
 		CapableOfStatusUpdates:            true,
 		AcceptsIngressClassNameAnnotation: true,
 		AcceptsIngressClassNameSpec:       true,
+		NeedsUpdateReferences:             true,
 		RBACVerbs:                         []string{"get", "list", "watch"},
 	},
 	typeNeeded{
@@ -115,6 +103,7 @@ var inputControllersNeeded = &typesNeeded{
 		CapableOfStatusUpdates:            true,
 		AcceptsIngressClassNameAnnotation: true,
 		AcceptsIngressClassNameSpec:       true,
+		NeedsUpdateReferences:             true,
 		RBACVerbs:                         []string{"get", "list", "watch"},
 	},
 	typeNeeded{
@@ -130,6 +119,7 @@ var inputControllersNeeded = &typesNeeded{
 		CapableOfStatusUpdates:            true,
 		AcceptsIngressClassNameAnnotation: true,
 		AcceptsIngressClassNameSpec:       true,
+		NeedsUpdateReferences:             true,
 		RBACVerbs:                         []string{"get", "list", "watch"},
 	},
 	typeNeeded{
@@ -158,6 +148,7 @@ var inputControllersNeeded = &typesNeeded{
 		NeedsStatusPermissions:            true,
 		AcceptsIngressClassNameAnnotation: false,
 		AcceptsIngressClassNameSpec:       false,
+		NeedsUpdateReferences:             true,
 		RBACVerbs:                         []string{"get", "list", "watch"},
 	},
 	typeNeeded{
@@ -172,6 +163,7 @@ var inputControllersNeeded = &typesNeeded{
 		NeedsStatusPermissions:            true,
 		AcceptsIngressClassNameAnnotation: true,
 		AcceptsIngressClassNameSpec:       false,
+		NeedsUpdateReferences:             true,
 		RBACVerbs:                         []string{"get", "list", "watch"},
 	},
 	typeNeeded{
@@ -186,6 +178,7 @@ var inputControllersNeeded = &typesNeeded{
 		NeedsStatusPermissions:            true,
 		AcceptsIngressClassNameAnnotation: true,
 		AcceptsIngressClassNameSpec:       false,
+		NeedsUpdateReferences:             true,
 		RBACVerbs:                         []string{"get", "list", "watch"},
 	},
 	typeNeeded{
@@ -201,6 +194,7 @@ var inputControllersNeeded = &typesNeeded{
 		CapableOfStatusUpdates:            true,
 		AcceptsIngressClassNameAnnotation: true,
 		AcceptsIngressClassNameSpec:       false,
+		NeedsUpdateReferences:             true,
 		RBACVerbs:                         []string{"get", "list", "watch"},
 	},
 	typeNeeded{
@@ -355,6 +349,10 @@ type typeNeeded struct {
 	// CapableOfStatusUpdates indicates that the controllers should manage status
 	// updates for the resource.
 	CapableOfStatusUpdates bool
+
+	// NeedUpdateReferences is true if we need to update the referece relationships
+	// between reconciled object and other objects.
+	NeedsUpdateReferences bool
 }
 
 func (t *typeNeeded) generate(contents *bytes.Buffer) error {
@@ -587,6 +585,13 @@ func (r *{{.PackageAlias}}{{.Kind}}Reconciler) Reconcile(ctx context.Context, re
 		return ctrl.Result{}, err
 	}
 
+{{- if .NeedsUpdateReferences }}
+	// update reference relationship from the {{.Kind}} to other objects.
+	if err := updateReferredObjects(ctx, r.Client, r.DataplaneClient, obj); err != nil {
+		return ctrl.Result{}, err
+	}
+{{- end }}
+
 {{- if .CapableOfStatusUpdates}}
 	// if status updates are enabled report the status for the object
 	if r.DataplaneClient.AreKubernetesObjectReportsEnabled() {

diff --git a/internal/controllers/configuration/object_references.go b/internal/controllers/configuration/object_references.go
@@ -0,0 +1,267 @@
+package configuration
+
+import (
+	"context"
+
+	corev1 "k8s.io/api/core/v1"
+	extv1beta1 "k8s.io/api/extensions/v1beta1"
+	netv1 "k8s.io/api/networking/v1"
+	netv1beta1 "k8s.io/api/networking/v1beta1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/kong/kubernetes-ingress-controller/v2/internal/annotations"
+	"github.com/kong/kubernetes-ingress-controller/v2/internal/dataplane"
+	kongv1 "github.com/kong/kubernetes-ingress-controller/v2/pkg/apis/configuration/v1"
+	kongv1beta1 "github.com/kong/kubernetes-ingress-controller/v2/pkg/apis/configuration/v1beta1"
+)
+
+func updateReferredObjects(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, obj runtime.Object) error {
+	switch obj := obj.(type) {
+	case *corev1.Service:
+		return updateCoreV1ServiceReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *netv1.Ingress:
+		return updateNetV1IngressReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *netv1beta1.Ingress:
+		return updateNetV1beta1IngressReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *extv1beta1.Ingress:
+		return updateExtensionV1beta1IngressReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *kongv1.KongPlugin:
+		return updateKongPluginReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *kongv1.KongClusterPlugin:
+		return updateKongClusterPluginReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *kongv1.KongConsumer:
+		return updateKongConsumerReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *kongv1beta1.TCPIngress:
+		return updateTCPIngressReferredSecrets(ctx, client, dataplaneClient, obj)
+	}
+
+	return nil
+}
+
+func updateSecretInStore(ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, secret *corev1.Secret) error {
+	err := client.Get(ctx, types.NamespacedName{
+		Namespace: secret.Namespace,
+		Name:      secret.Name,
+	}, secret)
+
+	if err != nil && !k8serrors.IsNotFound(err) {
+		return err
+	}
+
+	return dataplaneClient.UpdateObject(secret)
+}
+
+func updateCoreV1ServiceReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, service *corev1.Service,
+) error {
+	if service.Annotations == nil {
+		return nil
+	}
+	secretName := annotations.ExtractClientCertificate(service.Annotations)
+	if secretName != "" {
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: service.Namespace,
+				Name:      secretName,
+			},
+		}
+		err := dataplaneClient.SetObjectReference(service.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+	// TODO: remove outdated reference records.
+
+	return nil
+}
+
+func updateNetV1IngressReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, ingress *netv1.Ingress,
+) error {
+	for _, tls := range ingress.Spec.TLS {
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ingress.Namespace,
+				Name:      tls.SecretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(ingress.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+		// REVIEW: do we allow to refer to a secret which does not exist yet?
+		err = client.Get(ctx, types.NamespacedName{
+			Namespace: ingress.Namespace,
+			Name:      tls.SecretName,
+		}, secret)
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+
+	}
+
+	return nil
+}
+
+func updateNetV1beta1IngressReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, ingress *netv1beta1.Ingress,
+) error {
+
+	for _, tls := range ingress.Spec.TLS {
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ingress.Namespace,
+				Name:      tls.SecretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(ingress.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func updateExtensionV1beta1IngressReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, ingress *extv1beta1.Ingress,
+) error {
+
+	for _, tls := range ingress.Spec.TLS {
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ingress.Namespace,
+				Name:      tls.SecretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(ingress.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func updateKongPluginReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, plugin *kongv1.KongPlugin,
+) error {
+	if plugin.ConfigFrom != nil {
+		secretName := plugin.ConfigFrom.SecretValue.Secret
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: plugin.Namespace,
+				Name:      secretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(plugin.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func updateKongClusterPluginReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, plugin *kongv1.KongClusterPlugin,
+) error {
+	if plugin.ConfigFrom != nil {
+		secretNamespace := plugin.ConfigFrom.SecretValue.Namespace
+		secretName := plugin.ConfigFrom.SecretValue.Secret
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: secretNamespace,
+				Name:      secretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(plugin.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func updateKongConsumerReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, consumer *kongv1.KongConsumer,
+) error {
+	for _, secretName := range consumer.Credentials {
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: consumer.Namespace,
+				Name:      secretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(consumer.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func updateTCPIngressReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, tcpIngress *kongv1beta1.TCPIngress,
+) error {
+	for _, tls := range tcpIngress.Spec.TLS {
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: tcpIngress.Namespace,
+				Name:      tls.SecretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(tcpIngress.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}