feat(#3097): create warning translation failure events for CA secrets

CHANGELOG.md

@@ -110,6 +110,8 @@ Adding a new version? You'll need three changes:
   [#3121](https://github.com/Kong/kubernetes-ingress-controller/pull/3121)
 - Routes support annotations for path handling.
   [#3121](https://github.com/Kong/kubernetes-ingress-controller/pull/3121)
+- Warning events are recorded when CA secrets cannot be properly translated into Kong configuration.  
+  [#3125](https://github.com/Kong/kubernetes-ingress-controller/pull/3125)
 
 ### Fixed
 

internal/dataplane/kong_client.go

@@ -11,6 +11,8 @@ import (
 	"github.com/kong/go-kong/kong"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/sirupsen/logrus"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/kong/kubernetes-ingress-controller/v2/internal/dataplane/deckgen"
@@ -24,6 +26,9 @@ import (
 	"github.com/kong/kubernetes-ingress-controller/v2/internal/versions"
 )
 
+// KongConfigurationTranslationFailedEventReason defines an event reason used for creating all translation failure events.
+const KongConfigurationTranslationFailedEventReason = "KongConfigurationTranslationFailed"
+
 // -----------------------------------------------------------------------------
 // Dataplane Client - Kong - Public Types
 // -----------------------------------------------------------------------------
@@ -106,6 +111,9 @@ type KongClient struct {
 	// whether a Kubernetes object has corresponding data-plane configuration that
 	// is actively configured (e.g. to know how to set the object status).
 	kubernetesObjectReportsFilter k8sobj.Set
+
+	// eventRecorder is used to record warning events for translation failures.
+	eventRecorder record.EventRecorder
 }
 
 // NewKongClient provides a new KongClient object after connecting to the
@@ -118,6 +126,7 @@ func NewKongClient(
 	skipCACertificates bool,
 	diagnostic util.ConfigDumpDiagnostic,
 	kongConfig sendconfig.Kong,
+	eventRecorder record.EventRecorder,
 ) (*KongClient, error) {
 	// build the client object
 	cache := store.NewCacheStores()
@@ -131,6 +140,7 @@ func NewKongClient(
 		prometheusMetrics:  metrics.NewCtrlFuncMetrics(),
 		cache:              &cache,
 		kongConfig:         kongConfig,
+		eventRecorder:      eventRecorder,
 	}
 
 	// download the kong root configuration (and validate connectivity to the proxy API)
@@ -320,6 +330,7 @@ func (c *KongClient) Update(ctx context.Context) error {
 		c.prometheusMetrics.TranslationCount.With(prometheus.Labels{
 			metrics.SuccessKey: metrics.SuccessFalse,
 		}).Inc()
+		c.recordTranslationFailureWarningEvents(translationFailures)
 		c.logger.Debugf("%d translation failures have occurred when building data-plane configuration", failuresCount)
 	} else {
 		c.prometheusMetrics.TranslationCount.With(prometheus.Labels{
@@ -447,3 +458,13 @@ func (c *KongClient) updateKubernetesObjectReportFilter(set k8sobj.Set) {
 	defer c.kubernetesObjectReportLock.Unlock()
 	c.kubernetesObjectReportsFilter = set
 }
+
+// recordTranslationFailureWarningEvents records a warning KongConfigurationTranslationFailedEventReason events,
+// one per a translation failure causing object.
+func (c *KongClient) recordTranslationFailureWarningEvents(translationFailures []parser.TranslationFailure) {
+	for _, failure := range translationFailures {
+		for _, obj := range failure.CausingObjects() {
+			c.eventRecorder.Event(obj, corev1.EventTypeWarning, KongConfigurationTranslationFailedEventReason, failure.Reason())
+		}
+	}
+}

internal/manager/consts.go

@@ -19,3 +19,6 @@ const MetricsPort = 10255
 
 // DiagnosticsPort is the default port of the manager's diagnostics service listens on.
 const DiagnosticsPort = 10256
+
+// KongClientEventRecorderComponentName is a KongClient component name used to identify the events recording component.
+const KongClientEventRecorderComponentName = "kong-client"

internal/manager/run.go

@@ -151,7 +151,18 @@ func RunWithLogger(ctx context.Context, c *Config, diagnostic util.ConfigDumpDia
 	if err != nil {
 		return fmt.Errorf("%f is not a valid number of seconds to the timeout config for the kong client: %w", c.ProxyTimeoutSeconds, err)
 	}
-	dataplaneClient, err := dataplane.NewKongClient(deprecatedLogger, timeoutDuration, c.IngressClassName, c.EnableReverseSync, c.SkipCACertificates, diagnostic, kongConfig)
+
+	eventRecorder := mgr.GetEventRecorderFor(KongClientEventRecorderComponentName)
+	dataplaneClient, err := dataplane.NewKongClient(
+		deprecatedLogger,
+		timeoutDuration,
+		c.IngressClassName,
+		c.EnableReverseSync,
+		c.SkipCACertificates,
+		diagnostic,
+		kongConfig,
+		eventRecorder,
+	)
 	if err != nil {
 		return fmt.Errorf("failed to initialize kong data-plane client: %w", err)
 	}
@@ -200,7 +211,7 @@ func RunWithLogger(ctx context.Context, c *Config, diagnostic util.ConfigDumpDia
 
 	// BUG: kubebuilder (at the time of writing - 3.0.0-rc.1) does not allow this tag anywhere else than main.go
 	// See https://github.com/kubernetes-sigs/kubebuilder/issues/932
-	//+kubebuilder:scaffold:builder
+	// +kubebuilder:scaffold:builder
 
 	setupLog.Info("Starting health check servers")
 	if err := mgr.AddHealthzCheck("health", healthz.Ping); err != nil {

test/integration/translation_failures_test.go

@@ -0,0 +1,130 @@
+//go:build integration_tests
+// +build integration_tests
+
+package integration
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/kong/kubernetes-ingress-controller/v2/internal/annotations"
+	"github.com/kong/kubernetes-ingress-controller/v2/internal/dataplane"
+	kongv1 "github.com/kong/kubernetes-ingress-controller/v2/pkg/apis/configuration/v1"
+	"github.com/kong/kubernetes-ingress-controller/v2/pkg/clientset"
+)
+
+// TestTranslationFailures ensures that proper warning Kubernetes events are recorded in case of translation failures
+// encountered.
+func TestTranslationFailures(t *testing.T) {
+	testCases := []struct {
+		name string
+		// translationFailureTrigger should create objects that trigger translation failure and return the objects
+		// that we expect translation failure warning events to be created for.
+		translationFailureTrigger func(t *testing.T, ns string) []client.Object
+	}{
+		{
+			name: "invalid CA secret",
+			translationFailureTrigger: func(t *testing.T, ns string) []client.Object {
+				createdSecret, err := env.Cluster().Client().CoreV1().Secrets(ns).Create(ctx, invalidCASecret(ns), metav1.CreateOptions{})
+				require.NoError(t, err)
+
+				return []client.Object{createdSecret}
+			},
+		},
+		{
+			name: "invalid CA secret referred by a plugin",
+			translationFailureTrigger: func(t *testing.T, ns string) []client.Object {
+				createdSecret, err := env.Cluster().Client().CoreV1().Secrets(ns).Create(ctx, invalidCASecret(ns), metav1.CreateOptions{})
+				require.NoError(t, err)
+
+				c, err := clientset.NewForConfig(env.Cluster().Config())
+				require.NoError(t, err)
+				createdPlugin, err := c.ConfigurationV1().KongPlugins(ns).Create(ctx, pluginUsingInvalidCACert(ns), metav1.CreateOptions{})
+				require.NoError(t, err)
+
+				// expect events for both: a faulty secret and a plugin referring it
+				return []client.Object{createdSecret, createdPlugin}
+			},
+		},
+	}
+
+	for _, tt := range testCases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			ns, cleaner := setup(t)
+			defer func() { assert.NoError(t, cleaner.Cleanup(ctx)) }()
+
+			expectedCausingObjects := tt.translationFailureTrigger(t, ns.GetName())
+
+			require.Eventually(t, func() bool {
+				eventsForAllObjectsFound := true
+
+				for _, expectedCausingObject := range expectedCausingObjects {
+					events, err := env.Cluster().Client().CoreV1().Events(ns.GetName()).List(ctx, metav1.ListOptions{
+						FieldSelector: fmt.Sprintf(
+							"reason=%s,type=%s,involvedObject.name=%s",
+							dataplane.KongConfigurationTranslationFailedEventReason,
+							corev1.EventTypeWarning,
+							expectedCausingObject.GetName(),
+						),
+					})
+					if err != nil {
+						t.Logf("failed to list events: %s", err)
+						eventsForAllObjectsFound = false
+					}
+
+					if len(events.Items) == 0 {
+						t.Logf("waiting for events related to '%s' to be created", expectedCausingObject.GetName())
+						eventsForAllObjectsFound = false
+					}
+				}
+
+				return eventsForAllObjectsFound
+			}, time.Minute*5, time.Second)
+		})
+	}
+}
+
+const invalidCASecretID = "8214a145-a328-4c56-ab72-2973a56d4eae" //nolint:gosec
+
+func invalidCASecret(ns string) *corev1.Secret {
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "ca-secret-",
+			Namespace:    ns,
+			Labels: map[string]string{
+				"konghq.com/ca-cert": "true",
+			},
+			Annotations: map[string]string{
+				annotations.IngressClassKey: ingressClass,
+			},
+		},
+		Data: map[string][]byte{
+			"id": []byte(invalidCASecretID),
+			// missing cert key
+		},
+	}
+}
+
+func pluginUsingInvalidCACert(ns string) *kongv1.KongPlugin {
+	return &kongv1.KongPlugin{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "kong-plugin-",
+			Namespace:    ns,
+			Annotations: map[string]string{
+				annotations.IngressClassKey: ingressClass,
+			},
+		},
+		Config:     v1.JSON{Raw: []byte(fmt.Sprintf(`{"ca_certificates": ["%s"]}`, invalidCASecretID))},
+		PluginName: "mtls-auth",
+	}
+}