-
Notifications
You must be signed in to change notification settings - Fork 2.8k
/
tlsroute_reconcile.go
150 lines (126 loc) · 4.93 KB
/
tlsroute_reconcile.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
package gateway_api
import (
"context"
"fmt"
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
"github.com/sirupsen/logrus"
k8serrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
ctrl "sigs.k8s.io/controller-runtime"
gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
controllerruntime "github.com/cilium/cilium/operator/pkg/controller-runtime"
"github.com/cilium/cilium/operator/pkg/gateway-api/routechecks"
"github.com/cilium/cilium/pkg/logging/logfields"
)
// Reconcile is part of the main kubernetes reconciliation loop which aims to
// move the current state of the cluster closer to the desired state.
//
// For more details, check Reconcile and its Result here:
// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.12.2/pkg/reconcile
func (r *tlsRouteReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
scopedLog := log.WithContext(ctx).WithFields(logrus.Fields{
logfields.Controller: "tlsRoute",
logfields.Resource: req.NamespacedName,
})
scopedLog.Info("Reconciling TLSRoute")
// Fetch the TLSRoute instance
original := &gatewayv1alpha2.TLSRoute{}
if err := r.Client.Get(ctx, req.NamespacedName, original); err != nil {
if k8serrors.IsNotFound(err) {
return controllerruntime.Success()
}
scopedLog.WithError(err).Error("Unable to fetch TLSRoute")
return controllerruntime.Fail(err)
}
// Ignore deleted TLSRoute, this can happen when foregroundDeletion is enabled
if original.GetDeletionTimestamp() != nil {
return controllerruntime.Success()
}
tr := original.DeepCopy()
// check if this cert is allowed to be used by this gateway
grants := &gatewayv1beta1.ReferenceGrantList{}
if err := r.Client.List(ctx, grants); err != nil {
return r.handleReconcileErrorWithStatus(ctx, fmt.Errorf("failed to retrieve reference grants: %w", err), original, tr)
}
// input for the validators
i := &routechecks.TLSRouteInput{
Ctx: ctx,
Logger: scopedLog.WithField(logfields.Resource, tr),
Client: r.Client,
Grants: grants,
TLSRoute: tr,
}
// gateway validators
for _, parent := range tr.Spec.ParentRefs {
// set acceptance to okay, this wil be overwritten in checks if needed
i.SetParentCondition(parent, metav1.Condition{
Type: string(gatewayv1.RouteConditionAccepted),
Status: metav1.ConditionTrue,
Reason: string(gatewayv1.RouteReasonAccepted),
Message: "Accepted TLSRoute",
})
// set status to okay, this wil be overwritten in checks if needed
i.SetAllParentCondition(metav1.Condition{
Type: string(gatewayv1.RouteConditionResolvedRefs),
Status: metav1.ConditionTrue,
Reason: string(gatewayv1.RouteReasonResolvedRefs),
Message: "Service reference is valid",
})
// run the actual validators
for _, fn := range []routechecks.CheckGatewayFunc{
routechecks.CheckGatewayAllowedForNamespace,
routechecks.CheckGatewayRouteKindAllowed,
routechecks.CheckGatewayMatchingPorts,
routechecks.CheckGatewayMatchingHostnames,
routechecks.CheckGatewayMatchingSection,
} {
continueCheck, err := fn(i, parent)
if err != nil {
return r.handleReconcileErrorWithStatus(ctx, fmt.Errorf("failed to apply route check: %w", err), original, tr)
}
if !continueCheck {
break
}
}
}
// backend validators
for _, fn := range []routechecks.CheckRuleFunc{
routechecks.CheckAgainstCrossNamespaceBackendReferences,
routechecks.CheckBackend,
routechecks.CheckHasServiceImportSupport,
routechecks.CheckBackendIsExistingService,
} {
continueCheck, err := fn(i)
if err != nil {
return r.handleReconcileErrorWithStatus(ctx, fmt.Errorf("failed to apply Gateway check: %w", err), original, tr)
}
if !continueCheck {
break
}
}
if err := r.updateStatus(ctx, original, tr); err != nil {
return ctrl.Result{}, fmt.Errorf("failed to update TLSRoute status: %w", err)
}
scopedLog.Info("Successfully reconciled TLSRoute")
return controllerruntime.Success()
}
func (r *tlsRouteReconciler) updateStatus(ctx context.Context, original *gatewayv1alpha2.TLSRoute, new *gatewayv1alpha2.TLSRoute) error {
oldStatus := original.Status.DeepCopy()
newStatus := new.Status.DeepCopy()
opts := cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime")
if cmp.Equal(oldStatus, newStatus, opts) {
return nil
}
return r.Client.Status().Update(ctx, new)
}
func (r *tlsRouteReconciler) handleReconcileErrorWithStatus(ctx context.Context, reconcileErr error, original *gatewayv1alpha2.TLSRoute, modified *gatewayv1alpha2.TLSRoute) (ctrl.Result, error) {
if err := r.updateStatus(ctx, original, modified); err != nil {
return controllerruntime.Fail(fmt.Errorf("failed to update TLSRoute status while handling the reconcile error %w: %w", reconcileErr, err))
}
return controllerruntime.Fail(reconcileErr)
}