knative-extensions · nak3 · Aug 2, 2023 · Aug 2, 2023 · Aug 2, 2023 · Aug 2, 2023
diff --git a/cmd/kourier/main.go b/cmd/kourier/main.go
@@ -18,16 +18,17 @@ package main
 
 import (
 	"knative.dev/net-kourier/pkg/config"
-	"knative.dev/net-kourier/pkg/reconciler/informerfiltering"
 	kourierIngressController "knative.dev/net-kourier/pkg/reconciler/ingress"
+	"knative.dev/networking/pkg/apis/networking"
 	"knative.dev/pkg/signals"
 
 	// This defines the shared main for injected controllers.
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	"knative.dev/pkg/injection/sharedmain"
 )
 
 func main() {
-	ctx := informerfiltering.GetContextWithFilteringLabelSelector(signals.NewContext())
+	ctx := filteredFactory.WithSelectors(signals.NewContext(), networking.CertificateUIDLabelKey)
 	ctx = sharedmain.WithHealthProbesDisabled(ctx)
 	sharedmain.MainWithContext(ctx, config.ControllerName, kourierIngressController.NewController)
 }
diff --git a/config/200-serviceaccount.yaml b/config/200-serviceaccount.yaml
@@ -37,8 +37,11 @@ rules:
     resources: ["events"]
     verbs: ["create", "update", "patch"]
   - apiGroups: [""]
-    resources: ["pods", "endpoints", "services", "secrets"]
+    resources: ["pods", "endpoints", "services"]
     verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "update"]
   - apiGroups: [""]
     resources: ["configmaps"]
     verbs: [ "get", "list", "watch" ]

diff --git a/config/300-controller.yaml b/config/300-controller.yaml
@@ -57,8 +57,6 @@ spec:
               value: "knative.dev/samples"
             - name: KOURIER_GATEWAY_NAMESPACE
               value: "kourier-system"
-            - name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID
-              value: "false"
             # KUBE_API_BURST and KUBE_API_QPS allows to configure maximum burst for throttle and maximum QPS to the server from the client.
             # Setting these values using env vars is possible since https://github.com/knative/pkg/pull/2755.
             # 200 is an arbitrary value, but it speeds up kourier startup duration, and the whole ingress reconciliation process as a whole.

diff --git a/pkg/generator/ingress_translator.go b/pkg/generator/ingress_translator.go
@@ -34,10 +34,13 @@ import (
 	"google.golang.org/protobuf/types/known/anypb"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	kubeclient "k8s.io/client-go/kubernetes"
 	pkgconfig "knative.dev/net-kourier/pkg/config"
 	envoy "knative.dev/net-kourier/pkg/envoy/api"
 	"knative.dev/net-kourier/pkg/reconciler/ingress/config"
+	"knative.dev/networking/pkg/apis/networking"
 	"knative.dev/networking/pkg/apis/networking/v1alpha1"
 	"knative.dev/networking/pkg/certificates"
 	netconfig "knative.dev/networking/pkg/config"
@@ -61,6 +64,7 @@ type IngressTranslator struct {
 	endpointsGetter func(ns, name string) (*corev1.Endpoints, error)
 	serviceGetter   func(ns, name string) (*corev1.Service, error)
 	namespaceGetter func(name string) (*corev1.Namespace, error)
+	kubeClient      kubeclient.Interface
 	tracker         tracker.Interface
 }
 
@@ -69,12 +73,14 @@ func NewIngressTranslator(
 	endpointsGetter func(ns, name string) (*corev1.Endpoints, error),
 	serviceGetter func(ns, name string) (*corev1.Service, error),
 	namespaceGetter func(name string) (*corev1.Namespace, error),
+	kubeClient kubeclient.Interface,
 	tracker tracker.Interface) IngressTranslator {
 	return IngressTranslator{
 		secretGetter:    secretGetter,
 		endpointsGetter: endpointsGetter,
 		serviceGetter:   serviceGetter,
 		namespaceGetter: namespaceGetter,
+		kubeClient:      kubeClient,
 		tracker:         tracker,
 	}
 }
@@ -89,10 +95,31 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre
 		}
 
 		secret, err := translator.secretGetter(ingressTLS.SecretNamespace, ingressTLS.SecretName)
-		if err != nil {
+		if apierrors.IsNotFound(err) {
+			// As secret does not have a CertificateUIDLabel for the first time, informer cannot get the secret.
+			// Try to use k8s client to get the secret. It may have some cost but it happens only once when a new secret is specified.
+			secret, err = translator.kubeClient.CoreV1().Secrets(ingressTLS.SecretNamespace).Get(ctx, ingressTLS.SecretName, metav1.GetOptions{})
+			if err != nil {
+				return nil, fmt.Errorf("failed to get secret: %w", err)
+			}
+		} else if err != nil {
 			return nil, fmt.Errorf("failed to fetch secret: %w", err)
 		}
 
+		if secret.Labels == nil || secret.Labels[networking.CertificateUIDLabelKey] == "" {
+			// Don't modify the informers copy
+			existing := secret.DeepCopy()
+			if existing.Labels == nil {
+				existing.Labels = make(map[string]string)
+			}
+			existing.Labels[networking.CertificateUIDLabelKey] = ingressTLS.SecretName
+			secret, err = translator.kubeClient.CoreV1().Secrets(ingressTLS.SecretNamespace).Update(ctx, existing, metav1.UpdateOptions{})
+			if err != nil {
+				return nil, fmt.Errorf("failed to update secret: %w", err)
+			}
+
+		}
+
 		// Validate certificate here as these are defined by users.
 		// We should not send Gateway without validation.
 		_, err = tls.X509KeyPair(

diff --git a/pkg/generator/ingress_translator_test.go b/pkg/generator/ingress_translator_test.go
@@ -673,6 +673,7 @@ func TestIngressTranslator(t *testing.T) {
 				func(name string) (*corev1.Namespace, error) {
 					return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
 				},
+				kubeclient,
 				&pkgtest.FakeTracker{},
 			)
 
@@ -885,6 +886,7 @@ func TestIngressTranslatorWithHTTPOptionDisabled(t *testing.T) {
 				func(name string) (*corev1.Namespace, error) {
 					return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
 				},
+				kubeclient,
 				&pkgtest.FakeTracker{},
 			)
 
@@ -1211,6 +1213,7 @@ func TestIngressTranslatorWithUpstreamTLS(t *testing.T) {
 				func(name string) (*corev1.Namespace, error) {
 					return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
 				},
+				kubeclient,
 				&pkgtest.FakeTracker{},
 			)
 
@@ -1312,6 +1315,7 @@ func TestIngressTranslatorHTTP01Challenge(t *testing.T) {
 			func(name string) (*corev1.Namespace, error) {
 				return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
 			},
+			kubeclient,
 			&pkgtest.FakeTracker{},
 		)
 
@@ -1424,6 +1428,7 @@ func TestIngressTranslatorDomainMappingDisableHTTP2(t *testing.T) {
 			func(name string) (*corev1.Namespace, error) {
 				return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
 			},
+			kubeclient,
 			&pkgtest.FakeTracker{},
 		)
 

diff --git a/pkg/reconciler/informerfiltering/util.go b/pkg/reconciler/informerfiltering/util.go
diff --git a/pkg/reconciler/ingress/controller.go b/pkg/reconciler/ingress/controller.go
@@ -190,6 +190,7 @@ func NewController(ctx context.Context, cmw configmap.Watcher) *controller.Impl
 		func(name string) (*corev1.Namespace, error) {
 			return namespaceInformer.Lister().Get(name)
 		},
+		kubernetesClient,
 		impl.Tracker)
 	r.ingressTranslator = &ingressTranslator
 
@@ -223,6 +224,7 @@ func NewController(ctx context.Context, cmw configmap.Watcher) *controller.Impl
 		func(name string) (*corev1.Namespace, error) {
 			return namespaceInformer.Lister().Get(name)
 		},
+		kubernetesClient,
 		impl.Tracker)
 
 	for _, ingress := range ingressesToSync {