refactor: TLS support

- bump github.com/l7mp/stunner version v0.11.3
- expose throttleTimeout on the command line, fixes #4
- support per-Gateway LoadBalancer annotations, fixes #11
- consolidate controllers into 4 reconciliation loops
- suppress reconciliation for events on unrelated k8s objects
- let gateway controller watch TLS Secrets ref'd by Gateway listeners
- actually render TLS cert/key into running config
- implement SecretStore to locally cache Secrets
- maintain only a single node in the local NodeStore
- allow ExternalDNS addresses when public IP is taken from a Node
- convert object log pretty-printer to JSON.Marschal for more readable output
- billions of new tests

config/rbac/role.yaml

@@ -27,90 +27,26 @@ rules:
   - ""
   resources:
   - endpoints
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
   - nodes
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - nodes/status
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
+  - secrets
   - services
   verbs:
-  - create
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - ""
   resources:
+  - endpoints/status
+  - nodes/status
   - services/status
   verbs:
   - get
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
   - gatewayclasses
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
-  - gatewayclasses/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
-  - gatewayclasses/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
   - gateways
-  verbs:
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
-  - gateways/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
-  - gateways/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
   - udproutes
   verbs:
   - get
@@ -121,40 +57,17 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
-  - udproutes/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
+  - gatewayclasses/status
+  - gateways/status
   - udproutes/status
   verbs:
-  - get
   - patch
   - update
 - apiGroups:
   - stunner.l7mp.io
   resources:
   - gatewayconfigs
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
-- apiGroups:
-  - stunner.l7mp.io
-  resources:
-  - gatewayconfigs/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - stunner.l7mp.io
-  resources:
-  - gatewayconfigs/status
-  verbs:
-  - get
-  - patch
-  - update

go.mod

@@ -5,7 +5,7 @@ go 1.18
 require (
 	github.com/go-logr/logr v1.2.3
 	github.com/go-logr/zapr v1.2.3
-	github.com/l7mp/stunner v0.11.2
+	github.com/l7mp/stunner v0.11.3
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.19.0
 	github.com/stretchr/testify v1.8.0
@@ -58,7 +58,6 @@ require (
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
 	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect

internal/config/defaults.go

@@ -1,5 +1,11 @@
 package config
 
+import (
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
 const (
 	// DefaultControllerName is a unique identifier which indicates this operator's name.
 	DefaultControllerName = "stunner.l7mp.io/gateway-operator"
@@ -11,6 +17,15 @@ const (
 	// so that the controller can assign the right public  address to the right listener.
 	GatewayAddressAnnotationKey = "stunner.l7mp.io/related-gateway-name"
 
+	// ServiceTypeAnnotationKey defines the type of the service created to expose each Gateway
+	// to external clients. Can be either `None` (no service created), `ClusterIP`, `NodePort`,
+	// `ExternalName` or `LoadBalancer`. Default is `LoadBalancer`.
+	ServiceTypeAnnotationKey = "stunner.l7mp.io/service-type"
+
+	// DefaultServiceType defines the default type of services created to expose each Gateway
+	// to external clients.
+	DefaultServiceType = corev1.ServiceTypeLoadBalancer
+
 	// // GatewayManagedLabelValue indicates that the object's lifecycle is managed by
 	// // the gateway controller.
 	// GatewayManagedLabelValue = "gateway"
@@ -43,4 +58,7 @@ const (
 
 	// DefaultHealthCheckEndpoint is the default URI at which health-check requests are served.
 	DefaultHealthCheckEndpoint = "http://0.0.0.0:8086"
+
+	// DefaultThrottleTimeout is the default time interval to wait between subsequent config renders.
+	DefaultThrottleTimeout = 250 * time.Millisecond
 )

internal/config/vars.go

@@ -19,4 +19,12 @@ var (
 	// ClusterIP. If both EnableEndpointDiscovery and EnableRelayToClusterIP are on, clients
 	// can connect to both the ClusterIP and any direct pod IP.
 	EnableRelayToClusterIP = DefaultEnableRelayToClusterIP
+
+	// ThrottleTimeout defines the amount of time to wait before initiating a new config render
+	// process. This allows to rate-limit config renders in very large clusters or frequently
+	// changing resources, where the config rendering process is too expensive to be run after
+	// every CRUD operation on the object being watched by the operator. The larger the
+	// throttle timeout the slower the controller and the smaller the operator CPU
+	// consumption. Default is 250 msec.
+	ThrottleTimeout = DefaultThrottleTimeout
 )

internal/controllers/doc.go

@@ -14,9 +14,5 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package controllers contains the controllers form the STUNNer Gateway API operator
+// Package `controllers` implements the controllers for the STUNNer gateway operator.
 package controllers
-
-// the opetator needs full permission to K8s configmaps
-//+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=core,resources=configmaps/finalizers,verbs=update