check gateway class and do not skip listeners when gateway class is not managed by KIC

Author: randmonkey

hack/generators/cache-stores/spec.go

@@ -60,6 +60,11 @@ var supportedTypes = []cacheStoreSupportedType{
 		Type:    "Gateway",
 		Package: "gatewayapi",
 	},
+	{
+		Type:    "GatewayClass",
+		Package: "gatewayapi",
+		KeyFunc: clusterWideKeyFunc,
+	},
 	{
 		Type:    "BackendTLSPolicy",
 		Package: "gatewayapi",

internal/controllers/gateway/gateway_controller.go

@@ -181,6 +181,7 @@ func (r *GatewayReconciler) gatewayHasMatchingGatewayClass(obj client.Object) bo
 		r.Log.Error(err, "Could not retrieve gatewayclass", "gatewayclass", gateway.Spec.GatewayClassName)
 		return false
 	}
+
 	return isGatewayClassControlled(gatewayClass)
 }
 
@@ -440,6 +441,11 @@ func (r *GatewayReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 		debug(log, gateway, "Ensured gateway was removed from the data-plane (if ever present)")
 		return ctrl.Result{}, nil
 	}
+	err := r.DataplaneClient.UpdateObject(gwc)
+	if err != nil {
+		debug(log, gwc, "Failed to update GatewayClass in dataplane, requeueing")
+		return ctrl.Result{}, err
+	}
 
 	// if there's any deletion timestamp on the object, we can simply ignore it. At this point
 	// with unmanaged mode being the only option supported there are no finalizers and

internal/dataplane/fallback/graph_dependencies.go

@@ -62,6 +62,7 @@ func ResolveDependencies(cache store.CacheStores, obj client.Object) ([]client.O
 		*discoveryv1.EndpointSlice,
 		*gatewayapi.ReferenceGrant,
 		*gatewayapi.Gateway,
+		*gatewayapi.GatewayClass,
 		*gatewayapi.BackendTLSPolicy,
 		*configurationv1.KongIngress,
 		*configurationv1beta1.KongUpstreamPolicy,

internal/dataplane/translator/translate_certs.go

@@ -9,9 +9,11 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/kong/go-kong/kong"
+	"github.com/samber/lo"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"github.com/kong/kubernetes-ingress-controller/v3/internal/annotations"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/dataplane/kongstate"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/gatewayapi"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/logging"
@@ -55,11 +57,16 @@ func (t *Translator) getGatewayCerts() []certWrapper {
 		return certs
 	}
 	for _, gateway := range gateways {
-		statuses := make(map[gatewayapi.SectionName]gatewayapi.ListenerStatus, len(gateway.Status.Listeners))
-		for _, status := range gateway.Status.Listeners {
-			statuses[status.Name] = status
+		gwc, err := s.GetGatewayClass(string(gateway.Spec.GatewayClassName))
+		if err != nil {
+			logger.Error(err, "Failed to get GatewayClass for Gateway, skipping", "gateway", gateway.Name, "gateway_class", gateway.Spec.GatewayClassName)
+			continue
 		}
 
+		statuses := lo.SliceToMap(gateway.Status.Listeners, func(status gatewayapi.ListenerStatus) (gatewayapi.SectionName, gatewayapi.ListenerStatus) {
+			return status.Name, status
+		})
+
 		for _, listener := range gateway.Spec.Listeners {
 			status, ok := statuses[listener.Name]
 			if !ok {
@@ -72,14 +79,18 @@ func (t *Translator) getGatewayCerts() []certWrapper {
 				continue
 			}
 
-			// Check if listener is marked as programmed
-			if !util.CheckCondition(
-				status.Conditions,
-				util.ConditionType(gatewayapi.ListenerConditionProgrammed),
-				util.ConditionReason(gatewayapi.ListenerReasonProgrammed),
-				metav1.ConditionTrue,
-				gateway.Generation,
-			) {
+			// Check if listener is marked as programmed when the gateway is controlled by KIC in its spec and has the "Unmanaged" annotation.
+			// If the GatewayClass is does not satify the condition, the gateway is considered to be managed by other components (for example Kong Oprator),
+			// So we do not check the "Programmed" condition before extracting the certificate from the listener.
+			if gwc.Spec.ControllerName == gatewayapi.GatewayController(t.gatewayControllerName) &&
+				annotations.ExtractUnmanagedGatewayClassMode(gwc.Annotations) != "" &&
+				!util.CheckCondition(
+					status.Conditions,
+					util.ConditionType(gatewayapi.ListenerConditionProgrammed),
+					util.ConditionReason(gatewayapi.ListenerReasonProgrammed),
+					metav1.ConditionTrue,
+					gateway.Generation,
+				) {
 				continue
 			}
 

internal/dataplane/translator/translator.go

@@ -109,8 +109,9 @@ type Translator struct {
 	failuresCollector          *failures.ResourceFailuresCollector
 	translatedObjectsCollector *ObjectsCollector
 
-	clusterDomain      string
-	enableDrainSupport bool
+	clusterDomain         string
+	enableDrainSupport    bool
+	gatewayControllerName string
 }
 
 // Config is a configuration for the Translator.
@@ -120,6 +121,10 @@ type Config struct {
 
 	// ClusterDomain is the cluster domain used for translating Kubernetes objects.
 	ClusterDomain string
+
+	// GatewayControllerName is the gateway controller name used by KIC.
+	// GatewayClasses with this controller name in spec.ControllerName are managed by KIC, otherwise they are managed by other components(like Kong Operator).
+	GatewayControllerName string
 }
 
 // NewTranslator produces a new Translator object provided a logging mechanism
@@ -152,6 +157,7 @@ func NewTranslator(
 		translatedObjectsCollector: translatedObjectsCollector,
 		clusterDomain:              config.ClusterDomain,
 		enableDrainSupport:         config.EnableDrainSupport,
+		gatewayControllerName:      config.GatewayControllerName,
 	}, nil
 }
 

internal/manager/run.go

@@ -221,8 +221,9 @@ func New(
 
 	configTranslator, err := translator.NewTranslator(logger, storer, c.KongWorkspace, kongSemVersion, translatorFeatureFlags, NewSchemaServiceGetter(clientsManager),
 		translator.Config{
-			ClusterDomain:      c.ClusterDomain,
-			EnableDrainSupport: c.EnableDrainSupport,
+			ClusterDomain:         c.ClusterDomain,
+			EnableDrainSupport:    c.EnableDrainSupport,
+			GatewayControllerName: c.GatewayAPIControllerName,
 		},
 	)
 	if err != nil {

internal/store/fake_store.go

@@ -41,6 +41,7 @@ type FakeObjects struct {
 	GRPCRoutes                     []*gatewayapi.GRPCRoute
 	ReferenceGrants                []*gatewayapi.ReferenceGrant
 	Gateways                       []*gatewayapi.Gateway
+	GatewayClasses                 []*gatewayapi.GatewayClass
 	BackendTLSPolicies             []*gatewayapi.BackendTLSPolicy
 	TCPIngresses                   []*configurationv1beta1.TCPIngress
 	UDPIngresses                   []*configurationv1beta1.UDPIngress

internal/store/store.go

@@ -99,6 +99,7 @@ type Storer interface {
 
 	// Gateway API resources.
 	GetGateway(namespace string, name string) (*gatewayapi.Gateway, error)
+	GetGatewayClass(name string) (*gatewayapi.GatewayClass, error)
 	ListHTTPRoutes() ([]*gatewayapi.HTTPRoute, error)
 	ListUDPRoutes() ([]*gatewayapi.UDPRoute, error)
 	ListTCPRoutes() ([]*gatewayapi.TCPRoute, error)
@@ -607,6 +608,18 @@ func (s Store) GetGateway(namespace string, name string) (*gatewayapi.Gateway, e
 	return obj.(*gatewayapi.Gateway), nil
 }
 
+// GetGatewayClass returns gatewayclass resource having the specified name.
+func (s Store) GetGatewayClass(name string) (*gatewayapi.GatewayClass, error) {
+	obj, exists, err := s.stores.GatewayClass.GetByKey(name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, NotFoundError{fmt.Sprintf("GatewayClass %v not found", name)}
+	}
+	return obj.(*gatewayapi.GatewayClass), nil
+}
+
 // GetKongVault returns kongvault resource having specified name.
 func (s Store) GetKongVault(name string) (*configurationv1alpha1.KongVault, error) {
 	p, exists, err := s.stores.KongVault.GetByKey(name)