Skip to content

Commit 03f7ea1

Browse files
committed
fix: grant configmaps RBAC and reduce getListenerStatus complexity
- Add configmaps get/list/watch to the e2e/conformance controller manifest so the ConfigMap informer can sync; without it the manager cache never becomes ready and all reconcile-dependent tests time out. - Extract frontendValidation listener validation into a helper to keep getListenerStatus under the gocyclo threshold. - Use a constant for the repeated "api6.com" test host (goconst).
1 parent fb552a7 commit 03f7ea1

3 files changed

Lines changed: 68 additions & 62 deletions

File tree

internal/controller/utils.go

Lines changed: 63 additions & 60 deletions
Original file line numberDiff line numberDiff line change
@@ -942,66 +942,7 @@ func getListenerStatus(
942942
}
943943

944944
if listener.TLS.FrontendValidation != nil {
945-
var configMap corev1.ConfigMap
946-
for _, ref := range listener.TLS.FrontendValidation.CACertificateRefs {
947-
if ref.Group != "" && string(ref.Group) != corev1.GroupName {
948-
conditionResolvedRefs.Status = metav1.ConditionFalse
949-
conditionResolvedRefs.Reason = string(gatewayv1.ListenerReasonInvalidCertificateRef)
950-
conditionResolvedRefs.Message = fmt.Sprintf(`Invalid Group for caCertificateRef, expect "", got "%s"`, ref.Group)
951-
conditionProgrammed.Status = metav1.ConditionFalse
952-
conditionProgrammed.Reason = string(gatewayv1.ListenerReasonInvalid)
953-
break
954-
}
955-
if ref.Kind != "" && string(ref.Kind) != KindConfigMap {
956-
conditionResolvedRefs.Status = metav1.ConditionFalse
957-
conditionResolvedRefs.Reason = string(gatewayv1.ListenerReasonInvalidCertificateRef)
958-
conditionResolvedRefs.Message = fmt.Sprintf(`Invalid Kind for caCertificateRef, expect "ConfigMap", got "%s"`, ref.Kind)
959-
conditionProgrammed.Status = metav1.ConditionFalse
960-
conditionProgrammed.Reason = string(gatewayv1.ListenerReasonInvalid)
961-
break
962-
}
963-
if permitted := checkReferenceGrant(ctx,
964-
mrgc,
965-
v1beta1.ReferenceGrantFrom{
966-
Group: gatewayv1.GroupName,
967-
Kind: KindGateway,
968-
Namespace: v1beta1.Namespace(gateway.Namespace),
969-
},
970-
gatewayv1.ObjectReference{
971-
Group: corev1.GroupName,
972-
Kind: KindConfigMap,
973-
Name: ref.Name,
974-
Namespace: ref.Namespace,
975-
},
976-
); !permitted {
977-
conditionResolvedRefs.Status = metav1.ConditionFalse
978-
conditionResolvedRefs.Reason = string(gatewayv1.ListenerReasonRefNotPermitted)
979-
conditionResolvedRefs.Message = "caCertificateRefs cross namespaces is not permitted"
980-
conditionProgrammed.Status = metav1.ConditionFalse
981-
conditionProgrammed.Reason = string(gatewayv1.ListenerReasonInvalid)
982-
break
983-
}
984-
configMapNN := k8stypes.NamespacedName{
985-
Namespace: string(*cmp.Or(ref.Namespace, (*gatewayv1.Namespace)(&gateway.Namespace))),
986-
Name: string(ref.Name),
987-
}
988-
if err := mrgc.Get(ctx, configMapNN, &configMap); err != nil {
989-
conditionResolvedRefs.Status = metav1.ConditionFalse
990-
conditionResolvedRefs.Reason = string(gatewayv1.ListenerReasonInvalidCertificateRef)
991-
conditionResolvedRefs.Message = err.Error()
992-
conditionProgrammed.Status = metav1.ConditionFalse
993-
conditionProgrammed.Reason = string(gatewayv1.ListenerReasonInvalid)
994-
break
995-
}
996-
if _, err := sslutils.ExtractCAFromConfigMap(&configMap); err != nil {
997-
conditionResolvedRefs.Status = metav1.ConditionFalse
998-
conditionResolvedRefs.Reason = string(gatewayv1.ListenerReasonInvalidCertificateRef)
999-
conditionResolvedRefs.Message = fmt.Sprintf("Malformed CA ConfigMap referenced: %s", err.Error())
1000-
conditionProgrammed.Status = metav1.ConditionFalse
1001-
conditionProgrammed.Reason = string(gatewayv1.ListenerReasonInvalid)
1002-
break
1003-
}
1004-
}
945+
validateListenerFrontendValidation(ctx, mrgc, gateway, listener.TLS.FrontendValidation, &conditionResolvedRefs, &conditionProgrammed)
1005946
}
1006947
}
1007948

@@ -1041,6 +982,68 @@ func getListenerStatus(
1041982
return statusArray, nil
1042983
}
1043984

985+
// validateListenerFrontendValidation validates a listener's TLS frontendValidation
986+
// (downstream mTLS CA references) and records the outcome on the listener conditions.
987+
func validateListenerFrontendValidation(
988+
ctx context.Context,
989+
mrgc client.Client,
990+
gateway *gatewayv1.Gateway,
991+
frontendValidation *gatewayv1.FrontendTLSValidation,
992+
conditionResolvedRefs, conditionProgrammed *metav1.Condition,
993+
) {
994+
setInvalid := func(reason gatewayv1.ListenerConditionReason, message string) {
995+
conditionResolvedRefs.Status = metav1.ConditionFalse
996+
conditionResolvedRefs.Reason = string(reason)
997+
conditionResolvedRefs.Message = message
998+
conditionProgrammed.Status = metav1.ConditionFalse
999+
conditionProgrammed.Reason = string(gatewayv1.ListenerReasonInvalid)
1000+
}
1001+
1002+
var configMap corev1.ConfigMap
1003+
for _, ref := range frontendValidation.CACertificateRefs {
1004+
if ref.Group != "" && string(ref.Group) != corev1.GroupName {
1005+
setInvalid(gatewayv1.ListenerReasonInvalidCertificateRef,
1006+
fmt.Sprintf(`Invalid Group for caCertificateRef, expect "", got "%s"`, ref.Group))
1007+
return
1008+
}
1009+
if ref.Kind != "" && string(ref.Kind) != KindConfigMap {
1010+
setInvalid(gatewayv1.ListenerReasonInvalidCertificateRef,
1011+
fmt.Sprintf(`Invalid Kind for caCertificateRef, expect "ConfigMap", got "%s"`, ref.Kind))
1012+
return
1013+
}
1014+
if permitted := checkReferenceGrant(ctx,
1015+
mrgc,
1016+
v1beta1.ReferenceGrantFrom{
1017+
Group: gatewayv1.GroupName,
1018+
Kind: KindGateway,
1019+
Namespace: v1beta1.Namespace(gateway.Namespace),
1020+
},
1021+
gatewayv1.ObjectReference{
1022+
Group: corev1.GroupName,
1023+
Kind: KindConfigMap,
1024+
Name: ref.Name,
1025+
Namespace: ref.Namespace,
1026+
},
1027+
); !permitted {
1028+
setInvalid(gatewayv1.ListenerReasonRefNotPermitted, "caCertificateRefs cross namespaces is not permitted")
1029+
return
1030+
}
1031+
configMapNN := k8stypes.NamespacedName{
1032+
Namespace: string(*cmp.Or(ref.Namespace, (*gatewayv1.Namespace)(&gateway.Namespace))),
1033+
Name: string(ref.Name),
1034+
}
1035+
if err := mrgc.Get(ctx, configMapNN, &configMap); err != nil {
1036+
setInvalid(gatewayv1.ListenerReasonInvalidCertificateRef, err.Error())
1037+
return
1038+
}
1039+
if _, err := sslutils.ExtractCAFromConfigMap(&configMap); err != nil {
1040+
setInvalid(gatewayv1.ListenerReasonInvalidCertificateRef,
1041+
fmt.Sprintf("Malformed CA ConfigMap referenced: %s", err.Error()))
1042+
return
1043+
}
1044+
}
1045+
}
1046+
10441047
// SplitMetaNamespaceKey returns the namespace and name that
10451048
// MetaNamespaceKeyFunc encoded into key.
10461049
func SplitMetaNamespaceKey(key string) (namespace, name string, err error) {

test/e2e/framework/manifests/ingress.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -80,6 +80,7 @@ rules:
8080
- apiGroups:
8181
- ""
8282
resources:
83+
- configmaps
8384
- namespaces
8485
- pods
8586
- secrets

test/e2e/gatewayapi/gateway.go

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,8 @@ import (
3636

3737
const _secretName = "test-apisix-tls"
3838

39+
const _hostAPI6 = "api6.com"
40+
3941
var Cert = strings.TrimSpace(framework.TestServerCert)
4042

4143
var Key = strings.TrimSpace(framework.TestServerKey)
@@ -176,7 +178,7 @@ spec:
176178

177179
By("create secret")
178180
secretName := _secretName
179-
host := "api6.com"
181+
host := _hostAPI6
180182
createSecret(s, secretName)
181183
gatewayClassName := s.Namespace()
182184
var defaultGatewayClass = `
@@ -238,7 +240,7 @@ spec:
238240

239241
By("create server cert secret")
240242
secretName := _secretName
241-
host := "api6.com"
243+
host := _hostAPI6
242244
createSecret(s, secretName)
243245

244246
By("create CA ConfigMap for frontendValidation")

0 commit comments

Comments
 (0)