BUG/MINOR: fix stale crt-list entry after gateway deletion

When a gateway is deleted, gateway.reset() replaces g.Listeners with a
new empty map before the certificate builder runs. secretsPerVirtualListener
then calls GetListenerForKey for each entry in previousReferencedSecrets;
since g.Listeners is empty it returns nil and silently drops the deleted
gateway's secrets from the previous virtual-listener mapping.

handleUpdatedCrtList therefore computes an empty removedSecretRefsForListener
and skips the crt-list update. The PEM is still deleted (handleDeReferencedSecretsStorage
fires on the raw secret diff), leaving a .list file that references a
non-existent PEM and causing HAProxy to fail on the next reload.

Fix by replacing the indirect reconstruction of the previous mapping with
previousSecretsPerVirtualListener, which reads directly from
GateTree.PreviousVirtualListeners. The *Listener values stored there are
held by the VirtualListener slice and survive gateway.reset() because
reset only reassigns the map pointer on the Gateway, not the Listener
objects themselves.

Author: ivanmatmati

k8s/gate/tree/certificate_builder.go

@@ -23,6 +23,7 @@ import (
 	objtypes "github.com/haproxytech/haproxy-unified-gateway/k8s/gate/object-types"
 	"github.com/haproxytech/haproxy-unified-gateway/k8s/gate/store"
 	"github.com/haproxytech/haproxy-unified-gateway/k8s/gate/utils"
+	utilsk8s "github.com/haproxytech/haproxy-unified-gateway/k8s/gate/utils-k8s"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -88,7 +89,7 @@ func (b *CertificateBuilderImpl) computeCertificateDiffs() {
 	b.handleUpdatedSecretsStorage(previousSecretsReferenced, currentSecretsReferenced)
 
 	// crt-list
-	b.handleCrtList(previousSecretsReferenced, currentSecretsReferenced)
+	b.handleCrtList(currentSecretsReferenced)
 }
 
 func (b *CertificateBuilderImpl) ensureCertificatesStorage() {
@@ -210,8 +211,8 @@ func (b *CertificateBuilderImpl) handleUpdatedSecretsStorage(previousRefSecrets,
 //		  Namespace: "example", Name: "offload"}]   ===> SecretKey
 //		      map[client.ObjectKey{Namespace: "example", Name: hug-gateway_https"}]struct{}{}  ====> Set of GatewayListenerKey referencing this Secret
 //		}
-func (b *CertificateBuilderImpl) handleCrtList(previousRefSecrets, newRefSecrets map[client.ObjectKey]map[client.ObjectKey]struct{}) {
-	previousSecretsByGatewayListener := b.secretsPerVirtualListener(previousRefSecrets)
+func (b *CertificateBuilderImpl) handleCrtList(newRefSecrets map[client.ObjectKey]map[client.ObjectKey]struct{}) {
+	previousSecretsByGatewayListener := b.previousSecretsPerVirtualListener()
 	newSecretsByGatewayListener := b.secretsPerVirtualListener(newRefSecrets)
 
 	b.handleNewReferencedCrtList(previousSecretsByGatewayListener, newSecretsByGatewayListener)
@@ -251,6 +252,46 @@ func (b *CertificateBuilderImpl) secretsPerVirtualListener(mapSecret2Listeners m
 	return secretsPerVirtualListener
 }
 
+// previousSecretsPerVirtualListener rebuilds the previous virtual-listener→secret mapping
+// directly from GateTree.PreviousVirtualListeners instead of re-deriving it from the
+// previousReferencedSecrets index via GetListenerForKey.
+//
+// The indirect path breaks when a gateway is deleted: gateway.reset() clears g.Listeners
+// before the certificate builder runs, so GetListenerForKey returns nil and the deleted
+// gateway's secrets are silently dropped from the previous mapping. That causes
+// handleUpdatedCrtList to see no removed secrets and skip the crt-list update, leaving a
+// stale entry in the .list file that points to the already-deleted PEM.
+//
+// PreviousVirtualListeners holds *Listener values from the previous cycle. Those Listener
+// objects are referenced by the slice in each VirtualListener and survive gateway.reset()
+// because reset only replaces g.Listeners (the map on the Gateway), not the Listener
+// objects themselves.
+func (b *CertificateBuilderImpl) previousSecretsPerVirtualListener() map[string]map[client.ObjectKey]struct{} {
+	result := make(map[string]map[client.ObjectKey]struct{})
+	for vlName, vl := range b.GateTree.PreviousVirtualListeners {
+		for _, listener := range vl.Listeners {
+			if listener.K8sResource.TLS == nil {
+				continue
+			}
+			for _, certRef := range listener.K8sResource.TLS.CertificateRefs {
+				if !utilsk8s.IsSecretGroupKindSupported(certRef) {
+					continue
+				}
+				ns := listener.Owner.Namespace
+				if certRef.Namespace != nil {
+					ns = string(*certRef.Namespace)
+				}
+				secretKey := client.ObjectKey{Namespace: ns, Name: string(certRef.Name)}
+				if _, ok := result[vlName]; !ok {
+					result[vlName] = make(map[client.ObjectKey]struct{})
+				}
+				result[vlName][secretKey] = struct{}{}
+			}
+		}
+	}
+	return result
+}
+
 // handleNewReferencedCrtList creates crt-list entries for newly referenced virtual listeners.
 // It compares the previous and new sets of secrets per virtual listener to identify which
 // virtual listeners have been newly referenced (present in new but not in previous).