Gateway API updated to 0.5.1

CHANGELOG.md

@@ -71,6 +71,14 @@ Adding a new version? You'll need three changes:
  inconsistent Service annotations. Previously this issue prevented the
  controller from applying configuration until corrected.
  [#2988](https:/Kong/kubernetes-ingress-controller/pull/2988)
+- Gateway API has been updated to 0.5.1. That version brought in some changes
+ in the conformance tests logic. Now, when the TLS config of a listener
+ references a non-existing secret, the listener ResolvedRefs condition reason
+ is set to InvalidCertificateRef. In addition, if a TLS config references a
+ secret in another namespace, and no ReferenceGrant allows that
+ reference, the listener ResolvedRefs condition reason is set to
+ RefNotPermitted.
+ [#3024](https:/Kong/kubernetes-ingress-controller/pull/3024)
 
 ## [2.7.0]
 

go.mod

@@ -40,7 +40,7 @@ require (
  knative.dev/networking v0.0.0-20220302134042-e8b2eb995165
  knative.dev/pkg v0.0.0-20220301181942-2fdd5f232e77
  sigs.k8s.io/controller-runtime v0.13.0
- sigs.k8s.io/gateway-api v0.5.0
+ sigs.k8s.io/gateway-api v0.5.1
  sigs.k8s.io/kustomize/api v0.12.1
  sigs.k8s.io/kustomize/kyaml v0.13.9
  sigs.k8s.io/yaml v1.3.0

go.sum

@@ -1465,8 +1465,8 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
 sigs.k8s.io/controller-runtime v0.13.0 h1:iqa5RNciy7ADWnIc8QxCbOX5FEKVR3uxVxKHRMc2WIQ=
 sigs.k8s.io/controller-runtime v0.13.0/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI=
-sigs.k8s.io/gateway-api v0.5.0 h1:ze+k9fJqvmL8s1t3e4q1ST8RnN+f09dEv+gfacahlAE=
-sigs.k8s.io/gateway-api v0.5.0/go.mod h1:x0AP6gugkFV8fC/oTlnOMU0pnmuzIR8LfIPRVUjxSqA=
+sigs.k8s.io/gateway-api v0.5.1 h1:EqzgOKhChzyve9rmeXXbceBYB6xiM50vDfq0kK5qpdw=
+sigs.k8s.io/gateway-api v0.5.1/go.mod h1:x0AP6gugkFV8fC/oTlnOMU0pnmuzIR8LfIPRVUjxSqA=
 sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k=
 sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/kind v0.16.0 h1:GFXyyxtPnHFKqXr3ZG8/X0+0K9sl69lejStlPn2WQyM=

internal/controllers/gateway/gateway_controller.go

@@ -423,7 +423,10 @@ func (r *GatewayReconciler) reconcileUnmanagedGateway(ctx context.Context, log l
  // a single set of shared listens. We lack knowledge of whether this is compatible with user intent, and it may
  // be incompatible with the spec, so we should consider evaluating cross-Gateway compatibility and raising error
  // conditions in the event of a problem
- listenerStatuses := getListenerStatus(gateway, kongListeners, referenceGrantList.Items)
+ listenerStatuses, err := r.getListenerStatus(ctx, gateway, kongListeners, referenceGrantList.Items)
+ if err != nil {
+ return ctrl.Result{}, err
+ }
 
  // once specification matches the reference Service, all that's left to do is ensure that the
  // Gateway status reflects the spec. As the status is simply a mirror of the Service, this is

internal/controllers/gateway/gateway_controller_test.go

@@ -597,7 +597,7 @@ func TestGetReferenceGrantConditionReason(t *testing.T) {
  },
  },
  },
- expectedReason: string(gatewayv1alpha2.ListenerReasonInvalidCertificateRef),
+ expectedReason: string(gatewayv1alpha2.ListenerReasonRefNotPermitted),
  },
  {
  name: "reference granted, secret name not specified",

internal/controllers/gateway/gateway_utils.go

@@ -1,12 +1,15 @@
 package gateway
 
 import (
+ "context"
  "fmt"
  "reflect"
  "sort"
  "strings"
 
  "github.com/go-logr/logr"
+ corev1 "k8s.io/api/core/v1"
+ k8serrors "k8s.io/apimachinery/pkg/api/errors"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  "k8s.io/apimachinery/pkg/types"
  "sigs.k8s.io/controller-runtime/pkg/client"
@@ -229,11 +232,12 @@ func canSharePort(requested, existing ProtocolType) bool {
  }
 }
 
-func getListenerStatus(
+func (r *GatewayReconciler) getListenerStatus(
+ ctx context.Context,
  gateway *Gateway,
  kongListens []Listener,
  referenceGrants []gatewayv1alpha2.ReferenceGrant,
-) []ListenerStatus {
+) ([]ListenerStatus, error) {
  statuses := make(map[SectionName]ListenerStatus, len(gateway.Spec.Listeners))
  portToProtocol, portToHostname, listenerToAttached := initializeListenerMaps(gateway)
  kongProtocolsToPort := buildKongPortMap(kongListens)
@@ -398,21 +402,32 @@ func getListenerStatus(
  if listener.TLS != nil {
  resolvedRefReason = string(gatewayv1alpha2.ListenerReasonResolvedRefs)
  for _, certRef := range listener.TLS.CertificateRefs {
+ // if the certificate is in the same namespace of the gateway, no ReferenceGrant is needed
+ if certRef.Namespace != nil && *certRef.Namespace != (Namespace)(gateway.Namespace) {
+ // get the result of the certificate reference. If the returned reason is not successful, the loop
+ // must be broken because the secret reference isn't granted
+ resolvedRefReason = getReferenceGrantConditionReason(gateway.Namespace, certRef, referenceGrants)
+ if resolvedRefReason != string(gatewayv1alpha2.ListenerReasonResolvedRefs) {
+ break
+ }
+ }
+
  // only secrets are supported as certificate references
  if (certRef.Group != nil && (*certRef.Group != "core" && *certRef.Group != "")) ||
  (certRef.Kind != nil && *certRef.Kind != "Secret") {
  resolvedRefReason = string(gatewayv1alpha2.ListenerReasonInvalidCertificateRef)
  break
  }
- // if the certificate is in the same namespace of the gateway, no ReferenceGrant is needed
- if certRef.Namespace == nil || *certRef.Namespace == (Namespace)(gateway.Namespace) {
- continue
+ secret := &corev1.Secret{}
+ secretNamespace := gateway.Namespace
+ if certRef.Namespace != nil {
+ secretNamespace = string(*certRef.Namespace)
  }
- // get the result of the certificate reference. If the returned reason is not successful, the loop
- // must be broken because a secret reference isn't granted
- resolvedRefReason = getReferenceGrantConditionReason(gateway.Namespace, certRef, referenceGrants)
- if resolvedRefReason != string(gatewayv1alpha2.ListenerReasonResolvedRefs) {
- break
+ if err := r.Client.Get(ctx, types.NamespacedName{Namespace: secretNamespace, Name: string(certRef.Name)}, secret); err != nil {
+  if !k8serrors.IsNotFound(err) {
+  return nil, err
+  }
+ resolvedRefReason = string(gatewayv1alpha2.ListenerReasonInvalidCertificateRef)
  }
  }
  }
@@ -494,7 +509,7 @@ func getListenerStatus(
  statusArray = append(statusArray, status)
  }
 
- return statusArray
+ return statusArray, nil
 }
 
 // getReferenceGrantConditionReason gets a certRef belonging to a specific listener and a slice of referenceGrants.
@@ -534,7 +549,7 @@ func getReferenceGrantConditionReason(
  }
  }
  // if no grants have been found for the reference, return an "InvalidCertificateRef" reason
- return string(gatewayv1alpha2.ListenerReasonInvalidCertificateRef)
+ return string(gatewayv1alpha2.ListenerReasonRefNotPermitted)
 }
 
 // -----------------------------------------------------------------------------

test/consts/zz_generated_gateway.go

@@ -3,7 +3,7 @@
 package consts
 
 const (
- GatewayStandardCRDsKustomizeURL = "github.com/kubernetes-sigs/gateway-api/config/crd/?ref=v0.5.0"
- GatewayExperimentalCRDsKustomizeURL = "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v0.5.0"
- GatewayRawRepoURL = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.5.0"
+ GatewayStandardCRDsKustomizeURL = "github.com/kubernetes-sigs/gateway-api/config/crd/?ref=v0.5.1"
+ GatewayExperimentalCRDsKustomizeURL = "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v0.5.1"
+ GatewayRawRepoURL = "https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.5.1"
 )

test/integration/tlsroute_test.go

@@ -615,7 +615,7 @@ func TestTLSRouteReferenceGrant(t *testing.T) {
  if ok := util.CheckCondition(
  status.Conditions,
  util.ConditionType(gatewayv1alpha2.ListenerConditionResolvedRefs),
- util.ConditionReason(gatewayv1alpha2.ListenerReasonInvalidCertificateRef),
+ util.ConditionReason(gatewayv1alpha2.ListenerReasonRefNotPermitted),
  metav1.ConditionFalse,
  gateway.Generation,
  ); ok {