chore: Add GatewayClass protection and deletion logic

dspo · dspo · commit 443aa9ad9557 · 2025-04-29T08:51:01.000+08:00
Introduce a finalizer to prevent deletion of GatewayClasses still in use by Gateways, and implement corresponding e2e tests to validate the protection mechanism and proper removal flow.
diff --git a/internal/controller/gatewayclass_congroller.go b/internal/controller/gatewayclass_congroller.go
@@ -3,18 +3,26 @@ package controller
 import (
 	"context"
 	"fmt"
+	"time"
 
 	"github.com/go-logr/logr"
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
 
 	"github.com/api7/api7-ingress-controller/internal/controller/config"
 )
 
+const (
+	FinalizerGatewayClassProtection = "apisix.apache.org/gc-protection"
+)
+
 // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gatewayclasses,verbs=get;list;watch;update
 // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gatewayclasses/status,verbs=get;update
 
@@ -23,11 +31,13 @@ type GatewayClassReconciler struct { //nolint:revive
 	client.Client
 	Scheme *runtime.Scheme
 
+	record.EventRecorder
 	Log logr.Logger
 }
 
 // SetupWithManager sets up the controller with the Manager.
 func (r *GatewayClassReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	r.EventRecorder = mgr.GetEventRecorderFor("gatewayclass-controller")
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&gatewayv1.GatewayClass{}).
 		WithEventFilter(predicate.NewPredicateFuncs(r.GatewayClassFilter)).
@@ -41,6 +51,43 @@ func (r *GatewayClassReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}
 
+	if gc.GetDeletionTimestamp().IsZero() {
+		if !controllerutil.ContainsFinalizer(gc, FinalizerGatewayClassProtection) {
+			controllerutil.AddFinalizer(gc, FinalizerGatewayClassProtection)
+			if err := r.Update(ctx, gc); err != nil {
+				return ctrl.Result{}, err
+			}
+		}
+	} else {
+		if controllerutil.ContainsFinalizer(gc, FinalizerGatewayClassProtection) {
+			var gatewayList gatewayv1.GatewayList
+			if err := r.List(ctx, &gatewayList); err != nil {
+				r.Log.Error(err, "failed to list gateways")
+				return ctrl.Result{}, err
+			}
+			var gateways []types.NamespacedName
+			for _, gateway := range gatewayList.Items {
+				if string(gateway.Spec.GatewayClassName) == gc.GetName() {
+					gateways = append(gateways, types.NamespacedName{
+						Namespace: gateway.GetNamespace(),
+						Name:      gateway.GetName(),
+					})
+				}
+			}
+			if len(gateways) > 0 {
+				r.Eventf(gc, "Warning", "DeletionBlocked", "the GatewayClass is still in using by Gateways: %v", gateways)
+				return ctrl.Result{RequeueAfter: 5 * time.Second}, nil
+			} else {
+				controllerutil.RemoveFinalizer(gc, FinalizerGatewayClassProtection)
+				if err := r.Update(ctx, gc); err != nil {
+					return ctrl.Result{}, err
+				}
+			}
+		}
+
+		return ctrl.Result{}, nil
+	}
+
 	condition := meta.Condition{
 		Type:               string(gatewayv1.GatewayClassConditionStatusAccepted),
 		Status:             meta.ConditionTrue,
diff --git a/test/e2e/gatewayapi/gatewayclass.go b/test/e2e/gatewayapi/gatewayclass.go
@@ -31,6 +31,18 @@ metadata:
   name: api7-not-accepeted
 spec:
   controllerName: "apisix.apache.org/not-exist"
+`
+		const defaultGateway = `
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: api7ee
+spec:
+  gatewayClassName: api7
+  listeners:
+    - name: http1
+      protocol: HTTP
+      port: 80
 `
 		It("Create GatewayClass", func() {
 			By("create default GatewayClass")
@@ -53,5 +65,50 @@ spec:
 			Expect(gcyaml).To(ContainSubstring(`status: Unknown`), "checking GatewayClass condition status")
 			Expect(gcyaml).To(ContainSubstring("message: Waiting for controller"), "checking GatewayClass condition message")
 		})
+
+		It("Delete GatewayClass", func() {
+			By("create default GatewayClass")
+			err := s.CreateResourceFromStringWithNamespace(defautlGatewayClass, "")
+			Expect(err).NotTo(HaveOccurred(), "creating GatewayClass")
+			Eventually(func() string {
+				spec, err := s.GetResourceYaml("GatewayClass", "api7")
+				Expect(err).NotTo(HaveOccurred(), "get resource yaml")
+				return spec
+			}).WithTimeout(8 * time.Second).ProbeEvery(time.Second).Should(ContainSubstring(`status: "True"`))
+
+			By("create a Gateway")
+			err = s.CreateResourceFromString(defaultGateway)
+			Expect(err).NotTo(HaveOccurred(), "creating Gateway")
+			time.Sleep(time.Second)
+
+			By("try to delete the GatewayClass")
+			_, err = s.RunKubectlAndGetOutput("delete", "GatewayClass", "api7", "--wait=false")
+			Expect(err).NotTo(HaveOccurred())
+
+			_, err = s.GetResourceYaml("GatewayClass", "api7")
+			Expect(err).NotTo(HaveOccurred(), "get resource yaml")
+
+			output, err := s.RunKubectlAndGetOutput("describe", "GatewayClass", "api7")
+			Expect(err).NotTo(HaveOccurred(), "describe GatewayClass api7")
+			Expect(output).To(And(
+				ContainSubstring("Warning"),
+				ContainSubstring("DeletionBlocked"),
+				ContainSubstring("gatewayclass-controller"),
+				ContainSubstring("the GatewayClass is still in using by Gateways"),
+			))
+
+			By("delete the Gateway")
+			err = s.DeleteResource("Gateway", "api7ee")
+			Expect(err).NotTo(HaveOccurred(), "deleting Gateway")
+			time.Sleep(time.Second)
+
+			By("try to delete the GatewayClass again")
+			err = s.DeleteResource("GatewayClass", "api7")
+			Expect(err).NotTo(HaveOccurred())
+
+			_, err = s.GetResourceYaml("GatewayClass", "api7")
+			Expect(err).To(HaveOccurred(), "get resource yaml")
+			Expect(err.Error()).To(ContainSubstring("not found"))
+		})
 	})
 })
