api7
diff --git a/‎internal/adc/translator/apisixtls.go‎
Lines changed: 3 additions & 2 deletions b/‎internal/adc/translator/apisixtls.go‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎internal/adc/translator/apisixupstream.go‎
Lines changed: 2 additions & 1 deletion b/‎internal/adc/translator/apisixupstream.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎internal/adc/translator/gateway.go‎
Lines changed: 3 additions & 67 deletions b/‎internal/adc/translator/gateway.go‎
Lines changed: 3 additions & 67 deletions
diff --git a/‎internal/adc/translator/ingress.go‎
Lines changed: 3 additions & 2 deletions b/‎internal/adc/translator/ingress.go‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎internal/controller/indexer/indexer.go‎
Lines changed: 29 additions & 0 deletions b/‎internal/controller/indexer/indexer.go‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎internal/controller/indexer/ssl_host.go‎
Lines changed: 143 additions & 0 deletions b/‎internal/controller/indexer/ssl_host.go‎
Lines changed: 143 additions & 0 deletions
@@ -27,6 +27,7 @@ import (
 	"github.com/apache/apisix-ingress-controller/internal/controller/label"
 	"github.com/apache/apisix-ingress-controller/internal/id"
 	"github.com/apache/apisix-ingress-controller/internal/provider"
+	sslutils "github.com/apache/apisix-ingress-controller/internal/ssl"
 	internaltypes "github.com/apache/apisix-ingress-controller/internal/types"
 )
 
@@ -44,7 +45,7 @@ func (t *Translator) TranslateApisixTls(tctx *provider.TranslateContext, tls *ap
 	}
 
 	// Extract cert and key from secret
-	cert, key, err := extractKeyPair(secret, true)
+	cert, key, err := sslutils.ExtractKeyPair(secret, true)
 	if err != nil {
 		return nil, err
 	}
@@ -81,7 +82,7 @@ func (t *Translator) TranslateApisixTls(tctx *provider.TranslateContext, tls *ap
 			return nil, fmt.Errorf("client CA secret %s not found", caSecretKey.String())
 		}
 
-		ca, _, err := extractKeyPair(caSecret, false)
+		ca, _, err := sslutils.ExtractKeyPair(caSecret, false)
 		if err != nil {
 			return nil, err
 		}
 
@@ -29,6 +29,7 @@ import (
 	"github.com/apache/apisix-ingress-controller/api/adc"
 	apiv2 "github.com/apache/apisix-ingress-controller/api/v2"
 	"github.com/apache/apisix-ingress-controller/internal/provider"
+	sslutils "github.com/apache/apisix-ingress-controller/internal/ssl"
 	"github.com/apache/apisix-ingress-controller/internal/utils"
 )
 
@@ -187,7 +188,7 @@ func translateApisixUpstreamClientTLS(tctx *provider.TranslateContext, config *a
 		return errors.Errorf("sercret %s not found", secretNN)
 	}
 
-	cert, key, err := extractKeyPair(secret, true)
+	cert, key, err := sslutils.ExtractKeyPair(secret, true)
 	if err != nil {
 		return err
 	}
 
@@ -18,13 +18,10 @@
 package translator
 
 import (
-	"crypto/x509"
 	"encoding/json"
-	"encoding/pem"
 	"fmt"
 
 	"github.com/pkg/errors"
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
 
@@ -33,6 +30,7 @@ import (
 	"github.com/apache/apisix-ingress-controller/internal/controller/label"
 	"github.com/apache/apisix-ingress-controller/internal/id"
 	"github.com/apache/apisix-ingress-controller/internal/provider"
+	sslutils "github.com/apache/apisix-ingress-controller/internal/ssl"
 	internaltypes "github.com/apache/apisix-ingress-controller/internal/types"
 	"github.com/apache/apisix-ingress-controller/internal/utils"
 )
@@ -97,7 +95,7 @@ func (t *Translator) translateSecret(tctx *provider.TranslateContext, listener g
 					t.Log.Error(errors.New("secret data is nil"), "failed to get secret data", "secret", secretNN)
 					return nil, fmt.Errorf("no secret data found for %s/%s", ns, name)
 				}
-				cert, key, err := extractKeyPair(secret, true)
+				cert, key, err := sslutils.ExtractKeyPair(secret, true)
 				if err != nil {
 					t.Log.Error(err, "extract key pair", "secret", secretNN)
 					return nil, err
@@ -110,7 +108,7 @@ func (t *Translator) translateSecret(tctx *provider.TranslateContext, listener g
 				if listener.Hostname != nil && *listener.Hostname != "" {
 					sslObj.Snis = append(sslObj.Snis, string(*listener.Hostname))
 				} else {
-					hosts, err := extractHost(cert)
+					hosts, err := sslutils.ExtractHostsFromCertificate(cert)
 					if err != nil {
 						return nil, err
 					}
@@ -137,68 +135,6 @@ func (t *Translator) translateSecret(tctx *provider.TranslateContext, listener g
 	return sslObjs, nil
 }
 
-func extractHost(cert []byte) ([]string, error) {
-	block, _ := pem.Decode(cert)
-	if block == nil {
-		return nil, errors.New("parse certificate: not in PEM format")
-	}
-	der, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		return nil, errors.Wrap(err, "parse certificate")
-	}
-	hosts := make([]string, 0, len(der.DNSNames))
-	for _, dnsName := range der.DNSNames {
-		if dnsName != "*" {
-			hosts = append(hosts, dnsName)
-		}
-	}
-	return hosts, nil
-}
-
-func extractKeyPair(s *corev1.Secret, hasPrivateKey bool) ([]byte, []byte, error) {
-	if _, ok := s.Data["cert"]; ok {
-		return extractApisixSecretKeyPair(s, hasPrivateKey)
-	} else if _, ok := s.Data[corev1.TLSCertKey]; ok {
-		return extractKubeSecretKeyPair(s, hasPrivateKey)
-	} else if ca, ok := s.Data[corev1.ServiceAccountRootCAKey]; ok && !hasPrivateKey {
-		return ca, nil, nil
-	} else {
-		return nil, nil, errors.New("unknown secret format")
-	}
-}
-
-func extractApisixSecretKeyPair(s *corev1.Secret, hasPrivateKey bool) (cert []byte, key []byte, err error) {
-	var ok bool
-	cert, ok = s.Data["cert"]
-	if !ok {
-		return nil, nil, errors.New("missing cert field")
-	}
-
-	if hasPrivateKey {
-		key, ok = s.Data["key"]
-		if !ok {
-			return nil, nil, errors.New("missing key field")
-		}
-	}
-	return
-}
-
-func extractKubeSecretKeyPair(s *corev1.Secret, hasPrivateKey bool) (cert []byte, key []byte, err error) {
-	var ok bool
-	cert, ok = s.Data[corev1.TLSCertKey]
-	if !ok {
-		return nil, nil, errors.New("missing cert field")
-	}
-
-	if hasPrivateKey {
-		key, ok = s.Data[corev1.TLSPrivateKeyKey]
-		if !ok {
-			return nil, nil, errors.New("missing key field")
-		}
-	}
-	return
-}
-
 // fillPluginsFromGatewayProxy fill plugins from GatewayProxy to given plugins
 func (t *Translator) fillPluginsFromGatewayProxy(plugins adctypes.GlobalRule, gatewayProxy *v1alpha1.GatewayProxy) {
 	if gatewayProxy == nil {
 
@@ -32,19 +32,20 @@ import (
 	"github.com/apache/apisix-ingress-controller/internal/controller/label"
 	"github.com/apache/apisix-ingress-controller/internal/id"
 	"github.com/apache/apisix-ingress-controller/internal/provider"
+	sslutils "github.com/apache/apisix-ingress-controller/internal/ssl"
 	internaltypes "github.com/apache/apisix-ingress-controller/internal/types"
 )
 
 func (t *Translator) translateIngressTLS(namespace, name string, tlsIndex int, ingressTLS *networkingv1.IngressTLS, secret *corev1.Secret, labels map[string]string) (*adctypes.SSL, error) {
 	// extract the key pair from the secret
-	cert, key, err := extractKeyPair(secret, true)
+	cert, key, err := sslutils.ExtractKeyPair(secret, true)
 	if err != nil {
 		return nil, err
 	}
 
 	hosts := ingressTLS.Hosts
 	if len(hosts) == 0 {
-		certHosts, err := extractHost(cert)
+		certHosts, err := sslutils.ExtractHostsFromCertificate(cert)
 		if err != nil {
 			return nil, err
 		}
 
@@ -50,6 +50,7 @@ const (
 	IngressClassParametersRef = "ingressClassParametersRef"
 	ConsumerGatewayRef        = "consumerGatewayRef"
 	PolicyTargetRefs          = "targetRefs"
+	TLSHostIndexRef           = "tlsHostRefs"
 	GatewayClassIndexRef      = "gatewayClassRef"
 	ApisixUpstreamRef         = "apisixUpstreamRef"
 	PluginConfigIndexRef      = "pluginConfigRefs"
@@ -140,6 +141,16 @@ func setupGatewayIndexer(mgr ctrl.Manager) error {
 	); err != nil {
 		return err
 	}
+
+	if err := mgr.GetFieldIndexer().IndexField(
+		context.Background(),
+		&gatewayv1.Gateway{},
+		TLSHostIndexRef,
+		GatewayTLSHostIndexFunc,
+	); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -460,6 +471,15 @@ func setupIngressIndexer(mgr ctrl.Manager) error {
 		return err
 	}
 
+	if err := mgr.GetFieldIndexer().IndexField(
+		context.Background(),
+		&networkingv1.Ingress{},
+		TLSHostIndexRef,
+		IngressTLSHostIndexFunc,
+	); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -925,6 +945,15 @@ func setupApisixTlsIndexer(mgr ctrl.Manager) error {
 		return err
 	}
 
+	if err := mgr.GetFieldIndexer().IndexField(
+		context.Background(),
+		&apiv2.ApisixTls{},
+		TLSHostIndexRef,
+		ApisixTlsHostIndexFunc,
+	); err != nil {
+		return err
+	}
+
 	return nil
 }
 
 
@@ -0,0 +1,143 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package indexer
+
+import (
+	"sort"
+
+	networkingv1 "k8s.io/api/networking/v1"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+
+	apiv2 "github.com/apache/apisix-ingress-controller/api/v2"
+	sslutil "github.com/apache/apisix-ingress-controller/internal/ssl"
+)
+
+var (
+	tlsHostIndexLogger = ctrl.Log.WithName("tls-host-indexer")
+	// Empty host is used to match the resource which does not specify any explicit host.
+	emptyHost = ""
+)
+
+// GatewayTLSHostIndexFunc indexes Gateways by their TLS SNI hosts.
+func GatewayTLSHostIndexFunc(rawObj client.Object) []string {
+	gateway, ok := rawObj.(*gatewayv1.Gateway)
+	if !ok {
+		return nil
+	}
+	if len(gateway.Spec.Listeners) == 0 {
+		return nil
+	}
+
+	hosts := make(map[string]struct{})
+
+	for _, listener := range gateway.Spec.Listeners {
+		if listener.TLS == nil || len(listener.TLS.CertificateRefs) == 0 {
+			continue
+		}
+
+		hasExplicitHost := false
+		if listener.Hostname != nil {
+			candidates := sslutil.NormalizeHosts([]string{string(*listener.Hostname)})
+			for _, host := range candidates {
+				if host == "" {
+					continue
+				}
+				hasExplicitHost = true
+				hosts[host] = struct{}{}
+			}
+		}
+
+		if !hasExplicitHost {
+			hosts[emptyHost] = struct{}{}
+		}
+	}
+
+	tlsHostIndexLogger.Info("GatewayTLSHostIndexFunc", "hosts", hostSetToSlice(hosts), "len", len(hostSetToSlice(hosts)))
+
+	return hostSetToSlice(hosts)
+}
+
+// IngressTLSHostIndexFunc indexes Ingresses by their TLS SNI hosts.
+func IngressTLSHostIndexFunc(rawObj client.Object) []string {
+	ingress, ok := rawObj.(*networkingv1.Ingress)
+	if !ok {
+		return nil
+	}
+	if len(ingress.Spec.TLS) == 0 {
+		return nil
+	}
+
+	hosts := make(map[string]struct{})
+	for _, tls := range ingress.Spec.TLS {
+		if tls.SecretName == "" {
+			continue
+		}
+
+		hasExplicitHost := false
+		candidates := sslutil.NormalizeHosts(tls.Hosts)
+		for _, host := range candidates {
+			if host == "" {
+				continue
+			}
+			hasExplicitHost = true
+			hosts[host] = struct{}{}
+		}
+
+		if !hasExplicitHost {
+			hosts[emptyHost] = struct{}{}
+		}
+	}
+
+	return hostSetToSlice(hosts)
+}
+
+// ApisixTlsHostIndexFunc indexes ApisixTls resources by their declared TLS hosts.
+func ApisixTlsHostIndexFunc(rawObj client.Object) []string {
+	tls, ok := rawObj.(*apiv2.ApisixTls)
+	if !ok {
+		return nil
+	}
+	if len(tls.Spec.Hosts) == 0 {
+		return nil
+	}
+
+	hostSet := make(map[string]struct{}, len(tls.Spec.Hosts))
+	for _, host := range tls.Spec.Hosts {
+		for _, normalized := range sslutil.NormalizeHosts([]string{string(host)}) {
+			if normalized == "" {
+				continue
+			}
+			hostSet[normalized] = struct{}{}
+		}
+	}
+	return hostSetToSlice(hostSet)
+}
+
+func hostSetToSlice(set map[string]struct{}) []string {
+	if len(set) == 0 {
+		return nil
+	}
+	result := make([]string, 0, len(set))
+	for host := range set {
+		result = append(result, host)
+	}
+	sort.Strings(result)
+	return result
+}
Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ import (`
`27`	`27`	`"github.com/apache/apisix-ingress-controller/internal/controller/label"`
`28`	`28`	`"github.com/apache/apisix-ingress-controller/internal/id"`
`29`	`29`	`"github.com/apache/apisix-ingress-controller/internal/provider"`
	`30`	`+ sslutils "github.com/apache/apisix-ingress-controller/internal/ssl"`
`30`	`31`	`internaltypes "github.com/apache/apisix-ingress-controller/internal/types"`
`31`	`32`	`)`
`32`	`33`
`@@ -44,7 +45,7 @@ func (t Translator) TranslateApisixTls(tctx provider.TranslateContext, tls *ap`
`44`	`45`	`}`
`45`	`46`
`46`	`47`	`// Extract cert and key from secret`
`47`		`- cert, key, err := extractKeyPair(secret, true)`
	`48`	`+ cert, key, err := sslutils.ExtractKeyPair(secret, true)`
`48`	`49`	`if err != nil {`
`49`	`50`	`return nil, err`
`50`	`51`	`}`
`@@ -81,7 +82,7 @@ func (t Translator) TranslateApisixTls(tctx provider.TranslateContext, tls *ap`
`81`	`82`	`return nil, fmt.Errorf("client CA secret %s not found", caSecretKey.String())`
`82`	`83`	`}`
`83`	`84`
`84`		`- ca, _, err := extractKeyPair(caSecret, false)`
	`85`	`+ ca, _, err := sslutils.ExtractKeyPair(caSecret, false)`
`85`	`86`	`if err != nil {`
`86`	`87`	`return nil, err`
`87`	`88`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ import (`
`29`	`29`	`"github.com/apache/apisix-ingress-controller/api/adc"`
`30`	`30`	`apiv2 "github.com/apache/apisix-ingress-controller/api/v2"`
`31`	`31`	`"github.com/apache/apisix-ingress-controller/internal/provider"`
	`32`	`+ sslutils "github.com/apache/apisix-ingress-controller/internal/ssl"`
`32`	`33`	`"github.com/apache/apisix-ingress-controller/internal/utils"`
`33`	`34`	`)`
`34`	`35`
`@@ -187,7 +188,7 @@ func translateApisixUpstreamClientTLS(tctx provider.TranslateContext, config a`
`187`	`188`	`return errors.Errorf("sercret %s not found", secretNN)`
`188`	`189`	`}`
`189`	`190`
`190`		`- cert, key, err := extractKeyPair(secret, true)`
	`191`	`+ cert, key, err := sslutils.ExtractKeyPair(secret, true)`
`191`	`192`	`if err != nil {`
`192`	`193`	`return err`
`193`	`194`	`}`