fix: add support for EndpointSubset in GatewayProxy and update RBAC permissions

Author: dspo

api/v1alpha1/gatewayproxy_types.go

@@ -116,9 +116,10 @@ type ControlPlaneAuth struct {
 }
 
 // ControlPlaneProvider defines the configuration for control plane provider.
+// +kubebuilder:validation:XValidation:rule="has(self.endpoints) != has(self.service)"
 type ControlPlaneProvider struct {
 	// Endpoints specifies the list of control plane endpoints.
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:MinItems=1
 	Endpoints []string `json:"endpoints"`
 

config/crd/bases/apisix.apache.org_gatewayproxies.yaml

@@ -137,8 +137,9 @@ spec:
                         type: boolean
                     required:
                     - auth
-                    - endpoints
                     type: object
+                    x-kubernetes-validations:
+                    - rule: has(self.endpoints) != has(self.service)
                   type:
                     description: Type specifies the type of provider. Can only be
                       `ControlPlane`.

config/rbac/role.yaml

@@ -7,13 +7,7 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - events
-  verbs:
-  - create
-  - patch
-- apiGroups:
-  - ""
-  resources:
+  - endpoints
   - namespaces
   - pods
   - secrets
@@ -22,6 +16,13 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 - apiGroups:
   - apisix.apache.org
   resources:

internal/controller/gatewayclass_congroller.go

@@ -43,9 +43,6 @@ const (
 	FinalizerGatewayClassProtection = "apisix.apache.org/gc-protection"
 )
 
-// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gatewayclasses,verbs=get;list;watch;update
-// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gatewayclasses/status,verbs=get;update
-
 // GatewayClassReconciler reconciles a GatewayClass object.
 type GatewayClassReconciler struct { //nolint:revive
 	client.Client

internal/controller/ingressclass_controller.go

@@ -27,6 +27,7 @@ import (
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -227,6 +228,16 @@ func (r *IngressClassReconciler) processInfrastructure(tctx *provider.TranslateC
 				}] = secret
 			}
 		}
+
+		if service := gatewayProxy.Spec.Provider.ControlPlane.Service; service != nil {
+			if err := addProviderEndpointsToTranslateContext(tctx, r.Client, types.NamespacedName{
+				Namespace: gatewayProxy.GetNamespace(),
+				Name:      service.Name,
+			}); err != nil {
+				return err
+			}
+		}
+
 	}
 
 	_, ok := tctx.GatewayProxies[rk]

internal/controller/utils.go

@@ -921,34 +921,44 @@ func ProcessGatewayProxy(r client.Client, tctx *provider.TranslateContext, gatew
 			tctx.ResourceParentRefs[rk] = append(tctx.ResourceParentRefs[rk], gatewayKind)
 
 			// Process provider secrets if provider exists
-			if gatewayProxy.Spec.Provider != nil && gatewayProxy.Spec.Provider.Type == v1alpha1.ProviderTypeControlPlane {
-				if gatewayProxy.Spec.Provider.ControlPlane != nil &&
-					gatewayProxy.Spec.Provider.ControlPlane.Auth.Type == v1alpha1.AuthTypeAdminKey &&
-					gatewayProxy.Spec.Provider.ControlPlane.Auth.AdminKey != nil &&
-					gatewayProxy.Spec.Provider.ControlPlane.Auth.AdminKey.ValueFrom != nil &&
-					gatewayProxy.Spec.Provider.ControlPlane.Auth.AdminKey.ValueFrom.SecretKeyRef != nil {
-
-					secretRef := gatewayProxy.Spec.Provider.ControlPlane.Auth.AdminKey.ValueFrom.SecretKeyRef
-					secret := &corev1.Secret{}
-					if err := r.Get(context.Background(), client.ObjectKey{
-						Namespace: ns,
-						Name:      secretRef.Name,
-					}, secret); err != nil {
-						log.Error(err, "failed to get secret for GatewayProxy provider",
-							"namespace", ns,
-							"name", secretRef.Name)
-						return err
-					}
+			if prov := gatewayProxy.Spec.Provider; prov != nil && prov.Type == v1alpha1.ProviderTypeControlPlane {
+				if cp := prov.ControlPlane; cp != nil {
+					if cp.Auth.Type == v1alpha1.AuthTypeAdminKey &&
+						cp.Auth.AdminKey != nil &&
+						cp.Auth.AdminKey.ValueFrom != nil &&
+						cp.Auth.AdminKey.ValueFrom.SecretKeyRef != nil {
+
+						secretRef := cp.Auth.AdminKey.ValueFrom.SecretKeyRef
+						secret := &corev1.Secret{}
+						if err := r.Get(context.Background(), client.ObjectKey{
+							Namespace: ns,
+							Name:      secretRef.Name,
+						}, secret); err != nil {
+							log.Error(err, "failed to get secret for GatewayProxy provider",
+								"namespace", ns,
+								"name", secretRef.Name)
+							return err
+						}
 
-					log.Info("found secret for GatewayProxy provider",
-						"gateway", gateway.Name,
-						"gatewayproxy", gatewayProxy.Name,
-						"secret", secretRef.Name)
+						log.Info("found secret for GatewayProxy provider",
+							"gateway", gateway.Name,
+							"gatewayproxy", gatewayProxy.Name,
+							"secret", secretRef.Name)
 
-					tctx.Secrets[k8stypes.NamespacedName{
-						Namespace: ns,
-						Name:      secretRef.Name,
-					}] = secret
+						tctx.Secrets[k8stypes.NamespacedName{
+							Namespace: ns,
+							Name:      secretRef.Name,
+						}] = secret
+					}
+
+					if cp.Service != nil {
+						if err := addProviderEndpointsToTranslateContext(tctx, r, k8stypes.NamespacedName{
+							Namespace: gatewayProxy.GetNamespace(),
+							Name:      cp.Service.Name,
+						}); err != nil {
+							return err
+						}
+					}
 				}
 			}
 		}
@@ -1340,40 +1350,76 @@ func ProcessIngressClassParameters(tctx *provider.TranslateContext, c client.Cli
 
 		// check if the provider field references a secret
 		if gatewayProxy.Spec.Provider != nil && gatewayProxy.Spec.Provider.Type == v1alpha1.ProviderTypeControlPlane {
-			if gatewayProxy.Spec.Provider.ControlPlane != nil &&
-				gatewayProxy.Spec.Provider.ControlPlane.Auth.Type == v1alpha1.AuthTypeAdminKey &&
-				gatewayProxy.Spec.Provider.ControlPlane.Auth.AdminKey != nil &&
-				gatewayProxy.Spec.Provider.ControlPlane.Auth.AdminKey.ValueFrom != nil &&
-				gatewayProxy.Spec.Provider.ControlPlane.Auth.AdminKey.ValueFrom.SecretKeyRef != nil {
-
-				secretRef := gatewayProxy.Spec.Provider.ControlPlane.Auth.AdminKey.ValueFrom.SecretKeyRef
-				secret := &corev1.Secret{}
-				if err := c.Get(tctx, client.ObjectKey{
-					Namespace: ns,
-					Name:      secretRef.Name,
-				}, secret); err != nil {
-					log.Error(err, "failed to get secret for GatewayProxy provider",
-						"namespace", ns,
-						"name", secretRef.Name)
-					return err
-				}
+			if cp := gatewayProxy.Spec.Provider.ControlPlane; cp != nil {
+				// process control plane provider auth
+				if cp.Auth.Type == v1alpha1.AuthTypeAdminKey &&
+					cp.Auth.AdminKey != nil &&
+					cp.Auth.AdminKey.ValueFrom != nil &&
+					cp.Auth.AdminKey.ValueFrom.SecretKeyRef != nil {
+
+					secretRef := cp.Auth.AdminKey.ValueFrom.SecretKeyRef
+					secret := &corev1.Secret{}
+					if err := c.Get(tctx, client.ObjectKey{
+						Namespace: ns,
+						Name:      secretRef.Name,
+					}, secret); err != nil {
+						log.Error(err, "failed to get secret for GatewayProxy provider",
+							"namespace", ns,
+							"name", secretRef.Name)
+						return err
+					}
 
-				log.Info("found secret for GatewayProxy provider",
-					"ingressClass", ingressClass.Name,
-					"gatewayproxy", gatewayProxy.Name,
-					"secret", secretRef.Name)
+					log.Info("found secret for GatewayProxy provider",
+						"ingressClass", ingressClass.Name,
+						"gatewayproxy", gatewayProxy.Name,
+						"secret", secretRef.Name)
+
+					tctx.Secrets[k8stypes.NamespacedName{
+						Namespace: ns,
+						Name:      secretRef.Name,
+					}] = secret
+				}
 
-				tctx.Secrets[k8stypes.NamespacedName{
-					Namespace: ns,
-					Name:      secretRef.Name,
-				}] = secret
+				// process control plane provider service
+				if cp.Service != nil {
+					if err := addProviderEndpointsToTranslateContext(tctx, c, client.ObjectKey{
+						Namespace: gatewayProxy.GetNamespace(),
+						Name:      cp.Service.Name,
+					}); err != nil {
+						return err
+					}
+				}
 			}
 		}
 	}
 
 	return nil
 }
 
+func addProviderEndpointsToTranslateContext(tctx *provider.TranslateContext, c client.Client, serviceNN k8stypes.NamespacedName) error {
+	log.Debugf("to process provider endpints by provider.service: %s", serviceNN)
+	var (
+		service corev1.Service
+	)
+	if err := c.Get(tctx, serviceNN, &service); err != nil {
+		log.Error(err, "failed to get service from GatewayProxy provider", "key", serviceNN)
+		return err
+	}
+	tctx.Services[serviceNN] = &service
+
+	// get endpoints
+	var (
+		endpoints corev1.Endpoints
+	)
+	if err := c.Get(tctx, serviceNN, &endpoints); err != nil {
+		log.Error(err, "failed to get endpoints for GatewayProxy provider", "endpoints", serviceNN)
+		return err
+	}
+	tctx.EndpointSubset[serviceNN] = endpoints.Subsets
+
+	return nil
+}
+
 func GetIngressClass(ctx context.Context, c client.Client, log logr.Logger, ingressClassName string) (*networkingv1.IngressClass, error) {
 	if ingressClassName == "" {
 		// Check for default ingress class

internal/manager/controllers.go

@@ -34,6 +34,7 @@ import (
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="discovery.k8s.io",resources=endpointslices,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch

internal/provider/adc/config.go

@@ -18,19 +18,19 @@
 package adc
 
 import (
-	"errors"
-	"fmt"
+	"net"
 	"slices"
+	"strconv"
 
 	"github.com/api7/gopkg/pkg/log"
+	"github.com/pkg/errors"
 	"go.uber.org/zap"
+	corev1 "k8s.io/api/core/v1"
 	k8stypes "k8s.io/apimachinery/pkg/types"
-	"k8s.io/utils/ptr"
-	v1 "sigs.k8s.io/gateway-api/apis/v1"
 
 	"github.com/apache/apisix-ingress-controller/api/v1alpha1"
 	"github.com/apache/apisix-ingress-controller/internal/provider"
-	types "github.com/apache/apisix-ingress-controller/internal/types"
+	"github.com/apache/apisix-ingress-controller/internal/types"
 )
 
 func (d *adcClient) getConfigsForGatewayProxy(tctx *provider.TranslateContext, gatewayProxy *v1alpha1.GatewayProxy) (*adcConfig, error) {
@@ -86,24 +86,34 @@ func (d *adcClient) getConfigsForGatewayProxy(tctx *provider.TranslateContext, g
 		}
 		_, ok := tctx.Services[namespacedName]
 		if !ok {
-			return nil, errors.New("no service found for service reference")
+			return nil, errors.Errorf("no service found for service reference: %s", namespacedName)
 		}
-		endpoint := tctx.EndpointSlices[namespacedName]
-		if endpoint == nil {
-			return nil, nil
-		}
-		upstreamNodes, err := d.translator.TranslateBackendRef(tctx, v1.BackendRef{
-			BackendObjectReference: v1.BackendObjectReference{
-				Name: v1.ObjectName(provider.ControlPlane.Service.Name),
-				Port: ptr.To(v1.PortNumber(provider.ControlPlane.Service.Port)),
-			},
-		})
-		if err != nil {
-			return nil, err
-		}
-		for _, node := range upstreamNodes {
-			config.ServerAddrs = append(config.ServerAddrs, fmt.Sprintf("http://%s:%d", node.Host, node.Port))
+
+		var (
+			subsets = tctx.EndpointSubset[namespacedName]
+			port    = strconv.FormatInt(int64(provider.ControlPlane.Service.Port), 10)
+		)
+		for _, endpoint := range subsets {
+			if !slices.ContainsFunc(endpoint.Ports, func(port corev1.EndpointPort) bool {
+				return port.Port == provider.ControlPlane.Service.Port
+			}) {
+				continue
+			}
+
+			for _, addresses := range [][]corev1.EndpointAddress{
+				endpoint.NotReadyAddresses,
+				endpoint.Addresses,
+			} {
+				for _, addr := range addresses {
+					serverAddr := "http://" + net.JoinHostPort(addr.IP, port)
+					if tlsVerify := provider.ControlPlane.TlsVerify; tlsVerify != nil && *tlsVerify {
+						serverAddr = "https://" + net.JoinHostPort(addr.IP, port)
+					}
+					config.ServerAddrs = append(config.ServerAddrs, serverAddr)
+				}
+			}
 		}
+		log.Debugf("add server address to config.ServiceAddrs: %v", config.ServerAddrs)
 	}
 
 	return &config, nil

internal/provider/provider.go

@@ -47,6 +47,7 @@ type TranslateContext struct {
 	Credentials      []v1alpha1.Credential
 
 	EndpointSlices         map[k8stypes.NamespacedName][]discoveryv1.EndpointSlice
+	EndpointSubset         map[k8stypes.NamespacedName][]corev1.EndpointSubset
 	Secrets                map[k8stypes.NamespacedName]*corev1.Secret
 	PluginConfigs          map[k8stypes.NamespacedName]*v1alpha1.PluginConfig
 	ApisixPluginConfigs    map[k8stypes.NamespacedName]*apiv2.ApisixPluginConfig
@@ -64,6 +65,7 @@ func NewDefaultTranslateContext(ctx context.Context) *TranslateContext {
 	return &TranslateContext{
 		Context:                ctx,
 		EndpointSlices:         make(map[k8stypes.NamespacedName][]discoveryv1.EndpointSlice),
+		EndpointSubset:         make(map[k8stypes.NamespacedName][]corev1.EndpointSubset),
 		Secrets:                make(map[k8stypes.NamespacedName]*corev1.Secret),
 		PluginConfigs:          make(map[k8stypes.NamespacedName]*v1alpha1.PluginConfig),
 		ApisixPluginConfigs:    make(map[k8stypes.NamespacedName]*apiv2.ApisixPluginConfig),

test/e2e/framework/manifests/ingress.yaml

@@ -81,6 +81,7 @@ rules:
   - ""
   resources:
   - namespaces
+  - endpoints
   verbs:
   - get
   - list