allow multiple listener referencing same cert

Author: Revolyssup

internal/controlplane/controlplane.go

@@ -68,8 +68,16 @@ func (d *dashboardClient) Update(ctx context.Context, tctx *translator.Translate
 		}
 	}
 	for _, ssl := range result.SSL {
-		if _, err := d.c.Cluster(name).SSL().Update(ctx, ssl); err != nil {
-			return err
+		oldssl, err := d.c.Cluster(name).SSL().Get(ctx, ssl.Cert)
+		if err != nil || oldssl == nil {
+			if _, err := d.c.Cluster(name).SSL().Create(ctx, ssl); err != nil {
+				return err
+			}
+		} else {
+			ssl.Snis = append(ssl.Snis, oldssl.Snis...)
+			if _, err := d.c.Cluster(name).SSL().Update(ctx, ssl); err != nil {
+				return err
+			}
 		}
 	}
 	return nil

internal/controlplane/translator/gateway.go

@@ -5,7 +5,7 @@ import (
 
 	v1 "github.com/api7/api7-ingress-controller/api/dashboard/v1"
 	"github.com/api7/api7-ingress-controller/internal/controlplane/label"
-	"github.com/api7/api7-ingress-controller/pkg/id"
+	"github.com/api7/api7-ingress-controller/internal/id"
 	"github.com/api7/gopkg/pkg/log"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
@@ -36,7 +36,6 @@ func (t *Translator) translateSecret(tctx *TranslateContext, listener gatewayv1.
 		return nil, fmt.Errorf("no certificateRefs found in listener %s", listener.Name)
 	}
 	sslObjs := make([]*v1.Ssl, 0)
-	gatewayName := obj.GetName()
 	switch *listener.TLS.Mode {
 	case gatewayv1.TLSModeTerminate:
 		for _, ref := range listener.TLS.CertificateRefs {
@@ -45,7 +44,6 @@ func (t *Translator) translateSecret(tctx *TranslateContext, listener gatewayv1.
 				ns = string(*ref.Namespace)
 			}
 			sslObj := &v1.Ssl{}
-			sslObj.ID = id.GenID(fmt.Sprintf("%s_%s_%s", ns, gatewayName, listener.Name))
 			sslObj.Snis = []string{}
 			if listener.Hostname != nil && *listener.Hostname != "" {
 				sslObj.Snis = append(sslObj.Snis, string(*listener.Hostname))
@@ -62,6 +60,8 @@ func (t *Translator) translateSecret(tctx *TranslateContext, listener gatewayv1.
 			}
 			sslObj.Cert = string(cert)
 			sslObj.Key = string(key)
+			//Note: Dashboard doesn't allow duplicate certificate across ssl objects
+			sslObj.ID = id.GenID(sslObj.Cert)
 			sslObj.Labels = label.GenLabel(obj)
 			sslObjs = append(sslObjs, sslObj)
 		}

test/e2e/gatewayapi/gateway.go

@@ -227,9 +227,18 @@ spec:
 			assert.Len(GinkgoT(), tls, 1, "tls number not expect")
 			assert.Equal(GinkgoT(), Cert, tls[0].Cert, "tls cert not expect")
 			assert.Equal(GinkgoT(), []string{host}, tls[0].Snis)
+
+			By("Delete Gateway")
+			err = s.DeleteResource("Gateway", "api7ee")
+			Expect(err).NotTo(HaveOccurred(), "deleting Gateway")
+			time.Sleep(5 * time.Second)
+
+			tls, err = s.DefaultDataplaneResource().SSL().List(context.Background())
+			assert.Nil(GinkgoT(), err, "list tls error")
+			assert.Len(GinkgoT(), tls, 0, "tls number not expect")
 		})
 
-		Context("Gateway SSL without hostname", func() {
+		Context("Gateway SSL with and without hostname", func() {
 			It("Check if SSL resource was created", func() {
 				secretName := _secretName
 				createSecret(s, secretName)
@@ -246,19 +255,34 @@ spec:
 apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
 metadata:
-  name: api7ee
+  name: same-namespace-with-https-listener
 spec:
   gatewayClassName: api7
   listeners:
-    - name: http1
-      protocol: HTTPS
-      port: 443
-      tls:
-        certificateRefs:
-        - kind: Secret
-          group: ""
-          name: %s
-`, secretName)
+  - name: https
+    port: 443
+    protocol: HTTPS
+    allowedRoutes:
+      namespaces:
+        from: Same
+    tls:
+      certificateRefs:
+      - group: ""
+        kind: Secret
+        name: %s
+  - name: https-with-hostname
+    port: 443
+    hostname: api6.com
+    protocol: HTTPS
+    allowedRoutes:
+      namespaces:
+        from: Same
+    tls:
+      certificateRefs:
+      - group: ""
+        kind: Secret
+        name: %s
+`, secretName, secretName)
 				By("create GatewayClass")
 				err := s.CreateResourceFromStringWithNamespace(defaultGatewayClass, "")
 				Expect(err).NotTo(HaveOccurred(), "creating GatewayClass")