feat: Enable ReferenceGrant checks and streamline validation logic

Author: dspo

internal/controller/gateway_controller.go

@@ -169,12 +169,7 @@ func (r *GatewayReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 		}
 	}
 
-	var referenceGrantList v1beta1.ReferenceGrantList
-	if err := r.List(ctx, &referenceGrantList); err != nil {
-		r.Log.Error(err, "failed to list reference grants")
-		return ctrl.Result{}, err
-	}
-	listenerStatuses, err := getListenerStatus(ctx, r.Client, gateway, referenceGrantList.Items)
+	listenerStatuses, err := getListenerStatus(ctx, r.Client, gateway)
 	if err != nil {
 		r.Log.Error(err, "failed to get listener status", "gateway", types.NamespacedName{Namespace: gateway.GetNamespace()})
 		return ctrl.Result{}, err

internal/controller/httproute_controller.go

@@ -459,12 +459,8 @@ func (r *HTTPRouteReconciler) processHTTPRouteBackendRefs(tctx *provider.Transla
 
 		// if cross namespaces between HTTPRoute and referenced Service, check ReferenceGrant
 		if hrNN.Namespace != targetNN.Namespace {
-			var referenceGrantList v1beta1.ReferenceGrantList
-			if err := r.List(tctx, &referenceGrantList, client.InNamespace(targetNN.Namespace)); err != nil {
-				r.Log.Error(err, "failed to list ReferenceGrants", "namespace", targetNN.Namespace)
-				return err
-			}
-			if permitted := checkReferenceGrant(
+			if permitted := checkReferenceGrant(tctx,
+				r.Client,
 				v1beta1.ReferenceGrantFrom{
 					Group:     gatewayv1.GroupName,
 					Kind:      KindHTTPRoute,
@@ -476,7 +472,6 @@ func (r *HTTPRouteReconciler) processHTTPRouteBackendRefs(tctx *provider.Transla
 					Name:      gatewayv1.ObjectName(targetNN.Name),
 					Namespace: (*gatewayv1.Namespace)(&targetNN.Namespace),
 				},
-				referenceGrantList.Items,
 			); !permitted {
 				terr = ReasonError{
 					Reason:  string(v1beta1.RouteReasonRefNotPermitted),

internal/controller/utils.go

@@ -60,6 +60,18 @@ var (
 	ErrNoMatchingListenerHostname = errors.New("no matching hostnames in listener")
 )
 
+var (
+	enableReferenceGrant bool
+)
+
+func SetEnableReferenceGrant(enable bool) {
+	enableReferenceGrant = enable
+}
+
+func GetEnableReferenceGrant() bool {
+	return enableReferenceGrant
+}
+
 // IsDefaultIngressClass returns whether an IngressClass is the default IngressClass.
 func IsDefaultIngressClass(obj client.Object) bool {
 	if ingressClass, ok := obj.(*networkingv1.IngressClass); ok {
@@ -651,7 +663,6 @@ func getListenerStatus(
 	ctx context.Context,
 	mrgc client.Client,
 	gateway *gatewayv1.Gateway,
-	grants []v1beta1.ReferenceGrant,
 ) ([]gatewayv1.ListenerStatus, error) {
 	statuses := make(map[gatewayv1.SectionName]gatewayv1.ListenerStatus, len(gateway.Spec.Listeners))
 
@@ -739,7 +750,8 @@ func getListenerStatus(
 					conditionProgrammed.Reason = string(gatewayv1.ListenerReasonInvalid)
 					break
 				}
-				if permitted := checkReferenceGrant(
+				if permitted := checkReferenceGrant(ctx,
+					mrgc,
 					v1beta1.ReferenceGrantFrom{
 						Group:     gatewayv1.GroupName,
 						Kind:      KindGateway,
@@ -751,7 +763,6 @@ func getListenerStatus(
 						Name:      ref.Name,
 						Namespace: ref.Namespace,
 					},
-					grants,
 				); !permitted {
 					conditionResolvedRefs.Status = metav1.ConditionFalse
 					conditionResolvedRefs.Reason = string(gatewayv1.ListenerReasonRefNotPermitted)
@@ -1107,11 +1118,21 @@ func referenceGrantPredicates(kind gatewayv1.Kind) predicate.Funcs {
 	return predicates
 }
 
-func checkReferenceGrant(obj v1beta1.ReferenceGrantFrom, ref gatewayv1.ObjectReference, grants []v1beta1.ReferenceGrant) bool {
+func checkReferenceGrant(ctx context.Context, cli client.Client, obj v1beta1.ReferenceGrantFrom, ref gatewayv1.ObjectReference) bool {
 	if ref.Namespace == nil || *ref.Namespace == obj.Namespace {
 		return true
 	}
-	for _, grant := range grants {
+
+	if !GetEnableReferenceGrant() {
+		return false
+	}
+
+	var grantList v1beta1.ReferenceGrantList
+	if err := cli.List(ctx, &grantList, client.InNamespace(*ref.Namespace)); err != nil {
+		return false
+	}
+
+	for _, grant := range grantList.Items {
 		if grant.Namespace == string(*ref.Namespace) {
 			for _, from := range grant.Spec.From {
 				if obj == from {

internal/manager/run.go

@@ -19,7 +19,6 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
-	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -34,6 +33,7 @@ import (
 	"sigs.k8s.io/gateway-api/apis/v1beta1"
 
 	"github.com/apache/apisix-ingress-controller/api/v1alpha1"
+	"github.com/apache/apisix-ingress-controller/internal/controller"
 	"github.com/apache/apisix-ingress-controller/internal/controller/config"
 	"github.com/apache/apisix-ingress-controller/internal/provider/adc"
 )
@@ -177,20 +177,24 @@ func Run(ctx context.Context, logger logr.Logger) error {
 		}
 	}()
 
+	setupLog.Info("check ReferenceGrants is enabled")
+	_, err = mgr.GetRESTMapper().KindsFor(schema.GroupVersionResource{
+		Group:    v1beta1.GroupVersion.Group,
+		Version:  v1beta1.GroupVersion.Version,
+		Resource: "referencegrants",
+	})
+	if err != nil {
+		logger.Error(err, "CRD ReferenceGrants is not installed")
+	}
+	controller.SetEnableReferenceGrant(err == nil)
+
 	setupLog.Info("setting up controllers")
 	controllers, err := setupControllers(ctx, mgr, provider)
 	if err != nil {
 		setupLog.Error(err, "unable to set up controllers")
 		return err
 	}
-	if _, err = mgr.GetRESTMapper().KindsFor(schema.GroupVersionResource{
-		Group:    v1beta1.GroupVersion.Group,
-		Version:  v1beta1.GroupVersion.Version,
-		Resource: "referencegrants",
-	}); err != nil {
-		logger.Error(err, "CRD ReferenceGrants is not installed")
-		return errors.Wrap(err, "CRD ReferenceGrants is not installed")
-	}
+
 	for _, c := range controllers {
 		if err := c.SetupWithManager(mgr); err != nil {
 			return err