
Commit de81779

committed
refactor: Simplify permission checking in ReferenceGrant validation
1 parent 7e362e4 commit de81779


2 files changed

+9
-6
lines changed


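--- a/internal/controller/httproute_controller.go
+++ b/internal/controller/httproute_controller.go
@@ -464,7 +464,7 @@ func (r *HTTPRouteReconciler) processHTTPRouteBackendRefs(tctx *provider.Transla
 r.Log.Error(err, "failed to list ReferenceGrants", "namespace", targetNN.Namespace)
 return err
 }
-if !checkReferenceGrant(
+if permitted := checkReferenceGrant(
 v1beta1.ReferenceGrantFrom{
 Group: gatewayv1.GroupName,
 Kind: KindHTTPRoute,
@@ -476,7 +476,7 @@ func (r *HTTPRouteReconciler) processHTTPRouteBackendRefs(tctx *provider.Transla
 Name: (*gatewayv1.ObjectName)(&targetNN.Name),
 },
 referenceGrantList.Items,
-) {
+); !permitted {
 terr = ReasonError{
 Reason: string(v1beta1.RouteReasonRefNotPermitted),
 Message: fmt.Sprintf("%s is in a different namespace than the HTTPRoute %s and no ReferenceGrant allowing reference is configured", targetNN, hrNN),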
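Review bot: The init-statement form `if permitted := checkReferenceGrant(` … `); !permitted {` puts the whole multi-line argument list between the binding and the negated test, so a reader has to carry `permitted` across thirteen lines, and the name is not used anywhere else in the visible hunk; the previous `if !checkReferenceGrant(` was already scoped to the condition. If the name is wanted for readability, a plain `permitted := checkReferenceGrant(` … `)` followed by `if !permitted {` keeps the negation next to the name without the trailing `; !permitted`. The same pattern appears in the two utils.go hunks at @@ -744 and @@ -756. processHTTPRouteBackendRefs begins before this hunk and continues past it.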

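--- a/internal/controller/utils.go
+++ b/internal/controller/utils.go
@@ -741,7 +741,7 @@ func getListenerStatus(
 }
 // if cross namespaces, check if the Gateway has the permission to access the Secret
 if ref.Namespace != nil && string(*ref.Namespace) != gateway.Namespace {
-if ok := checkReferenceGrant(
+if permitted := checkReferenceGrant(
 v1beta1.ReferenceGrantFrom{
 Group: gatewayv1.GroupName,
 Kind: KindGateway,
@@ -753,7 +753,7 @@ func getListenerStatus(
 Name: &ref.Name,
 },
 grants,
-); !ok {
+); !permitted {
 conditionResolvedRefs.Status = metav1.ConditionFalse
 conditionResolvedRefs.Reason = string(gatewayv1.ListenerReasonRefNotPermitted)
 conditionResolvedRefs.Message = "certificateRefs cross namespaces is not permitted"
@@ -763,8 +763,11 @@ func getListenerStatus(
 }
 }
 
-ns := cmp.Or(ref.Namespace, (*gatewayv1.Namespace)(&gateway.Namespace))
-if err := mrgc.Get(ctx, client.ObjectKey{Namespace: string(*ns), Name: string(ref.Name)}, &secret); err != nil {
+secretNN := types.NamespacedName{
+Namespace: string(*cmp.Or(ref.Namespace, (*gatewayv1.Namespace)(&gateway.Namespace))),
+Name: string(ref.Name),
+}
+if err := mrgc.Get(ctx, secretNN, &secret); err != nil {
 conditionResolvedRefs.Status = metav1.ConditionFalse
 conditionResolvedRefs.Reason = string(gatewayv1.ListenerReasonInvalidCertificateRef)
 conditionResolvedRefs.Message = err.Error()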
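Review bot: The new `secretNN` in hunk @@ -763 takes its namespace from `ref.Namespace` regardless of the outcome of the ReferenceGrant check above it, and lines 760-762 are outside the hunk, so it is not visible here whether the RefNotPermitted branch at 757-759 leaves the loop before `mrgc.Get` runs. If it does not, the controller still fetches a Secret from a namespace that has not granted the Gateway access, and `err.Error()` at 773 would carry that lookup's outcome into the Listener condition; worth confirming there is a `continue` or early return in the elided lines, and a comment such as `// only reached when the ref is same-namespace or a ReferenceGrant permits it` above `secretNN` would make that invariant explicit. On style, the double dereference in `string(*cmp.Or(ref.Namespace, (*gatewayv1.Namespace)(&gateway.Namespace)))` is denser than the intermediate the commit removed; `ns := cmp.Or(ref.Namespace, (*gatewayv1.Namespace)(&gateway.Namespace))` followed by `Namespace: string(*ns),` reads more easily. getListenerStatus begins before this section and continues past it.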
