fix: cert watch for default https-listener

Author: zachsmith1

internal/controller/httpproxy_controller.go

@@ -1036,17 +1036,72 @@ func (r *HTTPProxyReconciler) buildCertificateStatuses(
 	}
 	statuses := make([]networkingv1alpha.HostnameStatus, 0, httpsListenerCount)
 
+	wildcardSuffix := "." + r.Config.Gateway.TargetDomain
+
 	for _, l := range gateway.Spec.Listeners {
 		if l.Protocol != gatewayv1.HTTPSProtocolType || l.Hostname == nil {
 			continue
 		}
 
+		hs := networkingv1alpha.HostnameStatus{Hostname: string(*l.Hostname)}
+
+		hostname := string(*l.Hostname)
+		hostnameUnderWildcard := strings.HasSuffix(hostname, wildcardSuffix) || hostname == r.Config.Gateway.TargetDomain
+		useSharedTLS := hostnameUnderWildcard && r.Config.Gateway.HasDefaultListenerTLSSecret()
+
+		if useSharedTLS {
+			secret := &v1.Secret{}
+			secretKey := client.ObjectKey{
+				Namespace: downstreamNamespaceName,
+				Name:      r.Config.Gateway.DefaultListenerTLSSecretName,
+			}
+			if err := downstreamClient.Get(ctx, secretKey, secret); err != nil {
+				if apierrors.IsNotFound(err) {
+					apimeta.SetStatusCondition(&hs.Conditions, metav1.Condition{
+						Type:               networkingv1alpha.HostnameConditionCertificateReady,
+						Status:             metav1.ConditionFalse,
+						Reason:             networkingv1alpha.CertificateReadyReasonPending,
+						Message:            "Shared TLS secret not found in downstream cluster",
+						ObservedGeneration: httpProxy.Generation,
+					})
+				} else {
+					apimeta.SetStatusCondition(&hs.Conditions, metav1.Condition{
+						Type:               networkingv1alpha.HostnameConditionCertificateReady,
+						Status:             metav1.ConditionUnknown,
+						Reason:             networkingv1alpha.CertificateReadyReasonPending,
+						Message:            fmt.Sprintf("Failed to get shared TLS secret: %v", err),
+						ObservedGeneration: httpProxy.Generation,
+					})
+				}
+				statuses = append(statuses, hs)
+				continue
+			}
+
+			if len(secret.Data["tls.crt"]) > 0 && len(secret.Data["tls.key"]) > 0 {
+				apimeta.SetStatusCondition(&hs.Conditions, metav1.Condition{
+					Type:               networkingv1alpha.HostnameConditionCertificateReady,
+					Status:             metav1.ConditionTrue,
+					Reason:             networkingv1alpha.CertificateReadyReasonCertificateIssued,
+					Message:            "Shared wildcard TLS certificate is ready",
+					ObservedGeneration: httpProxy.Generation,
+				})
+			} else {
+				apimeta.SetStatusCondition(&hs.Conditions, metav1.Condition{
+					Type:               networkingv1alpha.HostnameConditionCertificateReady,
+					Status:             metav1.ConditionFalse,
+					Reason:             networkingv1alpha.CertificateReadyReasonPending,
+					Message:            "Shared TLS secret is missing tls.crt or tls.key data",
+					ObservedGeneration: httpProxy.Generation,
+				})
+			}
+			statuses = append(statuses, hs)
+			continue
+		}
+
 		certName := resourcename.GetValidDNS1123Name(fmt.Sprintf("%s-%s", gateway.Name, l.Name))
 		certificate := newUnstructuredForGVK(certificateGVK)
 		certKey := client.ObjectKey{Namespace: downstreamNamespaceName, Name: certName}
 
-		hs := networkingv1alpha.HostnameStatus{Hostname: string(*l.Hostname)}
-
 		if err := downstreamClient.Get(ctx, certKey, certificate); err != nil {
 			if apierrors.IsNotFound(err) {
 				apimeta.SetStatusCondition(&hs.Conditions, metav1.Condition{

internal/controller/httpproxy_controller_test.go

@@ -2081,14 +2081,53 @@ func TestBuildCertificateStatuses(t *testing.T) {
 		return cert
 	}
 
+	sharedTLSConfig := config.NetworkServicesOperator{
+		Gateway: config.GatewayConfig{
+			TargetDomain:                 "example.com",
+			DefaultListenerTLSSecretName: "wildcard-tls",
+		},
+	}
+
+	gatewayWithWildcardHostname := &gatewayv1.Gateway{
+		ObjectMeta: metav1.ObjectMeta{Name: "my-proxy", Namespace: "test-ns"},
+		Spec: gatewayv1.GatewaySpec{
+			Listeners: []gatewayv1.Listener{
+				{
+					Name:     "default-https",
+					Protocol: gatewayv1.HTTPSProtocolType,
+					Hostname: ptr.To(gatewayv1.Hostname("app.example.com")),
+				},
+			},
+		},
+	}
+
+	makeSharedTLSSecret := func(hasTLSData bool) *corev1.Secret {
+		s := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: downstreamNamespaceName,
+				Name:      "wildcard-tls",
+			},
+		}
+		if hasTLSData {
+			s.Data = map[string][]byte{
+				"tls.crt": []byte("cert-data"),
+				"tls.key": []byte("key-data"),
+			}
+		}
+		return s
+	}
+
 	tests := []struct {
 		name              string
+		config            *config.NetworkServicesOperator
+		gateway           *gatewayv1.Gateway
 		downstreamCluster bool
 		downstreamObjects []client.Object
 		wantNil           bool
 		wantLen           int
 		wantReason        string
 		wantStatus        metav1.ConditionStatus
+		wantMessage       string
 	}{
 		{
 			name:              "DownstreamCluster nil returns nil",
@@ -2098,7 +2137,7 @@ func TestBuildCertificateStatuses(t *testing.T) {
 		{
 			name:              "certificate not found returns Pending",
 			downstreamCluster: true,
-			downstreamObjects: []client.Object{}, // no certificate
+			downstreamObjects: []client.Object{},
 			wantNil:           false,
 			wantLen:           1,
 			wantReason:        networkingv1alpha.CertificateReadyReasonPending,
@@ -2131,6 +2170,48 @@ func TestBuildCertificateStatuses(t *testing.T) {
 			wantReason:        networkingv1alpha.CertificateReadyReasonProvisioningFailed,
 			wantStatus:        metav1.ConditionFalse,
 		},
+		{
+			name:              "shared TLS secret found and valid returns CertificateIssued",
+			config:            &sharedTLSConfig,
+			gateway:           gatewayWithWildcardHostname,
+			downstreamCluster: true,
+			downstreamObjects: []client.Object{makeSharedTLSSecret(true)},
+			wantLen:           1,
+			wantReason:        networkingv1alpha.CertificateReadyReasonCertificateIssued,
+			wantStatus:        metav1.ConditionTrue,
+			wantMessage:       "Shared wildcard TLS certificate is ready",
+		},
+		{
+			name:              "shared TLS secret not found returns Pending",
+			config:            &sharedTLSConfig,
+			gateway:           gatewayWithWildcardHostname,
+			downstreamCluster: true,
+			downstreamObjects: []client.Object{},
+			wantLen:           1,
+			wantReason:        networkingv1alpha.CertificateReadyReasonPending,
+			wantStatus:        metav1.ConditionFalse,
+			wantMessage:       "Shared TLS secret not found in downstream cluster",
+		},
+		{
+			name:              "shared TLS secret missing tls data returns Pending",
+			config:            &sharedTLSConfig,
+			gateway:           gatewayWithWildcardHostname,
+			downstreamCluster: true,
+			downstreamObjects: []client.Object{makeSharedTLSSecret(false)},
+			wantLen:           1,
+			wantReason:        networkingv1alpha.CertificateReadyReasonPending,
+			wantStatus:        metav1.ConditionFalse,
+			wantMessage:       "Shared TLS secret is missing tls.crt or tls.key data",
+		},
+		{
+			name:              "custom hostname still checks certificate even with shared TLS enabled",
+			config:            &sharedTLSConfig,
+			downstreamCluster: true,
+			downstreamObjects: []client.Object{},
+			wantLen:           1,
+			wantReason:        networkingv1alpha.CertificateReadyReasonPending,
+			wantStatus:        metav1.ConditionFalse,
+		},
 	}
 
 	for _, tt := range tests {
@@ -2157,13 +2238,23 @@ func TestBuildCertificateStatuses(t *testing.T) {
 				downstreamCluster = &clusterWithClient{c: downstreamClient, scheme: scheme}
 			}
 
+			cfg := config.NetworkServicesOperator{}
+			if tt.config != nil {
+				cfg = *tt.config
+			}
+
+			gw := gatewayWithHTTPS
+			if tt.gateway != nil {
+				gw = tt.gateway
+			}
+
 			r := &HTTPProxyReconciler{
-				Config:            config.NetworkServicesOperator{},
+				Config:            cfg,
 				DownstreamCluster: downstreamCluster,
 			}
 
 			ctx := context.Background()
-			got := r.buildCertificateStatuses(ctx, upstreamClient, "local", gatewayWithHTTPS, httpProxy)
+			got := r.buildCertificateStatuses(ctx, upstreamClient, "local", gw, httpProxy)
 
 			if tt.wantNil {
 				assert.Nil(t, got)
@@ -2176,6 +2267,9 @@ func TestBuildCertificateStatuses(t *testing.T) {
 				require.NotNil(t, cond)
 				assert.Equal(t, tt.wantStatus, cond.Status)
 				assert.Equal(t, tt.wantReason, cond.Reason)
+				if tt.wantMessage != "" {
+					assert.Equal(t, tt.wantMessage, cond.Message)
+				}
 			}
 		})
 	}