Merge pull request #129 from zvlb/main

Refactor. Add tests

Author: zvlb

api/v1alpha1/listener_webhook.go

@@ -45,7 +45,7 @@ func (l *Listener) ValidateDelete(ctx context.Context, cl client.Client) error {
 	virtualServices := &VirtualServiceList{}
 	listOpts := []client.ListOption{
 		client.InNamespace(l.Namespace),
-		client.MatchingFields{options.VirtualServiceListenerFeild: l.Name},
+		client.MatchingFields{options.VirtualServiceListenerNameFeild: l.Name},
 	}
 	if err := cl.List(ctx, virtualServices, listOpts...); err != nil {
 		return err

api/v1alpha1/virtualservice_methods.go

@@ -19,6 +19,7 @@ package v1alpha1
 import (
 	"context"
 	"encoding/json"
+	"strings"
 
 	"github.com/kaasops/envoy-xds-controller/pkg/errors"
 	"github.com/kaasops/envoy-xds-controller/pkg/utils/hash"
@@ -48,6 +49,45 @@ func (vs *VirtualService) SetValid(ctx context.Context, cl client.Client) error
 	return cl.Status().Update(ctx, vs.DeepCopy())
 }
 
+func (vs *VirtualService) SetValidWithUsedSecrets(ctx context.Context, cl client.Client, secrets []string) error {
+	if vs.Status.Valid != nil && *vs.Status.Valid {
+		return nil
+	}
+	valid := true
+	vs.Status.Valid = &valid
+	vs.Status.Error = nil
+
+	err := vs.setUsedSecrets(secrets)
+	if err != nil {
+		return err
+	}
+
+	return cl.Status().Update(ctx, vs.DeepCopy())
+}
+
+func (vs *VirtualService) setUsedSecrets(secrets []string) error {
+	usedSecrets := []ResourceRef{}
+
+	for _, s := range secrets {
+		splitS := strings.Split(s, "/")
+
+		if len(splitS) != 2 {
+			return errors.New("something go wrong, when trying to get secret namespace and name")
+		}
+
+		usedSecret := ResourceRef{
+			Name:      splitS[1],
+			Namespace: &splitS[0],
+		}
+
+		usedSecrets = append(usedSecrets, usedSecret)
+	}
+
+	vs.Status.UsedSecrets = usedSecrets
+
+	return nil
+}
+
 func (vs *VirtualService) SetInvalid(ctx context.Context, cl client.Client) error {
 	if vs.Status.Valid != nil && !*vs.Status.Valid {
 		return nil

api/v1alpha1/virtualservice_types.go

@@ -54,14 +54,15 @@ type TlsConfig struct {
 }
 
 type ResourceRef struct {
-	Name string `json:"name,omitempty"`
-	// Namespace string `json:"namespace,omitempty"`
+	Name      string  `json:"name,omitempty"`
+	Namespace *string `json:"namespace,omitempty"`
 }
 
 // VirtualServiceStatus defines the observed state of VirtualService
 type VirtualServiceStatus struct {
-	Error *string `json:"error,omitempty"`
-	Valid *bool   `json:"valid,omitempty"`
+	Error       *string       `json:"error,omitempty"`
+	Valid       *bool         `json:"valid,omitempty"`
+	UsedSecrets []ResourceRef `json:"usedSecrets,omitempty"`
 
 	LastAppliedHash *uint32 `json:"lastAppliedHash,omitempty"`
 }

api/v1alpha1/virtualservice_webhook.go

@@ -29,8 +29,7 @@ import (
 	"github.com/kaasops/envoy-xds-controller/pkg/options"
 	"github.com/kaasops/envoy-xds-controller/pkg/utils"
 	"github.com/kaasops/envoy-xds-controller/pkg/utils/k8s"
-	corev1 "k8s.io/api/core/v1"
-	api_errors "k8s.io/apimachinery/pkg/api/errors"
+
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/discovery"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -193,7 +192,7 @@ func (vs *VirtualService) checkIfDomainAlredyExist(
 	virtualServices := &VirtualServiceList{}
 	listOpts := []client.ListOption{
 		client.InNamespace(vs.Namespace),
-		client.MatchingFields{options.VirtualServiceListenerFeild: vs.Spec.Listener.Name},
+		client.MatchingFields{options.VirtualServiceListenerNameFeild: vs.Spec.Listener.Name},
 	}
 	if err := cl.List(ctx, virtualServices, listOpts...); err != nil {
 		return err
@@ -236,11 +235,19 @@ func (tc *TlsConfig) Validate(
 		return errors.Wrap(err, "cannot get TlsConfig Type")
 	}
 
+	// If Watch Namespaces set - try to found secret in all namespaces
+	namespaces := cfg.GetWatchNamespaces()
+
 	switch tlsType {
 	case SecretRefType:
-		return validateSecretRef(ctx, client, vs.Namespace, tc.SecretRef)
+		// If .Spec.TlsConfig.SecretRef.Namespace set - find secret only in this namespace
+		if vs.Spec.TlsConfig.SecretRef.Namespace != nil {
+			namespaces = []string{*vs.Spec.TlsConfig.SecretRef.Namespace}
+		}
+
+		return validateSecretRef(ctx, client, namespaces, tc.SecretRef)
 	case AutoDiscoveryType:
-		return validateAutoDiscovery(ctx, vs, client)
+		return validateAutoDiscovery(ctx, vs, namespaces, client)
 	}
 
 	return errors.New("unexpected behavior when processing a TlsConfig Type")
@@ -249,31 +256,37 @@ func (tc *TlsConfig) Validate(
 func validateSecretRef(
 	ctx context.Context,
 	client client.Client,
-	namespace string,
+	namespaces []string,
 	rr *ResourceRef,
 ) error {
-	secret := &corev1.Secret{}
-
-	err := client.Get(ctx, types.NamespacedName{Name: rr.Name, Namespace: namespace}, secret)
+	secrets, err := k8s.GetCertificateSecrets(ctx, client, namespaces)
 	if err != nil {
-		if api_errors.IsNotFound(err) {
-			return errors.Wrap(err, fmt.Sprintf("Secret %s from .Spec.TlsConfig.SecretRef.Name not found", rr.Name))
-		}
 		return err
 	}
 
-	if secret.Type != corev1.SecretTypeTLS {
-		return errors.Newf("Secret %s is not a TLS secret", rr.Name)
+	for _, secret := range secrets {
+		if rr.Namespace == nil {
+			if secret.Name == rr.Name {
+				return nil
+			}
+		} else {
+			if secret.Namespace == *rr.Namespace {
+				if secret.Name == rr.Name {
+					return nil
+				}
+			}
+		}
 	}
 
-	// TODO (may be). Add check Certificate in secret have VS domain in DNS
+	return errors.New(fmt.Sprintf("Secret %s/%s from .Spec.TlsConfig.SecretRef not found", *rr.Namespace, rr.Name))
 
-	return nil
+	// TODO (may be). Add check Certificate in secret have VS domain in DNS
 }
 
 func validateAutoDiscovery(
 	ctx context.Context,
 	vs *VirtualService,
+	namespaces []string,
 	client client.Client,
 ) error {
 	// Get Virtual Host from Virtual Service
@@ -283,7 +296,7 @@ func validateAutoDiscovery(
 	}
 
 	// Create index for fast search certificate for domain
-	index, err := k8s.IndexCertificateSecrets(ctx, client, vs.Namespace)
+	index, err := k8s.IndexCertificateSecrets(ctx, client, namespaces)
 	if err != nil {
 		return errors.Wrap(err, "cannot generate TLS certificates index from Kubernetes secrets")
 	}

api/v1alpha1/zz_generated.deepcopy.go

@@ -57,19 +57,25 @@ spec:
                 properties:
                   name:
                     type: string
+                  namespace:
+                    type: string
                 type: object
               additionalHttpFilters:
                 items:
                   properties:
                     name:
                       type: string
+                    namespace:
+                      type: string
                   type: object
                 type: array
               additionalRoutes:
                 items:
                   properties:
                     name:
                       type: string
+                    namespace:
+                      type: string
                   type: object
                 type: array
               httpFilters:
@@ -82,6 +88,8 @@ spec:
                 properties:
                   name:
                     type: string
+                  namespace:
+                    type: string
                 type: object
               tlsConfig:
                 properties:
@@ -92,6 +100,8 @@ spec:
                     properties:
                       name:
                         type: string
+                      namespace:
+                        type: string
                     type: object
                 type: object
               upgradeConfigs:
@@ -117,6 +127,15 @@ spec:
               lastAppliedHash:
                 format: int32
                 type: integer
+              usedSecrets:
+                items:
+                  properties:
+                    name:
+                      type: string
+                    namespace:
+                      type: string
+                  type: object
+                type: array
               valid:
                 type: boolean
             type: object

config/crd/bases/envoy.kaasops.io_virtualservices.yaml

@@ -109,7 +109,7 @@ func (r *ListenerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 	virtualServices := &v1alpha1.VirtualServiceList{}
 	listOpts := []client.ListOption{
 		client.InNamespace(req.Namespace),
-		client.MatchingFields{options.VirtualServiceListenerFeild: req.Name},
+		client.MatchingFields{options.VirtualServiceListenerNameFeild: req.Name},
 	}
 	if err = r.List(ctx, virtualServices, listOpts...); err != nil {
 		return ctrl.Result{}, errors.Wrap(err, errors.GetFromKubernetesMessage)
@@ -118,7 +118,7 @@ func (r *ListenerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 	listener.Name = getResourceName(req.Namespace, req.Name)
 
 	// Create HashMap for fast searching of certificates
-	index, err := k8s.IndexCertificateSecrets(ctx, r.Client, instance.Namespace)
+	index, err := k8s.IndexCertificateSecrets(ctx, r.Client, r.Config.GetWatchNamespaces())
 	if err != nil {
 		return ctrl.Result{}, errors.Wrap(err, "cannot generate TLS certificates index from Kubernetes secrets")
 	}
@@ -194,6 +194,20 @@ func (r *ListenerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 
 				chains = append(chains, filterChains...)
 
+				// If for this vs used some secrets (with certificates), add this information to status
+				if virtSvc.CertificatesWithDomains != nil {
+					i := 0
+					keys := make([]string, len(virtSvc.CertificatesWithDomains))
+					for k := range virtSvc.CertificatesWithDomains {
+						keys[i] = k
+						i++
+					}
+					if err := vs.SetValidWithUsedSecrets(ctx, r.Client, keys); err != nil {
+						errs = append(errs, err)
+					}
+					continue
+				}
+
 				if err := vs.SetValid(ctx, r.Client); err != nil {
 					errs = append(errs, err)
 				}
@@ -202,9 +216,8 @@ func (r *ListenerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 
 		// Check errors
 		if len(errs) != 0 {
-			r.log.Error(nil, "FilterChain build errors")
 			for _, e := range errs {
-				r.log.Error(e, "")
+				r.log.Error(e, "FilterChain build errors")
 			}
 
 			// Stop working with this NodeID
@@ -258,7 +271,7 @@ func (r *ListenerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 // SetupWithManager sets up the controller with the Manager.
 func (r *ListenerReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	// Add listener name to index
-	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &v1alpha1.VirtualService{}, options.VirtualServiceListenerFeild, func(rawObject client.Object) []string {
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &v1alpha1.VirtualService{}, options.VirtualServiceListenerNameFeild, func(rawObject client.Object) []string {
 		virtualService := rawObject.(*v1alpha1.VirtualService)
 		// if listener feild is empty use default listener name as index
 		if virtualService.Spec.Listener == nil {

controllers/listener_controller.go

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "0.55"
+version: "0.56"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.1.43"
+appVersion: "v0.2.0"
 
 home: https://github.com/kaasops/envoy-xds-controller
 sources: