From fed8af3cc17e0aa8e4043ada0f02d2b6d338b0b2 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 15 Dec 2023 15:53:03 +0800 Subject: [PATCH] reuse validateSecretRef for TLS secret validation Signed-off-by: huabing zhao --- internal/gatewayapi/validate.go | 62 ++++++--------------------------- 1 file changed, 10 insertions(+), 52 deletions(-) diff --git a/internal/gatewayapi/validate.go b/internal/gatewayapi/validate.go index 8acc278a46d4..09737a6b317b 100644 --- a/internal/gatewayapi/validate.go +++ b/internal/gatewayapi/validate.go @@ -19,6 +19,8 @@ import ( gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" + + "github.com/envoyproxy/gateway/internal/status" ) func (t *Translator) validateBackendRef(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, route RouteContext, @@ -285,64 +287,20 @@ func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerCon secrets := make([]*v1.Secret, 0) for _, certificateRef := range listener.TLS.CertificateRefs { - // TODO zhaohuabing: reuse validateSecretRef - if certificateRef.Group != nil && string(*certificateRef.Group) != "" { - listener.SetCondition( - gwapiv1.ListenerConditionResolvedRefs, - metav1.ConditionFalse, - gwapiv1.ListenerReasonInvalidCertificateRef, - "Listener's TLS certificate ref group must be unspecified/empty.", - ) - break - } - - if certificateRef.Kind != nil && string(*certificateRef.Kind) != KindSecret { - listener.SetCondition( - gwapiv1.ListenerConditionResolvedRefs, - metav1.ConditionFalse, - gwapiv1.ListenerReasonInvalidCertificateRef, - fmt.Sprintf("Listener's TLS certificate ref kind must be %s.", KindSecret), - ) - break - } - - secretNamespace := listener.gateway.Namespace - - if certificateRef.Namespace != nil && string(*certificateRef.Namespace) != "" && string(*certificateRef.Namespace) != listener.gateway.Namespace { - if !t.validateCrossNamespaceRef( - crossNamespaceFrom{ - group: gwapiv1.GroupName, - kind: KindGateway, - namespace: listener.gateway.Namespace, - }, - crossNamespaceTo{ - group: "", - kind: KindSecret, - namespace: string(*certificateRef.Namespace), - name: string(certificateRef.Name), - }, - resources.ReferenceGrants, - ) { - listener.SetCondition( - gwapiv1.ListenerConditionResolvedRefs, - metav1.ConditionFalse, - gwapiv1.ListenerReasonRefNotPermitted, - fmt.Sprintf("Certificate ref to secret %s/%s not permitted by any ReferenceGrant.", *certificateRef.Namespace, certificateRef.Name), - ) - break - } - - secretNamespace = string(*certificateRef.Namespace) + from := crossNamespaceFrom{ + group: gwapiv1.GroupName, + kind: KindGateway, + namespace: listener.gateway.Namespace, } - secret := resources.GetSecret(secretNamespace, string(certificateRef.Name)) - - if secret == nil { + secret, err := t.validateSecretRef( + true, from, certificateRef, resources) + if err != nil { listener.SetCondition( gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionFalse, gwapiv1.ListenerReasonInvalidCertificateRef, - fmt.Sprintf("Secret %s/%s does not exist.", listener.gateway.Namespace, certificateRef.Name), + status.Error2ConditionMsg(err), ) break }