APIGW: Update how status conditions for certificates are handled (#17115

) * Move status condition for invalid certifcate to reference the listener that is using the certificate * Fix where we set the condition status for listeners and certificate refs, added tests * Add changelog
hashicorp · Jun 22, 2023 · efee5ee · efee5ee
1 parent 27332fc
commit efee5ee
Show file tree

Hide file tree

Showing 8 changed files with 724 additions and 20 deletions.
diff --git a/.changelog/17115.txt b/.changelog/17115.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+gateway: Change status condition reason for invalid certificate on a listener from "Accepted" to "ResolvedRefs".
+```
diff --git a/agent/consul/gateways/controller_gateways.go b/agent/consul/gateways/controller_gateways.go
@@ -240,6 +240,19 @@ func (r *apiGatewayReconciler) reconcileGateway(_ context.Context, req controlle
 		return err
 	}
 
+	// set each listener as having valid certs, then overwrite that status condition
+	// if there are any certificate errors
+	meta.eachListener(func(listener *structs.APIGatewayListener, bound *structs.BoundAPIGatewayListener) error {
+		listenerRef := structs.ResourceReference{
+			Kind:           structs.APIGateway,
+			Name:           meta.BoundGateway.Name,
+			SectionName:    bound.Name,
+			EnterpriseMeta: meta.BoundGateway.EnterpriseMeta,
+		}
+		updater.SetCondition(conditions.validCertificate(listenerRef))
+		return nil
+	})
+
 	for ref, err := range certificateErrors {
 		updater.SetCondition(conditions.invalidCertificate(ref, err))
 	}
@@ -744,8 +757,14 @@ func (g *gatewayMeta) checkCertificates(store *state.Store) (map[structs.Resourc
 			if err != nil {
 				return err
 			}
+			listenerRef := structs.ResourceReference{
+				Kind:           structs.APIGateway,
+				Name:           g.BoundGateway.Name,
+				SectionName:    bound.Name,
+				EnterpriseMeta: g.BoundGateway.EnterpriseMeta,
+			}
 			if certificate == nil {
-				certificateErrors[ref] = errors.New("certificate not found")
+				certificateErrors[listenerRef] = fmt.Errorf("certificate %q not found", ref.Name)
 			} else {
 				bound.Certificates = append(bound.Certificates, ref)
 			}
@@ -855,7 +874,7 @@ func newGatewayConditionGenerator() *gatewayConditionGenerator {
 // to a given APIGateway listener.
 func (g *gatewayConditionGenerator) invalidCertificate(ref structs.ResourceReference, err error) structs.Condition {
 	return structs.Condition{
-		Type:               "Accepted",
+		Type:               "ResolvedRefs",
 		Status:             "False",
 		Reason:             "InvalidCertificate",
 		Message:            err.Error(),
@@ -864,6 +883,17 @@ func (g *gatewayConditionGenerator) invalidCertificate(ref structs.ResourceRefer
 	}
 }
 
+func (g *gatewayConditionGenerator) validCertificate(ref structs.ResourceReference) structs.Condition {
+	return structs.Condition{
+		Type:               "ResolvedRefs",
+		Status:             "True",
+		Reason:             "ResolvedRefs",
+		Message:            "resolved refs",
+		Resource:           pointerTo(ref),
+		LastTransitionTime: g.now,
+	}
+}
+
 // invalidCertificates is used to set the overall condition of the APIGateway
 // to invalid due to missing certificates that it references.
 func (g *gatewayConditionGenerator) invalidCertificates() structs.Condition {