Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

provider: finalize EnvoyProxy referenced by a managed GatewayClass #1534

Merged
merged 11 commits into from
Sep 12, 2023
Merged

provider: finalize EnvoyProxy referenced by a managed GatewayClass #1534

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
d11b0e0
Add/remove finalizers for envoy proxies
cnvergence Jun 15, 2023
4fb41f6
Refactor finalizers funcs
cnvergence Jun 16, 2023
7713603
add finalizer check to the tests
cnvergence Jun 16, 2023
30a6ab1
Add rbac role and process finalizers
cnvergence Jun 18, 2023
17aa923
improve logging
cnvergence Jun 19, 2023
34174e9
Update test case remove finalizer
cnvergence Jul 24, 2023
e1197da
Rework processing ParamsRef
cnvergence Jul 31, 2023
0ceae24
Remove roles.yaml
cnvergence Aug 4, 2023
55bc00a
Add patch to rbac.tpl
cnvergence Aug 4, 2023
5cf95f4
Add integration test for envoyproxy finalizers
cnvergence Aug 23, 2023
5fe8c4e
Restore envoyproxy status checks
cnvergence Aug 30, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions charts/gateway-helm/templates/_rbac.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,7 @@ verbs:
- list
- update
- watch
- patch
{{- end }}

{{- define "eg.rbac.namespaced.gateway.envoyproxy" -}}
Expand Down
107 changes: 79 additions & 28 deletions internal/provider/kubernetes/controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -298,15 +298,13 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques
}

// Process the parametersRef of the accepted GatewayClass.
if acceptedGC.Spec.ParametersRef != nil && acceptedGC.DeletionTimestamp == nil {
if err := r.processParamsRef(ctx, acceptedGC, resourceTree); err != nil {
msg := fmt.Sprintf("%s: %v", status.MsgGatewayClassInvalidParams, err)
if err := r.gatewayClassUpdater(ctx, acceptedGC, false, string(gwapiv1b1.GatewayClassReasonInvalidParameters), msg); err != nil {
r.log.Error(err, "unable to update GatewayClass status")
}
r.log.Error(err, "failed to process parametersRef for gatewayclass", "name", acceptedGC.Name)
return reconcile.Result{}, err
if err := r.processParamsRef(ctx, acceptedGC, resourceTree); err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if acceptedGC.Spec.ParametersRef != nil is removed from here, can we add it back ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like we can't, since this is the only code flow which can remove a finalizer from an unreferenced envoyproxy resource

msg := fmt.Sprintf("%s: %v", status.MsgGatewayClassInvalidParams, err)
if err := r.gatewayClassUpdater(ctx, acceptedGC, false, string(gwapiv1b1.GatewayClassReasonInvalidParameters), msg); err != nil {
r.log.Error(err, "unable to update GatewayClass status")
}
r.log.Error(err, "failed to process parametersRef for gatewayclass", "name", acceptedGC.Name)
return reconcile.Result{}, err
}

if err := r.gatewayClassUpdater(ctx, acceptedGC, true, string(gwapiv1b1.GatewayClassReasonAccepted), status.MsgValidGatewayClass); err != nil {
Expand All @@ -317,7 +315,6 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques
// Update finalizer on the gateway class based on the resource tree.
if len(resourceTree.Gateways) == 0 {
r.log.Info("No gateways found for accepted gatewayclass")

// If needed, remove the finalizer from the accepted GatewayClass.
if err := r.removeFinalizer(ctx, acceptedGC); err != nil {
r.log.Error(err, fmt.Sprintf("failed to remove finalizer from gatewayclass %s",
Expand Down Expand Up @@ -957,28 +954,56 @@ func secretGatewayIndexFunc(rawObj client.Object) []string {
return secretReferences
}

// removeFinalizer removes the gatewayclass finalizer from the provided gc, if it exists.
func (r *gatewayAPIReconciler) removeFinalizer(ctx context.Context, gc *gwapiv1b1.GatewayClass) error {
if slice.ContainsString(gc.Finalizers, gatewayClassFinalizer) {
base := client.MergeFrom(gc.DeepCopy())
gc.Finalizers = slice.RemoveString(gc.Finalizers, gatewayClassFinalizer)
if err := r.client.Patch(ctx, gc, base); err != nil {
return fmt.Errorf("failed to remove finalizer from gatewayclass %s: %w", gc.Name, err)
// addGcFinalizer adds the gatewayclass or envoyproxy finalizer to the provided object, if it doesn't exist.
func (r *gatewayAPIReconciler) addFinalizer(ctx context.Context, obj client.Object) error {
switch objType := obj.(type) {
case *gwapiv1b1.GatewayClass:
if !slice.ContainsString(objType.Finalizers, gatewayClassFinalizer) {
base := client.MergeFrom(objType.DeepCopy())
objType.Finalizers = append(objType.Finalizers, gatewayClassFinalizer)
if err := r.client.Patch(ctx, objType, base); err != nil {
return fmt.Errorf("failed to add finalizer to Gateway Class %s: %w", objType.Name, err)
}
}
return nil
case *egcfgv1a1.EnvoyProxy:
if !slice.ContainsString(objType.Finalizers, gatewayClassFinalizer) {
base := client.MergeFrom(objType.DeepCopy())
objType.Finalizers = append(objType.Finalizers, gatewayClassFinalizer)
if err := r.client.Patch(ctx, objType, base); err != nil {
return fmt.Errorf("failed to add finalizer to Envoy Proxy %s: %w", objType.Name, err)
}
}
return nil
}
return nil

return fmt.Errorf("%s is not supported for finalizer processing", obj.GetObjectKind().GroupVersionKind().Kind)
}

// addFinalizer adds the gatewayclass finalizer to the provided gc, if it doesn't exist.
func (r *gatewayAPIReconciler) addFinalizer(ctx context.Context, gc *gwapiv1b1.GatewayClass) error {
if !slice.ContainsString(gc.Finalizers, gatewayClassFinalizer) {
base := client.MergeFrom(gc.DeepCopy())
gc.Finalizers = append(gc.Finalizers, gatewayClassFinalizer)
if err := r.client.Patch(ctx, gc, base); err != nil {
return fmt.Errorf("failed to add finalizer to gatewayclass %s: %w", gc.Name, err)
// removeFinalizer removes the gatewayclass or envoyproxy finalizer from the provided object, if it exists.
func (r *gatewayAPIReconciler) removeFinalizer(ctx context.Context, obj client.Object) error {
switch objType := obj.(type) {
case *gwapiv1b1.GatewayClass:
if slice.ContainsString(objType.Finalizers, gatewayClassFinalizer) {
base := client.MergeFrom(objType.DeepCopy())
objType.Finalizers = slice.RemoveString(objType.Finalizers, gatewayClassFinalizer)
if err := r.client.Patch(ctx, objType, base); err != nil {
return fmt.Errorf("failed to add finalizer to Gateway Class %s: %w", objType.Name, err)
}
}
return nil
case *egcfgv1a1.EnvoyProxy:
if slice.ContainsString(objType.Finalizers, gatewayClassFinalizer) {
base := client.MergeFrom(objType.DeepCopy())
objType.Finalizers = slice.RemoveString(objType.Finalizers, gatewayClassFinalizer)
if err := r.client.Patch(ctx, objType, base); err != nil {
return fmt.Errorf("failed to add finalizer to Envoy Proxy %s: %w", objType.Name, err)
}
}
return nil
}
return nil

return fmt.Errorf("%s is not supported for finalizer processing", obj.GetObjectKind().GroupVersionKind().Kind)
}

// subscribeAndUpdateStatus subscribes to gateway API object status updates and
Expand Down Expand Up @@ -1417,10 +1442,11 @@ func (r *gatewayAPIReconciler) hasManagedClass(obj client.Object) bool {

// processParamsRef processes the parametersRef of the provided GatewayClass.
func (r *gatewayAPIReconciler) processParamsRef(ctx context.Context, gc *gwapiv1b1.GatewayClass, resourceTree *gatewayapi.Resources) error {
if !refsEnvoyProxy(gc) {
return fmt.Errorf("unsupported parametersRef for gatewayclass %s", gc.Name)
if gc.Spec.ParametersRef != nil {
if !refsEnvoyProxy(gc) {
return fmt.Errorf("unsupported parametersRef for gatewayclass %s", gc.Name)
}
}

epList := new(egcfgv1a1.EnvoyProxyList)
// The EnvoyProxy must be in the same namespace as EG.
if err := r.client.List(ctx, epList, &client.ListOptions{Namespace: r.namespace}); err != nil {
Expand All @@ -1439,15 +1465,40 @@ func (r *gatewayAPIReconciler) processParamsRef(ctx context.Context, gc *gwapiv1
ep := epList.Items[i]
r.log.Info("processing envoyproxy", "namespace", ep.Namespace, "name", ep.Name)
if classRefsEnvoyProxy(gc, &ep) {
if !gc.DeletionTimestamp.IsZero() {
if err := r.removeFinalizer(ctx, &ep); err != nil {
r.log.Error(err, fmt.Sprintf("failed to remove finalizer from envoy proxy %s",
ep.Name))
return err
}
return nil
}
found = true
if err := validation.ValidateEnvoyProxy(&ep); err != nil {
validationErr = fmt.Errorf("invalid envoyproxy: %v", err)
continue
}
valid = true

if err := r.addFinalizer(ctx, &ep); err != nil {
r.log.Error(err, fmt.Sprintf("failed adding finalizer to envoy proxy %s",
ep.Name))
return err
}

resourceTree.EnvoyProxy = &ep
break
}

// Remove finalizer from EnvoyProxy when GatewayClass stops referencing it
if slice.ContainsString(ep.Finalizers, gatewayClassFinalizer) {
if err := r.removeFinalizer(ctx, &ep); err != nil {
r.log.Error(err, fmt.Sprintf("failed to remove finalizer from envoy proxy %s",
ep.Name))
return err
}
return nil
}
}

if !found {
cnvergence marked this conversation as resolved.
Show resolved Hide resolved
Expand Down
113 changes: 111 additions & 2 deletions internal/provider/kubernetes/controller_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,114 @@ func TestAddGatewayClassFinalizer(t *testing.T) {
}
}

func TestAddEnvoyProxyFinalizer(t *testing.T) {
testCases := []struct {
name string
ep *egcfgv1a1.EnvoyProxy
expect []string
}{
{
name: "envoyproxy with no finalizers",
ep: &egcfgv1a1.EnvoyProxy{
ObjectMeta: metav1.ObjectMeta{
Name: "test",
},
},
expect: []string{gatewayClassFinalizer},
},
{
name: "envoyproxy with a different finalizer",
ep: &egcfgv1a1.EnvoyProxy{
ObjectMeta: metav1.ObjectMeta{
Name: "test-ep",
Finalizers: []string{"fooFinalizer"},
},
},
expect: []string{"fooFinalizer", gatewayClassFinalizer},
},
{
name: "envoyproxy with existing gatewayclass finalizer",
ep: &egcfgv1a1.EnvoyProxy{
ObjectMeta: metav1.ObjectMeta{
Name: "test-ep",
Finalizers: []string{gatewayClassFinalizer},
},
},
expect: []string{gatewayClassFinalizer},
},
}
// Create the reconciler.
r := new(gatewayAPIReconciler)
ctx := context.Background()

for _, tc := range testCases {
tc := tc
t.Run(tc.name, func(t *testing.T) {
r.client = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.ep).Build()
err := r.addFinalizer(ctx, tc.ep)
require.NoError(t, err)
key := types.NamespacedName{Name: tc.ep.Name}
err = r.client.Get(ctx, key, tc.ep)
require.NoError(t, err)
require.Equal(t, tc.expect, tc.ep.Finalizers)
})
}
}

func TestRemoveEnvoyProxyFinalizer(t *testing.T) {
testCases := []struct {
name string
ep *egcfgv1a1.EnvoyProxy
expect []string
}{
{
name: "envoyproxy with no finalizers",
ep: &egcfgv1a1.EnvoyProxy{
ObjectMeta: metav1.ObjectMeta{
Name: "test",
},
},
expect: nil,
},
{
name: "envoyproxy with a different finalizer",
ep: &egcfgv1a1.EnvoyProxy{
ObjectMeta: metav1.ObjectMeta{
Name: "test-ep",
Finalizers: []string{"fooFinalizer"},
},
},
expect: []string{"fooFinalizer"},
},
{
name: "envoyproxy with existing gatewayclass finalizer",
cnvergence marked this conversation as resolved.
Show resolved Hide resolved
ep: &egcfgv1a1.EnvoyProxy{
ObjectMeta: metav1.ObjectMeta{
Name: "test-ep",
Finalizers: []string{gatewayClassFinalizer},
},
},
expect: nil,
},
}

// Create the reconciler.
r := new(gatewayAPIReconciler)
ctx := context.Background()

for _, tc := range testCases {
tc := tc
t.Run(tc.name, func(t *testing.T) {
r.client = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.ep).Build()
err := r.removeFinalizer(ctx, tc.ep)
require.NoError(t, err)
key := types.NamespacedName{Name: tc.ep.Name}
err = r.client.Get(ctx, key, tc.ep)
require.NoError(t, err)
require.Equal(t, tc.expect, tc.ep.Finalizers)
})
}
}
func TestRemoveGatewayClassFinalizer(t *testing.T) {
testCases := []struct {
name string
Expand Down Expand Up @@ -363,8 +471,9 @@ func TestProcessParamsRef(t *testing.T) {
},
ep: &egcfgv1a1.EnvoyProxy{
ObjectMeta: metav1.ObjectMeta{
Namespace: config.DefaultNamespace,
Name: "test",
Namespace: config.DefaultNamespace,
Name: "test",
Finalizers: []string{gatewayClassFinalizer},
},
},
expected: true,
Expand Down
14 changes: 14 additions & 0 deletions internal/provider/kubernetes/kubernetes_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -202,6 +202,20 @@ func testGatewayClassWithParamRef(ctx context.Context, t *testing.T, provider *P
res, ok := resources.GatewayAPIResources.Load(gc.Name)
assert.Equal(t, ok, true)
assert.Equal(t, res.EnvoyProxy.Spec, ep.Spec)

// Ensure the envoyproxy has been finalized.
require.Eventually(t, func() bool {
err := cli.Get(ctx, types.NamespacedName{Name: ep.Name, Namespace: testNs}, ep)
return err == nil && slices.Contains(ep.Finalizers, gatewayClassFinalizer)
}, defaultWait, defaultTick)

//Ensure that envoyproxy finalizer will be removed when GatewayClass stops referencing it
gc.Spec.ParametersRef = nil
require.NoError(t, cli.Update(ctx, gc))
require.Eventually(t, func() bool {
err := cli.Get(ctx, types.NamespacedName{Name: ep.Name, Namespace: testNs}, ep)
return err == nil && !slices.Contains(ep.Finalizers, gatewayClassFinalizer)
}, defaultWait, defaultTick)
}

func testGatewayScheduledStatus(ctx context.Context, t *testing.T, provider *Provider, resources *message.ProviderResources) {
Expand Down