// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
// Source: github.com/cilium/cilium@v1.16.2/operator/pkg/gateway-api/secretsync.go

package gateway_api

import (
	"context"

	"github.com/sirupsen/logrus"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/types"
	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/handler"
	"sigs.k8s.io/controller-runtime/pkg/reconcile"
	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"

	"github.com/cilium/cilium/operator/pkg/gateway-api/helpers"
	"github.com/cilium/cilium/pkg/logging/logfields"
)

// EnqueueTLSSecrets returns an event handler that maps a Gateway event to one
// reconcile request per Secret named in the Gateway's listener TLS
// certificateRefs.
//
// Objects that are not a *gatewayv1.Gateway, and Gateways rejected by
// hasMatchingController for controllerName, produce no requests.
//
// A certificateRef that sets Namespace yields a request for a Secret outside
// the Gateway's own namespace.
// NOTE(review): no ReferenceGrant check is visible in this function; confirm
// that whatever consumes these requests enforces it before a Secret is acted
// on across namespaces.
func EnqueueTLSSecrets(c client.Client, logger logrus.FieldLogger) handler.EventHandler {
	mapGatewayToSecrets := func(ctx context.Context, obj client.Object) []reconcile.Request {
		// The scoped logger is built before the type check, exactly as the
		// upstream code does, so it carries the name of whatever object arrived.
		entry := logger.WithFields(logrus.Fields{
			logfields.Controller: "secrets",
			logfields.Resource:   obj.GetName(),
		})

		// Only Gateways accepted by hasMatchingController (the "managed by
		// Cilium" check) may enqueue Secrets; the type check short-circuits
		// so the controller lookup is never made for other object kinds.
		gateway, isGateway := obj.(*gatewayv1.Gateway)
		if !isGateway || !hasMatchingController(ctx, c, controllerName)(gateway) {
			return nil
		}

		var requests []reconcile.Request
		for i := range gateway.Spec.Listeners {
			tlsConfig := gateway.Spec.Listeners[i].TLS
			if tlsConfig == nil {
				continue
			}
			for _, ref := range tlsConfig.CertificateRefs {
				// References that helpers.IsSecret rejects are skipped.
				if !helpers.IsSecret(ref) {
					continue
				}
				// An unset namespace on the reference falls back to the
				// Gateway's namespace; a set one is taken as given.
				key := types.NamespacedName{
					Namespace: helpers.NamespaceDerefOr(ref.Namespace, gateway.Namespace),
					Name:      string(ref.Name),
				}
				requests = append(requests, reconcile.Request{NamespacedName: key})
				// Only the namespace/name pair is logged, never Secret data.
				entry.WithField("secret", key).Debug("Enqueued secret for gateway")
			}
		}
		return requests
	}

	return handler.EnqueueRequestsFromMapFunc(mapGatewayToSecrets)
}

// IsReferencedByCiliumGateway reports whether at least one Gateway returned by
// getGatewaysForSecret for obj passes hasMatchingController for controllerName.
//
// The logger parameter is accepted but not used in the body.
//
// NOTE(review): which Gateways count as referencing obj, including any
// cross-namespace or ReferenceGrant handling, is decided inside
// getGatewaysForSecret, which is not shown here; verify it there.
func IsReferencedByCiliumGateway(ctx context.Context, c client.Client, logger logrus.FieldLogger, obj *corev1.Secret) bool {
	for _, candidate := range getGatewaysForSecret(ctx, c, obj) {
		if !hasMatchingController(ctx, c, controllerName)(candidate) {
			continue
		}
		return true
	}
	return false
}