[Backport release/3.4.x] fix(translator): check gateway class and do not skip listeners when gateway class is not managed by KIC (#7718)

* fix(translator): check gateway class and do not skip listeners when gateway class is not managed by KIC (#7666)

* check gateway class and do not skip listeners when gateway class is not managed by KIC

* update changelog

* store gatewayclass into cache in gwc controller

* fix comments and move gwc controller name check after getting gwc

(cherry picked from commit 2562662)

* fix changelog

Author: randmonkey

CHANGELOG.md

@@ -112,6 +112,12 @@ Adding a new version? You'll need three changes:
 
 ### Fixed
 
+- Do not skip the gateway listeners without `Programmed` condition set to `True`
+  when the gateway class does not contain `konghq.com/gateway-unmanaged`
+  annotation in extracting certificates from listeners. This fixes the issue
+  that KIC deletes the certificates of listeners on dataplane pods deleted when
+  KIC is running under the control of Kong gateway operator.
+  [#7666](https://github.com/Kong/kubernetes-ingress-controller/pull/7666)
 - Add `request-termination` plugin to return `500` if there are no available
   `backendRef` only when the service is translated from `HTTPRoute` or
   `GRPCRoute`.
@@ -4112,8 +4118,8 @@ Please read the changelog and test in your environment.
  - The initial versions  were rapildy iterated to deliver
    a working ingress controller.
 
-[3.4.6]: https://github.com/kong/kubernetes-ingress-controller/compare/v3.4.7...v3.4.8
-[3.4.5]: https://github.com/kong/kubernetes-ingress-controller/compare/v3.4.6...v3.4.7
+[3.4.8]: https://github.com/kong/kubernetes-ingress-controller/compare/v3.4.7...v3.4.8
+[3.4.7]: https://github.com/kong/kubernetes-ingress-controller/compare/v3.4.6...v3.4.7
 [3.4.6]: https://github.com/kong/kubernetes-ingress-controller/compare/v3.4.5...v3.4.6
 [3.4.5]: https://github.com/kong/kubernetes-ingress-controller/compare/v3.4.4...v3.4.5
 [3.4.4]: https://github.com/kong/kubernetes-ingress-controller/compare/v3.4.3...v3.4.4

hack/generators/cache-stores/spec.go

@@ -60,6 +60,11 @@ var supportedTypes = []cacheStoreSupportedType{
 		Type:    "Gateway",
 		Package: "gatewayapi",
 	},
+	{
+		Type:    "GatewayClass",
+		Package: "gatewayapi",
+		KeyFunc: clusterWideKeyFunc,
+	},
 	{
 		Type:    "BackendTLSPolicy",
 		Package: "gatewayapi",

internal/controllers/gateway/gateway_controller.go

@@ -143,6 +143,8 @@ func (r *GatewayReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Log:              r.Log.WithName(strings.ToUpper(gatewayapi.V1GroupVersion) + "GatewayClass"),
 		Scheme:           r.Scheme,
 		CacheSyncTimeout: r.CacheSyncTimeout,
+
+		DataplaneClient: r.DataplaneClient,
 	}
 
 	return gwcCTRL.SetupWithManager(mgr)
@@ -181,6 +183,7 @@ func (r *GatewayReconciler) gatewayHasMatchingGatewayClass(obj client.Object) bo
 		r.Log.Error(err, "Could not retrieve gatewayclass", "gatewayclass", gateway.Spec.GatewayClassName)
 		return false
 	}
+
 	return isGatewayClassControlled(gatewayClass)
 }
 

internal/controllers/gateway/gatewayclass_controller.go

@@ -18,6 +18,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
+	"github.com/kong/kubernetes-ingress-controller/v3/internal/controllers"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/gatewayapi"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/logging"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/util"
@@ -59,6 +60,8 @@ type GatewayClassReconciler struct { //nolint:revive
 	Log              logr.Logger
 	Scheme           *runtime.Scheme
 	CacheSyncTimeout time.Duration
+
+	DataplaneClient controllers.DataPlane
 }
 
 // SetupWithManager sets up the controller with the Manager.
@@ -144,6 +147,13 @@ func (r *GatewayClassReconciler) Reconcile(ctx context.Context, req ctrl.Request
 			setGatewayClassCondition(gwc, acceptedCondtion)
 			return ctrl.Result{}, r.Status().Update(ctx, pruneGatewayClassStatusConds(gwc))
 		}
+
+		// Add the gatewayclass to the translation cache if the gatewayclass is managed by the KIC instance.
+		err := r.DataplaneClient.UpdateObject(gwc)
+		if err != nil {
+			debug(log, gwc, "Failed to update GatewayClass in dataplane, requeueing")
+			return ctrl.Result{}, err
+		}
 	}
 
 	return ctrl.Result{}, nil

internal/dataplane/fallback/graph_dependencies.go

@@ -62,6 +62,7 @@ func ResolveDependencies(cache store.CacheStores, obj client.Object) ([]client.O
 		*discoveryv1.EndpointSlice,
 		*gatewayapi.ReferenceGrant,
 		*gatewayapi.Gateway,
+		*gatewayapi.GatewayClass,
 		*gatewayapi.BackendTLSPolicy,
 		*configurationv1.KongIngress,
 		*configurationv1beta1.KongUpstreamPolicy,

internal/dataplane/kong_client_golden_test.go

@@ -259,7 +259,10 @@ func runKongClientGoldenTest(t *testing.T, tc kongClientGoldenTestCase) {
 	// Create the translator.
 	logger := zapr.NewLogger(zap.NewNop())
 	s := store.New(cacheStores, "kong", logger)
-	p, err := translator.NewTranslator(logger, s, "", tc.featureFlags, fakeSchemaServiceProvier{}, consts.DefaultClusterDomain)
+	translatorConfig := translator.Config{
+		ClusterDomain: consts.DefaultClusterDomain,
+	}
+	p, err := translator.NewTranslator(logger, s, "", tc.featureFlags, fakeSchemaServiceProvier{}, translatorConfig)
 	require.NoError(t, err, "failed creating translator")
 
 	// Start a mock Admin API server and create an Admin API client for inspecting the configuration.

internal/dataplane/translator/translate_certs.go

@@ -9,9 +9,11 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/kong/go-kong/kong"
+	"github.com/samber/lo"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"github.com/kong/kubernetes-ingress-controller/v3/internal/annotations"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/dataplane/kongstate"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/gatewayapi"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/logging"
@@ -55,11 +57,21 @@ func (t *Translator) getGatewayCerts() []certWrapper {
 		return certs
 	}
 	for _, gateway := range gateways {
-		statuses := make(map[gatewayapi.SectionName]gatewayapi.ListenerStatus, len(gateway.Status.Listeners))
-		for _, status := range gateway.Status.Listeners {
-			statuses[status.Name] = status
+		gwc, err := s.GetGatewayClass(string(gateway.Spec.GatewayClassName))
+		if err != nil {
+			logger.Error(err, "Failed to get GatewayClass for Gateway, skipping", "gateway", gateway.Name, "gateway_class", gateway.Spec.GatewayClassName)
+			continue
 		}
 
+		// Skip the gateway when the gateway's GatewayClass is not controlled by the KIC instance.
+		if gwc.Spec.ControllerName != gatewayapi.GatewayController(t.gatewayControllerName) {
+			continue
+		}
+
+		statuses := lo.SliceToMap(gateway.Status.Listeners, func(status gatewayapi.ListenerStatus) (gatewayapi.SectionName, gatewayapi.ListenerStatus) {
+			return status.Name, status
+		})
+
 		for _, listener := range gateway.Spec.Listeners {
 			status, ok := statuses[listener.Name]
 			if !ok {
@@ -72,14 +84,18 @@ func (t *Translator) getGatewayCerts() []certWrapper {
 				continue
 			}
 
-			// Check if listener is marked as programmed
-			if !util.CheckCondition(
-				status.Conditions,
-				util.ConditionType(gatewayapi.ListenerConditionProgrammed),
-				util.ConditionReason(gatewayapi.ListenerReasonProgrammed),
-				metav1.ConditionTrue,
-				gateway.Generation,
-			) {
+			// Check if listener is marked as programmed when the gateway's GatewayClass has the "Unmanaged" annotation.
+			// If the GatewayClass does not have the annotation, the gateway is considered to be managed by other components (for example Kong Operator),
+			// so we do not check the "Programmed" condition before extracting the certificate from the listener
+			// to prevent unexpected deletion of certificates when the instance is managed by Kong Operator.
+			if annotations.ExtractUnmanagedGatewayClassMode(gwc.Annotations) != "" &&
+				!util.CheckCondition(
+					status.Conditions,
+					util.ConditionType(gatewayapi.ListenerConditionProgrammed),
+					util.ConditionReason(gatewayapi.ListenerReasonProgrammed),
+					metav1.ConditionTrue,
+					gateway.Generation,
+				) {
 				continue
 			}
 

internal/dataplane/translator/translator.go

@@ -105,7 +105,18 @@ type Translator struct {
 	failuresCollector          *failures.ResourceFailuresCollector
 	translatedObjectsCollector *ObjectsCollector
 
-	clusterDomain string
+	clusterDomain         string
+	gatewayControllerName string
+}
+
+// Config is a configuration for the Translator.
+type Config struct {
+	// ClusterDomain is the cluster domain used for translating Kubernetes objects.
+	ClusterDomain string
+
+	// GatewayControllerName is the gateway controller name used by KIC.
+	// GatewayClasses with this controller name in spec.ControllerName are managed by KIC, otherwise they are managed by other  (like Kong Operator).
+	GatewayControllerName string
 }
 
 // NewTranslator produces a new Translator object provided a logging mechanism
@@ -116,7 +127,7 @@ func NewTranslator(
 	workspace string,
 	featureFlags FeatureFlags,
 	schemaServiceProvider SchemaServiceProvider,
-	clusterDomain string,
+	config Config,
 ) (*Translator, error) {
 	failuresCollector := failures.NewResourceFailuresCollector(logger)
 
@@ -134,7 +145,8 @@ func NewTranslator(
 		schemaServiceProvider:      schemaServiceProvider,
 		failuresCollector:          failuresCollector,
 		translatedObjectsCollector: translatedObjectsCollector,
-		clusterDomain:              clusterDomain,
+		clusterDomain:              config.ClusterDomain,
+		gatewayControllerName:      config.GatewayControllerName,
 	}, nil
 }
 

internal/dataplane/translator/translator_test.go

@@ -5103,6 +5103,9 @@ func (p fakeSchemaServiceProvier) GetSchemaService() kong.AbstractSchemaService
 
 func mustNewTranslator(t *testing.T, storer store.Storer) *Translator {
 	logger := zapr.NewLogger(zap.NewNop())
+	translatorConfig := Config{
+		ClusterDomain: consts.DefaultClusterDomain,
+	}
 	p, err := NewTranslator(logger, storer, "",
 		FeatureFlags{
 			// We'll assume these are true for all tests.
@@ -5111,7 +5114,7 @@ func mustNewTranslator(t *testing.T, storer store.Storer) *Translator {
 			KongServiceFacade:                 true,
 		},
 		fakeSchemaServiceProvier{},
-		consts.DefaultClusterDomain,
+		translatorConfig,
 	)
 	require.NoError(t, err)
 	return p

internal/manager/run.go

@@ -210,7 +210,12 @@ func New(
 	cache := store.NewCacheStores()
 	storer := store.New(cache, c.IngressClassName, logger)
 
-	configTranslator, err := translator.NewTranslator(logger, storer, c.KongWorkspace, translatorFeatureFlags, NewSchemaServiceGetter(clientsManager), c.ClusterDomain)
+	configTranslator, err := translator.NewTranslator(logger, storer, c.KongWorkspace, translatorFeatureFlags, NewSchemaServiceGetter(clientsManager),
+		translator.Config{
+			ClusterDomain:         c.ClusterDomain,
+			GatewayControllerName: c.GatewayAPIControllerName,
+		},
+	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create translator: %w", err)
 	}