Merge pull request #1 from zac-nixon/znixon/kelly/auth

kellyyan · web-flow · commit 885756c1042a · 2025-04-10T15:26:50.000-07:00
auth changes
diff --git a/controllers/ingress/eventhandlers/ingress_class_params_events.go b/controllers/ingress/eventhandlers/ingress_class_params_events.go
@@ -61,8 +61,8 @@ func (h *enqueueRequestsForIngressClassParamsEvent) Delete(ctx context.Context,
 	h.enqueueImpactedIngressClasses(ctx, ingClassParamsOld)
 }
 
-func (h *enqueueRequestsForIngressClassParamsEvent) Generic(context.Context, event.TypedGenericEvent[*elbv2api.IngressClassParams], workqueue.TypedRateLimitingInterface[reconcile.Request]) {
-	// we don't have any generic event for secrets.
+func (h *enqueueRequestsForIngressClassParamsEvent) Generic(ctx context.Context, e event.TypedGenericEvent[*elbv2api.IngressClassParams], _ workqueue.TypedRateLimitingInterface[reconcile.Request]) {
+	h.enqueueImpactedIngressClasses(ctx, e.Object)
 }
 
 func (h *enqueueRequestsForIngressClassParamsEvent) enqueueImpactedIngressClasses(ctx context.Context, ingClassParams *elbv2api.IngressClassParams) {
diff --git a/controllers/ingress/eventhandlers/secret_events.go b/controllers/ingress/eventhandlers/secret_events.go
@@ -2,6 +2,7 @@ package eventhandlers
 
 import (
 	"context"
+	elbv2api "sigs.k8s.io/aws-load-balancer-controller/apis/elbv2/v1beta1"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	"github.com/go-logr/logr"
@@ -18,11 +19,12 @@ import (
 )
 
 // NewEnqueueRequestsForSecretEvent constructs new enqueueRequestsForSecretEvent.
-func NewEnqueueRequestsForSecretEvent(ingEventChan chan<- event.TypedGenericEvent[*networking.Ingress], svcEventChan chan<- event.TypedGenericEvent[*corev1.Service],
+func NewEnqueueRequestsForSecretEvent(ingEventChan chan<- event.TypedGenericEvent[*networking.Ingress], svcEventChan chan<- event.TypedGenericEvent[*corev1.Service], icpEventChan chan<- event.TypedGenericEvent[*elbv2api.IngressClassParams],
 	k8sClient client.Client, eventRecorder record.EventRecorder, logger logr.Logger) handler.TypedEventHandler[*corev1.Secret, reconcile.Request] {
 	return &enqueueRequestsForSecretEvent{
 		ingEventChan:  ingEventChan,
 		svcEventChan:  svcEventChan,
+		icpEventChan:  icpEventChan,
 		k8sClient:     k8sClient,
 		eventRecorder: eventRecorder,
 		logger:        logger,
@@ -34,6 +36,7 @@ var _ handler.TypedEventHandler[*corev1.Secret, reconcile.Request] = (*enqueueRe
 type enqueueRequestsForSecretEvent struct {
 	ingEventChan  chan<- event.TypedGenericEvent[*networking.Ingress]
 	svcEventChan  chan<- event.TypedGenericEvent[*corev1.Service]
+	icpEventChan  chan<- event.TypedGenericEvent[*elbv2api.IngressClassParams]
 	k8sClient     client.Client
 	eventRecorder record.EventRecorder
 	logger        logr.Logger
@@ -69,7 +72,7 @@ func (h *enqueueRequestsForSecretEvent) Generic(ctx context.Context, e event.Typ
 	h.enqueueImpactedObjects(ctx, secretObj)
 }
 
-func (h *enqueueRequestsForSecretEvent) enqueueImpactedObjects(ctx context.Context, secret *corev1.Secret) {
+func (h *enqueueRequestsForSecretEvent) enqueueImpactedObjects(_ context.Context, secret *corev1.Secret) {
 	secretKey := k8s.NamespacedName(secret)
 
 	ingList := &networking.IngressList{}
@@ -79,6 +82,7 @@ func (h *enqueueRequestsForSecretEvent) enqueueImpactedObjects(ctx context.Conte
 		h.logger.Error(err, "failed to fetch ingresses")
 		return
 	}
+
 	for index := range ingList.Items {
 		ing := &ingList.Items[index]
 
@@ -107,4 +111,27 @@ func (h *enqueueRequestsForSecretEvent) enqueueImpactedObjects(ctx context.Conte
 			Object: svc,
 		}
 	}
+
+	if h.icpEventChan == nil {
+		return
+	}
+
+	ingressClassParamsList := &elbv2api.IngressClassParamsList{}
+	if err := h.k8sClient.List(context.Background(), ingressClassParamsList,
+		client.InNamespace(""),
+		client.MatchingFields{ingress.IndexKeyIngressClassParamsSecretRefName: secret.GetName()}); err != nil {
+		h.logger.Error(err, "failed to fetch ingress class params")
+		return
+	}
+
+	for index := range ingressClassParamsList.Items {
+		icp := &ingressClassParamsList.Items[index]
+
+		h.logger.Info("enqueue ingress class for secret event",
+			"secret", secretKey,
+			"icp", k8s.NamespacedName(icp))
+		h.icpEventChan <- event.TypedGenericEvent[*elbv2api.IngressClassParams]{
+			Object: icp,
+		}
+	}
 }
diff --git a/controllers/ingress/group_controller.go b/controllers/ingress/group_controller.go
@@ -3,7 +3,6 @@ package ingress
 import (
 	"context"
 	"fmt"
-
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
@@ -44,7 +43,10 @@ const (
 	// the groupVersion of used Ingress & IngressClass resource.
 	ingressResourcesGroupVersion = "networking.k8s.io/v1"
 	ingressClassKind             = "IngressClass"
-	ingressClassParams           = "IngressClassParams"
+
+	// the groupVersion of used by IngressClassParams resource.
+	ingressClassParamsResourcesGroupVersion = "elbv2.k8s.aws/v1beta1"
+	ingressClassParamsKind                  = "IngressClassParams"
 )
 
 // NewGroupReconciler constructs new GroupReconciler
@@ -278,14 +280,20 @@ func (r *groupReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager
 		return err
 	}
 
-	resList, err := clientSet.ServerResourcesForGroupVersion(ingressResourcesGroupVersion)
+	ingressClassResourceList, err := clientSet.ServerResourcesForGroupVersion(ingressResourcesGroupVersion)
 	if err != nil {
 		return err
 	}
 
-	ingressClassParamsAvailable := isResourceKindAvailable(resList, ingressClassParams)
-	ingressClassResourceAvailable := isResourceKindAvailable(resList, ingressClassKind)
-	if err := r.setupIndexes(ctx, mgr.GetFieldIndexer(), ingressClassParamsAvailable, ingressClassResourceAvailable); err != nil {
+	ingressClassParamsResourceList, err := clientSet.ServerResourcesForGroupVersion(ingressClassParamsResourcesGroupVersion)
+	if err != nil {
+		return err
+	}
+
+	ingressClassResourceAvailable := isResourceKindAvailable(ingressClassResourceList, ingressClassKind)
+
+	ingressClassParamsResourceAvailable := isResourceKindAvailable(ingressClassParamsResourceList, ingressClassParamsKind)
+	if err := r.setupIndexes(ctx, mgr.GetFieldIndexer(), ingressClassResourceAvailable, ingressClassParamsResourceAvailable); err != nil {
 		return err
 	}
 	if err := r.setupWatches(ctx, c, mgr, ingressClassResourceAvailable, clientSet); err != nil {
@@ -294,7 +302,7 @@ func (r *groupReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager
 	return nil
 }
 
-func (r *groupReconciler) setupIndexes(ctx context.Context, fieldIndexer client.FieldIndexer, ingressClassParamsAvailable bool, ingressClassResourceAvailable bool) error {
+func (r *groupReconciler) setupIndexes(ctx context.Context, fieldIndexer client.FieldIndexer, ingressClassResourceAvailable bool, ingressClassParamsResourceAvailable bool) error {
 	// Service indexes
 	if err := fieldIndexer.IndexField(ctx, &networking.Ingress{}, ingress.IndexKeyServiceRefName,
 		func(obj client.Object) []string {
@@ -304,21 +312,6 @@ func (r *groupReconciler) setupIndexes(ctx context.Context, fieldIndexer client.
 		return err
 	}
 
-	// Secret indexes
-	if ingressClassParamsAvailable {
-		if err := fieldIndexer.IndexField(ctx, &elbv2api.IngressClassParams{}, ingress.IndexKeySecretRefName,
-			func(obj client.Object) []string {
-				ingClassParamsObj := obj.(*elbv2api.IngressClassParams)
-				if ingClassParamsObj.Spec.AuthConfig != nil && ingClassParamsObj.Spec.AuthConfig.IDPConfigOIDC != nil {
-					return []string{ingClassParamsObj.Spec.AuthConfig.IDPConfigOIDC.SecretName}
-				}
-				return nil
-			},
-		); err != nil {
-			return err
-		}
-	}
-
 	if err := fieldIndexer.IndexField(ctx, &networking.Ingress{}, ingress.IndexKeySecretRefName,
 		func(obj client.Object) []string {
 			return r.referenceIndexer.BuildSecretRefIndexes(context.Background(), &elbv2api.IngressClassParams{}, obj.(*networking.Ingress))
@@ -351,6 +344,16 @@ func (r *groupReconciler) setupIndexes(ctx context.Context, fieldIndexer client.
 			return err
 		}
 	}
+
+	if ingressClassParamsResourceAvailable {
+		if err := fieldIndexer.IndexField(ctx, &elbv2api.IngressClassParams{}, ingress.IndexKeyIngressClassParamsSecretRefName,
+			func(obj client.Object) []string {
+				return r.referenceIndexer.BuildIngressClassParamsSecretIndexes(context.Background(), obj.(*elbv2api.IngressClassParams))
+			},
+		); err != nil {
+			return err
+		}
+	}
 	return nil
 }
 
@@ -362,8 +365,7 @@ func (r *groupReconciler) setupWatches(_ context.Context, c controller.Controlle
 		r.logger.WithName("eventHandlers").WithName("ingress"))
 	svcEventHandler := eventhandlers.NewEnqueueRequestsForServiceEvent(ingEventChan, r.k8sClient, r.eventRecorder,
 		r.logger.WithName("eventHandlers").WithName("service"))
-	secretEventHandler := eventhandlers.NewEnqueueRequestsForSecretEvent(ingEventChan, svcEventChan, r.k8sClient, r.eventRecorder,
-		r.logger.WithName("eventHandlers").WithName("secret"))
+
 	if err := c.Watch(source.Channel(ingEventChan, ingEventHandler)); err != nil {
 		return err
 	}
@@ -376,15 +378,11 @@ func (r *groupReconciler) setupWatches(_ context.Context, c controller.Controlle
 	if err := c.Watch(source.Kind(mgr.GetCache(), &corev1.Service{}, svcEventHandler)); err != nil {
 		return err
 	}
-	// Add this watch for Secrets
-	if err := c.Watch(source.Kind(mgr.GetCache(), &corev1.Secret{}, secretEventHandler)); err != nil {
-		return err
-	}
-	if err := c.Watch(source.Channel(secretEventsChan, secretEventHandler)); err != nil {
-		return err
-	}
+
+	var ingressClassParamsEventChan chan event.TypedGenericEvent[*elbv2api.IngressClassParams]
 	if ingressClassResourceAvailable {
 		ingClassEventChan := make(chan event.TypedGenericEvent[*networking.IngressClass])
+		ingressClassParamsEventChan = make(chan event.TypedGenericEvent[*elbv2api.IngressClassParams])
 		ingClassParamsEventHandler := eventhandlers.NewEnqueueRequestsForIngressClassParamsEvent(ingClassEventChan, r.k8sClient, r.eventRecorder,
 			r.logger.WithName("eventHandlers").WithName("ingressClassParams"))
 		ingClassEventHandler := eventhandlers.NewEnqueueRequestsForIngressClassEvent(ingEventChan, r.k8sClient, r.eventRecorder,
@@ -398,7 +396,21 @@ func (r *groupReconciler) setupWatches(_ context.Context, c controller.Controlle
 		if err := c.Watch(source.Kind(mgr.GetCache(), &networking.IngressClass{}, ingClassEventHandler)); err != nil {
 			return err
 		}
+		if err := c.Watch(source.Channel(ingressClassParamsEventChan, ingClassParamsEventHandler)); err != nil {
+			return err
+		}
 	}
+
+	secretEventHandler := eventhandlers.NewEnqueueRequestsForSecretEvent(ingEventChan, svcEventChan, ingressClassParamsEventChan, r.k8sClient, r.eventRecorder,
+		r.logger.WithName("eventHandlers").WithName("secret"))
+	// Add this watch for Secrets
+	if err := c.Watch(source.Kind(mgr.GetCache(), &corev1.Secret{}, secretEventHandler)); err != nil {
+		return err
+	}
+	if err := c.Watch(source.Channel(secretEventsChan, secretEventHandler)); err != nil {
+		return err
+	}
+
 	r.secretsManager = k8s.NewSecretsManager(clientSet, secretEventsChan, ctrl.Log.WithName("secrets-manager"))
 	return nil
 }
diff --git a/pkg/ingress/reference_indexer.go b/pkg/ingress/reference_indexer.go
@@ -20,6 +20,8 @@ const (
 	IndexKeyIngressClassRefName = "ingress.ingressClassRef.name"
 	// IndexKeyIngressClassParamsRefName is index key for ingressClassParams referenced by IngressClass
 	IndexKeyIngressClassParamsRefName = "ingressClass.ingressClassParamsRef.name"
+	// IndexKeyIngressClassParamsSecretRefName is index key for secrets referenced by IngressClassParams
+	IndexKeyIngressClassParamsSecretRefName = "ingressClass.ingressClassParamsRef.secret"
 )
 
 // ReferenceIndexer has the ability to index Ingresses with referenced objects
@@ -32,6 +34,8 @@ type ReferenceIndexer interface {
 	BuildIngressClassRefIndexes(ctx context.Context, ing *networking.Ingress) []string
 	// BuildIngressClassParamsRefIndexes returns the name of related IngressClassParams objects
 	BuildIngressClassParamsRefIndexes(ctx context.Context, ingClass *networking.IngressClass) []string
+	// BuildIngressClassParamsSecretIndexes returns the secret names that the ingress class param references
+	BuildIngressClassParamsSecretIndexes(ctx context.Context, ingressClassParams *elbv2api.IngressClassParams) []string
 }
 
 // NewDefaultReferenceIndexer constructs new defaultReferenceIndexer
@@ -121,6 +125,16 @@ func (i *defaultReferenceIndexer) BuildIngressClassParamsRefIndexes(_ context.Co
 	return []string{ingClassParamsName}
 }
 
+func (i *defaultReferenceIndexer) BuildIngressClassParamsSecretIndexes(_ context.Context, ingressClassParams *elbv2api.IngressClassParams) []string {
+	if ingressClassParams == nil {
+		return nil
+	}
+	if ingressClassParams.Spec.AuthConfig != nil && ingressClassParams.Spec.AuthConfig.IDPConfigOIDC != nil && ingressClassParams.Spec.AuthConfig.IDPConfigOIDC.SecretName != "" {
+		return []string{ingressClassParams.Spec.AuthConfig.IDPConfigOIDC.SecretName}
+	}
+	return nil
+}
+
 func extractServiceNamesFromAction(action Action) []string {
 	if action.Type != ActionTypeForward || action.ForwardConfig == nil {
 		return nil

Original file line number	Diff line number	Diff line change
`@@ -61,8 +61,8 @@ func (h *enqueueRequestsForIngressClassParamsEvent) Delete(ctx context.Context,`
`61`	`61`	`h.enqueueImpactedIngressClasses(ctx, ingClassParamsOld)`
`62`	`62`	`}`
`63`	`63`
`64`		`-func (h enqueueRequestsForIngressClassParamsEvent) Generic(context.Context, event.TypedGenericEvent[elbv2api.IngressClassParams], workqueue.TypedRateLimitingInterface[reconcile.Request]) {`
`65`		`- // we don't have any generic event for secrets.`
	`64`	`+func (h enqueueRequestsForIngressClassParamsEvent) Generic(ctx context.Context, e event.TypedGenericEvent[elbv2api.IngressClassParams], _ workqueue.TypedRateLimitingInterface[reconcile.Request]) {`
	`65`	`+ h.enqueueImpactedIngressClasses(ctx, e.Object)`
`66`	`66`	`}`
`67`	`67`
`68`	`68`	`func (h enqueueRequestsForIngressClassParamsEvent) enqueueImpactedIngressClasses(ctx context.Context, ingClassParams elbv2api.IngressClassParams) {`