Fix the auto cert discovery logic for secure listeners on gateways (#4214)

Author: shraddhabang

pkg/gateway/model/model_build_listener.go

@@ -103,7 +103,7 @@ func (l listenerBuilderImpl) buildListenerSpec(ctx context.Context, stack core.S
 	if sslPolicyErr != nil {
 		return &elbv2model.ListenerSpec{}, sslPolicyErr
 	}
-	certificates, certsErr := l.buildCertificates(ctx, gwLsCfg, lbLsCfg)
+	certificates, certsErr := l.buildCertificates(ctx, gw, port, gwLsCfg, lbLsCfg)
 	if certsErr != nil {
 		return &elbv2model.ListenerSpec{}, certsErr
 	}
@@ -253,21 +253,23 @@ func buildListenerAttributes(lsCfg *elbv2gw.ListenerConfiguration) ([]elbv2model
 	return attributes, nil
 }
 
-func (l listenerBuilderImpl) buildCertificates(ctx context.Context, gwLsCfg *gwListenerConfig, lbLsCfg *elbv2gw.ListenerConfiguration) ([]elbv2model.Certificate, error) {
-	// TODO for cert discovery and secure listeners during L7 and L4 gateways implementations
-
+func (l listenerBuilderImpl) buildCertificates(ctx context.Context, gw *gwv1.Gateway, port int32, gwLsCfg *gwListenerConfig, lbLsCfg *elbv2gw.ListenerConfiguration) ([]elbv2model.Certificate, error) {
+	if !isHTTPSOrTLSProtocol(gwLsCfg.protocol) {
+		return []elbv2model.Certificate{}, nil
+	}
 	certs := make([]elbv2model.Certificate, 0)
-
 	// Build explict certs
 	if lbLsCfg != nil {
 		certs = append(certs, l.buildExplicitTLSCertARNs(ctx, *lbLsCfg)...)
 	}
-
-	// Build inferred certs
-	if len(certs) == 0 && lbLsCfg != nil {
-		discoveredCerts, err := l.buildInferredTLSCertARNs(ctx, lbLsCfg.ProtocolPort, gwLsCfg.hostnames)
+	// If any explicit certs are not found then build inferred certs using cert discovery
+	if len(certs) == 0 {
+		if len(gwLsCfg.hostnames) == 0 {
+			return []elbv2model.Certificate{}, errors.Errorf("No hostnames found for TLS cert discovery for listener on gateway %s with protocol:port %s:%v", k8s.NamespacedName(gw), gwLsCfg.protocol, port)
+		}
+		discoveredCerts, err := l.buildInferredTLSCertARNs(ctx, gwLsCfg.hostnames)
 		if err != nil {
-			l.logger.Error(err, "Unable to discover certs for listener")
+			l.logger.Error(err, "Unable to discover certs for listener on gateway %s with protocol:port %s:%v\", k8s.NamespacedName(gw), gwLsCfg.protocol, port")
 			return []elbv2model.Certificate{}, err
 		}
 		for _, cert := range discoveredCerts {
@@ -298,12 +300,7 @@ func (l listenerBuilderImpl) buildExplicitTLSCertARNs(ctx context.Context, liste
 	return certs
 }
 
-func (l listenerBuilderImpl) buildInferredTLSCertARNs(ctx context.Context, protocolPort elbv2gw.ProtocolPort, hostnames []string) ([]string, error) {
-	if len(hostnames) == 0 {
-		l.logger.Info("No hostnames found for TLS cert discovery", "protocolPort", protocolPort)
-		return nil, nil
-	}
-
+func (l listenerBuilderImpl) buildInferredTLSCertARNs(ctx context.Context, hostnames []string) ([]string, error) {
 	hosts := sets.NewString()
 	for _, hostname := range hostnames {
 		hosts.Insert(hostname)

pkg/gateway/model/model_build_listener_test.go

@@ -357,6 +357,8 @@ func Test_buildListenerALPNPolicy(t *testing.T) {
 func TestBuildCertificates(t *testing.T) {
 	tests := []struct {
 		name       string
+		gateway    *gwv1.Gateway
+		port       int32
 		gwLsCfg    *gwListenerConfig
 		lbLsCfg    *elbv2gw.ListenerConfiguration
 		setupMocks func(mockCertDiscovery *certs.MockCertDiscovery)
@@ -365,7 +367,20 @@ func TestBuildCertificates(t *testing.T) {
 	}{
 		{
 			name: "default certificate only - explicit config",
+			gateway: &gwv1.Gateway{
+				Spec: gwv1.GatewaySpec{
+					Listeners: []gwv1.Listener{
+						{
+							Name:     "https",
+							Port:     443,
+							Protocol: gwv1.HTTPSProtocolType,
+						},
+					},
+				},
+			},
+			port: 443,
 			gwLsCfg: &gwListenerConfig{
+				protocol:  elbv2model.ProtocolHTTPS,
 				hostnames: []string{"my-host-1", "my-host-2"},
 			},
 			lbLsCfg: &elbv2gw.ListenerConfiguration{
@@ -379,7 +394,20 @@ func TestBuildCertificates(t *testing.T) {
 		},
 		{
 			name: "multiple certificates without default - explicit config",
+			gateway: &gwv1.Gateway{
+				Spec: gwv1.GatewaySpec{
+					Listeners: []gwv1.Listener{
+						{
+							Name:     "tls",
+							Port:     443,
+							Protocol: gwv1.TLSProtocolType,
+						},
+					},
+				},
+			},
+			port: 443,
 			gwLsCfg: &gwListenerConfig{
+				protocol:  elbv2model.ProtocolTLS,
 				hostnames: []string{"my-host-1", "my-host-2"},
 			},
 			lbLsCfg: &elbv2gw.ListenerConfiguration{
@@ -399,7 +427,20 @@ func TestBuildCertificates(t *testing.T) {
 		},
 		{
 			name: "multiple certificates with default - explicit config",
+			gateway: &gwv1.Gateway{
+				Spec: gwv1.GatewaySpec{
+					Listeners: []gwv1.Listener{
+						{
+							Name:     "https",
+							Port:     443,
+							Protocol: gwv1.HTTPSProtocolType,
+						},
+					},
+				},
+			},
+			port: 443,
 			gwLsCfg: &gwListenerConfig{
+				protocol:  elbv2model.ProtocolHTTPS,
 				hostnames: []string{"my-host-1", "my-host-2"},
 			},
 			lbLsCfg: &elbv2gw.ListenerConfiguration{
@@ -423,7 +464,20 @@ func TestBuildCertificates(t *testing.T) {
 		},
 		{
 			name: "auto-discover certificates for one hosts",
+			gateway: &gwv1.Gateway{
+				Spec: gwv1.GatewaySpec{
+					Listeners: []gwv1.Listener{
+						{
+							Name:     "tls",
+							Port:     443,
+							Protocol: gwv1.TLSProtocolType,
+						},
+					},
+				},
+			},
+			port: 443,
 			gwLsCfg: &gwListenerConfig{
+				protocol:  elbv2model.ProtocolTLS,
 				hostnames: []string{"example.com"},
 			},
 			lbLsCfg: &elbv2gw.ListenerConfiguration{
@@ -444,12 +498,23 @@ func TestBuildCertificates(t *testing.T) {
 		},
 		{
 			name: "auto-discover certificates for hosts",
+			gateway: &gwv1.Gateway{
+				Spec: gwv1.GatewaySpec{
+					Listeners: []gwv1.Listener{
+						{
+							Name:     "tls",
+							Port:     443,
+							Protocol: gwv1.TLSProtocolType,
+						},
+					},
+				},
+			},
+			port: 443,
 			gwLsCfg: &gwListenerConfig{
+				protocol:  elbv2model.ProtocolTLS,
 				hostnames: []string{"example.com", "*.example.org"},
 			},
-			lbLsCfg: &elbv2gw.ListenerConfiguration{
-				ProtocolPort: "TLS:443",
-			},
+			lbLsCfg: nil,
 			setupMocks: func(mockCertDiscovery *certs.MockCertDiscovery) {
 				// The hostnames will be sorted alphabetically by sets.NewString().List()
 				mockCertDiscovery.EXPECT().
@@ -470,7 +535,20 @@ func TestBuildCertificates(t *testing.T) {
 		},
 		{
 			name: "certificate discovery fails",
+			gateway: &gwv1.Gateway{
+				Spec: gwv1.GatewaySpec{
+					Listeners: []gwv1.Listener{
+						{
+							Name:     "https",
+							Port:     443,
+							Protocol: gwv1.HTTPSProtocolType,
+						},
+					},
+				},
+			},
+			port: 443,
 			gwLsCfg: &gwListenerConfig{
+				protocol:  elbv2model.ProtocolHTTPS,
 				hostnames: []string{"example.com"},
 			},
 			lbLsCfg: &elbv2gw.ListenerConfiguration{
@@ -485,15 +563,50 @@ func TestBuildCertificates(t *testing.T) {
 			wantErr: true,
 		},
 		{
-			name: "no hostname for discovery",
+			name: "no hostname for discovery : no secure listeners",
+			gateway: &gwv1.Gateway{
+				Spec: gwv1.GatewaySpec{
+					Listeners: []gwv1.Listener{
+						{
+							Name:     "http",
+							Port:     80,
+							Protocol: gwv1.HTTPProtocolType,
+						},
+					},
+				},
+			},
+			port: 443,
 			gwLsCfg: &gwListenerConfig{
+				protocol:  elbv2model.ProtocolHTTP,
 				hostnames: []string{},
 			},
 			lbLsCfg: &elbv2gw.ListenerConfiguration{
-				ProtocolPort: "HTTPS:443",
+				ProtocolPort: "HTTP:80",
 			},
 			want: []elbv2model.Certificate{},
 		},
+		{
+			name: "no hostname for discovery : secure listeners",
+			gateway: &gwv1.Gateway{
+				Spec: gwv1.GatewaySpec{
+					Listeners: []gwv1.Listener{
+						{
+							Name:     "https",
+							Port:     443,
+							Protocol: gwv1.HTTPSProtocolType,
+						},
+					},
+				},
+			},
+			port: 443,
+			gwLsCfg: &gwListenerConfig{
+				protocol:  elbv2model.ProtocolHTTPS,
+				hostnames: []string{},
+			},
+			lbLsCfg: nil,
+			want:    []elbv2model.Certificate{},
+			wantErr: true,
+		},
 	}
 
 	for _, tt := range tests {
@@ -510,7 +623,7 @@ func TestBuildCertificates(t *testing.T) {
 				certDiscovery: mockCertDiscovery,
 			}
 
-			got, err := builder.buildCertificates(context.Background(), tt.gwLsCfg, tt.lbLsCfg)
+			got, err := builder.buildCertificates(context.Background(), tt.gateway, tt.port, tt.gwLsCfg, tt.lbLsCfg)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("buildCertificates() error = %v, wantErr %v", err, tt.wantErr)
 				return