http-route-controller: watch ReferencePolicy lifecycle

internal/k8s/controllers/http_route_controller.go

@@ -3,7 +3,14 @@ package controllers
 import (
 	"context"
 
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 	gateway "sigs.k8s.io/gateway-api/apis/v1alpha2"
 
 	"github.com/hashicorp/consul-api-gateway/internal/k8s/gatewayclient"
@@ -53,5 +60,126 @@ func (r *HTTPRouteReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 func (r *HTTPRouteReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&gateway.HTTPRoute{}).
+		Watches(
+			&source.Kind{Type: &gateway.ReferencePolicy{}},
+			handler.EnqueueRequestsFromMapFunc(r.referencePolicyToRouteRequests),
+		).
 		Complete(gatewayclient.NewRequeueingMiddleware(r.Log, r))
 }
+
+// For UpdateEvents which contain both a new and old object, this transformation
+// function is run on both objects and both sets of Requests are enqueued.
+//
+// This is needed to reconcile any objects matched by  both current and prior
+// state in case a ReferencePolicy has been modified to revoke permission from a
+// namespace or to a service
+//
+// It may be possible to improve performance here by filtering Routes by
+// BackendRefs selectable by the To fields, but currently we just revalidate
+// all Routes allowed in the From Namespaces
+func (r *HTTPRouteReconciler) referencePolicyToRouteRequests(object client.Object) []reconcile.Request {
+	// TODO: Is there a safer way I could typecheck this with
+	// object.GetObjectKind() or something before casting?
+	refPolicy := *object.(*gateway.ReferencePolicy)
+	r.Log.Info("event for ReferencePolicy", "object", refPolicy)
+
+	routes := r.getRoutesAffectedByReferencePolicy(refPolicy)
+	requests := []reconcile.Request{}
+
+	for _, route := range routes {
+		requests = append(requests, reconcile.Request{
+			NamespacedName: types.NamespacedName{
+				Name:      route.Name,
+				Namespace: route.Namespace,
+			},
+		})
+	}
+
+	return requests
+}
+
+func (r *HTTPRouteReconciler) getRoutesAffectedByReferencePolicy(refPolicy gateway.ReferencePolicy) []gateway.HTTPRoute {
+	matches := []gateway.HTTPRoute{}
+
+	// toSelectors := []fields.Selector{}
+	// for _, to := range refPolicy.Spec.To {
+	// 	// When empty, the Kubernetes core API group is inferred.
+	// 	group := "core/v1"
+	// 	if to.Group != "" {
+	// 		group = string(to.Group)
+	// 	}
+
+	// 	toSelectors = append(toSelectors, groupKindToFieldSelector(schema.GroupKind{
+	// 		Group: group,
+	// 		Kind:  string(to.Kind),
+	// 	}))
+	// }
+
+	routes := r.getReferencePolicyObjectsFrom(refPolicy)
+
+	// TODO: match only routes with BackendRefs selectable by a
+	// ReferencePolicyTo instead of appending all routes. This seems expensive,
+	// so not sure if it would actually improve performance or not.
+	matches = append(matches, routes...)
+
+	// for _, route := range routes {
+	// 	routeMatched := false
+
+	// 	// TODO: should this use reflection to handle xRoute types? seems expensive
+	// 	for _, rule := range route.Spec.Rules {
+	// 		for range rule.BackendRefs {
+	// 			// Check if backendRef.BackendObjectReference is selectable by
+	// 			// the requirements in any refPolicy.Spec.To
+	// 			for _, selector := range toSelectors {
+	// 				if selector.Matches(fields.Set{
+	//                  "kind": backendRef.BackendObjectReference.Kind
+	//                  "metadata.name": backendRef.BackendObjectReference.Name
+	// 				}) {
+	// 					routeMatched = true
+	// 					matches = append(matches, route)
+
+	// 					// Exit toSelectors loop early if route has already been matched
+	// 					if routeMatched {
+	// 						break
+	// 					}
+	// 				}
+	// 			}
+
+	// 			// Exit BackendRefs loop early if route has already been matched
+	// 			if routeMatched {
+	// 				break
+	// 			}
+	// 		}
+
+	// 		// Exit Rules loop early if route has already been matched
+	// 		if routeMatched {
+	// 			break
+	// 		}
+	// 	}
+	// }
+
+	return matches
+}
+
+func (r *HTTPRouteReconciler) getReferencePolicyObjectsFrom(refPolicy gateway.ReferencePolicy) []gateway.HTTPRoute {
+	matches := []gateway.HTTPRoute{}
+
+	for _, from := range refPolicy.Spec.From {
+		// TODO: search by from.Group and from.Kind instead of assuming HTTPRoute
+		routes, err := r.Client.GetHTTPRoutesInNamespace(context.TODO(), string(from.Namespace))
+		if err != nil {
+			// TODO: is there a better way to handle this error?
+			return matches
+		}
+
+		matches = append(matches, routes...)
+	}
+
+	return matches
+}
+
+func groupKindToFieldSelector(gk schema.GroupKind) fields.Selector {
+	return fields.SelectorFromSet(fields.Set{
+		"kind": gk.Kind,
+	})
+}

internal/k8s/controllers/http_route_controller_test.go

@@ -6,12 +6,22 @@ import (
 
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	gw "sigs.k8s.io/gateway-api/apis/v1alpha2"
 
+	"github.com/hashicorp/consul-api-gateway/internal/k8s/gatewayclient"
 	"github.com/hashicorp/consul-api-gateway/internal/k8s/gatewayclient/mocks"
 	reconcilerMocks "github.com/hashicorp/consul-api-gateway/internal/k8s/reconciler/mocks"
 	"github.com/hashicorp/go-hclog"
+
+	apigwv1alpha1 "github.com/hashicorp/consul-api-gateway/pkg/apis/v1alpha1"
 )
 
 var (
@@ -75,3 +85,104 @@ func TestHTTPRoute(t *testing.T) {
 		})
 	}
 }
+
+func TestHTTPRouteReferencePolicyToRouteRequests(t *testing.T) {
+	t.Parallel()
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	serviceNamespace := gw.Namespace("namespace3")
+
+	backendObjRef := gw.BackendObjectReference{
+		Name:      gw.ObjectName("service"),
+		Namespace: &serviceNamespace,
+	}
+
+	httpRouteSpec := gw.HTTPRouteSpec{
+		Rules: []gw.HTTPRouteRule{{
+			BackendRefs: []gw.HTTPBackendRef{{
+				BackendRef: gw.BackendRef{
+					BackendObjectReference: backendObjRef,
+				},
+			}},
+		}},
+	}
+
+	refPolicy := gw.ReferencePolicy{
+		TypeMeta:   metav1.TypeMeta{Kind: "ReferencePolicy"},
+		ObjectMeta: metav1.ObjectMeta{Namespace: "namespace3"},
+		Spec: gw.ReferencePolicySpec{
+			From: []gw.ReferencePolicyFrom{{
+				Group:     "gateway.networking.k8s.io",
+				Kind:      "HTTPRoute",
+				Namespace: "namespace1",
+			}},
+			To: []gw.ReferencePolicyTo{{
+				Kind: "Service",
+			}},
+		},
+	}
+
+	gatewayclient := NewTestClient(
+		&gw.HTTPRouteList{
+			Items: []gw.HTTPRoute{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "httproute",
+						Namespace: "namespace1",
+					},
+					Spec: httpRouteSpec,
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "httproute",
+						Namespace: "namespace2",
+					},
+					Spec: httpRouteSpec,
+				},
+			},
+		},
+		&refPolicy,
+	)
+
+	controller := &HTTPRouteReconciler{
+		Client:         gatewayclient,
+		Log:            hclog.NewNullLogger(),
+		ControllerName: mockControllerName,
+		Manager:        reconcilerMocks.NewMockReconcileManager(ctrl),
+	}
+
+	requests := controller.referencePolicyToRouteRequests(&refPolicy)
+
+	// FIXME: This should only request reconciliation for the one HTTPRoute in the
+	// allowed namespace
+	//
+	// require.Equal(t, 1, len(requests))
+	require.Equal(t, []reconcile.Request{{
+		NamespacedName: types.NamespacedName{
+			Name:      "httproute",
+			Namespace: "namespace1",
+		},
+	}}, requests)
+}
+
+// FIXME: this should be refactored into a test utility package
+func NewTestClient(list client.ObjectList, objects ...client.Object) gatewayclient.Client {
+	scheme := runtime.NewScheme()
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+	utilruntime.Must(gw.AddToScheme(scheme))
+	apigwv1alpha1.RegisterTypes(scheme)
+
+	builder := fake.
+		NewClientBuilder().
+		WithScheme(scheme)
+	if list != nil {
+		builder = builder.WithLists(list)
+	}
+	if len(objects) > 0 {
+		builder = builder.WithObjects(objects...)
+	}
+
+	return gatewayclient.New(builder.Build(), scheme, "")
+}

internal/k8s/gatewayclient/gatewayclient.go

@@ -33,6 +33,7 @@ type Client interface {
 	GetSecret(ctx context.Context, key types.NamespacedName) (*core.Secret, error)
 	GetService(ctx context.Context, key types.NamespacedName) (*core.Service, error)
 	GetHTTPRoute(ctx context.Context, key types.NamespacedName) (*gateway.HTTPRoute, error)
+	GetHTTPRoutesInNamespace(ctx context.Context, ns string) ([]gateway.HTTPRoute, error)
 	GetTCPRoute(ctx context.Context, key types.NamespacedName) (*gateway.TCPRoute, error)
 	GetMeshService(ctx context.Context, key types.NamespacedName) (*apigwv1alpha1.MeshService, error)
 	GetNamespace(ctx context.Context, key types.NamespacedName) (*core.Namespace, error)
@@ -250,6 +251,15 @@ func (g *gatewayClient) GetHTTPRoute(ctx context.Context, key types.NamespacedNa
 	return route, nil
 }
 
+// TODO: Make this generic over Group and Kind, returning []client.Object
+func (g *gatewayClient) GetHTTPRoutesInNamespace(ctx context.Context, ns string) ([]gateway.HTTPRoute, error) {
+	routeList := &gateway.HTTPRouteList{}
+	if err := g.Client.List(ctx, routeList, client.InNamespace(ns)); err != nil {
+		return []gateway.HTTPRoute{}, NewK8sError(err)
+	}
+	return routeList.Items, nil
+}
+
 func (g *gatewayClient) GetTCPRoute(ctx context.Context, key types.NamespacedName) (*gateway.TCPRoute, error) {
 	route := &gateway.TCPRoute{}
 	if err := g.Client.Get(ctx, key, route); err != nil {

internal/k8s/gatewayclient/gatewayclient_test.go

@@ -100,6 +100,25 @@ func TestGetHTTPRoute(t *testing.T) {
 	require.NotNil(t, route)
 }
 
+func TestGetHTTPRoutesInNamespace(t *testing.T) {
+	t.Parallel()
+
+	gatewayclient := newTestClient(nil, &gateway.HTTPRoute{
+		ObjectMeta: meta.ObjectMeta{
+			Name:      "httproute",
+			Namespace: "namespace1",
+		},
+	})
+
+	routes, err := gatewayclient.GetHTTPRoutesInNamespace(context.Background(), "namespace1")
+	require.NoError(t, err)
+	require.Equal(t, len(routes), 1)
+
+	routes, err = gatewayclient.GetHTTPRoutesInNamespace(context.Background(), "namespace2")
+	require.NoError(t, err)
+	require.Equal(t, len(routes), 0)
+}
+
 func TestGetGatewayClass(t *testing.T) {
 	t.Parallel()