knative-extensions · knative-prow · Jul 12, 2022 · Jun 28, 2022 · Jun 28, 2022 · Jun 28, 2022
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -39,5 +39,8 @@ metadata:
     app.kubernetes.io/version: devel
 rules:
   - apiGroups: ["gateway.networking.k8s.io"]
-    resources: ["httproutes", "gateways"]
+    resources: ["httproutes", "referencepolicies"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "list", "update", "patch", "watch"]
diff --git a/docs/test-version.md b/docs/test-version.md
@@ -15,5 +15,5 @@ The following Gateway API version and Ingress were tested as part of the release
 
 | Ingress | Tested version          | Unavailable features           |
 | ------- | ----------------------- | ------------------------------ |
-| Istio   | v1.13.2     | tls,retry,httpoption,host-rewrite   |
-| Contour | v1.21.0    | tls,retry,httpoption,basics/http2,websocket,websocket/split,grpc,grpc/split,visibility/path,visibility,update,host-rewrite |
+| Istio   | v1.13.2     | retry,httpoption,host-rewrite   |
+| Contour | v1.21.0    | retry,httpoption,basics/http2,websocket,websocket/split,grpc,grpc/split,visibility/path,visibility,update,host-rewrite |
diff --git a/hack/test-env.sh b/hack/test-env.sh
@@ -16,6 +16,6 @@
 
 export GATEWAY_API_VERSION="v0.4.3"
 export ISTIO_VERSION="1.13.2"
-export ISTIO_UNSUPPORTED_E2E_TESTS="tls,retry,httpoption,host-rewrite"
+export ISTIO_UNSUPPORTED_E2E_TESTS="retry,httpoption,host-rewrite"
 export CONTOUR_VERSION="v1.21.0"
-export CONTOUR_UNSUPPORTED_E2E_TESTS="tls,retry,httpoption,basics/http2,websocket,websocket/split,grpc,grpc/split,visibility/path,visibility,update,host-rewrite"
+export CONTOUR_UNSUPPORTED_E2E_TESTS="retry,httpoption,basics/http2,websocket,websocket/split,grpc,grpc/split,visibility/path,visibility,update,host-rewrite"
diff --git a/pkg/reconciler/ingress/controller.go b/pkg/reconciler/ingress/controller.go
@@ -37,6 +37,7 @@ import (
 	gwapiclient "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/client"
 	gatewayinformer "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/informers/apis/v1alpha2/gateway"
 	httprouteinformer "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/informers/apis/v1alpha2/httproute"
+	referencepolicyinformer "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/informers/apis/v1alpha2/referencepolicy"
 	"knative.dev/net-gateway-api/pkg/reconciler/ingress/config"
 )
 
@@ -55,12 +56,15 @@ func NewController(
 
 	ingressInformer := ingressinformer.Get(ctx)
 	httprouteInformer := httprouteinformer.Get(ctx)
+	referencePolicyInformer := referencepolicyinformer.Get(ctx)
 	gatewayInformer := gatewayinformer.Get(ctx)
 	endpointsInformer := endpointsinformer.Get(ctx)
 
 	c := &Reconciler{
-		gwapiclient:     gwapiclient.Get(ctx),
-		httprouteLister: httprouteInformer.Lister(),
+		gwapiclient:           gwapiclient.Get(ctx),
+		httprouteLister:       httprouteInformer.Lister(),
+		referencePolicyLister: referencePolicyInformer.Lister(),
+		gatewayLister:         gatewayInformer.Lister(),
 	}
 
 	filterFunc := reconciler.AnnotationFilterFunc(networking.IngressClassAnnotationKey, gatewayAPIIngressClassName, false)

diff --git a/pkg/reconciler/ingress/controller_test.go b/pkg/reconciler/ingress/controller_test.go
@@ -32,6 +32,7 @@ import (
 
 	_ "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/informers/apis/v1alpha2/gateway/fake"
 	_ "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/informers/apis/v1alpha2/httproute/fake"
+	_ "knative.dev/net-gateway-api/pkg/client/gatewayapi/injection/informers/apis/v1alpha2/referencepolicy/fake"
 	"knative.dev/net-gateway-api/pkg/reconciler/ingress/config"
 )
 

diff --git a/pkg/reconciler/ingress/ingress.go b/pkg/reconciler/ingress/ingress.go
@@ -27,7 +27,6 @@ import (
 	ingressreconciler "knative.dev/networking/pkg/client/injection/reconciler/networking/v1alpha1/ingress"
 	"knative.dev/networking/pkg/ingress"
 	"knative.dev/networking/pkg/status"
-	"knative.dev/pkg/logging"
 	"knative.dev/pkg/network"
 	pkgreconciler "knative.dev/pkg/reconciler"
 
@@ -49,6 +48,10 @@ type Reconciler struct {
 
 	// Listers index properties about resources
 	httprouteLister gatewayListers.HTTPRouteLister
+
+	referencePolicyLister gatewayListers.ReferencePolicyLister
+
+	gatewayLister gatewayListers.GatewayLister
 }
 
 var (
@@ -58,6 +61,7 @@ var (
 // ReconcileKind implements Interface.ReconcileKind.
 func (c *Reconciler) ReconcileKind(ctx context.Context, ingress *v1alpha1.Ingress) pkgreconciler.Event {
 	reconcileErr := c.reconcileIngress(ctx, ingress)
+
 	if reconcileErr != nil {
 		ingress.Status.MarkIngressNotReady(notReconciledReason, notReconciledMessage)
 		return reconcileErr
@@ -66,8 +70,16 @@ func (c *Reconciler) ReconcileKind(ctx context.Context, ingress *v1alpha1.Ingres
 	return nil
 }
 
+// FinalizeKind implements Interface.FinalizeKind
+func (c *Reconciler) FinalizeKind(ctx context.Context, ingress *v1alpha1.Ingress) pkgreconciler.Event {
+	gatewayConfig := config.FromContext(ctx).Gateway
+
+	// We currently only support TLS on the external IP
+	return c.clearGatewayListeners(ctx, ingress, gatewayConfig.Gateways[v1alpha1.IngressVisibilityExternalIP].Gateway)
+}
+
 func (c *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress) error {
-	logger := logging.FromContext(ctx)
+	gatewayConfig := config.FromContext(ctx).Gateway
 
 	// We may be reading a version of the object that was stored at an older version
 	// and may not have had all of the assumed defaults specified.  This won't result
@@ -82,8 +94,6 @@ func (c *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress
 		return fmt.Errorf("failed to add knative probe header: %w", err)
 	}
 
-	logger.Infof("Reconciling ingress: %#v", ing)
-
 	for _, rule := range ing.Spec.Rules {
 		rule := rule
 
@@ -97,17 +107,37 @@ func (c *Reconciler) reconcileIngress(ctx context.Context, ing *v1alpha1.Ingress
 		} else {
 			ing.Status.MarkIngressNotReady("HTTPRouteNotReady", "Waiting for HTTPRoute becomes Ready.")
 		}
-		logger.Infof("HTTPRoute successfully synced %v", httproutes)
 	}
 
+	listeners := make([]*gatewayv1alpha2.Listener, 0, len(ing.Spec.TLS))
+	for _, tls := range ing.Spec.TLS {
+		tls := tls
+
+		l, err := c.reconcileTLS(ctx, &tls, ing)
+		if err != nil {
+			return err
+		}
+		listeners = append(listeners, l...)
+	}
+
+	if len(listeners) > 0 {
+		// For now, we only reconcile the external visibility, because there's
+		// no way to provide TLS for internal listeners.
+		err := c.reconcileGatewayListeners(
+			ctx, listeners, ing, *gatewayConfig.Gateways[v1alpha1.IngressVisibilityExternalIP].Gateway)
+		if err != nil {
+			return err
+		}
+	}
+
+	// TODO: check Gateway readiness before reporting Ingress ready
+
 	ready, err := c.statusManager.IsReady(ctx, before)
 	if err != nil {
 		return fmt.Errorf("failed to probe Ingress: %w", err)
 	}
 
 	if ready {
-		gatewayConfig := config.FromContext(ctx).Gateway
-
 		namespacedNameService := gatewayConfig.Gateways[v1alpha1.IngressVisibilityExternalIP].Service
 		publicLbs := []v1alpha1.LoadBalancerIngressStatus{
 			{DomainInternal: network.GetServiceHostname(namespacedNameService.Name, namespacedNameService.Namespace)},