feat: initial implementation of gateway-cert-operator
Kubernetes operator that automates HTTPS listener configuration on
Gateway API Gateway resources whenever a cert-manager Certificate is
created or updated.
Core behaviour:
- Watches cert-manager Certificate resources for the annotation
gateway-cert-operator.io/gateway-name to identify the target Gateway
- Builds HTTPS listeners (prefixed "auto-") from each Certificate's
DNS SANs and merges them into the target Gateway's listener list
- Preserves any manually-managed listeners; removes stale auto-listeners
when Certificates are deleted or their annotations are removed
- Supports optional annotations to override the target namespace and
listener port (default 443)
Components:
- main.go – manager setup, scheme registration,
health/readiness probes
- internal/controller/ – Certificate reconciler with field
indexing and dual-watch pattern
- internal/gateway/patch.go – listener construction, merge, and
equality helpers
- deploy/manifests.yaml – Namespace, RBAC, and Deployment
- docs/README.md – usage guide and architecture notes
- Dockerfile – distroless multi-stage build
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
154
internal/controller/certificate_controller.go
Normal file
154
internal/controller/certificate_controller.go
Normal file
@@ -0,0 +1,154 @@
|
||||
package controller
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
ctrl "sigs.k8s.io/controller-runtime"
|
||||
"sigs.k8s.io/controller-runtime/pkg/client"
|
||||
"sigs.k8s.io/controller-runtime/pkg/handler"
|
||||
"sigs.k8s.io/controller-runtime/pkg/log"
|
||||
"sigs.k8s.io/controller-runtime/pkg/reconcile"
|
||||
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
|
||||
|
||||
gw "github.com/example/gateway-cert-operator/internal/gateway"
|
||||
)
|
||||
|
||||
const (
|
||||
// AnnotationGatewayName is the annotation key specifying which Gateway to update.
|
||||
AnnotationGatewayName = "gateway-cert-operator.io/gateway-name"
|
||||
// AnnotationGatewayNamespace optionally overrides the Gateway namespace. Defaults to Certificate namespace.
|
||||
AnnotationGatewayNamespace = "gateway-cert-operator.io/gateway-namespace"
|
||||
// AnnotationListenerPort optionally overrides the listener port. Defaults to 443.
|
||||
AnnotationListenerPort = "gateway-cert-operator.io/listener-port"
|
||||
|
||||
// ListenerPrefix is prepended to managed listener names so we can distinguish ours.
|
||||
ListenerPrefix = "auto-"
|
||||
|
||||
// IndexFieldGatewayTarget is the field index for mapping Certificates to their target Gateway.
|
||||
IndexFieldGatewayTarget = ".metadata.annotations.gatewayTarget"
|
||||
)
|
||||
|
||||
// CertificateReconciler reconciles Certificate objects and patches Gateway listeners.
|
||||
type CertificateReconciler struct {
|
||||
client.Client
|
||||
}
|
||||
|
||||
// SetupCertificateReconciler creates the reconciler and registers watches.
|
||||
func SetupCertificateReconciler(mgr ctrl.Manager) error {
|
||||
r := &CertificateReconciler{Client: mgr.GetClient()}
|
||||
|
||||
// Index Certificates by their target Gateway so we can list all certs for a given Gateway.
|
||||
if err := mgr.GetFieldIndexer().IndexField(context.Background(), &cmv1.Certificate{}, IndexFieldGatewayTarget, func(obj client.Object) []string {
|
||||
cert := obj.(*cmv1.Certificate)
|
||||
gwName, ok := cert.Annotations[AnnotationGatewayName]
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
gwNs := cert.Annotations[AnnotationGatewayNamespace]
|
||||
if gwNs == "" {
|
||||
gwNs = cert.Namespace
|
||||
}
|
||||
return []string{fmt.Sprintf("%s/%s", gwNs, gwName)}
|
||||
}); err != nil {
|
||||
return fmt.Errorf("failed to setup field index: %w", err)
|
||||
}
|
||||
|
||||
return ctrl.NewControllerManagedBy(mgr).
|
||||
For(&cmv1.Certificate{}).
|
||||
// Secondary watch: if someone edits the Gateway, re-reconcile relevant Certificates.
|
||||
Watches(&gwapiv1.Gateway{}, handler.EnqueueRequestsFromMapFunc(r.gatewayToCertificates)).
|
||||
Complete(r)
|
||||
}
|
||||
|
||||
// Reconcile handles Certificate create/update/delete events.
|
||||
func (r *CertificateReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
|
||||
log := log.FromContext(ctx)
|
||||
|
||||
var cert cmv1.Certificate
|
||||
if err := r.Get(ctx, req.NamespacedName, &cert); err != nil {
|
||||
// Certificate deleted — we still need to reconcile the Gateway.
|
||||
// We can't know which Gateway it targeted anymore, so we rely on the
|
||||
// fact that the index query below will simply not return this cert,
|
||||
// and the Gateway will be patched without its listener.
|
||||
// To handle this properly, we reconcile ALL Gateways that had any
|
||||
// managed listener. In practice, deletion triggers the index update,
|
||||
// and the Gateway watch re-enqueues the right certs.
|
||||
return ctrl.Result{}, client.IgnoreNotFound(err)
|
||||
}
|
||||
|
||||
gwName, ok := cert.Annotations[AnnotationGatewayName]
|
||||
if !ok {
|
||||
log.V(1).Info("certificate missing gateway annotation, skipping")
|
||||
return ctrl.Result{}, nil
|
||||
}
|
||||
|
||||
gwNamespace := cert.Annotations[AnnotationGatewayNamespace]
|
||||
if gwNamespace == "" {
|
||||
gwNamespace = cert.Namespace
|
||||
}
|
||||
|
||||
// List ALL certificates targeting this Gateway so we compute the full desired state.
|
||||
var certList cmv1.CertificateList
|
||||
if err := r.List(ctx, &certList, client.MatchingFields{
|
||||
IndexFieldGatewayTarget: fmt.Sprintf("%s/%s", gwNamespace, gwName),
|
||||
}); err != nil {
|
||||
return ctrl.Result{}, fmt.Errorf("listing certificates for gateway %s/%s: %w", gwNamespace, gwName, err)
|
||||
}
|
||||
|
||||
// Build desired listeners from all annotated certificates.
|
||||
desiredListeners := gw.BuildListenersFromCertificates(certList.Items, ListenerPrefix)
|
||||
|
||||
// Fetch the target Gateway.
|
||||
var gateway gwapiv1.Gateway
|
||||
if err := r.Get(ctx, types.NamespacedName{Name: gwName, Namespace: gwNamespace}, &gateway); err != nil {
|
||||
return ctrl.Result{}, fmt.Errorf("getting gateway %s/%s: %w", gwNamespace, gwName, err)
|
||||
}
|
||||
|
||||
// Merge: keep non-prefixed listeners, replace all auto-* listeners.
|
||||
updated := gw.MergeListeners(gateway.Spec.Listeners, desiredListeners, ListenerPrefix)
|
||||
|
||||
if gw.ListenersEqual(gateway.Spec.Listeners, updated) {
|
||||
log.V(1).Info("gateway listeners already up to date")
|
||||
return ctrl.Result{}, nil
|
||||
}
|
||||
|
||||
patch := client.MergeFrom(gateway.DeepCopy())
|
||||
gateway.Spec.Listeners = updated
|
||||
if err := r.Patch(ctx, &gateway, patch); err != nil {
|
||||
return ctrl.Result{}, fmt.Errorf("patching gateway %s/%s: %w", gwNamespace, gwName, err)
|
||||
}
|
||||
|
||||
log.Info("patched gateway listeners",
|
||||
"gateway", fmt.Sprintf("%s/%s", gwNamespace, gwName),
|
||||
"managedListeners", len(desiredListeners),
|
||||
)
|
||||
return ctrl.Result{}, nil
|
||||
}
|
||||
|
||||
// gatewayToCertificates maps a Gateway event back to all Certificates targeting it.
|
||||
func (r *CertificateReconciler) gatewayToCertificates(ctx context.Context, obj client.Object) []reconcile.Request {
|
||||
gw := obj.(*gwapiv1.Gateway)
|
||||
key := fmt.Sprintf("%s/%s", gw.Namespace, gw.Name)
|
||||
|
||||
var certList cmv1.CertificateList
|
||||
if err := r.List(ctx, &certList, client.MatchingFields{
|
||||
IndexFieldGatewayTarget: key,
|
||||
}); err != nil {
|
||||
log.FromContext(ctx).Error(err, "listing certificates for gateway", "gateway", key)
|
||||
return nil
|
||||
}
|
||||
|
||||
requests := make([]reconcile.Request, 0, len(certList.Items))
|
||||
for _, cert := range certList.Items {
|
||||
requests = append(requests, reconcile.Request{
|
||||
NamespacedName: types.NamespacedName{
|
||||
Name: cert.Name,
|
||||
Namespace: cert.Namespace,
|
||||
},
|
||||
})
|
||||
}
|
||||
return requests
|
||||
}
|
||||
Reference in New Issue
Block a user