-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: tlspolicy enforced condition #635
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes look good.
I am starting to wonder if we need an enforced status per listener though. Doesn't need to be part of this PR
13bfb5f
to
51d0cc8
Compare
expectedCertificates := r.expectedCertificatesForGateway(ctx, gw.Gateway, tlsPolicy) | ||
|
||
for _, cert := range expectedCertificates { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if this is what we want but there's no error if len(expectedCerificates) == 0
since this is already allowed at:
kuadrant-operator/controllers/tlspolicy_certmanager_certificates.go
Lines 115 to 119 in bca5130
err := validateGatewayListenerBlock(field.NewPath("spec", "listeners").Index(i), l, gateway).ToAggregate() if err != nil { log.Info("Skipped a listener block: " + err.Error()) continue } kuadrant-operator/controllers/tlspolicy_certmanager_certificates.go
Lines 36 to 39 in bca5130
expectedCertificates := r.expectedCertificatesForGateway(ctx, gw.Gateway, tlsPolicy) if err := r.createOrUpdateGatewayCertificates(ctx, expectedCertificates); err != nil { return fmt.Errorf("error creating and updating expected certificates for gateway %v: %w", gw.Gateway.Name, err) }
so I've kept it the same. In this case a TLSPolicy is still marked as enforced: true
even if there are no Certificates
created
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that is ok. If there are no expected certificates then we have done everything we can to enforce
Description
Closes: #572
Add enforced condition for TLSPolicy. This is based on whether the underlying
Issuer
andCertificates
are in aReady
state.Verification
Happy path is integration tested but if you want to verify manually