validate the presence of specified cluster or clusterisssuer in tlspo…

…licy

pkg/controllers/tlspolicy/tlspolicy_controller.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 
 	"github.com/go-logr/logr"
+	v1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 
 	"k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -151,6 +152,25 @@ func (r *TLSPolicyReconciler) reconcileResources(ctx context.Context, tlsPolicy
 		return err
 	}
 
+	// validate that the issuer specified exists
+	issuerName := tlsPolicy.Spec.IssuerRef.Name
+	issuerKind := tlsPolicy.Spec.IssuerRef.Kind
+	var issuer client.Object
+	issuerNamespace := ""
+	if issuerKind == v1.ClusterIssuerKind {
+		issuer = &v1.ClusterIssuer{}
+	} else if issuerKind == v1.IssuerKind || issuerKind == "" {
+		issuer = &v1.Issuer{}
+		issuerNamespace = tlsPolicy.Namespace
+	} else {
+		return fmt.Errorf("issuer kind not supported: %s. Must be either ClusterIssuer or Issuer", issuerKind)
+	}
+
+	err = r.Client().Get(ctx, client.ObjectKey{Name: issuerName, Namespace: issuerNamespace}, issuer)
+	if err != nil {
+		return err
+	}
+
 	// reconcile based on gateway diffs
 	gatewayDiffObj, err := r.ComputeGatewayDiffs(ctx, tlsPolicy, targetNetworkObject, &TLSPolicyRefsConfig{})
 	if err != nil {

test/e2e/gateway_single_spoke_test.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
+	v1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 	"net"
 	"net/http"
 	"strings"
@@ -39,6 +40,7 @@ var _ = Describe("Gateway single target cluster", func() {
 	var gw *gatewayapi.Gateway
 	var placement *ocm_cluster_v1beta1.Placement
 	var tlsPolicy *v1alpha1.TLSPolicy
+	var issuer *v1.Issuer
 
 	BeforeEach(func(ctx SpecContext) {
 		testID = "t-e2e-" + tconfig.GenerateName()
@@ -87,7 +89,20 @@ var _ = Describe("Gateway single target cluster", func() {
 		err = tconfig.HubClient().Create(ctx, gw)
 		Expect(err).ToNot(HaveOccurred())
 
-		By("setting up  TLSPolicy in the hub")
+		By("setting up Issuer in the hub")
+		issuer = &v1.Issuer{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      testID,
+				Namespace: tconfig.HubNamespace(),
+			},
+			Spec: v1.IssuerSpec{
+				IssuerConfig: v1.IssuerConfig{},
+			},
+		}
+		err = tconfig.HubClient().Create(ctx, issuer)
+		Expect(err).ToNot(HaveOccurred())
+
+		By("setting up TLSPolicy in the hub")
 		tlsPolicy = &mgcv1alpha1.TLSPolicy{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      testID,

test/integration/tlspolicy_controller_test.go

@@ -27,6 +27,7 @@ var _ = Describe("TLSPolicy", Ordered, func() {
 
 	var testNamespace string
 	var gatewayClass *gatewayv1beta1.GatewayClass
+	var issuer *certmanv1.Issuer
 
 	BeforeAll(func() {
 		logger = zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))
@@ -42,6 +43,11 @@ var _ = Describe("TLSPolicy", Ordered, func() {
 
 	BeforeEach(func() {
 		CreateNamespace(&testNamespace)
+		issuer = NewTestIssuer("testissuer", testNamespace)
+		Expect(k8sClient.Create(ctx, issuer)).To(BeNil())
+		Eventually(func() error { //issuer exists
+			return k8sClient.Get(ctx, client.ObjectKey{Name: issuer.Name, Namespace: issuer.Namespace}, issuer)
+		}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
 	})
 
 	AfterEach(func() {
@@ -55,6 +61,11 @@ var _ = Describe("TLSPolicy", Ordered, func() {
 		for _, policy := range policyList.Items {
 			k8sClient.Delete(ctx, &policy)
 		}
+		issuerList := certmanv1.IssuerList{}
+		Expect(k8sClient.List(ctx, &issuerList)).To(BeNil())
+		for _, issuer := range issuerList.Items {
+			k8sClient.Delete(ctx, &issuer)
+		}
 	})
 
 	AfterAll(func() {
@@ -74,7 +85,7 @@ var _ = Describe("TLSPolicy", Ordered, func() {
 			Expect(err).ToNot(HaveOccurred())
 		})
 
-		Context("valid target and policy", func() {
+		Context("valid target, issuer and policy", func() {
 
 			BeforeEach(func() {
 				gateway = NewTestGateway("test-gateway", gwClassName, testNamespace).
@@ -84,7 +95,7 @@ var _ = Describe("TLSPolicy", Ordered, func() {
 					return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
 				}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
 				tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
-					WithTargetGateway(gateway.Name).TLSPolicy
+					WithTargetGateway(gateway.Name).WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
 				Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
 				Eventually(func() error { //tls policy exists
 					return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
@@ -154,7 +165,7 @@ var _ = Describe("TLSPolicy", Ordered, func() {
 					return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
 				}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
 				tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
-					WithTargetGateway(gateway.Name).TLSPolicy
+					WithTargetGateway(gateway.Name).WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
 				Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
 				Eventually(func() error { //tls policy exists
 					return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
@@ -182,7 +193,7 @@ var _ = Describe("TLSPolicy", Ordered, func() {
 					return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
 				}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
 				tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
-					WithTargetGateway(gateway.Name).TLSPolicy
+					WithTargetGateway(gateway.Name).WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
 				Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
 				Eventually(func() error { //tls policy exists
 					return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
@@ -218,7 +229,7 @@ var _ = Describe("TLSPolicy", Ordered, func() {
 					return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
 				}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
 				tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
-					WithTargetGateway(gateway.Name).TLSPolicy
+					WithTargetGateway(gateway.Name).WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
 				Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
 				Eventually(func() error { //tls policy exists
 					return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)

test/util/suite_config.go

@@ -24,6 +24,7 @@ import (
 	gatewayapi "sigs.k8s.io/gateway-api/apis/v1beta1"
 
 	mgcv1alpha1 "github.com/Kuadrant/multicluster-gateway-controller/pkg/apis/v1alpha1"
+	v1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 )
 
 const (
@@ -110,6 +111,10 @@ func (cfg *SuiteConfig) Build() error {
 	if err != nil {
 		return err
 	}
+	err = v1.AddToScheme(scheme.Scheme)
+	if err != nil {
+		return err
+	}
 
 	cfg.cpClient, err = client.New(restcfg, client.Options{Scheme: scheme.Scheme})
 	if err != nil {

test/util/test_types.go

@@ -3,6 +3,7 @@
 package testutil
 
 import (
+	v1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -34,6 +35,15 @@ func NewTestGateway(gwName, gwClassName, ns string) *TestGateway {
 	}
 }
 
+func NewTestIssuer(name, ns string) *v1.Issuer {
+	return &v1.Issuer{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: ns,
+		},
+	}
+}
+
 func (t *TestGateway) WithListener(listener gatewayv1beta1.Listener) *TestGateway {
 	t.Spec.Listeners = append(t.Spec.Listeners, listener)
 	return t