ut

Signed-off-by: zirain <zirain2009@gmail.com>

Author: zirain

internal/provider/kubernetes/indexers.go

@@ -955,11 +955,9 @@ func secretBtlsIndexFunc(rawObj client.Object) []string {
 func clusterTrustBundleBtlsIndexFunc(rawObj client.Object) []string {
 	btls := rawObj.(*gwapiv1a3.BackendTLSPolicy)
 	var refs []string
-	if btls.Spec.Validation.CACertificateRefs != nil {
-		for _, caCertRef := range btls.Spec.Validation.CACertificateRefs {
-			if string(caCertRef.Kind) == resource.KindClusterTrustBundle {
-				refs = append(refs, string(caCertRef.Name))
-			}
+	for _, caCertRef := range btls.Spec.Validation.CACertificateRefs {
+		if string(caCertRef.Kind) == resource.KindClusterTrustBundle {
+			refs = append(refs, string(caCertRef.Name))
 		}
 	}
 	return refs

internal/provider/kubernetes/predicates.go

@@ -245,7 +245,7 @@ func (r *gatewayAPIReconciler) isBackendReferencingClusterTrustBundle(ctb *certi
 func (r *gatewayAPIReconciler) isBackendTLSPolicyReferencingClusterTrustBundle(ctb *certificatesv1a1.ClusterTrustBundle) bool {
 	btlsList := &gwapiv1a3.BackendTLSPolicyList{}
 	if err := r.client.List(context.Background(), btlsList, &client.ListOptions{
-		FieldSelector: fields.OneTermEqualSelector(clusterTrustBundleBackendIndex, ctb.Name),
+		FieldSelector: fields.OneTermEqualSelector(clusterTrustBundleBtlsIndex, ctb.Name),
 	}); err != nil {
 		r.log.Error(err, "unable to find associated BackendTLSPolicy")
 		return false

internal/provider/kubernetes/predicates_test.go

@@ -11,6 +11,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	certificatesv1a1 "k8s.io/api/certificates/v1alpha1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -20,6 +21,7 @@ import (
 	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/envoygateway"
@@ -1341,3 +1343,126 @@ func TestValidateHTTPRouteFilerForReconcile(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateClusterTrustBundleForReconcile(t *testing.T) {
+	gc := test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil)
+	gtw := test.GetGateway(types.NamespacedName{Namespace: "default", Name: "scheduled-status-test"}, "test-gc", 8080)
+	ctb := test.GetClusterTrustBundle("fake-ctb")
+	backend := &egv1a1.Backend{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "backend-dynamic-resolver-clustertrustbundle",
+			Namespace: "default",
+		},
+		Spec: egv1a1.BackendSpec{
+			Type: ptr.To(egv1a1.BackendTypeDynamicResolver),
+			TLS: &egv1a1.BackendTLSSettings{
+				CACertificateRefs: []gwapiv1.LocalObjectReference{
+					{
+						Kind: gwapiv1.Kind("ClusterTrustBundle"),
+						Name: gwapiv1.ObjectName(ctb.Name),
+					},
+				},
+			},
+		},
+	}
+	btp := &gwapiv1a3.BackendTLSPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "backend-tls-policy-dynamic-resolver-clustertrustbundle",
+			Namespace: "default",
+		},
+		Spec: gwapiv1a3.BackendTLSPolicySpec{
+			Validation: gwapiv1a3.BackendTLSPolicyValidation{
+				CACertificateRefs: []gwapiv1.LocalObjectReference{
+					{
+						Kind: gwapiv1.Kind("ClusterTrustBundle"),
+						Name: gwapiv1.ObjectName(ctb.Name),
+					},
+				},
+			},
+		},
+	}
+	ctp := test.GetClientTrafficPolicy(
+		types.NamespacedName{Name: "fake-ctp", Namespace: "default"},
+		&egv1a1.ClientTLSSettings{
+			ClientValidation: &egv1a1.ClientValidationContext{
+				CACertificateRefs: []gwapiv1.SecretObjectReference{
+					{
+						Kind: ptr.To[gwapiv1.Kind]("ClusterTrustBundle"),
+						Name: gwapiv1.ObjectName(ctb.Name),
+					},
+				},
+			},
+		})
+
+	testCases := []struct {
+		name    string
+		configs []client.Object
+		ctb     *certificatesv1a1.ClusterTrustBundle
+		expect  bool
+	}{
+		{
+			name: "referenced by Backend",
+			configs: []client.Object{
+				gc,
+				gtw,
+				backend,
+			},
+			ctb:    ctb,
+			expect: true,
+		},
+		{
+			name: "referenced by BackendTLSPolicy",
+			configs: []client.Object{
+				gc,
+				gtw,
+				btp,
+			},
+			ctb:    ctb,
+			expect: true,
+		},
+		{
+			name: "referenced by ClientTrafficPolicy",
+			configs: []client.Object{
+				gc,
+				gtw,
+				ctp,
+			},
+			ctb:    ctb,
+			expect: true,
+		},
+		{
+			name: "ClusterTrustBundle not referenced",
+			configs: []client.Object{
+				gc,
+				gtw,
+			},
+			ctb:    ctb,
+			expect: false,
+		},
+	}
+
+	// Create the reconciler.
+	logger := logging.DefaultLogger(os.Stdout, egv1a1.LogLevelInfo)
+
+	r := gatewayAPIReconciler{
+		classController:     egv1a1.GatewayControllerName,
+		log:                 logger,
+		backendCRDExists:    true,
+		bTLSPolicyCRDExists: true,
+		ctpCRDExists:        true,
+	}
+
+	for _, tc := range testCases {
+		r.client = fakeclient.NewClientBuilder().
+			WithScheme(envoygateway.GetScheme()).
+			WithObjects(tc.configs...).
+			WithIndex(&egv1a1.Backend{}, clusterTrustBundleBackendIndex, clusterTrustBundleBackendIndexFunc).
+			WithIndex(&gwapiv1a3.BackendTLSPolicy{}, clusterTrustBundleBtlsIndex, clusterTrustBundleBtlsIndexFunc).
+			WithIndex(&egv1a1.ClientTrafficPolicy{}, clusterTrustBundlerCtpIndex, clusterTrustBundleCtpIndexFunc).
+			Build()
+		t.Run(tc.name, func(t *testing.T) {
+			res := r.validateClusterTrustBundleForReconcile(tc.ctb)
+			require.Equal(t, tc.expect, res)
+		})
+	}
+}

internal/provider/kubernetes/test/utils.go

@@ -7,6 +7,7 @@ package test
 
 import (
 	appsv1 "k8s.io/api/apps/v1"
+	certificatesv1a1 "k8s.io/api/certificates/v1alpha1"
 	corev1 "k8s.io/api/core/v1"
 	discoveryv1 "k8s.io/api/discovery/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -417,3 +418,26 @@ func GetHTTPRouteFilter(nsName types.NamespacedName) *egv1a1.HTTPRouteFilter {
 		},
 	}
 }
+
+func GetClusterTrustBundle(name string) *certificatesv1a1.ClusterTrustBundle {
+	return &certificatesv1a1.ClusterTrustBundle{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Spec: certificatesv1a1.ClusterTrustBundleSpec{
+			TrustBundle: "fake-trust-bundle",
+		},
+	}
+}
+
+func GetClientTrafficPolicy(nn types.NamespacedName, tls *egv1a1.ClientTLSSettings) *egv1a1.ClientTrafficPolicy {
+	return &egv1a1.ClientTrafficPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      nn.Name,
+			Namespace: nn.Namespace,
+		},
+		Spec: egv1a1.ClientTrafficPolicySpec{
+			TLS: tls,
+		},
+	}
+}