fixup: conventions naming and move functions

Signed-off-by: KevFan <chfan@redhat.com>

controllers/effective_tls_policies_reconciler.go

@@ -208,6 +208,11 @@ func expectedCertificatesForGateway(ctx context.Context, gateway *gatewayapiv1.G
 
 	tlsHosts := make(map[corev1.ObjectReference][]string)
 	for i, l := range gateway.Spec.Listeners {
+		hostname := "*"
+		if l.Hostname != nil {
+			hostname = string(*l.Hostname)
+		}
+
 		err := validateGatewayListenerBlock(field.NewPath("spec", "listeners").Index(i), l, gateway).ToAggregate()
 		if err != nil {
 			log.Info("Skipped a listener block: " + err.Error())
@@ -225,7 +230,7 @@ func expectedCertificatesForGateway(ctx context.Context, gateway *gatewayapiv1.G
 			}
 			// Gateway API hostname explicitly disallows IP addresses, so this
 			// should be OK.
-			tlsHosts[secretRef] = append(tlsHosts[secretRef], string(*l.Hostname))
+			tlsHosts[secretRef] = append(tlsHosts[secretRef], hostname)
 		}
 	}
 
@@ -285,3 +290,104 @@ func buildCertManagerCertificate(tlsPolicy *kuadrantv1alpha1.TLSPolicy, secretRe
 	translatePolicy(crt, tlsPolicy.Spec)
 	return crt
 }
+
+// https://cert-manager.io/docs/usage/gateway/#supported-annotations
+// Helper functions largely based on cert manager https://github.com/cert-manager/cert-manager/blob/master/pkg/controller/certificate-shim/sync.go
+
+func validateGatewayListenerBlock(path *field.Path, l gatewayapiv1.Listener, ingLike metav1.Object) field.ErrorList {
+	var errs field.ErrorList
+
+	if l.Hostname == nil || *l.Hostname == "" {
+		errs = append(errs, field.Required(path.Child("hostname"), "the hostname cannot be empty"))
+	}
+
+	if l.TLS == nil {
+		errs = append(errs, field.Required(path.Child("tls"), "the TLS block cannot be empty"))
+		return errs
+	}
+
+	if len(l.TLS.CertificateRefs) == 0 {
+		errs = append(errs, field.Required(path.Child("tls").Child("certificateRef"),
+			"listener has no certificateRefs"))
+	} else {
+		// check that each CertificateRef is valid
+		for i, secretRef := range l.TLS.CertificateRefs {
+			if *secretRef.Group != "core" && *secretRef.Group != "" {
+				errs = append(errs, field.NotSupported(path.Child("tls").Child("certificateRef").Index(i).Child("group"),
+					*secretRef.Group, []string{"core", ""}))
+			}
+
+			if *secretRef.Kind != "Secret" && *secretRef.Kind != "" {
+				errs = append(errs, field.NotSupported(path.Child("tls").Child("certificateRef").Index(i).Child("kind"),
+					*secretRef.Kind, []string{"Secret", ""}))
+			}
+
+			if secretRef.Namespace != nil && string(*secretRef.Namespace) != ingLike.GetNamespace() {
+				errs = append(errs, field.Invalid(path.Child("tls").Child("certificateRef").Index(i).Child("namespace"),
+					*secretRef.Namespace, "cross-namespace secret references are not allowed in listeners"))
+			}
+		}
+	}
+
+	if l.TLS.Mode == nil {
+		errs = append(errs, field.Required(path.Child("tls").Child("mode"),
+			"the mode field is required"))
+	} else {
+		if *l.TLS.Mode != gatewayapiv1.TLSModeTerminate {
+			errs = append(errs, field.NotSupported(path.Child("tls").Child("mode"),
+				*l.TLS.Mode, []string{string(gatewayapiv1.TLSModeTerminate)}))
+		}
+	}
+
+	return errs
+}
+
+// translatePolicy updates the Certificate spec using the TLSPolicy spec
+// converted from https://github.com/cert-manager/cert-manager/blob/master/pkg/controller/certificate-shim/helper.go#L63
+func translatePolicy(crt *certmanv1.Certificate, tlsPolicy kuadrantv1alpha1.TLSPolicySpec) {
+	if tlsPolicy.CommonName != "" {
+		crt.Spec.CommonName = tlsPolicy.CommonName
+	}
+
+	if tlsPolicy.Duration != nil {
+		crt.Spec.Duration = tlsPolicy.Duration
+	}
+
+	if tlsPolicy.RenewBefore != nil {
+		crt.Spec.RenewBefore = tlsPolicy.RenewBefore
+	}
+
+	if tlsPolicy.RenewBefore != nil {
+		crt.Spec.RenewBefore = tlsPolicy.RenewBefore
+	}
+
+	if tlsPolicy.Usages != nil {
+		crt.Spec.Usages = tlsPolicy.Usages
+	}
+
+	if tlsPolicy.RevisionHistoryLimit != nil {
+		crt.Spec.RevisionHistoryLimit = tlsPolicy.RevisionHistoryLimit
+	}
+
+	if tlsPolicy.PrivateKey != nil {
+		if crt.Spec.PrivateKey == nil {
+			crt.Spec.PrivateKey = &certmanv1.CertificatePrivateKey{}
+		}
+
+		if tlsPolicy.PrivateKey.Algorithm != "" {
+			crt.Spec.PrivateKey.Algorithm = tlsPolicy.PrivateKey.Algorithm
+		}
+
+		if tlsPolicy.PrivateKey.Encoding != "" {
+			crt.Spec.PrivateKey.Encoding = tlsPolicy.PrivateKey.Encoding
+		}
+
+		if tlsPolicy.PrivateKey.Size != 0 {
+			crt.Spec.PrivateKey.Size = tlsPolicy.PrivateKey.Size
+		}
+
+		if tlsPolicy.PrivateKey.RotationPolicy != "" {
+			crt.Spec.PrivateKey.RotationPolicy = tlsPolicy.PrivateKey.RotationPolicy
+		}
+	}
+}

controllers/tls_workflow.go

@@ -35,11 +35,11 @@ var (
 
 func NewTLSWorkflow(client *dynamic.DynamicClient, scheme *runtime.Scheme, isCertManagerInstalled bool) *controller.Workflow {
 	return &controller.Workflow{
-		Precondition: NewValidateTLSPoliciesValidatorReconciler(isCertManagerInstalled).Subscription().Reconcile,
+		Precondition: NewTLSPoliciesValidator(isCertManagerInstalled).Subscription().Reconcile,
 		Tasks: []controller.ReconcileFunc{
 			NewEffectiveTLSPoliciesReconciler(client, scheme).Subscription().Reconcile,
 		},
-		Postcondition: NewTLSPolicyStatusUpdaterReconciler(client).Subscription().Reconcile,
+		Postcondition: NewTLSPolicyStatusUpdater(client).Subscription().Reconcile,
 	}
 }
 

controllers/tlspolicies_validator.go

@@ -17,7 +17,7 @@ import (
 	"github.com/kuadrant/kuadrant-operator/pkg/library/kuadrant"
 )
 
-func NewValidateTLSPoliciesValidatorReconciler(isCertManagerInstalled bool) *ValidateTLSPoliciesValidatorReconciler {
+func NewTLSPoliciesValidator(isCertManagerInstalled bool) *ValidateTLSPoliciesValidatorReconciler {
 	return &ValidateTLSPoliciesValidatorReconciler{
 		isCertManagerInstalled: isCertManagerInstalled,
 	}

controllers/tlspolicy_status_updater.go

@@ -24,15 +24,15 @@ import (
 	"github.com/kuadrant/kuadrant-operator/pkg/library/utils"
 )
 
-type TLSPolicyStatusUpdaterReconciler struct {
+type TLSPolicyStatusUpdater struct {
 	Client *dynamic.DynamicClient
 }
 
-func NewTLSPolicyStatusUpdaterReconciler(client *dynamic.DynamicClient) *TLSPolicyStatusUpdaterReconciler {
-	return &TLSPolicyStatusUpdaterReconciler{Client: client}
+func NewTLSPolicyStatusUpdater(client *dynamic.DynamicClient) *TLSPolicyStatusUpdater {
+	return &TLSPolicyStatusUpdater{Client: client}
 }
 
-func (t *TLSPolicyStatusUpdaterReconciler) Subscription() *controller.Subscription {
+func (t *TLSPolicyStatusUpdater) Subscription() *controller.Subscription {
 	return &controller.Subscription{
 		Events: []controller.ResourceEventMatcher{
 			{Kind: &machinery.GatewayGroupKind},
@@ -46,8 +46,8 @@ func (t *TLSPolicyStatusUpdaterReconciler) Subscription() *controller.Subscripti
 	}
 }
 
-func (t *TLSPolicyStatusUpdaterReconciler) UpdateStatus(ctx context.Context, _ []controller.ResourceEvent, topology *machinery.Topology, _ error, s *sync.Map) error {
-	logger := controller.LoggerFromContext(ctx).WithName("TLSPolicyStatusUpdaterReconciler").WithName("UpdateStatus")
+func (t *TLSPolicyStatusUpdater) UpdateStatus(ctx context.Context, _ []controller.ResourceEvent, topology *machinery.Topology, _ error, s *sync.Map) error {
+	logger := controller.LoggerFromContext(ctx).WithName("TLSPolicyStatusUpdater").WithName("UpdateStatus")
 
 	policies := lo.FilterMap(topology.Policies().Items(), func(item machinery.Policy, index int) (*kuadrantv1alpha1.TLSPolicy, bool) {
 		p, ok := item.(*kuadrantv1alpha1.TLSPolicy)
@@ -102,7 +102,7 @@ func (t *TLSPolicyStatusUpdaterReconciler) UpdateStatus(ctx context.Context, _ [
 	return nil
 }
 
-func (t *TLSPolicyStatusUpdaterReconciler) enforcedCondition(ctx context.Context, tlsPolicy *kuadrantv1alpha1.TLSPolicy, topology *machinery.Topology) *metav1.Condition {
+func (t *TLSPolicyStatusUpdater) enforcedCondition(ctx context.Context, tlsPolicy *kuadrantv1alpha1.TLSPolicy, topology *machinery.Topology) *metav1.Condition {
 	if err := t.isIssuerReady(ctx, tlsPolicy, topology); err != nil {
 		return kuadrant.EnforcedCondition(tlsPolicy, kuadrant.NewErrUnknown(tlsPolicy.Kind(), err), false)
 	}
@@ -114,8 +114,8 @@ func (t *TLSPolicyStatusUpdaterReconciler) enforcedCondition(ctx context.Context
 	return kuadrant.EnforcedCondition(tlsPolicy, nil, true)
 }
 
-func (t *TLSPolicyStatusUpdaterReconciler) isIssuerReady(ctx context.Context, tlsPolicy *kuadrantv1alpha1.TLSPolicy, topology *machinery.Topology) error {
-	logger := controller.LoggerFromContext(ctx).WithName("TLSPolicyStatusUpdaterReconciler").WithName("isIssuerReady")
+func (t *TLSPolicyStatusUpdater) isIssuerReady(ctx context.Context, tlsPolicy *kuadrantv1alpha1.TLSPolicy, topology *machinery.Topology) error {
+	logger := controller.LoggerFromContext(ctx).WithName("TLSPolicyStatusUpdater").WithName("isIssuerReady")
 
 	// Get all gateways
 	gws := lo.FilterMap(topology.Targetables().Items(), func(item machinery.Targetable, index int) (*machinery.Gateway, bool) {
@@ -180,7 +180,7 @@ func (t *TLSPolicyStatusUpdaterReconciler) isIssuerReady(ctx context.Context, tl
 	return nil
 }
 
-func (t *TLSPolicyStatusUpdaterReconciler) isCertificatesReady(p machinery.Policy, topology *machinery.Topology) error {
+func (t *TLSPolicyStatusUpdater) isCertificatesReady(p machinery.Policy, topology *machinery.Topology) error {
 	tlsPolicy, ok := p.(*kuadrantv1alpha1.TLSPolicy)
 	if !ok {
 		return errors.New("invalid policy")

controllers/tlspolicy_status_updater_test.go

@@ -461,7 +461,7 @@ func TestTLSPolicyStatusTask_enforcedCondition(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t1 *testing.T) {
-			t := &TLSPolicyStatusUpdaterReconciler{}
+			t := TLSPolicyStatusUpdater{}
 			if got := t.enforcedCondition(context.Background(), tt.args.tlsPolicy, tt.args.topology(tt.args.tlsPolicy)); !reflect.DeepEqual(got, tt.want) {
 				t1.Errorf("enforcedCondition() = %v, want %v", got, tt.want)
 			}