[Backport release/3.5.x] fix(translator): check gateway class and do not skip listeners when gateway class is not managed by KIC (#7711)

team-k8s-bot · randmonkey · web-flow · commit 9f0d81f7ecee · 2025-09-19T10:23:17.000+08:00
* fix(translator): check gateway class and do not skip listeners when gateway class is not managed by KIC (#7666) * check gateway class and do not skip listeners when gateway class is not managed by KIC * update changelog * store gatewayclass into cache in gwc controller * fix comments and move gwc controller name check after getting gwc (cherry picked from commit 2562662) * fix changlog --------- Co-authored-by: Tao Yi <tao.yi@konghq.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -109,15 +109,26 @@ Adding a new version? You'll need three changes:
  - [0.0.5](#005)
  - [0.0.4 and prior](#004-and-prior)
 
+## Unreleased
+
+### Fixed
+
+- Do not skip the gateway listeners without `Programmed` condition set to `True`
+  when the gateway class does not contain `konghq.com/gateway-unmanaged`
+  annotation in extracting certificates from listeners. This fixes the issue
+  that KIC deletes the certificates of listeners on dataplane pods deleted when
+  KIC is running under the control of Kong gateway operator.
+  [#7666](https://github.com/Kong/kubernetes-ingress-controller/pull/7666)
+
 ## [3.5.1]
 
 > Release date: 2025-07-31
 
 ### Fixed
 
 - Fix the issue that invalid label value causing KIC failed to store the license
-from Konnect into `Secret`.
-[#7648](https://github.com/Kong/kubernetes-ingress-controller/pull/7648)
+  from Konnect into `Secret`.
+  [#7648](https://github.com/Kong/kubernetes-ingress-controller/pull/7648)
 
 ## [3.5.0]
 
diff --git a/hack/generators/cache-stores/spec.go b/hack/generators/cache-stores/spec.go
@@ -60,6 +60,11 @@ var supportedTypes = []cacheStoreSupportedType{
 		Type:    "Gateway",
 		Package: "gatewayapi",
 	},
+	{
+		Type:    "GatewayClass",
+		Package: "gatewayapi",
+		KeyFunc: clusterWideKeyFunc,
+	},
 	{
 		Type:    "BackendTLSPolicy",
 		Package: "gatewayapi",
diff --git a/internal/controllers/gateway/gateway_controller.go b/internal/controllers/gateway/gateway_controller.go
@@ -143,6 +143,8 @@ func (r *GatewayReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Log:              r.Log.WithName(strings.ToUpper(gatewayapi.V1GroupVersion) + "GatewayClass"),
 		Scheme:           r.Scheme,
 		CacheSyncTimeout: r.CacheSyncTimeout,
+
+		DataplaneClient: r.DataplaneClient,
 	}
 
 	return gwcCTRL.SetupWithManager(mgr)
@@ -181,6 +183,7 @@ func (r *GatewayReconciler) gatewayHasMatchingGatewayClass(obj client.Object) bo
 		r.Log.Error(err, "Could not retrieve gatewayclass", "gatewayclass", gateway.Spec.GatewayClassName)
 		return false
 	}
+
 	return isGatewayClassControlled(gatewayClass)
 }
 
diff --git a/internal/controllers/gateway/gatewayclass_controller.go b/internal/controllers/gateway/gatewayclass_controller.go
@@ -18,6 +18,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
+	"github.com/kong/kubernetes-ingress-controller/v3/internal/controllers"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/gatewayapi"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/logging"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/util"
@@ -59,6 +60,8 @@ type GatewayClassReconciler struct { //nolint:revive
 	Log              logr.Logger
 	Scheme           *runtime.Scheme
 	CacheSyncTimeout time.Duration
+
+	DataplaneClient controllers.DataPlane
 }
 
 // SetupWithManager sets up the controller with the Manager.
@@ -144,6 +147,13 @@ func (r *GatewayClassReconciler) Reconcile(ctx context.Context, req ctrl.Request
 			setGatewayClassCondition(gwc, acceptedCondtion)
 			return ctrl.Result{}, r.Status().Update(ctx, pruneGatewayClassStatusConds(gwc))
 		}
+
+		// Add the gatewayclass to the translation cache if the gatewayclass is managed by the KIC instance.
+		err := r.DataplaneClient.UpdateObject(gwc)
+		if err != nil {
+			debug(log, gwc, "Failed to update GatewayClass in dataplane, requeueing")
+			return ctrl.Result{}, err
+		}
 	}
 
 	return ctrl.Result{}, nil
diff --git a/internal/dataplane/fallback/graph_dependencies.go b/internal/dataplane/fallback/graph_dependencies.go
@@ -62,6 +62,7 @@ func ResolveDependencies(cache store.CacheStores, obj client.Object) ([]client.O
 		*discoveryv1.EndpointSlice,
 		*gatewayapi.ReferenceGrant,
 		*gatewayapi.Gateway,
+		*gatewayapi.GatewayClass,
 		*gatewayapi.BackendTLSPolicy,
 		*configurationv1.KongIngress,
 		*configurationv1beta1.KongUpstreamPolicy,
diff --git a/internal/dataplane/translator/translate_certs.go b/internal/dataplane/translator/translate_certs.go
@@ -9,9 +9,11 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/kong/go-kong/kong"
+	"github.com/samber/lo"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"github.com/kong/kubernetes-ingress-controller/v3/internal/annotations"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/dataplane/kongstate"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/gatewayapi"
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/logging"
@@ -55,11 +57,21 @@ func (t *Translator) getGatewayCerts() []certWrapper {
 		return certs
 	}
 	for _, gateway := range gateways {
-		statuses := make(map[gatewayapi.SectionName]gatewayapi.ListenerStatus, len(gateway.Status.Listeners))
-		for _, status := range gateway.Status.Listeners {
-			statuses[status.Name] = status
+		gwc, err := s.GetGatewayClass(string(gateway.Spec.GatewayClassName))
+		if err != nil {
+			logger.Error(err, "Failed to get GatewayClass for Gateway, skipping", "gateway", gateway.Name, "gateway_class", gateway.Spec.GatewayClassName)
+			continue
 		}
 
+		// Skip the gateway when the gateway's GatewayClass is not controlled by the KIC instance.
+		if gwc.Spec.ControllerName != gatewayapi.GatewayController(t.gatewayControllerName) {
+			continue
+		}
+
+		statuses := lo.SliceToMap(gateway.Status.Listeners, func(status gatewayapi.ListenerStatus) (gatewayapi.SectionName, gatewayapi.ListenerStatus) {
+			return status.Name, status
+		})
+
 		for _, listener := range gateway.Spec.Listeners {
 			status, ok := statuses[listener.Name]
 			if !ok {
@@ -72,14 +84,18 @@ func (t *Translator) getGatewayCerts() []certWrapper {
 				continue
 			}
 
-			// Check if listener is marked as programmed
-			if !util.CheckCondition(
-				status.Conditions,
-				util.ConditionType(gatewayapi.ListenerConditionProgrammed),
-				util.ConditionReason(gatewayapi.ListenerReasonProgrammed),
-				metav1.ConditionTrue,
-				gateway.Generation,
-			) {
+			// Check if listener is marked as programmed when the gateway's GatewayClass has the "Unmanaged" annotation.
+			// If the GatewayClass does not have the annotation, the gateway is considered to be managed by other components (for example Kong Operator),
+			// so we do not check the "Programmed" condition before extracting the certificate from the listener
+			// to prevent unexpected deletion of certificates when the instance is managed by Kong Operator.
+			if annotations.ExtractUnmanagedGatewayClassMode(gwc.Annotations) != "" &&
+				!util.CheckCondition(
+					status.Conditions,
+					util.ConditionType(gatewayapi.ListenerConditionProgrammed),
+					util.ConditionReason(gatewayapi.ListenerReasonProgrammed),
+					metav1.ConditionTrue,
+					gateway.Generation,
+				) {
 				continue
 			}
 
diff --git a/internal/dataplane/translator/translator.go b/internal/dataplane/translator/translator.go
@@ -109,8 +109,9 @@ type Translator struct {
 	failuresCollector          *failures.ResourceFailuresCollector
 	translatedObjectsCollector *ObjectsCollector
 
-	clusterDomain      string
-	enableDrainSupport bool
+	clusterDomain         string
+	enableDrainSupport    bool
+	gatewayControllerName string
 }
 
 // Config is a configuration for the Translator.
@@ -120,6 +121,10 @@ type Config struct {
 
 	// ClusterDomain is the cluster domain used for translating Kubernetes objects.
 	ClusterDomain string
+
+	// GatewayControllerName is the gateway controller name used by KIC.
+	// GatewayClasses with this controller name in spec.ControllerName are managed by KIC, otherwise they are managed by other  (like Kong Operator).
+	GatewayControllerName string
 }
 
 // NewTranslator produces a new Translator object provided a logging mechanism
@@ -152,6 +157,7 @@ func NewTranslator(
 		translatedObjectsCollector: translatedObjectsCollector,
 		clusterDomain:              config.ClusterDomain,
 		enableDrainSupport:         config.EnableDrainSupport,
+		gatewayControllerName:      config.GatewayControllerName,
 	}, nil
 }
 
diff --git a/internal/manager/run.go b/internal/manager/run.go
@@ -221,8 +221,9 @@ func New(
 
 	configTranslator, err := translator.NewTranslator(logger, storer, c.KongWorkspace, kongSemVersion, translatorFeatureFlags, NewSchemaServiceGetter(clientsManager),
 		translator.Config{
-			ClusterDomain:      c.ClusterDomain,
-			EnableDrainSupport: c.EnableDrainSupport,
+			ClusterDomain:         c.ClusterDomain,
+			EnableDrainSupport:    c.EnableDrainSupport,
+			GatewayControllerName: c.GatewayAPIControllerName,
 		},
 	)
 	if err != nil {
diff --git a/internal/store/fake_store.go b/internal/store/fake_store.go
@@ -41,6 +41,7 @@ type FakeObjects struct {
 	GRPCRoutes                     []*gatewayapi.GRPCRoute
 	ReferenceGrants                []*gatewayapi.ReferenceGrant
 	Gateways                       []*gatewayapi.Gateway
+	GatewayClasses                 []*gatewayapi.GatewayClass
 	BackendTLSPolicies             []*gatewayapi.BackendTLSPolicy
 	TCPIngresses                   []*configurationv1beta1.TCPIngress
 	UDPIngresses                   []*configurationv1beta1.UDPIngress
diff --git a/internal/store/store.go b/internal/store/store.go
@@ -99,6 +99,7 @@ type Storer interface {
 
 	// Gateway API resources.
 	GetGateway(namespace string, name string) (*gatewayapi.Gateway, error)
+	GetGatewayClass(name string) (*gatewayapi.GatewayClass, error)
 	ListHTTPRoutes() ([]*gatewayapi.HTTPRoute, error)
 	ListUDPRoutes() ([]*gatewayapi.UDPRoute, error)
 	ListTCPRoutes() ([]*gatewayapi.TCPRoute, error)
@@ -607,6 +608,18 @@ func (s Store) GetGateway(namespace string, name string) (*gatewayapi.Gateway, e
 	return obj.(*gatewayapi.Gateway), nil
 }
 
+// GetGatewayClass returns gatewayclass resource having the specified name.
+func (s Store) GetGatewayClass(name string) (*gatewayapi.GatewayClass, error) {
+	obj, exists, err := s.stores.GatewayClass.GetByKey(name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, NotFoundError{fmt.Sprintf("GatewayClass %v not found", name)}
+	}
+	return obj.(*gatewayapi.GatewayClass), nil
+}
+
 // GetKongVault returns kongvault resource having specified name.
 func (s Store) GetKongVault(name string) (*configurationv1alpha1.KongVault, error) {
 	p, exists, err := s.stores.KongVault.GetByKey(name)
diff --git a/internal/store/zz_generated.cache_stores.go b/internal/store/zz_generated.cache_stores.go
diff --git a/internal/store/zz_generated.cache_stores_test.go b/internal/store/zz_generated.cache_stores_test.go

Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,8 @@ func (r *GatewayReconciler) SetupWithManager(mgr ctrl.Manager) error {`
`143`	`143`	`Log: r.Log.WithName(strings.ToUpper(gatewayapi.V1GroupVersion) + "GatewayClass"),`
`144`	`144`	`Scheme: r.Scheme,`
`145`	`145`	`CacheSyncTimeout: r.CacheSyncTimeout,`
	`146`	`+`
	`147`	`+ DataplaneClient: r.DataplaneClient,`
`146`	`148`	`}`
`147`	`149`
`148`	`150`	`return gwcCTRL.SetupWithManager(mgr)`
`@@ -181,6 +183,7 @@ func (r *GatewayReconciler) gatewayHasMatchingGatewayClass(obj client.Object) bo`
`181`	`183`	`r.Log.Error(err, "Could not retrieve gatewayclass", "gatewayclass", gateway.Spec.GatewayClassName)`
`182`	`184`	`return false`
`183`	`185`	`}`
	`186`	`+`
`184`	`187`	`return isGatewayClassControlled(gatewayClass)`
`185`	`188`	`}`
`186`	`189`