[release-1.17] Create a per ingress ReferenceGrant to avoid conflicts in the same namespace (#830)

* Create a per ingress ReferenceGrant to avoid conflicts in the same namespace

Signed-off-by: Rajat Vig <[email protected]>

* Format

Signed-off-by: Rajat Vig <[email protected]>

* Add a test for the MakeReferenceGrant method

Signed-off-by: Rajat Vig <[email protected]>

* Fix lint error

Signed-off-by: Rajat Vig <[email protected]>

* Use kmeta.ChildName and change test for long names

Signed-off-by: Rajat Vig <[email protected]>

---------

Signed-off-by: Rajat Vig <[email protected]>
Co-authored-by: Rajat Vig <[email protected]>

Author: knative-prow-robot

pkg/reconciler/ingress/ingress_test.go

@@ -229,6 +229,7 @@ func TestReconcile(t *testing.T) {
 func TestReconcileTLS(t *testing.T) {
 	// The gateway API annoyingly has a number of
 	secretName := "name-WE-STICK-A-LONG-UID-HERE"
+	ingressName := "name"
 	nsName := "ns"
 	deleteTime := time.Now().Add(-10 * time.Second)
 	table := TableTest{{
@@ -240,8 +241,8 @@ func TestReconcileTLS(t *testing.T) {
 			gw(defaultListener),
 		},
 		WantCreates: []runtime.Object{
-			httpRoute(t, ing(withBasicSpec, withGatewayAPIClass, withTLS())),
-			rp(secret(secretName, nsName)),
+			httpRoute(t, ing(withBasicSpec, withGatewayAPIClass, withTLS(), withName(ingressName))),
+			rp(ingressName, secret(secretName, nsName)),
 		},
 		WantUpdates: []clientgotesting.UpdateActionImpl{{
 			Object: gw(defaultListener, tlsListener("example.com", nsName, secretName)),
@@ -271,8 +272,8 @@ func TestReconcileTLS(t *testing.T) {
 			ing(withBasicSpec, withFinalizer, withGatewayAPIClass, withTLS(), makeItReady),
 			secret(secretName, nsName),
 			gw(defaultListener, tlsListener("example.com", nsName, secretName)),
-			httpRoute(t, ing(withBasicSpec, withGatewayAPIClass, withTLS()), httpRouteReady),
-			rp(secret(secretName, nsName)),
+			httpRoute(t, ing(withBasicSpec, withGatewayAPIClass, withTLS(), withName(ingressName)), httpRouteReady),
+			rp(ingressName, secret(secretName, nsName)),
 		},
 		WantUpdates: []clientgotesting.UpdateActionImpl{
 			// None
@@ -292,8 +293,8 @@ func TestReconcileTLS(t *testing.T) {
 			}),
 			secret(secretName, nsName),
 			gw(defaultListener, tlsListener("secure.example.com", nsName, secretName)),
-			httpRoute(t, ing(withBasicSpec, withGatewayAPIClass, withTLS())),
-			rp(secret(secretName, nsName)),
+			httpRoute(t, ing(withBasicSpec, withGatewayAPIClass, withTLS(), withName(ingressName))),
+			rp(ingressName, secret(secretName, nsName)),
 		},
 		WantUpdates: []clientgotesting.UpdateActionImpl{{
 			Object: gw(defaultListener),
@@ -307,8 +308,8 @@ func TestReconcileTLS(t *testing.T) {
 			secret(secretName, nsName),
 		},
 		WantCreates: []runtime.Object{
-			httpRoute(t, ing(withBasicSpec, withGatewayAPIClass, withTLS())),
-			rp(secret(secretName, nsName)),
+			httpRoute(t, ing(withBasicSpec, withGatewayAPIClass, withTLS(), withName(ingressName))),
+			rp(ingressName, secret(secretName, nsName)),
 		},
 		WantUpdates: []clientgotesting.UpdateActionImpl{
 			// None
@@ -2546,6 +2547,12 @@ func withTLS() IngressOption {
 	}
 }
 
+func withName(name string) IngressOption {
+	return func(i *v1alpha1.Ingress) {
+		i.Name = name
+	}
+}
+
 func secret(name, ns string) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
@@ -2560,11 +2567,11 @@ func secret(name, ns string) *corev1.Secret {
 	}
 }
 
-func rp(to *corev1.Secret) *gatewayapiv1beta1.ReferenceGrant {
+func rp(ingressName string, to *corev1.Secret) *gatewayapiv1beta1.ReferenceGrant {
 	t := true
 	return &gatewayapiv1beta1.ReferenceGrant{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      to.Name + "-" + testNamespace,
+			Name:      ingressName + "-" + to.Name + "-" + testNamespace,
 			Namespace: to.Namespace,
 			OwnerReferences: []metav1.OwnerReference{{
 				APIVersion:         "networking.internal.knative.dev/v1alpha1",

pkg/reconciler/ingress/resources/reference_grant.go

@@ -18,20 +18,17 @@ package resources
 
 import (
 	"context"
+	"fmt"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1"
 	"knative.dev/pkg/kmeta"
 	gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 )
 
-// Grant the resource "to" access to the resource "from"
+// MakeReferenceGrant Grant the resource "to" access to the resource "from"
 func MakeReferenceGrant(_ context.Context, ing *netv1alpha1.Ingress, to, from metav1.PartialObjectMetadata) *gatewayv1beta1.ReferenceGrant {
-	name := to.Name
-	if len(name)+len(from.Namespace) > 62 {
-		name = name[:62-len(from.Namespace)]
-	}
-	name += "-" + from.Namespace
+	name := kmeta.ChildName(ing.Name, fmt.Sprintf("-%s-%s", to.Name, from.Namespace))
 
 	return &gatewayv1beta1.ReferenceGrant{
 		ObjectMeta: metav1.ObjectMeta{

pkg/reconciler/ingress/resources/reference_grant_test.go

@@ -0,0 +1,102 @@
+/*
+Copyright 2021 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resources
+
+import (
+	"context"
+	"strings"
+	"testing"
+
+	"knative.dev/pkg/ptr"
+
+	"github.com/google/go-cmp/cmp"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1"
+	gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+)
+
+func TestMakeReferenceGrantLongName(t *testing.T) {
+	ing := &netv1alpha1.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-ingress",
+			Namespace: "test-namespace",
+		},
+	}
+
+	to := metav1.PartialObjectMetadata{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "to-resource",
+			Namespace: "to-namespace",
+			Labels: map[string]string{
+				"app": "test-app",
+			},
+			Annotations: map[string]string{
+				"annotation-key": "annotation-value",
+			},
+		},
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+	}
+
+	from := metav1.PartialObjectMetadata{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: strings.Repeat("f", 63),
+		},
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Ingress",
+			APIVersion: "networking.k8s.io/v1",
+		},
+	}
+
+	want := &gatewayv1beta1.ReferenceGrant{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        "test-ingress0156b17a6c5096e2fdeb6058cc449e26-to-resource-ffffff",
+			Namespace:   "to-namespace",
+			Labels:      to.Labels,
+			Annotations: to.Annotations,
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion:         "networking.internal.knative.dev/v1alpha1",
+					Kind:               "Ingress",
+					Name:               "test-ingress",
+					Controller:         ptr.Bool(true),
+					BlockOwnerDeletion: ptr.Bool(true),
+				},
+			},
+		},
+		Spec: gatewayv1beta1.ReferenceGrantSpec{
+			From: []gatewayv1beta1.ReferenceGrantFrom{{
+				Group:     gatewayv1beta1.Group("networking.k8s.io"),
+				Kind:      gatewayv1beta1.Kind("Ingress"),
+				Namespace: gatewayv1beta1.Namespace(strings.Repeat("f", 63)),
+			}},
+			To: []gatewayv1beta1.ReferenceGrantTo{{
+				Group: gatewayv1beta1.Group(""),
+				Kind:  gatewayv1beta1.Kind("Service"),
+				Name:  (*gatewayv1beta1.ObjectName)(&to.Name),
+			}},
+		},
+	}
+
+	got := MakeReferenceGrant(context.TODO(), ing, to, from)
+
+	if diff := cmp.Diff(want, got); diff != "" {
+		t.Errorf("MakeReferenceGrant (-want, +got):\n%s", diff)
+	}
+}