chore: PR polished

Signed-off-by: Mattia Lavacca <[email protected]>

CHANGELOG.md

@@ -117,6 +117,9 @@ Adding a new version? You'll need three changes:
   KIC restarts, it is now able to fetch the last good configuration from a running
   proxy instance and store it in its internal cache.
   [#4265](https://github.com/Kong/kubernetes-ingress-controller/pull/4265)
+- A new `--publish-service-tls` flag has been added to expose Kong TLS stream port
+  (default 8899) through a service using a different port.
+  [#3797](https://github.com/Kong/kubernetes-ingress-controller/pull/3797)
 
 ### Changed
 

internal/controllers/gateway/gateway_controller.go

@@ -770,7 +770,6 @@ func (r *GatewayReconciler) determineListenersFromDataPlane(
 	// are configured for them in the data-plane.
 	upgradedListeners := make([]Listener, 0, len(listeners))
 	for _, listener := range listeners {
-		newListeners := make([]Listener, 0)
 		if streamListener, ok := streamListenersMap[portMapper[int(listener.Port)]]; ok {
 			if streamListener.SSL {
 				listener.Protocol = gatewayv1beta1.TLSProtocolType
@@ -779,7 +778,6 @@ func (r *GatewayReconciler) determineListenersFromDataPlane(
 						{Group: &gatewayV1beta1Group, Kind: (Kind)("TLSRoute")},
 					},
 				}
-				newListeners = append(newListeners, listener)
 			}
 		}
 		if proxyListener, ok := proxyListenersMap[portMapper[int(listener.Port)]]; ok {
@@ -790,23 +788,16 @@ func (r *GatewayReconciler) determineListenersFromDataPlane(
 						{Group: &gatewayV1beta1Group, Kind: (Kind)("HTTPRoute")},
 					},
 				}
-				tlsListener := listener
-				tlsListener.Protocol = gatewayv1beta1.TLSProtocolType
-				tlsListener.AllowedRoutes.Kinds = append(tlsListener.AllowedRoutes.Kinds,
-					gatewayv1beta1.RouteGroupKind{Group: &gatewayV1beta1Group, Kind: (Kind)("TLSRoute")})
-				newListeners = append(newListeners, listener)
-				newListeners = append(newListeners, tlsListener)
 			} else {
 				listener.Protocol = gatewayv1beta1.HTTPProtocolType
 				listener.AllowedRoutes = &gatewayv1beta1.AllowedRoutes{
 					Kinds: []gatewayv1beta1.RouteGroupKind{
 						{Group: &gatewayV1beta1Group, Kind: (Kind)("HTTPRoute")},
 					},
 				}
-				newListeners = append(newListeners, listener)
 			}
 		}
-		upgradedListeners = append(upgradedListeners, newListeners...)
+		upgradedListeners = append(upgradedListeners, listener)
 	}
 
 	return upgradedListeners, nil

internal/dataplane/parser/translate_tlsroute.go

@@ -133,10 +133,13 @@ func (p *Parser) isTLSRoutePassthrough(tlsroute *gatewayv1alpha2.TLSRoute) (bool
 			return false, err
 		}
 
+		if parentRef.SectionName == nil {
+			continue
+		}
 		// if anyone of the listeners used for the gateway is configured to passthrough
 		// TLS requests, we return true.
 		for _, listener := range gateway.Spec.Listeners {
-			if parentRef.SectionName == nil || listener.Name == *parentRef.SectionName {
+			if listener.Name == *parentRef.SectionName {
 				if listener.TLS != nil && listener.TLS.Mode != nil &&
 					*listener.TLS.Mode == gatewayv1beta1.TLSModePassthrough {
 					return true, nil

internal/manager/config.go

@@ -211,7 +211,7 @@ func (c *Config) FlagSet() *pflag.FlagSet {
 		`endpoints. If omitted, the same Service will be used for both TCP and UDP routes.`)
 	flagSet.Var(flags.NewValidatedValue(&c.PublishServiceTLS, namespacedNameFromFlagValue, nnTypeNameOverride), "publish-service-tls", `Service fronting TLS routing resources in `+
 		`"namespace/name" format. The controller will update TLS route status information with this Service's `+
-		`endpoints. If omitted, the same Service will be used for both TCP and UDP routes.`)
+		`endpoints. If omitted, the same Service will be used for both HTTP and TLS routes.`)
 	flagSet.StringSliceVar(&c.PublishStatusAddressUDP, "publish-status-address-udp", []string{},
 		`User-provided address CSV, for use in lieu of "publish-service-udp" when that Service lacks useful address information.`)
 

test/conformance/gateway_conformance_test.go

@@ -41,7 +41,7 @@ var skippedTestsForExpressionRoutes = []string{
 	tests.HTTPRouteRedirectPortAndScheme.ShortName,
 	// https://github.com/Kong/kubernetes-ingress-controller/issues/3680
 	tests.GatewayClassObservedGenerationBump.ShortName,
-	// https://github.com/Kong/kubernetes-ingress-controller/issues/3678
+	// https://github.com/Kong/kubernetes-ingress-controller/issues/4312
 	tests.TLSRouteSimpleSameNamespace.ShortName,
 	// https://github.com/Kong/kubernetes-ingress-controller/issues/3679
 	tests.HTTPRouteQueryParamMatching.ShortName,
@@ -101,6 +101,8 @@ func TestGatewayConformance(t *testing.T) {
 	require.NoError(t, gatewayv1alpha2.AddToScheme(client.Scheme()))
 	require.NoError(t, gatewayv1beta1.AddToScheme(client.Scheme()))
 
+	// This service creation is a temporary solution, intended to be replaced by
+	// https://github.com/Kong/charts/issues/848
 	t.Log("creating tls service for gateway conformance tests")
 	tlsService := &corev1.Service{
 		ObjectMeta: metav1.ObjectMeta{