refactor: effective tls policies reconciler

[KevFan]

Description

Part of #819 #824

• Refactor the logic for the management of TLSPolicy Certificates into a workflow task
• Re-add validation for TLS Policy to check for if Issuer kind is correct and if the issuer is present on cluster, with the addition of integrations tests to test for this

Verification

• Passing integration tests should be enough to test that nothing is broken from this change

[KevFan]

No need for finalizer since associated Certificate's will also be deleted by owner ref

[Boomatang]

Some of my initial thoughts. Have not ran the code base yet.

[Boomatang]

Would it not make more sense to do the deletion timestamp filtering when getting the list of policies in the first place.

[KevFan]

I've reverted the filtering logic in the latest commit and started looping through the attached policies of listeners/gateways instead. I've kept this kind of check but not sure is there any chance that an deleted policy would still be attached to the listener or gateway 🤔

[Boomatang]

Can we be more positive in our checks, doing if ok instead of `if !ok. I also wonder if it is better to have the more common action listed first. So if we do more creates that should be listed first but if we do more creates that should be.

[KevFan]

Sure but whether to do !ok or ok first depends also on whether we create or update first, so if we want to be more positive in our check here if ok, this would mean update is first 🤔

Not sure which action do we expect more of. Maybe @mikenairn can answer on this

[mikenairn]

I wouldn't expect too many updates of a Certificate resource after creation. I don't have strong opinions on this, but for what its worth i did if ok in the dnspolicy equivalent task, and deal with updates first.

[guicassolato]

if ok { update } / if !ok { create }. Does it matter? The number of jump instructions in the final compiled code is literally the same I think.

If !ok feels like being negative (it doesn't to me BTW), then perhaps we could rename the variable to missing. Is it better? I.e. if missing { create }.

IMO, if it doesn't have any obvious downside in performance, the important thing is that the code is readable. In my head (and it could be only me), I read this in terms of chronology and progressive use cases.

The first thing that happens is having nothing, then:

1. user creates the network resources
2. user creates the policies
3. the operator creates the internal resources (for the first time after seeing the policies)
4. user adjusts the policies and/or network resources
5. operator updates the internal resources accordingly.

[KevFan]

Thanks guys 👍 I don't think it matters in fairness unless people really feel it hinders readability. My preference is to keep it as is tbh as I also prefer dealing with the create first followed by update action. If we feel strongly about this, maybe this can be done in a separate where this can be dealt with in the entire codebase

[Boomatang]

The cleaning up of orphaned certs gives me an odd feeling, which I have yet to put my finger on. Had the same feeling with the DNS records. The question I ask find asking my self is what does the cleaning up of orphaned certs have to do with TLS polices and their reconcile. I have this feeling that this clean up should be structured as a Task in the Workflow over being part of the TLS policy reconcile. There seems to be a mixing of concerns. I understand how this mixing of concerns is ingrained in us from using the controller runtime. This currently a feeling that this is a code smell, but yet I don't have a good though on what to do about it.

One thing that I don't know at time of writing is how do certs become orphaned.

[KevFan]

I believe this is because there is a indirect link between policies and the subresouce (certificates in this case) and so gives the expected state of the cluster. Though true, this probably can be done as a separate task, that I can look into if you feel strongly about this.

A cert can be orphaned when a gateway listener is removed, or is the target ref of a tls policy is changed to another gateway. In both of these cases the cert(s) is created and will be orphaned since the policy still exists and still valid

[guicassolato]

Indeed we need to cleanup certs that remained orphan due to, e.g., a listener being removed from a gateway ceteris paribus.

Let's keep this as-is now since it does the job. Maybe in the future we can look for this pattern across the reconcilers (not only this one) and try to improve them all by having "janitors" as separate tasks that can run in parallel to other tasks.

[Boomatang]

I am happy with leaving this for now. It is some thing that can be done in the future.

[guicassolato]

Nice work, @KevFan. This will easily adapt to when we decide to support sectionName and effectively inheritance on TLSPolicies.

[mikenairn]

Is it good enough to just assume if you have no policies, use the gateway ones? Should it not check for a policy of the expected type being attached to the listener and if none fallback? Will this not also reconcile a gateway policy multiple times, once per listener?

[KevFan]

Yes, that's true, this should check for policies of specific type before failing back also 👍
Yes, unfortunately, this would reconcile a gateway policy multiple times. Not quite sure how to approach this one 🤔

[KevFan]

Updated to filter for tls policies. I'm aware of the multiple reconciles for gateway policies but I think I'll look to address this as I look into the reconcile for section name support in another PR.

[Boomatang]

I am happy to approve this. Any comment I had was based around styling which can be done later.