Revert "fix: fix generating SNIs in dbless (#7853)" (#7872) (#7873)

team-k8s-bot · pmalek · web-flow · commit b8f95a834566 · 2026-03-31T15:59:36.000+02:00
This reverts commit 18c1423. (cherry picked from commit a5878ae) Co-authored-by: Patryk Małek <pmalek@users.noreply.github.com>
diff --git a/internal/dataplane/deckgen/deckgen.go b/internal/dataplane/deckgen/deckgen.go
@@ -32,7 +32,7 @@ func GenerateSHA(targetContent *file.Content, customEntities map[string][]custom
 }
 
 // GetFCertificateFromKongCert converts a kong.Certificate to a file.FCertificate.
-func GetFCertificateFromKongCert(inmemory bool, kongCert kong.Certificate) file.FCertificate {
+func GetFCertificateFromKongCert(kongCert kong.Certificate) file.FCertificate {
 	var res file.FCertificate
 	if kongCert.ID != nil {
 		res.ID = kong.String(*kongCert.ID)
@@ -43,17 +43,17 @@ func GetFCertificateFromKongCert(inmemory bool, kongCert kong.Certificate) file.
 	if kongCert.Cert != nil {
 		res.Cert = kong.String(*kongCert.Cert)
 	}
-	res.SNIs = getCertsSNIs(inmemory, kongCert)
+	res.SNIs = getCertsSNIs(kongCert)
 	return res
 }
 
-func getCertsSNIs(inmemory bool, kongCert kong.Certificate) []kong.SNI {
+func getCertsSNIs(kongCert kong.Certificate) []kong.SNI {
 	snis := make([]kong.SNI, 0, len(kongCert.SNIs))
 	for _, sni := range kongCert.SNIs {
 		kongSNI := kong.SNI{
 			Name: sni,
 		}
-		if !inmemory && kongCert.ID != nil {
+		if kongCert.ID != nil {
 			kongSNI.Certificate = &kong.Certificate{
 				ID: kongCert.ID,
 			}
diff --git a/internal/dataplane/deckgen/deckgen_test.go b/internal/dataplane/deckgen/deckgen_test.go
@@ -10,102 +10,6 @@ import (
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/dataplane/deckgen"
 )
 
-func TestGetFCertificateFromKongCert(t *testing.T) {
-	testCases := []struct {
-		name     string
-		inmemory bool
-		cert     kong.Certificate
-		want     file.FCertificate
-	}{
-		{
-			name:     "empty certificate",
-			inmemory: false,
-			cert:     kong.Certificate{},
-			want: file.FCertificate{
-				SNIs: []kong.SNI{},
-			},
-		},
-		{
-			name:     "all fields set, inmemory=true, SNIs have no certificate ref",
-			inmemory: true,
-			cert: kong.Certificate{
-				ID:   kong.String("cert-id"),
-				Key:  kong.String("cert-key"),
-				Cert: kong.String("cert-pem"),
-				SNIs: []*string{kong.String("example.com"), kong.String("other.com")},
-			},
-			want: file.FCertificate{
-				ID:   kong.String("cert-id"),
-				Key:  kong.String("cert-key"),
-				Cert: kong.String("cert-pem"),
-				SNIs: []kong.SNI{
-					{Name: kong.String("example.com")},
-					{Name: kong.String("other.com")},
-				},
-			},
-		},
-		{
-			name:     "all fields set, inmemory=false, SNIs have certificate ref",
-			inmemory: false,
-			cert: kong.Certificate{
-				ID:   kong.String("cert-id"),
-				Key:  kong.String("cert-key"),
-				Cert: kong.String("cert-pem"),
-				SNIs: []*string{kong.String("example.com")},
-			},
-			want: file.FCertificate{
-				ID:   kong.String("cert-id"),
-				Key:  kong.String("cert-key"),
-				Cert: kong.String("cert-pem"),
-				SNIs: []kong.SNI{
-					{
-						Name:        kong.String("example.com"),
-						Certificate: &kong.Certificate{ID: kong.String("cert-id")},
-					},
-				},
-			},
-		},
-		{
-			name:     "nil ID, inmemory=false, SNIs have no certificate ref",
-			inmemory: false,
-			cert: kong.Certificate{
-				Key:  kong.String("cert-key"),
-				Cert: kong.String("cert-pem"),
-				SNIs: []*string{kong.String("example.com")},
-			},
-			want: file.FCertificate{
-				Key:  kong.String("cert-key"),
-				Cert: kong.String("cert-pem"),
-				SNIs: []kong.SNI{
-					{Name: kong.String("example.com")},
-				},
-			},
-		},
-		{
-			name:     "no SNIs",
-			inmemory: false,
-			cert: kong.Certificate{
-				ID:   kong.String("cert-id"),
-				Key:  kong.String("cert-key"),
-				Cert: kong.String("cert-pem"),
-			},
-			want: file.FCertificate{
-				ID:   kong.String("cert-id"),
-				Key:  kong.String("cert-key"),
-				Cert: kong.String("cert-pem"),
-				SNIs: []kong.SNI{},
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			got := deckgen.GetFCertificateFromKongCert(tc.inmemory, tc.cert)
-			require.Equal(t, tc.want, got)
-		})
-	}
-}
-
 func TestIsContentEmpty(t *testing.T) {
 	testCases := []struct {
 		name    string
diff --git a/internal/dataplane/deckgen/generate.go b/internal/dataplane/deckgen/generate.go
@@ -32,11 +32,6 @@ type GenerateDeckContentParams struct {
 	// the configuration is empty. It is used to workaround behavior in Kong where sending an empty configuration
 	// does not make its `GET /status/ready` endpoint return 200s.
 	AppendStubEntityWhenConfigEmpty bool
-
-	// InMemory indicates whether the generated deck content is intended to be used in-memory.
-	// This is used to determine whether to include certain fields in the generated content
-	// that are not relevant for in-memory use but are required for db based / konnect configurations.
-	InMemory bool
 }
 
 // ToDeckContent generates a decK configuration from `k8sState` and auxiliary parameters.
@@ -130,7 +125,7 @@ func ToDeckContent(
 	})
 
 	for _, c := range k8sState.Certificates {
-		cert := GetFCertificateFromKongCert(params.InMemory, c.Certificate)
+		cert := GetFCertificateFromKongCert(c.Certificate)
 		content.Certificates = append(content.Certificates, cert)
 	}
 	sort.SliceStable(content.Certificates, func(i, j int) bool {
diff --git a/internal/dataplane/kong_client.go b/internal/dataplane/kong_client.go
@@ -794,7 +794,6 @@ func (c *KongClient) sendToClient(
 		ExpressionRoutes:                config.ExpressionRoutes,
 		PluginSchemas:                   client.PluginSchemaStore(),
 		AppendStubEntityWhenConfigEmpty: config.InMemory,
-		InMemory:                        config.InMemory,
 	}
 	targetContent := deckgen.ToDeckContent(ctx, logger, s, deckGenParams)
 	customEntities := make(sendconfig.CustomEntitiesByType)
diff --git a/internal/dataplane/kong_client_golden_test.go b/internal/dataplane/kong_client_golden_test.go
@@ -262,7 +262,7 @@ func runKongClientGoldenTest(t *testing.T, tc kongClientGoldenTestCase) {
 	// Create the translator.
 	logger := zapr.NewLogger(zap.NewNop())
 	s := store.New(cacheStores, "kong", logger)
-	p, err := translator.NewTranslator(logger, s, "", semver.MustParse("3.12.0"), tc.featureFlags, fakeSchemaServiceProvier{},
+	p, err := translator.NewTranslator(logger, s, "", semver.MustParse("3.9.1"), tc.featureFlags, fakeSchemaServiceProvier{},
 		translator.Config{
 			ClusterDomain:      consts.DefaultClusterDomain,
 			EnableDrainSupport: consts.DefaultEnableDrainSupport,
diff --git a/internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer/default_golden.yaml b/internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer/default_golden.yaml
@@ -31,8 +31,12 @@ certificates:
     5GTyl7XJmyY/
     -----END PRIVATE KEY-----
   snis:
-  - name: 1.example.com
-  - name: 2.example.com
+  - certificate:
+      id: c6ac927c-4f5a-4e88-8b5d-c7b01d0f43af
+    name: 1.example.com
+  - certificate:
+      id: c6ac927c-4f5a-4e88-8b5d-c7b01d0f43af
+    name: 2.example.com
 consumers:
 - basicauth_credentials:
   - password: consumer-1-password
diff --git a/internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer/expression-routes-on_golden.yaml b/internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer/expression-routes-on_golden.yaml
@@ -31,8 +31,12 @@ certificates:
     5GTyl7XJmyY/
     -----END PRIVATE KEY-----
   snis:
-  - name: 1.example.com
-  - name: 2.example.com
+  - certificate:
+      id: c6ac927c-4f5a-4e88-8b5d-c7b01d0f43af
+    name: 1.example.com
+  - certificate:
+      id: c6ac927c-4f5a-4e88-8b5d-c7b01d0f43af
+    name: 2.example.com
 consumers:
 - basicauth_credentials:
   - password: consumer-1-password
diff --git a/internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer/expression-routes-on_settings.yaml b/internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer/expression-routes-on_settings.yaml
diff --git a/internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer/in.yaml b/internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer/in.yaml
diff --git a/internal/dataplane/testdata/golden/ingress-v1-rule-with-tls/default_golden.yaml b/internal/dataplane/testdata/golden/ingress-v1-rule-with-tls/default_golden.yaml
@@ -31,8 +31,12 @@ certificates:
     7InkkRoDnTrU3Ro=
     -----END PRIVATE KEY-----
   snis:
-  - name: 3.example.com
-  - name: 4.example.com
+  - certificate:
+      id: 8aade13c-1470-46bd-9849-9a74e349214f
+    name: 3.example.com
+  - certificate:
+      id: 8aade13c-1470-46bd-9849-9a74e349214f
+    name: 4.example.com
 - cert: |-
     -----BEGIN CERTIFICATE-----
     MIIBoTCCAQoCCQC/V5OfTXu7xDANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApr
@@ -64,8 +68,12 @@ certificates:
     5GTyl7XJmyY/
     -----END PRIVATE KEY-----
   snis:
-  - name: 1.example.com
-  - name: 2.example.com
+  - certificate:
+      id: c6ac927c-4f5a-4e88-8b5d-c7b01d0f43af
+    name: 1.example.com
+  - certificate:
+      id: c6ac927c-4f5a-4e88-8b5d-c7b01d0f43af
+    name: 2.example.com
 services:
 - connect_timeout: 60000
   host: foo-svc.bar-namespace.80.svc
diff --git a/internal/dataplane/testdata/golden/ingress-v1-rule-with-tls/expression-routes-on_golden.yaml b/internal/dataplane/testdata/golden/ingress-v1-rule-with-tls/expression-routes-on_golden.yaml
@@ -31,8 +31,12 @@ certificates:
     7InkkRoDnTrU3Ro=
     -----END PRIVATE KEY-----
   snis:
-  - name: 3.example.com
-  - name: 4.example.com
+  - certificate:
+      id: 8aade13c-1470-46bd-9849-9a74e349214f
+    name: 3.example.com
+  - certificate:
+      id: 8aade13c-1470-46bd-9849-9a74e349214f
+    name: 4.example.com
 - cert: |-
     -----BEGIN CERTIFICATE-----
     MIIBoTCCAQoCCQC/V5OfTXu7xDANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApr
@@ -64,8 +68,12 @@ certificates:
     5GTyl7XJmyY/
     -----END PRIVATE KEY-----
   snis:
-  - name: 1.example.com
-  - name: 2.example.com
+  - certificate:
+      id: c6ac927c-4f5a-4e88-8b5d-c7b01d0f43af
+    name: 1.example.com
+  - certificate:
+      id: c6ac927c-4f5a-4e88-8b5d-c7b01d0f43af
+    name: 2.example.com
 services:
 - connect_timeout: 60000
   host: foo-svc.bar-namespace.80.svc

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ func GenerateSHA(targetContent *file.Content, customEntities map[string][]custom`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`// GetFCertificateFromKongCert converts a kong.Certificate to a file.FCertificate.`
`35`		`-func GetFCertificateFromKongCert(inmemory bool, kongCert kong.Certificate) file.FCertificate {`
	`35`	`+func GetFCertificateFromKongCert(kongCert kong.Certificate) file.FCertificate {`
`36`	`36`	`var res file.FCertificate`
`37`	`37`	`if kongCert.ID != nil {`
`38`	`38`	`res.ID = kong.String(*kongCert.ID)`
`@@ -43,17 +43,17 @@ func GetFCertificateFromKongCert(inmemory bool, kongCert kong.Certificate) file.`
`43`	`43`	`if kongCert.Cert != nil {`
`44`	`44`	`res.Cert = kong.String(*kongCert.Cert)`
`45`	`45`	`}`
`46`		`- res.SNIs = getCertsSNIs(inmemory, kongCert)`
	`46`	`+ res.SNIs = getCertsSNIs(kongCert)`
`47`	`47`	`return res`
`48`	`48`	`}`
`49`	`49`
`50`		`-func getCertsSNIs(inmemory bool, kongCert kong.Certificate) []kong.SNI {`
	`50`	`+func getCertsSNIs(kongCert kong.Certificate) []kong.SNI {`
`51`	`51`	`snis := make([]kong.SNI, 0, len(kongCert.SNIs))`
`52`	`52`	`for _, sni := range kongCert.SNIs {`
`53`	`53`	`kongSNI := kong.SNI{`
`54`	`54`	`Name: sni,`
`55`	`55`	`}`
`56`		`- if !inmemory && kongCert.ID != nil {`
	`56`	`+ if kongCert.ID != nil {`
`57`	`57`	`kongSNI.Certificate = &kong.Certificate{`
`58`	`58`	`ID: kongCert.ID,`
`59`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -794,7 +794,6 @@ func (c *KongClient) sendToClient(`
`794`	`794`	`ExpressionRoutes: config.ExpressionRoutes,`
`795`	`795`	`PluginSchemas: client.PluginSchemaStore(),`
`796`	`796`	`AppendStubEntityWhenConfigEmpty: config.InMemory,`
`797`		`- InMemory: config.InMemory,`
`798`	`797`	`}`
`799`	`798`	`targetContent := deckgen.ToDeckContent(ctx, logger, s, deckGenParams)`
`800`	`799`	`customEntities := make(sendconfig.CustomEntitiesByType)`