wip

projectcontour · Oct 13, 2023 · 685858b · 685858b
1 parent af938e6
commit 685858b
Show file tree

Hide file tree

Showing 5 changed files with 126 additions and 0 deletions.
diff --git a/Makefile b/Makefile
@@ -300,10 +300,18 @@ site-check: ## Test the site's links
 setup-kind-cluster: ## Make a kind cluster for testing
 	./test/scripts/make-kind-cluster.sh
 
+.PHONY: setup-remote-cluster
+setup-remote-cluster: ## Make a kind cluster for testing
+	./test/scripts/set-up-cluster.sh
+
 .PHONY: install-contour-working
 install-contour-working: | setup-kind-cluster ## Install the local working directory version of Contour into a kind cluster
 	./test/scripts/install-contour-working.sh
 
+.PHONY: remote-install-contour-working
+remote-install-contour-working: | setup-remote-cluster ## Install the local working directory version of Contour into a kind cluster
+	./test/scripts/install-contour-working-remote.sh
+
 .PHONY: install-contour-release
 install-contour-release: | setup-kind-cluster ## Install the release version of Contour in CONTOUR_UPGRADE_FROM_VERSION, defaults to latest
 	./test/scripts/install-contour-release.sh $(CONTOUR_UPGRADE_FROM_VERSION)

diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go
@@ -1306,14 +1306,24 @@ type HeaderValue struct {
 }
 
 // UpstreamValidation defines how to verify the backend service's certificate
+// +kubebuilder:validation:XValidation:message="subjectNames[0] must equal subjectName if set",rule="has(self.subjectNames) ? self.subjectNames[0] == self.subjectName : true"
 type UpstreamValidation struct {
 	// Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
 	// The secret must contain key named ca.crt.
 	// The name can be optionally prefixed with namespace "namespace/name".
 	// When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
 	CACertificate string `json:"caSecret"`
 	// Key which is expected to be present in the 'subjectAltName' of the presented certificate.
+	// Deprecated, migrate to using the plural field subjectNames.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
 	SubjectName string `json:"subjectName"`
+	// List of keys, of which at least one is expected to be present in the 'subjectAltName of the
+	// presented certificate.
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=8
+	SubjectNames []string `json:"subjectNames"`
 }
 
 // DownstreamValidation defines how to verify the client certificate.

diff --git a/contour b/contour
diff --git a/test/scripts/install-contour-working-remote.sh b/test/scripts/install-contour-working-remote.sh
@@ -0,0 +1,62 @@
+#! /usr/bin/env bash
+
+# Copyright Project Contour Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.  You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -o pipefail
+set -o errexit
+set -o nounset
+
+# install-contour-working-remote.sh: Install Contour from the working repo to a remote cluster. Assumes it exists
+
+readonly KUBECTL=${KUBECTL:-kubectl}
+readonly IMAGE=${IMAGE:-"ghcr.io/projectcontour/contour"}
+
+readonly WAITTIME=${WAITTIME:-5m}
+
+readonly HERE=$(cd $(dirname $0) && pwd)
+readonly REPO=$(cd ${HERE}/../.. && pwd)
+
+# Set (pseudo) random image tag to trigger restarts at every deployment.
+# TODO: Come up with a scheme that doesn't fill up the dev environment with randomly-tagged images.
+VERSION="v$$"
+
+# Build the image.
+make -C ${REPO} container IMAGE=${IMAGE} VERSION=${VERSION}
+
+# Install Contour
+${KUBECTL} apply -f ${REPO}/examples/contour/00-common.yaml
+${KUBECTL} apply -f ${REPO}/examples/contour/01-contour-config.yaml
+${KUBECTL} apply -f ${REPO}/examples/contour/01-crds.yaml
+${KUBECTL} apply -f ${REPO}/examples/contour/02-rbac.yaml
+${KUBECTL} apply -f ${REPO}/examples/contour/02-role-contour.yaml
+${KUBECTL} apply -f ${REPO}/examples/contour/02-service-contour.yaml
+${KUBECTL} apply -f ${REPO}/examples/contour/02-service-envoy.yaml
+
+for file in ${REPO}/examples/contour/02-job-certgen.yaml ${REPO}/examples/contour/03-contour.yaml ${REPO}/examples/contour/03-envoy.yaml ; do
+  # Set image pull policy to IfNotPresent so kubelet will use the
+  # images that we loaded onto the node, rather than trying to pull
+  # them from the registry.
+  # Set the image tag to $VERSION to unambiguously use the image
+  # we built above.
+  sed \
+    "-es|imagePullPolicy: Always|imagePullPolicy: IfNotPresent|" \
+    "-es|image: ghcr.io/projectcontour/contour:.*$|image: ${IMAGE}:${VERSION}|" \
+    "$file" | \
+  ${KUBECTL} apply -f -
+done
+
+# Wait for Contour and Envoy to report "Ready" status.
+${KUBECTL} wait --timeout="${WAITTIME}" -n projectcontour -l app=contour deployments --for=condition=Available
+${KUBECTL} wait --timeout="${WAITTIME}" -n projectcontour -l app=envoy pods --for=condition=Ready
diff --git a/test/scripts/set-up-cluster.sh b/test/scripts/set-up-cluster.sh
@@ -0,0 +1,46 @@
+#! /usr/bin/env bash
+
+# Copyright Project Contour Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.  You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# make-kind-cluster.sh: build a kind cluster and install a working copy
+# of Contour into it.
+
+set -o pipefail
+set -o errexit
+set -o nounset
+
+readonly KUBECTL=${KUBECTL:-kubectl}
+
+readonly SKIP_GATEWAY_API_INSTALL=${SKIP_GATEWAY_API_INSTALL:-"false"}
+readonly WAITTIME=${WAITTIME:-5m}
+
+readonly HERE=$(cd "$(dirname "$0")" && pwd)
+readonly REPO=$(cd "${HERE}/../.." && pwd)
+
+
+# Install cert-manager.
+CERT_MANAGER_VERSION=$(go list -m all | grep github.com/cert-manager/cert-manager | awk '{print $2}')
+
+${KUBECTL} apply -f https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml
+${KUBECTL} wait --timeout="${WAITTIME}" -n cert-manager -l app=cert-manager deployments --for=condition=Available
+${KUBECTL} wait --timeout="${WAITTIME}" -n cert-manager -l app=webhook deployments --for=condition=Available
+
+if [[ "${SKIP_GATEWAY_API_INSTALL}" != "true" ]]; then
+  # Install Gateway API CRDs.
+  ${KUBECTL} apply -f "${REPO}/examples/gateway/00-crds.yaml"
+fi
+
+# Install Contour CRDs.
+${KUBECTL} apply -f "${REPO}/examples/contour/01-crds.yaml"